Enable port forwarding for an exchange

Use this procedure to add a community delivery associated with an embedded server and enable port forwarding for DMZ nodes. This procedure presumes you already have added a community. If not, see Add a community and return to this procedure. It is also presumes you already have added a DMZ node. If not, see Add a DMZ node.

Steps for port forwarding

  1. Open the summary page for your community in the user interface.
  2. Add a trading pickup for receiving messages from partners. Do one of the following to open the exchange wizard:
    • Click Set up a delivery for receiving messages from partners.
    • If that option is not available, click Trading pickup in the navigation graphic at the top of the page. Then click Add a delivery.
  3. Add a delivery that uses an embedded server. For details about adding the exchange, see Add a trading pickup.
  4. Enable port forwarding for the embedded server.
    1. Open the maintenance page for the exchange just added. To do this, click the transport name on the Trading pickups page for the community.
    2. On the embedded settings tab, click the link to view settings for the embedded server.
    3. Select the DMZ ports tab.
    4. Select Enable DMZ port forwarding and click Save changes. See the Port forwarding details section below for more information. Click the Port field to display a list of ports already in use.
    5. Optionally, select one or both of the following options:
      • Enable security termination in DMZ – Select this check box to have various security functions performed in the DMZ. If connections are via SSL, the secure connection is terminated at the router agent in the DMZ. For delivery exchanges that require a user name and password to connect (for example, FTP, SFTP, WebDAV), the router agent authenticates the user.
      • Enable IP address checking in DMZ – Select this check box to have Interchange check partners’ IP addresses against a whitelist of authorized IP addresses. Connections from unknown IP addresses are not allowed.
        • Match IP address against partner definition – When IP address checking is enabled, select this check box to have the router agent check whether the partner is registered to the IP address. If not selected, the agent only checks the user’s credentials. (This control is not available to all types of servers.)
    6. If you use DMZ zones, select a zone. The Zone field displays only if you have added one or more zones. See Add DMZ zones. The following screen shows the tab with the additional Zone field when DMZ zones are used.
    7. DMZ ports tab section
    8. If an FTP or SFTP server, make sure you have specified a range for passive ports on the Advanced tab. The default value of 0 does not work with DMZ nodes.
    9. In addition, make sure the external host or IP address on the Settings tab is for the computer in the DMZ that hosts the DMZ node. The internal host that runs Interchange cannot be given as the external host. Moreover, make sure the external port on the Settings tab matches the port field on the DMZ ports tab. For more information about these fields, see Embedded transport servers.
  5. Go to Configure load balancer or firewall.

Port forwarding details

Enable DMZ port forwarding – Select this check box if you want the external firewall or load balancer to send inbound connections to Secure Relay DMZ nodes rather than directly to embedded servers in the protected network.

In the simplest case there is one DMZ port with the same value as the corresponding embedded server port in the protected network. If you add a machine to your cluster and return to the DMZ ports tab, another DMZ port automatically is added in sequence. This happens because every machine in the cluster that can host the embedded server must be assigned a unique corresponding port in the DMZ.

Click the port field to display a list of ports already in use.

Example

Suppose you have two trading engine nodes on separate machines hosting FTP servers on port 4021. On the DMZ ports tab you would see one port representing each machine in the cluster (for example, 4021 and 4022). This allows a dedicated port forwarding rule to be established from each unique DMZ port to each unique cluster machine.

Another way to think of this is that a cluster host and port represent a unique to address for a forwarding rule (for example, te1:4021 and te2:4021). The corresponding from address in the DMZ also must be unique. This is achieved by assigning multiple ports. Consequently, if the DMZ node machine is named dmz1, the forwarding rules would look like this:

dmz1:4021 -> te1:4021
dmz1:4022 -> te2:4021

If you add another DMZ node, it forwards the same set of DMZ port numbers. But the forwarding rules would still be unique because the new DMZ node must be on a different host machine. For example:

dmz2:4021 -> te1:4021
dmz2:4022 -> te2:4021

Notice for a given DMZ node the from host is the same for all the rules, but the port changes. Similarly, the to host changes for each rule, but the port stays the same. You do not necessarily need to be aware of this, apart from making sure your load balancer is configured properly.

You can access the DMZ ports tab for any embedded server by clicking on the value in the DMZ port column on the embedded servers page. You can open the page by selecting System management > Manage embedded servers.

Related topics

Related Links