Manage IP address whitelists

IP whitelists provide an optional additional layer of security for Secure Relay DMZ nodes. A whitelist allows connections only from trusted partners.

The IP address whitelist is stored in the Interchange database and is edited and managed in the user interface. The list is synchronized between the master agent within Interchange and the router agent in the DMZ. Checking is done in the DMZ, but neither the list nor any related parameter is persisted there. IP checking can be enabled or disabled per listening point.

Note   If you are licensed for Peer Networking and are cloning the whitelist, the whitelist must be set manually on the peer set when needed.

How IP addresses are checked

IP address checking is done in two steps:

  1. Check whether the sender’s IP address is trusted. This is done at connection time, independently of the transport protocol.
  2. Check whether the IP address corresponds to the correct partner. This check is performed only when the first check succeeds. If a user name and password are needed for the connection, the correlation is done through the user that is logging on.

Objects used for checking are:

  • Secure Relay DMZ nodes deployed in the DMZ
  • One or more embedded servers within Interchange
  • A whitelist of IP addresses used by partners
  • Users known to Interchange who log in to embedded servers (in applicable cases)

Processing varies depending on whether trading is via a delivery exchange that requires user name and password authentication.

Without user authentication

This processing applies to transports such as HTTP.

  1. The router agent in the DMZ receives a connection request. The request includes the sender’s IP address.
  2. The IP address of the partner is checked against the whitelist.
    1. If the IP address is unknown, the connection is rejected.
    2. If the address is known, the connection is allowed.

With user authentication

This processing applies to transports such as FTP and SFTP.

  1. The router agent in the DMZ receives a connection request. The request includes a user name and password and the sender’s IP address.
  2. The router agent submits the request to the master agent.
  3. The master agent looks for a partner that matches the user name, password and IP address.
    1. If the IP address is unknown, the connection is rejected.
    2. If the IP address is known but the log-in credentials are unknown, the connection is rejected.
    3. If both the IP address and the log-in credentials are known, the connection is allowed.
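The two flows above as an added Python example (not Interchange code): whitelist rows, party names, users and addresses are constructed, and the third rejection case (valid credentials for a party not registered to that address) follows the registration rule described under Add, change IP address whitelist.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class WhitelistEntry:
    """One row of the global whitelist: a start/end range (end blank means a
    single address) and the parties registered to it (may be empty)."""
    start: str
    end: Optional[str] = None
    parties: Set[str] = field(default_factory=set)

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end) if self.end else lo
        if addr.version != lo.version:  # never compare IPv4 with IPv6
            return False
        return lo <= addr <= hi

# Constructed sample data; party names, users and addresses are hypothetical.
WHITELIST = [
    WhitelistEntry("203.0.113.10", None, {"PartnerA"}),
    WhitelistEntry("198.51.100.0", "198.51.100.255", {"PartnerB", "PartnerC"}),
    WhitelistEntry("192.0.2.7"),  # HTTP-only party, registration left blank
]
# user name -> (password, party); a real store would hold password hashes.
USERS = {"alice": ("s3cret", "PartnerB"), "bob": ("hunter2", "PartnerA")}

def matching_entries(ip: str) -> List[WhitelistEntry]:
    """Step 1: which whitelist rows (if any) cover the sender's address."""
    return [e for e in WHITELIST if e.contains(ip)]

def check_without_auth(ip: str) -> bool:
    """HTTP-style flow: the whitelist alone decides."""
    return bool(matching_entries(ip))

def check_with_auth(ip: str, user: str, password: str) -> str:
    """FTP/SFTP-style flow: the IP must be known and the credentials must
    belong to a party registered to that IP (step 2 of the check)."""
    entries = matching_entries(ip)
    if not entries:
        return "rejected: unknown IP"
    cred = USERS.get(user)
    if cred is None or not hmac.compare_digest(cred[0], password):
        return "rejected: unknown credentials"
    registered = set().union(*(e.parties for e in entries))
    if cred[1] not in registered:
        return "rejected: credentials not registered to this IP"
    return "allowed"
```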

See: Add, change IP address whitelist and Enable IP address checking.

Add, change IP address whitelist

Use this procedure to add or change IP addresses on the global whitelist. The global whitelist is for managing the whitelisted IP addresses of all communities and partners. The only users who can do this must have administrator permissions or must be associated with a role enabling the “Manage IP address whitelist” permission.

Although this procedure is for the global whitelist, whitelisted IP addresses can also be managed per partner. On a partner summary page, click IP whitelist in the navigation graphic at the top of the page. Many of the steps for adding or changing IP addresses are the same as for the global whitelist, except that the addresses only affect the specific partner and are registered to that partner.

Note   IP whitelists are only used with Secure Relay.

  1. Select System management > Manage IP addresses to open the page for globally managing all whitelisted IP addresses.
  2. Click Add IP address and complete the fields.
  3. The start and end fields are used for specifying a range of IP addresses. If you only need to specify one IP address, complete the start field and leave the end field blank.
  4. Click Pick party and select a community or a partner to associate with the IP address or range of addresses. Multiple parties can be registered to the same IP address. For example, two parties may share the same computer.
  5. You must register a party who submits a user name and password to connect. This applies to delivery exchanges such as FTP, SFTP and WebDAV. Registration is required so Interchange can validate the user’s credentials and verify that the user is associated with the party’s IP address.
  6. Registration is optional for parties connecting via a transport not involving a user name and password.
  7. Click Save to add the IP address.

Change an IP address

  1. Click the name of an IP address to open its details page. You can change the IP address or range of addresses and change the registered parties.
  2. Click Save when done.

Delete an IP address

Click Delete to delete an IP address or range of addresses.

See How IP addresses are checked and Enable IP address checking.

Enable IP address checking

Enabling IP address checking for Secure Relay requires selecting a check box on an embedded server’s DMZ ports tab.

  1. Select System management > Manage embedded servers on the top toolbar.
  2. Select the name of an embedded server used for Secure Relay to open the server’s maintenance page.
  3. Select the DMZ ports tab. Make sure Enable DMZ port forwarding is selected.
  4. Select Enable IP address checking in DMZ.
  5. Click Save changes.

See Embedded transport servers for more information about embedded servers.

See How IP addresses are checked and Add, change IP address whitelist.
