DMZ and the TURN command

Overview

The following concepts apply to DMZ for the PeSIT protocol version E. Additionally, the PeSIT DMZ profile is fully compatible with Axway Gateway.

The security rules relating to a DMZ (demilitarized zone) strongly recommend that no outgoing calls be made from it. This means a Transfer CFT in a DMZ cannot transfer files to a monitor outside the DMZ. To remedy this, you can use the TURN command to reverse the direction of control: a Transfer CFT outside the DMZ opens a session with the Transfer CFT in the DMZ and then hands control over to it.

In PeSIT the partner that opens a protocol session, the requester, always has control. This partner decides which transfers to make, both sending and receiving. Inverting these roles means that the requester hands control over to the server; it is then the server that decides which transfers to make.

Setting up Transfer CFT outside the DMZ

A Transfer CFT outside the DMZ can establish a PeSIT protocol session and give control to the remote partner. Parameters in the CFTPROT command enable you to:

  • Define how the monitor operates when facing a monitor in a DMZ
  • Designate the session partner(s)
  • Indicate the creation period for protocol sessions

In the CFTPROT command that defines the PeSIT protocol, the PROF parameter accepts the value DMZ. This value selects DMZ requester mode. For this mode to work, you must also set the PART parameter to the identifiers of the partners with which the DMZ protocol sessions are to be initialized.

If the remote client terminates the session prematurely, the partner retry parameters (RETRYM, RETRYW and RETRYN) are used.

The partner CNXOUT parameter sets the maximum number of parallel sessions. The monitor first opens one session. Each time a transfer is initiated by the remote partner, which has obtained control, the monitor opens a further session, up to the limit of CNXOUT sessions.

Setting up Transfer CFT in a DMZ

Requester-mode transfers submitted on a site in a DMZ are blocked while the site does not have control. As soon as it obtains control, the blocked transfers are sent to the remote site.

When the current site has no other transfers pending, it returns control to the initial requester site. Submitted transfers are then blocked once again until control is next returned.

For a submitted transfer to be held by Transfer CFT, the CNXOUT parameter of the partner's CFTPART command must be null. The SEND and RECV commands then have status H, with code 0 and diagnosis DMZ. Only requests with this status are activated when the PeSIT session is reversed; they are activated in order of priority and then in chronological order.

The PROF parameter of the CFTPROT command must be set to DMZ to accept the reversal of the session. The TURN parameter must be set to MESSAGE if the Transfer CFT is to send messages only.

The CTO, PART and CYCLE parameters of the CFTPROT command are not used in server mode. The DISCTS parameter gives the wait time-out between the end of a transfer and termination of the session when no new transfer is pending.
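The following parameter file, written here as an added example and not taken from the Axway documentation, brings the two preceding sections together: the CFTPROT and CFTPART definitions on the Transfer CFT outside the DMZ (which opens the sessions and hands over control) and the matching definitions on the Transfer CFT inside the DMZ (which never calls out and waits for the reversal). The object identifiers (PESITDMZ, CFTIN, CFTOUT) and the CYCLE, CTO, CNXOUT, RETRY* and DISCTS values are assumptions chosen for illustration; the network definitions (CFTTCP, SAP) and other mandatory parameters of a real installation are omitted.

```text
/* Constructed example: PeSIT DMZ profile on both sides of the DMZ.      */
/* Identifiers and numeric values are assumptions, not recommended values. */

/* ---- Side A: Transfer CFT OUTSIDE the DMZ (DMZ requester mode) ---- */
/* PROF=DMZ selects requester mode; PART lists the partners in the DMZ   */
/* to which control is handed; CYCLE drives the automatic TURN commands. */
CFTPROT ID     = PESITDMZ,
        TYPE   = PESIT,
        PROF   = DMZ,
        PART   = (CFTIN),
        CYCLE  = 10,
        CTO    = 5,
        TURN   = FILE,
        MODE   = CREATE

/* CNXOUT limits the parallel sessions opened towards the DMZ partner;   */
/* the RETRY* values apply if the DMZ side drops a session prematurely.  */
CFTPART ID     = CFTIN,
        PROT   = PESITDMZ,
        CNXOUT = 2,
        RETRYM = 12,
        RETRYW = 1,
        RETRYN = 4,
        MODE   = CREATE

/* ---- Side B: Transfer CFT INSIDE the DMZ (accepts the reversal) ---- */
/* PROF=DMZ accepts the session reversal. TURN=MESSAGE here would limit  */
/* this side to messages only. CTO, PART and CYCLE are not used in       */
/* server mode. DISCTS is the idle wait before the reversed session ends.*/
CFTPROT ID     = PESITDMZ,
        TYPE   = PESIT,
        PROF   = DMZ,
        TURN   = FILE,
        DISCTS = 60,
        MODE   = CREATE

/* CNXOUT=0: this site never calls out. SEND/RECV requests towards CFTOUT */
/* are held with status H, code 0, diagnosis DMZ, and released only when  */
/* CFTOUT has handed over control (priority order, then chronological).   */
CFTPART ID     = CFTOUT,
        PROT   = PESITDMZ,
        CNXOUT = 0,
        MODE   = CREATE
```

The point to check on the DMZ side is the CNXOUT value: any non-zero value would let the DMZ monitor attempt an outgoing call instead of holding the request, which is exactly what the DMZ security rule forbids.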

TURN command

For a Transfer CFT outside the DMZ, control is handed to the Transfer CFT in a DMZ using the TURN command. The monitor regularly and automatically generates a TURN command according to the CYCLE parameter value for each partner listed in the PART parameter of the CFTPROT command in the DMZ profile.

The TURN command can also be submitted directly by the command utility or the GUI in three specific cases:

  • To temporarily stop automatic calls to a given site:

TURN PART=part,MODE=INACT

  • To reactivate automatic calls following the previous command:

TURN PART=part,MODE=ACT

  • To manually open a connection that reverses the direction of control. In this case, the CTO and TURN parameter values of the CFTPROT command may be overridden for this session:

TURN PART=part,CTO=5,TURN=MESSAGE

The TURN parameter default value is FILE. In this example, the TURN command selects only messages for this session. If the CFTPROT command TURN parameter has the value MESSAGE, the command TURN PART=part selects files and messages.

Note: Using the CFTPROT command parameters, the automatic mechanism for handing over control generates the command:

TURN PART=part,CTO=n,CYCLE=n,TURN=identifier,MODE=CREATE

Related topics

Using the TURN function (GUI)

TURN - Changing the DMZ control (CFTTUTIL)
