This section describes the Axway Secure Relay integration with Transfer CFT. Secure Relay provides Transfer CFT with two main data security features. First, it enables a firewall-friendly access to Transfer CFT via the Secure Relay Master Agent (MA) and the Secure Relay Router Agent (RA). The second feature is SSL termination. This allows for secure SSL access to Transfer CFT without Transfer CFT needing to perform SSL or PKI access procedures. You can use Secure Relay with Transfer CFT over any supported Transfer CFT protocol, for example PeSIT, OFTP, and so on.

The following additional topics describe how to configure Transfer CFT to use Secure Relay for exchanges.

Note Secure Relay was formerly called XSR. In some documentation, you may still see references to XSR.


When you set a Transfer CFT network resource to use Secure Relay, all of the connections that use this network resource transmit through Secure Relay for both incoming and outgoing connections.

The following diagram illustrates how Transfer CFT and Secure Relay interact with each other, as well as with the network.

Network to DMZ overview

View of link between Transfer CFT and the Master Agent in the private network, with the Router Agent in the DMZ


Data connections are a pool of multiplexed connections between the RA and the MA. There are 5 connections by default, which can be either clear text or SSL-ciphered connections, depending on the configuration.

All connections between the Master Agent (MA) and Router Agents (RA) are initiated by the MA, and are allowed by firewall rules; this refers to all connections coming from the intranet toward the DMZ. When a connection comes from outside (the Internet), the RA alerts the MA using the hot channel (HC or administration channel), and the MA creates a new data connection to handle the incoming data.

When using Secure Relay, all service access points that are normally set in Transfer CFT (in the CFTTCPS.exe process) are exported on the external router side to the DMZ (the network interface accessible from outside).

Secure Relay is not aware of data sent to, or received from, Transfer CFT and remote partners. This means that data are not checked or modified, and Secure Relay is oblivious of the underlying protocol. The only possible transformation done by Secure Relay is the encapsulation of clear test data into SSL packets.


  • The Transfer CFT license key must include the Secure Relay option.
  • Prior to setting up Secure Relay to Transfer CFT interoperability, you should already have installed Secure Relay 2.5.1. Refer to the Secure Relay documentation available at Axway Support at https://support.axway.com.


  • This option is not operational in Transfer CFT multi-node architecture.
  • If you are using multiple Router Agents, you cannot select the RA to be used for the outgoing transfers.
  • SecureRelay is not operational with the Transfer CFT acceleration option.

Related Links