For further security of your IBM® Connect:Direct® network, you can use Sterling Secure Proxy as an application proxy in your DMZ. When used as a reverse proxy, Secure Proxy ensures that the node has the authority to connect. If the node is authorized, the proxy provides a session break and establishes a new connection to connect to the IBM Connect:Direct node inside the company.
As a forward proxy, it allows an internal node to connect to an IBM Connect:Direct node outside of your secure environment. The internal node connects to the forward proxy in the DMZ. The forward proxy then sends connection information to the external IBM Connect:Direct node. The session break ensures that the company node is protected and does not have a direct connection to the external node. The external IBM Connect:Direct node is unaware that Secure Proxy is deployed and believes it is connecting to the internal IBM Connect:Direct node.
Secure Proxy also provides user authentication to ensure that the external node is authorized to connect to Secure Proxy. As an extension of user authentication, you can use Sterling External Authentication Server to make use of an external database, such as Active Directory or Lightweight Directory Access Protocol (LDAP), to perform IBM Connect:Direct node authentication and certificate authentication.
Secure Proxy also provides the following security features:
- SSL or TLS using certificates—Ensures that the connection between Secure Proxy and the internal and external nodes uses SSL or TLS.
- Support for Hardware Security Modules (HSM)—Stores and protects your certificates.
- Support for connection routing—Allows you to route incoming connections using the following methods:
  - Direct Routing—Routes incoming connections directly to the trusted company server.
  - PNODE routing—Allows the inbound node to determine what SNODE it connects to.
  - Certificate-based routing—Allows Secure Proxy to determine the internal server to route the connection to, based on the distinguished name in the certificate.
- Support for step injection—Allows you to insert IBM Connect:Direct Process statements into the communications session with the SNODE independent of the PNODE Process statements. These injected statements can provide real-time notification of file delivery, invoke applications, run operating system jobs and commands, and submit other IBM Connect:Direct Processes, all without the need to provide an exit program on the SNODE or to change the PNODE Process. The results of these steps are logged in the statistics file of the SNODE.
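As an added illustration of the three routing methods listed above, the following Python model shows how a reverse proxy can select the internal node for a direct, PNODE-determined, or certificate-based route and then open its own connection to it (the session break). This is example code, not Sterling Secure Proxy code and not its configuration syntax; the `Route` class, `select_internal_node`, the allowlist applied to PNODE routing, the DN parser and the sample node names are assumptions of this example, not statements about how Secure Proxy is configured.

```python
"""Illustrative model of the three inbound-routing methods listed above.

Added example: this is not Sterling Secure Proxy code and does not use its
configuration format. Route, select_internal_node, parse_dn and the sample
node names are assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


class RoutingError(Exception):
    """Raised when no internal node can be selected for an inbound session."""


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an RFC 4514 style distinguished name into {ATTR: value}.

    Handles backslash-escaped commas inside values. Simplification for the
    example: each attribute type is assumed to appear at most once.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                           # unescaped comma separates RDNs
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    attrs: Dict[str, str] = {}
    for part in parts:
        attr, _, value = part.partition("=")
        attrs[attr.strip().upper()] = value.strip()
    return attrs


@dataclass(frozen=True)
class Route:
    """One inbound routing policy; method is "direct", "pnode" or "certificate"."""
    method: str
    target: Optional[str] = None                        # direct: the fixed internal node
    allowed_snodes: FrozenSet[str] = frozenset()        # pnode: internal nodes the PNODE may name
    dn_rules: Tuple[Tuple[str, str, str], ...] = ()     # certificate: (attr, value, node), first match wins


def select_internal_node(route: Route,
                         requested_snode: Optional[str] = None,
                         client_dn: Optional[str] = None) -> str:
    """Return the internal Connect:Direct node the inbound session is forwarded to.

    The proxy ends the inbound session here and opens a new connection to the
    returned node, so the choice is never driven by untrusted input alone: a
    PNODE-requested SNODE is checked against an allowlist (assumption of this
    model) and a certificate DN is matched against explicit rules.
    """
    if route.method == "direct":
        if route.target is None:
            raise RoutingError("direct route has no target configured")
        return route.target
    if route.method == "pnode":
        if requested_snode in route.allowed_snodes:
            return requested_snode
        raise RoutingError(f"requested SNODE {requested_snode!r} is not an allowed internal node")
    if route.method == "certificate":
        if not client_dn:
            raise RoutingError("certificate-based routing requires an authenticated client certificate")
        attrs = parse_dn(client_dn)
        for attr, value, node in route.dn_rules:
            if attrs.get(attr.upper()) == value:
                return node
        raise RoutingError(f"no routing rule matches certificate subject {client_dn!r}")
    raise RoutingError(f"unknown routing method {route.method!r}")


# Constructed sample policies; node names are placeholders, not real hosts.
DIRECT_ROUTE = Route("direct", target="cd-internal-1")
PNODE_ROUTE = Route("pnode", allowed_snodes=frozenset({"cd-internal-1", "cd-internal-2"}))
CERT_ROUTE = Route("certificate", dn_rules=(
    ("OU", "Payments", "cd-payments"),        # most specific rule first
    ("O", "Example Corp", "cd-general"),
))

if __name__ == "__main__":
    print(select_internal_node(DIRECT_ROUTE))
    print(select_internal_node(PNODE_ROUTE, requested_snode="cd-internal-2"))
    print(select_internal_node(CERT_ROUTE, client_dn="CN=partnerA,OU=Payments,O=Example Corp"))
```

The ordering of `dn_rules` matters: a broad rule such as the organisation name placed first would shadow the more specific organisational-unit rule, so the model evaluates the most specific rule first and refuses the session when nothing matches rather than falling back to a default internal node.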
In addition to providing proxy services for IBM Connect:Direct, Secure Proxy also provides proxy support for FTP, SFTP (SSH), HTTP, and HTTPS, allowing you to extend your managed file transfer enterprise to IBM B2B Integrator and IBM File Gateway.
Sterling External Authentication Server
You can use External Authentication Server together with Secure Proxy to implement extended authentication and validation services for your IBM products. The External Authentication Server is a separate, GUI-configurable application that allows you to validate certificates against certificate revocation lists (CRLs). You can also configure multifactor authentication using SSL client certificates, SSH keys, user ID and password, and client IP address as factors. You can enable application outputs to allow you to map attributes, such as login credentials that are returned to a query, to outputs you specify.