Sterling Secure Proxy Architecture

The components of the Sterling Secure Proxy architecture are:
  • Sterling Secure Proxy Engine—the engine resides in the DMZ and contains the minimum components necessary to manage communications sessions. The engine configuration (Sterling Secure Proxy engine properties) is created at Configuration Manager and pushed to the engine. It is stored in active memory and is never stored on disk in the DMZ. No web services or UI ports are open in the DMZ.
  • Configuration Manager (Sterling Secure Proxy CM)—Configuration Manager is installed in the trusted zone. Use this tool to configure your environment. When you save a configuration definition (Sterling Secure Proxy configuration store) at CM, it is pushed to an engine, using an SSL session. Configuration files are encrypted and stored on the computer where CM is installed.
    Note: Only one Configuration Manager should update an engine definition.
  • Sterling Secure Proxy configuration store—This file is encrypted on disk and contains the following information:
    • The user store with information on user credentials
    • The system certificate store with the certificates used for SSL/TLS sessions
    • The key store with the SSH keys
    • The engine configuration store with all configuration information for the engine
  • Sterling Secure Proxy engine properties file—These files are encrypted and contain the following information:
    • The IP and port number to listen on for connections from Configuration Manager
    • SSL key certificate, trusted certificate, and encryption cipher used for the connection from Configuration Manager
  • Web server—Configuration Manager is installed with a web server. You open a browser and access CM through a web page to configure Sterling Secure Proxy and monitor the engine activity. The web server is installed when you install Configuration Manager.
  • Adapter—an adapter identifies the protocol allowed for connections from trading partners. You can accept connections from clients that use different protocols; however, you must define a different adapter for each protocol. A single engine can run multiple adapters. In an adapter definition, you identify the port on which to listen for connections, the netmap to use with the adapter, the security policy, and the routing method to use. If you are using Sterling External Authentication Server, you identify the Sterling External Authentication Server to use in the adapter definition. If you are using a remote perimeter server, you identify the perimeter server to use in the adapter definition.
  • Netmap—define a netmap to identify the trading partners authorized to communicate through Sterling Secure Proxy and the company servers where connections are made.
    • For a Sterling Connect:Direct® netmap, create a node definition for all Sterling Connect:Direct nodes that will communicate through Sterling Secure Proxy. The node definition identifies the IP address and port to be used by the node and the policy to associate with the node. If SSL or TLS security is required for the connection, configure the protocol options in the node definition. You can also enable node-level logging in the node definition.
    • For HTTP and FTP netmaps, define an inbound node definition for trading partner connections from outside the company. The inbound node definition identifies the IP address or address pattern to allow for the connection and the policy to associate with the node. If SSL or TLS security is required, configure the protocol options in the node definition. You can also enable node-level logging in the inbound node definition.
    • For HTTP and FTP netmaps, define an outbound node for every company server to which Sterling Secure Proxy will connect. An outbound node definition identifies the address and port used to connect to the company server and enables SSL or TLS if this is required. You can also enable node-level logging and failover support in the outbound node definition.
    • For SFTP netmaps, define an inbound node definition for trading partner connections from outside the company. The inbound node definition identifies the IP address or address pattern to allow for the connection and the policy to associate with the node. You can also enable node-level logging in the inbound node definition.
    • For SFTP netmaps, define an outbound node for every company server to which Sterling Secure Proxy will connect. An outbound node definition identifies the address and port used to connect to the company server, the known host key that is used to authenticate the company server to Sterling Secure Proxy, and the cipher suites and MACs used to secure the connection. You can also enable node-level logging and failover support in the outbound node definition.
  • Policy—define a policy to identify the security features to implement for an inbound node definition or a Sterling Connect:Direct node definition.
    • In all protocol policies, you can enable the capability to authenticate the inbound connection and identify what user ID and password to use to connect to the secure company server.
    • For FTP, HTTP, and Sterling Connect:Direct policies, you can enable the capability to authenticate certificate information using Sterling External Authentication Server.
    • In an HTTP policy, you can enable the capability to block commonly occurring HTTP exploits.
    • In a Sterling Connect:Direct policy, you can enable the capability to send a warning message or stop a session if a protocol error occurs, as well as prevent a Sterling Connect:Direct node from performing a runtask, runjob, copystep, or submit step function.
    • In an SFTP policy, you identify the method required to authenticate the inbound connection. Authentication methods supported are key, password, password or key, and password with security code.
  • Sterling External Authentication Server—a separately installed feature of Sterling Secure Proxy, Sterling External Authentication Server allows you to validate digital certificates passed by the client or trading partner during SSL/TLS session requests. You can also validate certificates against one or more certificate revocation lists (CRLs), and validate certificates based on a valid date range. See the Sterling Secure Proxy documentation library for more information.
    Sterling External Authentication Server can be configured to validate certificates and authenticate users. The functions performed by Sterling External Authentication Server are defined in a Sterling External Authentication Server definition. Sterling External Authentication Server performs one or more of the following functions:
    • Certificate Validation
    • Certificate Revocation List (CRL)—certificate revocation checking using a certificate revocation list (CRL)
    • Multi-factor Authentication
    • Certificate Policy Enforcement
    • LDAP Authentication
    • User ID mapping—remote trading partners can be given IDs and passwords that do not provide access to internal systems. The ID and password presented by the trading partner are mapped to an ID and password that can then access the internal system.
    • Tivoli Access Manager Authentication
    • Generic Authentication

    Before you can use Sterling External Authentication Server with Sterling Secure Proxy, you must configure Sterling External Authentication Server definitions in Sterling Secure Proxy. Then, when configuring policies and protocol adapters, you select these server definitions. You can also select security features available in Sterling External Authentication Server such as certificate authentication, user authentication, and user mapping. Refer to the Sterling External Authentication Server documentation library for more information.
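The netmap and policy bullets above describe a decision chain: an inbound node's address pattern decides whether a trading partner connection is accepted at all and which policy governs it, the policy restricts what the session may do (for example blocking Sterling Connect:Direct runtask, runjob, copystep or submit steps), and outbound nodes are tried in order for failover, with an SFTP outbound node pinning the company server's known host key. The following Python is an added illustration of that chain written for this page; it is not Sterling Secure Proxy's own API or configuration format, and every class, function, address and key blob in it is a constructed assumption.

```python
"""Illustrative model of netmap and policy evaluation as described in the
architecture overview. Hypothetical example code, not Sterling Secure Proxy's
own API or configuration format; names and sample data are constructed."""
import fnmatch
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Policy:
    name: str
    protocol: str                               # "cd", "ftp", "http" or "sftp"
    authenticate_inbound: bool = True           # all protocol policies
    block_http_exploits: bool = False           # HTTP policies only
    blocked_cd_steps: frozenset = frozenset()   # C:D policies only
    sftp_auth_method: Optional[str] = None      # SFTP policies only


@dataclass
class InboundNode:
    name: str
    address_pattern: str   # exact IP, wildcard such as "192.0.2.*", or CIDR
    policy: Policy

    def matches(self, client_ip: str) -> bool:
        """CIDR patterns use ipaddress; anything else is a literal/wildcard match."""
        if "/" in self.address_pattern:
            net = ipaddress.ip_network(self.address_pattern, strict=False)
            return ipaddress.ip_address(client_ip) in net
        return fnmatch.fnmatchcase(client_ip, self.address_pattern)


@dataclass
class OutboundNode:
    name: str
    host: str
    port: int
    known_host_key_sha256: Optional[str] = None  # SFTP only: pinned server key


def select_inbound_node(netmap: List[InboundNode], client_ip: str) -> Optional[InboundNode]:
    """First inbound node whose pattern matches; None means the connection is refused."""
    for node in netmap:
        if node.matches(client_ip):
            return node
    return None


def cd_step_allowed(policy: Policy, step: str) -> bool:
    """C:D policy check: a blocked runtask/runjob/copystep/submit step is denied."""
    return step.lower() not in policy.blocked_cd_steps


def select_outbound(nodes: List[OutboundNode],
                    reachable: Callable[[OutboundNode], bool]) -> Optional[OutboundNode]:
    """Failover: try outbound nodes in the order listed, return the first reachable one."""
    for node in nodes:
        if reachable(node):
            return node
    return None


def host_key_fingerprint(public_key_blob: bytes) -> str:
    return hashlib.sha256(public_key_blob).hexdigest()


def sftp_server_key_ok(node: OutboundNode, presented_key_blob: bytes) -> bool:
    """Authenticate the company server: its presented key must match the pinned known key."""
    if node.known_host_key_sha256 is None:
        return False  # no pinned key configured: refuse rather than trust on first use
    return hmac.compare_digest(host_key_fingerprint(presented_key_blob),
                               node.known_host_key_sha256)


# Constructed sample configuration using documentation-range addresses.
CD_POLICY = Policy("cd-partners", "cd",
                   blocked_cd_steps=frozenset({"runtask", "runjob", "submit"}))
HTTP_POLICY = Policy("http-partners", "http", block_http_exploits=True)
NETMAP = [
    InboundNode("partnerA", "203.0.113.10", CD_POLICY),
    InboundNode("partnerB-range", "198.51.100.0/24", HTTP_POLICY),
    InboundNode("partnerC-wild", "192.0.2.*", HTTP_POLICY),
]
SAMPLE_HOST_KEY = b"ssh-ed25519 CONSTRUCTED_SAMPLE_KEY_BLOB"  # constructed, not a real key
SFTP_SERVERS = [
    OutboundNode("sftp-primary", "10.0.0.5", 22, host_key_fingerprint(SAMPLE_HOST_KEY)),
    OutboundNode("sftp-standby", "10.0.0.6", 22, host_key_fingerprint(SAMPLE_HOST_KEY)),
]

if __name__ == "__main__":
    node = select_inbound_node(NETMAP, "198.51.100.77")
    print("policy:", node.policy.name if node else "refused")
    print("runtask allowed:", cd_step_allowed(CD_POLICY, "runtask"))
    chosen = select_outbound(SFTP_SERVERS, lambda n: n.host == "10.0.0.6")
    print("outbound:", chosen.name if chosen else "none reachable")
```

The ordering of the inbound node list matters in this model because the first match wins, so a broad wildcard or CIDR entry placed before a narrower one would capture connections the narrower entry was meant to govern; keeping specific entries first mirrors how a practitioner would review a netmap for unintended policy assignments. The SFTP check deliberately refuses a server with no pinned key instead of accepting whatever key is presented.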