You have several options for how you configure EFT Server in your network architecture. Some common deployment scenarios are described below. If none of these scenarios exactly meets your needs, GlobalSCAPE's Professional Services team can work with you to design a custom architecture, assist with installation and initial configuration, and help you create custom scripting, Event Rules, Commands, and external user databases.
EFT Server in the Demilitarized Zone (DMZ)
In the most basic deployment scenario, both end users and business partners (clients) communicate with EFT Server as it resides in your organization's demilitarized zone (DMZ). All authentication directory service requests and data storage occur inside the DMZ.
EFT Server can be configured to forward all received data to the back-end network to mitigate the risks associated with storing it in the DMZ. This architecture, commonly known as store and forward, means that data only resides in the DMZ temporarily before it is offloaded to a back-end system for processing or storage. This store-and-forward architecture requires a hole to be punched through the firewall in west-to-east fashion, a deviation from security best practices. This architecture is the one most commonly employed by competitors to GlobalSCAPE’s Server solution.
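The firewall exception that store and forward depends on can be found by auditing the rule set for allow rules whose source may be a DMZ host and whose destination is in the back-end network. The following is an added example, not GlobalSCAPE code; the zone ranges, rule names, addresses, and ports are constructed for illustration, and the check looks at allow rules only, without modelling rule ordering.

```python
import ipaddress

# Constructed zone layout (assumption, not from the product documentation).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

# Constructed rule set: (name, source CIDR, destination CIDR, port, action).
# Ports and addresses are illustrative only.
RULES = [
    ("clients-to-dmz-sftp", "0.0.0.0/0", "192.0.2.10/32", 22, "allow"),
    ("dmz-forward-to-backend", "192.0.2.10/32", "10.20.0.5/32", 445, "allow"),
    ("internal-admin-to-dmz", "10.20.0.0/16", "192.0.2.10/32", 8443, "allow"),
    ("dmz-to-internal-default", "192.0.2.0/24", "10.0.0.0/8", None, "deny"),
]


def dmz_initiated_allows(rules, zones=ZONES):
    """Return allow rules whose source can be a DMZ host and whose
    destination lies in the internal network."""
    findings = []
    for name, src, dst, port, action in rules:
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # overlaps() also catches broad sources such as 0.0.0.0/0,
        # which include the DMZ even though they do not name it.
        if src_net.overlaps(zones["dmz"]) and dst_net.overlaps(zones["internal"]):
            findings.append((name, src, dst, port))
    return findings


if __name__ == "__main__":
    for name, src, dst, port in dmz_initiated_allows(RULES):
        print(f"REVIEW {name}: {src} -> {dst} port {port} (DMZ-initiated into internal)")
```

Each finding is a path that a compromised DMZ host could use to reach the back-end network, so it should be scoped to a single destination and port and monitored.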
EFT Server and DMZ Gateway Deployment
The ideal security solution is to implement a two-tier architecture comprised of EFT Server deployed behind the corporate firewall and the DMZ Gateway deployed inside the demilitarized zone. This setup is known as a streaming or pass-through configuration.
Hybrid Configuration 1: Server-to-Server Deployment
Various hybrid approaches exist, consisting of multiple servers in a variety of configurations for different business use cases. Take, for example, a scenario in which the majority of traffic is outbound push with occasional inbound pull, initiated by an automated script or batch process. In this scenario, data is generated behind the corporate firewall, then forwarded from one EFT Server to another EFT Server that resides in the DMZ for client pick-up, or directly from the back-end server to a destination server residing at the partner’s location.
The business need for placing EFT Server in the DMZ often stems from the need to pre- or post-process data as it moves through the DMZ, such as performing an anti-virus scan or an encryption procedure.
Hybrid Configuration 2: Two EFT Servers and a DMZ Gateway
In this hybrid deployment scenario, a client-initiated push and/or pull transaction is brokered through DMZ Gateway, and outbound push transactions are initiated by EFT Server, either from within the corporate firewall or from a Server residing in the DMZ. In this example, the partner is equipped with a file transfer server to service outbound push operations initiated by EFT Server.
Two EFT Servers and Two DMZ Gateways in a Server Cluster
In the architecture illustrated below, 2 EFT Servers and 2 DMZ Gateway Servers in a server cluster meet business continuity requirements that call for duplicated servers to provide a fail-over cluster.