DMZ Gateway Server Configuration File (gwconfig.xml) Reference
The DMZ Gateway Server configuration file, gwconfig.xml, contains the main configuration settings governing communications through the DMZ Gateway Server.
The configuration file is in XML format and its contents are verified against a document type definition (DTD) file, gwconfig.dtd.
Typically, the configuration items specified in gwconfig.xml will be edited via the DMZ Gateway administration interface. However, it is possible to edit the configuration settings using a text editor. Additionally, some advanced configuration items are not available via the DMZ Gateway administration interface and thus will require manual editing to configure.
Changes made to the configuration via manual editing will not take effect until the DMZ Gateway Server is restarted. Thus, the following steps should be followed:
- Edit the gwconfig.xml file using a text editor.
- Save changes to the file.
- Restart the DMZ Gateway Server.
- Verify that the DMZ Gateway Server has started and that no ERROR or FATAL messages are present in the DMZGatewayServer.log diagnostics log file.
Configuration Validation
During startup, the DMZ Gateway Server will load the configuration file and validate its structure against the definition in the DTD file. It will also validate the various data constraints governing each element. If the configuration file format is invalid or the configuration violates any constraints, the DMZ Gateway Server will log an appropriate error message in the diagnostics log DMZGatewayServer.log and shut down.
Configuration Elements
Please refer to the DTD file for the valid structure of the configuration file. The following describes the configuration elements available in the gwconfig.xml file.
- ConfigurationVersion
- AdminPort
- AdminPortEnabled
- VerboseLoggingEnabled
- GlobalPNCKeepalivePeriod
- StatisticsLoggingEnabled
- StatisticsLoggingPeriod
- Profiles
  - Profile
    - ProfileName
    - ServerIP
    - ServerPort
    - ClientIP
    - PNCKeepalivePeriod
    - NetworkAccessPolicy
      - DefaultAccessPolicy
      - GrantPolicyExceptions
        - Exception
      - DenyPolicyExceptions
        - Exception
ConfigurationVersion
The internal version number used to track the configuration file format. Do not edit.
AdminPort
The DMZ Gateway administration interface communicates with the DMZ Gateway Server via a local-only TCP/IP communications port to conduct administrative tasks. This configuration item specifies the port to use for this communication path. This setting is not configurable via the user interface and must be edited manually.
Valid values: 0 to 65525.
Setting the port to 0 instructs the operating system to randomly select an available port from its ephemeral port range.
Setting the port to 1 through 65535 specifies an exact port. Care should be taken to ensure the specified port is not already in use on the system.
Default value: 0
AdminPortEnabled
The DMZ Gateway administration interface communicates with the DMZ Gateway Server via a local-only TCP/IP communications port to conduct administrative tasks. This configuration item allows the user to disable this communication path. Note that disabling the administration port will prevent use of the DMZ Gateway Administration Interface. The DMZ Gateway Server inherently only allows local connections via the administration port. This setting provides an additional level of security by allowing the operator to disable the administration port altogether once initial configuration has been completed. This setting is not configurable via the user interface and must be edited manually.
Valid values:
true - enable the administration port.
false - disable the administration port.
Default value: true
VerboseLoggingEnabled
Enables or disables verbose log messages in the DMZ Gateway Server communications activity log file, DMZActivity.log. This setting is configurable via the user interface.
Valid values:
true - enable verbose log output.
false - disable verbose log output.
Default value: false
GlobalPNCKeepalivePeriod
When a Peer Server application, such as EFT, is connected to the DMZ Gateway Server via a Peer Notification Channel, keepalive functionality is used to verify that the communications channel is valid and alive. The keepalive functionality verifies the validity of the channel by periodically sending a message to the peer server and verifying that it receives a reply. This setting governs how often this check is performed for all Profiles. This setting is not configurable via the user interface and must be edited manually.
Valid values: 1 to 2^63 - 1, in milliseconds.
Default value: 30000 (30 seconds)
StatisticsLoggingEnabled
The DMZ Gateway Server is capable of periodically logging statistical information to a statistics log file. This setting enables this logging functionality. This setting is not configurable via the user interface and must be edited manually.
Valid values:
true - enable statistics logging.
false - disable statistics logging.
Default value: false
StatisticsLoggingPeriod
This setting governs how often the current set of statistics within the DMZ Gateway Server is recorded in the statistics log file. This setting is not configurable via the user interface and must be edited manually.
Valid values: 1 to 2^63 - 1, in milliseconds.
Default value: 300000 (5 minutes)
Profiles
This element encloses 0 to 15 Profile elements. If no Profiles are specified in the configuration file, the DMZ Gateway Server will automatically create a default Profile during startup. If more than 15 Profiles are defined, the DMZ Gateway Server will log the error during startup and subsequently shut down.
Profile
This enclosing element contains the configuration items defining a Profile. Profiles are configurable via the administration interface.
ProfileName
This is the name of the enclosing Profile. The name must be unique among all defined Profiles. If the name is not unique, the DMZ Gateway Server will log the error during startup and subsequently shut down. Profile names are configurable via the administration interface.
Valid values: 1 to 260 alphanumeric characters.
Default value: Profile
ServerIP
This is the IP address of a local network adapter on which to listen for connections from peer servers on a Peer Notification Channel. Server listener IPs are configurable via the administration interface.
Valid values: All or a specific IP address. When "All" is specified, the DMZ Gateway Server will listen on all IP address/port combinations on the local computer that are not already in use.
Default value: All
ServerPort
This is the port to use with the IP address(es) specified in the ServerIP element to fully define the IP address:port combination on which to listen for connections from peer servers. Server listener ports are configurable via the administration interface.
Valid values: 0 to 65535. When set to 0, the operating system will randomly select an available port from its ephemeral port range.
Default value: 44500
ClientIP
This is the IP address of a local network adapter on which to listen for connections from clients. Client listener IPs are configurable via the administration interface.
Valid values: All or a specific IP address. When "All" is specified, the DMZ Gateway Server will listen on all IP address/port combinations on the local computer that are not already in use.
Default value: All
PNCKeepalivePeriod
This element allows optional overriding of the GlobalPNCKeepalivePeriod on a per-Profile basis. This setting is not configurable via the user interface and must be edited manually.
Valid values: 1 to 2^63 - 1, in milliseconds.
Default value: 30000 (30 seconds)
NetworkAccessPolicy
This enclosing element contains the configuration settings for the IP access policy used to validate connections to the Peer Notification Channels of the enclosing Profile. The Network Access Policies for each Profile are configurable via the administration interface.
DefaultAccessPolicy
This is the policy to use by default when validating connections to the Peer Notification Channels of the enclosing Profile. The Default Access Policy for each Profile is configurable via the administration interface.
Valid values:
Grant - by default all connections will be granted access.
Deny - by default all connections will be denied access.
Default value: Grant
GrantPolicyExceptions
This element encloses 0 or more Exception elements that act as exceptions to the Grant All policy; thus, they define what will be denied access. A maximum of 100 Exception elements may be defined. If more than 100 are defined, the DMZ Gateway Server will log the error during startup and subsequently shut down. The Grant Policy Exceptions for each Profile are configurable via the administration user interface.
DenyPolicyExceptions
This element encloses 0 or more Exception elements that act as exceptions to the Deny All policy; thus, they define what will be granted access. A maximum of 100 Exception elements may be defined. If more than 100 are defined, the DMZ Gateway Server will log the error during startup and subsequently shut down. The Deny Policy Exceptions for each Profile are configurable via the administration user interface.
Exception
This element defines an exception to the enclosing policy type. Exceptions are implemented as IP address masks, which are matched against the IP address of a connecting peer server. The exceptions are configurable via the administration interface.
Valid values: IP address masks matching IPv4 or IPv6 addresses.
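To make the startup validation and the Profile access-policy semantics described above concrete, the following added example (not Globalscape's code) audits a constructed gwconfig.xml for the documented limits and evaluates a connecting peer address against a Profile's NetworkAccessPolicy. Because the page does not reproduce the DTD, the <Configuration> root element, the exact nesting and CIDR-style notation for the Exception masks are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment. Element names come from the page; the
# <Configuration> root, the exact nesting and CIDR-style masks are assumptions.
SAMPLE_XML = """<Configuration>
  <AdminPortEnabled>true</AdminPortEnabled>
  <Profiles><Profile>
    <ProfileName>Profile</ProfileName>
    <NetworkAccessPolicy>
      <DefaultAccessPolicy>Deny</DefaultAccessPolicy>
      <DenyPolicyExceptions>
        <Exception>10.1.0.0/16</Exception><Exception>fd00::/8</Exception>
      </DenyPolicyExceptions>
    </NetworkAccessPolicy>
  </Profile></Profiles>
</Configuration>"""
ROOT = ET.fromstring(SAMPLE_XML)

def policy(profile):
    """Return (DefaultAccessPolicy, parsed Exception networks) for one Profile element."""
    default = profile.findtext("NetworkAccessPolicy/DefaultAccessPolicy", "Grant").strip()
    tag = "GrantPolicyExceptions" if default == "Grant" else "DenyPolicyExceptions"
    nets = [ipaddress.ip_network(e.text.strip(), strict=False)
            for e in profile.findall(f"NetworkAccessPolicy/{tag}/Exception")]
    return default, nets

def audit(root):
    """Check the documented constraints plus the hardening note; empty list means pass."""
    findings = []
    if root.findtext("AdminPortEnabled", "true").strip() == "true":
        findings.append("AdminPortEnabled is true: disable once initial configuration is done")
    profiles = root.findall("Profiles/Profile")
    names = [p.findtext("ProfileName", "").strip() for p in profiles]
    if len(set(names)) != len(names):
        findings.append("ProfileName values are not unique")
    for name, p in zip(names, profiles):
        default, nets = policy(p)
        if len(nets) > 100:
            findings.append(f"{name}: more than 100 Exception elements")
        if default == "Grant" and not nets:
            findings.append(f"{name}: Grant with no exceptions admits any peer address")
    return findings

def peer_allowed(profile, peer_ip):
    """Apply a Profile's policy to one peer address: a matching Exception inverts the default."""
    default, nets = policy(profile)
    addr = ipaddress.ip_address(peer_ip)
    matched = any(addr.version == n.version and addr in n for n in nets)
    return matched if default == "Deny" else not matched
```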
File Location
For new installs, the configuration file is created the first time the DMZ Gateway Server is started. When the configuration file is created, the corresponding DTD file is also created. By default, the configuration and DTD files are created in the DMZ Gateway installation directory. However, to facilitate sharing of configuration data in high availability clustered installs, an alternate shared data location may be specified.
Shared Configuration Location
An alternate shared data location may be specified either during the installation process or by subsequently editing the DMZGatewayServerService.conf file.
To specify the shared data location:
- Edit the <Installation Directory>\conf\DMZGatewayServerService.conf file using your preferred text editor.
- Locate the following line in the file:
  set.DMZ_SHARED_CONFIG_DIRECTORY=""
- Edit the line and enter the shared data location within the quotes, for example:
  On Windows: set.DMZ_SHARED_CONFIG_DIRECTORY="\\jupiter\DataShare\DMZGateway"
  On Solaris/Linux: set.DMZ_SHARED_CONFIG_DIRECTORY="/export/share/dmzgateway"
- Save the changes to the file.
- If you want to reuse the settings in the existing gwconfig.xml configuration file, move the file to the new location.
Ensure that the permissions under which the DMZ Gateway Server service/daemon runs allow the process to access the specified shared configuration directory.
Note that the DMZ Gateway Server will automatically (re)generate the gwconfig.dtd DTD file in the specified shared data location. Additionally, for convenience, the file will also be generated in the installation directory.