Non-IBM Disclaimer

The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.

Thursday, May 3, 2018

DataPower as SFTP Gateway

DataPower is not only about HTTP traffic. In quite a few implementations, DataPower is used as a central SFTP gateway, providing a secured interface that allows external clients and partners to transfer files. In this post I'll briefly point out some of the main advantages of using DP for transferring files.

Some high-level security aspects of an SFTP solution on DataPower:
  1. SFTP (Secure File Transfer Protocol) piggy-backs on the SSH protocol, so the connection between client and server nodes is encrypted, protecting the transfer against eavesdropping and tampering.
  2. DP acts as a reverse proxy, terminating the incoming connection and thus preventing direct access to the destination server and internal network.
  3. The DP AAA feature can be used to authenticate the client's credentials and authorize the operation.
  4. ACL policies can be used to restrict which client IP addresses may access the service.
  5. Isolated tenants can be supported by using the Content Based Routing feature to implement dynamic routing, so the destination folder (and/or server) is determined and set separately for each transaction at runtime according to the request data. For example, if I log in with the "GOSHA" user id, the destination might be set to ftp://internalfss.com/external/GOSHA/.
  6. Files can be sent for inspection to one of the supported ICAP-enabled antivirus scanners.
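As an added example (not code from the post or from DataPower), here is the tenant-to-destination mapping that such dynamic routing performs, written as plain JavaScript. The GatewayScript integration (reading the authenticated user id from the AAA result and writing it to var://service/routing-url through the service-metadata module) is assumed and not shown, and BACKEND_BASE is taken from the post's example.

```javascript
// Added example (not from the post): derive the per-tenant backend URL that
// DataPower's dynamic routing would set for an authenticated SFTP user.
// In a GatewayScript action the user id would come from the AAA result and
// the URL would be written to var://service/routing-url via the
// service-metadata module (assumed integration; this helper is plain JS).

// Base of the internal file server, taken from the post's example.
const BACKEND_BASE = 'ftp://internalfss.com/external/';

// Accept only user ids made of letters, digits, '_' and '-'. This rules out
// '/', '\\' and '..', so an id can never resolve outside its own folder.
const SAFE_USERID = /^[A-Za-z0-9_-]{1,32}$/;

// Build the tenant destination. Returns null when the id must be rejected;
// the caller should then fail the transaction rather than fall back to a
// shared default folder.
function tenantRoutingUrl(userId, base = BACKEND_BASE) {
  if (typeof userId !== 'string' || !SAFE_USERID.test(userId)) {
    return null;
  }
  // The id is used exactly as authenticated (no case folding). With a
  // case-insensitive backend such as IIS, also avoid on-boarding two ids
  // that differ only by case, since the backend would merge their folders.
  return base + userId + '/';
}

// Stricter variant: only on-boarded tenants from an explicit allow-list are
// routed; anyone else is rejected even if the id is well-formed.
function routeTenant(userId, onboardedTenants, base = BACKEND_BASE) {
  const url = tenantRoutingUrl(userId, base);
  if (url === null || !onboardedTenants.has(userId)) {
    return null;
  }
  return url;
}
```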
Some tips regarding the implementation:
  1. Usually you would use a Multi-Protocol Gateway with an SFTP Front Side Handler. The backend could be a regular (S)FTP server. If the backend is based on IIS, you might want to set "Directory Listing Style" to "UNIX"; otherwise connected clients might have issues listing files.
  2. If not already set up, it is good practice to have dedicated Ethernet interfaces for each network, i.e. an "INTERNAL" interface and an "EXTERNAL" interface, with corresponding Host Aliases.
  3. AAA should be configured at the SFTP Front Side Handler level, not as part of the processing policy.
  4. Make sure you allow processing of empty messages.
  5. Don't forget to adjust the maximum message size, since the default is only 4 MB.
This is not a step-by-step guide, and many configuration steps weren't outlined since a lot depends on the security policy and business requirements. By implementing this integration pattern, organizations gain the ability to quickly on-board new SFTP clients, bring new business to the company in a fast and agile way, and utilize the already existing central file transfer infrastructure.

Feel free to reach out if you have any questions.