Sterling Secure Proxy

For further security of your Sterling Connect:Direct® network, you can use IBM® Sterling Secure Proxy as an application proxy in your DMZ. When used as a reverse proxy, Sterling Secure Proxy ensures that the node has the authority to connect. If the node is authorized, the proxy provides a session break and establishes a new connection to connect to the Sterling Connect:Direct node inside the company.

As a forward proxy, it allows an internal node to connect to a Sterling Connect:Direct node outside of your secure environment. The internal node connects to the forward proxy in the DMZ. The forward proxy then sends connection information to the external Sterling Connect:Direct node. The session break ensures that the company node is protected and does not have a direct connection to the external node. The external Sterling Connect:Direct node is unaware that Sterling Secure Proxy is deployed and believes it is connecting to the internal Sterling Connect:Direct node.

Sterling Secure Proxy also provides user authentication to ensure that the external node is authorized to connect to Sterling Secure Proxy. As an extension of user authentication, you can use IBM Sterling External Authentication Server to make use of an external database, such as Active Directory or Lightweight Directory Access Protocol (LDAP), to perform Sterling Connect:Direct node authentication and certificate authentication.

Sterling Secure Proxy also provides the following security features:

SSL or TLS using certificates—Ensures that the connection between Sterling Secure Proxy and the internal and external nodes uses SSL or TLS.
Support for Hardware Security Modules (HSM)—Stores and protects your certificates.
Support for connection routing—Allows you to route incoming connections using the following methods:
- Direct Routing—Routes incoming connections directly to the trusted company server.
- PNODE routing—Allows the inbound node to determine what SNODE it connects to.
- Certificate-based routing—Allows Sterling Secure Proxy to determine the internal server to route the connection to, based on the distinguished name in the certificate.
Support for step injection—Allows you to insert Sterling Connect:Direct Process statements into the communications session with the SNODE independent of the PNODE Process statements. These injected statements can provide real-time notification of file delivery, invoke applications, run operating system jobs and commands, and submit other Sterling Connect:Direct Processes, all without the need to provide an exit program on the SNODE or without changing the PNODE Process. The results of these steps are logged in the statistics file of the SNODE.

In addition to providing proxy services for Sterling Connect:Direct, Sterling Secure Proxy also provides proxy support to for FTP, SFTP (SSH), HTTP, and HTTPS, allowing you to extend your managed file transfer enterprise to IBM Sterling B2B Integrator and IBM Sterling File Gateway.

IBM Sterling External Authentication Server

You can use Sterling External Authentication Server together with Sterling Secure Proxy to implement extended authentication and validation services for your IBM products. The Sterling External Authentication Server is a separate, GUI-configurable application that allows you to validate certificates against certificate revocation lists (CRLs). You can also configure multifactor authentication using SSL client certificates, SSH keys, user ID and password, and client IP address as factors. You can enable application outputs to allow you to map attributes, such as login credentials that are returned to a query, to outputs you specify.