Gateway

GoAnywhere Gateway is an enhanced reverse and forward proxy that gives organizations an additional layer of security for exchanging data with trading partners. With Gateway, file sharing services can be kept safely inside your private network, without exposing sensitive data to your DMZ (Demilitarized Zone), and connections can be made to external systems on behalf of users in the private network.

Get a Quick Overview of GoAnywhere Gateway:

View our detailed brochure for more information.

Why GoAnywhere Gateway?

Alongside GoAnywhere Managed File Transfer, Gateway provides IT teams with many benefits:

  • Your file servers (e.g., FTPS, SFTP, HTTPS, and AS2) can be kept securely in your internal network. This allows you to keep inbound ports to your network closed, which is essential for complying with data security standards like PCI DSSHIPAA, HITECH, SOX, ISO 27000, and the GLBA.
  • Files can be safely shared with trading partners, users, clients, and vendors while avoiding having critical documents or files stored, even temporarily, in your DMZ.
  • As a forward proxy, Gateway can make connections to external systems on behalf of users and applications in the private network. This allows you to more easily manage file transfers from your firewall. Additionally, the identities and locations of your internal systems are hidden for better security.
  • GoAnywhere Gateway is a platform agnostic, software-only solution. Install it on WindowsLinux, AIX, UNIX, or other operating systems to enhance file security in whatever environment works best for you.
GoAnywhere Gateway Diagram

GoAnywhere Gateway Diagram

Quick GoAnywhere Gateway Features

  • No incoming ports need to be opened into the private network
  • User credentials, permissions, certificates, and keys are kept safe in the private network
  • Hides the locations and identities of internal systems
  • Services configurations are maintained/stored in the private network
  • Supports FTP, FTPS, SFTP, SCP, HTTP, HTTPS and AS2 file transfer protocols
  • Built-in load balancer to distribute workloads across multiple systems

In essence, when added to GoAnywhere MFT, GoAnywhere Gateway serves as a transparent interface between internal systems and external systems without exposing sensitive files or your private network.

For a better understanding of GoAnywhere Gateway, refer to the section on how it works.

Reverse and Forward Proxy - How it Works

GoAnywhere Gateway can serve as both a reverse and forward proxy. Typically GoAnywhere Gateway is installed in the demilitarized zone (DMZ) and GoAnywhere MFT is installed in the private/internal network.

At startup, GoAnywhere MFT creates an outbound connection to GoAnywhere Gateway, which is used as a "control channel" for passing commands and messages between the products. This control channel will initially provide the proxy details (IP and port mappings) to GoAnywhere Gateway, at which point it will start up "listeners" on the designated IPs and ports for incoming traffic.

Reverse Proxy

A reverse proxy is an intermediate connection point that serves as a gateway between users and your origin server. This type of proxy server retrieves files or other resources on behalf of a client. In the case of GoAnywhere Gateway’s reverse proxy, when an external client (trading partner) connects to a listener on GoAnywhere Gateway in the DMZ, GoAnywhere Gateway will make a request over the control channel to GoAnywhere MFT in the private/internal network. GoAnywhere MFT will then create a new outbound data channel to GoAnywhere Gateway. This data channel will be attached to the desired service (e.g. FTP, FTPS, SFTP, HTTP/s) and all traffic for that session will be routed over this new data channel including client authentication requests, data and commands. When the session is terminated, the corresponding data channel will be removed.

How It Works Diagram

How do reverse proxies work?

Forward Proxy

Similar to a reverse proxy, a forward proxy also serves as an intermediary between clients and servers; however, forward proxies filter connections going out (where reverse proxies filter connections coming in) from the internet to your servers.

The Forward Proxy in GoAnywhere Gateway allows you to route client requests from GoAnywhere MFT (in the private/internal network) to external FTP, FTPS, SFTP and SCP servers without revealing the identity or locations of your internal systems.  The Forward Proxy is additionally used by GoAnywhere MFT to route active and passive FTP and FTPS data connections through GoAnywhere Gateway.

When a process in GoAnywhere MFT needs to make an outbound connection through the proxy, a request is made to GoAnywhere Gateway with the address of the intended destination. GoAnywhere Gateway will then establish the connection to that destination and will bridge it to the requesting system.

Load Balancing

GoAnywhere Gateway can serve as a load balancer for distributing workloads across multiple GoAnywhere MFT installations within a cluster, as well as other systems within your network. If a system was to fail in the cluster, then GoAnywhere Gateway will send all new trading partner connections to the remaining systems in the cluster. This active-active framework provides greater high availability for mission-critical environments.

GoAnywhere Gateway Diagram

GoAnywhere Gateway Diagram

As a load balancer, GoAnywhere Gateway spreads connections evenly across the clustered systems. This load balancing algorithm is called "round-robin", which is a common load balancing standard.

FTP, FTPS and SFTP will use the round robin algorithm to load balance connections across the systems in the cluster. For each new connection from a trading partner, GoAnywhere Gateway will distribute that session to the next FTP/FTPS/SFTP server (in sequential order) within the cluster.

HTTP/S is a stateless protocol which also uses the round robin algorithm, however it can persist each connection (for a period of time) to the same HTTP/S server in order to maintain the integrity of the session. This is important because the user's HTTP/S session is typically only able to be serviced by a single HTTP/S server at a time.

PCI DSS and GoAnywhere Gateway

GoAnywhere Gateway is an important security component for protecting cardholder data and helping organizations to comply with the PCI DSS security standards. By allowing organizations to keep sensitive files and credentials out of the DMZ while not requiring inbound ports to be opened into the internal network, GoAnywhere Gateway is specifically useful for meeting the requirements in section 1.3 of the PCI DSS (text of the standard as follows).

1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
1.3.4 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)
1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties. Note: Methods to obscure IP addressing may include, but are not limited to:

  • Network Address Translation (NAT),
  • Placing servers containing cardholder data behind proxy servers/firewalls or content caches,
  • Removal or filtering of route advertisements for private networks that employ registered addressing,
  • Internal use of RFC1918 address space instead of registered addresses.

PCI DSSHelpSystems is a Participating Organization in the Payment Card Industry Security Standards Council (PCI SSC). As a member, HelpSystems receives training and provides review of existing standards or advance review of new standards or programs directly to the PCI SSC. HelpSystems is dedicated to the protection of payment card and other personally identifiable information while in motion and at rest through encryption, key management and secure file transport.