Using OfficeNet Extra in combination with a connection via a gateway

OfficeNet connects to the ABN AMRO server using active FTP. If your internal network uses a gateway
(proxy server/firewall), adjustments to this gateway may be necessary.
General
Given the wide variety of gateway hardware and software, it is unfortunately impossible to indicate where in your
environment the necessary adjustments should be made. If making the changes to your gateway raises questions
or problems, ABN AMRO unfortunately cannot provide support. In such a case we will have to refer you to the
supplier of your gateway.
Attention: Contact your network administrator before changing settings on your gateway.
Explanation of active FTP
With active FTP a client connects to the command port of the server (port 21). For this the client uses a TCP port
with a port number higher than 1023. During communication the client listens on the TCP port that is 1 higher
than this command port, and it sends that port number to the server in the FTP command PORT.
The server then sets up a connection to the data port specified by the client, using its own local data port (TCP port
20).
[Diagram: active FTP between client and server, steps 1 to 4. Server: command port 21, data port 20. Client: command port 1026, data port 1027.]
In step 1 the command port of the client (here 1026) makes a connection to the command port of the server. After
the connection is established, the client sends the command PORT 1027 (the port number 1 higher than the command port).
The server sends an ACK (acknowledgement) to the command port of the client (step 2). In step 3 the server
makes a connection from its local data port to the data port specified by the client (here 1027). Finally the client sends
an ACK (acknowledgement) to the server (step 4). After this the data is transferred.
In this document the term gateway will be used.
Active FTP using a gateway and security
To use a gateway (proxy server/firewall) for setting up safe communication using active FTP,
the gateway should meet a number of requirements. First, the gateway should be able to handle active FTP sessions. On top of
that, the gateway should apply some intelligence in handling active FTP.
With active FTP, 'agreements' are made on which (source and data) ports to use and also on the (local and destination) IP
addresses to use. Using these agreements the gateway will accept traffic on the agreed data port. In other words, the
gateway should be able to distinguish a 'trusted' session on the basis of the ports and IP addresses specified by the
client. The gateway should be intelligent enough to open or close ports on the basis of the active FTP protocol. This is
further explained in the following diagram.
[Diagram: active FTP through a gateway, steps 1 to 8. Labels: (Bank)server, Gateway, Client (OfficeNet); command ports 21, 1026 and 1028; data ports 20, 1027 and 1029.]
If several gateways are used in a chain (for instance a proxy server and a separate firewall), all of them should meet
these requirements.
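The check a gateway has to make before it opens a data port, as an added example (not part of the original document and not ABN AMRO code). On the wire the PORT command carries the address and port as six numbers, h1,h2,h3,h4,p1,p2 (RFC 959), so port 1027 is sent as 4,3. The function names, the rule format and the addresses 10.0.0.5 and 192.0.2.10 are assumptions made for the illustration.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 as defined in RFC 959; the port is p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$", re.I)


def parse_port(line):
    """Return (ip, port) announced by a PORT command, or raise ValueError."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a well-formed PORT command")
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("field above 255")
    ip = ".".join(str(v) for v in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def pinhole_for(line, client_ip, server_ip):
    """Rule a gateway may open for this PORT command, or None to refuse it.

    client_ip is the peer address of the command connection; server_ip is
    the FTP server that connection goes to (both hypothetical parameters).
    """
    try:
        ip, port = parse_port(line)
    except ValueError:
        return None
    if ip != client_ip:
        return None  # data address is not the client that sent the command
    if port <= 1023:
        return None  # the client's data port is expected above 1023
    # Only the server's data port (20) may reach the announced client port.
    return {"src": server_ip, "sport": 20, "dst": ip, "dport": port}


if __name__ == "__main__":
    # Constructed values: client 10.0.0.5, server 192.0.2.10.
    for cmd in ("PORT 10,0,0,5,4,3\r\n", "PORT 10,0,0,9,4,3\r\n",
                "PORT 10,0,0,5,0,80\r\n"):
        print(repr(cmd), "->", pinhole_for(cmd, "10.0.0.5", "192.0.2.10"))
```

The returned rule is what the gateway should close again once the data connection ends or the command connection is dropped.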
Limitations
It will not be possible to set up communication to the ABN AMRO FTP servers in the following situations:
• A username and password need to be specified on the gateway.
• The gateway uses 1 IP address but multiple port numbers for address translation to the Internet; this is also called
PAT (Port Address Translation) or NAT-overload.
Possible exceptions
DNS-problems
If DNS look-up is not possible through your gateway, the IP address of the bankservers should be entered in OfficeNet
Direct instead of the URL. This can be done using the following instruction.
Start the module OfficeNet Direct, select <Settings> and then <Advanced>.
Note! In order to make the changes you need to log on as superuser.
Change the settings in the field server addresses using the table below.
                                  | URL                     | Change to IP-address
Server addresses                  | viaebt.eb.abnamro.com   | 193.172.44.45
                                  | viaebt1.eb.abnamro.com  | 194.151.107.44
Software Update Server addresses  | iigprod1.eb.abnamro.com | 193.172.44.78
                                  | iigprod2.eb.abnamro.com | 194.151.107.76
Note: ABN AMRO does not recommend using IP addresses instead of the URL of bankservers, as IP addresses may
change over time.
Routing problems
General
When a gateway does not use NAT (Network Address Translation) a number of alterations are necessary. Changes need
to be made to the gateway as well as to OfficeNet Direct.
Changes to the gateway
Configure the gateway to use port forwarding using unused ports. Note! The selected ports cannot be used for other
communication in the internal network. A minimum of two free ports needs to be available to be able to distinguish the
bankserver and the update server. Create the following rules for port forwarding on the gateway (1):
• Create a rule where all FTP traffic that is received from the internal network through port X is redirected to the
bankserver through port 21.
• Create a rule where all FTP traffic that is received from the internal network through port Y is redirected to the
bankserver through port 21.
An important condition is that the gateway should have a fixed IP address. If on the internal network DHCP is used for
dynamically assigning IP addresses, a fixed IP address should be assigned to the gateway being used for
communication with the bank.
(1) In this document the free ports used are named X (for communication with the bankservers) and Y (for
communication with the software update servers). Replace X and Y with values for available ports on your network.
Changes in OfficeNet Direct
In OfficeNet Direct the IP address of the gateway should be entered as address for the bankservers and software update
servers.
Start the module OfficeNet Direct, select <Settings> and <Advanced>. Change the
entries for server addresses and Software update servers using the table below.
                                  | URL                     | Change to IP address
Server addresses                  | viaebt.eb.abnamro.com   | 0.0.0.0
                                  | viaebt1.eb.abnamro.com  | 0.0.0.0
Software Update Server addresses  | iigprod1.eb.abnamro.com | 0.0.0.0
                                  | iigprod2.eb.abnamro.com | 0.0.0.0
The IP address used in the table (0.0.0.0) is an example value. Replace this value with the actual IP address for your
gateway.
Note: the gateway used for connecting to the software update servers should be the same as the one used for connecting
to the bankservers.
In OfficeNet Europe the ports used (X and Y in the example) also have to be specified. You can do this by making an
adjustment to the ebca.ini file.
Changes in ebca.ini
The file ebca.ini can be found in the data folder of your OfficeNet installation.
The following changes need to be made under the header [Transport Protocol]:
[Transport Protocol]
TPServerName=VIAEBT
TPServerPort=X
TPIIGPort=Y
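A consistency check between ebca.ini and the gateway's forwarding rules, as an added example (not part of the original document and not ABN AMRO code). It flags placeholders X and Y that were never replaced, identical ports, ports without a forwarding rule to port 21, and ports already in use. The function name, the rule format and the port values 2121 and 2122 are assumptions made for the illustration.

```python
import configparser

# Constructed sample: 2121 and 2122 stand in for the free ports X and Y.
SAMPLE_INI = """[Transport Protocol]
TPServerName=VIAEBT
TPServerPort=2121
TPIIGPort=2122
"""
# Constructed sample: gateway forwarding rules as (listen_port, destination_port).
SAMPLE_FORWARDS = [(2121, 21), (2122, 21)]


def check_ebca(ini_text, forwards, ports_in_use=()):
    """Return a list of problems; an empty list means the settings agree."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    if not cfg.has_section("Transport Protocol"):
        return ["missing [Transport Protocol] section"]
    section = cfg["Transport Protocol"]
    problems, ports = [], {}
    for key in ("TPServerPort", "TPIIGPort"):
        raw = section.get(key, "").strip()
        if raw.isascii() and raw.isdigit() and 1 <= int(raw) <= 65535:
            ports[key] = int(raw)
        else:
            # Also catches an X or Y placeholder that was never replaced.
            problems.append(f"{key}: not a TCP port number ({raw!r})")
    if len(ports) == 2 and ports["TPServerPort"] == ports["TPIIGPort"]:
        problems.append("TPServerPort and TPIIGPort must be two different ports")
    forwarded = dict(forwards)
    for key, port in ports.items():
        if forwarded.get(port) != 21:
            problems.append(f"{key}: gateway has no rule forwarding {port} to port 21")
        if port in ports_in_use:
            problems.append(f"{key}: port {port} is already used on the internal network")
    return problems


if __name__ == "__main__":
    print(check_ebca(SAMPLE_INI, SAMPLE_FORWARDS))
    print(check_ebca(SAMPLE_INI.replace("2121", "X"), SAMPLE_FORWARDS))
```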
Disclaimer: This document has been drafted with the highest possible care.
Nevertheless ABN AMRO cannot be held responsible for the correctness and completeness of the information
supplied.
No rights can be derived from any information in this document.
Before changes are made, careful consideration should be given to whether these changes comply with the security strategy for
your network. ABN AMRO will not accept any liability for damage caused by changes mentioned in this document.