Using OfficeNet Extra in combination with a connection via a gateway

OfficeNet connects to the ABN AMRO server using active FTP. If your internal network uses a gateway (proxy server/firewall), this means that adjustments to this gateway may be necessary. In this document the term gateway will be used.

General

Considering the wide variety of gateway hardware and software, it is unfortunately impossible to indicate where in your environment the necessary adjustments should be made. If performing the changes to your gateway raises questions and/or problems, ABN AMRO unfortunately cannot supply support. In such a case we will have to refer you to the supplier of your gateway.

Attention: contact your network administrator before changing settings on your gateway.

Explanation of active FTP

With active FTP a client connects to the command port of the server (port 21). The client uses a standard TCP port with a port number higher than 1023. During communication the client will listen on the TCP port that is 1 higher than the original port, and the FTP command PORT (with that port number, i.e. port + 1) is sent to the server. The server will then set up a connection to the data port specified by the client, using its own local data port (TCP port 20).

[Diagram: active FTP exchange. Client: 1026 Command, 1027 Data. Server: 21 Command, 20 Data. Steps 1 to 4.]

In step 1 the command port of the client (here 1026) makes a connection to the command port of the server. After establishing the connection, the client sends the command PORT 1027 (port number 1 higher than the command port). The server sends an ACK (acknowledgement) to the command port of the client (step 2). In step 3 the server makes a connection from its local data port to the data port specified by the client (here 1027). Finally the client sends an ACK (acknowledgement) to the server (step 4). After this the data will be transferred.
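The exchange described above, as an added Python example that is not part of the original document: it builds the PORT command the client sends (data port = command port + 1) in the RFC 959 format, where the document's "PORT 1027" is written out as four address octets plus two port bytes, parses it the way an FTP-aware gateway must, and models the check such a gateway makes before admitting the server's data connection from port 20. The client and server addresses are constructed sample values.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (address octets, then port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def build_port_command(client_ip: str, command_port: int) -> str:
    """Client side of step 1: announce the data port, which is command port + 1."""
    data_port = command_port + 1
    if not 1023 < data_port < 65536:
        raise ValueError("data port must be an unprivileged TCP port")
    return f"PORT {client_ip.replace('.', ',')},{data_port // 256},{data_port % 256}"


def parse_port_command(line: str):
    """Recover (ip, port) from a PORT line, as an FTP-aware gateway must do."""
    m = PORT_RE.match(line.strip())
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % line)
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


class ActiveFtpGateway:
    """Model of the 'intelligence' a gateway needs for active FTP: remember each
    PORT agreement seen on a command session and admit only the matching data
    connection coming from the server's port 20 (step 3 above)."""

    def __init__(self, server_ip: str):
        self.server_ip = server_ip
        self.pending = set()  # (client_ip, data_port) agreements not yet used

    def on_command(self, client_ip: str, line: str) -> bool:
        """Inspect a client->server command line; True if a PORT agreement was recorded."""
        ip, port = parse_port_command(line)
        # Only trust an announcement that names the session's own source address
        # and an unprivileged port; anything else is not a 'trusted' session.
        if ip != client_ip or port <= 1023:
            return False
        self.pending.add((ip, port))
        return True

    def allow_data_connection(self, src_ip, src_port, dst_ip, dst_port) -> bool:
        """Is this inbound server->client TCP connection the agreed data channel?"""
        if src_ip != self.server_ip or src_port != 20:
            return False
        if (dst_ip, dst_port) not in self.pending:
            return False
        self.pending.discard((dst_ip, dst_port))  # one data connection per agreement
        return True
```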
Active FTP using a gateway and security

In order to use a gateway (proxy server/firewall) to set up a secure way of communicating with active FTP, the gateway should meet a number of requirements. First, the gateway should support active FTP sessions. On top of that, the gateway should apply some intelligence in handling active FTP. With active FTP, 'agreements' are made on which (source and data) ports to use and on which (local and destination) IP addresses to use. Using these agreements, the gateway will accept traffic on the agreed data port. In other words, the gateway should be able to distinguish a 'trusted' session on the basis of the ports and IP addresses specified by the client. The gateway should be intelligent enough to open or close ports on the basis of the active FTP protocol. This is further explained in the following diagram.

[Diagram: active FTP via a gateway. Client (OfficeNet): 1026 Command, 1027 Data. Gateway, client side: 21 Command, 20 Data; gateway, server side: 1028 Command, 1029 Data. (Bank)server: 21 Command, 20 Data. Steps 1 to 8.]

If more gateways are used in a chain (for instance a proxy server and a separate firewall), all of them should meet these requirements.

Limitations

It will not be possible to set up communication to the ABN AMRO FTP servers in the following situations:
• A username and password need to be specified on the gateway.
• The gateway uses one IP address but multiple port numbers for address translation to the Internet; this is also called PAT (Port Address Translation) or NAT overload.

Possible exceptions

DNS problems

If DNS look-up is not possible through your gateway, the IP address of the bank servers should be entered in OfficeNet Direct instead of the URL. This can be done using the following instruction. Start the module OfficeNet Direct, select <Settings> and then <Advanced>. Note! In order to make the changes you need to log on as superuser. Change the settings in the field Server addresses using the table below.
Server addresses
  URL                        Change to IP address
  viaebt.eb.abnamro.com      220.127.116.11
  viaebt1.eb.abnamro.com     18.104.22.168

Software update server addresses
  URL                        Change to IP address
  iigprod1.eb.abnamro.com    22.214.171.124
  iigprod2.eb.abnamro.com    126.96.36.199

Note: ABN AMRO does not recommend using IP addresses instead of the URL of the bank servers, as IP addresses may change over time.

Routing problems

General

When a gateway does not use NAT (Network Address Translation), a number of alterations are necessary. Changes need to be made to the gateway as well as to OfficeNet Direct.

Changes to the gateway

Configure the gateway to use port forwarding on unused ports. Note! The selected ports cannot be used for other communication in the internal network. A minimum of two free ports needs to be available in order to distinguish the bank server and the update server. Create the following rules for port forwarding on the gateway (1):
• Create a rule where all FTP traffic received from the internal network through port X is redirected to the bank server through port 21.
• Create a rule where all FTP traffic received from the internal network through port Y is redirected to the bank server through port 21.

An important condition is that the gateway should have a fixed IP address. If DHCP is used on the internal network for dynamically assigning IP addresses, a fixed IP address should be assigned to the gateway used for communication with the bank.

(1) In this document the free ports used are named X (for communication with the bank servers) and Y (for communication with the software update servers). Replace X and Y with values for available ports on your network.

Changes in OfficeNet Direct

In OfficeNet Direct the IP address of the gateway should be entered as the address for the bank servers and software update servers. Start the module OfficeNet Direct, select <Settings> and <Advanced>. Change the entries for Server addresses and Software update server addresses using the table below.
Server addresses
  URL                        Change to IP address
  viaebt.eb.abnamro.com      0.0.0.0
  viaebt1.eb.abnamro.com     0.0.0.0

Software update server addresses
  URL                        Change to IP address
  iigprod1.eb.abnamro.com    0.0.0.0
  iigprod2.eb.abnamro.com    0.0.0.0

The IP address used in the table (0.0.0.0) is an example value. Replace this value with the actual IP address of your gateway. Note: the gateway used for connecting to the software update servers should be the same as the one used for connecting to the bank servers.

In OfficeNet Europe the ports used (X and Y in the example) also have to be specified. You can do this by making an adjustment to the ebca.ini file.

Changes in ebca.ini

The file ebca.ini can be found in the data folder of your OfficeNet installation. The following changes need to be made under the header [Transport Protocol]:

  [Transport Protocol]
  TPServerName=VIAEBT
  TPServerPort=X
  TPIIGPort=Y

Disclaimer: This document has been drafted with the highest possible care. Nevertheless ABN AMRO cannot be held responsible for the correctness and completeness of the information supplied. No rights can be derived from any information in this document. Before changes are made, careful consideration should be given to whether these changes comply with the security strategy for your network. ABN AMRO will not accept any liability for damage caused by changes mentioned in this document.