Create Policy, Netmap and Adapter in SSP for Dynamic Routing
The next is to configure Sterling Secure Proxy. There are 3 artifacts that needs to be created. First a Policy, next a Netmap, that uses the created Policy and at last an Adapter that uses the created Netmap. Everything in SSP is nested, and thus always hard to delete again since everything is referenced somewhere else…:) But that is another story…
Start by logging in to the Sterling Secure Proxy Configuration Manager User Interface.
The Policy is quite simple. Select Action -> New Policy… -> FTP Policy…
I give the Policy the name “FTP_Dynamic_Routing”.
In the “Advanced” Tab, select User Authentication “Through External Authentication”, and add the “External Authentication Profile” created in SEAS in the previous step. Select “Pass-through”.
The Netmap is he next step. Select Action -> New Netmap… -> FTP Netmap…
I give the Netmap the name “FTP_UserID_Netmap”.
Next is to create Inbound Node. In the “Inbound Node” tab, select “New”. I name it FTP_in, and set wildcard as “Peer Address Pattern”. Here it can be limited as you wish, but I allow anyone to connect. I link to the “FTP_Dynamic_Routing” policy created in the previous step. “Security” and “Advanced” tabs can be unchanged.
The Inbound Node is now created.
Select the “Outbound Nodes” tab, and click “New”. Name the Node “SB2BI”, and set the correct Destination Address and Port. In my case the FTP Service on SB2BI is listening on port 40032.
The “Security” Tab can be unchanged. In the “Advanced” tab, set the “Destination Service Name”. This is the name of your FTP Server Adapter in SB2BI.
Then SB2BI is configured as one of two Outbound Nodes. The second Outbound Node is the VSFTPD Server. Under the “Outbound Nodes” tab click “New” again, and add the VSFTPD Server as the other Node. My VSFTPD server is on the address ftp.demos.ibm.int and listen on port 21. The “Security” and “Advanced” tabs can be unchanged.
Now just save the Netmap.
The Netmap is now created.
And this is also what is important to get Dynamic Routing to work. The names of the Outbound Nodes need to be the exact same as the value in the “destinationIndicator” in the LDAP on each user.
The last step is to create the Adapter.
Click Action -> New Adapter -> FTP Reverse Proxy…
I name the Adapter “FTP_UserID_Adapter”. It listens to port 21, and uses the “FTP_UserID_Netmap” I created previously. I select to use “Dynamic Routing with Fallback” and select “VSFTPD” as Fallback. By doing so, VSFTPD is the server the user is directed to if there is no routing information in the LDAP. When migrating from an old to a new solution it might be a good idea to have the fallback to the old solution where you will know that the user has access.
The “Advanced” and “Properties” tabs can be unchanged. In the “Custom” tab I write a “Server Greeting Banner” and “Login Banner” just to be able to see the difference when logging in on the FTP Servers directly or through SSP when testing.
We are then finished with the configuration part. The only thing left now is to test if everything done in fact works as planned. That is done in the next chapter. Fingers crossed!