Relay Configuration

For security reasons, clients may wish to avoid exposing to the internet a machine that has direct access to the confidential assets being transferred. In this case, a Relay server can be used as a proxy sitting between the Jetstream server and the internet.

A Demilitarized Zone (DMZ) is a computer that has access to the internet but not to the private network. A firewall sits between the DMZ and the private network that forbids any incoming connections from being accepted into the private network, thereby preventing any would-be attackers from accessing this network, even if the DMZ should be compromised. By contrast, the firewall allows incoming connections to the DMZ from the private network.

Using the topology outlined in this article, a Relay server is run in the DMZ. Before sending or receiving assets, the Jetstream server in the private network is configured to route all data through this Relay. The Relay server simply forwards data from the Jetstream server to its external internet connection. Since all data is encrypted by the Jetstream server before it is sent to the Relay, the DMZ never has access to unencrypted assets. This topology works because the Jetstream server initiates the connection with the Relay and is therefore permitted through the firewall between the DMZ and the private network.

Single Relay

[Figure: single relay topology (jetstream-relay-single.png)]

Here, a relay is assigned in the DMZ in front of the Receiver. This allows clients to send files to the Receiver’s network, without exposing the Receiver’s file system or network to a public connection.

Receiver Relay

To start the Receiver Relay, specify the TCP control port to which the Receiver will connect:

[recv_relay]# jetstream relay_server --control-port=8887

Receiver

To start the Receiver, specify the hostname and TCP control port for the Receiver Relay.

[receiver]# jetstream server --recv-relay-host=recv_relay --recv-relay-port=8887 --recv-port=8886

Sender

The Sender is started without any special configuration:

[sender]# jetstream server

Transfer

To create a Destination for this configuration, specify the Receiver Relay hostname and Receiver UDP port.

>>> createDestination(destinationAddress='recv_relay', destinationPort=8886)
  • The destinationAddress must match the hostname or IP of the Receiver Relay.
  • The destinationPort must match the jetstream server --recv-port specified for the Receiver.

Note that the ‘relayAddress’ and ‘relayPort’ parameters are not specified for the Destination. These are specified only if a transfer is routed through a Sender Relay; this configuration does not use a Sender Relay.

Double Relay

[Figure: double relay topology (jetstream-relay-double.png)]

Here, a relay is assigned in the DMZ in front of each of the Sender and Receiver. This allows clients to send files to the Receiver’s network without exposing the file systems or networks of either the Sender or Receiver to a public connection.

Receiver Relay

To start the Receiver Relay, specify the TCP control port to which the Receiver will connect:

[recv_relay]# jetstream relay_server --control-port=8887

Receiver

To start the Receiver, specify the hostname and TCP control port for the Receiver Relay.

[receiver]# jetstream server --recv-relay-host=recv_relay --recv-relay-port=8887 --recv-port=8886

Sender Relay

To start the Sender Relay, specify the TCP control port through which a Destination will route a transfer:

[send_relay]# jetstream relay_server --control-port=8887

Sender

The Sender is started without any special configuration:

[sender]# jetstream server

Destination

To create a Destination for this configuration, specify the Receiver Relay hostname and Receiver UDP port. Additionally specify the hostname and control port for the Sender Relay.

>>> createDestination(destinationAddress='recv_relay', destinationPort=8886, relayAddress='send_relay', relayPort=8887)
  • The destinationAddress must match the hostname or IP of the Receiver Relay.
  • The destinationPort must match the jetstream server --recv-port specified for the Receiver.
  • The relayAddress must match the hostname or IP of the Sender Relay.
  • The relayPort must match the jetstream relay_server --control-port specified for the Sender Relay.
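
The "must match" rules for both topologies can be checked before a transfer is attempted. The following is an added example, not part of Jetstream: `check_relay_config` and its helpers are hypothetical names, and the check only compares the command lines and Destination arguments shown on this page as literal strings.

```python
import shlex

def parse_flags(command):
    """Collect the --name=value options from a jetstream command line."""
    flags = {}
    for token in shlex.split(command):
        if token.startswith("--") and "=" in token:
            name, value = token[2:].split("=", 1)
            flags[name] = value
    return flags

def same(a, b):
    """True only when both values are present and equal as strings."""
    return a is not None and b is not None and str(a) == str(b)

def check_relay_config(recv_relay_host, recv_relay_cmd, receiver_cmd, destination,
                       send_relay_host=None, send_relay_cmd=None):
    """Return the list of mismatches; an empty list means the pieces line up."""
    relay, receiver = parse_flags(recv_relay_cmd), parse_flags(receiver_cmd)
    problems = []
    if not same(receiver.get("recv-relay-host"), recv_relay_host):
        problems.append("--recv-relay-host does not name the Receiver Relay")
    if not same(receiver.get("recv-relay-port"), relay.get("control-port")):
        problems.append("--recv-relay-port differs from the Receiver Relay --control-port")
    if not same(destination.get("destinationAddress"), recv_relay_host):
        problems.append("destinationAddress does not name the Receiver Relay")
    if not same(destination.get("destinationPort"), receiver.get("recv-port")):
        problems.append("destinationPort differs from the Receiver --recv-port")
    if send_relay_cmd is None:
        # Single relay: relayAddress/relayPort must be left out of the Destination.
        if "relayAddress" in destination or "relayPort" in destination:
            problems.append("relayAddress/relayPort set without a Sender Relay")
    else:
        sender_relay = parse_flags(send_relay_cmd)
        if not same(destination.get("relayAddress"), send_relay_host):
            problems.append("relayAddress does not name the Sender Relay")
        if not same(destination.get("relayPort"), sender_relay.get("control-port")):
            problems.append("relayPort differs from the Sender Relay --control-port")
    return problems

# Constructed sample: the double relay layout with this page's host names and ports.
DOUBLE_OK = check_relay_config(
    "recv_relay", "jetstream relay_server --control-port=8887",
    "jetstream server --recv-relay-host=recv_relay --recv-relay-port=8887 --recv-port=8886",
    dict(destinationAddress="recv_relay", destinationPort=8886,
         relayAddress="send_relay", relayPort=8887),
    "send_relay", "jetstream relay_server --control-port=8887")
# Constructed sample: single relay with a misspelled host and a stray relayPort.
SINGLE_BAD = check_relay_config(
    "recv_relay", "jetstream relay_server --control-port=8887",
    "jetstream server --recv-relay-host=recv-relay --recv-relay-port=8887 --recv-port=8886",
    dict(destinationAddress="recv_relay", destinationPort=8886, relayPort=8887))
```

Because the comparison is textual, a relay named by hostname in one place and by IP address in another is reported as a mismatch even if both resolve to the same machine.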