Introduction

IBM Aspera Proxy protects your organization’s network while enabling secure, high-speed FASP transfers to and from highly restrictive network environments. Built on top of the Linux kernel, it allows transparent pass-through of FASP transfer sessions across secure DMZs without impeding transfer speeds or compromising the security of your internal network.

IBM Aspera Proxy also supports load balancing, high availability, and flexible security policies. It consolidates FASP transfers in and out of a corporate network and enables precise control over which users can initiate transfers with remote Aspera transfer servers. With Proxy support built into all Aspera desktop and browser-based transfer clients, its configuration and use are straightforward for all your users.

IBM Aspera Proxy supports both forward (outbound) and reverse (inbound) proxy modes, allowing FASP transfers to be initiated by users who are either inside or outside the corporate network.

Forward Proxy

Forward proxy provides a secure way for users behind company network firewalls to initiate requests for FASP transfers of files that are on servers outside the firewall. It addresses the following customer use cases:

  • Limited-use Internet access: Your enterprise has security requirements that prevent you from deploying IBM Aspera Enterprise Server (or IBM Aspera Connect Server) inside your DMZ. Organizations often limit general Internet access for their employees, which can affect the FASP protocol even if used for legitimate business needs. IBM Aspera Proxy provides secure access to the Aspera transfer servers residing outside of your corporate network without exposing users’ IP addresses. It also enforces strict user authentication for Aspera clients that initiate connections to the outside servers.
  • Consolidation and control of FASP transfers: If you are an IT systems manager and want to establish better control and security around FASP transfers that your internal users initiate, IBM Aspera Proxy can fulfill your requirements without impeding the users’ experience. It provides a single point through which all FASP transfers flow in and out of your corporate network, hiding internal clients’ IP addresses and allowing you to control which users can initiate FASP transfers, without slowing down the speed of the transfers.

Reverse Proxy

Reverse proxy provides a secure way for users outside company network firewalls to initiate requests for FASP transfers from servers inside the firewall. It addresses the following customer use case:

  • Trusted partners need access to files on your servers: Customers want to allow users outside their company firewall to initiate FASP transfers to and from servers inside the company network.

Reverse proxy is usually deployed inside a DMZ, on top of a Linux-based server. Multiple proxy instances can also be launched on a server cluster, behind an enterprise-grade load balancer, forming a high-availability solution. Reverse proxy currently employs the same security model as IBM Aspera Enterprise Server and Connect Server, based on the SSHD service. As a result, no changes are needed on the client side. Once authenticated, the proxy server invokes one program: ascp_rproxy, which is in charge of bidirectional forwarding of SSH control traffic and FASP (UDP) traffic between the client and the internal server.

The ascp_rproxy program maintains an SSH connection with the ascp client when it is invoked by the SSHD service. A second SSH connection is set up between the proxy server and the internal Enterprise Server instance by means of a pre-installed SSH key. It then bridges the two SSH connections by forwarding incoming data from one connection to the other, in both directions. In order to forward FASP (UDP) traffic, the ascp_rproxy program on the proxy server sets up a dynamic network address translation (DNAT) rule using the Linux iptables kernel module. Because UDP forwarding is performed in the kernel by iptables rather than in user space, packets are forwarded at full speed with no reduction in transfer rate.
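Because the UDP leg of each reverse-proxied session depends on a DNAT rule in the kernel, a defender operating the proxy host will want to confirm that those rules are scoped to the connecting client rather than to any source address. The following auditor is an added example written for this page, not code from IBM Aspera or from ascp_rproxy. It parses the rule-spec form produced by `iptables -t nat -S` and flags DNAT rules whose source is missing or wider than a configurable prefix length. The sample rule lines, addresses and port numbers are constructed for illustration and do not reflect the exact rule that ascp_rproxy installs.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -t nat -S PREROUTING` output on a proxy host.
# These rules are made up for illustration; they are not captured from a real
# Aspera Proxy deployment and do not show ascp_rproxy's actual rule layout.
SAMPLE_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -s 203.0.113.5/32 -p udp -m udp --dport 33001 -j DNAT --to-destination 10.0.0.10:33001
-A PREROUTING -p udp -m udp --dport 33002 -j DNAT --to-destination 10.0.0.11:33001
-A PREROUTING -s 0.0.0.0/0 -p udp -m udp --dport 33003 -j DNAT --to-destination 10.0.0.12:33001
-A PREROUTING -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.13:22
"""


def parse_rule(line):
    """Turn one `iptables -S` rule line into a dict of the options we care about.

    Returns None for lines that are not append rules (chain policies, blanks).
    Only the options needed for the audit are extracted; others are skipped.
    """
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "src": None, "proto": None,
            "dport": None, "target": None, "to": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-s":
            rule["src"] = nxt
            i += 2
        elif tok == "-p":
            rule["proto"] = nxt
            i += 2
        elif tok == "--dport":
            rule["dport"] = int(nxt)
            i += 2
        elif tok == "-j":
            rule["target"] = nxt
            i += 2
        elif tok == "--to-destination":
            rule["to"] = nxt
            i += 2
        else:
            i += 1  # option we do not audit (e.g. "-m udp")
    return rule


def source_is_broad(src, max_prefix=24):
    """True when a rule has no source match, or its source network is wider
    than /max_prefix. Such a DNAT rule lets any host that can reach the proxy's
    UDP port be forwarded to the internal transfer server."""
    if src is None:
        return True
    net = ipaddress.ip_network(src, strict=False)
    return net.prefixlen < max_prefix


def audit_dnat_rules(text, max_prefix=24):
    """Return a list of findings for DNAT rules with an over-broad source.

    Each finding records the raw rule, its protocol and destination port, and
    the internal target so an operator can match it to a transfer session.
    """
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["target"] != "DNAT":
            continue
        if source_is_broad(rule["src"], max_prefix):
            findings.append({
                "rule": line,
                "proto": rule["proto"],
                "dport": rule["dport"],
                "to": rule["to"],
                "reason": "DNAT rule source is missing or wider than /%d" % max_prefix,
            })
    return findings


if __name__ == "__main__":
    for f in audit_dnat_rules(SAMPLE_RULES):
        print("%s/%s -> %s : %s" % (f["proto"], f["dport"], f["to"], f["reason"]))
```

In practice the input would come from `iptables -t nat -S PREROUTING` on the proxy host; a rule that survives after its transfer session has ended, or one whose source is the whole Internet, is the condition worth alerting on. The /24 threshold is an assumption for the example and should be set to match how narrowly the deployment's client addresses are known.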