KB Article #163747
Streaming (Edge <--> Backend communication) setup in ST 5.2.x and later
Problem
Initial configuration of Streaming (Edge to Backend and vice versa) communication in ST 5.2.x and later releases.
Resolution
The Edge to Backend communication in ST 5.2.x was completely redesigned and with a brand new architecture compared to previous ST versions. It introduces the Network Zones concept which allows one or multiple Edge servers to be grouped in a "zone", so all of the inbound and outbound traffic to go through it. The existence of several Zones provides the opportunity to have multiple DMZ's, for intranet and Internet traffic for example.
Additionally the streaming in 5.2.x and above is entirely outbound from Backend's perspective. This means that no inbound ports have to be opened in the firewall between the Edge and Backend. In previous versions of ST the streaming was in the reverse direction - from the Edge to the Backend, and if you are upgrading from an older version, additional reconfiguration would be required to accommodate the new connection flow.
To initially configure such a setup follow the steps below:
Certificates exchange
Exchange the Internal CA's of Edge(s) and Backend(s). The process is described in details in KB 68337.
On the Backend node(s)
1. Configure the Streaming.TrustedAliases
parameter in the Admin UI -> Operations -> Server Configuration page. Put the alias of the Edge's CA cert in the way it was imported during the CA-exchange step.
2. Generate a new Local Certificate (under the Admin UI -> Setup -> Certificates -> Local Certificates page) which will be used only for the streaming.
3. Add a new Network Zone (for each Edge)
4. Configure the Zone.
- Put a Title, Description, notes
- Select the protocols which would be used for that Zone and put the corresponding IP address of the Edge. For SSL Key Alias set the alias of the certificate generated in step 2.
- Put the ports which are supposed to be used for outbound connection from the Backend to the Edge. These ports must be opened in the firewall between Edge and Backend, outbound.
- Make sure the streaming ports would be the same as you would configure it on the Edge later.
- IMPORTANT: Also take care to enable the proxy and set the port that is configured for the proxy service on the ST Edge (default on ST Edge is port 1080):
ST Edge Proxy port:
On the Edge node(s)
5. Configure the Streaming.TrustedAliases
parameter in the Admin UI -> Operations -> Server Configuration page. Put the alias of the Backend's CA cert in the way it was imported during the CA-exchange step.
6. Generate a new Local Certificate (under the AdminUI -> Setup -> Certificates -> Local Certificates page) which will be used only for the streaming.
7. Edit the Network Zone on the Edge and change the default "localhost" to the IP address of the Edge server itself.
8. Make sure that the ports for the services (FTP, HTTP, etc.) in the Zone are the same as the ports, which were configured for the Zone on the BE from step 4. For SSL Key Alias set the alias of the certificate generated in step 6.
9. Add the address of the Backend under the AdminUI -> Setup -> Allowed ST Servers page.
Bringing it all online
11. Restart all of the services (stop_all/start_all) on both Backend and Edge.
12. Wait at least 2 minutes for the TM to connect properly to the Edge. You should be good now and have a streaming up and running.
13. Tests
- For Client Initiated Transfers login using the address of the Edge and upload/download some files.
- For Server Initiated Transfers test configure a Transfer Site and select the corresponding Zone in the Transfer Site which the TM should use to go to the remote server. Pull or push a file with the Transfer Site.