FileCatalyst products are designed to solve file transfer problems. Our acceleration protocol solves one of the biggest—that of speed. But speed is only a factor when a connection can be made. What if network policies prevent transfers over UDP or FTP?
FileCatalyst's Tunneling Servlet is an optional component for FileCatalyst Direct† that adds the ability for transfers to “fail over” to HTTP, ensuring successful transfer.
The Tunneling Servlet is also fully compatible with third-party FTP servers, providing the same failover and Gatekeeper benefits to organizations who are using FTP servers, with or without the addition of a FileCatalyst Server.
In short, the Tunneling Servlet allows the client to transfer over HTTP. Such connections are permitted by virtually any organization with policies allowing internet access. The purpose is to make connections when other protocols or required ports are blocked on either the client or server side, or to add a layer of security by allowing the Servlet to be a “gatekeeper”.
The servlet is deployed within a “servlet container” such as Apache Tomcat, WebSphere or Jetty. The container itself might be on the same machine as FileCatalyst Server, but is also commonly installed on a web server on the same network. The servlet therefore serves as a proxy between the outside HTTP connection and the FileCatalyst Server on the inside, hence the “tunnel”. The servlet can also tunnel any standard FTP/FTPS traffic and can be connected to any other FTP/FTPS Server.
Client-Side Policy (restricted to HTTP by client network):
The company with the FileCatalyst Server has a variety of end-users. While many are able to connect using UDP, certain clients are restricted in which protocols they may use for sending and receiving data over the internet. The Tunneling Servlet is deployed on the same network as the FileCatalyst Server to enable all clients to successfully connect.
Server-Side Policy (restricted to HTTP by organization with FileCatalyst Server):
The company with the FileCatalyst Server is primarily interested in FileCatalyst's range of file transfer management features, and themselves restrict UDP and FTP at the protocol or port levels. Adding the Tunneling Servlet allows the company to take advantage of features like automatic scheduling, bandwidth restrictions, and incremental delta transfers, while limiting traffic to HTTP.
Tunneling Servlet adds a layer of security to your server, acting as a gatekeeper to prevent unauthorized access. It not only controls access to your server's functionality, but also mitigates the risk of exploits such as buffer overflows, FTP bounce, and a number of other potential attacks. There are two key features of Tunneling Servlet that will help you secure any FTP server: The first is that it is built using the Java platform, so it is not susceptible to the same types of attacks as programs written in C/C++. This is explained in further detail below. The second is that the socket connections, and the commands used to communicate with an FTP server are between the Servlet and the FTP Server, instead of from arbitrary clients directly to the server. The Tunneling Servlet ensures that only proper FileCatalyst or FTP commands actually make it to the FileCatalyst or FTP Server.
To translate from HTTP requests to FileCatalyst or FTP commands, Tunneling Servlet uses a parameter scheme. Actual commands sent are not a 1:1 mapping from the request parameters. Each command and its arguments are sent to Tunneling Servlet via an HTTP GET or HTTP POST. The parameters are parsed and—using a set of predetermined rules—used to construct the corresponding commands. Because of this design, Tunneling Servlet will not understand arbitrary commands and will not forward them to the server. These commands are discarded, and the client making the request will simply receive an empty reply. The Servlet also controls the instantiation of data connections to and from the Server. Thus a user cannot execute an arbitrary PASV or PORT command against the FileCatalyst or FTP server.
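The allowlist-style translation described above, as an added illustration that is not FileCatalyst's code: the parameter names (`cmd`, `arg`), the set of mapped verbs and the argument check are all assumptions made for the example. Requests whose `cmd` is not in the table, including PASV and PORT, produce no command at all, and an argument carrying a line break is rejected so one parameter cannot become two command lines on the control channel.

```python
"""Model of a parameter-to-command translation layer with a fixed allowlist.

Constructed for illustration; not the Tunneling Servlet's real scheme.
"""
import re
from typing import Dict, Optional

# Request "cmd" values that may be translated, the FTP verb each maps to,
# and whether that verb requires an argument. Anything not listed is dropped.
# Data-channel verbs (PASV, PORT) are deliberately absent: the proxy itself
# decides how data connections are opened.
COMMAND_RULES: Dict[str, tuple] = {
    "login":  ("USER", True),
    "passwd": ("PASS", True),
    "cwd":    ("CWD",  True),
    "list":   ("LIST", False),
    "get":    ("RETR", True),
    "put":    ("STOR", True),
    "delete": ("DELE", True),
}

# One argument is one line: no CR, LF or NUL, bounded length.
_ARG_OK = re.compile(r"[^\r\n\x00]{1,1024}")


def translate(params: Dict[str, str]) -> Optional[str]:
    """Return the FTP command line to forward, or None if the request is discarded."""
    rule = COMMAND_RULES.get(params.get("cmd", ""))
    if rule is None:
        return None                      # unknown command: client gets an empty reply
    verb, needs_arg = rule
    arg = params.get("arg")
    if not needs_arg:
        return f"{verb}\r\n"             # any stray argument is ignored
    if arg is None or not _ARG_OK.fullmatch(arg):
        return None                      # missing, oversized or multi-line argument
    return f"{verb} {arg}\r\n"


if __name__ == "__main__":
    # Constructed sample requests as the servlet might parse them from GET/POST.
    for req in ({"cmd": "cwd", "arg": "/incoming"},
                {"cmd": "list"},
                {"cmd": "PASV"},
                {"cmd": "get", "arg": "a.txt\r\nLIST"}):
        print(req, "->", repr(translate(req)))
```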
In addition, because of the nature of the Java platform, parameters cannot be formulated in a way to cause buffer overflows. C and C++ programmers often use pointer arithmetic to manipulate strings and arrays. However, Java programmers need not resort to this low-level manipulation, because the Java programming language provides high-level abstractions for both strings and arrays. Arrays are bounds-checked at compile-time and at run-time. Strings are immutable: when memory is allocated for a string, and its contents are initialized, from that point on, the string cannot be altered. When a string variable is assigned a new value, the system creates a new string object, and assigns it to the variable. The string itself is not changed. This feature inherent to all Java applications protects the Tunneling Servlet from the types of attacks that exploit buffer overflows.
In order to further protect your FileCatalyst or FTP Server, it is recommended that it be configured to only allow connections from addresses within a trusted internal network that includes the Tunneling Servlet. It is also recommended that the application server only permit access to the Tunneling Servlet using the HTTPS protocol. This ensures all communication from the end user to the servlet is encrypted using SSL.
† The Tunneling Servlet is also an included component of FileCatalyst Workflow, FileCatalyst Webmail, and the SDK. The Tunneling Servlet is not available for FileCatalyst Express.