3

Our application suite includes a procurement platform that transmits purchase orders via FTP to dozens of vendors. Until now, this application has run on one server so these FTP transmissions have originated from one IP address. Over the years many vendors have white-listed this one IP address on their internal networks. Our infrastructure is growing and we need to host this aspect of our application on more than one server and therefore FTP transmissions would be sent to these vendors from new IP addresses. Our fear is that if we make this move, transmissions will begin to fail as transmissions are denied by the vendors' firewalls, etc. If possible, we would like to avoid coordinating this sort of move with each vendor due to the number of vendors and varying reliability of their IT resources.

We are currently researching FTP proxying, but I was wondering what other options we may have. I'm sure there are other SaaS shops out there that have come across similar issues and I would love to hear how they've approached them.

thanks!

adam
  • 31
  • 1
  • 4

4 Answers

4

If you set up your firewall to NAT all the servers to the one IP address you would be able to keep the single public-facing IP but host the services on multiple FTP servers. You would do this with a Dynamic NAT on a Cisco:

! one permit entry per internal FTP server that should share the public address
access-list DNAT-FTP permit <first ip> <subnet>
access-list DNAT-FTP permit <second ip> <subnet>
access-list DNAT-FTP permit <...> <...>
access-list DNAT-FTP permit <last ip> <subnet>
! translate every source matched by the ACL to the single public IP on the outside interface
static (DMZ,outside) <ip to nat to> access-list DNAT-FTP
Zypher
  • 36,995
  • 5
  • 52
  • 95
3

I would just bite the bullet, frankly. You don't want to be relying on your old address space forever.

Start testing against your vendors from the new address space as early as possible. You shouldn't need to simulate much more than a login and directory listing, if IP whitelisting is your concern.

Get onto the case of vendors that explicitly fail the tests. Make the rest aware of the change, even if the test succeeded. When you're happy that all the tests are passing then you can proceed with renumbering.

We're a SaaS shop ourselves. But the difference is that we procure PI address space directly from the RIRs ourselves and don't really have any processes like you describe.

It might be relevant if you stated the relationship between the vendors, your clients and yourselves. For instance it could be a bit more tricky if the service contract is by proxy of your clients, as it would require them to chase up the change requests on your behalf. However if you make it professionally clear that the changes must be completed on time in order for you to deliver the clients the level of service they expect then there shouldn't be any problems.

Dan Carley
  • 25,189
  • 5
  • 52
  • 70
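The testing step this answer recommends (log in and list a directory at each vendor from the new address space, then chase the ones that fail and notify the rest) can be scripted. The following is an added example, not code from the answer or from the original poster's application: it uses ftplib's source_address parameter to bind the control connection to the address under test, records which stage (connect, login, list) a vendor failed at, and sorts vendors into "chase" and "notify" lists. All IPs, hostnames and credentials are constructed sample values, and SimulatedVendorFTP is a constructed stand-in for ftplib.FTP that models a vendor-side IP whitelist so the script runs offline; against real vendors pass the default ftplib.FTP factory and load credentials from a secrets store.

```python
"""Pre-cutover FTP reachability check: log in and list a directory at each
vendor from a chosen local source address, so vendors whose whitelist does not
yet include the new address are identified before the move."""
import ftplib
from dataclasses import dataclass

# Constructed sample data (hypothetical addresses, hosts and credentials; not
# from the page). In practice load credentials from a secrets store.
OLD_IP = "198.51.100.10"   # address vendors have whitelisted for years
NEW_IP = "203.0.113.20"    # address the additional server will send from
VENDORS = [
    {"name": "vendor-a", "host": "ftp.vendor-a.example", "user": "po", "password": "secret"},
    {"name": "vendor-b", "host": "ftp.vendor-b.example", "user": "po", "password": "secret"},
    {"name": "vendor-c", "host": "ftp.vendor-c.example", "user": "po", "password": "wrong"},
]


@dataclass
class CheckResult:
    name: str
    ok: bool
    stage: str    # where the check ended: "connect", "login", "list" or "done"
    detail: str


def check_vendor(vendor, source_ip, connect=ftplib.FTP, timeout=15):
    """Connect, log in and list from `source_ip`; report the stage that failed.

    `connect` is an ftplib.FTP-compatible factory; it is injectable so the
    check can be run against a simulated vendor offline.
    """
    name = vendor["name"]
    try:
        # source_address binds the control connection to the address under test
        ftp = connect(timeout=timeout, source_address=(source_ip, 0))
        ftp.connect(vendor["host"], 21)
    except ftplib.all_errors as exc:          # includes OSError (refused, timeout)
        return CheckResult(name, False, "connect", str(exc))
    try:
        ftp.login(vendor["user"], vendor["password"])
    except ftplib.all_errors as exc:
        return CheckResult(name, False, "login", str(exc))
    try:
        ftp.set_pasv(True)   # passive mode: the data connection is also outbound
        entries = ftp.nlst()
    except ftplib.all_errors as exc:
        return CheckResult(name, False, "list", str(exc))
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            pass
    return CheckResult(name, True, "done", f"{len(entries)} entries listed")


def run_checks(vendors, source_ip, connect=ftplib.FTP):
    return [check_vendor(v, source_ip, connect) for v in vendors]


def triage(results):
    """Vendors to chase (failed) versus vendors only to notify (passed)."""
    chase = [r.name for r in results if not r.ok]
    notify = [r.name for r in results if r.ok]
    return chase, notify


# --- Constructed stand-in for ftplib.FTP, modelling vendor-side IP whitelists ---
WHITELISTS = {
    "ftp.vendor-a.example": {OLD_IP, NEW_IP},   # vendor already added the new address
    "ftp.vendor-b.example": {OLD_IP},           # vendor still allows only the old one
    "ftp.vendor-c.example": {OLD_IP, NEW_IP},
}


class SimulatedVendorFTP:
    def __init__(self, timeout=None, source_address=None):
        self.source_ip = source_address[0] if source_address else None

    def connect(self, host, port=21):
        if self.source_ip not in WHITELISTS.get(host, set()):
            raise ConnectionRefusedError(f"{host}: {self.source_ip} not whitelisted")

    def login(self, user, passwd):
        if passwd != "secret":
            raise ftplib.error_perm("530 Login incorrect")

    def set_pasv(self, flag):
        pass

    def nlst(self):
        return ["PO_1001.edi", "PO_1002.edi"]

    def quit(self):
        pass


if __name__ == "__main__":
    for ip in (OLD_IP, NEW_IP):
        results = run_checks(VENDORS, ip, connect=SimulatedVendorFTP)
        chase, notify = triage(results)
        print(f"from {ip}: chase {chase}, notify {notify}")
        for r in results:
            print(f"  {r.name:<9} {'OK ' if r.ok else 'FAIL'} at {r.stage}: {r.detail}")
```

Recording the stage matters for the follow-up: a failure at "connect" from the new address but success from the old one points at the vendor's whitelist, whereas a failure at "login" from both addresses (vendor-c in the sample) is a credential problem that renumbering will not fix. Run the same checks from the old address first so the two result sets can be compared.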
2

One potential solution might be to provide your service to clients via VPN tunnels. It would require a change, but once you implement the tunnel, you can make server-side changes at will.

duffbeer703
  • 20,077
  • 4
  • 30
  • 39
0

If the server is Linux, you can use iptables to NAT as another external IP address.

xeon
  • 3,796
  • 17
  • 18