Implementing One Primary Function per Server with Serv-U
One Function Per Server
If your security policy, PCI-DSS, or operations require you to implement one primary function per server, Serv-U® MFT Server can support you. The most common segmentation is to split Serv-U’s folder-based secure file transfer (e.g., SFTP) and ad hoc secure file sharing onto two separate systems.
One Primary Function per Server Diagrams
Secure file transfer and file sharing on separate servers.
Single-function servers with a shared Serv-U Gateway.
Single-function servers with their own Serv-U Gateways.
One Primary Function per Server Best Practices
The practice of implementing only one function per server came about after servers became inexpensive enough to dedicate to key functions. Operations embraced the practice because it meant that servers would avoid having multiple applications competing for the same resources; security teams embraced it because it reduced the chance that other applications would expose key processes to additional vulnerabilities.
The phrase itself is enshrined in the credit card industry’s PCI-DSS regulations as requirement 2.2.1: "Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)". The practice is also codified in the information security policies of many organizations, such as the University of Connecticut's "implement only one primary function per server requirement".
In the file transfer industry, "secure file transfer" (using secure FTP and other protocols to access remote folders through authenticated user accounts) and "ad hoc file sharing" (allowing end users to send and request files with people of their choice) are often considered to be different functions.
Common concerns with commingling these file transfer functions include mixing time-sensitive file transfer processes with user content, resource contention, and planning orderly outages for upgrades. Fortunately, Serv-U MFT supports separating file transfer and file sharing functions onto separate servers when circumstances, regulations, or policy require one primary function per server.
Implementing One Primary Function per Server
To implement one primary function per server, Serv-U MFT Server is generally deployed in one of three different ways:
The first type of deployment involves only two servers: one for folder-based secure file transfer (e.g., SFTP) and the other for secure ad hoc file sharing. These servers are often deployed in a DMZ segment and both servers often access the same Active Directory® (AD) at the same time. The secure file transfer server often uses local storage but may also use remote sharing across a firewall. The secure file sharing server typically uses only local storage because all Serv-U File Sharing files are stored in a common folder.
The second type of deployment involves three servers: the two Serv-U servers described above, plus one common Serv-U Gateway server to safely terminate connections in the DMZ. In this deployment, both Serv-U MFT Servers may be safely deployed in the internal network so that connections to shared storage or AD need not traverse any firewalls.
The third type of deployment involves four servers: the two Serv-U servers described above, plus dedicated Serv-U Gateway servers for each Serv-U MFT Server.
All of these deployments are supported.