I have a technical challenge with allowing outbound Globus sessions that pass through our firewall. Whilst we have been able to bypass Deep Packet Inspection for our DTNs, our GCP endpoints throughout our institution are unable to send data due to a technical limitation.
Our Internet Firewall has TLS certificate verification enabled (as recommended), which we have discovered sends a look-ahead probe when it encounters a TLS connection.
Whilst this has no impact on normal web servers that continuously serve an unlimited number of requests/connections, this is not the case for Globus Grid FTP.
Unfortunately, the Grid FTP Data Channel only opens a certain number of connections (as set by the concurrency/parallelism Globus settings) and as communicated via the Globus control channel. We have discovered the Globus Grid FTP server terminates the connection once the 4 or 8 data channel connections have been consumed. In our instance, the Firewall look-ahead probe that is retrieving the certificate for inspection also consumes a TCP Grid FTPD Data session, resulting in the Globus Grid FTP server terminating before the GCP client connections are fully established.
My question is: this appears to be an architectural limitation. We have worked around this with the outbound DTN sessions by whitelisting our Globus DTNs. But for normal user desktops that have GCP installed, I don't see a way around this issue.
Has anyone else run into this problem and can offer any suggestions? I saw another post here where outbound firewall rules were in place and the solution was to whitelist selected GCP endpoints (specifically instruments with fixed addresses).
Does anyone else have any silver bullet that may help us offer general outbound GCP across our environment?
Rgds
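The slot-exhaustion mechanism described in the post, as an added illustration that is not part of the original post and is not Globus or GridFTP code: a constructed model of a data-channel listener that accepts exactly `parallelism` TCP connections and then stops listening (an assumption standing in for the "terminates the connection once the data channel connections have been consumed" behaviour). A short-lived probe connection that never carries data still occupies one slot, so one of the real streams cannot be established.

```python
import socket
import threading

def data_channel_listener(parallelism):
    """Constructed model of a data-channel listener: it accepts exactly
    `parallelism` TCP connections, acknowledges each, then closes the listening
    socket. Any accepted connection, even one that sent nothing, uses a slot."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(16)
    port = lsock.getsockname()[1]

    def serve():
        for _ in range(parallelism):
            conn, _addr = lsock.accept()
            conn.settimeout(1.0)
            try:
                conn.recv(64)        # a probe that already closed yields b""
                conn.sendall(b"OK")
            except OSError:
                pass
            finally:
                conn.close()
        lsock.close()                # slots consumed: no more data channels

    threading.Thread(target=serve, daemon=True).start()
    return port

def open_stream(port, label):
    """Client side of one data-channel stream; True if the listener acknowledged it."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
            s.sendall(label)
            return s.recv(2) == b"OK"
    except OSError:                  # refused or reset once the listener is gone
        return False

def simulate_transfer(parallelism, probe_first):
    """Number of streams established out of the `parallelism` the client opens."""
    port = data_channel_listener(parallelism)
    if probe_first:
        # The firewall look-ahead probe: a TCP connection that is closed without
        # ever becoming a data channel. It still occupies one of the slots.
        socket.create_connection(("127.0.0.1", port), timeout=2.0).close()
    return sum(open_stream(port, b"STREAM-%d" % i) for i in range(parallelism))

if __name__ == "__main__":
    print("without probe:", simulate_transfer(4, False))  # 4
    print("with probe:   ", simulate_transfer(4, True))   # 3
```

Running it shows why an allow-list for the data-channel port range (the DTN workaround in the post) avoids the problem: with the probe exempted, every announced stream finds a free slot.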