there are no GCS processes actively listening on ports 50000 - 51000. Connections on the data channel are initiated only at the start of a data transfer task and are closed at the completion of the transfer. Ports are picked out of that range and used only as needed for inbound data transfers, and are not otherwise listened on by GCS. This is important because it means that not all 1001 ports are actively listening, which substantially changes the security posture.
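The claim above, that ports in the 50000-51000 range are only bound while a transfer is running, can be verified on a GCS host. This added example (not from the thread or from Globus) parses `ss -Hltnp` output and reports any port in that range that actually has a listener; the sample socket table, process names and PIDs are constructed for the example.

```python
import re
import subprocess

# Data-transfer port range described in the thread.
DATA_PORT_RANGE = (50000, 51000)

# Constructed sample of `ss -Hltnp` output (no header line); the
# process names and PIDs are made up for this example.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("httpd",pid=1201,fd=4))
LISTEN 0 128 [::]:50123 [::]:* users:(("stray-svc",pid=4242,fd=6))
LISTEN 0 128 127.0.0.1:51000 0.0.0.0:* users:(("stray-svc",pid=4242,fd=7))
"""

_LINE = re.compile(r"^\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+(?P<rest>.*)$")
_PROC = re.compile(r'"(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_listeners(ss_output):
    """Return a list of (port, process_name, pid) for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        # Local address is host:port; split on the last colon so IPv6 works.
        port = int(m.group("local").rsplit(":", 1)[1])
        p = _PROC.search(m.group("rest"))
        name, pid = (p.group("name"), int(p.group("pid"))) if p else ("?", 0)
        listeners.append((port, name, pid))
    return listeners


def listeners_in_range(ss_output, lo=DATA_PORT_RANGE[0], hi=DATA_PORT_RANGE[1]):
    """Map every listening port inside [lo, hi] to its owning process."""
    return {port: (name, pid) for port, name, pid in parse_listeners(ss_output)
            if lo <= port <= hi}


def live_ss_output():
    """Read the real socket table; fall back to the sample if ss is unavailable."""
    try:
        return subprocess.run(["ss", "-Hltnp"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_SS_OUTPUT


if __name__ == "__main__":
    found = listeners_in_range(live_ss_output())
    if not found:
        print("no listeners in the data-transfer range (expected when idle)")
    for port, (name, pid) in sorted(found.items()):
        print(f"port {port} is listened on by {name} (pid {pid})")
```

On an idle GCS host the live run should report nothing in the range; a persistent listener there during no transfer is worth investigating.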
Hi Spencer,
mTLS—which is enabled through the “Encrypt Transfer” transfer option—does not change the ports that are used. Globus will still choose one of the data-transfer ports (normally 50000-51000) for the transfer.
As Alan mentioned, all connections from Globus Connect Personal to Globus Connect Server are outbound connections. But, it sounds to me like your Security folks are firewalling outbound connections. Is my guess correct?
~ Karl
Yes, outbound connections are firewalled. They are concerned about malicious services using open unmonitored ports for data exfiltration in the event of a breach. I'm not in a position to argue about the likeliness of that scenario.
As a compromise they have agreed to whitelist servers that we want to connect to. This is a hassle, but at least it seems to be working.
-Spencer