- Type: Suggestion
- Resolution: Unresolved
- Component/s: Data Center - Other
Hello!
We would like to suggest Atlassian look into the possibility of a gateway for the Data Center products.
The use case for such a solution is to allow Atlassian Data Center customers to collaborate with external parties w/o the need to compromise their security posture by hosting Atlassian applications in a DMZ.
By gateway, we mean an Atlassian-aware forward and reverse proxy server.
Here is our idea for how such a gateway would work:
Start-up:
- The internally-hosted application (Jira, Confluence, Bitbucket, Bamboo) creates an outbound connection to the DMZ-hosted gateway application. This connection is used as a control channel for passing data between the two applications.
- The control channel provides proxy details (IP address and port mappings) to the gateway.
- The gateway starts up listeners on the designated IPs and ports for incoming traffic.
Reverse proxy mode:
- When an external application connects to a listener on the DMZ-hosted gateway, the gateway makes a request over the control channel to the application in the internal network.
- The internally-hosted application then creates a new outbound data channel to the gateway.
- This data channel is attached to a service (e.g. HTTP/s) and all traffic for that session is routed over this data channel.
- When the session is terminated, the corresponding data channel is removed.
Forward proxy mode:
- When the internally-hosted application needs to make an outbound connection, a request is made to the gateway with the address of the intended destination.
- The gateway establishes the connection to the destination and bridges it to the requesting application.
- The bridge does not reveal the identity or locations of the internal systems.
Regards,
-CET
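
The start-up and reverse proxy sequence described in the suggestion above, as an added example that is not part of the original post and is not Atlassian code. It assumes localhost sockets, a hypothetical line-based message format (`CTRL`, `OPEN <id>`, `DATA <id>`), hypothetical names (`Gateway`, `agent`, `pipe`), and a constructed one-line stand-in for the internal application.

```python
import asyncio, secrets
async def pipe(r, w):  # copy one direction until EOF, then close the far side
    while data := await r.read(4096):
        w.write(data)
        await w.drain()
    w.close()

class Gateway:  # DMZ side: accepts connections only, never dials the internal network
    def __init__(self):
        self.ctrl, self.pending = None, {}  # control writer; session id -> client streams
    async def on_agent(self, r, w):  # connections arriving from the internal agent
        kind, _, sid = (await r.readline()).decode().strip().partition(" ")
        if kind == "CTRL":
            self.ctrl = w  # start-up: control channel registered
        elif kind == "DATA" and (client := self.pending.pop(sid, None)):  # ids are single use
            await asyncio.gather(pipe(client[0], w), pipe(r, client[1]))
        else:
            w.close()  # unknown or replayed session id: refuse
    async def on_external(self, r, w):  # listener facing the external party
        if self.ctrl is None:
            return w.close()  # no agent registered: fail closed
        sid = secrets.token_hex(16)  # unguessable id binds the data channel to this client
        self.pending[sid] = (r, w)
        self.ctrl.write(f"OPEN {sid}\n".encode())

async def agent(gw_port, app_port):  # internal side: every connection is outbound
    cr, cw = await asyncio.open_connection("127.0.0.1", gw_port)
    cw.write(b"CTRL\n")
    async def data_channel(sid):
        gr, gw = await asyncio.open_connection("127.0.0.1", gw_port)
        gw.write(f"DATA {sid}\n".encode())
        ar, aw = await asyncio.open_connection("127.0.0.1", app_port)
        await asyncio.gather(pipe(gr, aw), pipe(ar, gw))
    tasks = set()  # keep references so running channels are not garbage collected
    while line := await cr.readline():  # one new outbound data channel per OPEN request
        tasks.add(asyncio.create_task(data_channel(line.split()[1].decode())))

async def demo():
    async def app(r, w):  # constructed stand-in for the internal application
        w.write(b"internal:" + await r.readline())
        w.close()
    gw = Gateway()
    srv = [await asyncio.start_server(h, "127.0.0.1", 0) for h in (app, gw.on_agent, gw.on_external)]
    app_p, agent_p, pub_p = (s.sockets[0].getsockname()[1] for s in srv)
    task = asyncio.create_task(agent(agent_p, app_p))
    while gw.ctrl is None:  # wait for the control channel before accepting a client
        await asyncio.sleep(0.01)
    r, w = await asyncio.open_connection("127.0.0.1", pub_p)
    w.write(b"ping\n")
    return await r.read()
```

In this sketch anything that can reach the agent-facing port can register as the control channel, so a deployment of the pattern would authenticate that connection (for example with mutual TLS) before accepting `CTRL`.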