BOE inside and IIS out. How?

[CubicalRat]

After installing BOE XI R2 on a single machine within the firewall, how do I use IIS running on a different machine in the DMZ? Our web server is out in the DMZ. Our BOE box is running internally. How do I get the two to communicate? I do not want to install WAS on the web server out in the DMZ because this requires mulitiple ports to be opened for each BOE service. Rather, I would like to have the Web Application Server (WAS) communicate over the firewall to IIS running in the DMZ. How do I do that?

 

[hilfy]

If you look at Chapter 7 - Working with Firewalls - of the Administrator's Guide, there are complete instructions. You'll have to open some specific ports in your firewall. You'll also probably want to set the various BO component servers to use specific ports, otherwise the CMS will assign them to random ports when they start.

-Dell

A computer only does what you actually told it to do - not what you thought you told it to do.

 

[Turkbear]

Hi,
I believe that is CubicalRat's issue:The # of ports needed to be opened in the Firewall.
( our security folks won't hear of it..1 or 2 may be OK, but not all those that BOE needs)

In CE V10, only the WCS ( which no longer exists) needed to communicate through the firewall so only 2 ports were needed ( in and out - set by the command line for the WCS)
The WCA ( XI's method) seems to need all the servers' ports open both ways..






To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[hilfy]

We haven't yet installed our Production system where the web server is in the DMZ. However, the contractor I'm working with said that I need 4 ports, which makes sense because not all of the server components talk directly to the WCA, most of them go through the CMS.

I took the Administering Servers class from BO and several of the exercises had to do with the 'flow' through the system of specific types of requests. I just went back through the text from class and the only server that directly communicate with the WCA are the CMS, RAS, Connection Server, Desktop Intelligence Cache Server, Webi Report Server, and Crystal Cache Server. Since we're not using using DI or the Connection Server, we only need 4 ports.

-Dell

A computer only does what you actually told it to do - not what you thought you told it to do.

 

[CubicalRat]

Thanks for the responses. TurkBear is correct. We would like to keep the open ports to a minimum (preferably 1).

I have been dealing with customer support and they did make another suggestion that hasn't been discussed here. Here is what they had to say:

There are only two ways to do what you want regarding a firewall. The way that you are setting this up would require that those ports would be opened up. The other way is to put the WAS (IIS) internally and have an additonal IIS server on the outside that merely redirects requests to the internal web application server. We have documentation on the first method only. With the second way, you would not need the WCA or SDK installed on the outside server.

Has anyone ever redirected from one IIS to another? If so how is it done? Are there additional security issues?

 

[Turkbear]

Hi,
We use a Linux box in the DMZ ( running Apache) which uses a 'Reverse Proxy' connection to our internal BOE XI servers..Works great EXCEPT we cannot get the ActiveX viewer to work in this setup..( Java is fine, if no JRE conflicts, and DHTML works exactly the same as internal use)..



the ActiveX viewer plug-in fails to fully get installed
on External users client machines ( it appears) and, from our internal clients connecting through that Linux server, we need to log in to the CMS again to run the viewer...








To Paraphrase:"The Help you get is proportional to the Help you give.."