BOE XI and Firewalls

[Turkbear]

Hi,
I find the docs on this to be less than helpful..

We currently have CE10 set up for External access by having the web server in our DMZ use a web connector to redirect all .csp pages to a web component server inside our firewall( using the -requestport xxxx on it to control the port used) - requiring only 2 ports to be opened.

In XI, there is no web connector ( nor .csp pages) and, if I understand the docs at all ( a real problematic issue), the WCA can be used to specify the CMS to connect to, BUT, a port must be opened for every service that needs to communicate.( Also the docs are very murky about where the WCA configuration is set in a simple (Non .NET) web server)
Our security folks are not happy about opening multiple ( maybe 5 or more) ports in the firewall ( they really were not happy about opening the 2 we now use )..

Is there any other way to configure this that would be as simple as the CE10 setup is?

( I love improvements that make things more dificult )
Thanks...







To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[KingfisherINC]

What is "a simple (Non .NET) web server"?

In the (good?) old days all the web traffic was passed though the WCS so only 2 ports needed. This also caused a bottle-neck.

Now there is the WCA and it is part of the Web Application Server (IIS, Tomcat, Websphere, Weblogic, etc). So all the servers that interact with the web tier need to have a port open. If you only use basic CR then you might be able to get away with CMS and Cache only.

An alternative would be to forward the request from your DMZ web server to a WAS inside the firewall. Your security folks should be able to configure this, particularly if they don't want those ports opened.

Kingfisher

 

[Turkbear]

Hi,
One that does not use .aspx files, just classic .asp ( Coded in VBscript or Javascript)...

We have decided to use a 'Reverse Proxy' to reroute the external request..

Thanks...





To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[sandy3269]

Hi,

I have been having this discussion with business objects for the last 6 months. We've had 3 conference calls with their technical people, and I finally have a handle on the situation.

The webconnector is gone. The WCA is a part of the application tier and if you want to have the same functionality as the webconnector setup, meaning a redirect from within a firewalled zone as we do here, you have few options.

These are:

1)Redirect traffic directly into your intranet with port mapping at the firewall. Our security folks went nuts, not happening.

2)Drop a large part of the application tier in the firewall zone. BO says this raises your security vulnerability quite a bit. Security and I said not happening.

3) Write a .NET application that sits in the zone and transverses the firewall. (Recreating the webconnector?). One of our business units had already did that for 10, so the code should be reusable.

4)For some of our law enforcement access, and maybe others, VPN connections through to our intranet.

This is why we've held up going to XI, but are scheduled to later in 2006.

 

[Turkbear]

Hi,
Thanks Sandy..
As I mentioned we are using a reverse proxy ( set up in an Apache web server) to redirect the request to our inside servers..This seems to satisfy our security folks and works fine - not sure how it does it though since our 'Nix folks configured it..





To Paraphrase:"The Help you get is proportional to the Help you give.."