01-10-2013 3:17 PM
I have a question about trusted relationships between WebDispatcher and Portal app servers. For an externally facing Portal with SSL/HTTPS enabled, what is preventing a hacker from going around WebDispatcher and accessing the Portal app servers directly if they know the hostname and port? Do you know of a way to establish a trusted relationship between webdispatcher and portal app servers so that only the request can come from the webdispatcher and not directly to each portal app server?
Thanks, John
01-10-2013 6:06 PM
By designing your network topology correctly, involving firewalls and network segments. Are you saying your portal application servers can be accessed externally? Oh my, you really need to talk to your network admins if that is the case.
Usually you place the Web Dispatcher in the DMZ and then allow only specific ports between the DMZ and the internal network. All access goes through the Web Dispatcher since it is a reverse proxy, hence it acts as a client to the backend application.
Do a search on SCN for example scenarios; there are many documents out there.
01-10-2013 6:33 PM
Yes, we do have the webdispatcher in the external DMZ and acting as a reverse proxy.
01-10-2013 6:42 PM
If your network is correctly set up, clients can't access the portal servers directly. They have to go through the Web Dispatcher in the DMZ. Most companies allow direct access to the portal servers within the internal network, so you should be sure to test from the external network to see whether you can access the portal servers directly or not. Of course, if you want, you can also restrict direct access within the internal network, forcing everyone to go through the Web Dispatcher.
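The external test suggested in the last reply can be scripted as below. This is an added example, not part of the original thread. It is meant to be run from a host outside the perimeter against your own systems, and every hostname and port in it is a constructed placeholder to replace with your own values.

```python
import socket
import sys


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout), unroutable or unresolvable all count
        # as "not reachable" from this vantage point.
        return False


def audit_exposure(policy, timeout=3.0):
    """Compare actual reachability against the intended firewall policy.

    policy: iterable of (label, host, port, should_be_reachable).
    Returns a list of (label, host, port, expected, actual) for each mismatch.
    """
    findings = []
    for label, host, port, expected in policy:
        actual = tcp_reachable(host, port, timeout)
        if actual != expected:
            findings.append((label, host, port, expected, actual))
    return findings


if __name__ == "__main__":
    # Constructed placeholders: only the Web Dispatcher should answer from
    # outside; the portal application servers behind it should not.
    POLICY = [
        ("Web Dispatcher HTTPS", "webdisp.example.com", 443, True),
        ("Portal app server 1", "portal1.example.com", 8443, False),
        ("Portal app server 2", "portal2.example.com", 8443, False),
    ]
    problems = audit_exposure(POLICY)
    for label, host, port, expected, actual in problems:
        state = "reachable" if actual else "unreachable"
        wanted = "reachable" if expected else "blocked"
        print(f"MISMATCH {label} {host}:{port} is {state}, expected {wanted}")
    if not problems:
        print("Reachability matches the intended policy from this network.")
    sys.exit(1 if problems else 0)
```

Running the same policy list from an internal workstation shows whether direct access is also restricted inside the network, which the reply notes is optional.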