kash3338 (Shaman)
Joined: 08 Feb 2009 Posts: 709 Location: Chennai, India
Posted: Tue May 19, 2015 6:27 pm Post subject: IIB in Secured zone

Hi,
I am not sure if this is the right forum for this query, but still feel I will have some suggestions here. I have a query on the network design for all incoming traffic to IIB services. Here is my problem,
I have IIB installed in a secured zone within the org. There is a DMZ zone which is exposed to the outside world. I have developed many services which are hosted in IIB. Now, I cannot publish the URL of my service to the external consumers. Instead I will have to provide the public IP from the DMZ zone.
What is the best way to implement this? How do I route the requests coming into DMZ zone to my respective IIB service? How do I ensure load balancing here as there would be only one web server in DMZ? Any suggestions or best practice would be helpful.

Vitor (Grand High Poobah)
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Posted: Wed May 20, 2015 4:34 am Post subject: Re: IIB in Secured zone

kash3338 wrote:
> What is the best way to implement this? How do I route the requests coming into DMZ zone to my respective IIB service? How do I ensure load balancing here as there would be only one web server in DMZ?

Any of multiple methods including (but not limited to) a DataPower appliance or a web container. The IIB HTTP Proxy is designed to assist with this.
_________________
Honesty is the best policy.
Insanity is the best defence.

mqjeff (Grand Master)
Joined: 25 Jun 2008 Posts: 17447
Posted: Wed May 20, 2015 5:05 am Post subject: Re: IIB in Secured zone

Vitor (Grand High Poobah)
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Posted: Wed May 20, 2015 5:25 am Post subject: Re: IIB in Secured zone

I quote those whom I've experienced. But defer to you.

mqjeff (Grand Master)
Joined: 25 Jun 2008 Posts: 17447
Posted: Wed May 20, 2015 5:34 am Post subject: Re: IIB in Secured zone

Vitor wrote:
> I quote those whom I've experienced. But defer to you.

I spent quite a long time arguing for the creation of these. It's really a much more lightweight and easier to config solution. And straightforward for any HTTP server Admin.

fjb_saper (Grand High Poobah)
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Posted: Wed May 20, 2015 5:36 am Post subject:

For those who swear with .NET. What would you use with an IIS server?
_________________
MQ & Broker admin

mqjeff (Grand Master)
Joined: 25 Jun 2008 Posts: 17447
Posted: Wed May 20, 2015 5:39 am Post subject:

fjb_saper wrote:
> For those who swear with .NET. What would you use with an IIS server?

A ratty scrap of paper with badly scrawled URLs in faded pencil, sent via interoffice mail through an offshore routing location?

kash3338 (Shaman)
Joined: 08 Feb 2009 Posts: 709 Location: Chennai, India
Posted: Mon May 25, 2015 3:34 am Post subject:

Thanks for the suggestions. We were able to achieve this using the exportable configurations. Thanks mqjeff for the pointer.

ruimadaleno (Master)
Joined: 08 May 2014 Posts: 274
Posted: Fri May 29, 2015 5:42 am Post subject:

kash3338 wrote:
> Thanks for the suggestions. We were able to achieve this using the exportable configurations. Thanks mqjeff for the pointer.

Hi kash,
I'm also looking for the best way to publish message broker message flows (version 8.0.0.4 on DMZ) to the internet. I'd like to gather some knowledge from your case.
Why have you decided to use exportable configs + WAS IBM HTTP Server plugin vs https proxy servlet vs Apache server + mod_proxy? What criteria have you analyzed? What requirements drive your choice?
Can you share it with us?
_________________
Best regards
Rui Madaleno

mqjeff (Grand Master)
Joined: 25 Jun 2008 Posts: 17447
Posted: Fri May 29, 2015 5:52 am Post subject:

I can't speak to what kash3338 used to make this decision, but some basic criteria are:
- a JEE server is more heavyweight and complicated, and potentially less secure in a DMZ
- you should lean heavily towards using existing technology for http servers in your DMZ.
- Apache HTTP and mod_proxy are open source and license free, IBM HTTP Server may not be.
- the JEE server may be trickier to keep up to date, the exportable config can probably be automated fairly easily.
But, again, I'm kind of biased, having strongly advocated for the creation of the exportable configs for several years.

inMo (Master)
Joined: 27 Jun 2009 Posts: 216 Location: NY
Posted: Fri May 29, 2015 1:05 pm Post subject:

I apologize if I'm asking the obvious ... the exportable configurations seem to be simple routing rules that can be handed off and loaded into the corresponding http server. Am I missing something? Do they need to be tweaked in any way?

fjb_saper (Grand High Poobah)
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Posted: Fri May 29, 2015 10:42 pm Post subject:

inMo wrote:
> I apologize if I'm asking the obvious ... the exportable configurations seem to be simple routing rules that can be handed off and loaded into the corresponding http server. Am I missing something? Do they need to be tweaked in any way?

Every time you deploy something to a new URL you will have to export again to add the new URL to your list of redirects...

mqjeff (Grand Master)
Joined: 25 Jun 2008 Posts: 17447
Posted: Mon Jun 01, 2015 4:36 am Post subject:

inMo wrote:
> Do they need to be tweaked in any way?

They shouldn't, unless there are site-specific reasons to do so.

ruimadaleno (Master)
Joined: 08 May 2014 Posts: 274
Posted: Mon Jun 01, 2015 6:28 am Post subject:

I've done a simple test with exportable configuration and found that every single message flow deployed is listed in the resulting config file.
So, the first "tweak" should be: remove the lines corresponding to the deployed message flows you don't want to expose, otherwise you will end up with all the message flows deployed published to the internet.

mqjeff (Grand Master)
Joined: 25 Jun 2008 Posts: 17447
Posted: Mon Jun 01, 2015 7:01 am Post subject:

ruimadaleno wrote:
> I've done a simple test with exportable configuration and found that every single message flow deployed is listed in the resulting config file.
> So, the first "tweak" should be: remove the lines corresponding to the deployed message flows you don't want to expose, otherwise you will end up with all the message flows deployed published to the internet.

You could do that. Or you could config the web server to not expose those URLs. Or you could configure a firewall/something to not expose those URLs.

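Added example, not part of the thread and not IBM's tooling: a fail-closed allow-list filter for the "first tweak" ruimadaleno describes, which can be rerun after every re-export as fjb_saper's point requires. It assumes the exported file is a list of Apache `ProxyPass`/`ProxyPassReverse` lines; the host name, paths, allow-list and function name are constructed for illustration.

```python
import re

# Constructed sample standing in for an exported config (assumed layout, not real output).
EXPORTED = r"""
# constructed sample
ProxyPass /orders/v1 http://iib.internal.example:7800/orders/v1
ProxyPassReverse /orders/v1 http://iib.internal.example:7800/orders/v1
ProxyPass /hr/payroll http://iib.internal.example:7800/hr/payroll
ProxyPassReverse /hr/payroll http://iib.internal.example:7800/hr/payroll
ProxyPassMatch ^/ops/(.*)$ http://iib.internal.example:7800/ops/$1
"""

# Hypothetical allow-list: the only paths approved for external consumers.
ALLOWED = {"/orders/v1", "/quotes/v2"}

# Only plain ProxyPass/ProxyPassReverse rules are understood; anything else is held back.
RULE = re.compile(r"^(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)(\s.*)?$", re.IGNORECASE)


def filter_export(text, allowed):
    """Keep only allow-listed rules; report everything that was held back."""
    kept, dropped, unknown, seen = [], set(), [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            unknown.append(line)  # fail closed: never copied through unreviewed
            continue
        path = m.group(2).rstrip("/") or "/"
        # ProxyPass matches by URL prefix, so a kept path exposes everything under it.
        if path in allowed:
            kept.append(line)
            seen.add(path)
        else:
            dropped.add(path)
    return {
        "kept": kept,                            # lines safe to load in the DMZ server
        "dropped": sorted(dropped),              # deployed flows that stay internal
        "unknown": unknown,                      # directives needing manual review
        "missing": sorted(set(allowed) - seen),  # approved paths no longer deployed
    }


if __name__ == "__main__":
    result = filter_export(EXPORTED, ALLOWED)
    print("\n".join(result["kept"]))
    for key in ("dropped", "unknown", "missing"):
        print(f"# {key}: {result[key]}")
```

Because the filter starts from an allow-list rather than a list of lines to delete, a newly deployed flow stays unexposed until someone approves its path.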