| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Setup DMZ in Datapower SOA Appliance XI52 |
« View previous topic :: View next topic » |
| Author |
Message
|
| uditara |
 Posted: Mon Nov 18, 2013 1:18 am Post subject: Setup DMZ in Datapower SOA Appliance XI52 |
 |
|
Apprentice
Joined: 18 Nov 2013
Posts: 36
|
Hi All,
This is part of my POC activity related to DMZ setup in WebSphere Datapower SOA Appliance (XI52).
We have two Datapower Appliances with XI52...firmware 6.0.0.0
The requirement is to host web services based application in datapower and publish over the internet to access from outside (public internet)...
This service will be load balance with two datapower boxes (load balance and high availability....)
This web service based application need to be publish over the internet using DMZ IP Address with SSL Certificate..
I need some clarification on below mentioned points to moving forward with correct approach :-
1) Network team will provide the DMZ IP
2) Please confirm - DO I need to configure this DMZ IP in Datapower Ethernet Interface (for example eth10)
3) Datapower Eth11 on both datapower box - Local intranet ip is configured...
4) Application optimizer need to be setup using dedicated Virtual IP to redirect traffic from DMZ IP to both datapower (eth11) intranet ip's (load balance and HA)
5) All the DMZ IP traffic need to route to Application Optimizer ip using Network NATing (I am not sure here)..
6) For Name reslution, DNS need to configure with DMZ IP to publish web service over the internet using naming convention...
The overall flow like it is -
Internet -----> Domain/Application Firewall--->DMZ IP (port 443) ------> AO VIP --------> Datapower Intranet IP on both boxes.....
Could you please suggest the correct approach to publish the web service over the internet using DMZ in Datapower XI52...
Thanks,
uditara |
|
| Back to top |
|
 |
| TXMQ_Doyle |
| Posted: Wed Dec 04, 2013 7:42 am Post subject: Datapower in the DMZ |
|
|
Novice
Joined: 04 Dec 2013
Posts: 18
|
Hello Uditara,
Installing a XI52 in the DMZ with Application Optimization will have a few requirements.
1. First off we need to make sure those appliances have AO ( Application Optimization Feature ), this is an extra feature that needed to be purchased.
2. The two appliances participating in the AO will need to each have an interface that is on the same subnet. So, if you have Eth10 configured on each appliance to receive traffic, then those interfaces need to be on the same subnet.
3. Once you have those interfaces configured and up and running, you will need a third IP. This IP will be your Virtual IP, and also needs to be on the same subnet as the previous two IP's.
4. A Standby Group will need to be defined on both appliances and should look identical.
5. As for DNS, is this for resolving the internet name to an ip so that internet clients can route to your DMZ Datapower? If so, then most likely your network team will add that entry for your External VIP ( the floating IP that bounces from 1 Datapower to the other )
let me know if you run into any trouble,
Doyle
TXMQ inc. |
|
| Back to top |
|
|
| uditara |
| Posted: Thu Dec 05, 2013 1:36 am Post subject: |
|
|
Apprentice
Joined: 18 Nov 2013
Posts: 36
|
Hi Doyle,
Appreciate for your response.
since long time i was excepting someone response to my query.....
1) In our DP XI52 Box - AO ( Application Optimization Feature ) already in place and multiple service are using this AO feature for load balancing and failover....
AO IP (VIP) redirecting all request to DP1 and DP2 Box - Physical Interfaces...
2) AO IP sending all the traffic equally distributed to DP1 and DP2 Eth10 Interfaces physical Ip's (same subnet)
3) AO VIP and DP1 and DP2 - Eth10 physical interfaces ip's are in the same subnet.
4) Standby Group already defined on both appliances and it is appliance load balancing is running smoothly in the both DP boxes.
I have some doubs here :-
As for DNS, is this for resolving the internet name to an ip so that internet clients can route to your DMZ Datapower? - Correct..This is exactly the requirement...
If so, then most likely your network team will add that entry for your External VIP ( the floating IP that bounces from 1 Datapower to the other )
- Is this for resolving the internet name to an ip so that internet clients can route to your DMZ Datapower? - As for DNS, Is it possible to resolving the internet name to my DMZ IP?
- I did not understand about External VIP? Do you mean that External VIP is my present DP AO VIP?
Because DP AO VIP is the floating ip that bounce from 1 DP to other in case of failover..
I need some clarification on DMZ IP :-
Do I need to configure the DMZ IP in my Datapower ETH interface?
Thanks,
UdiTara |
|
| Back to top |
|
|
| TXMQ_Doyle |
| Posted: Thu Dec 05, 2013 6:39 am Post subject: |
|
|
Novice
Joined: 04 Dec 2013
Posts: 18
|
Hello,
If I am understanding your situation correctly,
You want a DNS name registered on the internet's dns servers?
If so, the IP that you want 'uditara.service.com' to resolve to, will be the AO VIP that you configured in the standby group on each appliance. With this configuration, both appliances share the IP, so if one goes down, the other will take on the address.
thanks,
Doyle
TXMQ Inc. |
|
| Back to top |
|
|
| uditara |
| Posted: Thu Dec 05, 2013 12:37 pm Post subject: |
|
|
Apprentice
Joined: 18 Nov 2013
Posts: 36
|
well....I discussed with my network team and below inputs received from them :-
1) My Present DP AO VIP is regular production segment ip (not part of DMZ zone).
2) Network Team has allocated one DMZ zone segment IP Address and this ip is in different subnet...
The solution comes from out IT architect :-
1) DNS name should be registered on the internet dns server using DMZ IP so that all intenet public user land request to "udtara.service.com" registered with DMZ IP and then these traffic redirect to datapower AO VIP and then same traffic distributed to DP1 and DP2 box...
I would like to know your inputs on above point..
"uditara.service.com" registered with DMZ IP ------- redirect traffic to DP present AO VIP ------ then redirect the same traffic to DP1 and DP2 physical interfaces....
As per your solution......'uditara.service.com' to resolve to, will be the Datapower present AO VIP that is already present in the standby group on both appliance. With this configuration, both DP appliances share the IP for load balance and failover...
Thanks,
Uditara.... |
|
| Back to top |
|
|
| TXMQ_Doyle |
| Posted: Tue Dec 10, 2013 7:33 am Post subject: |
|
|
Novice
Joined: 04 Dec 2013
Posts: 18
|
Hello Uditara,
Quick Question,
Is the DMZ External IP not the same IP that is shared by your Datapower's Standby Group? I thought this was the case.
You should have a DMZ IP that is an Internet IP. That IP needs to be on the same subnet as the Physical Interfaces that are participating in the Standby Group. The DNS name will be applied to the external DMZ Floating IP.
let me know if you have any questions,
Doyle
TxMQ Inc. |
|
| Back to top |
|
|
| uditara |
| Posted: Fri May 23, 2014 3:10 am Post subject: |
|
|
Apprentice
Joined: 18 Nov 2013
Posts: 36
|
Hello Doyle,
Apologies for the delay resonse.
There are multiple discussion with network team and IT architect team.
Below are the points we discuss :-
1) We are NOT going to touch/use the present/existing AO VIP as this VIP is already in use for multple services. For example - Existing AO VIP - 10.X.X.X
2) The plan is create a new domain in datapower appliance for our new requirement.
3) Network Team will provide one DMZ IP and two new production ip's.
4) Two new production ip's will be configure on ETH12 interfaces on both the datapower boxes.
5) In the ETH 12 interfaces, DMZ IP will be configured in the standby group on both the appliance...DMZ IP will be act as AO VIP for new domain.
6) The DNS name will be applied to the external DMZ Floating IP.
For Example :-
New DMZ IP -
As you suggest - You should have a DMZ IP that is an Internet IP. That IP needs to be on the same subnet as the Physical Interfaces that are participating in the Standby Group.
Is there any specific reason that Physical Interface IP's and DMZ IP (The IP will be participating in the Stanby Group) should be in the same subnet???
Why the Physical IP's and DMZ IP (Standby Group) needs to be on the same subnet?
I am asking this question because our network team is not agree on this statement.
They are providing DMZ IP and two production IP's (for ETH12 physical interfaces) but both these DMZ IP and production IP's will be in the different network subnet.
Kindly suggest the way forward on this...
Thanks in Advance.
UdiTara
Thanks in Advance. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
