We are planning on making our ESS/MSS application available to the outside world. Previously it has only been available on our intranet behind our firewall. We currently have the IIS web server, Websphere, SQL and Lawson all on the same Windows 2003 server. I’m thinking we need to move IIS to the DMZ as a bare minimum. I'm not sure if we will want access to the applications by portal users as they have access via vpn already. Any suggestions appreciated.
It's really a matter of putting IIS in DMZ or outside the firewall and installing the Websphere plugin to point to that server. Then using firewall/NAT to 1) route the inside and outside users to the correct web server address and 2) restricting the traffic flow to the websphere server to onlu be allowed to come from the IIS server. John Henley
Thanks for the feedback. I'm assuming WAS can accept connections from both the inside and outside IIS instances. We wouldn't want to break production access. Our services vendor did this setup during our LSF migration - do you know where is the WAS plugin install for IIS is documented?
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tins_manualWebIIS.html John Henley
We are bracing for the help desk calls since there are seemlingly infiite combinations of software versions and settings on home computers. There were a number of XML patches that addressed Portal issues a few years back and we had to patch many of our internal systems. I believe Microsoft has rolled these up for W2K and XP now so if the home users have windows updates turned on like we do at corporate they should be ok. I have not have to apply any patches to fix IE for Portal in 2 years now. Wonder how Vista Home edition will behave?
Has anyone had trouble with the redirect when referencing their external server by IP? We're getting the "Portal cannot load without a fully qualified URL" msg when we try to connect to the external IIS webserver instance via IP. If we try to connect to the external by server name it will only work from from inside our FW - outside the connection fails. The endpoint must be taking care of it as the redirect msg is not displayed if we user servername . I wanted to use IP rather than have our ISP add our servername in their DCHP list. Thanks.
We've almost got this working after alot of tinkering with the endopoints in ssoconfig. A Lawson KB article indicates that an https cert needs to be installed on both the internal and external webserver assumedly since the internal wil be using https for authentication only. We only bought one cert and installed it on both. The external works great, but portal connections to the internal now complain about an invalid cert (it does let you log in after that). Has anyone been able to get the internal webserver to inherit the cert from the external or are we faced with ordering another cert from verisign for our internal webserver even though we're not really using it for https connections?
That is correct--WAS plugins on the external server. You only need one WAS ND.
We got it to work by using Microsof't's ISA server to securely route requests from an outside name to the application server. It works well. I've also repackaged the ESS javascript js and htm files in to an iframe page the removes the requirement for the portal from home. This way it works well from any browser and is less intensive on the system.
Making it work with the SSO LSF9 security was a bit tough but it's working. I wouldn't mind sharing if anyone is interested.
Hopefully this thread is still sort of monitored, because we're in a similar spot here.
We want to make ESS available externally for our users, however, we'd like it to be opt in. We'd also like to limit the external access to ESS/MSS only leaving portal/rss/etc available internally only.
Now I've got HTTPS running just fine, and we're only using a single webserver right now (all Lawson components run on seperate servers so the box only has IIS/WebSphere Plugins installed). Our current webserver is sitting in our DMZ as well so from a logistics standpoint, I'm hoping we're ok.
Does anyone have external access deployed in their environment for only ESS/MSS and, if they do, has anyone figured out a way to make it opt-in for employees that only want to have their access available externally?
Next...
Apparently some webserver issues going on - see next post...
Posted By Joe O'Toole on 03/26/2009 02:30 PM Posted By Joe O'Toole on 03/26/2009 01:57 PM There are 2 different issues here. First I would make sure you really want to run "everyone" through the DMZ webserver. There are numerous reasons I would not - a few in no particular order: 1) security - if one is breached all your web access is gone. 2) patches / maint on external webserver will take all your web access down 3) Traffic - why route your internal users through the DMZ? 4) Throughput - assuming you have full HTTPS running (and this is a MUST) on the external, why force all your internal portal traffic to be encrypted with no caching when all you need is HTTPS for login only? Some of these could be less of an issue if your application users only run LID, but sooner or later most shops will have some portal app users plus anyone using ESS/MSS must go through portal. Controlling what functionaliy they have based on point of access would also be aother tough thing to tackle since content is assigned based on user. We assign fixed content to our "ESS/MSS only" users and lock them out from changing their content through default.xml mods. In LSF I think this can be done from an admin screen as well. As for opt-in, you would need some intercept or a different front end before the user hit portal where they could log in and agree to the terms and conditions. Then the next time they hit it it would let them through if the flag was set. We thought about doing this but decided it was not necessary at this point. Have you considered puting a disclaimer stating "by clicking on this link I understand and agree to the terms and conditions of remote access"? Good Luck!
Posted By Joe O'Toole on 03/26/2009 01:57 PM There are 2 different issues here. First I would make sure you really want to run "everyone" through the DMZ webserver. There are numerous reasons I would not - a few in no particular order: 1) security - if one is breached all your web access is gone. 2) patches / maint on external webserver will take all your web access down 3) Traffic - why route your internal users through the DMZ? 4) Throughput - assuming you have full HTTPS running (and this is a MUST) on the external, why force all your internal portal traffic to be encrypted with no caching when all you need is HTTPS for login only? Some of these could be less of an issue if your application users only run LID, but sooner or later most shops will have some portal app users plus anyone using ESS/MSS must go through portal. Controlling what functionaliy they have based on point of access would also be aother tough thing to tackle since content is assigned based on user. We assign fixed content to our "ESS/MSS only" users and lock them out from changing their content through default.xml mods. In LSF I think this can be done from an admin screen as well. As for opt-in, you would need some intercept or a different front end before the user hit portal where they could log in and agree to the terms and conditions. Then the next time they hit it it would let them through if the flag was set. We thought about doing this but decided it was not necessary at this point. Have you considered puting a disclaimer stating "by clicking on this link I understand and agree to the terms and conditions of remote access"? Good Luck!
There are 2 different issues here. First I would make sure you really want to run "everyone" through the DMZ webserver. There are numerous reasons I would not - a few in no particular order: 1) security - if one is breached all your web access is gone. 2) patches / maint on external webserver will take all your web access down 3) Traffic - why route your internal users through the DMZ? 4) Throughput - assuming you have full HTTPS running (and this is a MUST) on the external, why force all your internal portal traffic to be encrypted with no caching when all you need is HTTPS for login only?
Some of these could be less of an issue if your application users only run LID, but sooner or later most shops will have some portal app users plus anyone using ESS/MSS must go through portal. Controlling what functionaliy they have based on point of access would also be aother tough thing to tackle since content is assigned based on user. We assign fixed content to our "ESS/MSS only" users and lock them out from changing their content through default.xml mods. In LSF I think this can be done from an admin screen as well.
As for opt-in, you would need some intercept or a different front end before the user hit portal where they could log in and agree to the terms and conditions. Then the next time they hit it it would let them through if the flag was set. We thought about doing this but decided it was not necessary at this point. Have you considered puting a disclaimer stating "by clicking on this link I understand and agree to the terms and conditions of remote access"? Good Luck!
Joe,
How do you limit external webserver only serve ESS?
We are in the spot to make Vendor self service available to WWW. Please share your experience if you have.
We are looking into using netscaler for ESS web access and saw the post from Brian and Dean. Can I get an update on how that is working for you company. Also, is any one else using this solution or have abandoned the idea of using it? Thanks....
published it on to the public internet by putting an Apache server in the DMZ to handle reverse proxy chores and used a Cisco ACE in front of that to handle SSL termination.