Webgate Reverse Proxy Farm

Some of our larger deployments are seeing the benefits of centralizing their Webgate deployments onto a server farm. This post discusses some of the architecture and recommendation when deploying such an architecture.

First, what is a Webgate farm or Webgate Reverse Proxy farm? A Webgate farm is:

• A series of web servers that are clustered on the basis of their protected applications.
• These servers protect the same set of applications. It is not unheard of to create multiple farms for different sets of applications, say internal/external applications.
  
• This architecture acts as a reverse proxy to back end applications.

Some things to consider when deploying this architecture:

• Which team manages the proxy farm? Will it be the Security team or maybe the infrastructure team. Working knowledge of the farm infrastructure as well as proxy configuration is crucial.
• Web server type. Any web server that WebGate supports will work. Many of our customers use Oracle HTTP Server (OHS) or Apache which has good support for virtual hosting and reverse proxy configuration.

Some benefits in deploying a centralized Webgate farm:

• Adding patches/upgrading is easier knowing where the servers are as opposed to the application owner; Security team may not have access.
• Adding more servers and/or upgrading servers is easier in a clustered environment.
• Aside from Web-Gates protecting applications, the web server reverse proxy configuration defines which applications to expose. This provides additional security preventing inadvertent access.

Configuration considerations:

• Use a single Web-Gate profile for all servers in the farm. It is highly recommend that you use a single Webgate profile for all servers on the farm; otherwise you may see cookie decryption errors if the load balancer is not configured correctly.
  
• Use 'SERVER_NAME' for the preferred host value when using Apache/OHS and use 'HTTP_HOST_HEADER' for all other web servers. This is used for virtual hosting.  For more info on Host IDs take a look at this post.
  

Use Case: Internal/External Webgate Scenario

Let's say you have an internal facing application where both internal and external users are allowed access.  Well the easiest implementation is to only allow access through the DMZ.  This means that internal users must go back out to the DMZ to gain access.  Done.

Now let's say the requirement is that internal users must access the site internally and external users through the DMZ.  In 10g it was relatively easy to set this up (see diagram below).  All that was needed is two sets of Webgates; one within the DMZ and a second internally.  Once authenticated the ObSSOCookie is easily consumed by any of the Webgates shown below; as long as the same OAM infrastructure supported both internal and external users/applications.

In 11g, the cookie model is quite different as you an read here.  Supporting the above use case will not work out-of -the-box; nor is it recommended.  However it can be done with some caveats:

• Set a user defined parameter in the Webgate configuration, filterOAMAuthnCookie=false
• The Webgate profile for all Webgates depicted must be the same.

By default, the OAM_Authn cookie will not be passed along in the HTTP payload for security reasons; however, setting the parameter 'filterOAMAuthNCookie' to 'false' removes this condition.  Also keep in mind that the Webgate profile must be the same for both sets of Webgates in order for Single-Sign-On (SSO) to work.  This may not be feasible depending on your topology/requirements.

The recommended approach in 11g is to create a new end-point for the application.

Notice the distinction, we again decouple the Webgate from the application and create another Webgate Proxy farm (internally).  Why?  In 10g it was feasible for the Webgate plug-in to reside on the same web server as the application; it was also possible to have a single transaction going through two Webgates.  In 11g, this is not recommended; a single transaction should never pass through two Webgates.