Some
of our larger deployments are seeing the benefits of centralizing their
Webgate deployments onto a server farm. This post discusses some of the
architecture and recommendation when deploying such an architecture.
First, what is a Webgate farm or Webgate Reverse Proxy farm? A Webgate farm is:
- A series of web servers that are clustered on the basis of their protected applications.
-
These servers protect the same set of applications. It is not unheard
of to create multiple farms for different sets of applications, say
internal/external applications.
- This architecture acts as a reverse proxy to back end applications.
Some things to consider when deploying this architecture:
- Which
team manages the proxy farm? Will it be the Security team or maybe the
infrastructure team. Working knowledge of the farm infrastructure as
well as proxy configuration is crucial.
- Web
server type. Any web server that WebGate supports will work. Many of
our customers use Oracle HTTP Server (OHS) or Apache which has good
support for virtual hosting and reverse proxy configuration.
Some benefits in deploying a centralized Webgate farm:
- Adding
patches/upgrading is easier knowing where the servers are as opposed to
the application owner; Security team may not have access.
- Adding more servers and/or upgrading servers is easier in a clustered environment.
- Aside
from Web-Gates protecting applications, the web server reverse proxy
configuration defines which applications to expose. This provides
additional security preventing inadvertent access.
Configuration considerations:
- Use
a single Web-Gate profile for all servers in the farm. It is highly
recommend that you use a single Webgate profile for all servers on the
farm; otherwise you may see cookie decryption errors if the load
balancer is not configured correctly.
- Use
'SERVER_NAME' for the preferred host value when using Apache/OHS and
use 'HTTP_HOST_HEADER' for all other web servers. This is used for
virtual hosting. For more info on Host IDs take a look at this post.
Use Case: Internal/External Webgate Scenario
Let's
say you have an internal facing application where both internal and
external users are allowed access. Well the easiest implementation is
to only allow access through the DMZ. This means that internal users
must go back out to the DMZ to gain access. Done.
Now let's say
the requirement is that internal users must access the site internally
and external users through the DMZ. In 10g it was relatively easy to
set this up (see diagram below). All that was needed is two sets of
Webgates; one within the DMZ and a second internally. Once
authenticated the ObSSOCookie is easily consumed by any of the Webgates
shown below; as long as the same OAM infrastructure supported both
internal and external users/applications.
In 11g, the cookie model is quite different as you an read here. Supporting the above use case will not work out-of -the-box; nor is it recommended. However it can be done with some caveats:
- Set a user defined parameter in the Webgate configuration, filterOAMAuthnCookie=false
- The Webgate profile for all Webgates depicted must be the same.
By
default, the OAM_Authn cookie will not be passed along in the HTTP
payload for security reasons; however, setting the parameter
'filterOAMAuthNCookie' to 'false' removes this condition. Also keep in
mind that the Webgate profile must be the same for both sets of Webgates
in order for Single-Sign-On (SSO) to work. This may not be feasible
depending on your topology/requirements.
The recommended approach in 11g is to create a new end-point for the application.
Notice
the distinction, we again decouple the Webgate from the application and
create another Webgate Proxy farm (internally). Why? In 10g it was
feasible for the Webgate plug-in to reside on the same web server as the
application; it was also possible to have a single transaction going
through two Webgates. In 11g, this is not recommended; a single
transaction should never pass through two Webgates.
Posts
