Network topology for CONNECT


Yogesh
I am interested in knowing what the typical/recommended network topology is for deploying CONNECT.

CONNECT Gateway requires two-way mutual SSL authentication and has other security provisions built into the application layer. Considering this, how do most organizations deploy CONNECT?

1. Application Server (Glassfish/WAS/JBoss/Weblogic) exposed in DMZ.
2. Reverse proxy in DMZ (Apache HTTP Server/F5 BIG-IP/IBM DataPower) and Application server inside secure zone.

Option 1 is not recommended by application server vendors.
If we go with Option 2, then how does the security policy work in CONNECT and what parts of security check are offloaded in DMZ and what is kept in CONNECT Gateway?

Regards,
Yogesh

Re: Network topology for CONNECT

dtrepanier
Did you find a good way to set up Option 2? We are wanting to deploy multiple CONNECT gateways behind a load balancer (F5).

Re: Network topology for CONNECT

Yogesh Arora
We deployed option 2. It has been a while; if I remember correctly, we used separate certificates for network layer security (between outside organizations and IBM DataPower) and message level security.