I am interested in knowing what the typical/recommended network topology is for deploying CONNECT.
CONNECT Gateway requires two-way mutual SSL authentication and has other security provisions built into the application layer. Considering this, how do most organizations deploy CONNECT?
1. Application server (GlassFish/WAS/JBoss/WebLogic) exposed in the DMZ.
2. Reverse proxy in the DMZ (Apache HTTP Server/F5 BIG-IP/IBM DataPower) and the application server inside the secure zone.
Option 1 is not recommended by application server vendors.
If we go with Option 2, then how does the security policy work in CONNECT? Which parts of the security checks are offloaded to the DMZ and which are kept in the CONNECT Gateway?
We deployed option 2. It has been a while, but if I remember correctly we used separate certificates for network-layer security (between outside organizations and IBM DataPower) and message-level security.
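As an added illustration of option 2 with the split the reply above describes (this is example configuration written for this thread, not the CONNECT project's own deployment files and not the poster's DataPower setup): an Apache HTTP Server virtual host in the DMZ that terminates the mutual TLS connection from partner gateways with one certificate pair, re-originates a second, separate mutual TLS connection to the CONNECT Gateway in the secure zone, and forwards the SOAP body unchanged so that message-level security (WS-Security signatures, SAML assertions) is still verified by CONNECT itself. The hostnames, file paths, backend port 8181, the /CONNECTGateway/ context path and the X-Client-DN header name are all assumptions.

```apache
# Added example, not from the thread or the CONNECT project.
# DMZ reverse proxy in front of a CONNECT Gateway (option 2).
# All hostnames, ports, paths and header names below are assumptions.
<VirtualHost *:443>
    ServerName connect.example.org

    # --- Network-layer security, terminated in the DMZ ---
    # Certificate pair #1: the identity partners see on the wire.
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile    /etc/pki/connect/dmz-server.crt
    SSLCertificateKeyFile /etc/pki/connect/dmz-server.key

    # Partner gateways must present a client certificate that chains to the
    # exchange trust bundle; connections without one never reach the gateway.
    SSLCACertificateFile  /etc/pki/connect/exchange-ca-bundle.pem
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Hand the authenticated transport identity to the gateway. "set" replaces
    # any X-Client-DN header a client tried to inject from the outside.
    RequestHeader set X-Client-DN "%{SSL_CLIENT_S_DN}s"

    # --- Second, independent mutual TLS hop into the secure zone ---
    # Certificate pair #2: the proxy's own client identity towards CONNECT,
    # distinct from the certificate presented to partners.
    SSLProxyEngine on
    SSLProxyProtocol -all +TLSv1.2 +TLSv1.3
    # File holds the proxy's client certificate and private key concatenated.
    SSLProxyMachineCertificateFile /etc/pki/connect/dmz-to-gateway-client.pem
    SSLProxyCACertificateFile      /etc/pki/connect/internal-ca.pem
    SSLProxyVerify require
    SSLProxyCheckPeerName on

    # Only the CONNECT service paths are exposed; nothing else reaches the
    # application server. The request body is forwarded byte-for-byte, so
    # WS-Security signatures and SAML assertions validate inside CONNECT.
    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass        /CONNECTGateway/ https://connect-gw.internal.example.org:8181/CONNECTGateway/
    ProxyPassReverse /CONNECTGateway/ https://connect-gw.internal.example.org:8181/CONNECTGateway/

    <Location />
        Require all denied
    </Location>
    <Location /CONNECTGateway/>
        Require all granted
    </Location>
</VirtualHost>
```

With this layout the proxy takes over only what operates on the TLS connection: client-certificate validation against the exchange trust bundle, protocol and cipher restrictions, and limiting which URL paths are reachable at all. Everything that inspects the SOAP message itself stays in the CONNECT Gateway, because only CONNECT holds the message-level signing certificate and the policy that decides whether a given partner and assertion may invoke a given service. The X-Client-DN header is trustworthy only because the gateway accepts connections solely from the proxy over the second mutual TLS hop; if the gateway were reachable by other paths, that header would have to be ignored.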