Best practice for deploying webservice with webserver within a DMZ

Posted by mtugler on 12-Dec-2014 02:29

Hello everybody,

For a customer of ours, we have to deploy a webservice with the following constellation:

* Web Server in a DMZ

* DB-Server in network

What's the best practice for such a deployment / development? Which component should be installed where?

Normally (without any DMZ), State-Free AppServer & WSA are installed on the DB-Server but I think that with a DMZ, this is different.

Many thanks in advance.

Kind regards,

Mat

All Replies

Posted by Michael Jacobs on 12-Dec-2014 07:26

Hi Mat,

There can be multiple approaches, and opinions, regarding what runs in the DMZ and what runs in the inner security zone. Here is my opinion.

The thing I would not do is put an AdminServer, AppServer or a db server inside the DMZ. I would keep the AppServer running in the same system as the DB-server inside the internal security zone.

The WSA could run in the DMZ if the web server being used is Tomcat, and then make a network connection to the AppServer through the inner security zone's firewall. SSL could be used, if the performance #s work, just in case a network monitor can get inserted inside the DMZ.

If the web server running in the DMZ is something like Apache httpd or IIS, you could run the WSA (and its Tomcat server) in the inner security zone on the same system containing the AppServer and DB, and use a proxy [worker] connection between the web server and the WSA's Tomcat server.

NameServers and firewalls can be a problem, so use IP addresses and port #s in your configurations.

Others may chime in with their thoughts.

Mike J.

Posted by mtugler on 17-Dec-2014 03:34

Hi Mike,

Many thanks for your reply.

Here is my approach:

WSA in DMZ

AppServer in network running on the DB-server.

I know that it's possible to set remote & local webservice. Do I have to create 2 WebServices (1 on DB-server & 1 in DMZ)? Which one will be the local and which one will be the remote?

Do you or someone else have an idea ?

Many thanks !

Mat

Posted by bronco on 17-Dec-2014 03:58

I would go for the second option Michael suggests. Set up a reverse proxy in the DMZ and let that point to a machine in your LAN. This LAN machine could run the entire OE stack (i.e. db, AppServer and WSA). From a security point of view it's easier to maintain because this obscures most of Tomcat (WSA), except the URL you want obviously.

Moreover, you don't have to access your DMZ for deployments of your webservices. Apart from IIS & Apache I can recommend the nginx webserver for this task. It's lightweight in both footprint and at runtime (and it serves > 15% of the websites worldwide, so proven technology).
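The reverse-proxy layout discussed in the replies above, sketched as an nginx configuration for the DMZ host. This is an added example, not part of any post in the thread. The backend address `10.0.0.10:8080`, the path `/wsa/wsa1` and the certificate file names are assumptions to be replaced with the values of the actual installation.

```nginx
# Added example: nginx on the DMZ host, forwarding only the web service URL
# to the Tomcat/WSA on the LAN machine.
# Assumed values (not from the thread): 10.0.0.10:8080 = Tomcat on the LAN host,
# /wsa/wsa1 = path of the WSA instance, certificate paths are placeholders.

# Weak form, for contrast: this forwards every path, so Tomcat's other
# web applications and default pages become reachable from outside.
#   location / { proxy_pass http://10.0.0.10:8080; }

server {
    listen 443 ssl;
    server_name _;

    ssl_certificate     /etc/nginx/tls/dmz-proxy.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/dmz-proxy.key;   # placeholder path

    # Only the web service URL crosses the inner firewall.
    location /wsa/wsa1 {
        # SOAP requests use POST; GET is kept on the assumption that clients
        # fetch the WSDL through the proxy. Drop GET if they do not.
        limit_except GET POST { deny all; }

        # IP address and port instead of a host name, so the proxy does not
        # depend on name resolution across the firewall.
        proxy_pass http://10.0.0.10:8080;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_connect_timeout 5s;
        proxy_read_timeout    60s;
    }

    # Everything else on the Tomcat server stays hidden.
    location / {
        return 404;
    }
}
```

The matching rule on the inner firewall then needs to allow only the DMZ host to reach that one IP address and port on the LAN machine.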

This thread is closed