Redirect https to AJP13

Posted by goo on 11-Apr-2020 18:51

12.2 

We have set this up for a PASOE web handling service:

Firewall giving access through HTTPS to a DMZ machine (Win2019 IIS doing a redirect to a machine on the LAN using AJP13 (8009, 8010..)) for two applications.

There are probably many ways of doing this, but we do not want to have certificates between IIS (DMZ) and the Linux server (LAN) if we do not have to. I recently read that Progress wants to deprecate use of AJP13, so we probably need to rethink how to do this. How could we do it? I will ask Tech Support, but would like to hear what you are doing.

All Replies

Posted by Tim Hutchens on 13-Apr-2020 13:19

I think we are essentially in the same boat. It felt like Progress was recommending the AJP approach (for multiple reasons including load balancing, I think), so I'm waiting to hear what they recommend next. It seems like the immediate recommendation would be to fall back to HTTPS proxies, but like you mentioned, I'd prefer not to manage certificates on my PASOE servers.

The NIST vulnerability David Cleary referenced (https://nvd.nist.gov/vuln/detail/CVE-2020-1938) seems to be flagged as a high risk, but perhaps, the way your application is written, it doesn't expose the high-risk part (such as if your application doesn't have any file upload feature that stores the files in the application directories), and you may feel that the risk in your environment is not worth abandoning AJP.

Tim

Posted by goo on 13-Apr-2020 13:26

Thanks Tim

Sent from my iPad


This thread is closed