Purpose:
If you’ve been wondering how to support end users who’d like to connect to your E-Business Suite environment from outside your corporate firewall, a combination of a demilitarized zone and a reverse proxy might be an alternative to traditional VPN-based solutions. This document describes methods for making the iRecruitment functionality of Oracle E-Business Suite 11i accessible via the Internet to external users. It describes network topologies and architectures, including the use of reverse proxy servers in demilitarized zones (DMZs) and the use of hardware-based load balancers in these configurations. For clarity I will post this in two parts: Part I deals with the introduction and general information, and Part II will mainly cover the actual steps.
Introduction to DMZ:
A DMZ (De-Militarized Zone) is a separate part of an organization’s network which is shielded and ‘cut off’ from the main corporate network and its systems. The DMZ contains technical equipment to prevent external parties (say, on the Internet) from gaining access to your main systems. In the IT industry, a demilitarized zone is a single- or multi-segment perimeter network that demarcates the portion of the corporate network that lies between the intranet and outside networks. Corporate DMZ borders are enforced by firewalls and other dedicated networking devices.
DMZ Setup System Requirements:
1) Reverse Proxy Server:
Model: HP-Unix
Host Name: reverseproxy.external.com
IP Address: 123.123.123.123
OS: HP-Unix
OS User: applmgr
2) External Web Server
Model: HP-Unix
Host Name: hostname.external.com
IP Address: 123.123.123.123
OS: HP-Unix
OS User: applmgr
3) Database Server
Model: HP-Unix
Host Name: dbhost.internal.com
IP Address: 123.123.123.123
OS: HP-Unix
OS User: oracle
Please note that we are taking HP-UX as an example OS for the setup. In theory this can be set up on any OS that supports Oracle Apps 11i.
Proposed DMZ Configuration Architecture
Image taken from Metalink note 287176.1
Design Considerations, Assumptions, Limitations:
When configuring Oracle E-Business Suite in a DMZ configuration, firewalls are deployed at various levels to ensure that only the traffic that the architecture expects is allowed to cross the firewall boundaries. The firewalls ensure that if intrusion attempts against machines in the DMZ are successful, the intrusion is contained within the DMZ and the machines in the intranet are not affected. To make Oracle E-Business Suite modules as secure as possible, the following tasks may need to be performed.
- Use a separate web node for external usage
- Set server-level profile values
- Associate trust levels to application middle tier nodes
- Mark a subset of responsibilities as available on an external web node
- Deploy a Reverse proxy in front of the external web node
- Configure a URL firewall and mod_security in the reverse proxy
- Run only the required Oracle E-Business Suite Application services on the external web tier
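To make the "only the traffic that the architecture expects" requirement concrete, here is an added example (not from the original post or from Oracle's documentation) that audits a set of firewall permit rules against the three flows this reverse proxy / external web node / database layout needs. The zone names, the port numbers (443, 8000, 1521) and the sample rules are assumptions constructed for the illustration.

```python
# Added example: audit firewall permits against the flows a three-tier DMZ expects.
# Zone names, ports and sample rules are assumptions, not values from the post.
ZONES = ("internet", "proxy_dmz", "web_dmz", "intranet")

# The only flows the architecture expects: (source zone, destination zone, TCP port)
EXPECTED = {
    ("internet", "proxy_dmz", 443),   # external users -> reverse proxy (assumed HTTPS)
    ("proxy_dmz", "web_dmz", 8000),   # reverse proxy -> external web node (assumed port)
    ("web_dmz", "intranet", 1521),    # external web node -> database listener (assumed port)
}

def expand(rule):
    """Yield each (src, dst, lo, hi) a permit rule covers; 'any' is a zone wildcard."""
    src, dst, lo, hi = rule
    for s in (ZONES if src == "any" else (src,)):
        for d in (ZONES if dst == "any" else (dst,)):
            if s != d:
                yield s, d, lo, hi

def audit(rules):
    """Return (violations, missing).

    violations: (rule, src, dst, n) where the rule permits n ports beyond EXPECTED.
    missing: expected flows that no rule permits (the application would break).
    """
    violations, covered = [], set()
    for rule in rules:
        for s, d, lo, hi in expand(rule):
            hit = {p for (es, ed, p) in EXPECTED if (es, ed) == (s, d) and lo <= p <= hi}
            covered |= {(s, d, p) for p in hit}
            extra = (hi - lo + 1) - len(hit)
            if extra:
                violations.append((rule, s, d, extra))
    return violations, sorted(EXPECTED - covered)

# Constructed sample ruleset: (src zone, dst zone, first port, last port), all permits.
SAMPLE_RULES = [
    ("internet", "proxy_dmz", 443, 443),
    ("proxy_dmz", "web_dmz", 8000, 8000),
    ("web_dmz", "intranet", 1521, 1530),   # wider than the single expected port
    ("proxy_dmz", "intranet", 22, 22),     # lets the proxy tier bypass the web tier
]

if __name__ == "__main__":
    violations, missing = audit(SAMPLE_RULES)
    for rule, s, d, extra in violations:
        print(f"TOO BROAD {rule}: {s} -> {d} permits {extra} unexpected port(s)")
    for flow in missing:
        print(f"MISSING   {flow}")
```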
Pre-requisite Patches:
This concludes Part I of this main post and I will continue with DMZ setup steps in my next one…
References:
287176.1 – DMZ Configuration with Oracle E-Business Suite 11i
364439.1 – Tips and Queries for Troubleshooting Advanced Topologies
