Troubleshooting DMZ Setups for Apps

It's possible to expose selected Oracle E-Business Suite applications such as iStore or iRecruitment to users outside of your corporate intranet.  As part of our security best practices, we recommend the use of reverse proxies in demilitarized zones (DMZ) for these types of deployments.

DMZ Reverse Proxy:

While simple in concept, the actual execution is sometimes a little trickier.  These projects are often complicated by the separation between different groups that manage network operations, enterprise security, and the E-Business Suite environments themselves.  Coordinating all three organizational groups can be a project in itself.  Even small missteps can result in some of the following issues:
  • Misconfigured firewalls and other networking components
  • Incorrectly configured reverse proxies
  • Incomplete or incorrect E-Business Suite setups
  • Inconsistencies between testbeds and production setups

One Step at a Time

Debugging environments with lots of complex moving parts can be frustrating.  The best strategy is to take a systematic approach and test the critical components in sequence.  To help you with that, our hardworking Oracle Support team has assembled some of the best tips for debugging these types of configurations here:
They've also published a companion document with a crisp walkthrough:
These documents are written specifically with Release 11i in mind but the principles and techniques apply equally to Release 12, too.  Great stuff and highly recommended if you're working on implementing a DMZ in your Apps environment.

Comments (7)

kalpit:

Hi Steven,

Thanks for pointing to DocID: 438744.1. It's really a very well-written and practically useful document. I would also like to thank Dan Collier (author of the document).

Thanks,
Kalpit

Steven Chan:

Hi, Kalpit,

Thanks for the feedback on this Note.  I've passed on your comments to Dan; I know he'll be very pleased to hear that you found it useful.

Regards,
Steven

Naqi:

Steven,
I've followed Dan's Note: 438744.1, in addition to the DMZ document for 11i. However, I find that in the two separate cases I have set up, the jserv for the external entry point is always broken. What this means is that logins to 11i cannot happen. When I say this, I mean that access to the login page: http://hostname.domain:port/oa_servlets/AppsLogin, results in a 404 page not found error. Investigating the various log files shows that the jserv that should be handling this request never starts up to begin with. I have an SR open 6559343.992. I was hoping you could have a look at it, or perhaps Dan could be contacted. My email address is naqimirza@yahoo.com.
Thanks

Steven Chan:

Naqi,

I won't have the opportunity to look at this in-depth today, unfortunately.  However, I've asked the Service Engineer assigned to your SR to coordinate with Dan as part of the investigation process.

If this is urgent, I would recommend calling Oracle Support and speaking with an Oracle Duty Manager to request escalation.

Good luck with this one.

Regards,
Steven 

Naqi:

Steven,
Just wanted to thank you for this, still in the process of trying to get this to work. However, it looks like we are now hopefully making some headway. You may want to read it and see, I like to think it's become an interesting read. To save yourself from reading the entire SR (and then halfway pondering over why you did in the first place), take a read starting from the posts dated '23-OCT-07 12:57:18 GMT' onwards.
Anyway thanks again.

Steven Chan:

Naqi,

Glad to hear that Dan helped you work through that.  We're very lucky to have him as part of our team -- he does great work in this area and is one of our recognized experts worldwide. 

Best of luck with the rest of your implementation.

Regards,
Steven 

Naqi:

Steven,
Just an update to let you know that the issue I was facing has now been resolved. A special thanks to Dan too, who really helped in identifying that the parameter s_webhost was incorrectly set to our reverse proxy server name - it should have been set to the internal node. With that done, we now have successful access to the E-Business Suite via the internal and external URL. Many thanks once again.
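
The misconfiguration reported in the last comment (s_webhost carrying the reverse proxy name instead of the internal node) can be checked before a rollout. The following is an added example, not part of the comment thread or of Oracle's notes; it assumes context variables are stored as XML elements tagged with an `oa_var` attribute, and the sample file, element names and host names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real context file: only the oa_var attribute
# convention is assumed; element names and host names are made up.
SAMPLE_CONTEXT = """\
<oa_context>
  <oa_host>
    <host oa_var="s_hostname">ebsext01</host>
    <domain oa_var="s_domainname">corp.example.com</domain>
    <webhost oa_var="s_webhost">rproxy01</webhost>
  </oa_host>
</oa_context>
"""

def short_name(host):
    """Lower-cased first DNS label, so FQDN and short forms compare equal."""
    return host.strip().lower().split(".")[0]

def read_oa_vars(context_xml):
    """Map every oa_var name found in the context XML to its text value."""
    root = ET.fromstring(context_xml)
    return {el.get("oa_var"): (el.text or "").strip()
            for el in root.iter() if el.get("oa_var")}

def check_webhost(context_xml, internal_node, reverse_proxy):
    """Return (status, message) describing the s_webhost setting."""
    value = read_oa_vars(context_xml).get("s_webhost", "")
    if not value:
        return ("missing", "s_webhost is not set in the context file")
    if short_name(value) == short_name(reverse_proxy):
        # The case from the comment thread: proxy name in s_webhost.
        return ("proxy", f"s_webhost={value} is the reverse proxy; "
                         f"expected internal node {internal_node}")
    if short_name(value) != short_name(internal_node):
        return ("mismatch",
                f"s_webhost={value} does not match {internal_node}")
    return ("ok", f"s_webhost={value}")

if __name__ == "__main__":
    print(check_webhost(SAMPLE_CONTEXT, "ebsext01", "rproxy01.example.com"))
```

Comparison is on the short host name only, so two hosts that share a first label in different domains would be treated as the same node.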

About This Entry

This page contains a single entry from the blog posted on September 5, 2007 3:12 PM.
