Sunday Aug 19, 2007

There can be only one (port in a firewall)

In the last blog we explored how to make the connections secure, which is essential if you want to use SGD in a secure, remote environment where users are outside and apps are inside the corporate network boundary. But an equally important pre-requisite is to work "nicely" with firewalls.

Many organizations have a policy which allows ports 80 and 443 (http/https) to remain open. So can SGD operate over these ports or do we need to spend weeks with the Security guys convincing them to open up other ports?

The answer is that SGD can work entirely over a single port and this blog explains how.

SGD, or a component thereof, is made to sit on the external 443 port as shown in this diagram

Thru a magical technique, SGD can discover if the traffic arriving on the port is AIP or https traffic, without needing to decrypt the traffic, and is then able to forward the stream to the web server or the SGD server as it deems fit. In this way only one port needs to be opened in the firewall.

Here's how to set up SGD in this way:

  1. Set up the webserver to listen on localhost:443
  2. You'll need to edit the webserver configuration file /opt/tarantella/webserver/apache/\*/conf/httpd.conf and change the port it listens on from:
    Listen 443
    to...
    Listen 127.0.0.1:443

  3. Set up SGD to listen on external-dns:443
  4. # /opt/tarantella/bin/tarantella config edit --array-port-encrypted 443
  5. Tell SGD where to send non-AIP traffic
  6. # /opt/tarantella/bin/tarantella config edit --security-firewallurl https://127.0.0.1:443 
  7. Finally, restart the web server and the SGD server
  8. # /opt/tarantella/bin/tarantella webserver restart --ssl 
    # /opt/tarantella/bin/tarantella restart

And now you're only using one port. Voila!

-FB

About

Fat Bloke

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today