In the last blog we explored how to make the connections secure, which is essential if you want to use SGD in a secure, remote environment where users are outside and apps are inside the corporate network boundary. But an equally important pre-requisite is to work "nicely" with firewalls.
Many organizations have a policy which allows ports 80 and 443 (http/https) to remain open. So can SGD operate over these ports or do we need to spend weeks with the Security guys convincing them to open up other ports?
The answer is that SGD can work entirely over a single port and this blog explains how.
SGD, or a component thereof, is made to sit on the external 443 port as shown in this diagram
Thru a magical technique, SGD can discover if the traffic arriving on the port is AIP or https traffic, without needing to decrypt the traffic, and is then able to forward the stream to the web server or the SGD server as it deems fit. In this way only one port needs to be opened in the firewall.
Here's how to set up SGD in this way:
- Set up the webserver to listen on localhost:443
You'll need to edit the webserver configuration file /opt/tarantella/webserver/apache/\*/conf/httpd.conf
and change the port it listens on from:
- Set up SGD to listen on external-dns:443
# /opt/tarantella/bin/tarantella config edit --array-port-encrypted 443
- Tell SGD where to send non-AIP traffic
# /opt/tarantella/bin/tarantella config edit --security-firewallurl https://127.0.0.1:443
- Finally, restart the web server and the SGD server
# /opt/tarantella/bin/tarantella webserver restart --ssl
# /opt/tarantella/bin/tarantella restart
And now you're only using one port. Voila!