Portal 7 SRA: Move SRA Server into DMZ

Why move SRA into the DMZ?

The SRA Server is designed to be installed in the DMZ of an enterprise network. Its Rewriter Services and Netlet Services let external users reach internal network applications in a safe and secure manner without exposing those applications to the Internet. Customers often initially install the Sun Portal Server and Sun Secure Remote Access Server in a simple environment that does not include a DMZ. If the environment is later changed and the SRA Server is moved into the DMZ, expect the following to change:
  • The network that the SRA Server is on has changed. This typically results in a new IP address on a different subnet than the Sun Portal Server and Sun Access Manager.
  • The host name of the SRA Server has changed. The server is now accessible on the Internet and has a name that is publicly resolvable via DNS.
Two things need to be updated when this happens:
  • Update the Platform configuration to include the new domain name in the list of Cookie Domains.
  • Update the configuration of the SRA Server to listen on the new IP address.

Update the Platform Configuration

  1. Log in to the amconsole.
  2. Click the Service Configuration tab.
  3. Click the Platform link in the tree on the left.
  4. Edit the list of Cookie Domains and enter the domain name of the SRA Server, for instance .sun.com

Update the SRA Server Configuration

  1. Open a terminal session on the SRA Server.
  2. Edit the file /etc/opt/SUNWportal/platform.conf.default and change the following three entries:
    1. gateway.bindipaddress=192.168.1.1
       Change the IP address to the external IP address.
    2. gateway.virtualhost=sra.internalnetwork.com 192.168.1.1
       Change the IP address to the external IP address, and add the full external host name of the SRA Server. This is a space-delimited list, so append to the end of the line.
    3. gateway.external.ip=192.168.1.1
       Change the IP address to the external IP address.
  3. Restart the SRA Gateway.
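The three edits above are easy to get half right by hand (a stale IP left in the virtualhost list is the usual slip), so here is a small POSIX sh script that makes them and then checks the result. It is an added example, not part of the original post or of the Sun Portal product: it assumes only that platform.conf.default is a plain key=value file with the three gateway.* keys named above, and it works on a constructed copy of the file in a temporary directory rather than on the live /etc/opt/SUNWportal/platform.conf.default. The external IP 203.0.113.10 and host name sra.example.com are placeholders. The check also accepts a bind address of 0.0.0.0, the bind-to-all-interfaces variant described in the comments below.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the gateway.* keys that
# change when the SRA gateway moves into the DMZ, then verify the result.
# Assumption: the file is key=value, one key per line, keys as in the post.

# Constructed sample standing in for /etc/opt/SUNWportal/platform.conf.default.
make_sample_conf() {
    cat > "$1" <<'EOF'
gateway.protocol=https
gateway.bindipaddress=192.168.1.1
gateway.virtualhost=sra.internalnetwork.com 192.168.1.1
gateway.external.ip=192.168.1.1
gateway.port=443
EOF
}

# update_sra_conf FILE OLD_IP NEW_IP EXTERNAL_HOST
# Sets bind and external IP to NEW_IP, swaps OLD_IP for NEW_IP in the
# virtualhost list and appends EXTERNAL_HOST to that list if it is missing.
# Other keys are passed through untouched; a .bak copy is kept.
update_sra_conf() {
    file=$1; old_ip=$2; new_ip=$3; ext_host=$4
    cp "$file" "$file.bak"
    awk -v old="$old_ip" -v new="$new_ip" -v host="$ext_host" '
        /^gateway\.bindipaddress=/ { print "gateway.bindipaddress=" new; next }
        /^gateway\.external\.ip=/  { print "gateway.external.ip=" new; next }
        /^gateway\.virtualhost=/ {
            sub(/^gateway\.virtualhost=/, "")
            n = split($0, parts, " ")
            out = ""; seen = 0
            for (i = 1; i <= n; i++) {
                if (parts[i] == old) parts[i] = new
                if (parts[i] == host) seen = 1
                out = out (out == "" ? "" : " ") parts[i]
            }
            if (!seen) out = out " " host
            print "gateway.virtualhost=" out; next
        }
        { print }
    ' "$file.bak" > "$file"
}

# get_key FILE KEY: print the value of KEY (empty if absent).
get_key() {
    sed -n "s/^$2=//p" "$1"
}

# list_has LIST ITEM: succeed if the space-delimited LIST contains ITEM.
list_has() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_sra_conf FILE NEW_IP EXTERNAL_HOST: succeed only if the bind address
# is NEW_IP (or 0.0.0.0, all interfaces), the external IP is NEW_IP, and the
# virtualhost list carries both NEW_IP and EXTERNAL_HOST.
verify_sra_conf() {
    file=$1; new_ip=$2; ext_host=$3
    bind=$(get_key "$file" gateway.bindipaddress)
    [ "$bind" = "$new_ip" ] || [ "$bind" = "0.0.0.0" ] || return 1
    [ "$(get_key "$file" gateway.external.ip)" = "$new_ip" ] || return 1
    vh=$(get_key "$file" gateway.virtualhost)
    list_has "$vh" "$new_ip" || return 1
    list_has "$vh" "$ext_host" || return 1
    return 0
}

# Stand-alone demo on a constructed copy (placeholder IP and host name).
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/platform.conf.default"
update_sra_conf "$demo_dir/platform.conf.default" 192.168.1.1 203.0.113.10 sra.example.com
if verify_sra_conf "$demo_dir/platform.conf.default" 203.0.113.10 sra.example.com; then
    echo "platform.conf.default is consistent for the DMZ move:"
    grep '^gateway\.\(bindipaddress\|virtualhost\|external\.ip\)=' "$demo_dir/platform.conf.default"
else
    echo "platform.conf.default still has a stale gateway.* entry" >&2
fi
```

Run the update once, then verify; running the update a second time with the new IP as OLD_IP changes nothing, so the host name is never appended twice. Restart the SRA Gateway afterwards as the procedure says; the script only edits the file.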
Comments:

Hi Jim,
thanks for the info, but what if the SRA host is reachable on a backend ip like 192.168.1.1 while the SRA listens on gateway.bindipaddress=172.16.1.1 ?

Can this work?

Thanks,
jobbe

Posted by jobbe on April 15, 2008 at 12:51 AM MDT #

"thanks for the info, but what if the SRA host is reachable on a backend ip like 192.168.1.1 while the SRA listens on gateway.bindipaddress=172.16.1.1 ?"

We wanted to be able to test the SRA internally (inside the firewall, from within the backend LAN). The gateway.bindipaddress is either one IP or all interfaces to bind HTTP/HTTPS. If 172.16.1.1 were the SRA interface that connects to our firewall and 192.168.1.1 were the interface that connects to our backend LAN, here is what our /etc/opt/SUNWportal/platform.conf.default configuration would look like:

gateway.bindipaddress=0.0.0.0
(bind to all interfaces)
gateway.virtualhost=sra.internalnetwork.com 192.168.1.1 172.16.1.1
gateway.external.ip=172.16.1.1

HTH

Posted by J on July 08, 2008 at 02:07 PM MDT #
