Troubleshooting DMZ Setups for Apps

It's possible to expose selected Oracle E-Business Suite applications such as iStore or iRecruitment to users outside of your corporate intranet.  As part of our security best practices recommendations, we recommend the use of reverse proxies in demilitarized zones (DMZ) for these types of deployments.

DMZ Reverse Proxy:

While simple in concept, the actual execution is sometimes a little trickier.  These projects are often complicated by the separation between different groups that manage network operations, enterprise security, and the E-Business Suite environments themselves.  Coordinating all three organizational groups can be a project in itself.  Even small missteps can result in some of the following issues:
  • Misconfigured firewalls and other networking components
  • Incorrectly configured reverse proxies
  • Incomplete or incorrect E-Business Suite setups
  • Inconsistencies between testbeds and production setups
One Step at a Time

Debugging environments with lots of complex moving parts can be frustrating.  The best strategy is to take a systematic approach and test the critical components in sequence.  To help you with that, our hardworking Oracle Support team has assembled some of the best tips for debugging these types of configurations here:
They've also published a companion document with a crisp walkthrough:
These documents are written specifically with Release 11i in mind but the principles and techniques apply equally to Release 12, too.  Great stuff and highly recommended if you're working on implementing a DMZ in your Apps environment.



Hi Steven,

Thanx for pointing to DocID: 438744.1. Its really very well written and practically useful Document. I would also like to thank Dan Collier (Author of Document)


Posted by kalpit on September 14, 2007 at 10:46 AM PDT #

Hi, Kalpit,Thanks for the feedback on this Note.  I've passed on your comments to Dan; I know he'll be very pleased to hear that you found it useful.Regards,Steven

Posted by Steven Chan on September 17, 2007 at 04:45 AM PDT #

I've followed Dan's Note: 438744.1, in addition to the dmz document for 11i. However I find that in the two seperate cases I have setup the jserv for the external entry point is always broken. What this means is that logins to 11i cannot happen. When I say this, I mean an access the login page: http://hostname.domain:port/oa_servlets/AppsLogin, results in a 404 page not found error. Investigating the various log files shows that the jserv that should be handling this request never starts up to begin with. I have an SR open 6559343.992. I was hoping if you could have a look at it, or perhaps if Dan could be contacted. My email address is

Posted by Naqi on October 19, 2007 at 12:01 AM PDT #

Naqi,I won't have the opportunity to look at this in-depth today, unfortunately.  However, I've asked the Service Engineer assigned to your SR to coordinate with Dan as part of the investigation process.If this is urgent, I would recommend calling Oracle Support and speaking with an Oracle Duty Manager to request escalation.Good luck with this one.Regards,Steven 

Posted by Steven Chan on October 19, 2007 at 04:07 AM PDT #

Just wanted to thank you for this, still in the process of trying to get this to work. However it looks like we are now hopefully making some headway. You may want to read it and see, I like to think its become an interesting read. To save yourself from reading the entire SR (and then halfway pondering over why you did in the first place). Take a read starting from the posts dated : '23-OCT-07 12:57:18 GMT' onwards.
Anyway thanks again.

Posted by Naqi on October 23, 2007 at 01:48 AM PDT #

Naqi,Glad to hear that Dan helped you work through that.  We're very lucky to have him as part of our team -- he does great work in this area and is one of our recognized experts worldwide.  Best of luck with the rest of your implementation.Regards,Steven 

Posted by Steven Chan on October 24, 2007 at 07:05 AM PDT #

Just an update to let you know that the issue I was facing has now been resolved. A special thanks to Dan too, who really helped in identifying that the parameter s_webhost was incorrectly set to our reverse proxy server name - it should have been set to the internal node. With that done, we now have successful access to the e business suite via the internal and external url. Many thanks once again.

Posted by Naqi on October 24, 2007 at 09:11 AM PDT #

Steve, I am having issue setting up DMZ on a R12 instance that was upgraded from 11i. I am getting http 404 file does not exist /OA_HTML/AppsLogin in the dmz apache error.log and access.log. Please check with your colleagues on this. I have already confirmed that it's not related to metalink document 344379.1, 1177264.1.

Posted by Jeffrey on August 17, 2012 at 11:44 AM PDT #

Hello, Jeffrey,

I'm sorry to hear that you've encountered an issue with this.

We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.


Posted by Steven Chan on August 17, 2012 at 11:49 AM PDT #

Thanks, Steven. There seems to be very little knowledge on the DMZ implementation matter in the oracle support organization. So if you know someone within Oracle with more hands on experience on the DMZ implementation side, please let me know. Much appreciated.

My SR # is 3-6072744491.

Posted by Jeffrey on August 20, 2012 at 09:58 AM PDT #

Hello, Jeffrey,

On the contrary, our Support organization for the EBS Applications Technology Group area has quite extensive experience working with DMZ-based configurations. We'll get this straightened out for you.

I've asked the Support team assigned to this Service Request to revisit it, and have offered some Development resources as needed to help isolate this issue.


Posted by Steven Chan on August 20, 2012 at 10:11 AM PDT #

Thanks Steve, that's great to know. I look forward to working with the Oracle resources.

Posted by Jeffrey on August 20, 2012 at 10:15 AM PDT #

Hello Steve,

Im facing the same issue when configuring a proxy server alone in dmz.

im facing a 404 error in the proxy.

I have an SR open 3-11713948181 but no help rigth now.

Posted by Ali on November 24, 2015 at 06:57 AM PST #

Hi, Ali,

I'm sorry that you're encountering issues with this.

I've contacted Support management to escalate your Service Request. If this is urgent, I'd recommend that you do the same from your side.

Please monitor your SR for updates.


Posted by Steven Chan on November 24, 2015 at 09:38 AM PST #

Hello Steven,

I was contacted by oracle 3 days ago (on tuesday) to ask me to upload them xml context files and logs files.

I uploaded all necessary files in the same day and since this time no thing is happening (no news).

I nevertheless specified that it is urgent.


Posted by Ali on November 30, 2015 at 05:27 AM PST #

Hello, Ali,

It is important to understand that this blog is not a Support channel. Posting questions about your Service Request on this blog will not work, since this blog is not connected to Support's SR systems.

You should contact Support and ask to speak with the On Duty Manager to escalate your Service Request.


Posted by Steven Chan on November 30, 2015 at 10:52 AM PST #

Hello steven,

I have question about the note 438744.1.

Is it necessary to have an other separate ip adresse in the internal apps node in order to implement the configuration like described in the note 438744.1?


Posted by Ali on December 03, 2015 at 06:36 AM PST #

Post a Comment:
  • HTML Syntax: NOT allowed


« July 2016