Tuesday, October 7, 2008

DMZ-hardened WebSphere Proxy

One of the main frustrations for customers who have wanted to move from legacy proxy solutions such as the IHS plug-in or the Edge Caching Proxy to the WebSphere Proxy (introduced in WAS 6.0.2) has been the additional network hop needed for deployment. The WAS proxy offers significant advantages over the legacy solutions in terms of usability, performance, and systems management integration (see Erik Burckart's article). However, it is not recommended for deployment inside a demilitarized zone (DMZ) for security reasons. Thus, deployments with the WebSphere Proxy often required an extra network hop from a DMZ-hardened solution in front to the proxy itself. The rules have changed in WAS v7.

In WAS v7, customers have access to a DMZ-hardened version of the proxy server. This server ships on a separate installer that contains a subset of the full WAS ND installation. It contains a few notable differences from the ND install that make it suitable for installation in a DMZ:
  • No JDK: The secure proxy utilizes only the JRE, so no compiler is available in the DMZ.
  • Fewer Listening Ports: The secure proxy can be configured to have as few as two listening ports (HTTP and HTTPS).
  • Slimmer set of jars: Since the proxy does not require certain functionality (e.g. web container, EJB container, web services, etc.), jars containing this function are omitted from the install for security and memory footprint purposes.
  • Slimmer set of active services: The secure proxy utilizes runtime provisioning (new in v7) to start only the required services. Services like JNDI, application install, and ORB are not started.
In addition to these security features, customers can also toggle certain pieces of function on or off, trading usability for security as their deployment requires. Four pieces of function can be toggled between a more usable and a more secure setting: startup permissions, error handling, remote administration, and dynamic routing.
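Two of the properties listed above (no compiler in the install tree, and a minimal set of listening ports) are easy to verify on the DMZ host after installation. The script below is an added example, not part of the original post and not IBM's code; the install path, the allowed ports, and the sample `ss -ltn` output are constructed assumptions for illustration, not the product's real layout or output.

```shell
#!/bin/sh
# Added example: post-install audit for a DMZ proxy host. Checks that no Java
# compiler is present under the install root and that the host is not
# listening on ports beyond an allow list. All paths, ports and the sample
# socket listing are assumptions made for this example.

# Return 0 (true) if no javac binary exists anywhere under the directory $1.
# A JRE-only install should contain java but never javac.
no_jdk_compiler() {
    root="$1"
    hits=$(find "$root" -type f \( -name 'javac' -o -name 'javac.exe' \) 2>/dev/null | wc -l | tr -d ' ')
    [ "$hits" -eq 0 ]
}

# Read ss/netstat-style text on stdin and print, one per line, every TCP
# port in LISTEN state that is not in the space-separated allow list $1.
# The port is taken from the "Local Address:Port" column; stripping up to
# the last colon also handles IPv6 forms such as [::]:443.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            if (!(port in ok)) print port
        }'
}

# Convenience wrapper: $1 = allow list, $2 = listing text; prints the count
# of unexpected listening ports.
count_unexpected_listeners() {
    printf '%s\n' "$2" | unexpected_listeners "$1" | wc -l | tr -d ' '
}

# Run both checks on a live host: $1 = install root, $2 = allowed ports.
# Uses `ss -ltn` (Linux); substitute `netstat -ltn` on other systems.
audit_host() {
    if no_jdk_compiler "$1"; then echo "OK   no javac under $1"
    else echo "FAIL javac present under $1"; fi
    extra=$(ss -ltn 2>/dev/null | unexpected_listeners "$2" | tr '\n' ' ')
    if [ -z "$extra" ]; then echo "OK   listeners limited to: $2"
    else echo "FAIL unexpected listening ports: $extra"; fi
}

# Constructed sample listing (not real output): the two expected proxy
# ports plus a leftover administrative listener that the audit should flag.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:9043       0.0.0.0:*'

# Demonstration against the sample: prints 9043.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "80 443"

# On a real host (path and ports are assumptions, not the product's):
#   audit_host /opt/secureproxy "80 443"
```

The port check is deliberately an allow list rather than a deny list: in a DMZ the question is not "is anything bad listening?" but "is anything listening that the proxy's documented two-port configuration does not require?", so any extra listener, including a loopback-only one, is reported for a human to justify.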

The DMZ Secure Proxy Server is a nice upgrade over the IHS plug-in and Edge Proxy in terms of feature set, scalability, performance, and WAS integration, and I am very excited to see customers begin reaping the benefits of deploying it.


whale said...

Is it true that this feature is only available to WAS ND and not base?

Aaron Shook said...

Yes, both the DMZ Secure Proxy Server and the original WebSphere Proxy Server are only available in WAS ND. Many of the value-add functions of the proxy server are only applicable in an ND environment (e.g. load balancing, HA), and thus it is only available in ND as well.