Reverse Proxy
Hello,
I read the SGD manual without finding useful info.
We would like to install SGD NOT in the DMZ, but in the intranet... and to publish applications over the internet through a reverse proxy in the DMZ.
The reverse proxy "understands" just HTTP over SSL (https).
I do not know if we will have to face problems; I do not know if AIP is encapsulated into https or not.
Any suggestion?
Thanks
SteCoa at 2007-11-27 6:26:43

# 1
This is not really going to work with the current model. AIP is not encapsulated in https.
# 2
OK, this is important:
AIP is not encapsulated into HTTP and it does not travel over SSL.
This should mean that a hardware appliance that is able to perform hardware acceleration of any protocol running over SSL is not compatible with SGD.
Right?
Second... if a client computer is running behind a proxy server (think about a PC installed in an office behind ISA Server or NetCache), how can it work?
The SGD User Guide says that it is possible to run the SGD client (webtop, or classic) in a browser behind an HTTPS, HTTP or SOCKS5 proxy server, and I am asking....
"if a client PC can run through an HTTPS proxy on the client side, then it means that everything runs over HTTPS, even if it is called AIP or whatever else"
What is wrong?
Thanks a lot
SteCoa at 2007-7-12 17:48:01

# 3
Hi,
Carmelo says, "AIP is not encapsulated in https", which does not mean it is not SSL. In fact it is or it is not, depending on your settings.
The relevant fact is, SGD seems to be http or https, but it is not.
Unlike https, AIP is a connection-oriented protocol, like telnet or SSL.
So a proxy will work, but that proxy must allow the socket-to-socket connection between the client and the SGD server.
This is not the case for a reverse proxy, which acts as "the man in the middle", preventing the direct connection between the SGD server and the client.
I hope that helps to clarify that issue,
Regards,
# 4
Hi Again,
I forgot to mention the use of hardware accelerators.
SGD can be configured to work with such devices: using the Array Manager you can configure it to send the traffic on port 443 but not do the encryption, allowing the hardware SSL accelerator to do the job.
Regards,
# 5
When setting up SSGD on a Solaris 10 server which has been installed in secure mode and configuring firewall traversal mode, I don't really see why this server can't be installed in a DMZ.
The only port which should be opened from the outside to the DMZ will be port 443, since the web pages and AIP are secured via SSL.
It is possible to install an SSL accelerator (aka SSL offloader) in front of SSGD. This system can be placed in the DMZ and the SSGD server further back in the network. When using a single SSGD server this is quite simple to set up. When using multiple SSGD servers, load-balanced and SSL-accelerated, the configuration will be a bit harder.
An SSL accelerator is a bit different from a reverse proxy since it does not cache content; it just forwards the packets after stripping SSL.
We have successfully installed SSGD behind different types of SSL accelerators for multiple clients.
Remold | Everett
# 6
Good.
This is a very very interesting answer and this is our case.
For security reasons (do not ask me why... I am not a security expert) we can NOT install servers in the DMZ... but just load balancers, proxies, reverse proxies and so on.
In this way, our goal will be:
have the SGD in the internal intranet network
have a hardware SSL offloader in the DMZ.
The SSL offloader is Radware CT100, aka ApplXcel
http://www.radware.com/content/products/appxcel/default.asp
It says that this appliance can offload any protocol running over SSL (HTTP, FTP, SMTP....) but there is no info about AIP.
My problem is this: if AIP is not inside the SSL... will it work or not?
If AppXcel does not "understand" the protocol running over SSL... it simply offloads the SSL and forwards the request through the tunnel.
SteCoa at 2007-7-12 17:48:01

# 7
When using Firewall Traversal mode (redirecting both https and AIP to port 443) an SSL offloader can be used.
The AIP packets are encapsulated in https packets.
It is advisable to do a Proof of Concept first to make sure it works with AppXcel. I don't have experience with that particular device, but from the specs it looks like it should work. Be sure to use only SSL offloading and no caching.
We believe that the SUN Secure Application Switch N2000 Series is the best solution in both security and speed for this kind of application. Since these switches can be used for multiple environments the TCO can be reduced dramatically :)
- Remold | Everett
# 8
OK.
I agree to do a test.
Using this approach, will all 3 ways to connect be available?
(browser-based webtop, classic webtop, native client)
I suppose that the first two are OK. Native client too?
Unfortunately the Radware SSL accelerators are for us "the standard".
Do you see pros and cons of positioning the SGD in the DMZ without a reverse proxy vs having a reverse SSL offloader in the DMZ and SGD in the intranet?
Many... MANY thanks
SteCoa at 2007-7-12 17:48:01

# 9
It works for all 3 types of connections: browser-based webtop (the one you should use), classic webtop and the native client (which will be taken out of the product or replaced).
Pro for SGD in DMZ:
- one single box
- easier to setup
- when using SSGD arrays over multiple sites, connections between the array members can be made directly (secured by SSL)
- no costs for an SSL offloader
Pro for SSL offloader in DMZ:
- an extra layer of security (from three-tier to four-tier, but when SSGD is in the same tier as the application servers it will be three-tier again)
- offloading of the CPU of the SSGD server
These lists could be extended if I took more time for this.
- Remold | Everett
PS a reverse SSL offloader is not what you want, since that would be an SSL onloader ;P hmmmz, when looking from SSGD towards the internet it would be an onloader, so you could be correct ;P