DMZ Secure Proxy Environment setup for IP Forwarding

The DMZ Secure Proxy Server for IBM® WebSphere® Application Server was a new feature introduced in the WebSphere Application Server V7.0 product. An IBM DMZ Secure Proxy server provides a more secure proxy server that can be installed and used in demilitarized zone (DMZ) topologies. The reduced risk is achieved by removing all functions/features not required for a proxy from the application server. Also, the DMZ Secure proxy is designed to improve security by minimizing the number of external ports opened.

In the diagram below, a topology is shown of DMZ Secure Proxy Server(s) configured and deployed between a network of inner and outer firewalls.

© 2013 IBM Corporation

Figure: IP Forward with 2 DMZ Proxies fronted by F5 in a different subnet. Elements shown: sipp SIP clients on the DMZ Public Network, the Outer Firewall, the F5 load balancer (front end on Subnet 2, back end on Subnet 3), the DMZ Proxy servers, the Inner Firewall, and the WAS1/WAS2 servers on the Intranet. Subnets 1, 4 and 5 are also labelled.

Hardware and Software required for setup

Machines

For a Single DMZ environment, use one machine, Host 1.
For a Dual DMZ environment, use two machines, Host 1 and Host 2.

On Host 1 (and Host 2 for Dual), install and configure the following:
- DMZ Secure Proxy Server
- WAS ND for the Administrative Agent and the Secure proxy (configuration-only) profile

For the WAS ND environment (Host 3), install and configure the following:
- WAS ND clustered environment

Note: This document assumes that Host 3 has an existing WAS 8.5.5.0 ND clustered environment installed, configured and ready to be fronted by the DMZ Secure Proxy Servers.

Software

- IBM Installation Manager (IM) 1.6.2
- DMZ Secure Proxy Server for IBM WebSphere Application Server Version 8.5.5.0
- IBM WebSphere Application Server Network Deployment Version 8.5.5.0

Software can be obtained from a number of external sources.

Install DMZ Secure Proxy Server on Host 1 and Host 2 (for Dual)

(1) Install IBM Installation Manager (IM) 1.6.2

(2) After the install completes and IM is started, go to File -> Preferences... and click the "Add Repository" button

(3) In the Repository field, enter the build repository location, for example, /WASV855_NDDMZ/DMZ/repository.config

(4) After the repository is accepted, click "OK"

(5) Click the Install icon

(6) From the "Installation Packages" panel, select DMZ Secure Proxy Server for IBM WebSphere Application Server Version 8.5.5.0 and click the Next> button

(7) The License Agreement panel appears. Select "I accept the terms in the license agreement" and click the Next> button

(8) On the Shared Resources Directory panel, take the default or change the Shared Resources Directory and click the Next> button

(9) The Installation Directory panel appears. Take the default or change the Installation Directory, and click the Next> button

(10) The Translations panel appears. Take the default and click the Next> button

(11) The Features panel appears. Take the defaults and click the Next> button

(12) The Summary panel appears. Click Install

(13) The Results panel appears when the install finishes. For "Which program do you want to start", take the default, Profile Management Tool, to create a profile, and click the Finish button

Create the DMZ Secure Proxy Server profile on Host 1 and Host 2 (for Dual)

The IBM DMZ secure proxy server can be created at one of three security levels, High, Medium, or Low, which trade proxy function for hardening. The Medium and Low DMZ security levels support only dynamic routing, while the High DMZ security level supports only static routing.

Static routing means the server obtains the routing information from local flat files. Dynamic routing means the server obtains the routing information from a Hypertext Transfer Protocol (HTTP) tunnel connection from the proxy server to a server in the secure zone.

The High DMZ security level cannot be used for SIP proxy servers because static routing is not supported for the SIP proxy server.

When creating the secure proxy server profile, select the Low security level so that the DMZ servers can be used as SIP proxy servers. Low is the least restrictive of the three levels, so the firewall rules at the end of this document matter correspondingly more.

(1) The Profile Management Tool panel appears

(2) On the Profiles panel, click the Create button

(3) On the Environment Selection panel, select Secure proxy and click the Next> button

(4) On the Profile Creation Options panel, select Advanced profile creation and click Next>

(5) On the Profile Name and Location panel, take the defaults and click the Next> button

(6) On the Node and Host Names panel, take the defaults and click Next>

(7) On the Security Level Selection panel, select the Low proxy security level, de-select the Web protocol, and click Next>

(8) On the Administrative Security panel, enable administrative security, enter the User name and Password in the fields and click Next>

(9) On the Security Certificate (Part 1) panel, take the defaults and click Next>

(10) On the Security Certificate (Part 2) panel, take the defaults and click Next>

Note: the profile's keystores are created with the WebSphere default keystore password (WebAS); change it after profile creation.

(11) On the Port Values Assignment panel, take the defaults and click Next>

(12) On the Service Definition panel, take the defaults and click Next>

(13) On the Profile Creation Summary panel:

Important: Remember the Profile name, Node name, and Server name; these exact names must be used during the ND Secure proxy (configuration-only) setup

Click Create

(14) On the Profile Creation Complete panel, uncheck Launch the First steps console and click Finish

(15) On the Profile Management Tool panel, select File > Exit to exit the Profile Management Tool

Install WAS Version 8.5.5 Network Deployment on Host 1 and Host 2 (for Dual)

Install the IBM® WebSphere® Application Server Network Deployment (ND) code from the product media or from an installation image onto the machines where the real DMZ secure proxy servers will be hosted. The ND install is performed so that an Administrative agent and a DMZ Secure proxy (configuration-only) profile can be configured on those machines.

(1) Back on the IBM Installation Manager panel, go to File -> Preferences... and click the "Add Repository" button

(2) In the Repository field, enter the build repository location, for example, /WASV855_ND/WAS/repository.config

(3) After the repository is accepted, click "OK", then click the Install icon

(4) From the "Install Packages" panel, select IBM WebSphere Application Server Network Deployment Version 8.5.5.0 and click the Next> button

(5) On the License Agreement panel, select "I accept the terms in the license agreement" and click the Next> button

(6) On the Location panel, enter the Installation Directory and click the Next> button

(7) The Translations panel appears. Take the default and click the Next> button

(8) On the Features panel, take the defaults and click the Next> button

(9) On the Summary panel, click Install> to begin the installation

(10) When the installation finishes, for "Which program do you want to start", take the default and click Finish

Create the Administrative Agent and Secure proxy (configuration-only) profiles on Host 1 and Host 2 (for Dual)

An Administrative agent is a component that provides enhanced management capabilities for stand-alone application servers. It was a new concept introduced with WebSphere Application Server V7.0. The administrative agent can only manage application servers that are installed in the same operating system image as the administrative agent. Create an Administrative agent profile whose sole purpose is to administer a DMZ Secure proxy (configuration-only) profile. After the profile creation, start the Administrative agent. A secure proxy (configuration-only) profile is for use with a DMZ secure proxy server. This configuration-only profile is intended only for configuring the proxy through the administrative console of the Administrative agent; the configuration-only server cannot be started or used for any work.

Create the DMZ Secure proxy (configuration-only) profile with the same server name, profile name, node name, security level, and port values as the real DMZ secure proxy server.

(1) On the Profile Management Tool panel, click Create


(2) On the Environment Selection panel, select Management and click Next>

(3) On the Server Type Selection panel, select Administrative agent and click Next>

(4) On the Profile Creation Options panel, select Typical profile creation and click Next>

(5) On the Administrative Security panel, enable administrative security, enter the User name and Password in the fields and click Next>

Note: You must also enable administrative security when creating the Secure proxy (configuration-only) profile, otherwise the Admin agent will not be able to manage the node

(6) On the Profile Creation Summary panel, click Create

(7) On the Profile Creation Complete panel, uncheck Launch the First steps console and click Finish

(8) On the Profiles panel again, click Create

(9) On the Environment Selection panel, select Secure proxy (configuration-only) and click Next>

(10) On the Profile Creation Options panel, select Advanced profile creation and click Next>

(11) On the Profile Name and Location panel:

Important: Make sure the Profile name matches that of the DMZ Secure Proxy Server created earlier (step (13) of the DMZ Secure Proxy Server profile creation above)

and click Next>

(12) On the Node and Host Names panel:

Important: Make sure the Node name and Server name match those of the DMZ Secure Proxy Server created earlier (step (13) of the DMZ Secure Proxy Server profile creation above)

and click Next>

(13) On the Security Level Selection panel, select Low, de-select the Web protocol and click Next>

(14) On the Administrative Security panel: if you enabled administrative security when creating the Administrative agent, you must also enable it now. Enter the User name and Password in the fields and click Next>

(15) On the Security Certificate (Part 1) panel, take the defaults and click Next>

(16) On the Security Certificate (Part 2) panel, take the defaults and click Next>

Note: the keystore password should be changed later, as for the real DMZ Secure Proxy profile

(17) On the Port Values Assignment panel, click Default Port Values so that the ports match those set up during the DMZ Secure Proxy profile creation, and click Next>

(18) On the Profile Creation Summary panel, make sure the Profile name, Node name and Server name match those of the DMZ Secure Proxy server created earlier and click Create

(19) On the Profile Creation Complete panel, click Finish

(20) On the Profiles panel, select File > Exit to exit the Profile Management Tool

Register the Secure proxy (configuration-only) profile node with the Administrative Agent on Host 1 and Host 2 (for Dual)

After the Secure proxy (configuration-only) profile has been created, register the node with the Administrative agent. This is performed so that the secure proxy profile can be configured using the administrative console of the Administrative agent.

(1) Start the Administrative agent from the directory <WAS_HOME_ND_AdminAgent_profile_directory>/bin

    startServer adminagent

(2) Once the Administrative agent is started, register the Secure proxy (configuration-only) node with the Administrative agent. From <WAS_HOME_ND_AdminAgent_profile_directory>/bin, run the registerNode command:

    registerNode -conntype SOAP -port <SOAP_port> -profilePath <WAS_HOME_ND_Secure_proxy_configuration_only_profile_directory> -username <admin_agent_user> -password <admin_agent_passwd> -nodeusername <secure_config_only_user> -nodepassword <secure_config_only_passwd>

Note: The default SOAP port is 8877, but it may be different. The SOAP port value is listed in the "AboutThisProfile.txt" file located at <WAS_HOME_ND_AdminAgent_profile_directory>/logs

Note: registerNode prompts for any credentials not supplied on the command line; omitting the password options keeps the passwords out of the shell history and the process listing.

Once the profile is registered, changes can be made to the Secure proxy (configuration-only) profile through the Administrative Agent console:

    http://<admin_agent_hostname>:<Administrative_port>/ibm/console

Note: The Administrative default port is 9060, but it may be different. The Administrative port value is listed in the "AboutThisProfile.txt" file located at <WAS_HOME_ND_AdminAgent_profile_directory>/logs. With administrative security enabled the console redirects to the secure administrative port (default 9043).

Create Core Group Tunnel connection between the DMZ Secure Proxy server(s) and WAS 8.5.5 ND Cell

On Host 3 with WAS 8.5.5.0 ND internal cell clustered environment

If you are using a DMZ secure proxy server with dynamic routing, the routing information is exchanged using core groups. In this case, you need to create a tunnel access point group to establish a core group bridge tunnel between the core groups and DMZ proxy server.

The core group contains a bridge service that supports cluster services that span multiple core groups. Core groups are connected by access point groups. A core group access point defines a set of bridge interfaces that resolve IP addresses and ports. It is through this set of bridge interfaces that the core group bridge provides access to a core group.

Any WebSphere Application Server process (dmgr, node agent, application server) can be a core group bridge process for a core group. A process that is chosen for a core bridge should have production activities or response times that will not be affected by the core bridge workload. Node agents or application servers that do not host any applications can be used as bridges, but it is best, if system resources permit, to use dedicated non-clustered application servers that do not host applications.

Also it is best for a core group to have the core group bridges reside on different physical systems, if possible. One bridge is typically sufficient for workload purposes, but two are recommended in the event a bridge fails. The bridges in a core group partition high availability (HA) data amongst the active bridges. To enable “seamless” core group failover, whereby the HA state of the failed bridge will be recovered by the remaining bridge(s) without the data being unavailable in the local core group, one should set the WAS Core Group custom property IBM_CS_HAM_PROTOCOL_VERSION to 6.0.2.31.


For additional information on core group bridges, check the WebSphere Application Server Version 8.5 information center (see Appendix).

To create the core group tunnel, go to the administrative console of the WebSphere Application Server Network Deployment (ND) internal cell and do the following:

Log in to the WAS 8.5.5.0 ND Administrative Console

The steps below should be followed for each of the DMZ Secure Proxy servers. Each DMZ external cell should have a tunnel to the WAS 8.5.5.0 ND internal cell nodes.

(1) Create Tunnel peer access points for the DMZ Secure Proxy server(s)

Go to Servers -> Core Groups -> Core group bridge settings
Under Additional Properties, click the Tunnel peer access points link
Click New
In the Name field, enter <Anything unique>
In the Cell field, enter <CELL_NAME_OF_DMZ_SECURE_PROXY1> (the cell name is the directory name under <DMZ Secure proxy server profile>/config/cells/)
Accept the remaining defaults
Click OK and Save directly to the master configuration

Repeat the above steps for the second DMZ secure proxy server:
Click New
In the Name field, enter <Anything unique>
In the Cell field, enter <CELL_NAME_OF_DMZ_SECURE_PROXY2> (found the same way on the second proxy)
Accept the remaining defaults
Click OK and Save directly to the master configuration

(2) Create Tunnel Template

Go to Core Groups -> Core group bridge settings
Under Additional Properties, click the Tunnel templates link
Click New
Enter a Name for the template
Click OK and Save directly to the master configuration

(3) Create a Tunnel Access Point Group

Go to Core Groups -> Core group bridge settings
Under Additional Properties, click the Tunnel access point groups link
Click New

(a) Step 1: Enter a name for the tunnel access point group, then click Next

(b) Step 2: Add core group access points
The DefaultCoreGroup contains all the servers and node agents in the WAS ND cell. Select the DefaultCoreGroup and add it (>) to the Core group access points in the Tunnel access point group, then click Next

(c) Step 3: Add tunnel peer access points
The tunnel peer access points are those created above for each DMZ Secure Proxy server. Select the available core group tunnel peer access points and add them (>) to the Tunnel peer access points in the Tunnel access point group, then click Next

(d) Step 4: Review the summary and click Finish. Save directly to the master configuration

(4) Create Bridge Interface(s)

This step is done one time and is not related to the number of DMZ proxies.

For the bridge interface(s), the node agents in the default core group listed from the WAS internal cell SIP nodes will be used.

(a) Go to Core group bridge settings -> Access point groups
Click the DefaultAccessPointGroup link
Under Access points, click Core group access points

(b) Select the DefaultCoreGroup (make sure it becomes highlighted) and click Show Detail

(c) In the Core Group page, under Additional Properties, click Bridge interfaces

(d) Click New. In the Bridge interfaces dropdown, select a node agent. Click OK and Save directly to the master configuration.
Now click New again and, in the Bridge interfaces dropdown, select another node agent. Click OK and Save directly to the master configuration.
Now two node agents are defined to act as core group bridges.

(e) Go to Core Groups -> Core group settings
Click the DefaultCoreGroup link
Under Additional Properties, click the Custom properties link
Click New and add the property IBM_CS_HAM_PROTOCOL_VERSION with value 6.0.2.31 (see the note on seamless core group failover above)
Click OK and Save directly to the master configuration.

(5) Export the Tunnel Group information from the Cell

(a) Associate the Tunnel Access Point Group with the Tunnel Template
Go to Core Groups -> Core group bridge settings -> Tunnel templates
Click the template Name link

(b) Select the Tunnel Access Point Group from the dropdown list (make sure it becomes highlighted)
Click OK and Save directly to the master configuration.
Make sure the Tunnel Access Point Group is now associated with the tunnel template.

(6) Export the Tunnel template

Export the tunnel template to a properties file. Make sure the export was successful: the MyTunnel.props file is created and placed in the <WAS_HOME>/dmgr_profile directory.

Import the Tunnel Template with DMZ Secure Proxy and ND Secure proxy (configuration-only) profile on Host 1 and Host 2 (Dual)

(1) Go to the <Secure Proxy (configuration-only) profile>/bin directory on each machine and run the wsadmin command

    wsadmin -conntype NONE -username <userid> -password <passwd>

From the wsadmin prompt, type

    wsadmin>$AdminTask importTunnelTemplate -interactive
    Import tunnel template.
    Import a tunnel template and its children into the cell-scoped configuration.
    *Input file name. (inputFileName): <Name/location of WAS ND tunnel.props file>
    *Bridge Interface Node Name. (bridgeInterfaceNodeName): <Name of Secure proxy node>
    *Bridge Interface Server Name. (bridgeInterfaceServerName): <Name of Secure proxy server>
    Import tunnel template.
    F (Finish)
    C (Cancel)
    Select [F, C]: [F] F

Example of the command generated:

    WASX7278I: Generated command line: $AdminTask importTunnelTemplate {-inputFileName /MyTunnel.props -bridgeInterfaceNodeName svt-r1c3b06Node01 -bridgeInterfaceServerName proxy1}

    wsadmin>$AdminConfig save
    wsadmin>quit

The interactive session above uses Jacl, the wsadmin default; the export/import steps later in this document use Jython (-lang jython).

Configure the DMZ Secure Proxy Server using the Administrative Console on Host 1 and Host 2 (for Dual) for IP Forwarding

The secure proxy server configurations are created and maintained as configuration-only profiles and managed using the administrative console of the Administrative agent.

Make sure the Administrative agent is running.

(1) Access the Administrative Agent console to make changes to the Secure proxy (configuration-only) profile on each machine

    http://<admin_agent_hostname>:<Administrative_port>/ibm/console

(2) Select the <Secure proxy (configuration-only) node> to administer, click the Continue button and log in to the console

(3) Go to Servers -> Server Types -> WebSphere proxy servers

(4) Click the <proxy_name> link
Under Proxy Settings, open SIP Proxy Server Settings and click the SIP proxy settings link
In the Default cluster field, enter the name of the WAS ND cluster you want the DMZ Secure proxy to route traffic through. The cluster name is the one defined on the WebSphere Application Server ND cell.
Click OK and Save directly to the master configuration.

(5) Click the <proxy_name> link
Under Proxy Settings, open SIP Proxy Server Settings and click the SIP proxy settings link
Under Additional Properties, click the Custom properties link
Click New and add the properties below, clicking OK and Save directly to the master configuration after each entry

Name                                  Value
sipClusterCellName                    <CellName of the remote ND cluster that traffic is routed through>
LBIPAddr                              <IP of Load Balancer>
SIPAdvisorMethodName                  OPTIONS
UDPMultiThreadingEnabled              true
burstResetFactor                      120
clusterRouteConfigUpdateDelay         60000
forceRport                            true
isSipComplianceEnabled                false
keepAliveFailures                     3
keepAliveInterval                     2000
localOutboundTCPAddress               <IP or hostname of DMZ proxy>
localOutboundTCPPort                  1080
maxDeflatorRatio                      10
maxThroughputFactor                   90
minDeflatorRatio                      6
perSecondBurstFactor                  200
proxyTransitionPeriod                 360
receiveBufferSizeSocket               3000000
sendBufferSizeSocket                  3000000
tcp.IPSprayer.host                    <Load Balancer cluster IP>
tcp.IPSprayer.port                    <Port for TCP>, for example 5060
tls.IPSprayer.host                    <Load Balancer cluster IP>
tls.IPSprayer.port                    <Port for TLS>, for example 5061
useViaSentByForOutboundConnections    true

Import and export of the configuration should preserve the port settings. The serverindex.xml should no longer be needed to be copied manually to the DMZ Secure Proxy server.

(6) Click the <proxy_name> link
Under Communications, click the Ports link
Click PROXY_HTTPS_ADDRESS, change * to <IP or hostname of DMZ proxy>, click OK and Save directly to the master configuration
Click PROXY_HTTP_ADDRESS, change * to <IP or hostname of DMZ proxy>, click OK and Save directly to the master configuration
Click PROXY_SIPS_ADDRESS, change * to <IP or hostname of DMZ proxy>, click OK and Save directly to the master configuration
Click PROXY_SIP_ADDRESS, change * to <IP or hostname of DMZ proxy>, click OK and Save directly to the master configuration

A host of * binds the endpoint to every interface on the machine; binding each proxy endpoint to the DMZ proxy's own address keeps the listener off any other interfaces the host has.

(7) Go to Servers -> Server Types -> WebSphere proxy servers

Click the <proxy_name> link

Under Java and Process Management

Click Process definition and then Java Virtual Machine

Set Initial heap size to 300 MB
Set Maximum heap size to 450 MB
Set Generic JVM arguments to:

    -Xtrace:none -Xmo120m -Xgcpolicy:gencon -Xtgc:parallel -Xgc:noAdaptiveTenure,tenureAge=8,stdGlobalCompactToSatisfyAllocate -Xdump:heap:events=user,request=exclusive+prepwalk+compact -Xloa -Xloaminimum0.03 -XX:MaxDirectMemorySize=256000000 -Xcompactexplicitgc

Click OK and Save directly to the master configuration

(8) Go to Servers -> Server Types -> WebSphere proxy servers

Click the <proxy_name> link

Under Java and Process Management, click Monitoring policy
Change Ping interval to 30
Change Ping timeout to 60
Click OK and Save directly to the master configuration

(9) Go to Servers -> Server Types -> WebSphere proxy servers
Click the <proxy_name> link
Under Troubleshooting, click Logging and tracing, then JVM Logs
System.out: change File Size Maximum to 20 MB and Maximum Number of Historical Log Files to 2
System.err: change File Size Maximum to 20 MB and Maximum Number of Historical Log Files to 2
Click OK and Save directly to the master configuration

(10) Go to Servers -> Server Types -> WebSphere proxy servers
Click the <proxy_name> link
Under Administration, click Custom properties
Click New and add
    Name IBM_CLUSTER_RUNRULES_TIMER_TIME
    Value 1000
Click OK and Save directly to the master configuration

Export the Proxy Profile from the Secure proxy (configuration-only) profile on Host 1 and Host 2 (for Dual) and transfer it to the DMZ Secure Proxy servers

The secure proxy server (configuration-only) profile configuration is exported to a configuration archive (CAR) file using the exportProxyProfile wsadmin command. The CAR file is then transferred to the real secure proxy server installation, where it is imported into the DMZ Secure Proxy Server using the importProxyProfile wsadmin command. Repeat this process whenever additional changes are made to the secure proxy server configuration.

(1) Go to the <Secure proxy (configuration-only) profile>/bin directory for each DMZ Proxy Server and run the following wsadmin command

    wsadmin -conntype NONE -lang jython

From the wsadmin prompt, export the proxy profile

    wsadmin>AdminTask.exportProxyProfile(['-archive', 'myCell.car'])
    ''

(2) Transfer/copy the archive file to the appropriate DMZ Secure proxy server on Host 1 and Host 2: copy myCell.car to the <DMZ Secure proxy server runtime profile>/bin directory. The archive carries the proxy's full configuration, so move it over an authenticated channel such as scp on the SSH port the inner firewall keeps open.

Import the Secure proxy (configuration-only) archive to the appropriate DMZ Secure Proxy server

(1) Start the DMZ Secure proxy server. Go to the <DMZ Secure proxy server runtime profile>/bin directory for each DMZ Proxy Server

    startServer <proxy_server_name>

Run the following wsadmin command

    wsadmin -lang jython -username <user> -password <passwd>

From the wsadmin prompt, import the proxy profile

    wsadmin>AdminTask.importProxyProfile(['-archive', 'myCell.car', '-deleteExistingServers', 'true'])
    ''
    wsadmin>AdminConfig.save()
    ''
    wsadmin>quit

The importProxyProfile command used with the deleteExistingServers option should ensure that all configuration data (including the serverindex.xml information) was transferred properly to the runtime DMZ Secure Proxy server profile.
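A check a practitioner would want after the import: confirm, from the runtime profile's serverindex.xml, that the four PROXY_* endpoints arrived bound to the DMZ proxy's own address rather than * and on the ports the configuration-only profile used. This is an added example, not code from the original document or from IBM. The serverindex.xml text below is constructed in the shape of the real file, and the address 10.0.4.11, the server name proxy1 and the cell and node names are assumptions.

```python
import os
import xml.etree.ElementTree as ET

# The four proxy endpoints the procedure rebinds from * to the DMZ proxy's address.
PROXY_ENDPOINTS = ("PROXY_HTTP_ADDRESS", "PROXY_HTTPS_ADDRESS",
                   "PROXY_SIP_ADDRESS", "PROXY_SIPS_ADDRESS")

# Constructed sample in the shape of serverindex.xml (not a real file).
# PROXY_SIP_ADDRESS is deliberately left at the default host "*".
SAMPLE_SERVERINDEX = """<?xml version="1.0" encoding="UTF-8"?>
<serverindex:ServerIndex xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
 xmlns:serverindex="http://www.ibm.com/websphere/appserver/schemas/5.0/serverindex.xmi"
 xmi:id="ServerIndex_1" hostName="dmzproxy1.example.com">
  <serverEntries xmi:id="ServerEntry_1" serverName="proxy1" serverType="PROXY_SERVER">
    <specialEndpoints xmi:id="NEP_1" endPointName="SOAP_CONNECTOR_ADDRESS">
      <endPoint xmi:id="EP_1" host="dmzproxy1.example.com" port="8880"/>
    </specialEndpoints>
    <specialEndpoints xmi:id="NEP_2" endPointName="PROXY_HTTP_ADDRESS">
      <endPoint xmi:id="EP_2" host="10.0.4.11" port="80"/>
    </specialEndpoints>
    <specialEndpoints xmi:id="NEP_3" endPointName="PROXY_HTTPS_ADDRESS">
      <endPoint xmi:id="EP_3" host="10.0.4.11" port="443"/>
    </specialEndpoints>
    <specialEndpoints xmi:id="NEP_4" endPointName="PROXY_SIP_ADDRESS">
      <endPoint xmi:id="EP_4" host="*" port="5060"/>
    </specialEndpoints>
    <specialEndpoints xmi:id="NEP_5" endPointName="PROXY_SIPS_ADDRESS">
      <endPoint xmi:id="EP_5" host="10.0.4.11" port="5061"/>
    </specialEndpoints>
  </serverEntries>
</serverindex:ServerIndex>
"""


def parse_endpoints(xml_text, server_name):
    """Return {endPointName: (host, port)} for the serverEntries of one server."""
    root = ET.fromstring(xml_text)
    for entry in root.iter("serverEntries"):
        if entry.get("serverName") != server_name:
            continue
        endpoints = {}
        for special in entry.iter("specialEndpoints"):
            ep = special.find("endPoint")
            endpoints[special.get("endPointName")] = (ep.get("host"), int(ep.get("port")))
        return endpoints
    raise KeyError("no serverEntries for server %r" % server_name)


def check_proxy_bindings(endpoints, expected_host, expected_ports):
    """Return a list of findings; empty means every PROXY_* endpoint is present,
    bound to expected_host, and (where given) on the expected port."""
    findings = []
    for name in PROXY_ENDPOINTS:
        if name not in endpoints:
            findings.append("%s: endpoint missing from serverindex.xml" % name)
            continue
        host, port = endpoints[name]
        if host in ("*", "", "0.0.0.0", "::"):
            findings.append("%s: bound to all interfaces (%s), expected %s"
                            % (name, host, expected_host))
        elif host != expected_host:
            findings.append("%s: bound to %s, expected %s" % (name, host, expected_host))
        if name in expected_ports and port != expected_ports[name]:
            findings.append("%s: port %d, expected %d" % (name, port, expected_ports[name]))
    return findings


def check_profile(profile_root, cell, node, server_name, expected_host, expected_ports):
    """Read serverindex.xml from the runtime profile's node config and check it."""
    path = os.path.join(profile_root, "config", "cells", cell, "nodes", node, "serverindex.xml")
    with open(path, encoding="utf-8") as f:
        return check_proxy_bindings(parse_endpoints(f.read(), server_name),
                                    expected_host, expected_ports)


if __name__ == "__main__":
    eps = parse_endpoints(SAMPLE_SERVERINDEX, "proxy1")
    for finding in check_proxy_bindings(eps, "10.0.4.11",
                                        {"PROXY_SIP_ADDRESS": 5060, "PROXY_SIPS_ADDRESS": 5061}):
        print(finding)
```

Run check_profile() against <DMZ Secure proxy server runtime profile> after every importProxyProfile; a non-empty result means the port change from step (6) did not survive the export/import and the proxy would come up listening on all interfaces.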

Configure the Trust association between the DMZ Secure Proxy servers and the internal WebSphere 8.5.5 ND Cell

Make sure the dmgr, node agents and cluster members on the WebSphere 8.5.5 ND internal cell have been started.

(1) The ssl.client.props file contains the location of the key.p12 and trust.p12 files on the systems. On the DMZ Secure proxy servers, ssl.client.props is located in the <DMZ Secure proxy server profile>/properties directory.

For the DMZ Secure proxy servers, modify the following lines:

    com.ibm.ssl.keyStore=${user.root}/etc/key.p12

to

    com.ibm.ssl.keyStore=${user.root}/config/cells/<DMZCellName>/nodes/<DMZNodeName>/key.p12

and

    com.ibm.ssl.trustStore=${user.root}/etc/trust.p12

to

    com.ibm.ssl.trustStore=${user.root}/config/cells/<DMZCellName>/nodes/<DMZNodeName>/trust.p12

This ensures that the key and trust store files are located in the proper profile configuration location for the DMZ proxy servers.

(2) Go to the <DMZ Secure proxy server runtime profile>/bin directory for each DMZ proxy server and run the retrieveSigners command

    retrieveSigners -conntype SOAP -port <dmgr_SOAP_port> -host <dmgr_host_name> -username <dmgr_user> -password <dmgr_user_passwd> -listRemoteKeyStoreNames -listLocalKeyStoreNames -autoAcceptBootstrapSigner

This command configures the trust association between the WebSphere internal cell servers and the DMZ external cell by adding the cell's signer to the DMZ proxy server's trust store (trust.p12). Note that -autoAcceptBootstrapSigner stores whatever signer the remote end presents without asking; if the path from the DMZ host to the dmgr cannot be assumed clean, omit the option so that retrieveSigners prompts with the signer's digest, and compare it with the dmgr's root signer certificate before accepting.

For Windows, if the Administrative agent server is running on the machine, then execute the retrieveSigners command again with the configured interprocess communications (IPC) port.

    retrieveSigners -username <dmzuser> -password <dmzpasswd> NodeDefaultTrustStore ClientDefaultTrustStore -conntype IPC -host localhost -port <local_IPC_port> -autoAcceptBootstrapSigner

For backup, copy the trust.p12 file from the <DMZ Secure proxy server runtime profile>/config/cells/<DMZCellName>/nodes/<DMZNodeName> directory to the <DMZ Secure proxy server runtime profile>/etc directory.

(3) Stop and restart each DMZ Secure Proxy server

Now you are ready to start sending SIP traffic through the Load Balancer to the multiple fronted DMZ Secure proxy servers.
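The ssl.client.props edit from step (1) of the trust association, done programmatically and followed by the check that both stores actually exist at the new location before retrieveSigners is run. This is an added example, not code from the original document or from IBM; the properties excerpt is constructed, and the cell and node names dmzCell01 and dmzNode01 are assumptions.

```python
import os
import re
import tempfile

# Constructed excerpt of a freshly created profile's ssl.client.props (not a real
# file); both store lines still point at the profile's etc/ directory.
SAMPLE_SSL_CLIENT_PROPS = """com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.keyStore=${user.root}/etc/key.p12
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStoreProvider=IBMJCE
com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreProvider=IBMJCE
"""

STORE_FILES = {"com.ibm.ssl.keyStore": "key.p12", "com.ibm.ssl.trustStore": "trust.p12"}
# Anchored so that keyStoreType/trustStoreType lines are left alone.
STORE_LINE = re.compile(r"^(com\.ibm\.ssl\.(?:keyStore|trustStore))=(.*)$")


def node_config_dir(cell, node):
    """Where the runtime profile keeps the node's key.p12 and trust.p12."""
    return "${user.root}/config/cells/%s/nodes/%s" % (cell, node)


def repoint_stores(props_text, cell, node):
    """Rewrite only the keyStore/trustStore lines; return (new_text, {key: new_value})
    where the dict lists the lines that actually changed (empty on a second run)."""
    changed = {}
    out = []
    for line in props_text.splitlines():
        m = STORE_LINE.match(line)
        if m:
            key = m.group(1)
            value = "%s/%s" % (node_config_dir(cell, node), STORE_FILES[key])
            if m.group(2) != value:
                changed[key] = value
            line = "%s=%s" % (key, value)
        out.append(line)
    return "\n".join(out) + "\n", changed


def missing_stores(props_text, profile_root):
    """Expand ${user.root} and return the store paths that do not exist on disk."""
    missing = []
    for line in props_text.splitlines():
        m = STORE_LINE.match(line)
        if m:
            path = m.group(2).replace("${user.root}", profile_root)
            if not os.path.isfile(path):
                missing.append(path)
    return missing


def demo(cell="dmzCell01", node="dmzNode01"):
    """Exercise the rewrite against a throwaway profile tree. Returns the missing
    stores before the files exist and again after they have been created."""
    text, _ = repoint_stores(SAMPLE_SSL_CLIENT_PROPS, cell, node)
    root = tempfile.mkdtemp(prefix="dmzproxy-")
    before = missing_stores(text, root)
    store_dir = os.path.join(root, "config", "cells", cell, "nodes", node)
    os.makedirs(store_dir)
    for name in STORE_FILES.values():          # stand-ins for the real PKCS12 files
        open(os.path.join(store_dir, name), "wb").close()
    after = missing_stores(text, root)
    return before, after


if __name__ == "__main__":
    new_text, changes = repoint_stores(SAMPLE_SSL_CLIENT_PROPS, "dmzCell01", "dmzNode01")
    print(new_text)
    print("changed:", sorted(changes))
    print("missing before/after:", demo())
```

On a real host, read <DMZ Secure proxy server profile>/properties/ssl.client.props, pass it through repoint_stores() with the DMZ cell and node names, and only write the result back when missing_stores() returns an empty list for the profile root; otherwise retrieveSigners would be pointed at stores that are not there.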

Configuring DMZ Firewalls

The rules below refer to the topology diagram at the start of this document.

Inner Firewall rules

From IP              From Port              To IP                                                   To Port                Protocol     Comments
DMZ Secure proxies   Ephemeral port range   Core Bridge servers (on WAS internal cell node agents)   Bridge DCS port        TCP or TLS   Incoming DCS
DMZ Secure proxies   Ephemeral port range   WAS internal cell SIP containers                         5060,5061,5062,5063    TCP or TLS   SIP TCP,TLS
DMZ Secure proxies   Ephemeral port range   WAS internal cell DMGR                                   DMGR SOAP port         SOAP         Incoming SOAP*

Keep the SSH port open. Block all other ports not used.

The "To IP" for each Core Bridge server is listed in the MyTunnel.props file exported from the tunnel template above. The "To Port" for each Core Bridge server is the port of its DCS_UNICAST_ADDRESS. DMZ Secure proxies to WAS containers are available over TCP or TLS protocols. The DMZ proxies need the DMGR SOAP port only while retrieveSigners runs, so that rule can be disabled once the trust stores are populated.

* In order to have the DMZ external cells trust the WAS internal cell servers, the retrieveSigners

Outer Firewall rules

From IP               From Port   To IP                          To Port      Protocol   Comments
Incoming Clients*     Any         Virtual IP of Load Balancer    5060,5061    TCP/TLS    Incoming Clients
DMZ Secure proxies    Any         Outgoing Clients*              5060,5061    TCP/TLS    Outgoing Clients

Block all other ports not used.

* In the case of a gateway, the clients are external communities/other gateways and their IP(s) or range of IP(s) are known, and thus the customer will open the firewall to those specific IP(s) or range of IP(s).
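The two tables above expressed as a default-deny allow list, as an added example that is not part of the original document: the two generator functions follow the rows of the tables, and is_permitted() answers whether a given flow would be allowed. The addresses, the DCS port 9353, the dmgr SOAP port 8879 and the client range are constructed for the example; SSH administrative access is not modelled.

```python
import ipaddress
from collections import namedtuple

# One allow rule. Anything not matched by a rule is denied, which is the
# "block all other ports not used" line of both tables.
Rule = namedtuple("Rule", "src dst ports proto comment")

SIP_CONTAINER_PORTS = (5060, 5061, 5062, 5063)   # inner table: SIP containers
SIP_EDGE_PORTS = (5060, 5061)                     # outer table: what clients may reach

# Constructed sample topology; every address and port here is an assumption.
DMZ_PROXIES = ["10.0.4.11", "10.0.4.12"]                     # DMZ proxy hosts
BRIDGE_SERVERS = [("10.0.1.21", 9353), ("10.0.1.22", 9353)]  # node agents, DCS_UNICAST_ADDRESS ports
SIP_CONTAINERS = ["10.0.1.21", "10.0.1.22"]                  # WAS1 / WAS2
DMGR_HOST, DMGR_SOAP_PORT = "10.0.1.20", 8879
LB_VIP = "198.51.100.10"
CLIENT_RANGES = ["203.0.113.0/24"]                           # known external SIP peers


def inner_firewall_rules(dmz_proxies, bridge_servers, sip_containers, dmgr_host, dmgr_soap_port):
    """Allow rules for the inner firewall. The source port is the proxies'
    ephemeral range in every row, so only the destination side is modelled."""
    rules = []
    for proxy in dmz_proxies:
        for host, dcs_port in bridge_servers:
            rules.append(Rule(proxy, host, (dcs_port,), "TCP/TLS", "Incoming DCS"))
        for host in sip_containers:
            rules.append(Rule(proxy, host, SIP_CONTAINER_PORTS, "TCP/TLS", "SIP TCP/TLS"))
        rules.append(Rule(proxy, dmgr_host, (dmgr_soap_port,), "SOAP", "retrieveSigners only"))
    return rules


def outer_firewall_rules(client_ranges, lb_vip, dmz_proxies):
    """Allow rules for the outer firewall: clients in to the load balancer VIP only,
    proxies out to the known client ranges only, SIP edge ports only."""
    rules = []
    for clients in client_ranges:
        rules.append(Rule(clients, lb_vip, SIP_EDGE_PORTS, "TCP/TLS", "Incoming clients"))
        for proxy in dmz_proxies:
            rules.append(Rule(proxy, clients, SIP_EDGE_PORTS, "TCP/TLS", "Outgoing clients"))
    return rules


def _matches(pattern, addr):
    """pattern is a CIDR range or a single address; ranges contain, hosts compare."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:      # addr is a hostname, not an IP: a range cannot match it
            return False
    return pattern == addr


def is_permitted(rules, src, dst, port):
    """Default-deny evaluation of one flow against an allow list."""
    return any(_matches(r.src, src) and _matches(r.dst, dst) and port in r.ports
               for r in rules)


def without_setup_rules(rules):
    """The DMGR SOAP row is needed only while retrieveSigners runs; drop it afterwards."""
    return [r for r in rules if r.proto != "SOAP"]


if __name__ == "__main__":
    inner = inner_firewall_rules(DMZ_PROXIES, BRIDGE_SERVERS, SIP_CONTAINERS, DMGR_HOST, DMGR_SOAP_PORT)
    outer = outer_firewall_rules(CLIENT_RANGES, LB_VIP, DMZ_PROXIES)
    for r in inner + outer:
        print("%-16s -> %-16s %-24s %-8s %s" % (r.src, r.dst, r.ports, r.proto, r.comment))
    print("client to dmgr SOAP through outer firewall:",
          is_permitted(outer, "203.0.113.5", DMGR_HOST, DMGR_SOAP_PORT))
```

The checks worth keeping in a deployment test are the negative ones: a client must not reach the DMGR SOAP port or a DMZ proxy directly, and a DMZ proxy must not reach the internal cell's administrative ports, because nothing in either table opens them.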

Appendix

WebSphere Application Server Version 8.5 information center http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp

IBM WebSphere Application Server V8.5 Concepts, Planning, and Design Guide http://www.redbooks.ibm.com/redbooks/pdfs/sg248022.pdf

Configuring and Deploying WebSphere SIP Environments

https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/WebSphere SIP and CEA/page/Configuring and Deploying WebSphere SIP Environments
