DMZ Secure Proxy Environment setup for IP Forwarding
The DMZ Secure Proxy Server for IBM® WebSphere® Application Server was a new feature introduced in the WebSphere Application Server V7.0 product. An IBM DMZ Secure Proxy server provides a more secure proxy server that can be installed and used in demilitarized zone (DMZ) topologies. The reduced risk is achieved by removing all functions/features not required for a proxy from the application server. Also, the DMZ Secure proxy is designed to improve security by minimizing the number of external ports opened.
In the diagram below, a topology is shown of DMZ Secure Proxy Server(s) configured and deployed between a network of inner and outer firewalls.
© 2013 IBM Corporation 4
[Diagram: IP Forward with 2 DMZ Proxies fronted by F5 in a different subnet. Labels: WAS1, WAS2, Intranet, DMZ Proxy, F5, sipp, DMZ Public Network, Subnet 1 to Subnet 5 (Load balancer front end on Subnet 2, Load balancer back end on Subnet 3), Inner Firewall, Outer Firewall.]
Hardware and Software required for setup
Machines
For Single DMZ environment: use one machine, Host 1.
For Dual DMZ environment: use two machines, Host 1 and Host 2.
On these hosts, install and configure the following:
- DMZ Secure Proxy Server
- WAS ND for Administrative Agent and Secure proxy (configuration-only)
For WAS ND environment: install and configure the following:
- WAS ND clustered environment
Note: This document assumes that Host 3 has existing WAS 8.5.5.0 ND clustered environment installed/configured and ready to be fronted by the DMZ Secure Proxy Servers.
Software
- IBM Installation Manager (IM) 1.6.2
- DMZ Secure Proxy Server for IBM WebSphere Application Server Version 8.5.5.0
- IBM WebSphere Application Server Network Deployment Version 8.5.5.0
Software can be obtained from a number of external sources.
Install DMZ Secure Proxy Server on Host 1 and Host 2 (for Dual)
(1) Install IBM Installation Manager (IM) 1.6.2
(2) After the install completes and IM is brought up, go to File->Preferences… and hit the “Add Repository” button
(3) In the Repository field, enter the build repository location, for example, /WASV855_NDDMZ/DMZ/repository.config
(4) After the repository is accepted, hit “OK”
(5) Now, click the Install icon
(6) From the “Installation Packages” panel, select DMZ Secure Proxy Server for IBM WebSphere Application Server Version 8.5.5.0
On the panel, click the Next> button
(7) The License Agreement panel appears
Select “I accept the terms in the license agreement” and then click the Next> button
(8) On this panel, take the default or change the Shared Resources Directory and click the Next> button
(9) The Installation Directory panel appears
On this panel, take the default or change the Installation Directory, and then click the Next> button
(10) The Translations panel appears
On this panel, take the default and click the Next> button
(11) The Features panel appears; take the defaults and click the Next> button
(12) The Summary panel appears
(13) The Results panel appears when the install finishes
For “Which program do you want to start”, take the default, Profile Management Tool, to create a profile
Click the Finish button
Create the DMZ Secure Proxy Server profile on Host 1 and Host 2 (for Dual)
The IBM DMZ secure proxy server is equipped with capabilities to provide protection from security risks. The security levels that can be assigned when creating the DMZ Secure Proxy Server are High, Medium, or Low. The Medium and Low DMZ security levels support only dynamic routing, while the High DMZ security level supports only static routing. Static routing means the server obtains the routing information from local flat files. Dynamic routing means the server obtains the routing information over a Hypertext Transfer Protocol (HTTP) tunnel connection from the proxy server to a server in the secure zone.
The High DMZ security level cannot be used for SIP proxy servers because static routing is not supported for the SIP proxy server.
When creating the secure proxy server profile, select the Low security level so that the DMZ servers can be used for SIP proxy servers.
(1) The Profile Management Tool panel appears
(2) On the Profiles panel, click the Create button
(3) On the Environment Selection panel, select the Secure proxy environment and click the Next> button
(4) On the Profile Creation Options panel, select Advanced profile creation and click Next>
(5) On the Profile Name and Location panel, take the defaults and click the Next> button
(6) On the Node and Host Names panel, take the defaults and click Next>
(7) On the Security Level Selection panel, select the Low proxy security level and de-select the Web protocol
(8) On the Administrative Security panel, enable administrative security, enter the User name and Password in the fields and click Next>
(9) On the Security Certificate (Part 1) panel, take the defaults and click Next>
(10) On the Security Certificate (Part 2) panel, take the defaults and click Next>
Note: the keystore password should be changed/updated later
(11) On the Port Values Assignment panel, take the defaults and click Next>
(12) On the Service Definition panel, take the defaults and click Next>
(13) On the Profile Creation Summary panel
Important: Remember the Profile name, Node name, and Server name; these exact names must be used during the ND Secure proxy (configuration-only) setup
Click Create
(14) On the Profile Creation Complete panel, uncheck Launch the First steps console and click Finish
(15) On the Profile Management Tool panel, File > Exit to exit the Profile Management Tool
Install WAS Version 8.5.5 Network Deployment on Host 1 and Host 2 (for Dual)
Install the IBM® WebSphere® Application Server Network Deployment (ND) code from the product media or from an installation image onto machines where the real DMZ secure proxy servers will be hosted. The ND install is performed so that an Administrative agent and a DMZ Secure proxy (configuration-only) profile can be configured on those machines.
(1) Back on the IBM Installation Manager panel, go to File->Preferences… and hit the “Add Repository” button
(2) In the Repository field, enter the build repository location, for example, /WASV855_ND/WAS/repository.config
(3) After the repository is accepted, hit “OK”, then click the Install icon
(4) From the “Install Packages” panel, select IBM WebSphere Application Server Network Deployment Version 8.5.5.0 and click the Next> button
(5) On the License Agreement panel, select “I accept the terms in the license agreement” and click the Next> button
(6) On the location panel, enter the Installation Directory and click the Next> button
(7) The Translations panel appears; on this panel, take the default and click the Next> button
(8) On the Features panel, take the defaults and click the Next> button
(9) On the Summary panel, click Install> to begin the installation
(10) When the installation finishes, for “Which program do you want to start”, take the default and click Finish.
Create the Administrative Agent and Server proxy (configuration-only) profiles on Host 1 and Host 2 (for Dual)
An Administrative agent is a component that provides enhanced management capabilities for stand-alone application servers. This was a new concept introduced with WebSphere Application Server V7.0. The administrative agent can only manage application servers that are installed in the same operating system image as the administrative agent. Create an Administrative agent profile whose sole purpose is to administer a DMZ Secure proxy (configuration-only) profile. After the profile creation, start the Administrative agent. A secure proxy (configuration-only) profile is for use with a DMZ secure proxy server. This configuration-only profile is intended to be used only to configure the profile using the administrative console of the Administrative agent. The configuration-only server cannot be started or used for any work.
Create the DMZ Secure proxy (configuration-only) profile with the same server name, profile name, node name, security level, and port values as the real DMZ secure proxy server.
(1) On the Profile Management Tool panel
(2) On the Environment Selection panel, select Management and click Next>
(3) On the Server Type Selection panel, select Administrative agent and click Next>
(4) On the Profile Creation Options panel, select Typical profile creation and click Next>
(5) On the Administrative Security panel, enable administrative security here
Note: You must also enable administrative security when doing the Secure proxy (configuration-only) profile creation, otherwise the Admin agent will not be able to manage the node
Enter the User name and Password in the fields and click Next>
(6) On the Profile Creation Summary panel, click Create
(7) On the Profile Creation Complete panel, uncheck Launch the First steps console and click Finish
(8) On the Profiles panel again, click Create
(9) On the Environment Selection panel, select Secure proxy (configuration-only) and click Next>
(10) On the Profile Creation Options panel, select Advanced profile creation and click Next>
(11) On the Profile Name and Location panel
Important: Make sure the Profile name matches that of the DMZ Proxy Server created earlier in step (13) on page 4 of this document
and click Next>
(12) On the Node and Host Names panel
Important: Make sure the Node name and Server name match those of the DMZ Proxy Server created earlier in step (13) on page 4 of this document
and click Next>
(13) On the Security Level Selection panel, select Low and de-select the Web protocol, then click Next>
(14) On the Administrative Security panel: if you enabled administrative security during the Administrative agent creation, you must also enable it now; enter the User name and Password in the fields and click Next>
(15) On the Security Certificate (Part 1) panel, take the defaults and click Next>
(16) On the Security Certificate (Part 2) panel, take the defaults and click Next>
Note: the keystore password should be changed/updated later
(17) On the Port Values Assignment panel, click Default Port Values to match the ports set up during the DMZ Secure Proxy configuration, then click Next>
(18) On the Profile Creation Summary panel, make sure the Profile name, Node name and Server name match those of the DMZ Secure Proxy server created earlier and click Create
(19) On the Profile Creation Complete panel, click Finish
(20) On the Profiles panel, File > Exit to exit the Profile Management Tool
Need to register the Secure proxy (configuration-only) profile node with the Administrative Agent on Host 1 and Host 2 (for Dual)
After the Secure proxy (configuration-only) profile has been created, register the node to the Administrative agent. This is performed so that the secure proxy profile can be configured using the administrative console of the Administrative agent.
(1) After the Secure proxy (configuration-only) profile has been created, start the Administrative agent from the directory
<WAS_HOME_ND_AdminAgent_profile_directory>/bin
Start the Administrative Agent
Once the Administrative agent is started:
(2) Register the Secure proxy (configuration-only) node with the Administrative agent
From <WAS_HOME_ND_AdminAgent_profile_directory>/bin, run the registerNode command
registerNode -conntype SOAP -port <SOAP_port> -profilePath <WAS_HOME_ND_Secure_proxy_configuration_only_profile_directory> -username <admin_agent_user> -password <admin_agent_passwd> -nodeusername <secure_config_only_user> -nodepassword <secure_config_only_passwd>
Note: The default SOAP port is 8877, but it may be different. The SOAP port value is listed in the "AboutThisProfile.txt" file located at <WAS_HOME_ND_AdminAgent_profile_directory>/logs
Once the profile is registered, changes can be made to the Secure proxy (configuration-only) profile through the Administrative Agent console
(http://<admin_agent_hostname>:<Administrative_port>/ibm/console)
Note: The default Administrative port is 9060, but it may be different. The Administrative port value is listed in the "AboutThisProfile.txt" file located at <WAS_HOME_ND_AdminAgent_profile_directory>/logs
Create Core Group Tunnel connection between the DMZ Secure Proxy server(s) and WAS 8.5.5 ND Cell
On Host 3 with WAS 8.5.5.0 ND internal cell clustered environment
If you are using a DMZ secure proxy server with dynamic routing, the routing information is exchanged using core groups. In this case, you need to create a tunnel access point group to establish a core group bridge tunnel between the core groups and DMZ proxy server.
The core group contains a bridge service that supports cluster services that span multiple core groups. Core groups are connected by access point groups. A core group access point defines a set of bridge interfaces that resolve IP addresses and ports. It is through this set of bridge interfaces that the core group bridge provides access to a core group.
Any WebSphere Application Server process (dmgr, node agent, application server) can be a core group bridge process for a core group. A process that is chosen for a core bridge should have production activities or response times that will not be affected by the core bridge workload. Node agents or application servers that do not host any applications can be used as bridges, but it is best, if system resources permit, to use dedicated non-clustered application servers that do not host applications.
Also it is best for a core group to have the core group bridges reside on different physical systems, if possible. One bridge is typically sufficient for workload purposes, but two are recommended in the event a bridge fails. The bridges in a core group partition high availability (HA) data amongst the active bridges. To enable “seamless” core group failover, whereby the HA state of the failed bridge will be recovered by the remaining bridge(s) without the data being unavailable in the local core group, one should set the WAS Core Group custom property IBM_CS_HAM_PROTOCOL_VERSION to 6.0.2.31.
For additional information on core group bridges, check the WebSphere Application Server Version 8.5 information center (see Appendix).
To create the core group tunnel, go to the administrative console of the WebSphere Application Server Network Deployment (ND) internal cell and do the following:
Log in to the WAS 8.5.5.0 ND Administrative Console
The steps below should be followed for each of the DMZ Secure Proxy servers. Each DMZ external cell should have a tunnel to the WAS 8.5.5.0 ND internal cell nodes.
(1) Create Tunnel peer access points for the DMZ Secure Proxy server(s)
Go to Servers -> Core Groups -> Core group bridge settings
Under Additional Properties click the Tunnel peer access points link
Click New
In the Name field enter <Anything unique>
In the Cell field enter <CELL_NAME_OF_DMZ_SECURE_PROXY1>, which can be found under directory
Accept the remaining defaults
Click OK and Save directly to the master configuration
Repeat the above steps for the second DMZ secure proxy server:
Click New
In the Name field enter <Anything unique>
In the Cell field enter <CELL_NAME_OF_DMZ_SECURE_PROXY2>, which can be found under directory
Accept the remaining defaults
Click OK and Save directly to the master configuration
(2) Create Tunnel Template
Go to Core Groups -> Core group bridge settings
Under Additional Properties click the Tunnel templates link
Click New
Enter a Name for the template
Click OK and Save directly to the master configuration
(3) Create a Tunnel Access Point Group
Go to Core Groups -> Core group bridge settings
Under Additional Properties click the Tunnel access point groups link
Click New, then hit Next
(b) Step 2: Add core group access points
The DefaultCoreGroup contains all the servers and node agents in the WAS ND cell.
Select the DefaultCoreGroup, add it (>) to the Core group access points in the Tunnel access point group and click Next
(c) Step 3: Add tunnel peer access points
The tunnel peer access points are those created earlier for each DMZ Secure Proxy server. Select the available core group tunnel peer access points and add them (>) to the Tunnel peer access points in the Tunnel access point group
Then click Next
(d) Step 4: Review the summary and click Finish
Save directly to the master configuration
(4) Create Bridge Interface(s)
This step is done one time and is not related to the number of DMZ proxies.
For the bridge interface(s), the node agents of the WAS internal cell SIP nodes listed in the default core group will be used.
(a) Go to Core group bridge settings -> Access point groups
Click the DefaultAccessPointGroup link
Under Access points, click Core group access points
(b) Select the DefaultCoreGroup (make sure it becomes highlighted) and click Show Detail
(c) In the Core Group page, under Additional Properties, click Bridge interfaces
(d) Select New
In the Bridge interfaces dropdown, select a node agent
Hit OK and Save directly to the master configuration.
Now select New again, and in the Bridge interfaces dropdown select another node agent. Hit OK and Save directly to the master configuration.
Now two node agents are defined to act as core group bridges.
(e) Go to Core Groups -> Core group settings
Click the DefaultCoreGroup link
Under Additional Properties click the Custom properties link
Click New and add the property (the IBM_CS_HAM_PROTOCOL_VERSION property with value 6.0.2.31 described above)
Click OK and Save directly to the master configuration.
(5) Export the Tunnel Group information from the Cell
(a) Export the Tunnel Template
Go to Core Groups -> Core group bridge settings -> Tunnel templates
Associate the Tunnel Access Point Group to the template Name: click the template Name link
(b) Select the Tunnel Access Point Group (make sure it becomes highlighted) from the dropdown list
Click OK and Save directly to the master configuration.
Make sure the Tunnel Access Point Group is now associated with the tunnel template.
(6) Export the Tunnel template
Make sure the export was successful. The MyTunnel.props file is created and placed in the <WAS_HOME>/dmgr_profile directory.
Import the Tunnel Template with DMZ Secure Proxy and ND Secure proxy (configuration-only) profile on Host 1 and Host 2 (Dual)
(1) Go to the <Secure Proxy (configuration-only) profile>/bin directory on each machine
Run the wsadmin command
wsadmin -conntype NONE -username <userid> -password <passwd>
From the wsadmin prompt, type
wsadmin>$AdminTask importTunnelTemplate -interactive
Import tunnel template.
Import a tunnel template and its children into the cell-scoped configuration.
*Input file name. (inputFileName): <Name/location of WAS ND tunnel.props file>
*Bridge Interface Node Name. (bridgeInterfaceNodeName): <Name of Secure proxy node>
*Bridge Interface Server Name. (bridgeInterfaceServerName): <Name of Secure proxy server>
Import tunnel template.
F (Finish)
C (Cancel)
Select [F, C]: [F] F
Example of the command generated:
WASX7278I: Generated command line: $AdminTask importTunnelTemplate {-inputFileName /MyTunnel.props -bridgeInterfaceNodeName svt-r1c3b06Node01 -bridgeInterfaceServerName proxy1}
wsadmin>$AdminConfig save
wsadmin>quit
Configure the DMZ Secure Proxy Server using Administrative Console on Host 1 and Host 2 (for Dual) for IP Forwarding
The secure proxy server configurations are created and maintained as configuration-only profiles and managed using the administrative console of the Administrative agent.
Make sure the Administrative agent is running.
(1) Access the Administrative Agent console to make changes to the Secure proxy (configuration-only) profile on each machine
http://<admin_agent_hostname>:<Administrative_port>/ibm/console
(2) Select the <Secure proxy (configuration-only) node> to administer, click the Continue button and log in to the console
(3) Go to Servers -> Server Types -> WebSphere proxy servers
(4) Click the <proxy_name> link
Under Proxy Settings, open SIP Proxy Server Settings and click the SIP proxy settings link
In the Default cluster field, enter the name of the WAS ND cluster you want the DMZ Secure proxy to route traffic through. The cluster name is the one defined on the WebSphere Application Server ND cell.
Click OK and Save directly to the master configuration.
(5) Click the <proxy_name> link
Under Proxy Settings, open SIP Proxy Server Settings and click the SIP proxy settings link
Under Additional Properties click the Custom properties link
Click New and add the properties below, clicking OK and Save to the master configuration after each entry

| Name | Value |
|---|---|
| sipClusterCellName | <CellName of Remote ND Cluster routing traffic thru> |
| LBIPAddr | <IP of Load Balancer> |
| SIPAdvisorMethodName | OPTIONS |
| UDPMultiThreadingEnabled | true |
| burstResetFactor | 120 |
| clusterRouteConfigUpdateDelay | 60000 |
| forceRport | true |
| isSipComplianceEnabled | false |
| keepAliveFailures | 3 |
| keepAliveInterval | 2000 |
| localOutboundTCPAddress | <IP or hostname of DMZ proxy> |
| localOutboundTCPPort | 1080 |
| maxDeflatorRatio | 10 |
| maxThroughputFactor | 90 |
| minDeflatorRatio | 6 |
| perSecondBurstFactor | 200 |
| proxyTransitionPeriod | 360 |
| receiveBufferSizeSocket | 3000000 |
| sendBufferSizeSocket | 3000000 |
| tcp.IPSprayer.host | <Load Balancer cluster IP> |
| tcp.IPSprayer.port | <Port for TCP>, for example 5060 |
| tls.IPSprayer.host | <Load Balancer cluster IP> |
| tls.IPSprayer.port | <Port for TLS>, for example 5061 |
| useViaSentByForOutboundConnections | true |

Import and export of the configuration should preserve the port settings. The serverindex.xml file should no longer need to be copied manually to the DMZ Secure Proxy server.
(6) Under Communications
Click the Ports link
Click PROXY_HTTPS_ADDRESS, change * to <IP or hostname of DMZ proxy>, click OK and Save directly to the master configuration
Click PROXY_HTTP_ADDRESS, change * to <IP or hostname of DMZ proxy>, click OK and Save directly to the master configuration
Click PROXY_SIPS_ADDRESS, change * to <IP or hostname of DMZ proxy>, click OK and Save directly to the master configuration
Click PROXY_SIP_ADDRESS, change * to <IP or hostname of DMZ proxy>, click OK and Save directly to the master configuration
(7) Go to Servers -> Server Types -> WebSphere proxy servers
Click the <proxy_name> link
Under Java and Process Management, click Process definition and then Java Virtual Machine
Set Initial heap size to 300 MB
Set Maximum heap size to 450 MB
Set Generic JVM arguments to:
-Xtrace:none -Xmo120m -Xgcpolicy:gencon -Xtgc:parallel
-Xgc:noAdaptiveTenure,tenureAge=8,stdGlobalCompactToSatisfyAllocate
-Xdump:heap:events=user,request=exclusive+prepwalk+compact -Xloa -Xloaminimum0.03 -XX:MaxDirectMemorySize=256000000 -Xcompactexplicitgc
Click OK and Save to the master configuration
(8) Go to Servers -> Server Types -> WebSphere proxy servers
Click the <proxy_name> link
Under Java and Process Management
Change Ping interval to 30
Change Ping timeout to 60
Click OK and Save to the master configuration
(9) Go to Servers -> Server Types -> WebSphere proxy servers
Click the <proxy_name> link
Under Troubleshooting, click Logging and trace and then JVM Logs
System.out: change File Size Maximum to 20 MB and Maximum Number of Historical Log Files to 2
System.err: change File Size Maximum to 20 MB and Maximum Number of Historical Log Files to 2
Click OK and Save to the master configuration
(10) Go to Servers -> Server Types -> WebSphere proxy servers
Click the <proxy_name> link
Under Administration, click Custom properties
Click New and add
Name IBM_CLUSTER_RUNRULES_TIMER_TIME
Value 1000
Click OK and Save to the master configuration
Export the Proxy Profile from Secure proxy (configuration-only) on Host 1 and Host 2 (for Dual) and transfer to DMZ Secure Proxy servers
The secure proxy server (configuration-only) profile configuration is exported to a configuration archive (CAR) file using the exportProxyProfile wsadmin command. The CAR file is then transferred to the real secure proxy server installation, where it is then imported into the DMZ Secure Proxy Server using the importProxyProfile wsadmin command. Repeat this process if any additional changes are made to the secure proxy server configuration.
(1) Go to the <Secure proxy (configuration-only) profile>/bin directory for each DMZ Proxy Server
Run the following wsadmin command
wsadmin -conntype NONE -lang jython
From the wsadmin prompt, export the proxy profile
wsadmin>AdminTask.exportProxyProfile(['-archive', 'myCell.car'])
''
(2) Transfer/copy the archive file to the appropriate DMZ Secure proxy server on Host 1 and Host 2: copy/transfer myCell.car to the <DMZ Secure proxy server runtime profile>/bin directory.
Import the Secure proxy (configuration-only) archive to appropriate DMZ Secure Proxy server
(1) Start the DMZ Secure proxy server
Go to the <DMZ Secure proxy server runtime profile>/bin directory for each DMZ Proxy Server
startServer <proxy_server_name>
Run the following wsadmin command
wsadmin -lang jython -username <user> -password <passwd>
From the wsadmin prompt, import the proxy profile
wsadmin>AdminTask.importProxyProfile(['-archive', 'myCell.car', '-deleteExistingServers', 'true'])
''
wsadmin>AdminConfig.save()
''
wsadmin>quit
The importProxyProfile command used with the deleteExistingServers option should ensure that all configuration data (including serverindex.xml information) is transferred properly to the runtime DMZ Secure Proxy server profile.
Configure the Trust association between the DMZ Secure Proxy servers and the internal WebSphere 8.5.5 ND Cell
Make sure the dmgr, node agents and cluster members on the WebSphere 8.5.5 ND internal cell have been started.
(1) The ssl.client.props file contains the location of the key.p12 and trust.p12 files on the systems. On the DMZ Secure proxy servers, the ssl.client.props file is located in the <DMZ Secure proxy server profile>/properties directory.
For the DMZ Secure proxy servers, modify the following lines:
com.ibm.ssl.keyStore=${user.root}/etc/key.p12
to
com.ibm.ssl.keyStore=${user.root}/config/cells/<DMZCellName>/nodes/<DMZNodeName>/key.p12
and
com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
to
com.ibm.ssl.trustStore=${user.root}/config/cells/<DMZCellName>/nodes/<DMZNodeName>/trust.p12
This will ensure that the key and trust store files are located in the proper profile configuration location for the DMZ proxy servers.
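The two property edits above can be applied with the following Python script, added here as an example and not part of the IBM document. It rewrites only com.ibm.ssl.keyStore and com.ibm.ssl.trustStore, leaves every other line unchanged, and runs against a constructed ssl.client.props excerpt with placeholder cell and node names.

```python
"""Rewrite the key/trust store paths in a DMZ proxy's ssl.client.props.

Added example, not from the IBM document. Changes only the two properties
the document names, keeps every other line as it was, and returns the
old/new values so the edit can be reviewed before the proxy is restarted.
"""
import shutil

# Constructed excerpt; a real ssl.client.props has many more properties,
# all of which are passed through unchanged.
SAMPLE_PROPS = """# ssl.client.props (constructed sample)
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.keyStore=${user.root}/etc/key.p12
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
com.ibm.ssl.trustStoreType=PKCS12
"""

# Property -> store file that must live under the DMZ node's configuration.
STORE_KEYS = {
    "com.ibm.ssl.keyStore": "key.p12",
    "com.ibm.ssl.trustStore": "trust.p12",
}


def dmz_store_path(cell_name, node_name, store_file):
    """Store location inside the DMZ proxy profile's configuration tree."""
    return f"${{user.root}}/config/cells/{cell_name}/nodes/{node_name}/{store_file}"


def rewrite_store_paths(props_text, cell_name, node_name):
    """Return (new_text, changes) where changes maps property -> (old, new)."""
    out, changes = [], {}
    for line in props_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]
        key, sep, value = body.partition("=")
        key = key.strip()
        # Exact key match only, so keyStoreType/trustStoreType are untouched.
        if sep and key in STORE_KEYS:
            new_value = dmz_store_path(cell_name, node_name, STORE_KEYS[key])
            if value.strip() != new_value:
                changes[key] = (value.strip(), new_value)
            line = f"{key}={new_value}{newline}"
        out.append(line)
    return "".join(out), changes


def update_props_file(path, cell_name, node_name):
    """Back up the file, rewrite it in place, and return the changes made."""
    with open(path, encoding="utf-8") as f:
        new_text, changes = rewrite_store_paths(f.read(), cell_name, node_name)
    if changes:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return changes


if __name__ == "__main__":
    # Dry run on the constructed sample; cell and node names are placeholders.
    text, diff = rewrite_store_paths(SAMPLE_PROPS, "dmzCell01", "dmzNode01")
    for k, (old, new) in diff.items():
        print(f"{k}: {old} -> {new}")
    print(text)
```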
(2) Go to the <DMZ Secure proxy server runtime profile>/bin directory for each DMZ proxy server
Run the retrieveSigners command
retrieveSigners -conntype SOAP -port <dmgr_SOAP_port> -host <dmgr_host_name> -username <dmgr_user> -password <dmgr_user_passwd> -listRemoteKeyStoreNames -listLocalKeyStoreNames -autoAcceptBootstrapSigner
This command configures the trust association between the WebSphere internal cell servers and the DMZ external cell by adding the cell's signer to the DMZ proxy server's trust store (trust.p12). For Windows, if the Administrative agent server is running on the machine, then execute the retrieveSigners command again with the configured interprocess communications (IPC) port.
retrieveSigners -username <dmzuser> -password <dmzpasswd> NodeDefaultTrustStore ClientDefaultTrustStore -conntype IPC -host localhost -port <local_IPC_port> -autoAcceptBootstrapSigner
For backup, copy the trust.p12 file from the <DMZ Secure proxy server runtime profile>/config/cells/<DMZCellName>/nodes/<DMZNodeName> directory to the <DMZ Secure proxy server runtime profile>/etc directory.
(3) Stop and restart each DMZ Secure Proxy server
The environment is now ready to start sending SIP traffic through the Load Balancer to the multiple fronted DMZ Secure proxy servers.
Configuring DMZ Firewalls
[Diagram repeated: IP Forward with 2 DMZ Proxies fronted by F5 in a different subnet, with the same labels as the diagram at the start of this document (WAS1, WAS2, Intranet, DMZ Proxy, F5, sipp, DMZ Public Network, Subnet 1 to Subnet 5, Inner Firewall, Outer Firewall).]
Inner Firewall rules

| From IP | From Port | To IP | To Port | Protocol | Comments |
|---|---|---|---|---|---|
| DMZ Secure proxies | Ephemeral port range | Core Bridge servers (on WAS internal cell node agents) | Bridge DCS port | TCP or TLS | Incoming DCS |
| DMZ Secure proxies | Ephemeral port range | WAS internal cell SIP containers | 5060, 5061, 5062, 5063 | TCP or TLS | SIP TCP, TLS |
| DMZ Secure proxies | Ephemeral port range | WAS internal cell DMGR | DMGR SOAP port | SOAP | Incoming SOAP* |

Keep the SSH port open. Block all other ports not used.
The “To IP” for each Core Bridge server is listed in the MyTunnel.props file from step 4(d) on page 13. The “To Port” for each Core Bridge server can be found as the port for DCS_UNICAST_ADDRESS. DMZ Secure proxies to WAS containers are available over TCP or TLS protocols.
* In order to have the DMZ external cells trust the WAS internal cell servers, the retrieveSigners
Outer Firewall rules

| From IP | From Port | To IP | To Port | Protocol | Comments |
|---|---|---|---|---|---|
| Incoming Clients* | Any | Virtual IP of Load Balancer | 5060, 5061 | TCP/TLS | Incoming Clients |
| DMZ Secure proxies | Any | Outgoing Clients* | 5060, 5061 | TCP/TLS | Outgoing Clients |

Block all other ports not used.
* In case of a gateway, the clients are external communities/other gateways and their IP(s) or range of IP(s) are known, and thus the customer will open the firewall to those specific IP(s) or range of IP(s).
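The following Python script, added here as an example and not part of the IBM document, encodes the inner and outer firewall tables above as a default-deny policy that can be queried for a given flow and rendered as iptables FORWARD rules. All addresses, the bridge DCS port and the dmgr SOAP port are assumed values, and the SSH management rule is left out.

```python
"""Encode the inner and outer DMZ firewall rule tables as a checkable policy.

Added example, not from the IBM document. The rule tables are turned into a
default-deny policy that answers "is this flow allowed?" for a source,
destination, port and protocol, and renders equivalent iptables FORWARD
rules. All addresses and the DCS/SOAP port numbers are assumptions; take the
real ones from the MyTunnel.props file, each bridge's DCS_UNICAST_ADDRESS
port and the dmgr SOAP port.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str          # source zone
    dst: str          # destination zone
    dports: tuple     # permitted destination ports (source port is ephemeral/any)
    proto: str        # SIP over TCP and TLS, and SOAP, all ride on tcp
    comment: str


# Constructed zone membership (hosts or CIDR ranges); the document names roles only.
ZONES = {
    "dmz_proxies": ("10.0.4.10", "10.0.4.11"),
    "core_bridges": ("10.0.1.21", "10.0.1.22"),    # node agents acting as bridges
    "sip_containers": ("10.0.1.31", "10.0.1.32"),
    "dmgr": ("10.0.1.5",),
    "lb_vip": ("198.51.100.10",),                   # virtual IP of the load balancer
    "clients": ("203.0.113.0/24",),                 # known gateway / client range
}
BRIDGE_DCS_PORT = 9353    # assumed; use the DCS_UNICAST_ADDRESS port of each bridge
DMGR_SOAP_PORT = 8879     # assumed; use the dmgr's SOAP port

INNER_RULES = (
    Rule("dmz_proxies", "core_bridges", (BRIDGE_DCS_PORT,), "tcp", "Incoming DCS"),
    Rule("dmz_proxies", "sip_containers", (5060, 5061, 5062, 5063), "tcp", "SIP TCP/TLS"),
    Rule("dmz_proxies", "dmgr", (DMGR_SOAP_PORT,), "tcp", "Incoming SOAP (retrieveSigners)"),
)
OUTER_RULES = (
    Rule("clients", "lb_vip", (5060, 5061), "tcp", "Incoming clients"),
    Rule("dmz_proxies", "clients", (5060, 5061), "tcp", "Outgoing clients"),
)


def in_zone(ip, zone):
    """True if ip falls within any host or range that makes up the zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in ZONES[zone])


def is_permitted(rules, src_ip, dst_ip, dport, proto="tcp"):
    """Default deny: a new flow is allowed only if some rule matches it."""
    return any(
        r.proto == proto and dport in r.dports
        and in_zone(src_ip, r.src) and in_zone(dst_ip, r.dst)
        for r in rules
    )


def render_iptables(rules, chain="FORWARD"):
    """Render the policy as iptables commands: allow return traffic, then the
    listed flows, then drop everything else (SSH admin access not included)."""
    lines = [f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        ports = ",".join(str(p) for p in r.dports)
        for s in ZONES[r.src]:
            for d in ZONES[r.dst]:
                lines.append(
                    f"iptables -A {chain} -p {r.proto} -s {s} -d {d} "
                    f"-m multiport --dports {ports} -m conntrack --ctstate NEW "
                    f"-m comment --comment '{r.comment}' -j ACCEPT"
                )
    lines.append(f"iptables -P {chain} DROP")
    return lines


if __name__ == "__main__":
    print("\n".join(render_iptables(INNER_RULES)))
    print("\n".join(render_iptables(OUTER_RULES)))
```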
Appendix
WebSphere Application Server Version 8.5 information center http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp
IBM WebSphere Application Server V8.5 Concepts, Planning, and Design Guide http://www.redbooks.ibm.com/redbooks/pdfs/sg248022.pdf
Configuring and Deploying WebSphere SIP Environments
https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/WebSphere SIP and CEA/page/Configuring and Deploying WebSphere SIP Environments