Security Guide for Siebel Business Applications > Physical Deployment and Auditing >

Firewall and Proxy Server Support

A firewall separates a company's external Siebel Web Clients (those accessing applications over the Internet) from its internal network and controls network traffic between the two domains. A firewall defines a focal point to keep unauthorized users out of a protected network, prohibits vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.

Firewalls often include one or more of the following capabilities:

  • Proxy server. A proxy server is a Web server that acts as an intermediary to prevent direct connection to your local corporate network from the Internet. It shields internal IP addresses from the Internet. Siebel Business Applications support both forward and reverse proxy servers within a deployment.
  • Reverse proxy server. A reverse proxy server acts as an intermediary to prevent direct connections from clients to Web servers. A reverse proxy server shields internal IP addresses from users by rewriting IP addresses of the Web servers so that they are not revealed to the user. Additionally, the reverse proxy server can cache data closer to end users, thereby improving performance.

    NOTE:  You do not need to perform any configuration within your Siebel environment to enable reverse proxy servers.

    Customer applications, which use standard interactivity, commonly are deployed with reverse proxy servers. Employee applications, which use high interactivity, can also be deployed with reverse proxy servers.

    If you deploy applications that use high interactivity with a reverse proxy server or a Web server load balancer, note the following considerations:

    • Siebel Systems does not support the translation of port numbers or protocol switching. An example of protocol switching is changing from HTTP to HTTPS or vice versa.
    • Siebel Systems does support rewriting of the hostname and of the IP addresses of the Web servers.
    • The reverse proxy server and Web server must run on the same port.
    • If you deploy SSL between the client and the reverse proxy server, then you must deploy SSL between the reverse proxy server and the Web server and vice versa.
  • Network Address Translation (NAT). NAT technology transparently rewrites the IP addresses of Internet connections as they move across the firewall boundary. This allows multiple computers in a local network to hide behind a single IP address on the Internet.
  • Virtual Private Networks (VPN). Siebel Business Applications also support the use of Virtual Private Networks. VPN is a technique that allows computers outside the firewall to tunnel traffic through a firewall, then appear as if they are connected inside the firewall.

    VPN technology allows employees working at home or on the road to access many corporate intranet resources (for example, email servers, file shares, and so on) which otherwise would not be sufficiently secured to be placed outside the firewall.

Recommended Placement for Firewalls

This section describes a placement of firewalls with respect to Siebel network components. A Siebel network typically has four zones:

  • Internet. Where external Siebel Web Clients reside.
  • Web server zone. Where Siebel Web servers and Web server load balancers reside. The Siebel Web Server Extension (SWSE) is installed on the Web server machine. Sometimes called the DMZ (demilitarized zone), this zone is where the external network first interacts with the Siebel environment.

    NOTE:  To handle traffic between the external Siebel Web Clients and the Web server that contains the SWSE, installing a reverse proxy server is recommended. If you deploy a reverse proxy, it should reside in the DMZ. The Web server and SWSE can then be moved behind a firewall into its own zone, or into the Siebel Server zone.

  • Siebel Server zone. (This is sometimes called the application server zone.) Components that reside inside this zone include Siebel Servers, the Siebel Gateway Name Server, a third-party HTTP load balancer (if deployed) for Siebel Servers, and the authentication server (such as an LDAP or ADS directory server).
  • Data Server zone. Where the Siebel Database, Siebel File System, and Database Server reside. Typically, this is where the most critical corporate assets reside. Access to this zone should be limited to authorized system administrators and database administrators only.

Siebel network architecture allows you to install firewalls between each of these zones. For optimum performance, however, do not install a firewall between the Siebel Server zone and the Data Server zone, or between the Siebel Database and the Siebel File System. Figure 4 shows the recommended placement for firewalls in Siebel networks.

Figure 4. Firewalls in Siebel Networks
Click for full size image

Deploying Siebel Business Applications Accessed Through a Firewall

When deploying Siebel Business Applications across a firewall, verify that your firewall and proxy servers support the HTTP 1.1 protocol. This protocol enables functionality such as inline data compression to improve performance for bandwidth-constrained environments, cookies, and other features.

If your firewall does not support HTTP 1.1, and you use HTTP 1.0 instead, lower performance will result. The following requirements apply if you do not use HTTP 1.1:

  • Web server compression for SWSE must be disabled. In the eapps.cfg file, set the value of the DoCompression parameter to FALSE. (Use other settings where compression is known to be supported, or may be supported.) For more information, see Siebel System Administration Guide.
  • Make sure that the firewall can handle cookie-wrapping or other proxy-specific features that enable forwarding of cookie. Or, reduce or remove the use of cookies in your Siebel Business Applications. For more information, see Cookies and Siebel Business Applications.
  • Make sure that your proxy server does not pass to the SWSE any header content that uses HTTP 1.1 protocol. The proxy must strip any header content that is not compliant with HTTP 1.0.
Security Guide for Siebel Business Applications