Actual firewalls are not set up in this deployment example. If firewalls were deployed, they would protect critical components using three distinct security zones, as illustrated in 1.1 Deployment Architecture and Components. One zone is completely secure, protected by all three firewalls, and used for internal traffic only. The second, less secure zone is protected by only two firewalls but is also used for internal traffic only. The third, minimally secured demilitarized zone (DMZ) leaves only simple components and interfaces exposed to the Internet and is used for external traffic. Thus, direct access to individual instances of OpenSSO Enterprise and Directory Server is allowed only if permitted by firewall rules. Based on the illustration cited:
- The instances of OpenSSO Enterprise are isolated between an internal firewall and the DMZ, and exposed through an external-facing load balancer. The load balancer and instances together provide high data availability within the infrastructure.
- The policy agents themselves are deployed behind a load balancer configured in the DMZ.
- The Distributed Authentication User Interface would be deployed in the DMZ for communication with OpenSSO Enterprise behind a firewall, additionally protecting the OpenSSO Enterprise instances from exposure in the minimally secured DMZ.
You may set up firewalls to allow traffic to flow as described in the following table.
Table 2–5 Summary of Firewall Rules

| From | To | Port # | Protocol | Traffic Type |
|---|---|---|---|---|
| Internet users | Load Balancer 3 | 1443 | HTTPS | User authentication |
| Internet users | Load Balancer 4 | 90 | HTTP | Application access by internet user |
| Internet users | Load Balancer 5 | 91 | HTTP | Application access by internet user |
| Distributed Authentication User Interface 1 | Load Balancer 2 | 1081 | HTTPS | User authentication |
| Distributed Authentication User Interface 2 | Load Balancer 2 | 1081 | HTTPS | User authentication |
| Load Balancer 4 | Protected Resource 1 | 1080 | HTTP | Application access by user |
| Load Balancer 5 | Protected Resource 2 | 1081 | HTTP | Application access by user |
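The following is an added example, not part of the deployment guide: it encodes the rows of Table 2–5 as a default-deny rule set, checks whether a given flow is permitted, flags any rule that would let traffic skip a security zone, and emits equivalent iptables FORWARD rules. The zone placement of each component and the host addresses are assumptions made for the example (inferred from the prose above and TEST-NET addresses), not values from the guide.

```python
"""Default-deny evaluation of the Table 2-5 firewall rules (added example)."""
from collections import namedtuple

Rule = namedtuple("Rule", "src dst port proto purpose")

# The seven rows of Table 2-5, copied from the page.
RULES = [
    Rule("Internet users", "Load Balancer 3", 1443, "HTTPS", "User authentication"),
    Rule("Internet users", "Load Balancer 4", 90, "HTTP", "Application access by internet user"),
    Rule("Internet users", "Load Balancer 5", 91, "HTTP", "Application access by internet user"),
    Rule("Distributed Authentication User Interface 1", "Load Balancer 2", 1081, "HTTPS", "User authentication"),
    Rule("Distributed Authentication User Interface 2", "Load Balancer 2", 1081, "HTTPS", "User authentication"),
    Rule("Load Balancer 4", "Protected Resource 1", 1080, "HTTP", "Application access by user"),
    Rule("Load Balancer 5", "Protected Resource 2", 1081, "HTTP", "Application access by user"),
]

# ASSUMED zone placement inferred from the prose: 0 = Internet, 1 = DMZ, 2 = internal.
ZONE = {"Internet users": 0, "Load Balancer 3": 1, "Load Balancer 4": 1, "Load Balancer 5": 1,
        "Distributed Authentication User Interface 1": 1,
        "Distributed Authentication User Interface 2": 1,
        "Load Balancer 2": 2, "Protected Resource 1": 2, "Protected Resource 2": 2}

# CONSTRUCTED placeholder addresses (TEST-NET-1); real deployments substitute their own.
HOSTS = {"Internet users": "0.0.0.0/0", "Load Balancer 3": "192.0.2.13", "Load Balancer 4": "192.0.2.14",
         "Load Balancer 5": "192.0.2.15", "Distributed Authentication User Interface 1": "192.0.2.21",
         "Distributed Authentication User Interface 2": "192.0.2.22", "Load Balancer 2": "192.0.2.12",
         "Protected Resource 1": "192.0.2.31", "Protected Resource 2": "192.0.2.32"}


def is_allowed(src, dst, port, proto):
    """Default deny: a flow passes only when a row matches all four fields."""
    return any(r.src == src and r.dst == dst and r.port == port and r.proto == proto for r in RULES)


def boundary_violations(rules=RULES):
    """Rules whose destination is more than one zone inward of the source, i.e. traffic
    that would bypass a zone (Internet straight into the internal zone)."""
    return [r for r in rules if ZONE[r.dst] - ZONE[r.src] > 1]


def iptables_lines(rules=RULES, hosts=HOSTS):
    """Render each row as an ACCEPT rule (HTTP and HTTPS are both TCP), then set the
    FORWARD policy to DROP so anything not in the table is refused."""
    lines = [f"iptables -A FORWARD -s {hosts[r.src]} -d {hosts[r.dst]} -p tcp "
             f"--dport {r.port} -m comment --comment \"{r.purpose}\" -j ACCEPT" for r in rules]
    return lines + ["iptables -P FORWARD DROP"]
```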