
Proxy Servers


Siebel Business Applications support the use of both forward and reverse-proxy servers within a deployment. Using proxy servers enhances security by preventing direct access to servers from the Internet.

Forward Proxy Servers

Forward proxy servers are generally used to provide Web access to the Internet for client computers when direct routing is not possible, either because it is forbidden by policy or by the network implementation. Forward proxy servers are therefore part of the client security infrastructure. They are also sometimes used by Internet service providers for caching.

Reverse Proxy Servers

A reverse-proxy server acts as an intermediary to prevent direct connections from clients to Web servers. A reverse-proxy server shields internal IP addresses from users by rewriting the IP addresses of the Web servers so that the Web server IP addresses are not revealed to the user. Additionally, the reverse proxy server can cache data closer to end users, thereby improving performance. Reverse-proxy servers provide an additional layer of security by helping protect the Web server from direct external attacks, but do not directly help secure the Web application.

To handle traffic between the external Siebel Web clients and the Web server that contains the SWSE, install a reverse-proxy server in the demilitarized zone (see Figure 2). The Web server and SWSE can then be moved behind a firewall into a separate zone or into the intranet zone.

Customer applications, which use standard interactivity, are commonly deployed with reverse proxy servers. Employee applications, which use high interactivity, can also be deployed with reverse proxy servers. If you deploy applications that use high interactivity with a reverse proxy server or a Web server load balancer, then note the following considerations:

  • Siebel Business Applications do not support the translation of port numbers or protocol switching. An example of protocol switching is changing from HTTP to HTTPS.

    NOTE:  Protocol switching from HTTPS to HTTP is supported if you have enabled the SSL acceleration feature for communications between Siebel Web Clients and the Web server. For information on using SSL acceleration, see Siebel Security Guide.

  • Siebel Business Applications support rewriting of the host name and of the IP addresses of the Web servers. For example, you can rewrite the following URL:

    http://ServerInternal/callcenter_enu/start.swe

    to:

    http://ServerExternal/callcenter_enu/start.swe

    However, you cannot rewrite it to:

    http://ServerExternal/portal1/start.swe

  • The reverse proxy server and Web server must run on the same port.
  • If you deploy SSL or TLS between the client and the reverse proxy server, then you must also deploy it between the reverse proxy server and the Web server on which the Siebel Web Server Extension (SWSE) is installed. Similarly, if you deploy SSL or TLS between the reverse proxy server and the Web server, then you must deploy it between the client and the reverse proxy server.

    NOTE:  If the SSL acceleration feature is enabled, then you can deploy SSL or TLS between Siebel Web Clients and the reverse proxy server. However, you do not have to deploy SSL or TLS between the reverse proxy server and the Web server. You can use the HTTP protocol for communications between the reverse proxy server and the Web server. For information on enabling SSL acceleration, see Siebel Security Guide.
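
The considerations above can be checked mechanically before a proxy rule is deployed. The following Python sketch is an added example, not part of the Siebel documentation or product; the function name check_proxy_mapping, the ssl_acceleration flag, and port 8443 in the samples are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _parts(url):
    """Return (scheme, effective port, path) for an http(s) URL."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in {url!r}")
    return scheme, u.port or DEFAULT_PORTS[scheme], u.path

def check_proxy_mapping(external_url, internal_url, ssl_acceleration=False):
    """List the rules a client-facing -> Web server mapping breaks ([] = OK)."""
    ext_scheme, ext_port, ext_path = _parts(external_url)
    int_scheme, int_port, int_path = _parts(internal_url)
    problems = []
    # Only the host name or IP address may be rewritten; the path must pass through.
    if ext_path != int_path:
        problems.append("path rewritten")
    # HTTPS -> HTTP is allowed only when SSL acceleration is enabled; otherwise
    # TLS must be used on both legs or on neither.
    offload = ssl_acceleration and (ext_scheme, int_scheme) == ("https", "http")
    if ext_scheme != int_scheme and not offload:
        problems.append("protocol switched")
    # Assumption: the page states the same-port rule without an exception, so it
    # is applied here even when SSL acceleration is enabled.
    if ext_port != int_port:
        problems.append("port translated")
    return problems

# Constructed sample mappings, built from the URLs on this page.
INTERNAL = "http://ServerInternal/callcenter_enu/start.swe"
SAMPLES = [
    ("http://ServerExternal/callcenter_enu/start.swe", INTERNAL, False),
    ("http://ServerExternal/portal1/start.swe", INTERNAL, False),
    ("https://ServerExternal:8443/callcenter_enu/start.swe",
     "http://ServerInternal:8443/callcenter_enu/start.swe", False),
    ("https://ServerExternal:8443/callcenter_enu/start.swe",
     "http://ServerInternal:8443/callcenter_enu/start.swe", True),
]

if __name__ == "__main__":
    for ext, internal, accel in SAMPLES:
        print(ext, "->", internal, check_proxy_mapping(ext, internal, accel) or "OK")
```
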

Siebel Security Hardening Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved.