Actual firewalls are not set up in this deployment example. If firewalls were configured, the intended deployment would protect critical components using three distinct security zones, as illustrated in Figure 1–1. One zone is completely secure, protected by all three firewalls, and used for internal traffic only. The second, less secure zone is protected by only two firewalls and is also for internal traffic only. The third, minimally secured demilitarized zone (DMZ) exposes only simple components and interfaces to the Internet and is used for external traffic. Thus, direct access to individual Access Manager servers and Directory Server instances is allowed only where firewall rules permit it. Based on the illustration cited:
The Access Manager servers are isolated between an internal firewall and the DMZ. Access Manager services are exposed through both an external-facing load balancer and an internal-facing load balancer. The load balancer and Access Manager servers together provide high data availability within the infrastructure.
The policy agents themselves are deployed behind a load balancer configured in the DMZ.
The Distributed Authentication User Interface would be deployed in the DMZ for communication with Access Manager behind a firewall, additionally protecting the Access Manager servers from exposure in the minimally-secured DMZ.
You may set up firewalls to allow traffic to flow as described in the following table.
Table 2–5 Summary of Firewall Rules

| From | To | Port # | Protocol | Traffic Type |
|---|---|---|---|---|
| Internet users | LoadBalancer-4 | 9443 | HTTPS | User authentication |
| Internet users | LoadBalancer-5 | 90 | HTTP | Application access by internet user |
| Internet users | LoadBalancer-6 | 91 | HTTP | Application access by internet user |
| AuthenticationUI-1 | LoadBalancer-3 | 9443 | HTTPS | User authentication |
| AuthenticationUI-2 | LoadBalancer-3 | 9443 | HTTPS | User authentication |
| LoadBalancer-5 | ProtectedResource-1 | 1080 | HTTP | Application access by user |
| LoadBalancer-6 | ProtectedResource-2 | 1081 | HTTP | Application access by user |
| Intranet User | LoadBalancer-3 | 7070 | HTTP | User authentication and various Access Manager services |
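The table above is an allow-list: every flow it does not name should be denied, which is what keeps Internet users away from LoadBalancer-3 and the Access Manager servers behind it. The following script is an added example (not part of the Access Manager guide) that transcribes Table 2–5 into a default-deny rule set, checks sample flows against it, and renders each row as an nftables-style accept rule. The addresses in `SAMPLE_ADDRESSES` are assumed placeholder values for illustration only; the guide gives no addressing.

```python
"""Default-deny model of the firewall rules in Table 2-5 (added example).

The RULES tuple transcribes the table. SAMPLE_ADDRESSES is an assumed,
hypothetical topology used only to render rule text; it is not from the guide.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str       # source host or user population, as named in the table
    dst: str       # destination host (load balancer or protected resource)
    port: int      # TCP port on the destination
    proto: str     # application protocol column: HTTP or HTTPS
    purpose: str   # traffic type column, kept for audit output


# Allow-list transcribed from Table 2-5. Any flow not listed here is denied.
RULES = (
    Rule("Internet users", "LoadBalancer-4", 9443, "HTTPS", "User authentication"),
    Rule("Internet users", "LoadBalancer-5", 90, "HTTP", "Application access by internet user"),
    Rule("Internet users", "LoadBalancer-6", 91, "HTTP", "Application access by internet user"),
    Rule("AuthenticationUI-1", "LoadBalancer-3", 9443, "HTTPS", "User authentication"),
    Rule("AuthenticationUI-2", "LoadBalancer-3", 9443, "HTTPS", "User authentication"),
    Rule("LoadBalancer-5", "ProtectedResource-1", 1080, "HTTP", "Application access by user"),
    Rule("LoadBalancer-6", "ProtectedResource-2", 1081, "HTTP", "Application access by user"),
    Rule("Intranet User", "LoadBalancer-3", 7070, "HTTP",
         "User authentication and various Access Manager services"),
)

Flow = Tuple[str, str, int, str]


def match(src: str, dst: str, port: int, proto: str) -> Optional[Rule]:
    """Return the first rule permitting the flow, or None (default deny)."""
    proto = proto.upper()
    for rule in RULES:
        if (rule.src, rule.dst, rule.port, rule.proto) == (src, dst, port, proto):
            return rule
    return None


def is_allowed(src: str, dst: str, port: int, proto: str) -> bool:
    return match(src, dst, port, proto) is not None


def audit(flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Split flows into (allowed, denied) lists under the default-deny policy."""
    allowed, denied = [], []
    for flow in flows:
        (allowed if is_allowed(*flow) else denied).append(flow)
    return allowed, denied


# Assumed sample addressing (documentation ranges), NOT taken from the guide.
SAMPLE_ADDRESSES = {
    "Internet users": "0.0.0.0/0",
    "Intranet User": "10.10.0.0/16",
    "AuthenticationUI-1": "203.0.113.11",
    "AuthenticationUI-2": "203.0.113.12",
    "LoadBalancer-3": "192.0.2.3",
    "LoadBalancer-4": "203.0.113.4",
    "LoadBalancer-5": "203.0.113.5",
    "LoadBalancer-6": "203.0.113.6",
    "ProtectedResource-1": "192.0.2.21",
    "ProtectedResource-2": "192.0.2.22",
}


def render_nft_rules(addresses=SAMPLE_ADDRESSES) -> List[str]:
    """Render each table row as an nftables forward-chain accept rule.

    Intended for a chain declared with 'policy drop', so the rendered accepts
    are the only permitted flows. A source of 0.0.0.0/0 omits the saddr clause.
    """
    lines = []
    for r in RULES:
        saddr = "" if addresses[r.src] == "0.0.0.0/0" else f"ip saddr {addresses[r.src]} "
        lines.append(f'{saddr}ip daddr {addresses[r.dst]} tcp dport {r.port} '
                     f'accept comment "{r.purpose}"')
    return lines


if __name__ == "__main__":
    # Constructed sample flows: two from the table, one that the table omits.
    sample = [
        ("Internet users", "LoadBalancer-4", 9443, "HTTPS"),
        ("Intranet User", "LoadBalancer-3", 7070, "HTTP"),
        ("Internet users", "LoadBalancer-3", 7070, "HTTP"),   # not in table: denied
    ]
    ok, blocked = audit(sample)
    print("allowed:", ok)
    print("denied :", blocked)
    print("\n".join(render_nft_rules()))
```

Running the script shows the third constructed flow (an Internet user reaching LoadBalancer-3 on 7070) rejected, because the table grants that port only to intranet users; the rendered lines are meant for a forward chain whose policy is drop, so the allow-list stays the single source of what may cross the zones.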