In Figure 3–1, the directory, Access Manager, and portal service modules reside in a network zone that is isolated from the main corporate network. Within this zone are separate subnets that are used to help secure each service.
Each service is accessed only through its respective load balancer. Clients of the service address their requests to the virtual IP address that is configured into the load balancer. Behind the load balancer, the computers that are running the component instances are isolated on their own subnets with private IP addresses. In Figure 3–1, the following five subnets are used:
Directory service subnet: 10.0.1.0/24
Access Manager/portal service subnet: 10.0.2.0/24
Access Manager/portal service load balancer subnet: 10.0.3.0/24
Gateway service subnet: 10.0.4.0/24
Gateway service load balancer subnet: 10.0.5.0/24
The directory service load balancer is on the same subnet as the Access Manager and Portal Server instances because the latter directly access directory services.
These subnets are bridged by the load balancers, and all communication between the subnets is routed through routers. Therefore, if one subnet is compromised, there is no direct route to the other services.
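As an added example (not from the deployment guide), the following Python check encodes the five subnets above and the rule that each service is reached only through its load balancer, then audits constructed flow records for inter-subnet connections that bypass a load balancer. The directory load balancer VIP address (10.0.2.10) and the gateway-to-portal-load-balancer flow are assumptions.

```python
import ipaddress

# Subnets from Figure 3-1.
SUBNETS = {
    "directory":    ipaddress.ip_network("10.0.1.0/24"),
    "am_portal":    ipaddress.ip_network("10.0.2.0/24"),  # also hosts the directory LB
    "am_portal_lb": ipaddress.ip_network("10.0.3.0/24"),
    "gateway":      ipaddress.ip_network("10.0.4.0/24"),
    "gateway_lb":   ipaddress.ip_network("10.0.5.0/24"),
}
DIRECTORY_LB_VIP = ipaddress.ip_network("10.0.2.10/32")  # constructed VIP, not from the text

# Inter-subnet flows the design permits; the gateway -> portal LB flow is an assumption.
RULES = [
    (SUBNETS["gateway_lb"],   SUBNETS["gateway"]),
    (SUBNETS["gateway"],      SUBNETS["am_portal_lb"]),
    (SUBNETS["am_portal_lb"], SUBNETS["am_portal"]),
    (SUBNETS["am_portal"],    DIRECTORY_LB_VIP),
    (DIRECTORY_LB_VIP,        SUBNETS["directory"]),
]

def zone_of(ip):
    """Name the Figure 3-1 subnet an address belongs to, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "external"

def is_permitted(src, dst):
    """True if a src -> dst flow follows the load-balancer-only design."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if zone_of(src) == zone_of(dst):
        return True  # same subnet: never crosses a router
    return any(s in rs and d in rd for rs, rd in RULES)

def audit(flow_lines):
    """Return (src, dst, src_zone, dst_zone) for each flow that bypasses a load balancer."""
    violations = []
    for line in flow_lines:
        src, dst = line.split()
        if not is_permitted(src, dst):
            violations.append((src, dst, zone_of(src), zone_of(dst)))
    return violations

# Constructed sample flow records ("source destination"), e.g. from a router's flow export.
SAMPLE_FLOWS = [
    "10.0.5.2 10.0.4.11",   # gateway LB -> gateway instance: permitted
    "10.0.4.11 10.0.3.5",   # gateway -> portal LB VIP: permitted
    "10.0.2.10 10.0.1.7",   # directory LB -> directory instance: permitted
    "10.0.4.11 10.0.1.7",   # gateway -> directory instance directly: violation
    "10.0.2.21 10.0.1.7",   # AM instance -> directory instance, bypassing the LB: violation
]
```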