The Gateway service runs in a separate subnet (the DMZ) that is isolated from the portal service subnet by an Internal Firewall and from the public Internet by an External Firewall, as shown in Figure 3–1.
In the DMZ, only the Gateway service load balancer (at sra.pstest.com) is exposed to traffic from the public Internet, and only through the External Firewall. All other hosts in the DMZ are assigned private IP addresses, in keeping with the principle of minimizing the attack surface. In Figure 3–1, the DMZ subnet is created with private addresses in the 10.0.4.0/24 range. These private (RFC 1918) addresses are not routable on the public Internet and are not routed outside the network.
In Figure 3–1, the Gateway service load balancer is shown with the IP address 10.0.5.10. This address is a placeholder: when you deploy your reference configuration, you must configure this load balancer with a real, publicly accessible IP address that is appropriate for your site.
The firewall rules that are used to establish the Gateway service subnet are shown in the following tables.
Table 3–2 Internal Firewall Rules
| Rule Number | Source | Destination | Type/Port | Action |
|---|---|---|---|---|
| 1 | sra1.pstest.com, sra2.pstest.com | am.pstest.com | TCP/80 | ALLOW |
| 2 | sra1.pstest.com, sra2.pstest.com | ps.pstest.com (Portal Server) | TCP/80 | ALLOW |
| 3 | sra1.pstest.com, sra2.pstest.com | ps.pstest.com (Rewriter Proxy) | TCP/10433 | ALLOW |
| 4 | sra1.pstest.com, sra2.pstest.com | ps.pstest.com (Netlet Proxy) | TCP/10555 | ALLOW |
| 5 | am1.pstest.com, am2.pstest.com | sra1.pstest.com, sra2.pstest.com | TCP/443 | ALLOW |
| 6 | * | * | * | DENY |
Rules 1 and 2 in the previous table allow the Gateway instances to reach the virtual service IP addresses (the load balancers) for the Access Manager and portal services over HTTP (TCP/80). Rules 3 and 4 allow the Gateway instances to reach the Rewriter Proxy (TCP/10433) and the Netlet Proxy (TCP/10555) on the portal server host. Rule 5 allows the session notifications that are generated by the Access Manager instances to reach the Gateway instances on TCP/443; because the notifications originate from the individual Access Manager instances rather than from their load balancer, the rule names am1.pstest.com and am2.pstest.com as the source. Rule 6 denies all other traffic. The firewall is stateful and automatically permits the response traffic for connections that these rules allow, so no explicit rules for return traffic are needed.
Table 3–3 External Firewall Rules
| Rule Number | Source | Destination | Type/Port | Action |
|---|---|---|---|---|
| 1 | * | sra.pstest.com | TCP/443 | ALLOW |
| 2 | * | * | * | DENY |
The rules in the previous table expose only the Gateway service load balancer to the Internet, and only on TCP/443 (HTTPS). All other inbound traffic, including any attempt to connect directly to an individual Gateway instance, is denied.
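The following is an added example, not part of the original reference configuration or of the Portal Server product. It models both rule tables above (Table 3–2 and Table 3–3) as first-match policies in front of a stateful connection table, so that each flow the configuration depends on, and a few that must be blocked, can be checked before the rules are typed into real firewalls. The address plan (the public VIP 203.0.113.10, the 10.0.4.x addresses for the DMZ hosts and the 10.0.6.x addresses for the portal subnet), the hypothetical `StatefulFirewall` class and the sample flows in `policy_report()` are all constructed for this example; only the hostnames, ports and actions come from the tables.

```python
"""Policy check for the Internal and External firewall rule tables of the
Gateway (SRA) reference configuration (added example, not product code).

Rules are evaluated first match wins. A packet whose reversed tuple is in
the connection table is the response to an already-permitted connection
and is allowed without consulting the rules, which is the behaviour the
text describes as the firewall adding response rules automatically.
"""

ANY = "*"

# Constructed address plan. The DMZ hosts sit in 10.0.4.0/24 as in Figure 3-1;
# the portal-subnet addresses and the public VIP are assumptions.
HOSTS = {
    "sra.pstest.com": "203.0.113.10",   # Gateway load balancer, public VIP (assumed)
    "sra1.pstest.com": "10.0.4.11",     # Gateway instances in the DMZ (assumed)
    "sra2.pstest.com": "10.0.4.12",
    "am.pstest.com": "10.0.6.20",       # Access Manager load balancer (assumed)
    "am1.pstest.com": "10.0.6.21",      # Access Manager instances (assumed)
    "am2.pstest.com": "10.0.6.22",
    "ps.pstest.com": "10.0.6.30",       # Portal Server, Rewriter Proxy, Netlet Proxy (assumed)
}

SRA_INSTANCES = {"sra1.pstest.com", "sra2.pstest.com"}

# (rule number, sources, destinations, type/port, action), as in Table 3-2.
INTERNAL_RULES = [
    (1, SRA_INSTANCES, {"am.pstest.com"}, "TCP/80", "ALLOW"),
    (2, SRA_INSTANCES, {"ps.pstest.com"}, "TCP/80", "ALLOW"),      # Portal Server
    (3, SRA_INSTANCES, {"ps.pstest.com"}, "TCP/10433", "ALLOW"),   # Rewriter Proxy
    (4, SRA_INSTANCES, {"ps.pstest.com"}, "TCP/10555", "ALLOW"),   # Netlet Proxy
    (5, {"am1.pstest.com", "am2.pstest.com"}, SRA_INSTANCES, "TCP/443", "ALLOW"),  # session notifications
    (6, ANY, ANY, ANY, "DENY"),
]

# Table 3-3.
EXTERNAL_RULES = [
    (1, ANY, {"sra.pstest.com"}, "TCP/443", "ALLOW"),
    (2, ANY, ANY, ANY, "DENY"),
]


def _addr(host):
    """Resolve a table hostname to its address; bare addresses pass through."""
    return HOSTS.get(host, host)


def _matches(field, host):
    """True if a rule's source/destination field covers the given host."""
    return field == ANY or _addr(host) in {_addr(h) for h in field}


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()   # (src_addr, dst_addr, proto, dport) of allowed connections

    def decide(self, src, dst, proto, dport, sport=None):
        """Return (action, reason) for a packet from src to dst."""
        s, d = _addr(src), _addr(dst)
        # Response to a permitted connection: reversed tuple, source port == original dport.
        if sport is not None and (d, s, proto, sport) in self.established:
            return "ALLOW", "established"
        for number, srcs, dsts, typeport, action in self.rules:
            if typeport == ANY:
                port_ok = True
            else:
                rproto, rport = typeport.split("/")
                port_ok = rproto == proto and int(rport) == dport
            if port_ok and _matches(srcs, src) and _matches(dsts, dst):
                if action == "ALLOW":
                    self.established.add((s, d, proto, dport))
                return action, f"rule {number}"
        return "DENY", "implicit"   # not reached while both tables end in a DENY-all


def policy_report():
    """Exercise the intended flows and several that the policy must block."""
    internal = StatefulFirewall(INTERNAL_RULES)
    external = StatefulFirewall(EXTERNAL_RULES)
    return {
        # Internal Firewall
        "gw->am_lb http":        internal.decide("sra1.pstest.com", "am.pstest.com", "TCP", 80),
        "gw->rewriter proxy":    internal.decide("sra2.pstest.com", "ps.pstest.com", "TCP", 10433),
        "am1->gw notify":        internal.decide("am1.pstest.com", "sra1.pstest.com", "TCP", 443),
        "am_lb->gw response":    internal.decide("am.pstest.com", "sra1.pstest.com", "TCP", 40000, sport=80),
        "gw->am_lb https":       internal.decide("sra1.pstest.com", "am.pstest.com", "TCP", 443),
        "portal->gw http":       internal.decide("ps.pstest.com", "sra1.pstest.com", "TCP", 80),
        # External Firewall (198.51.100.7 stands in for an arbitrary Internet client)
        "internet->gw_lb https": external.decide("198.51.100.7", "sra.pstest.com", "TCP", 443),
        "internet->gw_lb http":  external.decide("198.51.100.7", "sra.pstest.com", "TCP", 80),
        "internet->sra1 https":  external.decide("198.51.100.7", "sra1.pstest.com", "TCP", 443),
    }


if __name__ == "__main__":
    for flow, (action, why) in policy_report().items():
        print(f"{flow:24} {action:5} ({why})")
```

The two flows worth noticing are `am_lb->gw response`, which is allowed only because the Gateway's earlier TCP/80 connection to am.pstest.com was recorded in the connection table, and `internet->sra1 https`, which shows that a client who learns a Gateway instance's address still cannot reach it except through the load balancer. If a new component is added to the DMZ or the portal subnet, add its flow to `policy_report()` first and confirm it is denied before writing the rule that permits it.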