In this enterprise topology, the SSL connection can be terminated at the offloader (similar to terminating SSL at the web server) or can extend beyond the offloader (similar to full SSL) The offloader accepts encrypted requests from the browser and decrypts them. If SSL is terminated at the offloader, unencrypted data is passed from the offloader to Oracle HTTP Server, which is configured with WebLogic Server plugin. An optional load balancer can be used to route traffic between the offloader and multiple Oracle HTTP Servers. Oracle HTTP Server routes requests to EPM System components deployed on WebLogic Server or IIS Server. Server-to-server communication is routed through the web server without offloader involvement.
Based on security requirements, you can use SSL for communication between Oracle HTTP Server and the deployed EPM System components, including databases and user directories.
If you choose not to use SSL for communication between Oracle HTTP Server and the deployed EPM System components, you can minimize security risks by deploying the offloader and Oracle HTTP Server in the DMZ behind a firewall on a secure subnet to which users do not have direct access. WebLogic Servers, IIS Servers, and other components could be behind another firewall to ensure greater security.
The following illustration presents a conceptual deployment using one Oracle HTTP Server:
Note: | Oracle HTTP Server uses mod_wl_ohs for redirection to WebLogic Server and mod_proxy for redirection to IIS. |
The following illustration presents a conceptual high availability deployment using a load balancer and SSL accelerator:
