Reverse Proxy Servers

A reverse proxy server acts as an intermediary to prevent direct connections from clients to Web servers. A reverse proxy server shields internal IP addresses from users by rewriting the IP addresses of the Web servers so that the Web server IP addresses are not revealed to the user. Additionally, the reverse proxy server can cache data closer to end users, thereby improving performance. Reverse proxy servers provide an additional layer of security by helping protect the Web server from direct external attacks, but do not directly help secure the Web application.

A reverse proxy server is always required in the DMZ for all implementations with and without SSO. To handle traffic between the external Siebel Web clients and the Web server/authentication plug-in, always install a reverse proxy server in the demilitarized zone (see the image in Network Zones and Firewalls). All application interfaces and other Siebel enterprise components are secured in the secure intranet zone.

If you deploy applications that use Siebel Open UI with a reverse proxy server or a Web server load balancer, then note the following considerations:

  • Siebel CRM supports rewriting the host name and IP addresses of the Web servers.

    For example, you can rewrite the following URL: http://ServerInternal/siebel/app/callcenter/enu

    To the following: http://ServerExternal/siebel/app/callcenter/enu

  • The reverse proxy server and the application interface may not run on the same port. Port and protocol switching is supported between the reverse proxy and the application interface, and requires that you configure URL rewrite. URL rewrite is configured at the reverse proxy level and is vendor specific.

  • As of Siebel CRM 20.5 Update, configuring reverse proxy is a mandatory post-installation task; see Procedure to Configure Reverse Proxy.

  • Protocol switching from HTTPS to HTTP is supported if you have enabled the TLS acceleration feature for communications between Siebel Web clients and the Siebel Application Interface.

    Note: If the TLS acceleration feature is enabled, then you can deploy TLS between Siebel Web Clients and the reverse proxy server. However, you do not have to deploy TLS between the reverse proxy server and the application interface. You can use the HTTP protocol for communications between the reverse proxy server and the application interface.

Note: For Siebel CRM 17.0 and later, a reverse proxy server is required in the DMZ to expose the Siebel app on the Internet or intranet. Setting up reverse proxy is usually documented as part of the Web server choice a customer makes for the platform and Web server product being used. Reverse proxies are typically lightweight and have minimal impact on the overall performance of a deployment. To determine the exact impact of using a reverse proxy, it is recommended that you contact the vendor of your chosen reverse proxy solution.
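The following added example (not Siebel or vendor code) models what the URL rewrite described above has to do to response headers, and adds an audit check that no header still names the internal server. It goes beyond the host-name example in the text by also switching port and protocol; the port 8080, the HTTPS external scheme, and all function names are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Host names are from the page's example; scheme and port values are assumed.
INTERNAL = "http://ServerInternal:8080"   # application interface behind the proxy
EXTERNAL = "https://ServerExternal"       # origin that clients see (TLS ends at the proxy)
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample response headers, as the application interface might send them.
SAMPLE_HEADERS = {
    "Location": "http://ServerInternal:8080/siebel/app/callcenter/enu",
    "Content-Type": "text/html",
}

def _origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    return p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme)

def rewrite_url(url, internal=INTERNAL, external=EXTERNAL):
    """Map an absolute URL on the internal origin to the external origin."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return url                         # relative URL: nothing to rewrite
    if _origin(url) != _origin(internal):
        return url                         # some other site: leave untouched
    e = urlsplit(external)
    # Scheme, host and port come from the external origin; the rest is kept.
    return urlunsplit((e.scheme, e.netloc, p.path, p.query, p.fragment))

def rewrite_headers(headers, internal=INTERNAL, external=EXTERNAL):
    """Rewrite the headers that can carry the backend's origin."""
    out = {}
    for name, value in headers.items():
        if name.lower() in ("location", "content-location"):
            value = rewrite_url(value, internal, external)
        out[name] = value
    return out

def leaked_headers(headers, internal=INTERNAL):
    """Audit check: names of headers that still mention the internal host."""
    host = urlsplit(internal).hostname     # urlsplit lowercases the host
    return [n for n, v in headers.items() if host in v.lower()]

if __name__ == "__main__":
    fixed = rewrite_headers(SAMPLE_HEADERS)
    print(fixed["Location"], leaked_headers(fixed))
```

Running `leaked_headers` against real responses captured on the external side of the proxy is a quick way to confirm that the vendor-specific rewrite rules cover redirects as well as page URLs.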

About Load Balancer Persistence if Using Reverse Proxy

The following are recommendations about enabling load balancer persistence when using a reverse proxy:

  • Load balancer in front of Siebel Application Interface. Load balancer persistence is required for UI applications when the load balancer is in front of the application interface. You can use the same configuration for the Siebel Migration Application and test automation. Load balancer persistence is not required for REST.

  • Load balancer in front of the reverse proxy (with or without SSO). Load balancer persistence is optional when the load balancer is in front of the reverse proxy. There is no functional requirement mandating load balancer persistence at this level. Siebel functionality is independent of load balancer persistence.