Securely exposing BizTalk Web Services to the internet


    • #21998

      Hi,

      Our network team has stated that all web services traffic should go through our firewall via a secure port between our external DMZ server and internal server. We will have BizTalk installed on both the external and internal servers.

      Here is an example of what I want to do:
      1) Web Service published to the internet via the external BizTalk server
      2) User consumes the external web service
      3) Orchestration is performed on the message on the external BizTalk server
      4) Message is pushed through the firewall to the internal BizTalk server
      5) Internal BizTalk server calls an internal back-end service
      6) Internal back-end service sends a response back, through the firewall and to the user that originally started the process.

      Given the above scenario, what is the best way to approach this?

      Also, what is the best practice for BizTalk to BizTalk communication through a firewall? My BizTalk book states that ISA Server is a good option but my network guy doesn’t like ISA Server.

      Thanks!


    • #22004

      Seems like an expensive way of doing this. You are effectively using the external Biztalk server as a reverse proxy server. There are cheaper options. You mention ISA Server, this functions as both a firewall and a reverse proxy server. Although there are other options for a reverse proxy e.g. Apache.

      With a reverse proxy you do not need any service specific logic in the DMZ, just a reference to the internal web service. You allow ports 80 and 443 from the internet to the reverse proxy on the outermost firewall and ports 80 and 443 from the reverse proxy to the Biztalk Server on the inner firewall. The reverse proxy can implement various security measures to filter requests.

      You will have issues using SSL (port 443) through a reverse proxy as you will need to deploy the certificate with the private key on the reverse proxy server. You could always use WS-Security and message level security on port 80 but this will require the use of the WCF adapter and remote client support.
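      As an added illustration (not part of the reply above, and not an ISA Server configuration), this is what the reverse-proxy layout described there looks like as an Apache httpd virtual host: TLS terminated on the DMZ proxy, which is why the certificate and private key must live there, and only one published service path forwarded over port 80 to the internal BizTalk host. Host names, paths and file locations are placeholders; mod_ssl, mod_proxy and mod_proxy_http are assumed to be loaded.

```apache
# Added example, not from the forum thread: DMZ reverse proxy in front of an
# internal BizTalk web service. Internet -> proxy on 443 (TLS ends here, so the
# certificate AND private key are deployed on this box); proxy -> BizTalk on 80.
# All host names, paths and file locations below are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName services.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/services.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/services.example.com.key

    # Forward proxying stays off; only the explicit ProxyPass mapping applies.
    ProxyRequests Off
    ProxyPreserveHost On

    # Deny everything by default, then expose only the published service path.
    <Location "/">
        Require all denied
    </Location>

    <Location "/AddressVerification/">
        Require all granted
        # SOAP endpoints are invoked with POST; refuse every other method.
        <LimitExcept POST>
            Require all denied
        </LimitExcept>
        # Cap request size (bytes) so oversized payloads are rejected at the edge.
        LimitRequestBody 1048576
    </Location>

    # The single "reference to the internal web service": one path, plain HTTP,
    # through the inner firewall to the internal BizTalk server.
    ProxyPass        "/AddressVerification/" "http://biztalk-int.corp.example/AddressVerification/"
    ProxyPassReverse "/AddressVerification/" "http://biztalk-int.corp.example/AddressVerification/"

    ErrorLog  /var/log/httpd/services_error.log
    CustomLog /var/log/httpd/services_access.log combined
</VirtualHost>
```

      Because the inner firewall only needs to allow the proxy's address to the BizTalk host on port 80, the access log on the proxy becomes the single place to watch for requests to paths or methods that were denied.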

      • #22011

        Thanks for the reply.

        The idea for the external BizTalk server is that some integrations will never come into the organization.  For example, we are looking at two different SaaS products that require address verification.  Instead of the SaaS product going direct to the address verification web service it will call the external BizTalk server first before heading to the address verification web service.

        Which approach would you take?
        1) Windows ISA Server for the reverse proxy
        2) WS-Security with the WCF adapter

        We are at the very start (obviously) of introducing BizTalk to the company so the decisions I make now will become the blue-print for going forward.

        Thanks again.

        • #22017

          I would always use a reverse proxy for those services on the internal, irrespective of any other security like WS-Security. My policy is to never have sockets traversing the DMZ from external to internal.

          How is the external Biztalk Server set up? Is its SQL server also in the DMZ? Does it belong to a domain? Does it access any resources in the internal network?

          • #22025

            This is a new installation so BizTalk has not been set up yet externally. When it is installed it won’t access any resources internally because that would be a security violation.

            Based on your comments, we are having a meeting tomorrow to determine if we even need BizTalk externally.  The network team wants all access (in and out) to go through the secure channel.  For example, if an external web service needs to be invoked from inside the firewall it would need to go to the external BizTalk first.

            If our network security guy is fine with external web service invocations from inside the firewall, a reverse proxy may be acceptable and no need for the external BizTalk server.


            • #22027

              There is no real security benefit in using a BizTalk Server in the DMZ.  You have a non-hardened server running in the DMZ open to attack. You have to build and deploy front-end applications to route requests to the internal network.

              With a reverse-proxy server like ISA you have a hardened server, specifically designed to provide a secure intermediary between the big wide world and your internal services. You don’t have to design, develop and maintain application software. You simply configure some security rules about what is allowed through.

              There is also a difference in licensing costs between these two.
