WebSphere Portal Server forum archive, May 2007
Access WPS from Internet through IHS in the DMZ side.
Hi,
I have a WPS Express 6 in the LAN side. IBM HTTP Server 6 is installed in DMZ.
I want to access my portal server through a DMZ web server (only https connections are allowed to the DMZ web server).
To do this I installed and configured IHS 6 and WAS Plugin into the DMZ Server.
The matter is that I don't want all LDAP users (the LDAP server is a Domino server) to have access through the internet; I want to restrict access to a few users. Keep in mind that all users still have to have access through the intranet/LAN (they will not use the DMZ server).
So the only thing I want to do is limit access to the portal server through the internet to a few users. WebSphere Portal Server can't detect whether a user is connecting from the internet or the intranet; it always does the same authentication process, making the request to the LDAP server (not very flexible on this).
I am thinking of these choices:
1.- Modify the login process to detect if the source IP address is from the intranet or the internet and, depending on this, validate the user by doing some kind of filtering on the LDAP server. This requires programming.
2.- Activate the IBM LDAP access module on the IBM HTTP Server (DMZ) and use the LDAPRequire group directive.
3.- Make a firewall policy that asks for a username and password for incoming https connections.
Choice number 1 requires programming and the authentication is done in the LAN; I would prefer to do a first authentication in the DMZ layer so it is more secure.
Choice number 2. The authentication mechanism is Basic (not Digest), so the password is clear text (I am using an https connection... I don't know if the password is still clear text, but the documentation says that Basic authentication is clear text). One more problem: if you connect and authenticate to portal1.company.com, when you change the server name (your pages use references to different servers under the same domain, for example portal2.company.com) the browser will prompt again for the username and password; this is because the authentication mechanism is not session enabled (LTPA cookie or whatever).
Choice number 3. My firewall didn't allow this (... for the moment).
Can anyone help me on this?
Thank you very much.
----
Albert Collet
Telecom Engineer.
I have tried mod_auth_digest.so 2.0.59 with IHS 6.1 (based on Apache 2.0.47) and it works. But not in conjunction with the IBM LDAP module. So, you have to define the users locally (good if you have only a few users).
Using this type of authentication (Digest) I solved the problem of logging in to the DMZ web server for each server (in case you have more than one). You can set up an AuthDigestDomain that lets you share the same username and password across different URIs.
With this method I have to authenticate twice. First to access DMZ and second to access Portal. With this, only the users that have access to DMZ can login to Portal through the internet.
Any new ideas?
Albert.-
----
Albert Collet
Telecom Engineer.
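As an added example (not configuration from the original poster, from IBM or from this thread), this is the kind of IHS 6 / Apache 2.0 httpd.conf fragment the second post describes: mod_auth_digest protecting the portal path with a locally defined user list, and AuthDigestDomain covering both portal hostnames so the browser reuses the credentials instead of prompting again. The Basic variant from choice 2 of the question is kept beside it, commented out, for comparison. Hostnames, file paths, the /wps location, the realm name and the user names are all assumed.

```apache
# Added example: IHS 6 (Apache 2.0 based) httpd.conf fragment for the DMZ
# web server, as described in the second post. Hostnames, file paths, realm
# and user names are assumed, not taken from the original thread.

LoadModule auth_digest_module modules/mod_auth_digest.so

# Weak variant (choice 2 in the question): Basic sends the credentials as a
# base64 string, i.e. clear text once TLS is terminated, and because the
# realm is tied to one hostname the browser re-prompts for portal2.
#   AuthType Basic
#   AuthName "DMZ Portal"
#   AuthUserFile /opt/IBMIHS/conf/portal.users
#   Require user alice bob

<Location /wps>
    AuthType Digest
    # Realm string: must match the one given to htdigest when creating users
    AuthName "DMZ Portal"
    # Protection space shared across both portal hostnames, so the browser
    # reuses the digest credentials when a page references portal2
    AuthDigestDomain / https://portal1.company.com/ https://portal2.company.com/
    # Apache 2.0 directive for the digest user file (AuthUserFile in 2.2+)
    AuthDigestFile /opt/IBMIHS/conf/digest.users
    # Explicit allow list instead of "valid-user": only these users get the
    # internet path; everyone else still works through the LAN as before
    Require user alice bob
</Location>
```

The user file is created with `htdigest -c /opt/IBMIHS/conf/digest.users "DMZ Portal" alice` (drop `-c` for each further user); the realm passed to htdigest must match `AuthName` exactly or every login fails. Digest replaces the clear-text password with a challenge/response, but it is still only MD5 based, so keeping the DMZ listener https-only, as the original setup already does, remains necessary; and since Portal authenticates again against LDAP behind the plugin, a user who leaves the company must be removed from both the digest file and the directory.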