Question

Aurena access from the web

  • 6 November 2020
  • 5 replies
  • 591 views

Badge +2

We are looking at accessing Aurena from the internet rather than using VPN. The documentation refers to a reverse proxy, but we are currently using a port forwarding rule within our firewall to access our Touch Apps server. Does anyone have any pros and cons regarding both methods? Also, exposing port 48080 to access Aurena, is there a way to change the port to the admin portal so it isn’t accessible from the web (/admin)?


thanks,

Steven 


5 replies

Userlevel 7
Badge +21

Hi @hughesst ,


We use a reverse proxy for the Touch App Server and we will also be using a reverse proxy when we begin to utilize Aurena in the coming months. With a reverse proxy you’re able to expose a URL such as https://ifsproduction.somedomain.com which your users utilize to access your system, but the reverse proxy, using URL Rewrite, would access your internal servers at https://internal.domain.com:48080. With this configuration you would only be required to open port 443 to the world instead of opening port 48080.


Another potential advantage of using a reverse proxy would be you could setup load balancing within the reverse proxy setup and allow you to have multiple IFS application servers configured to share the load.


You could also block the /admin access if you were to configure a reverse proxy. It is a lot of configuration work to set up a reverse proxy so everything works accurately, but once set up the reverse proxy has good performance and helps provide a secure environment to access IFS Aurena.


Regards,

William Klotz


Userlevel 7
Badge +21

Hi @hughesst ,


In speaking with one of my colleagues, he would recommend using a reverse proxy over port forwarding mainly because of security issues. A reverse proxy terminates the connection between the client and the reverse proxy and establishes a separate connection between the reverse proxy and the IFS Application server, thus providing another level of isolation. With port forwarding, on the other hand, the client is directly connected to the IFS Application server, so you lose the isolation between the external web and your IFS Application servers.


Regards,

William Klotz

Userlevel 5
Badge +9

We recently did this. Our environment uses Azure AD authentication.

We put traffic through our reverse proxy, however we had to make the IFS ports match both internally and externally due to the Azure app Redirect URIs. In the end, we changed our IFS environments from using the 48080 port to 443 the whole way through.

And definitely make sure you block admin access via reverse proxy, and keep your Oracle and WebLogic patched.

Also worth making sure everyone has MFA if possible too.

Badge +2

We deployed an Azure App proxy in our tenant to be used as a reverse proxy to connect to Aurena. I can connect to the initial IFS portal screen from the internet, but when I select the Aurena icon it changes the URL to the internal server, making it unreachable from the internet. I’ve tried reconfiguring IFS using SSL proxy, SSL passthrough and SSL offloading and setting the proxy URL to point to the external proxy URL, but it still fails; last I tried it asked to import an InTune certificate!

I was able to get around this issue by manually replacing the https://internalurl/main/xxxxx with https://externalurl/main/xxx once I clicked on the Aurena icon so I can’t see that much is missing to get this going.

MFA is also configured for this and does appear to be working well.

Badge +2

If anyone has a guide on this it would be appreciated. I do not think that a port forward will work at all, as WebLogic appears to reject requests on any host header other than the FQDN of the server. Unless someone can tell us how to allow WebLogic to respond to HTTP requests on multiple URLs, we are a no go. Anything other than the FQDN gives us a 403 Forbidden. We did have some luck with reverse proxy with the application server configured in direct mode but could not get the other 3 modes (which should be used for proxy/load balancer) to work.
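As an added illustration, not from this thread or from IFS or Oracle documentation, here is what the reverse-proxy setup discussed above looks like in nginx: the public side listens only on 443, /admin is blocked before anything reaches the application server, and requests are forwarded to the internal Aurena server on 48080. The hostnames, certificate paths and the choice to send the internal FQDN as the upstream Host header are assumptions made for this example.

```nginx
# Added example, not the thread's or IFS's own configuration.
# Assumed names: public ifsproduction.somedomain.com, internal
# internal.domain.com (WebLogic/Aurena on 48080), certificates already issued.
server {
    listen 80;
    server_name ifsproduction.somedomain.com;
    return 301 https://$host$request_uri;      # never serve Aurena over plain HTTP
}

server {
    listen 443 ssl;                             # only 443 is opened on the firewall
    server_name ifsproduction.somedomain.com;

    ssl_certificate     /etc/nginx/tls/ifsproduction.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/ifsproduction.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # The admin portal must not be reachable from the internet.
    # Regex match so /admin, /admin/ and /admin/anything are all caught;
    # nginx matches on the normalised, percent-decoded URI.
    location ~ ^/admin(/|$) {
        return 404;
    }

    location / {
        proxy_pass https://internal.domain.com:48080;
        proxy_http_version 1.1;

        # Posters above report WebLogic answering 403 to any Host header other
        # than its own FQDN, so the upstream Host is pinned to the internal name
        # (assumption: that is what the application server expects).
        proxy_set_header Host              internal.domain.com;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # Rewrites Location headers that point at the internal name back to the
        # public name. This only covers HTTP redirects; links the application
        # embeds in page content are not rewritten here, which matches the
        # "URL changes to the internal server" symptom described above.
        proxy_redirect https://internal.domain.com:48080/ https://ifsproduction.somedomain.com/;
    }
}
```

Blocking /admin at the proxy does not change what the application server itself accepts, so the internal 48080 listener should still be reachable only from the proxy and the internal network.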
