Configuring External Network Access to vFire
This topic explains how to configure vFire so users on a public network can access vFire Self Service and the vFire apps without needing to log in to the corporate network.
Depending on organizational security requirements, the recommended environment and security configurations may differ. The most common security recommendation is to create a demilitarized zone (DMZ) containing a reverse proxy server buffered by firewalls.
Work with your Network Administration teams to set up and configure reverse proxy servers, DMZ, and IIS redirection.
Three scenarios involving a DMZ are outlined in this topic and provide recommended configurations based on whether or not Windows Authentication is enabled on the vFire Core system within the secure network.
The three scenarios are:
- DMZ with a web server where vFire Core is installed. The vFire Core system within the secure network may or may not have Windows Authentication enabled.
- DMZ with a reverse proxy server. The vFire Core system within the secure network has Windows Authentication disabled.
- DMZ with a reverse proxy server. The vFire Core system within the secure network has Windows Authentication enabled.
Ports to open in the firewalls
 | HTTP | HTTPS | SQL |
---|---|---|---|
Ports | 80 | 443 | TCP 1433, UDP 1434 |
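Once the firewalls are in place, the rules can be checked from a machine on the public network. The script below is an added example, not part of the vFire documentation: it probes the TCP ports from the table and reports any that deviate from an assumed policy (only 80 and 443 reachable from outside, SQL 1433 blocked). The host name `vfire.example.com` and the policy itself are assumptions.

```python
import socket

# TCP ports from the table above. UDP 1434 is omitted on purpose: a
# connectionless probe cannot tell "filtered" from "open but silent",
# so review that rule in the firewall configuration itself.
PAGE_TCP_PORTS = {80: "HTTP", 443: "HTTPS", 1433: "SQL"}

# Assumed policy, not stated on the page: a client on the public network
# should reach only the web ports on the DMZ address.
EXTERNAL_EXPECTED_OPEN = {80, 443}


def tcp_open(host, port, timeout=2.0):
    """Return True if a full TCP handshake with host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or unresolvable
        return False


def audit(host, expected_open, ports=PAGE_TCP_PORTS, timeout=2.0):
    """Compare observed reachability with the expected policy.

    Returns a list of (port, label, problem) tuples; an empty list means
    the firewall behaves as expected from this vantage point.
    """
    findings = []
    for port, label in sorted(ports.items()):
        reachable = tcp_open(host, port, timeout)
        if reachable and port not in expected_open:
            findings.append((port, label, "reachable but should be blocked"))
        elif not reachable and port in expected_open:
            findings.append((port, label, "blocked but should be reachable"))
    return findings


if __name__ == "__main__":
    # "vfire.example.com" is a placeholder for the external URL's host name.
    for port, label, problem in audit("vfire.example.com", EXTERNAL_EXPECTED_OPEN):
        print(f"{label} (TCP {port}): {problem}")
```

Run it from outside the DMZ; an empty result means the external firewall exposes only the web ports.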
Option 1: Install a second vFire Core system on a Web Server in the DMZ
Internal network | The primary vFire Core system is installed on the internal server. It may or may not have Windows Authentication enabled; it has no effect on this configuration. |
DMZ | A second web server is configured within the DMZ to act as a reverse proxy server. On this web server in the DMZ: |
URL for External Users | The URL points to the server and virtual directory within the DMZ. |
Option 2: Set Up a Reverse Proxy Server in the DMZ. Authentication Disabled
Internal network | The primary vFire Core system is installed on the internal server. Windows Authentication is not enabled. |
DMZ | A reverse proxy server is configured within the DMZ. On this server in the DMZ: |
URL for External Users | The URL points to the reverse proxy server and virtual directory within the DMZ. |
Option 3: Set Up a Reverse Proxy Server in the DMZ. Authentication Enabled
Internal network | The internal server's vFire Core system has Windows Authentication enabled. On the internal server: During system creation, when prompted to update the database, select No. |
DMZ | A reverse proxy server is configured within the DMZ. On this server in the DMZ: |
URL for External Users | The URL points to the reverse proxy server and virtual directory within the DMZ. |