Configuring External Network Access to vFire

This topic explains how to configure vFire so that users on a public network can access vFire Self Service and the vFire apps without needing to log in to the corporate network.

Depending on organizational security requirements, the recommended environment and security configurations may differ. The most common security recommendation is to create a demilitarized zone (DMZ) containing a reverse proxy server buffered by firewalls.

Work with your Network Administration teams to set up and configure reverse proxy servers, DMZ, and IIS redirection.

This topic outlines three scenarios involving a DMZ. The recommended configuration for each depends on whether Windows Authentication is enabled on the vFire Core system within the secure network.

The three scenarios are:

  • DMZ with a web server where vFire Core is installed. The vFire Core system within the secure network may or may not have Windows Authentication enabled.
  • DMZ with a reverse proxy server. The vFire Core system within the secure network has Windows Authentication disabled.
  • DMZ with a reverse proxy server. The vFire Core system within the secure network has Windows Authentication enabled.

Ports to open in the firewalls

  • HTTP: port 80
  • HTTPS: port 443
  • SQL: ports TCP 1433, UDP 1434

Option 1: Install a second vFire Core system on a Web Server in the DMZ

Internal network: The primary vFire Core system is installed on the internal server. It may or may not have Windows Authentication enabled; it has no effect on this configuration.

DMZ: A second web server is configured within the DMZ to act as a reverse proxy server.

On this web server in the DMZ:

  • A vFire Core system is created that points to the same database as the internal vFire Core system.

    During system creation, when prompted to update the database, select No.

  • In the virtual directory for this system, Windows Authentication is disabled and Anonymous Authentication is enabled.
  • All vFire Core services, except for the vFire 9 Administrative Service, are stopped and their "Start Up" property is set to Manual.
  • The vFire 9 Administrative Service is running and set to Automatic.
  • In the registry key, database upgrade is disabled via the registry string SkipDatabaseUpgrade = 1.

URL for External Users: The URL points to the server and virtual directory within the DMZ.
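
As an added example (not part of the vFire documentation), the following PowerShell script checks a DMZ web server against the Option 1 checklist above. The virtual directory location, the registry key path, and the "vFire*" service display-name pattern are assumptions to replace with your own values.

```powershell
# Added example: audits the DMZ web server from Option 1 against the checklist above.
# Assumptions, not from the vFire documentation: $Location, $RegKey, and that every
# vFire Core service has a display name beginning with "vFire".
Import-Module WebAdministration

$Location = 'Default Web Site/vFireExternal'     # hypothetical site/virtual directory
$RegKey   = 'HKLM:\SOFTWARE\<vFire system key>'  # placeholder: replace with the system's registry key
$AdminSvc = 'vFire 9 Administrative Service'     # display name as written on this page

function Test-AuthEnabled([string]$Scheme) {
    # Reads the effective IIS setting for the virtual directory.
    $filter = "system.webServer/security/authentication/$Scheme"
    [bool](Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter $filter -Name 'enabled').Value
}

$findings = @()

if (Test-AuthEnabled 'windowsAuthentication') {
    $findings += 'Windows Authentication is enabled on the virtual directory.'
}
if (-not (Test-AuthEnabled 'anonymousAuthentication')) {
    $findings += 'Anonymous Authentication is disabled on the virtual directory.'
}

# Only the Administrative Service may run; every other vFire service is Stopped/Manual.
if (-not (Get-Service -DisplayName $AdminSvc -ErrorAction SilentlyContinue)) {
    $findings += "$AdminSvc was not found on this server."
}
foreach ($svc in Get-Service -DisplayName 'vFire*') {
    if ($svc.DisplayName -eq $AdminSvc) {
        if ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic') {
            $findings += "$AdminSvc must be running and set to Automatic."
        }
    } elseif ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Manual') {
        $findings += "$($svc.DisplayName) must be stopped and set to Manual."
    }
}

# SkipDatabaseUpgrade is a registry string; anything other than "1" is a finding.
$skip = (Get-ItemProperty -LiteralPath $RegKey -ErrorAction SilentlyContinue).SkipDatabaseUpgrade
if ("$skip" -ne '1') {
    $findings += "SkipDatabaseUpgrade is not set to 1 under $RegKey."
}

if ($findings.Count -eq 0) { 'DMZ web server matches the Option 1 checklist.' } else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it in an elevated PowerShell session on the DMZ web server after any IIS or vFire change, and treat each FINDING line as a deviation from the checklist.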

Option 2: Set up a Reverse Proxy Server in the DMZ. Authentication Disabled

Internal network: The primary vFire Core system is installed on the internal server. Windows Authentication is not enabled.

DMZ: A reverse proxy server is configured within the DMZ.

On this server in the DMZ:

  • IIS is installed.
  • A virtual directory is created, with Windows Authentication disabled and Anonymous Authentication enabled.
  • IIS is configured to redirect traffic to the vFire Core application server and virtual directory within the internal secure network.

URL for External Users: The URL points to the reverse proxy server and virtual directory within the DMZ.

Option 3: Set up a Reverse Proxy Server in the DMZ. Authentication Enabled

Internal network: The internal server's vFire Core system has Windows Authentication enabled.

On the internal server:

  • A second vFire Core system is created that points to the same database as the primary vFire Core system.

    During system creation, when prompted to update the database, select No.

  • In the virtual directory for the new system, Windows Authentication is disabled and Anonymous Authentication is enabled.
  • In the registry key for the new system, polling of services is disabled via the registry string PollingDisabled = 1.
  • In the registry key for the new system, database upgrade is disabled via the registry string SkipDatabaseUpgrade = 1.

DMZ: A reverse proxy server is configured within the DMZ.

On this server in the DMZ:

  • IIS is installed.
  • A virtual directory is created, with Windows Authentication disabled and Anonymous Authentication enabled.
  • IIS is configured to redirect traffic to the internal application server and the virtual directory that has Anonymous Authentication enabled.

URL for External Users: The URL points to the reverse proxy server and virtual directory within the DMZ.