Security and Authentication for the vFire Officer App

This topic contains instructions on the vFire Officer app, introduced in 9.2. For more information on the vFire app, which supports users from 9.7 and analysts from 9.10.1, see About the vFire App.

The vFire Officer app provides connectivity from a mobile device, usually located on a public network, to a vFire Core system inside the corporate network.

Depending on organizational security requirements, the recommended environment and security configurations may differ. The most common security recommendation is to create a demilitarized zone (DMZ) containing a reverse proxy server buffered by firewalls.

Three scenarios involving a DMZ are outlined in this topic and provide recommended configurations based on whether or not Windows Authentication is enabled on the vFire Core system within the secure network.

The app is not compatible with Windows Authentication, and must be configured to use a virtual directory with Anonymous Authentication enabled.

The three scenarios are:

  • DMZ contains an Application Server with vFire Core installed. The vFire Core system within the secure network may or may not have Windows Authentication enabled.
  • DMZ contains a reverse proxy server. The vFire Core system within the secure network has Windows Authentication disabled.
  • DMZ contains a reverse proxy server. The vFire Core system within the secure network has Windows Authentication enabled.

Work with your Network Administration teams to create a DMZ to safely expose connections to your vFire system.

Ports for the vFire Mobile App

  Protocol   Port(s)
  HTTP       80
  HTTPS      443
  SQL        1433, 1434

Scenario 1: DMZ with an Application Server

Internal network

The internal server's vFire Core system may or may not have Windows Authentication enabled; it has no effect on this configuration.

DMZ

A second application server is configured within the DMZ to act as a reverse proxy server.

On this server in the DMZ:

  • A vFire Core system is created that points to the same database as the internal vFire Core system.

    During system creation, when prompted to update the database, select No.

  • In the virtual directory for this system, Windows Authentication is disabled and Anonymous Authentication is enabled.
  • All vFire Core services are stopped and their "Start Up" property is set to Manual.
  • In the registry key for the new system, polling of services is disabled via the registry string PollingDisabled = 1.
  • In the registry key for the new system, database upgrade is disabled via the registry string SkipDatabaseUpgrade = 1.

URL for Mobile App

The URL for the mobile app points to the server and virtual directory within the DMZ.

Scenario 2: DMZ with Reverse Proxy Server. Windows Auth Disabled

Internal network

The internal server's vFire Core system does not have Windows Authentication enabled.

DMZ

A reverse proxy server is configured within the DMZ.

On this server in the DMZ:

  • IIS is installed.
  • A virtual directory is created, with Windows Authentication disabled and Anonymous Authentication enabled.
  • IIS is configured to redirect traffic to the vFire Core application server and virtual directory within the internal secure network.

URL for Mobile App

The URL for the mobile app points to the reverse proxy server and virtual directory within the DMZ.

Scenario 3: DMZ with Reverse Proxy Server. Windows Auth Enabled

Internal network

The internal server's vFire Core system has Windows Authentication enabled.

vFire Officer Mobile App is not compatible with Windows Authentication and must use a virtual directory with Windows Auth disabled.

On the internal server:

  • A second vFire Core system is created that points to the same database as the primary vFire Core system.

    During system creation, when prompted to update the database, select No.

  • In the virtual directory for the new system, Windows Authentication is disabled and Anonymous Authentication is enabled.
  • In the registry key for the new system, polling of services is disabled via the registry string PollingDisabled = 1.
  • In the registry key for the new system, database upgrade is disabled via the registry string SkipDatabaseUpgrade = 1.

DMZ

A reverse proxy server is configured within the DMZ. On this server in the DMZ:

  • IIS is installed.
  • A virtual directory is created, with Windows Authentication disabled and Anonymous Authentication enabled.
  • IIS is configured to redirect traffic to the internal application server and the virtual directory that has Anonymous Auth enabled.

URL for Mobile App

The URL for the mobile app points to the reverse proxy server and virtual directory within the DMZ.
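The configuration of the secondary, anonymous-authentication vFire Core system (the DMZ application server in Scenario 1, and the second system on the internal server in Scenario 3) scripted in PowerShell with the built-in WebAdministration module, as an added example that is not part of the vFire documentation; the IIS step alone is the same one the reverse proxy virtual directory in Scenarios 2 and 3 needs. The site name, virtual directory name, registry key path and service-name pattern are placeholders to be replaced with your own system's values, and the script reads the settings back afterwards so that a mis-scoped or locked IIS section is caught rather than assumed.

```powershell
# Added example (not vFire vendor code). Run in an elevated PowerShell on the
# server hosting the anonymous-authentication vFire Core system.
# All four values below are placeholders: substitute your own system's values.
Import-Module WebAdministration

$Site        = 'Default Web Site'                        # placeholder IIS site
$VDir        = 'vFireOfficer'                            # placeholder virtual directory
$SystemKey   = 'HKLM:\SOFTWARE\PLACEHOLDER\vFireSystem'  # placeholder: the new system's registry key
$ServiceMask = 'vFire*'                                  # placeholder: pattern matching the vFire Core services

$AuthBase = '/system.webServer/security/authentication'
$Location = "$Site/$VDir"

# 1. Anonymous on, Windows off, scoped with -Location to this virtual directory only,
#    so the rest of the site keeps whatever authentication it already uses.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthBase/anonymousAuthentication" -Name Enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthBase/windowsAuthentication" -Name Enabled -Value $false

# 2. REG_SZ strings that stop this secondary system polling and upgrading the shared database.
foreach ($name in 'PollingDisabled', 'SkipDatabaseUpgrade') {
    New-ItemProperty -Path $SystemKey -Name $name -PropertyType String -Value '1' -Force | Out-Null
}

# 3. Scenario 1 only: stop the vFire Core services on the DMZ server and set them to Manual.
Get-Service -Name $ServiceMask -ErrorAction SilentlyContinue | ForEach-Object {
    Set-Service  -Name $_.Name -StartupType Manual
    Stop-Service -Name $_.Name -Force
}

# 4. Verify by reading the effective settings back rather than trusting the writes.
$anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
            -Filter "$AuthBase/anonymousAuthentication" -Name Enabled).Value
$win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
            -Filter "$AuthBase/windowsAuthentication" -Name Enabled).Value
$reg  = Get-ItemProperty -Path $SystemKey
$ok   = $anon -and (-not $win) -and ($reg.PollingDisabled -eq '1') -and ($reg.SkipDatabaseUpgrade -eq '1')
if (-not $ok) {
    throw "'$Location' is not in the required state (anonymous=$anon windows=$win " +
          "PollingDisabled=$($reg.PollingDisabled) SkipDatabaseUpgrade=$($reg.SkipDatabaseUpgrade))"
}
"OK: '$Location' anonymous=$anon windows=$win; registry strings set under $SystemKey"
```

If IIS reports that the authentication section is locked, unlock it at the server level first (Set-WebConfiguration -Metadata overrideMode -Value Allow against the same filter and -PSPath 'IIS:\'), otherwise the per-directory write in step 1 fails and the verification in step 4 throws.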