Configure a load balancer or WAF in front of the Veridium server.
The VeridiumID product exposes several applications; some are exposed on the internet and some on the intranet. This page summarises all exposed applications.
VeridiumID can have an L4 (TCP) or an L7 (HTTP) load balancer in front of its services, and a WAF for traffic inspection.
Summary of services:
There are two important requirements:

- For the WEBSEC and WEBSECADMIN services, if SSL termination is done in the WAF or in the reverse proxy, the client certificate information should be sent to Veridium in a specific header or a specific cookie.
- For Shibboleth, sticky sessions should be implemented.

If SSL termination is done, it is highly recommended to send the real client IP in the X-Forwarded-For header.
| Service | Short description | Requires certificate auth | Exposed internally | Exposed externally | Path | Sticky session | Port implementation | FQDN implementation |
|---|---|---|---|---|---|---|---|---|
| WEBSEC | Used for authentication | Y | Y | Y | /websec | N | HOST.DOMAIN.INTERNAL:443<br>HOST.DOMAIN.EXTERNAL:443 | HOST.DOMAIN.INTERNAL:443<br>HOST.DOMAIN.EXTERNAL:443 |
| DMZWEBSEC | Used for registration | N | N (if not exposed externally, it must be exposed internally) | Y | /dmzwebsec | N | HOST.DOMAIN.EXTERNAL:8544 | dmz-HOST.DOMAIN.EXTERNAL:443 |
| SHIBBOLETH | Identity provider | N | Y | Y | /idp | Y | HOST.DOMAIN.INTERNAL:8945<br>HOST.DOMAIN.EXTERNAL:8944 | shib-HOST.DOMAIN.INTERNAL:443<br>shib-HOST.DOMAIN.EXTERNAL:443 |
| WEBSECADMIN | Veridium configuration manager | Y | Y | N | | N | HOST.DOMAIN.INTERNAL:9444 | admin-HOST.DOMAIN.INTERNAL:443 |
| SSP | Veridium self-service portal | N | Y | Y (only registration) | /ssp<br>/ssp/..html | N | HOST.DOMAIN.INTERNAL:9987<br>HOST.DOMAIN.EXTERNAL:9987 | ssp-HOST.DOMAIN.INTERNAL:443<br>ssp-HOST.DOMAIN.EXTERNAL:443 |
| RA/EP | Used for Registration Authority / Enrollment Proxy | N | Y | N | N/A | N | RAEPSERVICE.DOMAIN.INTERNAL | |
| TENANT | Used for ILP tenant list | N | Y | N | N/A | N | TENANT.ILP.DOMAIN.INTERNAL:443 | |
| INGESTION | Used for getting scores | N | Y | N | N/A | N | INGESTION.ILP.DOMAIN.INTERNAL:443 | |
| USERS | Used for ILP users | N | Y | N | N/A | N | USERS.ILP.DOMAIN.INTERNAL:443 | |
Most commonly used implementations:

- A different FQDN for each service. SSL traffic is terminated directly by Veridium, so only L4 load balancers sit in front of the Veridium services. This kind of implementation is normally used in proofs of concept.
- The same FQDN but a different port for each service. SSL traffic is terminated by a WAF. One FQDN is exposed on the internet and on the intranet, and traffic is routed to the different ports/applications based on the path. This kind of implementation is normally used in production environments.

Different kinds of implementation are supported, depending on the customer's architecture and needs.
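One way to meet the requirements above in the production-style layout (one FQDN, TLS terminated at the proxy, path-based routing to the per-service ports from the table), written here as an added nginx example that is not part of the VeridiumID documentation. The FQDN, backend host names, certificate paths and the X-Client-Cert header name are placeholders; the header (or cookie) Veridium actually reads the client certificate from must be taken from the Veridium-side configuration.

```nginx
# Added example (not Veridium's own configuration). Placeholders / assumptions:
#   veridium.example.com    single external FQDN in front of all services
#   HOST*.DOMAIN.EXTERNAL   backend nodes, ports as in the table above
#   X-Client-Cert           header Veridium is configured to read the client
#                           certificate from; the real name is set on the
#                           Veridium side and is not documented here
#   /etc/nginx/tls/...      certificate and key paths

# Shibboleth needs sticky sessions: ip_hash pins each client IP to one node.
upstream shibboleth_nodes {
    ip_hash;
    server HOST1.DOMAIN.EXTERNAL:8944;
    server HOST2.DOMAIN.EXTERNAL:8944;
}

server {
    listen 443 ssl;
    server_name veridium.example.com;

    ssl_certificate     /etc/nginx/tls/veridium.crt;
    ssl_certificate_key /etc/nginx/tls/veridium.key;

    # Request a client certificate but do not require one: only WEBSEC uses it.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      optional;

    # TLS is terminated here, so forward the real client IP. $remote_addr is used
    # instead of $proxy_add_x_forwarded_for because this proxy is the first hop:
    # a client-supplied X-Forwarded-For must be replaced, not appended to.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Verified client certificate as URL-encoded PEM. proxy_set_header replaces
    # any X-Client-Cert the client sent itself, and when no certificate was
    # presented the variable is empty and nginx omits the header entirely.
    proxy_set_header X-Client-Cert     $ssl_client_escaped_cert;

    # One FQDN, path-based routing to the per-service ports (port implementation)
    location /websec/    { proxy_pass https://HOST.DOMAIN.EXTERNAL:443; }
    location /dmzwebsec/ { proxy_pass https://HOST.DOMAIN.EXTERNAL:8544; }
    location /idp/       { proxy_pass https://shibboleth_nodes; }
    location /ssp/       { proxy_pass https://HOST.DOMAIN.EXTERNAL:9987; }

    # WEBSECADMIN (port 9444) is internal-only in the table above and is
    # deliberately not routed on this internet-facing virtual host.
    location / { return 404; }
}
```

Validate with `nginx -t` before reloading; the internal virtual host for WEBSECADMIN and the other intranet-only services should be a separate `server` block bound to the internal address.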
These are some firewall/WAF/reverse proxy solutions that can easily be set up in front of the Veridium services:

- F5
- Netscaler
- Airlock WAF
- FortiWeb
- Imperva
- Apache HTTP
- Nginx
- HAProxy