VeridiumID product is exposing some applications, some are exposed on internet some on intranet. This is the summary of all exposed applications.
VeridiumID can have in front of the services a L4 (TCP) or a L7 (HTTP) load balancer and WAF for traffic inspection.
Summary of services:
There are 2 requirements important requirements:
-
for WEBSEC and WEBSECADMIN services, if SSL termination is done in WAF or in reverse proxy, then the client cerificate information should be send to veridium on a specific header or an a specific cookie.
-
for shibboleth it should be implemented sticky session
-
if SSL termination is done, it is highly recommended to send the real client IP on X-Forwarded-For header.
|
service |
short description |
Requires certificate Auth |
Exposed Internally |
Exposed Externally |
PATH |
Sticky session |
If port implementation |
If FQDN implementation |
|---|---|---|---|---|---|---|---|---|
|
WEBSEC |
Used for authentication |
Y |
Y |
Y |
/websec |
N |
HOST.DOMAIN.INTERNAL:443 HOST.DOMAIN.EXTERNAL:443 |
HOST.DOMAIN.INTERNAL:443 HOST.DOMAIN.EXTERNAL:443 |
|
DMZWEBSEC |
Used for registration |
N |
N (if not extern, then must be internal) |
Y |
/dmzwebsec |
N |
HOST.DOMAIN.EXTERNAL:8544 |
dmz-HOST.DOMAIN.EXTERNAL:443 |
|
SHIBBOLETH |
Identity provider |
N |
Y |
Y |
/idp |
Y |
HOST.DOMAIN.INTERNAL:8945 HOST.DOMAIN.EXTERNAL:8944 |
shib-HOST.DOMAIN.INTERNAL:443 shib-HOST.DOMAIN.EXTERNAL:443 |
|
WEBSECADMIN |
Veridium configuration manager |
Y |
Y |
N |
|
N |
HOST.DOMAIN.INTERNAL:9444 |
admin-HOST.DOMAIN.INTERNAL:443 |
|
SSP |
Veridium Self service portal |
N |
Y |
Y (only registration) |
/ssp
/ssp/..html
|
N |
HOST.DOMAIN.INTERNAL:9987 HOST.DOMAIN.EXTERNAL:9987 |
ssp-HOST.DOMAIN.INTERNAL:443 ssp-HOST.DOMAIN.EXTERNAL:443 |
|
|
|
|
|
|
|
|
|
|
|
RA/EP |
Used for Register Authority/Enrollment Proxy |
N |
Y |
N |
N/A |
N |
RAEPSERVICE.DOMAIN.INTERNAL |
|
|
|
|
|
|
|
|
|
|
|
|
TENANT |
Used for ILP tenant list |
N |
Y |
N |
N/A |
N |
TENANT.ILP.DOMAIN.INTERNAL:443 |
|
|
INGESTION |
Used for getting scores |
N |
Y |
N |
N/A |
N |
INGESTION.ILP.DOMAIN.INTERNAL:443 |
|
|
USERS |
Used for ILP users |
N |
Y |
N |
N/A |
N |
USERS.ILP.DOMAIN.INTERNAL:443 |
|
Most common used implementation:
-
different FQDN for each service. SSL Traffic is terminated dirrectly by Veridium, so there are just L4 Load balancers in front of veridium services.
-
this kind of implementation is normally used in Proff of Concepts.
-
-
same FQDN but different ports for each service. SSL Traffic is terminated by a WAF. In the internet and intranet is exposed one FQDN and based on Path the traffic is routed to different ports/applications.
-
this kind of implementation is normally used in Production environments.
-
-
There are supported different kind of implementations, based on user arhitecture and necessities.
These are a some Firewalls/WAF/Reverse proxy solutions that can easily set in front of veridium services.
-
F5
-
Netscaler
-
Airlock WAF
-
FortiWeb
-
Imperva
-
Apache HTTP
-
Nginx
-
Haproxy