SecureAuth versions affected: All versions
Description: In an environment with separate SecureAuth IdP servers for internal and external network traffic, an additional layer of security can be added by removing the direct datastore connection from the externally facing (DMZ) server. This is accomplished by configuring a Web Service connection, on each DMZ realm, to an internal IdP realm whose Data tab holds the connection to the desired datastore. Because the DMZ server only talks to the internal server, it never touches the datastore directly, which adds an additional layer of security.
This type of configuration can be implemented through the following:
- Establish a successful network connection from the DMZ IdP server to the internal IdP server. You should be able to open an internet browser on the DMZ server and browse to the internal IdP server by host name or IP address.
- If any issues arise in completing this step, our network requirements documentation may be of assistance: Network Communication Requirements for SecureAuth IdP 9.0.x
- Establish a successful SSL connection to the internal IdP server. You should be able to open an internet browser from the DMZ server and browse to the internal IdP server, through host name, without any certificate errors. Without a successful SSL connection, the Web Service realm will return an "invalid user" error upon login attempt.
- By default, SecureAuth servers have SecureAuth appliance certificates selected in their IIS Site Bindings. These certificates are not publicly trusted, but the name on the internal server's appliance certificate can be added to the DMZ server's hosts file as a workaround to establish trust. For more information, see: How To Edit Host File To Point To One SecureAuth Server
- Consult the following document to configure a Web Service connection type under the Data tab: Web Service (Multi-Data Store) Configuration Guide
- From the DMZ server, use the Add Realm from Another Server option to list a realm with the desired Data tab configuration from an internal server.
- Example: https://YourDomainName.com/SecureAuth#
- From the internal server, configure the listed realm's FBA WebService section under the Workflow tab.
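The first three steps above are prerequisites that are easy to get half right: the host name resolves but only over the wrong address, port 443 is open but the appliance certificate is not trusted, or the certificate is trusted but its name does not match the host name used in the URL. The PowerShell script below is an added pre-flight check for the DMZ server and is not SecureAuth's own tooling; it assumes the internal IdP is reachable as idp-internal.example.com and that the listed realm lives at /SecureAuth1, both of which are placeholders to replace with your own values. It reports, in order, whether the host is pinned in the local hosts file, whether it resolves, whether TCP 443 connects, what the TLS certificate validation result is (a name mismatch versus a chain error tells you whether the hosts-file workaround or a trusted certificate is the fix), and whether an HTTPS GET to the realm succeeds.

```powershell
# Added pre-flight check for a DMZ IdP server (example, not SecureAuth's own code).
# Save as Test-InternalIdp.ps1 and run on the DMZ server. Host name and realm path are assumed placeholders.
param(
    [string]$InternalHost = 'idp-internal.example.com',   # assumed: internal IdP host name (as shown on its certificate)
    [string]$RealmPath    = '/SecureAuth1',               # assumed: realm path that the DMZ realm will list
    [int]$Port            = 443
)

$result = [ordered]@{ HostsEntry = $false; Resolves = $false; TcpOpen = $false; TlsTrusted = $false; HttpOk = $false }

# 1. Is the host name pinned in the local hosts file (the workaround the article describes)?
$hostsFile  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLines = Get-Content $hostsFile -ErrorAction SilentlyContinue
$result.HostsEntry = [bool]($hostsLines | Where-Object {
    $_ -notmatch '^\s*#' -and $_ -match "\s$([regex]::Escape($InternalHost))(\s|$)"
})

# 2. Name resolution (hosts file or DNS).
try { $null = [System.Net.Dns]::GetHostAddresses($InternalHost); $result.Resolves = $true } catch { }

# 3. Plain TCP connectivity to the HTTPS port.
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($InternalHost, $Port); $result.TcpOpen = $tcp.Connected } catch { }

# 4. TLS handshake with full certificate validation. The callback records the validation
#    outcome instead of silently accepting the certificate; the script reports it afterwards.
if ($result.TcpOpen) {
    $script:sslErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:sslErrors = $errors
        return $true   # let the handshake finish so the subject name can be read; trust is judged below
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($InternalHost)
        $result.TlsTrusted  = ($script:sslErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        $result.CertSubject = $ssl.RemoteCertificate.Subject   # the name to map in the hosts file on a mismatch
        $result.CertErrors  = $script:sslErrors.ToString()      # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
    } catch {
        $result.CertErrors = $_.Exception.Message
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

# 5. An HTTPS request to the realm, using the normal Windows trust store (no validation bypass).
if ($result.TlsTrusted) {
    try {
        $resp = Invoke-WebRequest -Uri "https://$InternalHost$RealmPath/" -UseBasicParsing -TimeoutSec 15
        $result.HttpOk = ($resp.StatusCode -eq 200)
    } catch {
        $result.HttpError = $_.Exception.Message
    }
}

[pscustomobject]$result
```

Every check after TcpOpen builds on the previous one, so the first false value in the output is the step to fix before configuring the Web Service realm. A CertErrors value of RemoteCertificateNameMismatch with a valid chain means the URL host name differs from the certificate's name (CertSubject shows the name to use); RemoteCertificateChainErrors means the appliance certificate's issuer is not trusted on the DMZ server, which is the condition that produces the "invalid user" error at login described above.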
The Web Service realm on the DMZ server should now be functional. All settings will be configured from the DMZ like any other realm, but the Web Service realm will reference Data tab information from the internal server realm(s) it lists.