Sign in or 
Share this
Chapter 3 - Secure Setups
This section discusses some common PeopleSoft system layouts. The system layouts will have varying degree of scalability, availability, and security. Since every site is unique with unique requirements, different parts of the layout will require modification. PeopleSoft consulting can provide that support on a case-by-case basis. The following items are basic design assumptions and policies that should be addressed.
Security
Physical Layout
The following diagram includes these elements:
Physical Layout
Router Setup
Firewall Setup
* Based on the intranet IP address, it can be RFC 1918 address space.
Access to PIA/Portal from Outside
Access to Outside from Portal/Application Messaging Service
Access to Provider’s DNS Server from Local DNS Server
1 Do not allow the reverse path. For example, do not allow provider’s DNS updates to reach local DNS
Static Address Mapping for Inbound Firewall NAT
Static Address Mapping for Outbound Firewall Reverse NAT
Web Server Load Balancer Setup
Web Server Setup
The configuration parameters vary based on the web server clustering scheme you select. Refer to Cluste.ng and High Availability of PeopleSoft 8.4 red paper available on Customer Connection for more information.
* See Clustering and High Availability of PeopleSoft 8.4 red paper available on Customer Connection for values.1 Set to none if proxy load balancing is not used
Forward Proxy Setup
This is an optional setup for Portal, Application Messaging, and Business Interlinks outbound calls.
Forward Proxy Load Balancer Setup
This is an optional setup for Portal, Application Messaging, and Business Interlinks outbound calls.
Application Server Setup
LDAP Load Balancer Setup
This is an optional setup for LDAP load balancing.
Database Server Setup
1 Required only if database is clustered.
Security
- System should not have any single point of security failure in the architecture.
- Some security restrictions will reduce the overall scalability of the system.
- Name resolution is done using host files instead of using DNS (in most cases).
- Static routes are used within the system whenever possible.
- PeopleSoft system has been placed on the DMZ network.
- There is at least one level of NAT from outside the network to the web server tier.
- The architecture assumes the external/internet as well as internal/intranet network to be untrusted, so protection from both the internet and the intranet is needed.
- The architecture provides at least one extra level of security layer between the DMZ and the internal network. Should the security of the DMZ become compromised, the internal network shall still be protected.
- Each tier in the PeopleSoft Pure Internet Architecture has been leveraged to provide an additional security tier between the outside network and the protected data.
- Portal/Application Messaging calls from inside to outside are via a forward proxy.
- Default policy of firewall and router is to deny all.
- A three-pronged DMZ architecture is used. This has a single point of security failure limitation for the intranet site.
- Security is restricted to a single site in this version of the document. Disaster recovery over two physical security zones is not discussed in this red paper.
- System should be able to scale with demand as much as possible without requiring change of architecture.
- System should scale with commodity hardware whenever possible.
- System should scale with the most cost-effective solution.
- System should be expandable so that there is no any single point of failure in the architecture even though the configuration shown is not the expanded version.
NAT DMZ Infrastructure
In the NAT DMZ architecture, the DMZ occupies a private and non-routable (RFC 1918) internet address space. The web servers are placed in this private address space in the DMZ. NAT is performed by the firewalls 1 and 2. The load balancers route packets to the web servers on the same network. This configuration can only be used if the DMZ is not shared with non-NATable services, such as IPSec and Kerberos. If these non-NATable services must exist on the DMZ, the Publicly Addressed DMZ architecture from the next section must be used.Physical Layout
The following diagram includes these elements:
- Redundant ISP provider connections for high availability.
- Redundant routers 1 and 2 to connect to the internet.
- Redundant 3 prong firewalls 1 and 2 to perform NAT and connect the corporate network to the DMZ.
- Redundant load balancers 1 and 2 to load-balance requests to web servers 1 and 2.
- Redundant load balancers 3 and 4 used to load-balance outbound PIA requests to forward proxies 1 and 2.
- Web servers 1 and 2 that communicate to application servers 1 through 4.
- Application servers 1 through 4 optionally could use load balancers 5 and 6 to communicate to LDAP servers 1 and 2 for PIA authentication.
- LDAP servers 1 and 2 each has its own RAID storage for fault tolerance.
- Application servers 1 through 4 communicate with a clustered database server 1(2).
- Clustered database servers 1 and 2 share RAID storage for fault tolerance.
Physical Layout
| Unit | Router 1 (Active) | Router 2 (Standby) |
| IP Address | 123.123.123.2 | 123.123.123.3 |
| Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Packet filters (only if available) | Allow only HTTP/HTTPS to PeopleSoft system. If PeopleSoft portal is to call outside, then allow HTTP/HTTPS to outside from PeopleSoft system. Allow rules as needed by other non-PeopleSoft systems. | Same as Unit 1. |
Firewall Setup
| Unit | Firewall 1 (Active) | Firewall 2 (Active) |
| IP Address 1 | 123.123.123.6 | 123.123.123.7 |
| Subnet Mask 1 | 255.255.255.0 | 255.255.255.0 |
| Shared Address 1 | 123.123.123.5 | 123.123.123.5 |
| Default Route 1 | 123.123.123.1 | 123.123.123.1 |
| IP Address 2 | 10.0.0.2 | 10.0.0.3 |
| Subnet Mask 2 | 255.255.255.0 | 255.255.255.0 |
| Shared Address 2 | 10.0.0.1 | 10.0.0.1 |
| Default Route 2 | None | None |
| IP Address 3 | * | * |
| Subnet Mask 3 | * | * |
| Shared Address 3 | * | * |
| Default Route 3 | None | None |
Note. Both firewall units have the same security setup.
Access to PIA/Portal from Outside
| Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action |
| HTTP | TCP | Any | 80 | 123.123.123.100 | 80 | Allow |
| HTTPS | TCP | Any | 443 | 123.123.123.100 | 443 | Allow |
Access to Outside from Portal/Application Messaging Service
| Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action |
| HTTP | TCP | 10.0.0.50 | Any | Any | Any | Allow |
| HTTPS | TCP | 10.0.0.50 | Any | Any | Any | Allow |
| HTTP | TCP | 10.0.0.60 | Any | Any | Any | Allow |
| HTTPS | TCP | 10.0.0.60 | Any | Any | Any | Allow |
Access to Provider’s DNS Server from Local DNS Server
| Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action |
| DNS1 | UDP | Local DNS | Any | Provider’s DNS | 53 | Allow |
| DNS1 | TCP | Local DNS | Any | Provider’s DNS | 53 | Allow |
Static Address Mapping for Inbound Firewall NAT
| External IP Address | Transport Protocol | External Port | Internal Address | Internal Port |
| 123.123.123.100 | TCP | 80 | 10.0.0.100 | 80 |
| 123.123.123.100 | TCP | 443 | 10.0.0.100 | 443 |
Static Address Mapping for Outbound Firewall Reverse NAT
| Source IP | Transport Protocol | Source Port | Translated IP | Translated Port |
| 10.0.0.50 | TCP | Any | 123.123.123.50 | Any |
| 10.0.0.60 | TCP | Any | 123.123.123.60 | Any |
Web Server Load Balancer Setup
| Unit | Load Balancer 1 (Active) | Load Balancer 2 (Standby) |
| IP Address | 10.0.0.6 | 10.0.0.7 |
| Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Shared Address | 10.0.0.5 | 10.0.0.5 |
| Default Route | 10.0.0.1 | 10.0.0.1 |
| Virtual IP (portal.corp.com) | 10.0.0.100 | 10.0.0.100 |
| HTTP Service Port | 80 | 80 |
| HTTPS Service Port | 443 | 443 |
| HTTP Persistence (sticky) | Load balancer cookie | Load balancer cookie |
| HTTPS Persistence (sticky) | Load balancer SSL sticky | Load balancer SSL sticky |
Web Server Setup
The configuration parameters vary based on the web server clustering scheme you select. Refer to Cluste.ng and High Availability of PeopleSoft 8.4 red paper available on Customer Connection for more information.
| Unit | WebHost1:Instance1 | WebHost1:Instance2 | WebHost2:Instance1 | WebHost2:Instance2 |
| IP Address 1 | * | * | * | * |
| Subnet Mask 1 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default Route 1 | 10.0.0.5 | 10.0.0.5 | 10.0.0.5 | 10.0.0.5 |
| HTTP Port | * | * | * | * |
| HTTPS Port | * | * | * | * |
| IP Address 2 | 10.0.1.10 | 10.0.1.10 | 10.0.1.20 | 10.0.1.20 |
| Subnet Mask 2 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default Route 21 | 10.0.1.50 | 10.0.1.50 | 10.0.1.50 | 10.0.1.50 |
Forward Proxy Setup
This is an optional setup for Portal, Application Messaging, and Business Interlinks outbound calls.
| Unit | ForwardProxy1 | ForwardProxy2 |
| IP Address 1 | 10.0.0.50 | 10.0.0.60 |
| Subnet Mask 1 | 255.255.255.0 | 255.255.255.0 |
| Default Route 1 | 10.0.0.1 | 10.0.0.1 |
| IP Address 2 | 10.0.1.51 | 10.0.1.52 |
| Subnet Mask 2 | 255.255.255.0 | 255.255.255.0 |
| Default Route 2 | 10.0.0.50 | 10.0.0.60 |
| HTTP Port | 80 | 80 |
| HTTPS Port | 443 | 443 |
Forward Proxy Load Balancer Setup
This is an optional setup for Portal, Application Messaging, and Business Interlinks outbound calls.
| Unit | Load Balancer 3 (Active) | Load Balancer 4 (Standby) |
| IP Address | 10.0.1.2 | 10.0.1.3 |
| Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Shared Address | 10.0.1.1 | 10.0.1.1 |
| Default Route | None | None |
| Virtual IP for Proxy Service | 10.0.1.50 | 10.0.1.50 |
| HTTP Service Port | 80 | 80 |
| HTTPS Service Port | 443 | 443 |
| Persistence (sticky) | IP Based | IP Based |
Application Server Setup
| Unit | AppHost1:Domain1 | AppHost1:Domain2 | AppHost2:Domain1 | AppHost2:Domain2 |
| IP Address 1 | 10.0.1.100 | 10.0.1.100 | 10.0.1.110 | 10.0.1.110 |
| Subnet Mask 1 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default Route 1 | 10.0.0.1 | 10.0.0.1 | 10.0.0.1 | 10.0.0.1 |
| JSH Port | 9000 | 9020 | 9000 | 9020 |
| IP Address 2 | 10.0.2.10 | 10.0.2.10 | 10.0.2.20 | 10.0.2.20 |
| Subnet Mask 2 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default Route 1 | 10.0.0.5 | 10.0.0.5 | 10.0.0.5 | 10.0.0.5 |
| LDAP Host | 10.0.2.50 | 10.0.2.50 | 10.0.2.50 | 10.0.2.50 |
| LDAP Port | 389 | 389 | 389 | 389 |
| LDAPS Port | 636 | 636 | 636 | 636 |
LDAP Load Balancer Setup
This is an optional setup for LDAP load balancing.
| Unit | Load Balancer 5 (Active) | Load Balancer 6 (Standby) |
| IP Address | 10.0.2.2 | 10.0.2.3 |
| Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Shared Address | 10.0.2.1 | 10.0.2.1 |
| Default Route | None | None |
| Virtual IP for Proxy Service | 10.0.2.50 | 10.0.2.50 |
| LDAP Service Port | 389 | 389 |
| LDAPS Service Port | 636 | 636 |
| Persistence (sticky) | IP Based | IP Based |
Database Server Setup
| Unit | DBServer1 | DBServer2 |
| IP Address | 10.0.2.70 | 10.0.2.80 |
| Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Default Route | None | None |
| Service VIP1 | 10.0.2.60 | 10.0.2.60 |
| Service Port | DB Vendor Specific | DB Vendor Specific |
gregkelly |
Latest page update: made by gregkelly
, Feb 25 2009, 9:08 PM EST
(about this update
About This Update
Edited by gregkelly
view changes - complete history) |
|
Keyword tags:
None
More Info: links to this page
|
There are no threads for this page.
Be the first to start a new thread.
