Internal Supporting External Users
The scenario of an on-premises installation that serves internal users and also provides some access to external users or devices can be tricky. It is NOT recommended to publish grid routers so that they are directly reachable from the Internet without a filtering proxy in between. The recommended way to give external users and devices access is a VPN endpoint in a DMZ that those users connect to.
Open communication on the Internet (that is, any communication with clients outside the secure intranet) always carries additional risk, because every published port is a potential point of entry for an attacker.
Here we will discuss two options for allowing grid router access over the Internet to a grid application running on the intranet.
VPN
Infor strongly recommends that any client wishing to access a grid application from the Internet use a VPN tunnel to provide a secure connection between the client and the server. There are a number of reasons why this method is preferable:
- Secure: the VPN concentrator is the only component exposed to the Internet, which reduces the opportunity for intrusion attacks compared with publishing application ports directly.
- No client installation: with a browser-based (SSL) VPN, Internet access and a web browser are the only requirements to create the tunnel to the corporate network, without user or administrator overhead.
- Support for any client-server architecture that can be accessed over the normal corporate LAN.
- Ability to configure and restrict user access. For example, a contractor can be limited to connecting only to a specific grid router, so the VPN does not open up the whole corporate network unless you want it to.
- User access control is simpler because there is a single entry point to the corporate network. An administrator can allow or deny users access to specific areas or to the whole corporate network from one place. This matters when access must be revoked quickly, for example following termination.
- VPN solutions are available as physical or virtual appliances, giving different deployment options depending on the existing infrastructure.
Direct Connect – Client connection through the DMZ using SSL
As an alternative to a VPN solution, it is possible to implement an SSL-encrypted route through the DMZ for clients to connect to.
This involves static port forwarding: rules are added to the external and internal firewalls so that traffic arriving on a specified external port is routed to an internal LRC router.
Configuration involves the following high-level steps:
- Configure the grid router: determine the port that is secured and make sure encryption is enabled on that port.
- Select and open a port in the external firewall, and configure a static port forward to a selected port on the internal firewall.
- Open that port in the internal firewall, and configure a static port forward to the grid router port identified in the first step.
Considerations and notes:
- A non-standard port must be opened in the external firewall, with a rule-based route to a port on a specific host within the intranet.
- There is a risk with this approach since there is a direct route from the Internet to the intranet: the firewalls only forward the port, so nothing filters or authenticates the traffic before it reaches the router.
- The security depends entirely on the grid router and on the security of each web application that is published through that router.
- All traffic between the client and the grid router is SSL encrypted, provided encryption was enabled on the router port in the first step.
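Once the port forwards from the steps above are in place, the check a practitioner wants is a probe run from outside the DMZ that confirms the published port speaks only TLS with the expected certificate, which is what the last consideration relies on. The following script is an added example and not Infor code; the host, port and CA file it takes are assumptions of the example, and it does not configure the firewalls themselves.

```python
"""Added example (not Infor code): probe a grid-router port published through
the DMZ and confirm that it only speaks TLS.

Assumptions (not from the page): the published endpoint is reachable as
host:port, and the CA certificate that signed the router's certificate is
available as a PEM file for verification."""
import socket
import ssl


def probe_plaintext(host, port, timeout=5.0):
    """Send a cleartext HTTP request to the published port.

    A correctly secured port must never answer with HTTP; it should close the
    connection or send a TLS alert when it receives non-TLS bytes."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = sock.recv(64)
    except OSError:
        # connection refused, reset or timed out: nothing answered in cleartext
        return "no_answer"
    if not data:
        return "closed"            # server closed without answering
    if data.startswith(b"HTTP/"):
        return "plaintext_http"    # encryption is NOT enabled on this port
    if data[:1] == b"\x15":
        return "tls_alert"         # TLS alert record: server rejected cleartext
    return "unknown"


def probe_tls(host, port, cafile=None, timeout=5.0):
    """Complete a verified TLS handshake and report the negotiated parameters.

    cafile is the PEM bundle to trust; None means the system trust store.
    Hostname checking stays on so a certificate for the wrong name fails."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy SSL/TLS versions
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": "certificate not trusted: " + str(exc)}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "reason": str(exc)}


def assess(host, port, cafile=None, timeout=5.0):
    """Combine both probes: the port passes only if a verified TLS handshake
    succeeds and a cleartext request is not served."""
    plain = probe_plaintext(host, port, timeout)
    tls = probe_tls(host, port, cafile, timeout)
    return {"plaintext": plain, "tls": tls,
            "secure": tls["ok"] and plain != "plaintext_http"}


if __name__ == "__main__":
    import sys
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(assess(target_host, target_port, ca))
```

Run it as `python probe.py <external-host> <external-port> <ca.pem>` from a machine on the Internet side of the external firewall. A `plaintext_http` result means the forward reaches a port on which encryption was never enabled; a certificate failure means the router presents a certificate the client should not trust, which is exactly the situation a connecting user would otherwise be tempted to click through.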