A Forum reader asked this question:
“What is the best position for iChain servers? We are thinking of putting both (proxy and auth server) in the DMZ.”
Here are two responses …
That’s a common and reasonable approach. In my opinion, an iChain box should *always* be behind a packet filtering firewall. After all, it’s just a NetWare box, and leaving all of those default NetWare ports exposed is asking for trouble.
Here, we NAT various public IPs to the iChain box “public” NIC, with packet filters limiting the traffic to port 80/443. The iChain box hangs off of a third NIC in the main BorderManager server, creating a separate DMZ for it to live in. The other interface in the iChain box then connects directly to the production LAN.
So far I’ve only been talking about the proxy box. The authorization server actually sits on the production LAN. The problem is that in most organizations, you want to sync the “ichain” authorization tree to the production tree (usually via DirXML or IDM). If the auth server is in the DMZ, then you need to let eDirectory communications through the inner firewall, which is riskier (in my opinion) than simply leaving the auth box on the LAN, where it can sync to the production tree easily.
You can also filter traffic to/from the iChain “public” interface through the border firewall (for truly public Internet clients, not local ones), as there’s no point in letting non-HTTP traffic to/from the proxy interface (unless you’re tunnelling, of course, but those are easy exceptions to add as well).
I think iChain is secure enough to sit in the DMZ, but I agree that you don’t keep LDAP traffic open through the DMZ.
The iChain boxes should have two NICs and be dual-homed, as they are secure enough to do this.
The proxy servers should have one leg into the DMZ, as would the Layer 4 load balancer (if you load balance them), and one leg into the more protected “corp” network.
The Session Broker (if you are load balancing) and the eDirectory servers should sit in the more protected “corp” network.
The iChain servers authenticate to eDirectory through their “corp” leg, while proxying sessions on the DMZ side.
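Both responses describe the same policy: only HTTP/HTTPS from the Internet reaches the proxy’s public NIC, nothing from the DMZ initiates connections into the LAN, and eDirectory traffic stays on the proxy’s “corp” leg. The following is an added example, not from either response and not BorderManager filter syntax: a small first-match policy evaluator that models the two firewalls and audits those properties. All addresses (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the LAN, the proxy and auth server hosts) and the representative eDirectory port set are constructed assumptions.

```python
"""Added example: model of the iChain placement discussed above.
Addresses, hosts and the eDirectory port set are constructed
assumptions, not values from the forum responses."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed example topology (assumed addresses)
INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")       # proxy "public" leg lives here
CORP = ipaddress.ip_network("10.0.0.0/8")        # production LAN
PROXY_PUBLIC = ipaddress.ip_address("192.0.2.10")
PROXY_CORP = ipaddress.ip_address("10.0.0.10")   # second NIC, directly on the LAN
AUTH_SERVER = ipaddress.ip_address("10.0.0.20")  # eDirectory auth server on the LAN

HTTP_PORTS = frozenset({80, 443})
EDIR_PORTS = frozenset({389, 636, 524})   # LDAP, LDAPS, NCP: assumed representative set


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                       # "tcp", "udp", or "any"
    ports: Optional[FrozenSet[int]]  # None means any destination port
    action: str                      # "allow" or "deny"


def host(addr) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/32")


# Outer (border) firewall, Internet -> DMZ: only HTTP/HTTPS may reach the
# proxy's public NIC; everything else bound for the DMZ is dropped.
BORDER_RULES: List[Rule] = [
    Rule(INTERNET, host(PROXY_PUBLIC), "tcp", HTTP_PORTS, "allow"),
    Rule(INTERNET, DMZ, "any", None, "deny"),
]

# Inner firewall, DMZ -> corp: nothing from the DMZ side may initiate a
# connection into the LAN, so no LDAP/NCP is open through the DMZ.
INNER_RULES: List[Rule] = [
    Rule(DMZ, CORP, "any", None, "deny"),
]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First-match rule evaluation with an implicit final deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s not in r.src or d not in r.dst:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.ports is not None and port not in r.ports:
            continue
        return r.action
    return "deny"


def path_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """Apply whichever firewall a packet would traverse in this topology.
    Corp-to-corp traffic (the proxy's LAN leg talking to eDirectory) crosses
    no firewall at all, which is the point of the dual-homed design."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in CORP and d in CORP:
        return True
    if d in DMZ and s not in DMZ and s not in CORP:
        return evaluate(BORDER_RULES, src, dst, proto, port) == "allow"
    if s in DMZ and d in CORP:
        return evaluate(INNER_RULES, src, dst, proto, port) == "allow"
    return False


def audit() -> dict:
    """Check the properties the two responses argue for. 198.51.100.7 is a
    constructed Internet client address."""
    client = "198.51.100.7"
    return {
        "internet_https_to_proxy": path_allowed(client, str(PROXY_PUBLIC), "tcp", 443),
        "internet_ncp_to_proxy": path_allowed(client, str(PROXY_PUBLIC), "tcp", 524),
        "internet_ldap_to_dmz_host": path_allowed(client, "192.0.2.99", "tcp", 389),
        "dmz_leg_ldap_to_auth": path_allowed(str(PROXY_PUBLIC), str(AUTH_SERVER), "tcp", 389),
        "corp_leg_ldap_to_auth": path_allowed(str(PROXY_CORP), str(AUTH_SERVER), "tcp", 389),
    }


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY'}")
```

Running the script prints one line per check; the first and last should be ALLOW and the three in between DENY. Translating the same intent into real BorderManager or border firewall filters is the actual work; a model like this is only a way to state the intended policy precisely enough to compare against what is configured.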
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.