Configuring with firewalls (FileNet Web Services Client)
The use of firewalls with FileNet Web Services Client requires additional configuration on the client, the web server, and the Process Engine. This topic explains the extra steps required.
Configuration settings when there is a firewall between the client and the web server

For the web-server based workflow applications to function across a firewall that restricts port-level configurations, you must make the following changes to allow RMI data to be encapsulated in HTTP packets and passed via port 80.

NOTE: This does not apply to non-Java applet applications such as HTML-based step processors.
On the client

1. Open the Java Plug-in from the Windows Control Panel.
   NOTE: The Java Plug-in is installed the first time the client accesses the IDMWS home page. If the Java Plug-in does not appear in the Control Panel, it has not been installed yet. Access the IDMWS home page to install it.
2. Under the Proxies tab, uncheck the Use browser settings checkbox if necessary.
3. For the HTTP type, enter the firewall server's Proxy Address and Port 80.
On the web server

1. Create a directory under the wwwroot called cgi-bin. The path on a typical server might be c:\inetpub\wwwroot\cgi-bin.
2. Using the IIS Internet Services Manager, edit the properties of the cgi-bin directory. (The directory is under the Default Web Site node.) Under the Directory tab, set the Execute Permissions to Scripts and Executables.
3. Obtain the java-rmi.cgi script file by doing the following:
   - Enter the name of the Process Engine in the VW Host Server field.
   - Enter the name of the firewall server in the Local Host field.
On the firewall

Be sure that only port 80 responds to requests. (If other ports acknowledge requests, the client does not invoke the java-rmi.cgi script.) See your firewall documentation for further information.
Configuration settings when there is a firewall between the web server and Process Engine

For the PPM on the Process Engine and the Process Router on the web server to communicate through a firewall, you must open two ports on the firewall and reference these ports when starting the PPM and the router. In addition, if you have Image Services (IS) with imaging or Content Services (CS) installed on a separate server, you must configure them as well.
On the firewall

On the firewall, do the following. See your firewall documentation for more information.

1. Forward all requests made on port 32771 to the Process Engine.
2. Open a user-selected port for the PPM Return Port.
3. Specify the PPM Return Port to match the port opened on the firewall.
4. Enter the name of the Process Engine in the Local Host field.
On the Application Engine or web server

1. Modify the hosts file on the web server and map the IP address of the firewall to the fully qualified domain name of the Process Engine.
2. Start a router. Enter the name of the Process Engine in the VW Host Server field.
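The hosts-file step above is easy to get wrong by hand: a stale direct entry for the Process Engine left in place, a duplicate line, or a mistyped address silently sends the router somewhere other than the firewall. The following helper is an added example, not FileNet's own tooling; it performs that edit on the text of a hosts file, replacing any existing entry for the Process Engine name rather than appending a second one, rejects malformed addresses before anything is written, and verifies the result. The sample hosts content, the firewall address 192.0.2.10 and the name pe01.corp.example.com are constructed placeholders; the file location (%SystemRoot%\System32\drivers\etc\hosts on a Windows web server) is an assumption.

```python
"""Idempotent hosts-file mapping of the Process Engine FQDN to the firewall IP.

Added example, not FileNet's own script. Maps the firewall address to the
Process Engine's fully qualified domain name, as the step above requires,
without leaving a stale or duplicate entry behind.
"""
import ipaddress
import re

# Constructed sample content. The real file on a Windows web server is
# %SystemRoot%\System32\drivers\etc\hosts (assumption).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.1.2.3        pe01.corp.example.com   # stale direct mapping
"""

FIREWALL_IP = "192.0.2.10"          # constructed placeholder firewall address
PE_FQDN = "pe01.corp.example.com"    # constructed placeholder Process Engine name


def parse_hosts(text):
    """Return {hostname: ip} for every non-comment entry (names lower-cased)."""
    mapping = {}
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()   # strip trailing comments
        if not entry:
            continue
        parts = entry.split()
        for name in parts[1:]:
            mapping[name.lower()] = parts[0]
    return mapping


def map_host(text, ip, fqdn):
    """Return hosts-file text in which fqdn resolves to ip and to nothing else.

    Raises ValueError for a malformed address or name so the caller never
    writes a broken line into the file.
    """
    ipaddress.ip_address(ip)  # ValueError unless ip is a valid IPv4/IPv6 literal
    if not re.fullmatch(r"[A-Za-z0-9.-]+", fqdn):
        raise ValueError(f"invalid host name: {fqdn!r}")

    kept = []
    for line in text.splitlines():
        code, _, comment = line.partition("#")
        parts = code.split()
        if parts and fqdn.lower() in (n.lower() for n in parts[1:]):
            # An existing entry names this FQDN: remove just that name, or
            # drop the whole line if it mapped nothing else.
            remaining = [n for n in parts[1:] if n.lower() != fqdn.lower()]
            if not remaining:
                continue
            line = " ".join([parts[0]] + remaining) + (" #" + comment if comment else "")
        kept.append(line)
    kept.append(f"{ip}\t{fqdn}\t# Process Engine reached via firewall")
    return "\n".join(kept) + "\n"


def verify_mapping(text, ip, fqdn):
    """True when the parsed file maps fqdn to exactly ip."""
    return parse_hosts(text).get(fqdn.lower()) == ip


if __name__ == "__main__":
    updated = map_host(SAMPLE_HOSTS, FIREWALL_IP, PE_FQDN)
    print(updated)
    print("mapping ok:", verify_mapping(updated, FIREWALL_IP, PE_FQDN))
```

Running it twice on the same file yields the same text, so it is safe to include in a scripted build of the web server; `verify_mapping` is the check to run after the edit, since the router will use whatever the file says.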
On the IS server

If there is a firewall between the IS server and the web server, you must do the following.

1. Use the System Configuration Editor to add the firewall address first in the Network Address tab. See the online help for the System Configuration Editor for additional information.
2. If your firewall uses a DMZ ("demilitarized zone") and the routers are not configured to learn the address of the DMZ automatically, you must add a persistent route to the DMZ subnet. (A DMZ refers to a part of the network that is neither part of the internal network nor directly part of the Internet.) From a command prompt, enter:
   route -p add [DMZ subnet IP address] mask 255.255.255.0 [firewall IP address]
On the CS server

1. Update the firewall IP address value in the database. Use the following SQL commands:
   update name_service set NS_CONNECTION_ADDR='[firewall IP address],1435' where NS_SERVICE_TYPE='brserver';
   update name_service set NS_CONNECTION_ADDR='[firewall IP address],1436' where NS_SERVICE_TYPE='csserver';
   NOTE: Each time you reboot the CS server, you must update this information. To simplify this process, you can create a SQL script that runs automatically during your reboot procedure.
2. If your firewall uses a DMZ and the routers are not configured to learn the address of the DMZ automatically, you must add a persistent route to the DMZ subnet. From a command prompt, enter:
   route -p add [DMZ subnet IP address] mask 255.255.255.0 [firewall IP address]
3. Edit the services file. See "Configuring for WANs and Firewalls" in the FileNet Content Services Installation Guide for more information. Add the following information:
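Because the name_service update in step 1 above has to be re-applied after every CS server reboot, it is worth generating the two UPDATE statements from a single validated address and having a check that tells you when the rows have drifted back. The following is an added example, not FileNet's own reboot script: it builds the statements for the brserver and csserver rows using the 1435 and 1436 ports given on this page, accepts only an IPv4 literal as the firewall address so nothing else can be spliced into the SQL, and reports which service types still carry a stale NS_CONNECTION_ADDR. The sample rows and the firewall address 192.0.2.10 are constructed.

```python
"""Build and check the CS name_service firewall update from the step above.

Added example, not FileNet's own script. Ports and column names are those
given on the page; the sample rows and firewall address are constructed.
"""
import ipaddress

# NS_SERVICE_TYPE -> port, exactly as in the two UPDATE statements above
NAME_SERVICE_PORTS = {"brserver": 1435, "csserver": 1436}


def expected_addr(firewall_ip, service_type):
    """Connection address CS expects for a service type: '<ip>,<port>'."""
    ipaddress.IPv4Address(firewall_ip)  # ValueError on anything but an IPv4 literal
    return f"{firewall_ip},{NAME_SERVICE_PORTS[service_type]}"


def name_service_sql(firewall_ip):
    """Return the UPDATE statements for the reboot script, one per service type."""
    return [
        "update name_service set NS_CONNECTION_ADDR='"
        + expected_addr(firewall_ip, svc)
        + f"' where NS_SERVICE_TYPE='{svc}';"
        for svc in NAME_SERVICE_PORTS
    ]


def stale_services(rows, firewall_ip):
    """Given (NS_SERVICE_TYPE, NS_CONNECTION_ADDR) rows, return the service
    types whose address no longer points at the firewall."""
    return sorted(
        svc for svc, addr in rows
        if svc in NAME_SERVICE_PORTS and addr != expected_addr(firewall_ip, svc)
    )


# Constructed sample rows, as if selected after a reboot reset the addresses
# to the CS server's own IP.
SAMPLE_ROWS = [
    ("brserver", "10.5.5.5,1435"),
    ("csserver", "10.5.5.5,1436"),
    ("other", "10.5.5.5,1437"),
]

if __name__ == "__main__":
    fw = "192.0.2.10"  # constructed placeholder firewall address
    for stmt in name_service_sql(fw):
        print(stmt)
    print("stale after reboot:", stale_services(SAMPLE_ROWS, fw))
```

A reboot script can write the output of `name_service_sql` to a .sql file and run it; `stale_services`, fed the rows from `select NS_SERVICE_TYPE, NS_CONNECTION_ADDR from name_service`, is the post-reboot check that the update actually took effect.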