
Configuring with firewalls (FileNet Web Services Client)

The use of firewalls with FileNet Web Services Client requires additional configuration on the client, the web server, and the Process Engine. This topic explains the extra steps required.

For background information about the use of firewalls with the Process Engine, see Network Address Translator (NAT) and firewall issues.

Configuration settings when there is a firewall between the client and the web server

For the web-server based workflow applications to function across a firewall that restricts port-level configurations, you must make the following changes to allow RMI data to be encapsulated in HTTP packets and passed via port 80.

NOTE This does not apply to non-Java applet applications such as HTML-based step processors.

On the client

Open the Java Plug-in from the Windows Control Panel.

NOTE The Java Plug-in is installed the first time the client accesses the IDMWS home page. If the Java Plug-in does not appear in the Control Panel, it has not been installed yet. Access the IDMWS home page to install it.

  1. Under the Proxies tab, uncheck the Use browser settings checkbox if necessary.
  2. For the HTTP type, enter the firewall server's Proxy Address and Port 80.

On the web server

  1. Create a directory under the wwwroot called cgi-bin. The path on a typical server might be c:\inetpub\wwwroot\cgi-bin.
  2. Using the IIS Internet Services Manager, edit the properties of the cgi-bin directory. (The directory is under the Default Web Site node.) Under the Directory tab, set the Execute Permissions to Scripts and Executables.
  3. Obtain the java-rmi.cgi script file by doing the following:
    1. Download JDK 1.1.8 from http://java.sun.com/products/archive.
    2. Install the JDK software on a machine other than the web server.
    3. Locate the file java-rmi.cgi and copy it to the directory you created on the web server in step 1.
  4. Start a router on the web server.
    1. Enter the name of the Process Engine in the VW Host Server field.
    2. Enter the name of the firewall server in the Local Host field.

On the firewall

Be sure that only port 80 responds to requests. (If other ports acknowledge requests, the client does not invoke the java-rmi.cgi script.) See your firewall documentation for further information.

Configuration settings when there is a firewall between the web server and Process Engine

For the PPM on the Process Engine and Process Router on the web server to communicate through a firewall, you must open two ports on the firewall, and reference these ports when starting the PPM and the router. In addition, if you have Image Services (IS) with imaging or Content Services (CS) installed on a separate server, you must configure them.

On the firewall

On the firewall, do the following. See your firewall documentation for more information.

  1. Forward all requests made on port 32771 to the Process Engine.
  2. Open a user-selected port for the PPM Return Port.

On the Process Engine

Start the PPM.

  1. Specify the PPM Return Port to match the port opened on the firewall.
  2. Enter the name of the Process Engine in the Local Host field.

On the Application Engine or web server

  1. Modify the hosts file on the web server and map the IP address of the firewall to the fully qualified domain name of the Process Engine.
  2. Start a router. Enter the name of the Process Engine in the VW Host Server field.

On the IS server

If there is a firewall between the IS server and the web server, you must do the following.

  1. Use the System Configuration Editor to add the firewall address first in the Network Address tab. See the online help for the System Configuration Editor for additional information.
  2. If your firewall uses a DMZ ("demilitarized zone") and the routers are not configured to automatically know the address of the DMZ, you must add a persistent route to the DMZ subnet. (A DMZ refers to a part of the network that is neither part of the internal network nor directly part of the Internet.) From a command prompt, enter:

    route add [DMZ subnet IP root address] mask 255.255.255.0 [firewall IP address]

On the CS server

  1. Update the firewall IP address value in the database. Use the following SQL commands:

    update name_service set NS_CONNECTION_ADDR='[firewall IP address],1435' where NS_SERVICE_TYPE='brserver';
    update name_service set NS_CONNECTION_ADDR='[firewall IP address],1436' where NS_SERVICE_TYPE='csserver';

    NOTE Each time you reboot the CS server, you must update this information. To simplify this process, you can create a SQL script to run automatically during your reboot procedure.

  2. If your firewall uses a DMZ and the routers are not configured to automatically know the address of the DMZ, you must add a persistent route to the DMZ subnet. From a command prompt, enter:

    route add [DMZ subnet IP address] mask 255.255.255.0 [firewall IP address]

  3. Edit the services file. See "Configuring for WANs and Firewalls" in the FileNet Content Services Installation Guide for more information. Add the following information:

    idmds\<library name>\brserver 1435/tcp
    idmds\<library name>\fulltext 1436/tcp
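
The hosts file mapping on the web server and the services file entries on the CS server are both hand-edited, so a mistyped line silently sends traffic around the firewall or to the wrong port. The following check is an added example, not part of the FileNet documentation or tooling; the function names, the host name pe01.example.com, the library name Library1 and the 192.0.2.x addresses are assumptions made for illustration.

```python
def _entries(text):
    """Yield whitespace-split fields of each non-comment line with 2+ fields."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields

def check_hosts(hosts_text, pe_fqdn, firewall_ip):
    """Return problems with the Process Engine name -> firewall IP mapping."""
    for ip, *names in _entries(hosts_text):
        if pe_fqdn.lower() in (n.lower() for n in names):
            # Resolvers use the first matching line, so only that one counts.
            if ip == firewall_ip:
                return []
            return [f"{pe_fqdn} maps to {ip}, expected firewall {firewall_ip}"]
    return [f"{pe_fqdn} has no hosts entry"]

def check_services(services_text, library):
    """Return problems with the two Content Services entries for one library."""
    expected = {
        "\\".join(("idmds", library, "brserver")): "1435/tcp",
        "\\".join(("idmds", library, "fulltext")): "1436/tcp",
    }
    found = {}
    for name, port_proto, *_ in _entries(services_text):
        found.setdefault(name.lower(), port_proto.lower())
    problems = []
    for name, want in expected.items():
        got = found.get(name.lower())
        if got is None:
            problems.append(f"{name}: entry missing")
        elif got != want:
            problems.append(f"{name}: found {got}, expected {want}")
    return problems

# Constructed sample files (documentation addresses, hypothetical names).
SAMPLE_HOSTS = """\
127.0.0.1      localhost
192.0.2.10     pe01.example.com pe01   # firewall address, not the real PE
"""
SAMPLE_SERVICES = (
    "idmds\\Library1\\brserver 1435/tcp\n"
    "idmds\\Library1\\fulltext 1436/tc\n"   # constructed typo: protocol cut short
)

if __name__ == "__main__":
    print(check_hosts(SAMPLE_HOSTS, "pe01.example.com", "192.0.2.10"))
    print(check_services(SAMPLE_SERVICES, "Library1"))
```

Run it against copies of the real hosts and services files after each edit; an empty list from both functions means the entries match the values this topic requires.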