
7.1.3.6.3: Reverse proxy (IP forwarding) sample topology

Overview

Reverse proxy (or IP-forwarding) topologies use a reverse proxy server to receive incoming HTTP requests and forward them to a Web server. The Web server in turn forwards the requests to the application servers that do the actual processing. The following figure shows a simple reverse proxy topology.

Figure: Reverse proxy topology

In this example, a reverse proxy resides in a demilitarized zone (DMZ) between the outer and inner firewalls. It listens on an HTTP port (typically port 80) for HTTP requests. The reverse proxy then forwards those requests to an HTTP server that resides on the same machine as WebSphere Application Server. After the requests are fulfilled, they are returned through the reverse proxy to the client, hiding the originating Web server.
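The following is an added example, not code from the InfoCenter or from WebSphere: a minimal HTTP reverse proxy of the kind the figure places in the DMZ. It listens on one port, relays each request over plain HTTP to a single upstream Web server, and returns the response after removing the headers that would reveal the origin server. It goes slightly beyond the text by also rewriting redirects that the origin builds from its own internal address, which is the most common way an origin leaks through a proxy. The host names, the 203.0.113.5 client address and the _DemoUpstream server are constructed for the demonstration; run_demo() starts that upstream on a loopback port and forwards two requests through it.

```python
# Added example (not IBM or WebSphere code): a minimal HTTP reverse proxy of the
# kind the topology above places in the DMZ.  It listens on one port, forwards
# each request over plain HTTP to one upstream Web server, and returns the
# response with headers that would reveal the origin server removed.
import http.client
import http.server
import threading
from dataclasses import dataclass

# Hop-by-hop headers (RFC 7230) describe one connection and are never relayed.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}
# Headers that identify the origin product; dropped so clients only see the proxy.
ORIGIN_REVEALING = {"server", "x-powered-by"}

@dataclass
class ProxyConfig:
    public_host: str    # name clients use (assumed, e.g. "www.example.com")
    upstream_host: str  # Web server behind the inner firewall (assumed address)
    upstream_port: int

def sanitize_response_headers(headers, cfg):
    """Headers to relay to the client: hop-by-hop, origin-revealing and length
    headers removed, redirects that point at the internal address rewritten."""
    internal = f"http://{cfg.upstream_host}:{cfg.upstream_port}"
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in HOP_BY_HOP or lname in ORIGIN_REVEALING or lname == "content-length":
            continue
        if lname == "location" and value.startswith(internal):
            value = f"http://{cfg.public_host}" + value[len(internal):]
        out.append((name, value))
    return out

def forward(cfg, method, path, headers, body, client_ip):
    """Relay one request to the upstream over HTTP (the single open port in the
    inner firewall) and return (status, headers, body) as the client sees it."""
    up = {k: v for k, v in headers.items()
          if k.lower() not in HOP_BY_HOP and k.lower() != "host"}
    up["Host"] = cfg.public_host       # keep the virtual host the client asked for
    up["X-Forwarded-For"] = client_ip  # lets the origin log the real client
    conn = http.client.HTTPConnection(cfg.upstream_host, cfg.upstream_port, timeout=10)
    try:
        conn.request(method, path, body=body, headers=up)
        resp = conn.getresponse()
        data = resp.read()
        return resp.status, sanitize_response_headers(resp.getheaders(), cfg), data
    finally:
        conn.close()

class ReverseProxyHandler(http.server.BaseHTTPRequestHandler):
    cfg = None  # ProxyConfig, set before serving

    def _proxy(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        try:
            status, hdrs, data = forward(self.cfg, self.command, self.path,
                                         dict(self.headers), body, self.client_address[0])
        except (OSError, http.client.HTTPException):
            self.send_error(502, "Upstream unavailable")  # fail closed, reveal nothing
            return
        self.send_response(status)
        for name, value in hdrs:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _proxy

class _DemoUpstream(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the internal Web server, used by run_demo()."""
    def do_GET(self):
        self.send_response(302 if self.path == "/old" else 200)
        self.send_header("Server", "DemoWebServer/1.0")  # what the proxy must hide
        if self.path == "/old":  # redirect built from the internal address
            self.send_header("Location", f"http://127.0.0.1:{self.server.server_port}/new")
        self.end_headers()
        if self.path != "/old":
            self.wfile.write(b"hello from origin")

    def log_message(self, *args):  # silence demo request logging
        pass

def run_demo():
    """Forward two requests through forward() to the constructed upstream on a
    loopback port; returns ((status, headers, body) for "/", same for "/old")."""
    upstream = http.server.HTTPServer(("127.0.0.1", 0), _DemoUpstream)
    threading.Thread(target=upstream.serve_forever, daemon=True).start()
    cfg = ProxyConfig("www.example.com", "127.0.0.1", upstream.server_port)
    hdrs = {"Host": "www.example.com", "User-Agent": "demo-client"}
    try:
        return (forward(cfg, "GET", "/", hdrs, None, "203.0.113.5"),
                forward(cfg, "GET", "/old", hdrs, None, "203.0.113.5"))
    finally:
        upstream.shutdown()
        upstream.server_close()

if __name__ == "__main__":
    print(run_demo())
```

To serve real traffic, set ReverseProxyHandler.cfg to a ProxyConfig naming the internal Web server and pass the handler to http.server.ThreadingHTTPServer bound to the DMZ interface; the 502 path matters because an unfiltered connection error would otherwise tell a client which internal address the proxy tried to reach.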

Typical use

Reverse proxy servers are typically used in DMZ configurations to allow additional security between the public Internet and the Web servers (and application servers) servicing requests. A reverse proxy product used with WebSphere Application Server must support Network Address Translation (NAT) and WebSphere security.

Reverse proxy configurations support high-performance DMZ solutions that require as few open ports in the firewall as possible. The reverse proxy capabilities of the Web server inside the DMZ require as few as one open port in the second firewall (potentially two if SSL is used, because port 443 must then be open as well).

The advantages of using a reverse proxy server in a DMZ configuration include the following:

  • The reverse proxy server does not need database access through the firewall.
  • It supports WebSphere security and NAT firewalls.
  • The basic reverse proxy configuration is well-known and tested in the industry, resulting in less customer confusion than other DMZ configurations.
  • It is reliable and its performance is relatively fast.
  • It eliminates protocol switching by using the HTTP protocol for all forwarded requests.
  • It does not affect the configuration and maintenance of a WebSphere application.
  • It uses only one firewall port (HTTP) for requests and responses.

Using a single port in both directions is also a disadvantage in environments whose security policies prohibit the same port or protocol from being used for both inbound and outbound traffic across a firewall.

The disadvantages of using a reverse proxy server in a DMZ configuration include the following:

  • The presence of a reverse proxy server in a DMZ might not be suitable for some environments.
  • It requires more hardware and software than similar topologies that do not include a reverse proxy server, which makes it more complicated to configure and maintain.
  • The reverse proxy server does not participate in WebSphere workload management.

Article 7.1.4, Firewall and demilitarized zone (DMZ) configurations, compares the reverse proxy topology to other topologies that support a DMZ configuration.

Instructions

The implementation specifics are determined by the reverse proxy server; refer to the documentation for the product you are using. No additional WebSphere administration is required for the reverse proxy server itself, although it might be needed for other elements of the reverse proxy topology.

Go to previous article: Semi-remote HTTP sample topology Go to next article: Demilitarized Zone (DMZ) sample topology
