When you install and configure a DMZ Secure Proxy Server for IBM® WebSphere® Application Server to
provide session affinity, failover support, and workload balancing
for your WebSphere Application Server topology, you need to understand
how the DMZ Secure Proxy Server for IBM WebSphere Application Server is
best used in your environment.
About this task
Procedure
- Set up a secure proxy server that only uses generic server
cluster (GSC) routing.
This scenario is similar to the
legacy Edge proxy server (WTE) DMZ scenario. In this scenario:
- The secure proxy server only uses generic server cluster (GSC)
routing.
- The secure proxy server is completely unaware of the backend topology
of the cells.
- Request routing service is provided based on pre-defined GSC routing
rules.
- Because Session affinity and failover support is limited, you
should provide another tier of intermediaries configured behind the
inner firewall to provide full session affinity and failover service.
The following diagram illustrates this
topology.

If
you use this topology, the secure proxy server cannot respond to management
events from backend cells because there is no administration communication
channel between the secure proxy sever and the backend cells. If you
have WebSphere Application Server managed applications that require
the secure proxy server to forward client information to the backend
servers, you must set the http.forwarded.as.was.managed proxy server
custom property to true.
See the topic
Routing rules for a description of how to configure GSC routing rules.
- Set up a secure proxy server that uses static routing.
This scenario is similar to the traditional IBM HTTP Server
with a Web server plug-in, running in a DMZ scenario. See the topic
Selecting a Web server topology diagram and roadmap for more information
about the traditional IBM HTTP Server with a Web server plug-in,
running in a DMZ scenario.
In a secure proxy server that uses
static routing scenario:
- The front end secure proxy server is sitting in DMZ.
- Routing information is exported from each cell and placed on secure
proxy node.
- The secure proxy server provides session affinity and fail over
service.
- The secure proxy server cannot actively respond to management
events on the backend server cells.
- The secure proxy server cannot dynamically reload routing configuration
files. Therefore, a restart is required in order to pickup changes
in configuration files.
The following diagram illustrates this topology.

See the topic Configure secure routing for a DMZ Secure
Proxy Server for a description of how to configure static routing.
- Set up a secure proxy server that uses dynamic routing.
This scenario iis similar to the traditional
WebSphere Application Server proxy server scenario, with one exception: the secure proxy
server is running in the DMZ instead of in a backend cell. In this
scenario:
- The front end secure proxy server is sitting in DMZ.
- Routing information is dynamically pulled from backend cells through
configured core group bridge tunnels.
- The secure proxy server can provide request routing, session affinity,
and failover service.
- The secure proxy server can dynamically adjust request routing
because the secure proxy can receive management events from the backend
server cells.
The following diagram illustrates this topology.

See the topic Configure secure routing for a DMZ Secure
Proxy Server for a description of how to configure static routing.