Hi,
I have done the setup for the reverse invoke. One IS is inside firewall and one is in DMZ. The DMZ box is connected to Trading partner via secure pipeline. And the port 80 is open for ourbound and 8080 for inbound.
How do I make http calls from internal IS to Trading partner?. Will reverse invoke work for only outbound calls?.
Thanks,
Jey.
Jey,
I can’t think of a reason to go through the reverse invoke IS for outbound.
Let’s see if anyone else can.
Regards
Mark,
If the inbound and outbound connectivity from DMZ is only through secure pipeline, Will the reverse invoke is worth to have?.
The outbound documents can be delivered to the DMZ IS through a invoke from internal IS and the DMZ IS can do a http post through the pipe line.
How the Trading Networks can be effectively used to deliver the documents with this architecture?. How the TN piece can access the ourside servers using delivery methods with out using a internal invoke from TN and a post? How the TN access the VPN from internal through DMZ?.
These are things I want to discuss.
Thanks
Jey.
I don’t think I fully understand the problem, but I do think that you are attempting to overengineer a solution. I will try to address what I understand.
1/2) Why a reverse invoke? For arguments sake, the internal IS handles the processing with your internal systems, and the DMZ IS handles external requests/replies. For any transaction, the DMZ IS would handle the receive from trading partners, and would also post (via https it seems) to the trading partner.
For the TN questions, I think you can have TN inside the firewall, assuming that the DMZ IS is just a pass through.???
I think my best suggestion would be to take a step back and define the architecture you are looking for to process the transactions. Then begin to define areas where there may be security issues. In my previous experiences (which includes industries that have sensative data such as banks and DoD), I have not needed to create an abnormal architecture. I have been to a client that had the DMZ IS provide all the core processing (receive, map, etc), and the internal IS makes the calls to the internal systems). The DMZ is would do a remote invoke to the internal IS. We didn’t do reverse invokes, but would assume it would occur in the same fashion.
Hope that helps a bit…
Jey,
A typical architecture for EDI would be to have your DMZ IS server act as a pass through poxy to your internal IS server. The reverse invoke works by allowing the internal IS server to establish a secure connection to the dmz based IS server. All external request(from your partners) go to the DMZ IS server, this DMZ server simply passes the connection through the secure established pipe to your internal IS server for processing. That way no http or https ports have to be poked through your firewall to allow inbound request which would be very insecure.
For your outbound requests(your are initiating the transaction), this would come from your internal IS server, no need to use the DMZ IS server for this.
In our configuration we are using the DMZ IS to do external posts because our trading partner is doing restricting by IP. Instead of having to maintain all of our proxy IPs at the trading partner, the DMZ IS gets a static IP, and they can restrict on that one.
RI Server can only be used for Inbound transaction! This is all it can do. RI cannot do outbound its not designed for that.
For outbound trabsactions you need a regular proxy inside DMZ
Hi Experts,
As one of my IS is in the DMZ and connected to the TN for Internal.Im proctecting My Internal Integration from the external world by making one of the IS in the DMZ…
My question is How are the outside world ports are mapped to the Internal ports.
Could anyone help me up???
Regards
Ramesh
Please review the webMethods Integration Server Administrator’s Guide. Chapter 7 has a section titled “Protecting Your Internal Integration Server with Reverse Invoke” which describes how to configure your DMZ and internal IS instances.