TN installation on DMZ or on Internal Server?

Hi there,

I got a doubt on installation of TN, which one would be the best option i.e

  1. Installation of TN on DMZ
  2. Installation of TN in the internal network.

Can someone please tell me which is the best option and why?

Thanks in advance,

For B2B transactions scenario you can install IS/TN in DMZ (outside firewall) and another IS/TN internal network processing (both share same DB).There can be other options also it depends on your env feasibility.


IMO, always put TN on an IS in the internal network. TN must have access to its DB tables. If TN is in the DMZ, then either DB server must also be there or the internal firewall would need to be configured to allow the access from IS/TN to the internal DB–neither are good options.

Use a proxy of some sort, such as the IS Gateway (formerly Reverse Invoke Server), in the DMZ and put everything else in the internal/protected network.

I totally second Reamon approach :

  • We had DMZ TN when we’re using 6.1 and it’s really a nightmare to manage … if your applying expected security rules. And in security point of view, it’s not good having some intelligence on DMZ. More, in order to process the business, we had to enable some bridge w/ the DMZ and our private network. Those bridge are initiated by the DMZ component which is another big security hole.
  • Now, with 7.1, we are using an http gateway. Almost no administration because it is transparent so everything is done in the inner TN. And the security is far better because this http GW has no right so unable to access by itself to our inner servers.



I understand the concept, but how does the scenario of sending meesages initiated internally to external parties work? Are they sent via the gateway, or directly from the internal IS?

Directly. The gateway is only for inbound traffic, never outbound.

I thought as much. Company I am currently working for a sensitive about sending outbound messages from an internal server. Any suggestions?

Outbound traffic could be directed via generic outbound proxy. IS provides support for doing so, if memory serves.

How is that setup done same via HTTP Reverse gateway route?


It isn’t. The wM Gateway cannot be used as a proxy for outbound traffic.

RMG, just wondering if we could be confronted with such a need/requirement… though I feel the route Internal IS → RI/Wm Gateway → Proxy → External Partner would make a clean implementation for all outbound traffic.


Yes agreed:

What does “clean implementation” mean?

What would wM Gateway do that a general-purpose proxy could not?