Is there any way to use DMZ for outbound connectivity? All inbound traffic is flowing through DMZ (Enterprise Gateway) and outbound is through proxy. Is it possible to use DMZ / Enterprise Gateway instead of proxy?
No. EGW is incoming only.
What is prompting the desire to have the outgoing traffic go via path other than your normal corporate egress?
We have DMZ (EGW) for inbound, but security has a concern about the default corp proxy for outbound traffic, so we are evaluating options like a DMZ proxy for outbound traffic. I just want to make sure I’m not missing any design or architectural points for outbound traffic.
In this case you might want to consider providing a separate proxy environment for the technical interfaces instead of your regular proxy environment for normal users.
What concern would that be? The amount of traffic? Hopefully not a security-specific concern – whether some traffic uses egress 1 and other traffic uses egress 2, they both need the same level of security protection.
That’s correct. It’s the amount of traffic from all the users, since the default proxy is the gateway for all the users. From the webMethods side, the amount of traffic is low. However, the team is requesting to use a dedicated proxy for applications.
This is not really a webMethods issue then, but should be checked with your IT and Security departments.
When the regular proxy environment is not available for your technical requirements, they should provide you with a proxy environment for the infrastructure (we call it “Forward Proxy Area”, FPA), which you can configure in your IS to allow messages to be transferred to your external partner.
Why? What issue is being addressed? If it is simply to separate the traffic for some reason, that’s okay but as @Holger_von_Thomsen noted that has nothing to do with IS nor EGS. Networking can set things up so that traffic from your IS instances can use whatever egress they want – IS will have no idea that is happening. IS can be explicitly configured to know about outbound proxies but from a “separation of concerns” aspect, let the network handle those details so the IS administrators don’t need to worry about it.
That’s true. As per the guidelines, all the outbound traffic has to go through DMZ and not through the proxy. And the default proxy is designed for users and not for the apps. So the team is asking us to use a dedicated proxy (like NGINX, or building a new Forward Proxy platform in DMZ for IS). It’s not an IS or webMethods issue.
As far as I understood, DMZ is defined for incoming traffic (to DMZ) only and not for outgoing traffic in either direction.
Enterprise Gateway therefore provides connections coming from the internal IS to the Gateway IS, but the data flow is then reversed, from the Gateway IS to the internal IS over these existing connections. This is just to avoid the Gateway IS needing to have outbound connections out of the DMZ to your internal IS.
When your default proxy is only allowed for regular users and not for apps, it is up to your IT department to provide you with an additional (forward) proxy for apps usage.
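The connection reversal described in the post above, modelled as an added example with plain Python sockets. This is illustration code written for this thread, not webMethods or Enterprise Gateway code: the registration handshake, the line-based message format, the sample request/reply strings and the timeouts are all assumptions, and the real product uses its own protocol on its registration and external ports. What it shows is the one property the DMZ firewall rules rely on: the internal side dials out once to the DMZ listener, and the DMZ side then pushes a partner request back over that same connection and reads the reply, so no rule permitting DMZ-to-internal connections is needed.

```python
import socket
import threading

# Constructed sample traffic for the demo (illustration only, not real
# Integration Server or Enterprise Gateway messages).
PARTNER_REQUEST = b"GET /orders/42\n"
INTERNAL_REPLY = b"200 order 42 ok\n"
TIMEOUT = 5.0


def gateway_register(listener, state):
    """DMZ side. Waits for the internal server to dial in and keeps that
    connection for later reuse. The gateway never opens a socket inward."""
    conn, _ = listener.accept()
    conn.settimeout(TIMEOUT)
    state["registered"] = conn


def internal_server(gw_addr, state):
    """Internal side. Opens the single outbound connection to the DMZ and
    then serves whatever request the gateway pushes back over it."""
    sock = socket.create_connection(gw_addr, timeout=TIMEOUT)
    state["internal_outbound"] += 1  # the only connection anyone dials
    with sock, sock.makefile("rb") as reader:
        request = reader.readline()  # arrives over the existing outbound link
        state["internal_saw"] = request
        reply = INTERNAL_REPLY if request == PARTNER_REQUEST else b"400 unknown\n"
        sock.sendall(reply)


def gateway_forward(state, request):
    """A partner request reaches the DMZ gateway. Instead of connecting to
    the internal network, the gateway writes the request onto the connection
    the internal server already established and reads the reply back."""
    conn = state["registered"]
    conn.sendall(request)
    with conn, conn.makefile("rb") as reader:
        return reader.readline()


def run_demo(request=PARTNER_REQUEST):
    """Run gateway and internal side in-process and return what happened."""
    state = {"internal_outbound": 0, "registered": None, "internal_saw": None}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(TIMEOUT)
    listener.bind(("127.0.0.1", 0))  # DMZ-facing listener on an ephemeral port
    listener.listen(1)
    gw_addr = listener.getsockname()

    t_gw = threading.Thread(target=gateway_register, args=(listener, state))
    t_in = threading.Thread(target=internal_server, args=(gw_addr, state))
    t_gw.start()
    t_in.start()
    t_gw.join()  # registration link from internal to DMZ is now up
    reply = gateway_forward(state, request)
    t_in.join()
    listener.close()
    return {
        "reply": reply,
        "internal_outbound": state["internal_outbound"],
        "internal_saw": state["internal_saw"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The only `socket.create_connection` call is on the internal side; the gateway's role is limited to accepting and reusing that link. Note that this says nothing about outbound egress to partners, which is the point made in the thread: a forward proxy for IS is a separate piece of infrastructure from the DMZ gateway.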