webMethods Reverse Invoke - HTTP Gateway
webMethods Reverse Invoke is a mechanism for implementing an architectural solution that secures Integration Servers. The solution is implemented by setting up a Reverse HTTP Gateway in the DMZ, which allows the Internal Server to process requests from external clients.
webMethods Reverse Invoke is implemented by configuring:
- Internal Server: Responsible for user validation and transaction processing.
- Reverse HTTP Gateway Server: Responsible for passing inbound requests to the Internal Server and outbound responses to the client.
How Reverse HTTP Gateway Works
For an Integration Server to function as a Reverse HTTP Gateway Server, it must have a gateway external port to listen for requests from external clients (partners) and a gateway registration port through which it maintains its connection to the Internal Server. For security purposes, the Internal Server initiates the connections to the Reverse HTTP Gateway Server's registration port. The following steps summarize how an external client request is handled in a Reverse HTTP Gateway scenario:
- The external client sends a request to the Reverse HTTP Gateway Server.
- The Reverse HTTP Gateway Server streams the message between the inbound connection and the outbound connection to the Internal Server.
- The Internal Server processes the request, then sends a response to the Reverse HTTP Gateway Server.
- The Reverse HTTP Gateway Server sends a response to the external client.
The following diagram shows the location of the gateway external port and gateway registration port in the Reverse HTTP Gateway configuration.
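The request flow described above, modeled on localhost as an added example (not code from the original page or from webMethods): the Internal Server only dials out to the registration port, and the gateway relays one request over that connection. The function names, the sample request and the plain-byte framing are assumptions and do not represent the product's wire protocol.

```python
import socket
import threading

# Simplified model only: one registration, one request, plain bytes.
# Not the webMethods wire protocol; all names here are hypothetical.

def gateway(reg_sock, ext_sock, allowed_ips):
    """DMZ side: owns both listeners (registration port and external port)."""
    conn, (peer_ip, _) = reg_sock.accept()      # Internal Server dials in
    if peer_ip not in allowed_ips:              # "Deny by Default" on the port
        conn.close()
        return
    client, _ = ext_sock.accept()               # external client (partner)
    with conn, client:
        conn.sendall(client.recv(4096))         # request: external -> internal
        client.sendall(conn.recv(4096))         # response: internal -> external

def internal_server(registration_addr):
    """Trusted side: outbound connection only, it never opens a listener."""
    with socket.create_connection(registration_addr) as s:
        request = s.recv(4096)
        if request:                             # empty read: gateway refused us
            s.sendall(b"processed:" + request.upper())

def run_demo(allowed_ips=frozenset({"127.0.0.1"})):
    """Return the reply the external client gets, or None if nothing answers."""
    reg = socket.create_server(("127.0.0.1", 0))   # gateway registration port
    ext = socket.create_server(("127.0.0.1", 0))   # gateway external port
    workers = [
        threading.Thread(target=gateway, args=(reg, ext, allowed_ips), daemon=True),
        threading.Thread(target=internal_server, args=(reg.getsockname(),), daemon=True),
    ]
    for w in workers:
        w.start()
    try:
        with socket.create_connection(ext.getsockname(), timeout=1) as c:
            c.sendall(b"order-123")             # constructed sample request
            return c.recv(4096)
    except socket.timeout:
        return None                             # no registered Internal Server
    finally:
        for w in workers:
            w.join(timeout=1)
        reg.close()
        ext.close()

if __name__ == "__main__":
    print(run_demo())                           # registration allowed
    print(run_demo(allowed_ips=frozenset()))    # registration denied
```

With an empty allow list the registration is refused, so the external request is never answered: the gateway has nothing behind it to relay to.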
Setting Up the Reverse HTTP Gateway Server
The two main steps in setting up a Reverse HTTP Gateway configuration are:
- Configuring an Integration Server in the DMZ to be a Reverse HTTP Gateway Server
  - Ask your network/firewall administrator to open a firewall port for this communication.
  - Install an Integration Server in your DMZ to be your Reverse HTTP Gateway Server.
  - Disable the Developer and Replicator users
  - Set up the gateway external port
  - Set up the gateway registration port
- Configuring your Internal Integration Server to connect to the Reverse HTTP Gateway Server.
  - Set up the Internal Server port
Example - Reverse Invoke
The example below demonstrates the step-by-step implementation of reverse invoke.
- Install an Integration Server in the DMZ to be your Reverse HTTP Gateway Server. Any external client on the Internet can access your Reverse HTTP Gateway Server; therefore, be very security conscious about the services you make available and the users you define.
- Disable the Developer and Replicator users. You will not need these users on a Reverse HTTP Gateway Server. Disabling these users prevents someone from gaining access to your Reverse HTTP Gateway Server through them.
- Get a firewall port opened from the internal network. You need to get in touch with your network/firewall administrator for this.
- To set up the gateway external port and gateway registration port, log in to the gateway server, go to Security > Ports and click on the Add Port link.
- As we are going to configure an HTTP reverse gateway server, select the port type "Reverse HTTP Gateway Server" and click on the submit button.
- Now select the protocol "HTTP" or "HTTPS", the port number and the rest of the input parameters. In this example we have selected an HTTP port and the rest of the parameters as below. For "Gateway Registration Port", provide a bind address (IP of internal server to avoid outside access). Once all required parameters are provided, click on the "save changes" button.
- Now, you will see these ports as below:
- For security reasons, edit the 'IP access' for the Gateway Registration port and, if needed, also for the gateway external port. Click on the link 'Change IP Access Mode to Deny by Default'.
- Now click on the link 'Add Hosts to Allow List' and then provide the host names/IP addresses to be allowed.
- To set up the Internal Server port, log in to the internal Integration Server and go to Security > Ports > Add Port. Select "Internal Server" as the type of port and click on the submit button.
- Select the protocol, provide the details for the gateway server with the registration credentials, and then click on save changes.
- You will see the Internal Server port as below:
That's all there is to configuring reverse invoke in webMethods.