DMZ Secure Proxy Environment setup for IP Forwarding

The DMZ Secure Proxy Server for IBM WebSphere Application Server was introduced in WebSphere Application Server V7.0. It is a hardened proxy server that can be installed and operated in demilitarized zone (DMZ) topologies. The reduced risk comes from two things: every function and feature that a proxy does not need has been removed from the application server, and the design minimizes the number of external ports that must be opened.

The diagram below shows a topology with DMZ Secure Proxy Servers deployed between an outer and an inner firewall.

[Figure: IP Forward with 2 DMZ Proxies fronted by F5 in a different subnet. Shown: Public Network with sipp clients; Outer Firewall; DMZ containing the F5 (load balancer front end on Subnet 2, load balancer back end on Subnet 3) and the DMZ Proxies; Inner Firewall; Intranet with WAS1 and WAS2; Subnets 1, 4 and 5. (c) 2013 IBM Corporation]

Hardware and Software required for setup

Machines

For a Single DMZ environment, use one machine, Host 1. For a Dual DMZ environment, use two machines, Host 1 and Host 2. On each of these hosts you need to install and configure the following:
- DMZ Secure Proxy Server
- WAS ND, for the Administrative agent and the Secure proxy (configuration-only) profile

For the WAS ND environment, use one machine, Host 3.
On Host 3 you need to install and configure the following:
- WAS ND clustered environment

Note: This document assumes that Host 3 already has a WAS 8.5.5.0 ND clustered environment installed, configured and ready to be fronted by the DMZ Secure Proxy Servers.

Software
- IBM Installation Manager (IM) 1.6.2
- DMZ Secure Proxy Server for IBM WebSphere Application Server Version 8.5.5.0
- IBM WebSphere Application Server Network Deployment Version 8.5.5.0

Software can be obtained from a number of external sources.

Install DMZ Secure Proxy Server on Host 1 and Host 2 (for Dual)

(1) Install IBM Installation Manager (IM) 1.6.2.
(2) After the install completes and IM is brought up, go to File -> Preferences and click the Add Repository button.
(3) In the Repository field, enter the build repository location, for example /WASV855_NDDMZ/DMZ/repository.config.
(4) After the repository is accepted, click OK.
(5) Click the Install icon.
(6) On the Install Packages panel, select DMZ Secure Proxy Server for IBM WebSphere Application Server Version 8.5.5.0 and click Next>.
(7) On the License Agreement panel, select I accept the terms in the license agreement and click Next>.
(8) On the Shared Resources Directory panel, take the default or change the Shared Resources Directory and click Next>.
(9) On the Installation Directory panel, take the default or change the Installation Directory and click Next>.
(10) On the Translations panel, take the default and click Next>.
(11) On the Features panel, take the defaults and click Next>.
(12) On the Summary panel, click Install to begin the installation.
(13) The Results panel appears when the install finishes. For Which program do you want to start, take the default, Profile Management Tool, so that a profile can be created next, and click Finish.

Create the DMZ Secure Proxy Server profile on Host 1 and Host 2 (for Dual)

The DMZ secure proxy server is equipped with capabilities to provide protection from security risks. The security level assigned when the DMZ Secure Proxy Server profile is created is High, Medium or Low. The Medium and Low security levels support only dynamic routing; the High security level supports only static routing. With static routing the server obtains its routing information from local flat files. With dynamic routing the server obtains its routing information over a Hypertext Transfer Protocol (HTTP) tunnel connection that the proxy server opens to a server in the secure zone. The High security level cannot be used for SIP proxy servers, because static routing is not supported for the SIP proxy. This document therefore uses the Low security level so that the DMZ servers can act as SIP proxy servers (Medium also supports dynamic routing; whichever level is chosen here must be chosen again for the configuration-only profile later).

(1) The Profile Management Tool panel appears.
(2) On the Profiles panel, click the Create button.
(3) On the Environment Selection panel, select Secure proxy and click Next>.
(4) On the Profile Creation Options panel, select Advanced profile creation and click Next>.
(5) On the Profile Name and Location panel, take the defaults and click Next>.
(6) On the Node and Host Names panel, take the defaults and click Next>.
(7) On the Security Level Selection panel, select the Low proxy security level, de-select the Web protocol and click Next>.
(8) On the Administrative Security panel, enable administrative security, enter a User name and Password and click Next>.
(9) On the Security Certificate (Part 1) panel, take the defaults and click Next>.
(10) On the Security Certificate (Part 2) panel, take the defaults and click Next>.
Note: the keystore password should be changed later; the default is the same for every profile created this way.
(11) On the Port Values Assignment panel, take the defaults and click Next>.
(12) On the Service Definition panel, take the defaults and click Next>.
(13) On the Profile Creation Summary panel, record the Profile name, Node name and Server name: exactly these names must be reused when the ND Secure proxy (configuration-only) profile is created. Click Create.
(14) On the Profile Creation Complete panel, uncheck Launch the First steps console and click Finish.
(15) On the Profile Management Tool panel, select File > Exit to leave the Profile Management Tool.

Install WAS Version 8.5.5 Network Deployment on Host 1 and Host 2 (for Dual)

Install the IBM WebSphere Application Server Network Deployment (ND) code from the product media or from an installation image onto the machines that host the real DMZ secure proxy servers. The ND install is performed so that an Administrative agent and a DMZ Secure proxy (configuration-only) profile can be configured on those machines.

(1) Back on the IBM Installation Manager panel, go to File -> Preferences and click the Add Repository button.
(2) In the Repository field, enter the build repository location, for example /WASV855_ND/WAS/repository.config.
(3) After the repository is accepted, click OK and then click the Install icon.
(4) On the Install Packages panel, select IBM WebSphere Application Server Network Deployment Version 8.5.5.0 and click Next>.
(5) On the License Agreement panel, select I accept the terms in the license agreement and click Next>.
(6) On the Location panel, enter the Installation Directory and click Next>.
(7) On the Translations panel, take the default and click Next>.
(8) On the Features panel, take the defaults and click Next>.
(9) On the Summary panel, click Install to begin the installation.
(10) When the installation finishes, for Which program do you want to start, take the default and click Finish.

Create the Administrative Agent and Secure proxy (configuration-only) profiles on Host 1 and Host 2 (for Dual)

An Administrative agent is a component that provides enhanced management capabilities for stand-alone application servers; it was introduced in WebSphere Application Server V7.0. The administrative agent can only manage servers installed in the same operating system image as the agent itself. Create an Administrative agent profile whose sole purpose is to administer the DMZ Secure proxy (configuration-only) profile, and start the Administrative agent once the profile exists.

A secure proxy (configuration-only) profile is for use with a DMZ secure proxy server. It exists only to be configured through the administrative console of the Administrative agent; the configuration-only server cannot be started or used for any work. Its configuration is later exported and imported into the real DMZ secure proxy server, so create the DMZ Secure proxy (configuration-only) profile with the same server name, profile name, node name, security level and port values as the real DMZ secure proxy server.

(1) On the Profile Management Tool panel, click the Create button.
(2) On the Environment Selection panel, select Management and click Next>.
(3) On the Server Type Selection panel, select Administrative agent and click Next>.
(4) On the Profile Creation Options panel, select Typical profile creation and click Next>.
(5) On the Administrative Security panel, enable administrative security, enter a User name and Password and click Next>.
Note: You must also enable administrative security when creating the Secure proxy (configuration-only) profile; otherwise the Administrative agent will not be able to manage the node.
(6) On the Profile Creation Summary panel, click Create.
(7) On the Profile Creation Complete panel, uncheck Launch the First steps console and click Finish.
(8) On the Profiles panel, click Create again.
(9) On the Environment Selection panel, select Secure proxy (configuration-only) and click Next>.
(10) On the Profile Creation Options panel, select Advanced profile creation and click Next>.
(11) On the Profile Name and Location panel, make sure the Profile name matches that of the DMZ Secure Proxy Server profile created earlier (step (13) of Create the DMZ Secure Proxy Server profile) and click Next>.
(12) On the Node and Host Names panel, make sure the Node name and Server name match those of the DMZ Secure Proxy Server profile created earlier (the same step (13)) and click Next>.
(13) On the Security Level Selection panel, select Low, de-select the Web protocol and click Next>.
(14) On the Administrative Security panel, enable administrative security here as well, because it was enabled on the Administrative agent. Enter a User name and Password and click Next>.
(15) On the Security Certificate (Part 1) panel, take the defaults and click Next>.
(16) On the Security Certificate (Part 2) panel, take the defaults and click Next>.
Note: the keystore password should be changed later.
(17) On the Port Values Assignment panel, click Default Port Values so that the ports match those assigned during the DMZ Secure Proxy Server profile creation, and click Next>.
(18) On the Profile Creation Summary panel, make sure the Profile name, Node name and Server name match those of the DMZ Secure Proxy Server created earlier and click Create.
(19) On the Profile Creation Complete panel, click Finish.
(20) On the Profiles panel, select File > Exit to leave the Profile Management Tool.

Register the Secure proxy (configuration-only) profile node with the Administrative Agent on Host 1 and Host 2 (for Dual)

After the Secure proxy (configuration-only) profile has been created, register its node with the Administrative agent. This is done so that the secure proxy profile can be configured through the administrative console of the Administrative agent.

(1) Start the Administrative agent from the <WAS_HOME_ND_AdminAgent_profile_directory>/bin directory:

    startServer adminagent
(2) Once the Administrative agent is running, register the Secure proxy (configuration-only) node with it. From <WAS_HOME_ND_AdminAgent_profile_directory>/bin run the registerNode command:

    registerNode -conntype SOAP -port <SOAP_port> -profilePath <WAS_HOME_ND_Secure_proxy_configuration_only_profile_directory> -username <admin_agent_user> -password <admin_agent_passwd> -nodeusername <secure_config_only_user> -nodepassword <secure_config_only_passwd>

Note: The default SOAP port of the Administrative agent is 8877, but it may be different. The SOAP port value is listed in the AboutThisProfile.txt file in <WAS_HOME_ND_AdminAgent_profile_directory>/logs.

Once the node is registered, changes can be made to the Secure proxy (configuration-only) profile through the Administrative agent console (http://<admin_agent_hostname>:<administrative_port>/ibm/console). Prefer the console's secure (HTTPS) port so that the administrative credentials are not sent in the clear.

Note: The default administrative console port is 9060, but it may be different. The administrative port value is also listed in the AboutThisProfile.txt file in <WAS_HOME_ND_AdminAgent_profile_directory>/logs.

Create the Core Group Tunnel connection between the DMZ Secure Proxy server(s) and the WAS 8.5.5 ND cell

These steps are performed on Host 3, the WAS 8.5.5.0 ND internal cell clustered environment.

If you are using a DMZ secure proxy server with dynamic routing, the routing information is exchanged using core groups. In this case you need to create a tunnel access point group that establishes a core group bridge tunnel between the core groups and the DMZ proxy server. The core group contains a bridge service that supports cluster services spanning multiple core groups. Core groups are connected by access point groups. A core group access point defines a set of bridge interfaces that resolve to IP addresses and ports, and it is through this set of bridge interfaces that the core group bridge provides access to a core group. Any WebSphere Application Server process (dmgr, node agent or application server) can be a core group bridge process for a core group.
A process chosen as a core group bridge should have production activities or response times that will not be affected by the bridge workload. Node agents or application servers that do not host any applications can be used as bridges, but if system resources permit it is best to use dedicated, non-clustered application servers that host no applications. It is also best for the bridges of a core group to reside on different physical systems where possible. One bridge is typically sufficient for the workload, but two are recommended so that the bridge service survives the failure of one of them. The bridges in a core group partition high availability (HA) data among the active bridges. To enable seamless bridge failover, where the HA state of a failed bridge is recovered by the remaining bridge(s) without the data becoming unavailable in the local core group, set the WAS core group custom property IBM_CS_HAM_PROTOCOL_VERSION to 6.0.2.31.
For additional information on core group bridges, see the WebSphere Application Server Version 8.5 information center (see Appendix).

To create the core group tunnel, log in to the WAS 8.5.5.0 ND Administrative Console of the WebSphere Application Server Network Deployment (ND) internal cell and do the following. The steps must be followed for each of the DMZ Secure Proxy servers: each DMZ external cell needs its own tunnel to the WAS 8.5.5.0 ND internal cell nodes.

(1) Create Tunnel peer access points for the DMZ Secure Proxy server(s)
Go to Servers -> Core Groups -> Core group bridge settings. Under Additional Properties click the Tunnel peer access points link, then click New.
In the Name field enter any unique name.
In the Cell field enter <CELL_NAME_OF_DMZ_SECURE_PROXY1>; the cell name is the directory name found under <DMZ_Secure_Proxy_Profile_directory>/config/cells on that proxy.
Accept the remaining defaults, click OK and Save directly to the master configuration.

Repeat the above steps for the second DMZ secure proxy server: click New, in the Name field enter any unique name, and in the Cell field enter <CELL_NAME_OF_DMZ_SECURE_PROXY2> (the directory name found under <DMZ_Secure_Proxy_Profile_directory>/config/cells on the second proxy).
Accept the remaining defaults, click OK and Save directly to the master configuration.

(2) Create a Tunnel template
Go to Core Groups -> Core group bridge settings. Under Additional Properties click the Tunnel templates link, click New, enter a Name for the template, click OK and Save directly to the master configuration.

(3) Create a Tunnel access point group
Go to Core Groups -> Core group bridge settings. Under Additional Properties click the Tunnel access point groups link and click New.
(a) Step 1: Specify a Tunnel access point group name and click Next.
(b) Step 2: Add core group access points. The DefaultCoreGroup contains all the servers and node agents of the WAS ND cell. Select the DefaultCoreGroup, add it (>) to the Core group access points in the Tunnel access point group and click Next.
(c) Step 3: Add tunnel peer access points. These are the tunnel peer access points created above, one per DMZ Secure Proxy server. Select the available core group tunnel peer access points, add them (>) to the Tunnel peer access points in the Tunnel access point group and click Next.
(d) Step 4: Review the summary, click Finish and Save directly to the master configuration.

(4) Create the Bridge interface(s)
This step is done once and does not depend on the number of DMZ proxies. The bridge interfaces are the node agents of the WAS internal cell SIP nodes in the DefaultCoreGroup. (The concept section above recommends dedicated, non-clustered bridge servers where resources permit; this setup uses the node agents.)
(a) Go to Core group bridge settings -> Access point groups, click the DefaultAccessPointGroup link, and under Access points click Core group access points.
(b) Select the DefaultCoreGroup (make sure it becomes highlighted) and click the Show Detail button.
(c) On the Core Group page, under Additional Properties click Bridge interfaces.
(d) Click New, select a node agent in the Bridge interfaces dropdown, click OK and Save directly to the master configuration. Click New again, select another node agent in the Bridge interfaces dropdown, click OK and Save directly to the master configuration.
Two node agents are now defined to act as core group bridges.
(e) Go to Core Groups -> Core group settings, click the DefaultCoreGroup link, and under Additional Properties click the Custom properties link. Click New and add the property:
Name: IBM_CS_HAM_PROTOCOL_VERSION
Value: 6.0.2.31
Click OK and Save directly to the master configuration.

(5) Associate the Tunnel access point group with the Tunnel template
(a) Go to Core Groups -> Core group bridge settings -> Tunnel templates and click the template Name link.
(b) Select the Tunnel access point group from the dropdown list (make sure it becomes highlighted), click OK and Save directly to the master configuration. Make sure the Tunnel access point group is now associated with the tunnel template.

(6) Export the Tunnel template
(a) Select (check) the Tunnel template and click the Export button.
Make sure the export was successful. The exported file is named after the template, MyTunnel.props in this example, and is placed in the deployment manager profile directory (<WAS_HOME>/dmgr_profile).

Import the Tunnel template for the DMZ Secure Proxy into the ND Secure proxy (configuration-only) profile on Host 1 and Host 2 (for Dual)

(1) Copy the exported MyTunnel.props to each machine, go to the <Secure proxy (configuration-only) profile>/bin directory and run wsadmin against the local configuration (the configuration-only server is never started, so no connection is used):

    wsadmin -conntype NONE -username <userid> -password <passwd>

From the wsadmin prompt run the import interactively:

    wsadmin>$AdminTask importTunnelTemplate -interactive
    Import tunnel template.
    Import a tunnel template and its children into the cell-scoped configuration.
    *Input file name. (inputFileName): <name/location of the WAS ND tunnel .props file>
    *Bridge Interface Node Name. (bridgeInterfaceNodeName): <name of the Secure proxy node>
    *Bridge Interface Server Name. (bridgeInterfaceServerName): <name of the Secure proxy server>
    Import tunnel template.
    F (Finish)
    C (Cancel)
    Select [F, C]: [F] F
Example of the command that wsadmin generates, followed by saving the configuration:

    WASX7278I: Generated command line: $AdminTask importTunnelTemplate {-inputFileName /MyTunnel.props -bridgeInterfaceNodeName svt-r1c3b06node01 -bridgeInterfaceServerName proxy1}
    wsadmin>$AdminConfig save
    wsadmin>quit

Configure the DMZ Secure Proxy Server for IP Forwarding using the Administrative Console on Host 1 and Host 2 (for Dual)

The secure proxy server configuration is created and maintained in the configuration-only profile and managed through the administrative console of the Administrative agent. Make sure the Administrative agent is running.

(1) On each machine, open the Administrative agent console to make changes to the Secure proxy (configuration-only) profile: http://<admin_agent_hostname>:<administrative_port>/ibm/console
(2) Select the <Secure proxy (configuration-only) node> to administer, click the Continue button and log in to the console.
(3) Go to Servers -> Server Types -> WebSphere proxy servers.
(4) Click the <proxy_name> link. Under Proxy Settings open SIP Proxy Server Settings and click the SIP proxy settings link. In the Default cluster field enter the name of the WAS ND cluster that the DMZ Secure proxy is to route traffic through; this is the cluster name defined in the WebSphere Application Server ND cell.
Click OK and Save directly to the master configuration.
(5) Click the <proxy_name> link. Under Proxy Settings open SIP Proxy Server Settings and click the SIP proxy settings link. Under Additional Properties click the Custom properties link. Click New and add each of the properties below, clicking OK and Save to the master configuration after each entry.
Name: sipClusterCellName                 Value: <cell name of the remote ND cell whose cluster traffic is routed to>
Name: LBIPAddr                           Value: <IP of the Load Balancer>
Name: SIPAdvisorMethodName               Value: OPTIONS
Name: UDPMultiThreadingEnabled           Value: true
Name: burstResetFactor                   Value: 120
Name: clusterRouteConfigUpdateDelay      Value: 60000
Name: forceRport                         Value: true
Name: isSipComplianceEnabled             Value: false
Name: keepAliveFailures                  Value: 3
Name: keepAliveInterval                  Value: 2000
Name: localOutboundTCPAddress            Value: <IP or hostname of the DMZ proxy>
Name: localOutboundTCPPort               Value: 1080
Name: maxDeflatorRatio                   Value: 10
Name: maxThroughputFactor                Value: 90
Name: minDeflatorRatio                   Value: 6
Name: perSecondBurstFactor               Value: 200
Name: proxyTransitionPeriod              Value: 360
Name: receiveBufferSizeSocket            Value: 3000000
Name: sendBufferSizeSocket               Value: 3000000
Name: tcp.IPSprayer.host                 Value: <Load Balancer cluster IP>
Name: tcp.IPSprayer.port                 Value: <port for TCP>, for example 5060
Name: tls.IPSprayer.host                 Value: <Load Balancer cluster IP>
Name: tls.IPSprayer.port                 Value: <port for TLS>, for example 5061
Name: useViaSentByForOutboundConnections Value: true

The property names above follow the SIP proxy custom property names documented in the information center; enter them exactly as shown. SIPAdvisorMethodName = OPTIONS tells the load balancer advisor to health-check the proxies with SIP OPTIONS requests, and the IPSprayer host/port values give the proxy the externally visible load balancer address and ports for TCP and TLS.

The export and import of the configuration preserve the port settings, so serverindex.xml no longer needs to be copied manually to the DMZ Secure Proxy server.

(6) Go to Servers -> Server Types -> WebSphere proxy servers and click the <proxy_name> link.
Under Communications click the Ports link. For each of PROXY_HTTPS_ADDRESS, PROXY_HTTP_ADDRESS, PROXY_SIPS_ADDRESS and PROXY_SIP_ADDRESS, click the port name, change the host from * to <IP or hostname of the DMZ proxy>, click OK and Save directly to the master configuration. Binding the endpoints to the DMZ proxy's own address instead of * makes the proxy listen only on that interface rather than on every address of the host.
(7) Go to Servers -> Server Types -> WebSphere proxy servers and click the <proxy_name> link. Under Java and Process Management click Process definition and then Java Virtual Machine. Enable (check) Verbose garbage collection.
Set Initial heap size to 300 MB and Maximum heap size to 450 MB.
Set Generic JVM arguments to:

    -Xtrace:none -Xmo120m -Xgcpolicy:gencon -Xtgc:parallel -Xgc:noAdaptiveTenure,tenureAge=8,stdGlobalCompactToSatisfyAllocate -Xdump:heap:events=user,request=exclusive+prepwalk+compact -Xloa -Xloaminimum0.03 -XX:MaxDirectMemorySize=256000000 -Xcompactexplicitgc

Click OK and Save to the master configuration.
(8) Go to Servers -> Server Types -> WebSphere proxy servers and click the <proxy_name> link. Under Java and Process Management click Monitoring policy. Change Maximum startup attempts to 2.
Change Ping interval to 30 and Ping timeout to 60. Click OK and Save to the master configuration.
(9) Go to Servers -> Server Types -> WebSphere proxy servers and click the <proxy_name> link. Under Troubleshooting click Logging and tracing, then JVM Logs. For System.out change File Size Maximum to 20 MB and Maximum Number of Historical Log Files to 2; for System.err change File Size Maximum to 20 MB and Maximum Number of Historical Log Files to 2. Click OK and Save to the master configuration.
(10) Go to Servers -> Server Types -> WebSphere proxy servers and click the <proxy_name> link. Under Administration click Custom properties, click New and add:
Name: IBM_CLUSTER_RUNRULES_TIMER_TIME
Value: 1000
Click OK and Save to the master configuration.

Export the proxy profile from the Secure proxy (configuration-only) profile on Host 1 and Host 2 (for Dual) and transfer it to the DMZ Secure Proxy servers

The secure proxy (configuration-only) profile configuration is exported to a configuration archive (CAR) file with the exportProxyProfile wsadmin command. The CAR file is then transferred to the real secure proxy server installation and imported into the DMZ Secure Proxy Server with the importProxyProfile wsadmin command. Repeat this export, transfer and import whenever further changes are made to the secure proxy server configuration.

(1) Go to the <Secure proxy (configuration-only) profile>/bin directory for each DMZ proxy server and run wsadmin against the local configuration:

    wsadmin -conntype NONE -lang jython

From the wsadmin prompt export the proxy profile:

    wsadmin>AdminTask.exportProxyProfile(['-archive', 'mycell.car'])
    ''
    wsadmin>quit
(2) Transfer the archive to the matching DMZ Secure proxy server on Host 1 and Host 2: copy mycell.car to the <DMZ Secure proxy server runtime profile>/bin directory.

Import the Secure proxy (configuration-only) archive into the matching DMZ Secure Proxy server

(1) Start the DMZ Secure proxy server. Go to the <DMZ Secure proxy server runtime profile>/bin directory for each DMZ proxy server:

    startServer <proxy_server_name>

Then run wsadmin, connected to the running proxy server:

    wsadmin -lang jython -username <user> -password <passwd>

From the wsadmin prompt import the proxy profile and save:

    wsadmin>AdminTask.importProxyProfile(['-archive', 'mycell.car', '-deleteExistingServers', 'true'])
    ''
    wsadmin>AdminConfig.save()
    ''
    wsadmin>quit

Using importProxyProfile with the -deleteExistingServers option ensures that all configuration data (including the serverindex.xml information) is transferred to the runtime DMZ Secure Proxy server profile.

Configure the trust association between the DMZ Secure Proxy servers and the internal WebSphere 8.5.5 ND cell

Make sure the dmgr, the node agents and the cluster members of the WebSphere 8.5.5 ND internal cell have been started.

(1) The ssl.client.props file contains the location of the key.p12 and trust.p12 files. On the DMZ Secure proxy servers it is located in the <DMZ Secure proxy server profile>/properties directory. On each DMZ Secure proxy server modify the following two lines:

    com.ibm.ssl.keyStore=${user.root}/etc/key.p12
    to
    com.ibm.ssl.keyStore=${user.root}/config/cells/<dmzcellname>/nodes/<dmznodename>/key.p12

    com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
    to
    com.ibm.ssl.trustStore=${user.root}/config/cells/<dmzcellname>/nodes/<dmznodename>/trust.p12
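The two edits in step (1) are easy to get subtly wrong by hand (a typo in the cell or node name leaves the tools reading a trust store the proxy never uses). The following is an added example written for this page, not IBM code: it makes exactly those two changes, leaves every other property untouched, is safe to run twice, and fails loudly if either property is missing. The cell and node names, the .bak convention and the sample excerpt are assumptions constructed for the demonstration.

```python
"""Rewrite com.ibm.ssl.keyStore / com.ibm.ssl.trustStore in a DMZ Secure Proxy ssl.client.props.

Added example, not part of the IBM document. Only the two properties named in step (1)
are changed; comments, blank lines and all other properties pass through unchanged.
"""
import re
import shutil
from typing import Dict, List, Tuple

# Property -> file it must point at, per step (1) of the trust association section.
STORE_FILES = {"com.ibm.ssl.keyStore": "key.p12", "com.ibm.ssl.trustStore": "trust.p12"}
_PROP_LINE = re.compile(r"^(\s*)([A-Za-z0-9_.]+)\s*=(.*)$")


def node_store_path(cell: str, node: str, filename: str) -> str:
    """${user.root}/config/cells/<cell>/nodes/<node>/<file>: the location the document wants."""
    return "${user.root}/config/cells/%s/nodes/%s/%s" % (cell, node, filename)


def rewrite_ssl_client_props(text: str, cell: str, node: str) -> Tuple[str, Dict[str, str]]:
    """Return (new_text, changes). changes maps each property that was actually modified to
    its new value, so a second run over the already-rewritten file reports no changes.
    Raises ValueError if a property is absent, instead of silently doing nothing."""
    out: List[str] = []
    changes: Dict[str, str] = {}
    seen = set()
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]                       # keep the file's own line endings
        m = _PROP_LINE.match(body)
        if m and m.group(2) in STORE_FILES:
            key = m.group(2)
            seen.add(key)
            new_val = node_store_path(cell, node, STORE_FILES[key])
            if m.group(3).strip() != new_val:
                changes[key] = new_val
            out.append("%s%s=%s%s" % (m.group(1), key, new_val, eol))
        else:
            out.append(line)
    missing = sorted(set(STORE_FILES) - seen)
    if missing:
        raise ValueError("ssl.client.props has no line for: %s" % ", ".join(missing))
    return "".join(out), changes


def rewrite_file(path: str, cell: str, node: str) -> Dict[str, str]:
    """Apply the rewrite in place, keeping a <path>.bak copy of the original first
    (assumed convention for this example)."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    new_text, changes = rewrite_ssl_client_props(original, cell, node)
    if changes:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changes


# Constructed excerpt in the shape of an ssl.client.props (not a real file) for a dry run.
SAMPLE = """# constructed sample
com.ibm.ssl.protocol=SSL_TLSv2
com.ibm.ssl.keyStore=${user.root}/etc/key.p12
com.ibm.ssl.keyStorePassword={xor}AAAA
com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
"""

if __name__ == "__main__":
    # Dry run against the constructed sample; rewrite_file() does the same on a real path.
    new_text, changes = rewrite_ssl_client_props(SAMPLE, "dmzCell01", "dmzNode01")
    print(changes)
    print(new_text)
```

Run rewrite_file() against <DMZ Secure proxy server profile>/properties/ssl.client.props with the cell and node names taken from the profile's config/cells directory; the returned mapping is the audit record of what was changed.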
With the two properties pointing at the node directory, the key and trust stores used by the command-line tools are the ones in the profile configuration of the DMZ proxy server, so the signer retrieved in the next step is added to the trust store the proxy actually uses.

(2) Go to the <DMZ Secure proxy server runtime profile>/bin directory on each DMZ proxy server and run the retrieveSigners command:

    retrieveSigners -conntype SOAP -port <dmgr_soap_port> -host <dmgr_host_name> -username <dmgr_user> -password <dmgr_user_passwd> -listRemoteKeyStoreNames -listLocalKeyStoreNames -autoAcceptBootstrapSigner

This command configures the trust association between the WebSphere internal cell servers and the DMZ external cell by adding the cell's signer certificate to the DMZ proxy server's trust store (trust.p12). -autoAcceptBootstrapSigner accepts the signer presented on that SOAP connection without prompting, so check the signer details the command prints against the deployment manager's certificate: whatever answered on that port is now trusted.

On Windows, if the Administrative agent server is running on the machine, run retrieveSigners again against the configured interprocess communications (IPC) port:

    retrieveSigners NodeDefaultTrustStore ClientDefaultTrustStore -username <dmzuser> -password <dmzpasswd> -conntype IPC -host localhost -port <local_ipc_port> -autoAcceptBootstrapSigner

As a backup, copy the trust.p12 file from the <DMZ Secure proxy server runtime profile>/config/cells/<dmzcellname>/nodes/<dmznodename> directory to the <DMZ Secure proxy server runtime profile>/etc directory.

(3) Stop and restart each DMZ Secure Proxy server.

The environment is now ready to send SIP traffic through the Load Balancer to the multiple fronted DMZ Secure proxy servers.

Configuring DMZ Firewalls

Configuration setup for the DMZ Secure proxies fronted by an F5 with inner and outer firewalls.
[Figure, repeated from the introduction: IP Forward with 2 DMZ Proxies fronted by F5 in a different subnet; Public Network (sipp), Outer Firewall, DMZ with F5 and DMZ Proxies, Inner Firewall, Intranet with WAS1 and WAS2.]

Inner Firewall rules

From IP             | From Port            | To IP                                              | To Port              | Protocol   | Comments
DMZ Secure proxies  | Ephemeral port range | Core Bridge servers (node agents of the WAS internal cell) | Bridge DCS port | TCP or TLS | Incoming DCS
DMZ Secure proxies  | Ephemeral port range | WAS internal cell SIP containers                   | 5060, 5061, 5062, 5063 | TCP or TLS | SIP TCP, TLS
DMZ Secure proxies  | Ephemeral port range | WAS internal cell DMGR                             | DMGR SOAP port       | SOAP       | Incoming SOAP*

Keep the SSH port open for administration. Block all other ports that are not used.

The To IP of each Core Bridge server is that of the node agents chosen as bridge interfaces in step (4)(d) of the core group tunnel creation; they are listed in the exported MyTunnel.props file. The To Port of each Core Bridge server is the port of its DCS_UNICAST_ADDRESS end point. DMZ Secure proxies reach the WAS containers over either TCP or TLS.

* The retrieveSigners command run in the trust association section uses this SOAP port; it is what lets the DMZ external cells trust the WAS internal cell servers.

All three flows are initiated from the DMZ proxies towards the intranet (the core group tunnel, the SIP connections and the SOAP call all originate on the proxy), so the inner firewall only needs to admit new connections in that direction and let the replies back through state tracking; nothing on the intranet needs to open a connection into the DMZ apart from the administrative SSH access.
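To make the inner firewall table concrete, the following is an added example written for this page, not IBM or F5 configuration. It turns the three allowed flows (plus administrative SSH) into a default-deny iptables FORWARD ruleset in which the source is pinned to the DMZ proxies, return packets are admitted only through connection tracking, and everything else is logged and dropped; it also refuses rules with wildcard addresses so the table cannot be silently widened. The addresses, the bridge DCS port and the DMGR SOAP port are assumed values standing in for the table's placeholders.

```python
"""Default-deny inner firewall rules derived from the Inner Firewall rules table.

Added example, not from the IBM document. Addresses and ports below are assumptions:
DMZ proxies on 10.10.4.0/28, intranet cell on 10.10.5.0/24, node agents 10.10.5.11/.12
as the core group bridges, dmgr on 10.10.5.10, admin jump host 10.10.5.200.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence


@dataclass(frozen=True)
class Flow:
    src: str              # initiator, host or CIDR
    dst: str              # responder, host or CIDR
    dports: Sequence[int] # destination ports (the "To Port" column)
    comment: str


DMZ_PROXIES = "10.10.4.0/28"
INNER_FLOWS = [
    Flow(DMZ_PROXIES, "10.10.5.11", (9353,), "Incoming DCS to bridge nodeagent 1 (DCS_UNICAST_ADDRESS, assumed port)"),
    Flow(DMZ_PROXIES, "10.10.5.12", (9353,), "Incoming DCS to bridge nodeagent 2 (DCS_UNICAST_ADDRESS, assumed port)"),
    Flow(DMZ_PROXIES, "10.10.5.0/24", (5060, 5061, 5062, 5063), "SIP TCP/TLS to WAS SIP containers"),
    Flow(DMZ_PROXIES, "10.10.5.10", (8879,), "SOAP to dmgr for retrieveSigners (assumed port)"),
    Flow("10.10.5.200/32", DMZ_PROXIES, (22,), "SSH from the admin jump host to the DMZ proxies"),
]

_WILDCARDS = ("", "any", "0.0.0.0/0", "::/0")


def validate(flows: Iterable[Flow]) -> None:
    """Reject rules that would widen the table: wildcard addresses, empty or invalid port lists."""
    for f in flows:
        if f.src.lower() in _WILDCARDS or f.dst.lower() in _WILDCARDS:
            raise ValueError("wildcard address in rule: %s" % f.comment)
        if not f.dports or any(not (1 <= p <= 65535) for p in f.dports):
            raise ValueError("bad port list in rule: %s" % f.comment)


def iptables_forward(flows: Iterable[Flow], log_prefix: str = "inner-fw-drop: ") -> List[str]:
    """Return the iptables commands for the FORWARD chain.
    Source ports are deliberately not matched: the initiator's source port is ephemeral, and
    replies come back through the ESTABLISHED,RELATED rule rather than a reverse allow rule,
    so the ruleset cannot be used to open a connection from the intranet into the DMZ."""
    flows = list(flows)
    validate(flows)
    cmds = [
        "iptables -P FORWARD DROP",
        "iptables -F FORWARD",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP",
    ]
    for f in flows:
        ports = ",".join(str(p) for p in f.dports)
        cmds.append(
            'iptables -A FORWARD -p tcp -s %s -d %s -m multiport --dports %s '
            '-m conntrack --ctstate NEW -m comment --comment "%s" -j ACCEPT'
            % (f.src, f.dst, ports, f.comment))
    cmds.append('iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "%s"' % log_prefix)
    cmds.append("iptables -A FORWARD -j DROP")
    return cmds


if __name__ == "__main__":
    print("\n".join(iptables_forward(INNER_FLOWS)))
```

The outer firewall follows the same pattern with the client ranges as source and the load balancer VIP on 5060/5061 as destination; the validate() check is what enforces the footnote's point that, for a gateway deployment, the client side is a known list of addresses rather than "any".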
Outer Firewall rules

From IP             | From Port | To IP                       | To Port    | Protocol | Comments
Clients*            | Any       | Virtual IP of Load Balancer | 5060, 5061 | TCP/TLS  | Incoming clients
DMZ Secure proxies  | Any       | Clients*                    | 5060, 5061 | TCP/TLS  | Outgoing to clients

Block all other ports that are not used.

* In the case of a gateway, the clients are external communities or other gateways whose IP addresses or ranges are known, so the customer opens the firewall only to those specific IP addresses or ranges.

Appendix

WebSphere Application Server Version 8.5 information center
http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp

IBM WebSphere Application Server V8.5 Concepts, Planning, and Design Guide
http://www.redbooks.ibm.com/redbooks/pdfs/sg248022.pdf

Configuring and Deploying WebSphere SIP Environments
https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/websphere SIP and CEA/page/Configuring and Deploying WebSphere SIP Environments
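The outer firewall admits client SIP only to the load balancer VIP on 5060 (TCP) and 5061 (TLS), and the SIPAdvisorMethodName = OPTIONS custom property has the F5 health-check the proxies with SIP OPTIONS. A practitioner's end-to-end check, once each DMZ Secure Proxy server has been restarted, is to send that same OPTIONS request through the outer firewall to the VIP and confirm that the reply is an answer to our request rather than a stray message. The following is an added example written for this page, not IBM or F5 code: it builds a minimal RFC 3261 OPTIONS request, parses the response, matches it on the Via branch and CSeq, and verifies the TLS certificate on 5061. The VIP name, local address and the sample response used in the test are assumed or constructed.

```python
"""SIP OPTIONS probe towards the load balancer VIP in front of the DMZ Secure Proxies.

Added example, not part of the IBM document. Network I/O happens only in probe();
the builders and parsers are pure so they can be exercised offline.
"""
import socket
import ssl
import uuid
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = "z9hG4bK"   # RFC 3261 branch prefix; responses are matched on the branch


def build_options(target: str, port: int, transport: str, local_host: str,
                  branch: Optional[str] = None) -> bytes:
    """Return a minimal, valid OPTIONS request. transport is 'TCP' (5060) or 'TLS' (5061)."""
    branch = branch or MAGIC_COOKIE + uuid.uuid4().hex[:16]
    scheme = "sips" if transport.upper() == "TLS" else "sip"
    lines = [
        "OPTIONS %s:%s:%d SIP/2.0" % (scheme, target, port),
        "Via: SIP/2.0/%s %s;branch=%s;rport" % (transport.upper(), local_host, branch),
        "Max-Forwards: 70",
        "From: <sip:probe@%s>;tag=%s" % (local_host, uuid.uuid4().hex[:8]),
        "To: <%s:%s>" % (scheme, target),
        "Call-ID: %s@%s" % (uuid.uuid4().hex, local_host),
        "CSeq: 1 OPTIONS",
        "Contact: <sip:probe@%s;transport=%s>" % (local_host, transport.lower()),
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, str, Dict[str, str]]:
    """Parse a SIP response head into (status, reason, headers). Header names are lower-cased;
    repeated headers (several Via, for example) are joined with ', ' as RFC 3261 allows."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    status_line, *header_lines = head.split("\r\n")
    proto, code, reason = status_line.split(" ", 2)
    if proto != "SIP/2.0":
        raise ValueError("not a SIP/2.0 response: %r" % status_line)
    headers: Dict[str, str] = {}
    for line in header_lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        headers[name] = (headers[name] + ", " + value.strip()) if name in headers else value.strip()
    return int(code), reason, headers


def response_matches(request: bytes, raw: bytes) -> bool:
    """True if the response echoes our Via branch and carries an OPTIONS CSeq, i.e. it is the
    answer to our request and not some other message on the same connection."""
    req_via = next(l for l in request.decode("ascii").split("\r\n") if l.startswith("Via:"))
    branch = req_via.split("branch=", 1)[1].split(";")[0]
    _, _, hdrs = parse_response(raw)
    return ("branch=" + branch in hdrs.get("via", "")) and hdrs.get("cseq", "").endswith(" OPTIONS")


def probe(target: str, port: int, tls: bool = False, timeout: float = 5.0) -> Tuple[int, str]:
    """Connect to the VIP over TCP (or TLS), send OPTIONS and return (status, reason)."""
    transport = "TLS" if tls else "TCP"
    sock = socket.create_connection((target, port), timeout=timeout)
    if tls:
        ctx = ssl.create_default_context()   # verifies the proxy's certificate chain and host name
        sock = ctx.wrap_socket(sock, server_hostname=target)
    with sock:
        local_host = sock.getsockname()[0]
        req = build_options(target, port, transport, local_host)
        sock.sendall(req)
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before a SIP response arrived")
            buf += chunk
        if not response_matches(req, buf):
            raise ValueError("response does not match our Via branch / CSeq")
        status, reason, _ = parse_response(buf)
        return status, reason


if __name__ == "__main__":
    # Assumed VIP name; run from outside the outer firewall to check the client path.
    print(probe("lb-vip.example.test", 5060))
    print(probe("lb-vip.example.test", 5061, tls=True))
```

Run it from a host on the client side of the outer firewall: a 200 on 5060 and 5061 shows the firewall rule, the VIP and at least one proxy are in place, while a connection timeout on one port and success on the other points at the firewall rule for that port. The Via branch check matters because the F5 and the proxies may keep the TCP connection open and the first bytes read are not necessarily the reply to the request just sent.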