Reverse proxy (IP forwarding)
Reverse proxy, or IP-forwarding, topologies use a reverse proxy server, such as the Caching Proxy in the WAS Edge Components, to receive incoming HTTP requests and forward them to a Web server. The Web server forwards the requests to the Application Servers for actual processing. The reverse proxy returns completed requests to the client, hiding the originating Web server.
The following figure shows a simple reverse proxy topology.
In this example, a reverse proxy resides in a demilitarized zone (DMZ) between the outer and inner firewalls. It listens on an HTTP port, typically port 80, for HTTP requests. The reverse proxy then forwards such requests to an HTTP server that resides on the same machine as WAS. After the requests are fulfilled, they are returned through the reverse proxy to the client, hiding the originating Web server.
Typical use
Reverse proxy servers are typically used in DMZ configurations to provide additional security between the public Internet and the Web servers (and application servers) servicing requests. A reverse proxy product used with WAS must support Network Address Translation (NAT) and WAS security.
Reverse proxy configurations support high-performance DMZ solutions that require as few open ports in the firewall as possible. The reverse proxy capabilities of the Web server inside the DMZ require as few as one open port in the second firewall, potentially two if Secure Sockets Layer (SSL) is used (port 443).
Advantages of using a reverse proxy server in a DMZ configuration include:
- The reverse proxy server does not need database access through the firewall.
- The reverse proxy configuration supports WAS security and NAT firewalls.
- The basic reverse proxy configuration is well known and tested in the industry, resulting in less customer confusion than other DMZ configurations.
- The reverse proxy configuration is reliable and its performance is relatively fast.
- The reverse proxy configuration eliminates protocol switching, by using the HTTP protocol for all forwarded requests.
- The reverse proxy configuration does not affect the configuration and maintenance of an application deployed on WAS.
- The reverse proxy server uses only one HTTP firewall port for requests and responses.
Using one port for both requests and responses is also a disadvantage in some environments where security policies prohibit using the same port or protocol for inbound and outbound traffic across a firewall.
Disadvantages of using a reverse proxy server in a DMZ configuration include the following:
- The presence of a reverse proxy server in a DMZ is not suitable for some environments.
- The reverse proxy configuration requires more hardware and software than similar topologies that do not include a reverse proxy server, which makes it more complicated to configure and maintain.
- The reverse proxy server does not participate in WAS workload management.
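The port and access claims above (one open port in the second firewall, two with SSL, and no database access from the DMZ) can be checked against an inner-firewall rule set. The following is an added example, not part of the original documentation or of any WAS tooling; the rule syntax, the addresses, and the port 50000 database rule are constructed for illustration.

```python
import ipaddress
import re

# Assumed (hypothetical) addresses for the topology described on this page.
PROXY = ipaddress.ip_network("192.0.2.10/32")      # reverse proxy in the DMZ
WEB_SERVER = ipaddress.ip_network("10.0.0.20/32")  # HTTP server on the WAS machine
ALLOWED_PORTS = {80, 443}                          # HTTP, plus 443 only when SSL is used

# Constructed rule syntax: "allow tcp <src> -> <dst>:<port>"
RULE = re.compile(r"^allow\s+tcp\s+(\S+)\s+->\s+(\S+):(\d+|any)$")

def _net(text):
    """Parse an address, a CIDR block, or the keyword 'any' into a network."""
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text, strict=False)

def audit_inner_firewall(rules_text):
    """Return (rule, reason) findings for rules wider than the topology needs."""
    findings = []
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            findings.append((line, "unparsed rule"))
            continue
        src, dst, port = _net(m.group(1)), _net(m.group(2)), m.group(3)
        if not src.subnet_of(PROXY):
            findings.append((line, "source is wider than the reverse proxy"))
        if not dst.subnet_of(WEB_SERVER):
            findings.append((line, "destination is not the Web server"))
        if port == "any" or int(port) not in ALLOWED_PORTS:
            findings.append((line, "port is not 80 or 443"))
    return findings

# Constructed sample rule set for the second (inner) firewall.
SAMPLE_RULES = """\
allow tcp 192.0.2.10 -> 10.0.0.20:80
allow tcp 192.0.2.10 -> 10.0.0.20:443
allow tcp 192.0.2.10 -> 10.0.0.30:50000   # DMZ host reaching a database
allow tcp 192.0.2.0/24 -> 10.0.0.20:80    # whole DMZ, not just the proxy
allow tcp any -> 10.0.0.20:any
"""

if __name__ == "__main__":
    for rule, reason in audit_inner_firewall(SAMPLE_RULES):
        print(f"{reason}: {rule}")
```

The first two sample rules produce no findings; the remaining three are each reported with the reason they exceed what the reverse proxy topology requires.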
Instructions
Implementation specifics are determined by the reverse proxy server. Refer to the documentation for the product you are using. No additional WAS administration is required for the reverse proxy server, although you might need it for other elements of the reverse proxy topology.