It's all about the answers!

Ask a question

RTC Offshore Access


1
1
Jirong Hu (1.5k7271256) | asked Oct 05 '12, 9:49 a.m.
edited Oct 05 '12, 9:56 a.m.
https://jazz.net/forum/questions/60869/is-there-a-way-to-achieve-jazz-quotmultisitequot

Within the above thread, I asked the same question. This time, I would like to take this specific question out of there and open a new post.

We have a lot of developers (we outsource to IBM, then IBM to India) in India, and we don't want them to get into our WAN/LAN. Currently we are issuing VPN token to them but we are not comfortable. Is there a better way to allow these offshore developers access the source code in our RTC?

I believe many companies out there will have the same question as we do. Currently how do you handle this issue? All using VPN?

Technical questions (I am not a network guy): 

1. Is it possible to put an extra HTTP server to receive these requests from India and then router them into our internal RTC server?

2. Since all communication from RTC client and server are using HTTPS, how about we open our RTC server URL directly to the Internet so anyone can access it. I can create user/password in RTC for them, even without using our LDAP (I assume pain user/password method and LDAP users can co-exist in RTC).

Thanks
Jirong

2 answers



permanent link
Guido Schneider (3.4k1380103) | answered Oct 05 '12, 10:02 a.m.

A possible solution could be to have an IBM-HTTPS Server (IHS) with the IHS/WAS Plugin in the Extranet.

The Plugin Configuration will forward the calls to the IHS in the Intranet and from there it goes into the WAS and Jazz.

Because of the fact Jazz needs a stable URI, you have to provide the DNS Name of your Jazz to the Internet with the IP address of the Extranet server.

The same DNS Name has so a different IP in the Internet than in the Intranet.

This solution is quite easy and straight forward to configure.

One open point are the usernames. If you use LDAP integration, the users need to be registered in your company LDAP registry.


Comments
Jirong Hu commented Oct 10 '12, 10:34 p.m.

Please see my post below. I find there is limitation in this comment column.


permanent link
Jirong Hu (1.5k7271256) | answered Oct 10 '12, 10:33 p.m.
edited Oct 10 '12, 10:47 p.m.
I have a couple of things to consider:

1. Our corporate architecture rule requires us to separate the web server from the application server (they will be in a different zone). In a standard RTC installation, there is only a couple of war files installed in WAS 7, with no extra IHS server. So I need to install an extra IHS even for LAN users.

2. I found some information regarding the reverse proxy server here:
http://pic.dhe.ibm.com/infocenter/clmhelp/v3r0m1/topic/com.ibm.jazz.install.doc/topics/c_reverse_proxy.html

To follow this solution, I need to add another reverse proxy server in front of the IHS server, possibly in another zone. Is that what you mean?

There is a note here in the RTC inforcenter:
Note: A reverse proxy cannot be used if you also plan to use the Rational® Build Forge® Build Engine.

We do want to use BuildForge to do the build, so we can't use your idea?

When I propose your idea to our IT group, they have this comment below:

 The solution below suggests that you want to make a tool available to the Internet. All you are doing is creating separation of security zones by adding a reverse proxy. This does not change the risk of RTC being available directly on the internet. The security experts can provide their opinion on this but I think this would be an issue.


Comments
Guido Schneider commented Oct 11 '12, 4:34 a.m.

Yes, I mean some sort of a Reverse-Proxy in the Extranet in front of the Webserver in the Intranet. IHS is just an example. Could also be e.g. a Squid server.

The comment of your IT is correct. It's always some sort of a risk, if an application must be available for external users. Important is to limit this risk and manage it.

The use of a reverse proxy in the Extranet limits the access to exactly one Port e.g. 9443 on one server. And the users need at least a login on the Jazz environment.

Additionaly you could implement also a front-door Login in the reverse-proxy.


Jared Russell commented Oct 11 '12, 6:12 a.m.

@guido  "Additionaly you could implement also a front-door Login in the reverse-proxy." - my company tried this with RTC 3.0 and found that doing this prevents the eclipse client from connecting to the server because the client expects to be able to retrieve certain resources without authenticating. I've not tried this with 3.0.1.x+ but it's something to be aware of.


Guido Schneider commented Oct 11 '12, 11:35 a.m.

Thanks let me know. Was an idea. I have not tried it.

Your answer


Register or to post your answer.