
RTC Offshore Access

https://jazz.net/forum/questions/60869/is-there-a-way-to-achieve-jazz-quotmultisitequot

Within the above thread, I asked the same question. This time, I would like to take this specific question out of there and open a new post.

We have a lot of developers (we outsource to IBM, then IBM to India) in India, and we don't want them to get into our WAN/LAN. Currently we are issuing VPN tokens to them, but we are not comfortable. Is there a better way to allow these offshore developers to access the source code in our RTC?

I believe many companies out there will have the same question as we do. Currently how do you handle this issue? All using VPN?

Technical questions (I am not a network guy): 

1. Is it possible to put an extra HTTP server to receive these requests from India and then route them into our internal RTC server?

2. Since all communication between the RTC client and server uses HTTPS, how about we open our RTC server URL directly to the Internet so anyone can access it? I can create user/password in RTC for them, even without using our LDAP (I assume the plain user/password method and LDAP users can co-exist in RTC).

Thanks
Jirong


1 vote



2 answers

Permanent link

A possible solution could be to have an IBM-HTTPS Server (IHS) with the IHS/WAS Plugin in the Extranet.

The Plugin Configuration will forward the calls to the IHS in the Intranet and from there it goes into the WAS and Jazz.

Because of the fact Jazz needs a stable URI, you have to provide the DNS Name of your Jazz to the Internet with the IP address of the Extranet server.

The same DNS name thus has a different IP on the Internet than on the intranet.

This solution is quite easy and straightforward to configure.

One open point is the usernames. If you use LDAP integration, the users need to be registered in your company LDAP registry.

2 votes

Comments

Please see my post below. I find there is limitation in this comment column.


Permanent link
I have a couple of things to consider:

1. Our corporate architecture rule requires us to separate the web server from the application server (they will be in different zones). In a standard RTC installation, there are only a couple of WAR files installed in WAS 7, with no extra IHS server. So I need to install an extra IHS even for LAN users.

2. I found some information regarding the reverse proxy server here:
http://pic.dhe.ibm.com/infocenter/clmhelp/v3r0m1/topic/com.ibm.jazz.install.doc/topics/c_reverse_proxy.html

To follow this solution, I need to add another reverse proxy server in front of the IHS server, possibly in another zone. Is that what you mean?

There is a note here in the RTC infocenter:
Note: A reverse proxy cannot be used if you also plan to use the Rational® Build Forge® Build Engine.

We do want to use BuildForge to do the build, so we can't use your idea?

When I propose your idea to our IT group, they have this comment below:

 The solution below suggests that you want to make a tool available to the Internet. All you are doing is creating separation of security zones by adding a reverse proxy. This does not change the risk of RTC being available directly on the internet. The security experts can provide their opinion on this but I think this would be an issue.

0 votes

Comments

Yes, I mean some sort of a Reverse-Proxy in the Extranet in front of the Webserver in the Intranet. IHS is just an example. Could also be e.g. a Squid server.

The comment of your IT is correct. It's always some sort of a risk if an application must be available for external users. What is important is to limit this risk and manage it.

The use of a reverse proxy in the Extranet limits the access to exactly one Port e.g. 9443 on one server. And the users need at least a login on the Jazz environment.

Additionally you could implement also a front-door Login in the reverse-proxy.

@guido "Additionally you could implement also a front-door Login in the reverse-proxy." - my company tried this with RTC 3.0 and found that doing this prevents the Eclipse client from connecting to the server because the client expects to be able to retrieve certain resources without authenticating. I've not tried this with 3.0.1.x+ but it's something to be aware of.

Thanks for letting me know. Was an idea. I have not tried it.
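
The extranet reverse proxy discussed in the answers above, shown as an added example (not from the posters or from IBM documentation) for plain Apache httpd 2.4 rather than IHS: it exposes only port 9443, keeps the public URI unchanged, verifies the intranet server's certificate, and adds no proxy-level login, given the Eclipse client issue reported above. Assumptions: the host name jazz.example.com, the certificate and log paths, the /jts and /ccm context roots, and that the proxy host itself resolves the Jazz name to the intranet address.

```apache
# Added example: Apache httpd 2.4 in the extranet (mod_ssl, mod_proxy, mod_proxy_http loaded).
# jazz.example.com, all file paths and the /jts and /ccm context roots are placeholders.
# Assumes this host resolves jazz.example.com to the intranet web server (internal DNS
# view or hosts entry), while Internet DNS resolves the same name to this proxy.

Listen 9443

<VirtualHost *:9443>
    ServerName jazz.example.com

    # TLS towards the external clients
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/jazz.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/jazz.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Act as a reverse proxy only, never as a forward proxy
    ProxyRequests Off

    # TLS towards the intranet web server, with the backend certificate verified
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/tls/internal-ca.pem
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Pass the public host name through so the server sees its stable URI
    ProxyPreserveHost On

    # Forward only the Jazz context roots; scheme, host, port and path stay identical
    ProxyPass        /jts https://jazz.example.com:9443/jts
    ProxyPassReverse /jts https://jazz.example.com:9443/jts
    ProxyPass        /ccm https://jazz.example.com:9443/ccm
    ProxyPassReverse /ccm https://jazz.example.com:9443/ccm

    # Refuse every other path at the proxy instead of serving local content
    <LocationMatch "^/(?!(jts|ccm)(/|$))">
        Require all denied
    </LocationMatch>

    # Separate access log for external traffic, for review and alerting
    CustomLog logs/jazz_extranet_access.log combined
</VirtualHost>
```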


Question asked: Oct 05 '12, 9:49 a.m.

Question was seen: 7,195 times

Last updated: Oct 11 '12, 11:35 a.m.
