ECE Web Server Architecture

paul.popour
Level 1

I'm trying to do an architecture review of a design where the ECE Web Server is in a DMZ and I'm unable to find the answer to some pretty basic questions. 


1. We have a request for inbound from any address on the Internet to the ECE Web Server on TCP 443 - What's the authentication mechanism for this connection?


2. The installation guide shows a connection from the Web Server to the Application Server on TCP 15006 - What's the authentication mechanism for this connection?


3. The installation guide (p.53) under Web Server Details shows "Domain User Account Parameters", implying the Web Server needs to be an AD domain member. This would require several ports to be open inbound to AD DCs from a DMZ server with inbound Internet connections. Is domain membership a requirement for an ECE Web Server located in a DMZ? If so, what drives this requirement?

touma.kayal
Level 1

Hello everyone, 

Can anyone answer point 3, as one of our clients is refusing to join the web server to the domain?

I believe, based on this defect, it doesn't have to be for the web server?
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx41518

Hi @touma.kayal 
In my recent deployments, I didn't have to use a domain account on the web server. When it was in DMZ it was always a standalone server.

I can also say that good practice for the Web Server in the DMZ is that this machine should have 2 NICs, to separate traffic:

  • external NIC - communication with Internet
  • internal NIC - communication between DMZ and internal (public) network - to Application Server

As for point 2 - in my opinion the Web Server acts as a reverse proxy and forwards the requests to the Application Server that is bound to the Web Server. You can check that in the isap_redirect logs. Most of the communication between ECE servers is based on the Java RPC protocol. I'm not sure if there is any "authentication" mechanism between them.

Marek https://gaman-gt.com
UCCE, PCCE, UCCX, WxCC, Cisco Finesse, Custom Gadget, CVP, CUIC, CUCM
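The two-NIC DMZ layout from the reply above, as an added example that is not part of the thread or of Cisco's documentation: a helper that emits an iptables-restore policy for the Web Server in which the external NIC accepts only inbound TCP 443, the internal NIC may open only TCP 15006 to the Application Server, and everything else (including the AD ports that point 3 worries about) is dropped and logged. Interface names, the Application Server address, the admin subnet and the SSH management rule are assumptions, not values from the thread.

```shell
#!/bin/sh
# Generate a host firewall policy for a two-NIC ECE Web Server in a DMZ.
# Arguments: external NIC, internal NIC, Application Server IP, admin subnet.
# Assumed values (not from the thread): eth0/eth1, 10.10.20.5, 10.10.30.0/24.
ece_dmz_rules() {
    ext_if="$1"; int_if="$2"; app_server="$3"; admin_net="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# External NIC: only HTTPS from the Internet reaches the Web Server
-A INPUT -i $ext_if -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Internal NIC: the Web Server may open only TCP 15006, and only to the Application Server
-A OUTPUT -o $int_if -d $app_server -p tcp --dport 15006 -m conntrack --ctstate NEW -j ACCEPT
# Management access from the internal admin network only (assumed requirement)
-A INPUT -i $int_if -s $admin_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# No AD/domain ports (Kerberos, LDAP, SMB, RPC) are opened: the DROP policy covers them,
# and the LOG rules make any such attempt visible in the host log for detection
-A INPUT -j LOG --log-prefix "ECE-DMZ-DROP-IN "
-A OUTPUT -j LOG --log-prefix "ECE-DMZ-DROP-OUT "
COMMIT
EOF
}

# Review helper: confirm the generated policy never opens a common AD port.
ece_dmz_has_ad_ports() {
    echo "$1" | grep -Eq -- '--dport (88|135|389|445|636|3268)( |$)'
}
```

Load the output with `iptables-restore < rules.txt` on the Web Server; run `ece_dmz_has_ad_ports "$(ece_dmz_rules ...)"` as a pre-deployment check.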