If you want to make the ITA web client or Tenant Portal available to your colleagues or customers directly from the Internet, make sure you have a proxy configuration in the DMZ.
Note: The DMZ setup protecting ITA against direct Internet access is entirely your own responsibility!
Here are some recommendations on how to set up the proxy server.
This is not a complete guide. You should already have a working knowledge of scripting, web proxy, and DMZ configuration, or find it easy to acquire this knowledge.
About DMZ proxy and firewall port configuration
The ITA server should be on a protected network behind a firewall and not exposed directly on the Internet.
The only incoming traffic allowed through the firewall to the ITA server should be on ports 80/443.
Note: You must set up a proxy server in the DMZ that supports only incoming https on port 443 and proxies requests to the ITA server on port 80/443 for the path /web/ only.
You may want to use Nginx, Apache, AH Proxy, or another proxy tool. The examples here refer to an Nginx setup.
You should only use secure https protocols, not, for example, SSL v2. For an Nginx setup, the default protocols TLSv1, TLSv1.1 and TLSv1.2 are supported.
Configuring a proxy for the Tenant Portal
Proxy-specific commands are explained in this section. For more information, refer to the complete Nginx configuration guide.
- Ensure the Nginx server only handles https.
  If an http request is made, it will be forwarded to https.

  ```nginx
  # Redirect browsers from http to https
  server {
      listen 80;
      rewrite ^(.*) https://$host$1 permanent;
  }
  ```
- Set up the actual ssl connection pointing to the certificates.

  ```nginx
  # Set up the proxy to ITA
  server {
      listen 443 ssl;
      server_name $NGINX_ADDRESS;
      ssl_certificate $PATH_TO_CERTIFICATE_FILE;
      ssl_certificate_key $PATH_TO_PRIVATE_KEY_FILE;
  }
  ```
- Proxy to the Tenant Portal.

  ```nginx
  # First handle requests to the actual application path /web
  location /web/ {
      proxy_pass http://$ITA_ADDRESS;
  }
  ```
- Proxy root requests to the same location.
  This is an additional option to proxy root requests to the same location, allowing the user to exclude /web in the URL when accessing the Tenant Portal.
  NOTE: The order matters! The location /web must be specified before location /.

  ```nginx
  # Handle root requests and forward to /web
  location / {
      proxy_pass http://$ITA_ADDRESS/web/;
  }
  ```
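The fragments above assembled into one file, as an added example that is not part of the original guide: it shows the two location blocks nested inside the port 443 server block and pins the TLS protocol versions explicitly. The `ssl_protocols` and `proxy_set_header` lines are additions beyond the page, and whether ITA reads the forwarded headers is an assumption.

```nginx
# Added example. Replace the $UPPER_CASE placeholders (taken from the page)
# with real values before loading; $host, $1, $scheme and
# $proxy_add_x_forwarded_for are genuine nginx variables and stay as written.

# Redirect browsers from http to https
server {
    listen 80;
    rewrite ^(.*) https://$host$1 permanent;
}

# TLS endpoint in the DMZ, proxying to ITA
server {
    listen 443 ssl;
    server_name $NGINX_ADDRESS;

    ssl_certificate     $PATH_TO_CERTIFICATE_FILE;
    ssl_certificate_key $PATH_TO_PRIVATE_KEY_FILE;

    # Addition beyond the page: set protocols explicitly instead of relying
    # on defaults. TLS 1.0 and 1.1 are deprecated by RFC 8996. Assumes an
    # nginx build with TLSv1.3 support; remove TLSv1.3 if yours lacks it.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Addition beyond the page: pass the original client address and scheme
    # to the backend (assumption: ITA tolerates or uses these headers).
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # First handle requests to the actual application path /web
    location /web/ {
        proxy_pass http://$ITA_ADDRESS;
    }

    # Handle root requests and forward to /web
    location / {
        proxy_pass http://$ITA_ADDRESS/web/;
    }
}
```

After substituting the placeholders, run `nginx -t` to validate the file before reloading the proxy.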