Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Placement Between Firewall and Web Servers

    WebApp Secure acts as a reverse proxy and actively manipulates traffic between the protected web application and the Internet. It is deployed between the protected webserver and the last system which can alter user-facing traffic. This location gives WebApp Secure full visibility into the HTTP traffic destined for the webservers (including any errors caused by authentication failures), and lets it inject and strip out any code it uses in protecting the application. This topology has the added benefit of minimally impacting internal network bandwidth. The following figure shows the WebApp Secure deployed in its most simple form as a reverse proxy connected to a load balancer.

    Figure 1: WebApp Secure Placement in the Network - Between Firewall and Web Servers

    WebApp Secure Placement in the Network - Between Firewall
and Web Servers

    Network placement requirements for WebApp Secure are as follows:

    • Because WebApp Secure only processes HTTP and HTTPS traffic, it must live behind a device that can separate Application Layer (Layer 7) traffic.
    • In order to prevent a WebApp Secure issue from impacting a protected application, the upstream device (that is, the router or load balancer) must perform Health Check monitoring on WebApp Secure over HTTP. If the Health Check fails, the load balancer or Layer 7 router should pass traffic directly to the protected application servers, rather than to WebApp Secure.

    The actual implementation depends on the user's specific network topology. The following figure shows a more complex environment with clustered webservers and clustered appliances.

    Figure 2: WebApp Secure Deployment - Connected to Load Balancer

     WebApp Secure Deployment - Connected to Load Balancer

    Published: 2014-06-27