Firewall Gateway
This section describes:
• Orientation to the firewall gateway — introduces the e-speak firewall gateway framework and describes the firewall gateway’s constraints to clarify standard scenarios and protocols
• Infrastructure requirements — specifies hosting parameters and requirements for making a connection (for example, from an intranet to a demilitarized zone (DMZ))
• Firewall gateway configuration — describes configuration files for the firewall gateway
• Internal engine configuration — defines when to modify the internal engine’s e-speak configuration file
• How an external engine connects to the firewall gateway — covers associated configuration properties
• Reconfiguring the firewall gateway without stopping it — lists the procedures for performing administrative tasks while the gateway is running
• Limitations — lists currently-known limitations
Orientation
The e-speak firewall gateway (also called the SLS gateway) is software-based and mediates access between external clients and e-speak services that reside behind a corporate firewall (internal services). The clients may be located either on the Internet or on the Intranet of another company. The firewall gateway acts as an access control point between external clients and internal services by authenticating and authorizing external clients based on SLS attribute certificates.
In a typical scenario, the gateway resides between an external client's engine and an internal service's engine. It authenticates and authorizes all requests from the external entities (both clients and engines) based on company-wide access requirements. A company can use the SLS gateway to impose certain basic, or default, access control requirements on external entities before they access any internal e-speak engines or services. These requirements are over and above the access control requirements imposed by the individual internal engines or services.
In e-speak terms, an external client/engine must possess valid certificates to satisfy both the requirements of the internal engine/service and those of the gateway to access the internal engine/service.
Infrastructure Requirements
The gateway is typically hosted in a company's DMZ. Because the gateway cannot make inbound connections to internal engines, the engines must make an outbound connection to the gateway. This is a connection from the Intranet to the DMZ and requires either an HTTP proxy or a Socks (>= V4) server at the firewall to make the connection.
Firewall Gateway Configuration
This section lists the configuration files necessary to configure the firewall gateway.
E-speak-Specific Configuration File
The gateway uses the standard e-speak configuration file (by default $espeak_home/config/espeak.cfg) to read e-speak-specific configuration information. This includes security configuration such as the security role, the location of the pse file, and the location of certificates. Although the gateway runs as a standalone Java™ application, it re-uses various e-speak libraries (especially the security code). This is the main reason it needs the e-speak configuration file: the e-speak libraries it re-uses require it.
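Because the gateway's security behaviour in the DMZ depends on what this file points at, an operator would want to check the referenced security material before starting the gateway. The following is an added example, not e-speak code: it assumes a Java-properties-style key=value layout and uses hypothetical key names (`security.role`, `security.pse.file`, `security.cert.dir`), then verifies the keys are present, the referenced files exist, and the pse file is not readable by group or others.

```python
import stat
import tempfile
from pathlib import Path

# Constructed sample in Java-properties style; the key names are
# hypothetical placeholders, not the real espeak.cfg schema.
SAMPLE_CFG = """\
# constructed example config for the gateway
security.role = gateway
security.pse.file = {pse}
security.cert.dir = {certs}
"""

REQUIRED_KEYS = ("security.role", "security.pse.file", "security.cert.dir")
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO  # any permission bit beyond the owner

def parse_properties(text):
    """Parse key=value (or key: value) lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def audit_security_config(props):
    """Return a list of findings; an empty list means all checks passed."""
    findings = [f"missing required key: {k}" for k in REQUIRED_KEYS if not props.get(k)]
    pse = props.get("security.pse.file")
    if pse:
        path = Path(pse)
        if not path.is_file():
            findings.append(f"pse file not found: {pse}")
        elif path.stat().st_mode & GROUP_OR_OTHER:
            findings.append(f"pse file readable by group/others: {pse}")
    certs = props.get("security.cert.dir")
    if certs and not Path(certs).is_dir():
        findings.append(f"certificate directory not found: {certs}")
    return findings

def demo(pse_mode):
    """Build a throwaway config tree whose pse file has the given mode, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        pse = Path(tmp, "gateway.pse")
        pse.write_bytes(b"constructed placeholder, not a real pse")
        pse.chmod(pse_mode)
        certs = Path(tmp, "certs")
        certs.mkdir()
        return audit_security_config(parse_properties(SAMPLE_CFG.format(pse=pse, certs=certs)))

if __name__ == "__main__":
    print(demo(0o600))  # -> []
    print(demo(0o644))  # -> one finding: pse file readable by group/others
```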