I have a need to expose the CPS Web Access to one of our payers. GE states that to provide adequate security, one must place it behind reverse proxy border security. This was a pretty simple setup and I now have an IIS web server reverse proxying to my CPS JBOSS server. The login screen comes right up but when you click the "login" button, you immediately get "Inactivity period exceeded" and are returned to the login screen. This seems to have something to do with JBOSS session ID. Anyone out there done this successfully?? Any hints, tips or suggestions? I've got a call into GE but expectations are low that I will get a good answer.
Greg
I've seen a CPS read only website referenced before but haven't set it up myself.
I just want to point out that I would not expose the JBOSS server directly to the internet. I wouldn't trust the proxy to filter anything. The version of JBOSS is probably quite old and almost certainly has vulnerabilities that could allow an attacker to gain unauthorized access.
Also, last time I checked, I believe credentials and all other data are passed in the clear, so that's not good to send over the internet. Well, I suppose if your IIS server is only listening for SSL connections, then that part might be covered.
I'd suggest VPN of some type with your payor. Then you know they can only connect across the VPN tunnel. No internet exposure that way. You can set up access lists to allow only the traffic required as well.
That would be the exact reason. RDP never works with external entities. They never put you on the HR List to disable user accounts etc. and when they forget the password, it is a call to our much smaller I.T. group or worse yet, they tend to share credentials. Not to mention the additional overhead to the RDP farm servers of managing those desktops. I'd feel much better about the web access. It winds up creating a much larger security hole. This way you can proxy nothing but the minimal necessary ports and keep foreign machines completely off of the network. The reverse proxy is in fact GE's recommended security method for securing the HTTPS web interface. They just don't know how to do it 🙁
Here is some documentation on how to do it through Apache.
It is using URL rewrites instead of proxies.
It was originally written by one of the GE programmers.
Hmmm.... I could do that. I was hoping to be opportunistic and use the IIS Role on an existing server. I'll see what I can do with this info. Thanks!
Didn't read the response re: Apache but would agree that would be the way to go, unless you are an IIS expert. Apache documentation is clear and info is plentiful.
Re: security, I might try to get an IP list from the external party and restrict access to your Apache server to that IP range.
Can someone please send me a copy of the instruction file from designitsolutions.com? That URL only directs to their home page now.
Thanks!