Front-End Server Architecture

This article discusses the front-end server architecture used to make Xton Access Manager (XTAM) available from outside the corporate network.

Front-end Architecture for Production Deployment

For a production deployment of XTAM that must be reachable from outside the network, we usually recommend installing a reverse proxy (load balancer) on a computer in the DMZ to terminate the inbound HTTPS traffic with an SSL certificate. This reverse proxy forwards all requests to the XTAM server inside the network.

HTTPS configuration with an SSL certificate is optional for trial use when only application functionality is being tested. However, if testing with SSL is desired, or for production use, the prerequisite is a fully qualified domain name (FQDN) that resolves to the XTAM reverse proxy computer in the DMZ (for example xtam.company.com) and an SSL certificate for this FQDN signed by an internet certificate authority trusted by the browsers that access the system. In this example XTAM will be accessed at https://xtam.company.com/xtam/

 

Figure: XTAM with a load balancer (reverse proxy in the DMZ forwarding to the XTAM server inside the network)

Front-end Architecture for Test or Trial Deployment

The alternative way to test the external setup is to install XTAM itself on the computer in the DMZ, optionally load the trusted SSL certificate mentioned earlier, and switch XTAM to bind directly to the HTTP(S) port. This is slightly easier to do and demonstrates XTAM functionality for trial purposes.

Figure: XTAM installed directly in the DMZ

The discussion below assumes a two-server setup: one computer running the reverse proxy in the DMZ and another running XTAM behind the firewall. XTAM licensing does not count the load balancer / reverse proxy computer as a node to purchase.

Details for Different OS

For Windows load balancers / reverse proxies we recommend using Microsoft IIS. The XTAM installer includes an option to install and configure Microsoft IIS as a load balancer that redirects traffic to a (possibly remote) XTAM farm. To install and configure the IIS load balancer on an isolated computer in the DMZ, run the XTAM setup on that computer and select only the Load Balancer option. Specify the host name of the XTAM server when prompted. After installation, follow the Microsoft documentation to deploy an SSL certificate bound to the HTTPS port to secure IIS traffic.

On Unix computers the typical load balancer choice is the Apache HTTP server. Here is an FAQ article about how to configure it on RedHat / CentOS.

Here is the article that discusses load balancer configuration for Debian and Ubuntu.

Additional Considerations

When forwarding web traffic from the reverse proxy to the XTAM server over HTTPS, make sure that XTAM presents a certificate the load balancer trusts; otherwise, disable the certificate check on the load balancer or direct the traffic to the unsecured HTTP port (XTAM listens for unencrypted HTTP on port 8080 for test purposes). Below is an FAQ article on replacing the generated self-signed certificate of the XTAM server with one trusted by the load balancer.

Note that the XTAM server and the load balancer can be installed on the same or on different operating systems (for example, Windows hosting the XTAM server and Unix hosting the reverse proxy / load balancer). It is also possible to use an existing load balancer if one is already in place (for example F5).
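The following Apache HTTP server virtual host is an added example, not configuration from the article or from Xton; it ties together the Unix reverse proxy setup mentioned above and the back-end certificate choice described in this paragraph. It assumes an internal XTAM host name of xtam-internal.corp.local, an XTAM HTTPS port of 6443, and placeholder certificate paths; the host name, port and paths are assumptions to be replaced with your own values, and mod_ssl, mod_proxy, mod_proxy_http and mod_headers must be loaded.

```apache
# Added example (not part of the article): Apache httpd reverse proxy in the DMZ
# forwarding https://xtam.company.com/xtam/ to an XTAM server inside the network.
# Placeholders: xtam-internal.corp.local (internal XTAM host), port 6443 (assumed
# XTAM HTTPS port), and every certificate file path below.

# Send plain HTTP to HTTPS so nothing reaches the proxy unencrypted.
<VirtualHost *:80>
    ServerName xtam.company.com
    Redirect permanent / https://xtam.company.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName xtam.company.com

    # Certificate for the FQDN, signed by a CA trusted by the users' browsers.
    SSLEngine on
    # placeholder paths
    SSLCertificateFile      /etc/pki/tls/certs/xtam.company.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/xtam.company.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/xtam.company.com-chain.crt
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Keep the browser-facing host name and scheme on the way to XTAM so it
    # builds redirects and cookies for https://xtam.company.com.
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # --- Production: forward over HTTPS and verify the XTAM server certificate.
    # The XTAM certificate must chain to a CA the proxy trusts (see the FAQ on
    # replacing the self-signed certificate). internal-ca.crt is a placeholder.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt
    ProxyPass        /xtam/ https://xtam-internal.corp.local:6443/xtam/
    ProxyPassReverse /xtam/ https://xtam-internal.corp.local:6443/xtam/

    # --- Trial only: the two shortcuts the article mentions. Both leave the
    # DMZ-to-XTAM hop without server authentication, so they are for testing.
    # (a) skip certificate verification on the proxy:
    #     SSLProxyVerify none
    #     SSLProxyCheckPeerName off
    # (b) use the unencrypted XTAM test listener on port 8080:
    #     ProxyPass        /xtam/ http://xtam-internal.corp.local:8080/xtam/
    #     ProxyPassReverse /xtam/ http://xtam-internal.corp.local:8080/xtam/
</VirtualHost>
```

With SSLProxyVerify set to require and SSLProxyCheckPeerName on, Apache refuses the connection if XTAM still presents its generated self-signed certificate, which is the quickest way to confirm that the certificate replacement from the FAQ actually took effect before the system is exposed.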