Network / Security Considerations

This page addresses components and characteristics of a typical Unanet installation.  Unanet does not recommend the use of any particular configuration, but provides this information to assist you in your planning process.

Components and Characteristics of a Typical Unanet Installation

A typical Unanet installation may resemble:

  1. An external firewall between the Internet and the DMZ, configured to allow access to the Unanet server on port 80 only (port 443 instead if the server is configured for SSL)

  2. A Unanet server on the DMZ with:

  3. An internal firewall between the DMZ and the internal network, configured to allow connections to the database server on the appropriate port (usually 1433 for SQL Server or 1521 for Oracle) only from the Unanet server, and no other traffic from the DMZ

  4. A database server with either SQL Server or Oracle on the internal network


Multi-Web Server Considerations:

Should you decide to scale your platform for performance or redundancy reasons, consider running with multiple front end web servers.  When doing so, keep the following in mind:

  1. Run the same Unanet version, down to the same point release, on every front end server.
  2. Keep the unanet.properties settings consistent across the front end servers, except where you specifically intend a setting to differ on a particular server.
  3. Keep the server clocks synchronized across all front end servers (for example, with NTP).
  4. When choosing a load balancing solution for multiple front ends, use a 'sticky' option (server affinity) so that once a user has been serviced by a particular server, their subsequent requests go to that same server.  Certain features depend on this: when a user exports a file, for example, the temporary file is created on the server that handled the export, so the user's subsequent request to download that file must be serviced by the same front end server.
  5. Ensure email is configured on all front end servers.
  6. Ensure the scheduler is enabled on only one front end machine.  Consider disabling the scheduler via unanet.properties entries on all but one machine, so that it can be enabled via the UI on one front end server only.  Having multiple schedulers running against the same database instance can produce unpredictable results.
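The following script is an added example, not Unanet's own code, covering items 2 and 6 above: it parses unanet.properties as fetched from each front end (Java .properties syntax), reports any setting that drifts between servers apart from a list of keys you intend to differ, and confirms that exactly one server has the scheduler enabled. The property names it uses (unanet.scheduler.enabled, unanet.mail.host, unanet.server.name) and the sample file contents are hypothetical placeholders; substitute the real keys from your installation.

```python
"""Consistency check for unanet.properties across several front end servers.

Added example, not Unanet's own code.  The property names below
(unanet.scheduler.enabled, unanet.mail.host, unanet.server.name) are
hypothetical placeholders; substitute the real keys from your installation.
"""

# Constructed sample: unanet.properties as fetched from three front ends.
SAMPLE_PROPERTIES = {
    "web1": "# unanet.properties (constructed sample)\n"
            "unanet.scheduler.enabled = true\n"
            "unanet.mail.host=smtp.example.com\n"
            "unanet.server.name=web1.example.com\n",
    "web2": "unanet.scheduler.enabled=false\n"
            "unanet.mail.host=smtp.example.com\n"
            "unanet.server.name=web2.example.com\n",
    "web3": "unanet.scheduler.enabled=true\n"
            "unanet.mail.host=smtp-old.example.com\n"   # drifted setting
            "unanet.server.name=web3.example.com\n",
}

SCHEDULER_KEY = "unanet.scheduler.enabled"   # hypothetical key name
PER_SERVER_KEYS = {"unanet.server.name"}      # keys that are meant to differ


def _split_key_value(line):
    """Split on the first unescaped '=', ':' or whitespace, as java.util.Properties does."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2          # skip an escaped character
            continue
        if line[i] in "=: \t":
            break
        i += 1
    key = line[:i].strip()
    rest = line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):          # "key = value" form
        rest = rest[1:].lstrip(" \t")
    return key, rest.rstrip()


def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, key separators, line continuations."""
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].lstrip()
        # A trailing unescaped backslash continues the logical line.
        while line.endswith("\\") and not line.endswith("\\\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue
        key, value = _split_key_value(line)
        props[key] = value
    return props


def compare_front_ends(configs, per_server_keys=PER_SERVER_KEYS):
    """Return {key: {server: value}} for every key whose value differs between servers."""
    parsed = {srv: parse_properties(text) for srv, text in configs.items()}
    all_keys = set().union(*parsed.values()) - set(per_server_keys)
    drift = {}
    for key in sorted(all_keys):
        values = {srv: p.get(key) for srv, p in parsed.items()}   # None = key missing
        if len(set(values.values())) > 1:
            drift[key] = values
    return drift


def scheduler_hosts(configs, key=SCHEDULER_KEY):
    """Servers whose properties enable the scheduler; there must be exactly one."""
    return sorted(srv for srv, text in configs.items()
                  if parse_properties(text).get(key, "").lower() == "true")


def audit(configs):
    """Human-readable findings; an empty list means the front ends agree."""
    findings = []
    for key, values in compare_front_ends(configs).items():
        if key != SCHEDULER_KEY:          # the scheduler key is expected to differ
            findings.append(f"setting drift: {key} = {values}")
    hosts = scheduler_hosts(configs)
    if len(hosts) != 1:
        findings.append(f"scheduler enabled on {hosts}; expected exactly one front end")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES):
        print(finding)
```

Run it against the property files collected from each front end (for example over scp) before and after every upgrade; the two findings the constructed sample produces are a mail host that drifted on web3 and a scheduler enabled on two servers at once.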


Security Considerations in a Typical Unanet Installation

This section provides additional information on security.

Security Considerations of Setting Up Unanet in DMZ or SSL

Securing your Unanet system should be treated the same as securing any web server on your network.

Setting up your Unanet System in a DMZ

If an attacker were able to break into your web server, they could read your database.properties file, and with it the password for the database login.  The database.properties file should therefore have the minimal permissions that still allow the account under which the servlet engine runs to read it, with no read access for any other user.  Limit the damage a stolen password can do as well: grant the Unanet database login (e.g., "unanet") only the access it needs, for instance by configuring SQL Server so that this login can access the unanet database and no other database on the SQL Server machine.  The same least-privilege principle applies to an Oracle account.
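The script below is an added example, not Unanet's own code, for checking and correcting the file permissions just described. It assumes a POSIX host and that the servlet engine runs under a dedicated service account; the account name SERVLET_USER ("tomcat") and the sample file content are hypothetical. The audit accepts a file owned by the servlet account with mode 0400 or 0600, or a root-owned file with mode 0440 or 0640 and the servlet account's group; it flags anything readable by other users and, as the opposite failure mode, a file the servlet engine cannot read at all.

```python
"""Audit the permissions on database.properties.

Added example, not Unanet's own code.  Assumes a POSIX host and that the
servlet engine runs under a dedicated account (SERVLET_USER below is a
hypothetical name).  The file should be readable by that account only:
0400/0600 owned by it, or 0440/0640 owned by root with its group.
"""
import os
import stat

SERVLET_USER = "tomcat"   # hypothetical service account for the servlet engine


def audit_mode(mode, owner_uid, group_gid, servlet_uid, servlet_gid):
    """Return a list of findings for a file with the given st_mode/uid/gid."""
    perms = stat.S_IMODE(mode)
    findings = []
    if perms & stat.S_IRWXO:
        findings.append(f"mode {perms:04o}: accessible by every local user")
    if perms & stat.S_IRWXG and group_gid != servlet_gid:
        findings.append(f"mode {perms:04o}: group {group_gid} is not the servlet engine's group")
    if perms & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append(f"mode {perms:04o}: execute bit set on a properties file")
    # Too tight is also a failure: the servlet engine must still be able to read it.
    readable_as_owner = owner_uid == servlet_uid and bool(perms & stat.S_IRUSR)
    readable_as_group = group_gid == servlet_gid and bool(perms & stat.S_IRGRP)
    if not (readable_as_owner or readable_as_group):
        findings.append("servlet engine account cannot read the file; Unanet will fail to connect")
    return findings


def audit_file(path, servlet_user=SERVLET_USER):
    """Stat a real file and resolve the service account (POSIX only)."""
    import pwd
    st = os.stat(path)
    acct = pwd.getpwnam(servlet_user)
    return audit_mode(st.st_mode, st.st_uid, st.st_gid, acct.pw_uid, acct.pw_gid)


def harden_file(path, servlet_user=SERVLET_USER):
    """Apply the recommended ownership and 0600 mode; chown needs root privileges."""
    import pwd
    acct = pwd.getpwnam(servlet_user)
    os.chown(path, acct.pw_uid, acct.pw_gid)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


if __name__ == "__main__":
    import pwd
    import tempfile
    me = pwd.getpwuid(os.getuid()).pw_name   # stand in for the servlet account
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write("dbpassword=constructed-sample\n")   # constructed, not a real credential
    os.chmod(f.name, 0o644)                           # the typical mistake
    print("before:", audit_file(f.name, me))
    harden_file(f.name, me)
    print("after:", audit_file(f.name, me))
    os.unlink(f.name)
```

Note that this only narrows who can read the file on the host; the password inside it is still cleartext, which is why the database login itself must be restricted to the unanet database.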

Setting up your Unanet System to Use SSL

Some points to think about when considering the usage of SSL:

 

Security Note: The usual reason for encrypting the connection is to prevent an attacker from sniffing packets, and thereby capturing user credentials or application data, as they cross the Internet or any other untrusted network between the browser and the Unanet server.