Deployment Considerations


Enterprise Services applications are typically installed on the Web server or on a remote application server. Figure 11.3 shows the two typical deployment scenarios for Enterprise Services. From a security perspective, the notable difference with the remote deployment scenario is that data passed to and from the serviced component is passed over the network, often through an internal firewall used to separate the internal and perimeter networks.

Figure 11.3: Enterprise Services typical deployment configurations

Developers and administrators need to be aware of the following deployment-related issues:

  • Firewall restrictions, including port requirements for DCOM and DTC

  • Run-as account configuration

  • Storing secrets in object constructor strings

For more information about applying secure configuration at deployment time, see Chapter 17, "Securing Your Application Server."

Firewall Restrictions

If the client and Enterprise Services application are separated by an internal firewall, the relevant ports that support DCOM and possibly the DTC (if your application uses distributed transactions) must be open.

DCOM uses RPC dynamic port allocation that by default randomly selects port numbers above 1024. In addition, port 135 is used by the RPC endpoint mapper. You can restrict the ports required to support DCOM on the internal firewall in two ways:

  • Define port ranges.

    This allows you to control the ports dynamically allocated by RPC.

  • Use static endpoint mapping.

    Windows 2000 SP3 (or Quick Fix Engineering [QFE] 18.1 and greater) or Windows Server 2003 allow you to configure Enterprise Services applications to use a static endpoint. Static endpoint mapping means that you only need to open two ports in the firewall. Specifically, you must open port 135 for RPC and a nominated port for your Enterprise Services application.

For more information about defining port ranges and static endpoint mapping, see "Firewall Considerations" in Chapter 17, "Securing Your Application Server."
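The following PowerShell is an added illustration, not code from the book, of applying the two restrictions just described: the documented `HKLM\SOFTWARE\Microsoft\Rpc\Internet` values narrow the RPC dynamic range, and the per-AppID `Endpoints` value pins one COM+ application to a fixed TCP port. The AppID GUID and port numbers are placeholders you would replace with your application's values, and the script must run elevated.

```powershell
# Added example (not from the book): apply the two DCOM port restrictions
# described above. Run as Administrator. The AppID GUID and all port
# numbers below are placeholders.

function Set-RpcDynamicPortRange {
    # Restrict RPC dynamic endpoint allocation to a small range so the
    # internal firewall only needs to permit that range plus TCP 135.
    param([int]$Start = 5000, [int]$End = 5020)
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Ports -Value @("$Start-$End") -Type MultiString
    Set-ItemProperty -Path $key -Name PortsInternetAvailable -Value 'Y' -Type String
    Set-ItemProperty -Path $key -Name UseInternetPorts -Value 'Y' -Type String
    # The RPC runtime reads these values at boot, so a restart is required.
}

function Set-ComPlusStaticEndpoint {
    # Pin one Enterprise Services application to a fixed TCP port.
    # Format is "<protocol sequence>,<flag>,<endpoint>"; flag 0 means
    # "use the listed endpoint".
    param([Parameter(Mandatory)][string]$AppId, [int]$Port = 5100)
    $key = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    if (-not (Test-Path $key)) { throw "AppID $AppId is not registered on this host" }
    Set-ItemProperty -Path $key -Name Endpoints -Value @("ncacn_ip_tcp,0,$Port") -Type MultiString
}

function Get-DcomPortConfiguration {
    # Audit helper: report what the firewall team must allow for this host.
    param([string]$AppId)
    $rpc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
    $ep  = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EndpointMapper = 'TCP 135'
        DynamicRange   = if ($rpc -and $rpc.Ports) { $rpc.Ports -join ',' } else { 'default (ports above 1024)' }
        StaticEndpoint = if ($ep -and $ep.Endpoints) { $ep.Endpoints -join ',' } else { 'none (dynamic)' }
    }
}

# Usage with placeholder values:
$placeholderAppId = '{00000000-0000-0000-0000-000000000000}'
Set-RpcDynamicPortRange -Start 5000 -End 5020
Set-ComPlusStaticEndpoint -AppId $placeholderAppId -Port 5100
Get-DcomPortConfiguration -AppId $placeholderAppId
```

After the static endpoint is set, the firewall rule set for that application reduces to TCP 135 plus the nominated port, and the audit function gives you a record to hand to whoever manages the internal firewall.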

Using Web Services

If opening ports on the internal firewall is not an option, then you can introduce a Web services façade layer in front of the serviced components on the application server. This means that you only need to open port 80 for HTTP traffic, specifically to allow Simple Object Access Protocol (SOAP) messages to flow in both directions, as shown in Figure 11.4.

Figure 11.4: Using a Web services façade layer to communicate with Enterprise Services using HTTP

This approach does not allow you to flow transaction context from client to server, although in many cases where your deployment architecture includes a middle-tier application server, it is appropriate to initiate transactions in the remote serviced component on the application server.

For information about physical deployment requirements for service agents and service interfaces such as the Web services façade layer, see "Physical Deployment and Operational Requirements" in the Reference section of the MSDN article, "Application Architecture for .NET: Designing Applications and Services."

DTC Requirements

If your application uses COM+ distributed transactions and these are used across remote servers separated by an internal firewall, then the firewall must open the necessary ports to support DTC traffic.

If your deployment architecture includes a remote application tier, transactions are usually initiated within the Enterprise Services application and propagated to the database server. In the absence of an application server, the Enterprise Services application on the Web server initiates the transaction and propagates it to the SQL Server resource manager.

For information about configuring firewalls to support DTC traffic, see Chapter 18, "Securing Your Database Server."

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613