External Access Using a Virtual Private Network (VPN)

Platform: OnBase
Product: Security Best Practices
Release: Foundation 23.1
License: Standard, Essential, Premier

Many organizations need to make some data archived in OnBase available to users outside the organization. A Virtual Private Network (VPN) is often used to provide access to remote employees or a manageable set of external users.

Many of the concepts already discussed for securing the OnBase Web and Unity Clients (see Web and Application Server Access) provide a foundation for expanding access to OnBase through one of the OnBase custom portals or a custom application that uses the OnBase API.

Typically, these external components communicate with the OnBase Application Server through HTTPS using a separate VPN, which makes it possible to control and isolate any traffic entering the internal portion of the network.

For solutions in which the OnBase Web Client is used by both internal and external users, it is recommended to consider separate instances of the OnBase Web Server: one for internal users and one for external users. Additional OnBase Web Servers would require additional Web Server licensing.

Tip: See the Web Server module reference guide for complete details on configuring the OnBase Web Server.

The following illustration shows the flow of traffic for a solution with both internal and external access to a single OnBase system using a VPN. OnBase modules that use a server for the presentation layer, such as the Web Server or Commerce Server, require a component that resides in an outer layer of the network.

The VPN approach may also be considered for internal use in organizations that plan to enforce strict levels of network segregation. This additional level of segregation makes it possible to restrict the access levels of the components within each segment, with the client further separated from the OnBase database and Disk Groups with minimal overhead. Furthermore, firewalls can control the traffic between the segments.
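The segment isolation described above can be checked against a firewall rule export. The following audit is an added example, not part of the OnBase documentation or Hyland code; the segment names, address ranges, allowed-flow matrix, and sample rules are all constructed assumptions.

```python
import ipaddress

# Assumed segment layout (constructed addresses, not from the OnBase docs).
SEGMENTS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "vpn": "10.10.0.0/24",    # external users arriving over the VPN
    "outer": "10.20.0.0/24",  # outer layer: Web Server / portal hosts
    "app": "10.30.0.0/24",    # OnBase Application Server
    "data": "10.40.0.0/24",   # database and Disk Groups
}.items()}

# Assumed policy: each segment may only reach the next one inward.
# A set lists the permitted ports; None means ports are not checked here.
ALLOWED = {("vpn", "outer"): {443}, ("outer", "app"): {443}, ("app", "data"): None}

def segments_touched(cidr):
    """Return every segment that a rule's source or destination overlaps."""
    net = ipaddress.ip_network(cidr)
    return [name for name, seg in SEGMENTS.items() if net.overlaps(seg)]

def audit(rules):
    """Return (rule index, src segment, dst segment, port) for each flow
    that an allow rule permits but the policy does not."""
    findings = []
    for idx, (src, dst, port) in enumerate(rules):
        for s in segments_touched(src):
            for d in segments_touched(dst):
                if s == d:
                    continue
                ports = ALLOWED.get((s, d), set())  # unknown pair: nothing allowed
                if ports is None or port in ports:
                    continue
                findings.append((idx, s, d, port))
    return findings

# Constructed allow rules: (source CIDR, destination CIDR, port or "any").
SAMPLE_RULES = [
    ("10.10.0.0/24", "10.20.0.5/32", 443),   # VPN users to the Web Server
    ("10.20.0.5/32", "10.30.0.8/32", 443),   # Web Server to Application Server
    ("10.30.0.8/32", "10.40.0.0/24", 1433),  # app to data (constructed port)
    ("10.10.0.0/24", "10.30.0.8/32", 443),   # VPN skips the outer layer
    ("10.0.0.0/8", "10.40.0.0/24", "any"),   # broad source also covers vpn/outer
    ("10.20.0.5/32", "10.30.0.8/32", 80),    # plain HTTP between segments
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("policy violation: rule %d lets %s reach %s on port %s" % finding)
```

The broad `10.0.0.0/8` rule is the case most often missed in review: it looks like an Application Server rule, but it also opens the data segment to the VPN and outer segments.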