It is recommended to separate the OnBase Web Server, which handles the presentation or user interface tier, and the OnBase Application Server, which is the application or processing tier. This provides an additional security layer between users and the OnBase data because all direct access to the OnBase database and the OnBase Disk Groups is isolated to the OnBase Application Server.
The following illustration shows a typical configuration in highly secure networks with three distinct firewalls, each of which allowing only a certain type of traffic to pass.
The firewalls are depicted in this illustration as the brick-patterned dividers. The first firewall, between the user and the Web Server, allows for Internet traffic through Port 443 using HTTPS.
The second firewall, between the Web and Application Servers, is not required for adequate security, but it should be employed when designing a highly secure and scalable solution. If the two servers are on the same computer you can allow standard HTTP traffic through Port 80.
The third firewall, between the Application Server and OnBase, allows the traffic to the OnBase database and Disk Groups to be managed, allowing you to take advantage of additional security measures, such as Distributed Disk Groups (DDS).
When the OnBase Web and Application Servers are on the same machine, that machine accepts inbound user traffic from the Internet and has direct access to the OnBase data, which can create an attractive target for attacks. Separating the Web and Application Servers means the Web server is exposed to inbound communications from the Internet, but does not require direct access to the OnBase database and Disk Groups. Instead, the Web Server must communicate with the Application Server through a controlled channel, and the Application Server performs all application logic with isolated access to the OnBase data.
The following illustration shows a configuration for a highly secure network that employs additional layers of security beyond separating the servers.
The separation of the Web and Application Servers provides the foundation for implementing these additional security measures. The following items should be considered when adding additional layers of security:
-
When evaluating firewall options, it is a good practice to use different vendors if multiple firewalls are used in the solution. This ensures that vulnerability in one brand of firewall does not permit an attacker to bypass all firewalls.
-
When the Web and Application Servers are on separate Microsoft IIS servers, the Application Pools can be configured to run as distinct network accounts. Each of those network accounts should be configured following the concepts of least-privilege access.
-
Additional network segregation can further prevent access to the OnBase database and Disk Groups by users. For example, the OnBase Web Server can reside in a user network and the Application Server in a private network, with HTTPS used as the method of communication between the two networks.
Tip:See also, Distributed Disk Services (DDS).
-
HTTPS should be considered for internal communication between OnBase components, as well as external communication, to further secure network traffic.
Note that the separation of the Web and Application Servers does not require two single-purpose servers. While single-purpose servers provide value when troubleshooting, significant value can be found in existing servers that are already performing similar functionality to the OnBase components. For example, if an organization already has an internal Web server for an intranet site, the OnBase Web Server can be installed on the same machine with a separate machine for the OnBase Application Server.