
I work for an organization that uses a managed host for App1 and a collection of apps, App2..N

App1 is a web application, hosted on a Linux web farm by a large vendor - and it uses a forms-like authentication (e.g. simple username + password).

The collection of apps App2..N are available freely to users inside our network without a sign-in required by virtue of requests coming from our gateway IP address.

The apps (App2..N) are approx. 10 separate vendors of online information, who share in common a licensing model where they contract with my employer to provide information services via each of their web apps - and they seem to all use a scheme where they record the IP address of our organization's gateway IP - and allow requests from that specific IP to use the service without a login/password.

Approximately 1/10th of our users are on-site here behind our firewall, and 9/10ths are spread world-wide.

These remote users authenticate to use App1 using the forms-like user/pass authentication.

While using App1, there are certain requirements where they must access the resources of App2..N - exposed as links within App1.

The vendors of App2..N tend to use various other means of allowing for our remote users, however they always seem to change and break down over time - all the schemes are different, and all change at different times, and most of these vendors do not have easily accessible client support services - e.g. it's difficult for me to keep up with all the breakage and poor access to solutions from the vendors.

I would like to come up with some type of web-based app that can accept incoming requests from all around the net - then channel them through our internal network somehow, so that these various requests could authenticate by right of having "come from" our on-site gateway IP address.

I don't know what this type of solution is called, I thought it would be reverse-proxy, but not 100% certain.

What type of solution do I need? What is it called?

Is there some type of server we can run within our network and/or in a DMZ that can re-route requests to App2..N so as to have them be treated as though they came from a user within our network?

Constraint: The number of users outside our network is far greater than the users inside our network, thus we do not wish to provide VPN access to our network for this purpose.

Since I don't exactly know what the tools and/or concepts are properly called, I openly welcome editing of this question to make it more clear to the SF community.

EDIT: I might not require that the source IP address for our requests to App2..N be from exactly our gateway IP, but if they came from a single IP (not necessarily our gateway IP) - that could work too.

qxotk
  • The answer depends on whether or not you have a domain in place or whether or not you have trust set up across the two applications' domains. In some cases, you can try federated authentication. – CIA Mar 06 '14 at 03:26
  • @CIA - do you mean if we have a Windows Domain (as in Domain controller)? Can you give me an example of "federated authentication" - it sounds complicated. – qxotk Mar 06 '14 at 03:53
  • This seems very vague. What type of authentication do you use for App1 (Windows Domain auth, LDAP, DB backed password auth, ...)? App1 is a web application that provides links (URLs?) to other applications? – Slartibartfast Mar 06 '14 at 04:33
  • @Slartibartfast I apologize for vagueness; I will edit the question to increase detail - don't want to reveal too much about my situation/employer/industry. – qxotk Mar 06 '14 at 04:36
  • You mentioned that VPNs were a no-go and it sounded like resources may be the reason. In that case remember that a proxy connecting off-site users to off-site content will use about as much bandwidth as a VPN doing the same thing. – Rik Schneider Mar 06 '14 at 07:20
  • @RikSchneider Thanks for that info, to be specific, it's more the administrative/policy/security/hardware resources - as the remote users are not members of our organization, so names, contact info, etc. would be unmanageable inside our organization. Further, if I experimented with this, I might want to host the box outside our firewall/DMZ - as there would be no sensitive info on that web app - it would only accept requests from App1 and re-route to App2..N sites. Does that make sense? (oh, but that defeats the source IP feature doesn't it?...) – qxotk Mar 06 '14 at 17:43

1 Answer


It sounds as though you are speaking of a reverse proxy. The way this would work is that you would run the reverse proxy in your DMZ. You would give the URL of the reverse proxy to your outside users.

When the users browse to the URL you gave them, your reverse proxy receives the connection and request. It then translates or rewrites or just forwards the request (as itself / from your IP address) to App1. App1 authenticates the user.

You need to work out how to detect on the reverse proxy whether they are authenticated to App1. This could be a cookie, or a URL element, or ...???. The reverse proxy sees all of the web traffic, so it should be do-able.

Once the reverse proxy knows whether you've authenticated, you configure it to selectively forward connections to App2..N only for authenticated users/connections.

You do need to ensure that either App1 presents URLs that point through the reverse proxy, or that you rewrite App1 presented links to pass through the reverse proxy.

The configuration of this can be painful. If you're using Apache, you're looking for something like mod_rewrite or mod_rewrite2 (if I recall correctly). There is other software that does things like this (BlueCoat is one, I think, but I don't know how configurable it is).

Hope this helps.

Slartibartfast
  • jmsmcfrlnd, it seems to me that you're getting perilously close to asking for software/product recommendations, and that would render your question off-topic for ServerFault. – MadHatter Mar 06 '14 at 06:18
  • @Slartibartfast wouldn't all users (inside and out) first visit App1 directly, and *then* have all URLs to App2..Z point to the reverse proxy - where the reverse proxy forwards bona fide requests from App1-authenticated users on to App2..N? Above you say all users start at the reverse proxy, which doesn't seem right. – qxotk Mar 06 '14 at 12:03
  • If all users start at App1 directly, it may interfere with your ability to detect whether they have authenticated to App1. But whatever works for you. Separately, people already inside your network are already taken care of; there is no need to change things for them. – Slartibartfast Mar 07 '14 at 06:20
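The shape the answer describes, written out as an added example (this is not configuration from the question, the answer, or any of the vendors involved): an Apache httpd 2.4 virtual host running in the DMZ that (1) fronts App1 so the login cookie is issued for the proxy's own hostname, (2) refuses requests for a vendor app unless that cookie is present, (3) forwards the allowed requests so the vendor sees the proxy's egress IP, and (4) optionally rewrites vendor links inside App1's pages to point back through the proxy. All hostnames, paths, the cookie name `APP1SESSION` and the certificate paths are placeholders; the modules named (mod_proxy, mod_proxy_http, mod_rewrite, mod_headers, mod_ssl, mod_proxy_html, mod_xml2enc) are standard httpd 2.4 modules.

```apache
# Added example (not from the question or answer). Placeholders:
#   proxy.example.org     - this reverse proxy in the DMZ
#   app1.example.org      - the hosted App1 (forms login, sets cookie APP1SESSION)
#   app2.vendor.example   - one of the IP-licensed vendor apps (App2)
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule rewrite_module      modules/mod_rewrite.so
LoadModule headers_module      modules/mod_headers.so
LoadModule ssl_module          modules/mod_ssl.so
LoadModule xml2enc_module      modules/mod_xml2enc.so      # only for the optional link rewriting
LoadModule proxy_html_module   modules/mod_proxy_html.so   # only for the optional link rewriting

<VirtualHost *:443>
    ServerName proxy.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/proxy.example.org.key

    # Reverse proxy only: never behave as an open forward proxy.
    ProxyRequests Off
    # Needed because the upstreams are https://
    SSLProxyEngine On
    RewriteEngine On

    # (1) App1 is reached as https://proxy.example.org/app1/ so that App1's session cookie
    #     is set for proxy.example.org. The cookie domain is rewritten; its Path is left as "/"
    #     on purpose so the browser also sends it on /app2/ requests to this host.
    ProxyPass        /app1/ https://app1.example.org/
    ProxyPassReverse /app1/ https://app1.example.org/
    ProxyPassReverseCookieDomain app1.example.org proxy.example.org

    # (2) Gate: if no APP1SESSION cookie accompanies a /app2/ request, answer 403 and stop.
    #     Cookie presence is evidence that a login happened on this host, not proof that
    #     the session is still valid (see the note below).
    RewriteCond %{HTTP_COOKIE} !(^|;\s*)APP1SESSION=[^;]+ [NC]
    RewriteRule ^/app2/ - [F]

    # (3) Forward the remaining /app2/ requests to the vendor. The vendor's IP licensing
    #     sees the proxy's egress address, which is the single IP the question asks for.
    RewriteRule ^/app2/(.*)$ https://app2.vendor.example/$1 [P,L]
    ProxyPassReverse /app2/ https://app2.vendor.example/

    # Do not hand App1's session cookie to the vendor; leave any vendor-issued cookies intact.
    <Location /app2/>
        RequestHeader edit Cookie "(^|; *)APP1SESSION=[^;]*;? *" "$1"
    </Location>

    # (4) Optional: absolute links to the vendor inside App1's HTML are rewritten to the
    #     proxy path, so users never leave proxy.example.org (the answer's "rewrite App1
    #     presented links" step). Skip this if App1 can be configured to emit proxy links.
    <Location /app1/>
        ProxyHTMLEnable On
        ProxyHTMLURLMap https://app2.vendor.example/ /app2/
    </Location>
</VirtualHost>
```

Two points the configuration makes concrete. First, it settles the question raised in the comments about where users start: the gate only works if users reach App1 through the proxy, because a cookie set for app1.example.org is never sent to proxy.example.org. Second, the check in step (2) is deliberately weak: a stale or forged cookie value passes it. Because the vendors trust everything that leaves this proxy's IP, a stronger check is worth having before production, for example having App1 issue a signed, short-lived token that the proxy verifies, or having the proxy confirm the session with App1 on each new connection, together with access logging on the /app2/ path so misuse of the proxied entitlement can be detected.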