Allow PowerWeb Access Through a Firewall

If PowerWeb will only be used on your organization’s intranet, no special configuration is necessary. PowerWeb is as secure as any other IIS website. But if you want to allow access from outside the organization for remote users, contractors, vendors, or other business partners, your network will need to be configured to allow access through one or more firewalls to the PowerWeb server. A description of this configuration follows and is illustrated in the following figure with example IP addresses:

Example topology of web access allowed through firewalls.

This configuration is necessary because the Meridian application server communicates with PowerWeb running on the IIS server via the DCOM protocol. PowerWeb always starts a DCOM session with a request on the TCP port 135 of the Meridian application server. If a response is received, DCOM handles further communications, and determines which port will be used. The Meridian application server needs to be accessible from the IIS server on its own IP address because DCOM doesn’t support Network Address Translation (NAT).

To allow PowerWeb through a firewall:

  1. Install Meridian and PowerWeb on their respective computers as described in Installation.
  2. By default, DCOM communicates over a very wide port range (135 and 1025 to 5000 and 49152 to 65535 on Windows Vista and Windows Server 2008 and later). Use the netsh tool on the Meridian application server to view the DCOM properties of the computer as described in the Microsoft Support article The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008. Restrict the range of TCP port numbers it is able to use to, for example, 135 and 4000–5000. It’s essential to ensure that DCOM is running with TCP/IP only. If possible, delete all other protocols except TCP/IP if you are not using them. If you only have a restricted number of ports to use, refer to the Microsoft MSDN site for the current recommendation for the minimum number of ports to allocate.
  3. Configure the Meridian IIS applications (created by PowerWeb installation) of the default website to enable SSL.

    Note:

    If the Windows firewall is used, enable World Wide Web Services (HTTP Traffic in) and World Wide Web Services (HTTPS Traffic in) in Windows Firewall with Advanced Security.

  4. In the example configuration shown in the preceding figure, a small modification is necessary in the routing table for Windows. That is, the default gateway is 192.168.1.1, which means that the subnet of 192.168.2.0 can never normally be reached. This could be solved with two network cards, but could also be solved by adding an explicit routing to the routing table as shown in the following example:

    ROUTE –p ADD 192.168.2.0 MASK 255.255.255.0 192.168.1.3
    Note:

    If errors occur from mtx.exe, this means that you have restricted the Meridian website to run in a separate memory space, which is not allowed.

  5. Configure the firewall between the Meridian server and the IIS server to allow communications within the port range specified in step 2. Following are example lines to add to an /etc/ipf.rules file:

    #dcom connection from PowerWeb to EDM Server
    pass in quick on ed0 proto tcp from any port > 1024 to any port = 135 flags S keep state keep frags
    #dcom connection from EDM Server to PowerWeb
    block in on ed0 proto tcp from any port > 1024 to any port > 5000 flags S keep state keep frags
    pass in quick on ed0 proto tcp from any port > 1024 to any port > 4000 flags S keep state keep frags
    Note:

    If the Windows firewall is used, add inbound and outbound rules in Windows Firewall with Advanced Security for the Meridian executable AMEDMW.exe.

  1. When the firewall has been configured and the connection between the IIS and Meridian servers is working properly, publish a Meridian vault as described in Create a PowerWeb Location.
  2. The last step is to create a simple port mapping on the firewall between the LAN and the DMZ so that the IIS server on the private LAN can be reached via the Internet using a real IP address.

On the firewall computer, edit the /etc/ipnat.rules file as below:

#test web client
bimap fxp1 192.168.1.240/32 -> x.x.x.x/32

(x.x.x.x = a real life Internet address)

Also edit the /etc/ipf.rules file as shown below:

#test web client
pass in quick on fxp1 proto tcp from any port > 1024 to 192.168.1.240/32 port = 80 flags S keep state keep frags
pass in quick on fxp1 proto tcp from any port > 1024 to 192.168.1.240/32 port = 443 flags S keep state keep frags

Your Meridian application server is now accessible securely via the Internet.

The preceding steps relate to this configuration scenario only. However, the technique of using protocol levels in this way is the same for all configurations.