Configuring Laserfiche Web Products for Use With Firewalls.

January 7, 2005 | KB: 1000853
Agenda Manager 6, Web Access 6, WebLink 6, Agenda Manager 7, Web Access 7, WebLink 7

Summary

Laserfiche web products can provide vast amounts of information quickly and easily to users on the Internet via a standard HTTP client (web browser). However, while you may wish to provide as much helpful information as possible to the end-user, you may not want to make everything publicly available. A network firewall is a tool that an administrator can use to limit access to information in a private network.

Laserfiche web products (Agenda Manager, Web Access, and WebLink) can be configured for use with a firewall, but there are certain issues that need to be considered. These issues are discussed in the More Information section below.

Note: If you have never configured a firewall, it is strongly recommended that you refer to another source for information on firewall configuration. You should also contact a network security professional before implementing the information in this article.

Laserfiche 6: If a firewall exists between the Laserfiche Server and another Laserfiche product, then you will need to open port 1888 on the firewall.

Laserfiche 7: If a firewall exists between the Laserfiche Server and another Laserfiche product, then the Laserfiche Server and the desired Laserfiche product will require additional configuration. For more information, please refer to the Laserfiche 7 and Firewalls section below.

More Information

When a user attempts to access a Laserfiche repository through a Laserfiche web product (Agenda Manager, Web Access, and WebLink), the user first communicates with the web server hosting the Laserfiche web product. The web server then communicates with the Laserfiche Server, which then sends back the appropriate response, which travels back to the user. You can configure your setup so that the firewall resides anywhere along that route. There may be no firewall between the user and the web server. There may be a firewall between the user and the web server. There may be a firewall between the web server and the Laserfiche Server. Or there may be a firewall between each step in the network.

The following are basic network configurations available when using Laserfiche web products with a firewall.

Web Server and Laserfiche Server Outside the Firewall

With this configuration, the firewall's security is not compromised in any way; the data protected within the firewall remains secure. On the downside, the Laserfiche Server is exposed to the outside world, which can be problematic if there is sensitive data on it.

How does it work?

  1. An Internet user (via web browser) requests information from the Laserfiche repository through a web site incorporating the Laserfiche web product.
  2. The request is received by the web server. The web server opens a connection with the Laserfiche Server using the Laserfiche web product.
  3. The Laserfiche Server receives the connection command and provides the requested information back to the user through the web server.
  4. The firewall is configured to allow Internet access from the private network. All access initiated from the Internet to the private network is restricted.

Web Server Outside the Firewall; Laserfiche Server Inside the Firewall

With this configuration, the Laserfiche Server remains protected behind the firewall. The firewall configuration would have to be changed to allow a connection to be made from the web server to the Laserfiche Server. On the plus side, such a configuration would keep the Laserfiche Server relatively secure within the firewall. However, because a tunnel must exist to allow the web server to communicate with the Laserfiche Server, a compromised web server could be used as a launching point for an attack through the firewall to the Laserfiche Server.

How does it work?

  1. An Internet user (via web browser) requests information from the Laserfiche repository through a web site incorporating the Laserfiche web product.
  2. The request is received by the web server, which opens a connection with a Laserfiche web product.
  3. A Laserfiche web product opens a connection with the Laserfiche Server via the firewall (as a proxy).
  4. The firewall is configured to allow Internet access from the private network. All direct access initiated from the Internet to the private network is restricted. When the web server makes a connection to the firewall, the firewall passes the request on to the Laserfiche Server located on the private network. Special care should be taken to only allow access to the TCP/IP port that Laserfiche needs for connection and to only allow connections coming from the web server hosting the Laserfiche web product.
  5. The Laserfiche Server receives the connection command and provides the requested information back to the user through the web server.
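
The restriction in step 4, as an added example that is not part of the original article: a check that reads forwarding rules and reports any ACCEPT rule reaching the Laserfiche Server from a source other than the web server or on anything other than the Laserfiche port. It assumes rules in iptables-save format (the article names no firewall product), uses port 1888 as given above for Laserfiche 6, and runs on constructed sample rulesets with documentation addresses; negated matches and multiport rules are not interpreted.

```python
import ipaddress
import shlex

LF_PORT = 1888  # port this article names for Laserfiche 6
FLAGS = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
         "-j": "target", "--state": "state", "--ctstate": "state"}

# Constructed sample rulesets; addresses are RFC 5737 documentation ranges.
WEAK = """
-A FORWARD -d 198.51.100.20/32 -j ACCEPT
-A FORWARD -s 192.0.2.0/24 -d 198.51.100.20/32 -p tcp --dport 1888 -j ACCEPT
"""
STRICT = """
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.0.2.10/32 -d 198.51.100.20/32 -p tcp -m tcp --dport 1888 -j ACCEPT
-A FORWARD -d 198.51.100.20/32 -j DROP
"""

def parse_rule(line):
    """Parse one iptables-save '-A FORWARD' line into a dict, else None."""
    tok = shlex.split(line)
    if tok[:2] != ["-A", "FORWARD"]:
        return None
    rule = {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "all",
            "dport": None, "target": None, "state": ""}
    for i, t in enumerate(tok[:-1]):
        if t in FLAGS:
            rule[FLAGS[t]] = tok[i + 1]
    return rule

def audit(rules_text, web_ip, lf_ip, port=LF_PORT):
    """List ACCEPT rules that reach the Laserfiche Server too broadly."""
    findings = []
    web = ipaddress.ip_network(web_ip)
    lf = ipaddress.ip_address(lf_ip)
    for line in rules_text.strip().splitlines():
        r = parse_rule(line)
        if not r or r["target"] != "ACCEPT":
            continue
        if r["state"] and "NEW" not in r["state"]:
            continue  # return traffic only; opens no new connections
        if lf not in ipaddress.ip_network(r["dst"], strict=False):
            continue  # rule does not cover the Laserfiche Server
        if ipaddress.ip_network(r["src"], strict=False) != web:
            findings.append(("source", line))
        if r["proto"] != "tcp" or r["dport"] != str(port):
            findings.append(("port", line))
    return findings
```

Calling audit(WEAK, "192.0.2.10", "198.51.100.20") reports the any-source, any-port rule twice and the /24 source once; the STRICT ruleset produces no findings.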

Web Server and Laserfiche Server Inside the Firewall

This type of configuration allows access to the Laserfiche Server and the web server only through the firewall. In this case, the firewall acts as a proxy or a filtering gateway depending upon your network configuration. This requires careful configuration and entails an extra level of complexity for the firewall.

With this configuration, the firewall would need to be reconfigured to allow arbitrary connections from the Internet through to the web server inside. However, if access to Laserfiche documents from the Internet is not desired or if the web server is only being used for an intranet and not for Internet access, then not allowing connections through the firewall would be acceptable. Please be aware that you will be lowering the integrity of your firewall if you do configure the firewall to allow arbitrary connections from the Internet through to the web server inside.

How does it work?

  1. An Internet user (via web browser) requests information from the Laserfiche repository through a web site incorporating the Laserfiche web product.
  2. The firewall is configured to allow Internet access from the private network. In addition, the firewall is configured to act as an HTTP proxy or router (depending on whether the firewall is proxy-based or filter-based). In other words, users would point their web browsers to the firewall itself and the firewall would forward the request to the web server located on the private network.
  3. The request is received by the web server, which opens a connection to the Laserfiche Server.
  4. The Laserfiche Server receives the connection command and provides the requested information back to the user through the web server.

Dual Firewalls

This configuration allows access to the Laserfiche Server and the web server only through the firewall. In this case, the firewall acts as a proxy or a filtering gateway depending upon your network configuration. It requires careful configuration and entails an extra level of complexity for the primary firewall.

This setup is similar to the Web Server and Laserfiche Server Inside the Firewall configuration, with the addition of a second firewall. In the case of a network compromise, a properly configured dual-firewall setup will provide a method of localizing the security breach. It offers additional security over an all-or-nothing security model.

How does it work?

  1. An Internet user (via web browser) requests information from the Laserfiche repository through a web site incorporating the Laserfiche web product.
  2. The firewall is configured to allow Internet access from the private network. In addition, the firewall is configured to act as an HTTP proxy or router (depending on whether the firewall is proxy-based or filter-based). In other words, users would point their web browsers to the firewall itself and the firewall would forward the request to the web server located on the private network.
  3. The request is received by the web server, which opens a connection with the Laserfiche Server.
  4. The Laserfiche Server receives the connection command and provides the requested information back to the user through the web server.
  5. A second firewall is configured to allow Internet and Laserfiche access from the private network. All access initiated from the Internet or from the Laserfiche Server to the private network is restricted.

Laserfiche 7 and Firewalls

Please refer to the following Laserfiche Knowledge Base articles for information on how to configure the desired Laserfiche product to be firewall compatible.

1000765 Configuring Laserfiche to be Firewall Compatible.

1011184 Configuring Agenda Manager to be Firewall Compatible.

1011185 Configuring Web Access to be Firewall Compatible.

1011186 Configuring WebLink to be Firewall Compatible.