This page addresses components and characteristics of a typical Unanet installation. Unanet does not recommend the use of any particular configuration, but provides this information to assist you in your planning process.
You may also be interested in:
Product Security (measures taken to minimize product security vulnerabilities)
A typical Unanet installation may resemble:
An external firewall between the Internet and the DMZ, configured to allow access via port 80 to the Unanet server
A Unanet server on the DMZ with:
A servlet engine (e.g., Tomcat)
Optionally a web server (e.g., IIS or Apache)
The Unanet software
An internal firewall between the DMZ and the internal network, configured to allow connections to the database server on the appropriate port (usually either 1433 or 1521) only from the Unanet server
A database server with either SQL Server or Oracle on the internal network
Should you decide to scale your platform for performance or redundancy reasons, consider running with multiple front end web servers. When doing so, keep the following in mind:
Ensure the scheduler is enabled on only one front end machine. You may consider disabling the scheduler via unanet.properties entries on all but one machine, so that whether the scheduler is enabled can be controlled via the UI on one front end server only. Having multiple schedulers running against the same database instance can produce unpredictable results.
This section provides additional information on security.
Securing your Unanet system should be treated the same as securing any webserver on your network.
If the webserver and the database server are the same machine, you may want to allow a connection to the database server only from localhost.
If the webserver and the database server are separate machines, the webserver should be the only machine configured to communicate with the database server through the port specified. The port depends on the database platform used (SQL Server default 1433, Oracle default 1521).
If a hacker were able to break into your webserver, it would be possible for them to see your database.properties file. If they had the ability to get that far, they would be able to see the password that is set for your database. Thus, the database.properties file should have only the minimal permissions the servlet engine needs to read the file. You may want to configure SQL Server such that the Unanet login ID (e.g., "unanet") can only access the unanet database and no other database on the SQL Server machine.
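As an added example (not part of the Unanet documentation or product), the following shell function checks that database.properties is owned by the servlet engine's account and grants no group or other access. It assumes a Unix-like host; the file path and the account name are site-specific arguments you supply, not values taken from this page.

```shell
#!/bin/sh
# Added example, not Unanet code. Assumes a Unix-like host.
# Usage: audit_db_properties /path/to/database.properties <servlet-engine-account>
# (both arguments are site-specific placeholders, not values from this page)
audit_db_properties() {
    file=$1
    want_owner=$2
    rc=0

    # A symlink or missing file cannot be audited by its own mode bits.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FINDING: $file is a symlink, missing, or not a regular file"
        return 1
    fi

    # ls -ld prints: mode links owner group size date name
    read -r mode links owner rest <<EOF
$(ls -ld "$file")
EOF

    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "FINDING: $file grants group/other access ($mode); use chmod 400 or 600"
        rc=1
    fi

    # A trailing '+' means an ACL is present and may widen access.
    case $mode in
        *+) echo "FINDING: $file carries an ACL; review it"; rc=1 ;;
    esac

    # The file should belong to the account the servlet engine runs as.
    if [ "$owner" != "$want_owner" ]; then
        echo "FINDING: $file is owned by $owner, expected $want_owner"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file is readable only by $owner"
    return "$rc"
}
```

The function returns a non-zero status when it reports any finding, so it can be run from a scheduled job that alerts on failure.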
Some points to think about when considering the usage of SSL:
Additional cost obtaining and maintaining an SSL certificate
Increased overhead will result in a slight performance reduction
Using SSL may not provide any protection against a compromise of the machine. This is especially true if port 80 is still open.
If your site is to be configured for exclusive access via SSL, you should enable the unanet.cookie.secure setting for added security.
Security Note: Usually, the reason for encrypting data is to avoid having hackers sniff packets going across the internet connection.