Network configuration for typical deployments
These instructions are aimed at a single protected application. To add more applications, follow these steps for each deployment.
Inline, no load balancer
For each application to be protected by the Broker, change the appropriate DNS entries to resolve to the Secfense Broker IP address. Further configuration in the Broker will direct traffic to the application servers.
Keep in mind that client sessions are terminated on the Broker, which means TLS is terminated there as well. Either add the Secfense CA to the clients' trust store or install proper certificates for the application in the Application Representation.
In a cluster setup, use both Brokers' IPs in DNS resolution to maintain high availability or set up VRRP.
To prepare a test deployment, use a temporary test domain name.
Inline, with load balancer
For this setup, no changes need to be made on the frontend of the load balancer. To move traffic to the Broker, replace nodes in the backend configuration with Secfense servers. TLS will be terminated on the load balancer.
To keep high availability in a cluster setup, utilize load balancer rules to configure an active/standby solution using proper health checks (described further in this guide).
For test purposes, create a new test frontend (independent from production traffic) and use DNS to properly direct test users.
On a stick
Follow these steps on the load balancer to successfully deploy Secfense Broker "on a stick" for a particular application:
1. Create a new frontend (VIP, VServer - depends on the type of load balancer) that will only be reachable by Secfense Broker. Configure the backend the same as the production frontend (forward traffic to application servers).
2. Create a pool that includes Broker servers. To maintain high availability, utilize proper health checks and active/standby configuration.
3. To test the setup (without impacting production traffic), create a separate test frontend for the application (with the same settings as the production frontend, but use a different IP). Direct traffic from this frontend to the newly created pool for Secfense Brokers. You can use DNS to direct test users to this test frontend.
4. While configuring the application in the Broker GUI, use the frontend created in step 1 as the upstream URL. After these steps, you should have a fully functional test environment for a single application.
5. To move the above setup to production, change the backend in the production frontend to the Broker backend. After this change, all users should have the same experience as users testing the setup from point 4.
6. To roll back the production change, restore the original backend in the production frontend.
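The following HAProxy configuration is an added example, not part of the Secfense guide, showing how the "on a stick" procedure above maps onto a concrete load balancer; the same `broker_pool` backend with health checks and an active/standby (`backup`) server is what the "Inline, with load balancer" section swaps into the production frontend. All IP addresses, ports, certificate paths and the `/health` check path are placeholders assumed for the example.

```haproxy
# Added example (not from the Secfense guide): HAProxy 2.x configuration for
# the "on a stick" deployment. All IPs, ports, names and paths are placeholders.

global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Production frontend for the application. Left unchanged while testing.
# TLS is terminated here, on the load balancer.
frontend app_prod
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/app.example.com.pem
    bind 203.0.113.10:80
    http-request redirect scheme https unless { ssl_fc }
    # Step 5 (go-live): change this line to "default_backend broker_pool".
    # Step 6 (rollback): change it back to "default_backend app_servers".
    default_backend app_servers

# Step 1: frontend reachable only by the Brokers, with the same backend as
# production. Its URL is the upstream URL entered in the Broker GUI (step 4).
frontend app_for_broker
    bind 10.0.0.20:8443 ssl crt /etc/haproxy/certs/app.example.com.pem
    # Refuse anything that does not come from a Broker pool member.
    acl from_broker src 10.0.0.31 10.0.0.32
    http-request deny unless from_broker
    default_backend app_servers

# Step 3: separate test frontend on a different IP, same settings as
# production, but sending traffic to the Broker pool. Point test users at
# 203.0.113.11 via DNS.
frontend app_test
    bind 203.0.113.11:443 ssl crt /etc/haproxy/certs/app.example.com.pem
    default_backend broker_pool

# The original production backend: the application servers.
backend app_servers
    balance roundrobin
    option httpchk GET /health        # health-check path is an assumption
    http-check expect status 200
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check

# Step 2: pool of Secfense Brokers with health checks and active/standby.
# "backup" keeps broker2 idle until broker1 fails its health check.
# The Broker terminates TLS, so the load balancer re-encrypts towards it and
# verifies the Broker certificate against the Secfense CA (see the note on the
# CA / trust store above).
backend broker_pool
    option httpchk GET /health        # health-check path is an assumption
    http-check expect status 200
    server broker1 10.0.0.31:443 check ssl verify required ca-file /etc/haproxy/certs/secfense-ca.pem inter 3s fall 2 rise 2
    server broker2 10.0.0.32:443 check ssl verify required ca-file /etc/haproxy/certs/secfense-ca.pem inter 3s fall 2 rise 2 backup
```

The go-live and rollback steps are deliberately reduced to a single `default_backend` line in `app_prod`, so the change can be applied and reverted with a configuration reload and no DNS or certificate changes. Validate the file with `haproxy -c -f <file>` before reloading.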