Proxy servers
Guidewire recommends deploying proxy servers to insulate PolicyCenter from the external Internet. This recommendation applies both to outgoing requests from PolicyCenter to computers on the external Internet and to incoming requests from the Internet to PolicyCenter.
Several PolicyCenter integration options require outgoing messages. Placing a proxy server between the external Internet and PolicyCenter insulates PolicyCenter from some types of attacks and partitions all network access for maximum security.
Additionally, some of the integration points require encrypted communication. Because encryption in Java tends to perform worse than encryption in native code that is part of a web server, encryption can be off-loaded to the proxy server. For example, instead of the PolicyCenter server directly encrypting HTTPS/SSL connections to an outside server, PolicyCenter can contact a proxy server with standard HTTP requests. Standard requests are less resource intensive than SSL-encrypted requests. The proxy server, running fast compiled code, connects to the outside service using HTTPS/SSL.
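The off-loading arrangement described above could look like the following Apache httpd 2.4 configuration, using the mod_proxy and mod_ssl modules referenced later in this topic. This is an added example, not Guidewire's own configuration. All host names, IP addresses, ports, URL paths, and file paths are placeholders chosen for illustration.

```apache
# Added example: outbound TLS off-load with Apache httpd 2.4
# (requires mod_proxy, mod_proxy_http and mod_ssl to be loaded).
# Every address, host name, path and port below is a placeholder.

# Listen only on the internal interface that PolicyCenter can reach.
# The PolicyCenter-to-proxy hop is plain HTTP, so it must stay on a
# trusted internal network segment.
Listen 10.0.10.5:8081

<VirtualHost 10.0.10.5:8081>
    ServerName outbound-proxy.internal.example

    # Act as a fixed gateway to one service, not as an open forward proxy.
    ProxyRequests Off

    # Only the PolicyCenter application servers may use this gateway.
    <Location "/partner/">
        Require ip 10.0.20.0/24
    </Location>

    # Enable TLS on the proxy-to-remote-service leg.
    SSLProxyEngine On
    SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Verify the remote service's certificate. Without these directives
    # the off-loaded connection is encrypted but the peer is not authenticated.
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCACertificateFile "/etc/httpd/conf/partner-ca-bundle.pem"
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On

    # PolicyCenter calls http://outbound-proxy.internal.example:8081/partner/...
    # and the proxy forwards the request to the remote service over HTTPS.
    ProxyPass        "/partner/" "https://partner.example.com/api/"
    ProxyPassReverse "/partner/" "https://partner.example.com/api/"
</VirtualHost>
```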
A proxy server that handles incoming connections from an external Internet service to PolicyCenter and not just outgoing requests from PolicyCenter is sometimes called a reverse proxy server. For the sake of simplicity, this topic refers to any server that handles incoming requests as a proxy server. Your server might handle only outgoing requests if you do not need to intercept incoming requests.
Resources for understanding and implementing SSL
Some proxy server configurations use SSL encryption. Encryption concepts and proxy configuration details are complex, and full documentation on this process is outside the scope of PolicyCenter documentation.
For more information about SSL encryption and Apache-specific documentation related to SSL, refer to all of the following resources.
| Encryption-related documentation | For more information, see this location |
|---|---|
| High-level overview of public key encryption | |
| Detailed description of public key encryption | ftp://ftp.pgpi.org/pub/pgp/7.0/docs/english/IntroToCrypto.pdf |
| Detailed description of SSL/TLS Encryption | http://httpd.apache.org/docs/current/ssl/ssl_intro.html |
| Overview of Apache’s SSL module | http://httpd.apache.org/docs/current/mod/mod_ssl.html |
| Overview of Apache’s proxy server module | http://httpd.apache.org/docs/current/mod/mod_proxy.html |
Web services and proxy servers
If your PolicyCenter deployment must call out to web services hosted by other computers, always connect to them through a proxy server for maximum security.
You can vary the URL to remote-hosted web services based on configuration environment settings on your server, specifically the env and serverid settings. For example, if running in a development environment, connect to the remote service directly or through a testing-only proxy server. In contrast, if running in the production environment, always connect through the official proxy server.
See also
- For configuring web services URLs to support proxy servers, see the Configuration Guide.
