Web parts hardening


Overview

When an external application is connected to your Bizagi environment through Web Parts, you need to apply configurations that provide an adequate level of security.

 

We recommend creating a separate instance of your Bizagi Web Application that is accessible to external users. This Web Application must have access to your project database so that both applications (internal and external) use the same data.

 

The following diagram gives you an example of the suggested architecture:

 

[Image HardeningWP_01: suggested architecture]

 

External users reach the Bizagi Web Application through a custom portal in which you install the Web Parts. Access to this portal must go through a reverse proxy, where hardening configurations are required to protect against unauthorized access.

 

Before you start

Consider the following before performing the hardening configuration for external users:

The reverse proxy must be previously configured.

The custom portal must be previously created.

The external custom portal must be accessed through Internet.

 

What you need to do

Follow these steps to set up this configuration:

 

1. Configure a domain in your DNS server for the external application

This step creates a connection from your demilitarized zone (DMZ) to the external server that external users reach through the Internet.

 

2. Create a copy of your Bizagi Web Application in your external Internet Information Services (IIS)

This step gives you a Bizagi Web Application in your demilitarized zone that is connected to your Bizagi database. It prevents external users from accessing your internal Bizagi Web Application.

 

3. Configure the Web Parts in your Custom Portal

Configure the Web Parts in your custom external portal so they expose the external Bizagi Web Application.

 

4. Set block rules for login and authentication APIs.

Because your Web Parts use Forms Authentication, you need to block any access to your internal Bizagi Web Application.

 

Procedure

To harden Bizagi Web Parts, follow these steps:

 

1. Configure a domain in your DNS server for the external application

Open the DNS Manager on your internal server (Start -> All Programs -> Administrative Tools -> DNS Manager), then locate your domain inside the Forward Lookup Zones node.

 

Right-click the domain and click New Host. Enter the following information in the wizard:

Name: name of the external site. This name is required in the next step.

IP address: IP address of the external site.

 

[Image HardeningWP_02: New Host dialog in DNS Manager]

 

2. Create a copy of your Bizagi Web Application in your external Internet Information Services (IIS)

2.1 Copy the content of your project's folder (for example, C:\Bizagi\[Project_Name]\WebApplication) and paste it into a new path on your server.

 

[Image HardeningWP_03: copied WebApplication folder]

 

Create the same path on your internal server and paste all the copied folders there.

 

2.2 On your external server, open the Internet Information Services (IIS) Manager and add a new site, using the name you registered in the DNS server in step one.

 

[Image HardeningWP_04: Add Website dialog in IIS Manager]

 

2.3 Select Bindings for the site and set [SiteName].[YourDomain] as the Host Name of both the http and the https bindings.

 

[Image HardeningWP_05: Site Bindings dialog]

 

2.4 Right-click the site you created in IIS Manager and select Add Application. Use the following information:

Alias: choose a descriptive name. For example, you may use the name of the internal application plus "External".

Physical path: choose the path where you pasted the WebApplication folder, including the folder itself.

 

[Image HardeningWP_06: Add Application dialog]

 

3. Configure the Web Parts in your Custom Portal

Set the URL of the external application in your custom portal so that the Web Parts connect to it.

 

[Image HardeningWP_07: Web Parts URL configuration in the custom portal]

 

4. Set block rules for login and authentication APIs

Because your Web Parts use Forms Authentication against your internal application, you need to block some features of the external application. Follow these steps:

 

4.1 Back in the Internet Information Services (IIS) Manager, select the external site and open URL Rewrite.

 

[Image HardeningWP_08: URL Rewrite feature in IIS Manager]

 

4.2 Add the following rules by clicking the Add Rule option.

 

Rule 1

Name: NotLoginPage

Conditions

- Input: {URL}
- Type: Matches the Pattern
- Pattern: login.desktop.production.tmpl.html

Action

- Action type: Redirect
- Redirect URL: URL of your reverse proxy

 

[Image HardeningWP_09: rule NotLoginPage]

 

Rule 2

Name: AuthN backend protection

Conditions

- Input: {URL}
- Type: Matches the Pattern
- Pattern: Api/Authentication/User$

Action

- Action type: Custom Response
- Status code: 401

 

[Image HardeningWP_10: rule AuthN backend protection]

 

4.3 It is strongly recommended that you also apply the recommendations given in the intermediate hardening of IIS, mainly steps two and three.
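The four procedure steps above, collected into one PowerShell script as an added example; this is not Bizagi's own code and is not part of the original documentation. It assumes the DnsServer and WebAdministration PowerShell modules and the IIS URL Rewrite module are installed. The zone name, host name, IP address, folder paths, application alias, application pool and reverse-proxy URL are placeholders, and the match pattern ".*" used for both rules is an assumption, because the page specifies only the rule conditions.

```powershell
# Added example, not from the Bizagi documentation: steps 1 to 4 of the
# procedure as PowerShell. Every value below is an assumption; replace it with
# your own. Step 1 runs on the internal DNS server, steps 2 and 4 on the
# external (DMZ) IIS server.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# ---- assumed values -------------------------------------------------------
$ZoneName     = 'corp.example'                       # your domain (Forward Lookup Zone)
$SiteName     = 'bizagiexternal'                     # host name chosen in step 1
$ExternalIp   = '203.0.113.10'                       # IP address of the external site
$HostName     = "$SiteName.$ZoneName"                # [SiteName].[YourDomain]
$SourcePath   = 'C:\Bizagi\MyProject\WebApplication' # project folder (step 2.1)
$SiteRoot     = 'D:\BizagiExternal\wwwroot'          # empty root folder for the new site
$AppPath      = 'D:\BizagiExternal\WebApplication'   # where the copy is pasted
$AppAlias     = 'MyProjectExternal'                  # internal app name + "External"
$ReverseProxy = 'https://portal.example/'            # Redirect URL for rule 1

# Step 1 (internal DNS server): the New Host record in the Forward Lookup Zone.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $SiteName -IPv4Address $ExternalIp

# Step 2.1: copy the WebApplication folder, including the folder itself, to the new path.
New-Item -ItemType Directory -Path $SiteRoot -Force | Out-Null
Copy-Item -Path $SourcePath -Destination $AppPath -Recurse -Force

# Steps 2.2 and 2.3 (external IIS server): a site named as in DNS, with http and
# https bindings on the host name. Attaching the TLS certificate is not shown.
Import-Module WebAdministration
New-Website -Name $SiteName -PhysicalPath $SiteRoot -HostHeader $HostName -Port 80 | Out-Null
New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName

# Step 2.4: the application under the site, pointing at the copied folder.
New-WebApplication -Name $AppAlias -Site $SiteName -PhysicalPath $AppPath `
    -ApplicationPool 'DefaultAppPool' | Out-Null

# Step 3 happens in the custom portal: point the Web Parts at this external URL.
$ExternalUrl = "https://$HostName/$AppAlias/"
Write-Host "Configure the Web Parts in the custom portal with: $ExternalUrl"

# Step 4 (external IIS server, URL Rewrite module required): the two rules.
$SitePsPath = "IIS:\Sites\$SiteName"
$Rules      = 'system.webServer/rewrite/rules'

function Add-BlockingRule {
    param(
        [string]$Name,               # rule name as shown in IIS Manager
        [string]$ConditionPattern,   # regex tested against the {URL} server variable
        [string]$ActionType,         # Redirect or CustomResponse
        [hashtable]$ActionAttributes # remaining attributes of the <action> element
    )
    Add-WebConfigurationProperty -PSPath $SitePsPath -Filter $Rules -Name '.' `
        -Value @{ name = $Name; stopProcessing = 'True' }
    $Rule = "$Rules/rule[@name='$Name']"
    # Match every URL; the condition decides whether the rule applies (assumption).
    Set-WebConfigurationProperty -PSPath $SitePsPath -Filter "$Rule/match" -Name 'url' -Value '.*'
    Add-WebConfigurationProperty -PSPath $SitePsPath -Filter "$Rule/conditions" -Name '.' `
        -Value @{ input = '{URL}'; matchType = 'Pattern'; pattern = $ConditionPattern }
    Set-WebConfigurationProperty -PSPath $SitePsPath -Filter "$Rule/action" -Name 'type' -Value $ActionType
    foreach ($Attr in $ActionAttributes.Keys) {
        Set-WebConfigurationProperty -PSPath $SitePsPath -Filter "$Rule/action" `
            -Name $Attr -Value $ActionAttributes[$Attr]
    }
}

# Rule 1: NotLoginPage - send the login page to the reverse proxy.
Add-BlockingRule -Name 'NotLoginPage' -ConditionPattern 'login.desktop.production.tmpl.html' `
    -ActionType 'Redirect' -ActionAttributes @{ url = $ReverseProxy }

# Rule 2: AuthN backend protection - answer 401 on the authentication API.
Add-BlockingRule -Name 'AuthN backend protection' -ConditionPattern 'Api/Authentication/User$' `
    -ActionType 'CustomResponse' -ActionAttributes @{ statusCode = 401 }
```

The rewrite cmdlets write the rules into the site's web.config under system.webServer/rewrite/rules, which is the same place the URL Rewrite feature of step 4.2 stores them, so the result can be reviewed in IIS Manager afterwards. A quick check of the outcome is to request the login page and the Api/Authentication/User path on the external host name: the first should redirect to the reverse proxy and the second should answer 401.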

 

At this point you have hardened your architecture so that external users can connect to your Bizagi application.