IMPORTANT: Security is a complex subject and Novell does not attempt to suggest a complete defense solution with this example. Novell recommends that you consult with your security professional to implement Filr in a DMZ.
To provide an additional level of security, you can set up Filr in a DMZ. Consider doing so especially if you plan to allow external users to access the Filr system (as described in Section 10.1, Allowing External Users Access to Your Filr Site). It is most secure to restrict external user access to Filr appliances that are located in the DMZ, rather than allowing external users access to a Filr appliance behind the internal firewall.
The actual data is never stored in the DMZ. It is stored behind the internal firewall on the database and search appliances, on the Windows and OES servers (for your Net Folders), and on a SAN for files in personal storage.
Figure 29-1 illustrates a basic setup with Filr running in a DMZ, including information about the ports that you need to open for the firewalls and for communication between the various servers.
Figure 29-1 Filr in a DMZ
Only traffic destined to the DMZ is allowed through the front-end firewall, and only traffic from the DMZ to the internal network is allowed through the back-end firewall.
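The following added example (not part of the Filr documentation) audits exported allow rules against the two-firewall policy described above. The subnets, rule names, and rule format are constructed assumptions; substitute your own address plan.

```python
import ipaddress

# Constructed address plan (assumption, not taken from the Filr documentation).
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def _within(cidr, zone):
    """True only if every address in cidr lies inside zone."""
    net = ipaddress.ip_network(cidr)
    return net.version == zone.version and net.subnet_of(zone)

def audit(firewall, rules):
    """Return findings for allow rules that break the DMZ policy.

    Rules describe who may initiate a connection; reply traffic is
    assumed to be handled by stateful inspection.
    """
    if firewall not in ("front-end", "back-end"):
        raise ValueError(f"unknown firewall: {firewall}")
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if firewall == "front-end":
            # Front-end firewall: only traffic destined to the DMZ.
            if not _within(r["dst"], DMZ):
                findings.append(f'{r["name"]}: destination {r["dst"]} is outside the DMZ')
        else:
            # Back-end firewall: only traffic from the DMZ to the internal network.
            if not _within(r["src"], DMZ):
                findings.append(f'{r["name"]}: source {r["src"]} is outside the DMZ')
            if not _within(r["dst"], INTERNAL):
                findings.append(f'{r["name"]}: destination {r["dst"]} is outside the internal network')
    return findings

# Constructed sample rule sets.
FRONT_END_RULES = [
    {"name": "fe-1", "action": "allow", "src": "0.0.0.0/0", "dst": "192.0.2.10/32"},
    {"name": "fe-2", "action": "allow", "src": "0.0.0.0/0", "dst": "10.1.2.3/32"},
]
BACK_END_RULES = [
    {"name": "be-1", "action": "allow", "src": "192.0.2.10/32", "dst": "10.1.2.3/32"},
    {"name": "be-2", "action": "allow", "src": "0.0.0.0/0", "dst": "10.1.2.3/32"},
    {"name": "be-3", "action": "allow", "src": "192.0.2.10/32", "dst": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for fw, rules in (("front-end", FRONT_END_RULES), ("back-end", BACK_END_RULES)):
        for finding in audit(fw, rules):
            print(fw, finding)
```

A rule such as fe-2, which lets outside traffic reach an internal address directly through the front-end firewall, is exactly the exposure the DMZ layout is meant to prevent.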
In a clustered environment, it is also possible for some of the Filr appliances in the cluster to run behind the internal firewall while others run in the DMZ. Doing so can result in performance benefits for internal users. Setting up Filr in this way requires that you use memcached caching. For more information about configuring memcached caching, see Section 1.7, Changing Clustering Configuration Settings.
For more information about port configuration in Filr, see Section 1.2.2, Port Numbers.
For information about setting up NetIQ Access Manager as a reverse proxy, see Section 27.0, NetIQ Access Manager.