We are about to publish Tessitura on The Go outside of our network. We have a dedicated instance of the REST application with TOG for this. Of course we want to keep the REST resources private for security reasons, while publishing TOG to the outside.
Can anyone point me to any documentation or discussion around locking down REST with an open TOG app?
We can think of several options, but they all seem too fussy, we're looking for the simple solution.
Thanks,Mark
Hi Mark,
Have you referenced this document: https://www.tessituranetwork.com/en/Files/Docs/Installation/Tessitura-Web-External-Access-Guide-v14 ?
-Kevin
Hi Kevin,
Thanks, I have been over that document carefully. It does not really address the question about locking down the REST services. I can reinstate the issue this way:
When you do a default instillation you get a website that publishes the REST services with something like:
https://LiveREST.mydomain.com/
Then when you add Tessitura on The Go, you get another website at a sub-folder like:
https://LiveREST.mydomain.com/TessituraWeb/
We want to publish TOG to the outside world, we do not want to publish the REST services to the outside. We can do fancy things with the firewall, and or virtual directories and multiple forward domains.
But I suspect there is a simple solution that I'm not thinking of.
Thanks,
Mark
Maybe I'm missing something, but I think generally you will want:
Tessitura DB Server <-(1)-> REST API Server <-(2)-> TOG Server
Where (2) is the connection you perhaps use a firewall for restriction, such that e.g. only the TOG Server can access the REST server. That way you do not have to publish a REST service on a machine that also needs open external https access for other services.
That implies that the TOG application functions remotely from the REST application. Which begs the question why did Tessitura set up TOG as a subfolder in the REST application?
This separation that you suggest just might be the right way to do it, we could do that even on the same server but just in different websites, each with their own certificate.
But there may be a simpler way.