We are about to publish Tessitura on The Go outside of our network. We have a dedicated instance of the REST application with TOG for this. Of course we want to keep the REST resources private for security reasons, while publishing TOG to the outside.
Can anyone point me to any documentation or discussion around locking down REST with an open TOG app?
We can think of several options, but they all seem too fussy; we're looking for the simple solution.
Thanks, Mark
Hi Mark,
Have you referenced this document: https://www.tessituranetwork.com/en/Files/Docs/Installation/Tessitura-Web-External-Access-Guide-v14 ?
-Kevin
Hi Kevin,
Thanks, I have been over that document carefully. It does not really address the question about locking down the REST services. I can restate the issue this way:
When you do a default installation you get a website that publishes the REST services with something like:
https://LiveREST.mydomain.com/
Then when you add Tessitura on The Go, you get another website at a sub-folder like:
https://LiveREST.mydomain.com/TessituraWeb/
We want to publish TOG to the outside world; we do not want to publish the REST services to the outside. We can do fancy things with the firewall, and/or virtual directories and multiple forward domains.
But I suspect there is a simple solution that I'm not thinking of.
Thanks,
Mark
Maybe I'm missing something, but I think generally you will want:
Tessitura DB Server <-(1)-> REST API Server <-(2)-> TOG Server
Where (2) is the connection you perhaps use a firewall for restriction, such that e.g. only the TOG Server can access the REST server. That way you do not have to publish a REST service on a machine that also needs open external https access for other services.
That implies that the TOG application functions remotely from the REST application. Which begs the question why did Tessitura set up TOG as a subfolder in the REST application?
This separation that you suggest just might be the right way to do it, we could do that even on the same server but just in different websites, each with their own certificate.
But there may be a simpler way.
Hi Mark - I'm going to assume you are placing a TOTG server in a DMZ for external access. On that server, you would just install the Tessitura Web (On The Go) portion of TIM. Installing Tessitura Service (REST) is not a prerequisite and is not required for installing Tessitura Web.
Once you do that, you can pinhole from that server to REST services you host on the inside via your firewall or something to that effect.
I hope that helps...
Thanks, David
Ah, thanks David! If TOG runs fine independently, we certainly will have it and only it on that server. I was just confused by the default installation.
And I'm forgetting: it needs more than just REST, right? TOG also includes access to SSRS reports?
Correct, I'm assuming it can consume SSRS remotely.
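
The restriction on connection (2) discussed in this thread, expressed as Windows Firewall rules on the internal REST server. This is an added example, not part of the original posts and not Tessitura's own guidance. The address, port and rule name are placeholder assumptions, and it assumes the host firewall's default inbound action is Block.

```powershell
# Run elevated on the internal REST API server.
# Assumptions (placeholders, not from the thread):
$TogServer = '192.0.2.10'   # DMZ address of the TOG (Tessitura Web) server
$RestPort  = 443            # HTTPS binding of the REST site in IIS
$RuleName  = 'REST inbound from TOG server only'   # hypothetical rule name

# 1. Find enabled inbound allow rules that open the REST port to any remote
#    address. A scoped rule has no effect while one of these is still active.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port.Protocol -eq 'TCP' -and
        $port.LocalPort -contains "$RestPort" -and
        $addr.RemoteAddress -contains 'Any'
    }

# 2. Review what was found, then disable each one after confirmation.
$broad | Format-Table DisplayName, Profile -AutoSize
$broad | Disable-NetFirewallRule -Confirm

# 3. Allow the REST port only from the TOG server. Any internal clients that
#    also call REST directly need their addresses added to -RemoteAddress.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $RestPort `
    -RemoteAddress $TogServer -Action Allow

# 4. Confirm the resulting scope of the new rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 5. Verify reachability: run this from the TOG server (should succeed) and
#    from any other host (should fail). <rest-host> is a placeholder.
# Test-NetConnection -ComputerName <rest-host> -Port 443
```

A perimeter firewall pinhole from the DMZ to the REST server, as described above, still applies; the host rule narrows what can reach REST if another machine on the inside or in the DMZ is compromised.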