We are about to publish Tessitura on The Go outside of our network. We have a dedicated instance of the REST application with TOG for this. Of course we want to keep the REST resources private for security reasons, while publishing TOG to the outside.
Can anyone point me to any documentation or discussion around locking down REST with an open TOG app?
We can think of several options, but they all seem too fussy, we're looking for the simple solution.
Thanks,Mark
Hi Mark,
Have you referenced this document: https://www.tessituranetwork.com/en/Files/Docs/Installation/Tessitura-Web-External-Access-Guide-v14 ?
-Kevin
Hi Kevin,
Thanks, I have been over that document carefully. It does not really address the question about locking down the REST services. I can reinstate the issue this way:
When you do a default instillation you get a website that publishes the REST services with something like:
https://LiveREST.mydomain.com/
Then when you add Tessitura on The Go, you get another website at a sub-folder like:
https://LiveREST.mydomain.com/TessituraWeb/
We want to publish TOG to the outside world, we do not want to publish the REST services to the outside. We can do fancy things with the firewall, and or virtual directories and multiple forward domains.
But I suspect there is a simple solution that I'm not thinking of.
Thanks,
Mark
Maybe I'm missing something, but I think generally you will want:
Tessitura DB Server <-(1)-> REST API Server <-(2)-> TOG Server
Where (2) is the connection you perhaps use a firewall for restriction, such that e.g. only the TOG Server can access the REST server. That way you do not have to publish a REST service on a machine that also needs open external https access for other services.
That implies that the TOG application functions remotely from the REST application. Which begs the question why did Tessitura set up TOG as a subfolder in the REST application?
This separation that you suggest just might be the right way to do it, we could do that even on the same server but just in different websites, each with their own certificate.
But there may be a simpler way.
Hi Mark - I'm going to assume you are placing a TOTG server in a DMZ for external access. On that server, you would just install the Tessitura Web (On The Go) portion of TIM. Installing Tessitura Service (REST) is not a prerequisite and is not required for installing Tessitura Web.
Once you do that, you can pinhole from that server to REST services you host on the inside via your firewall or something to that effect.
I hope that helps...
Thanks,David
Ah, thanks David! If TOG runs fine independently, we certainly will have it and only it on that server. I was just confused by the default instillation.
And I'm forgetting: it needs more than just REST, right? TOG also includes access to SSRS reports?
Correct, I'm assuming it can consume SSRS remotely.
To follow up on this thread:
Tessitura on The Go can exist as a stand alone application on it's own server. It does not need any REST components in the filesystem. All it needs is the path to the relevant REST server and a DB connection.
Setting it up like this allows us to only open 443 to the outside and keep backend traffic to the SQL ports and REST app. (I think the SSRS reports are all handled via the REST service.)
On top of that we installed our two factor authentication app at the IIS level.
Setting it up this way allows us to really lock down public TOG access.
Thanks for the help.
Hi Mark - out of curiosity, what do you use for 2FA for TOTG? We use Incapsula Login Protect, which works, but the user interface is a bit confusing. I'm interested in other options. Thanks!
Hi David,
We use DUO, and are very happy with it, it's pretty flexible. https://duo.com/
Thanks, Mark. We use DUO for many things as well, but hadn't found a clean way to protect TOTG with it in our environment.. But it's been a while since we looked at it so perhaps something changed. Are you using Duo Network Gateway?
I'm going to have to ask my network guy, he's out today, I'll get back to you.