I can understand why Dorothy was so worried. Customers often struggle with the question of if they should integrate their OAM environment and applications with WebGates on each application, or use a general reverse proxy farm. This question recently came up on a customer project, and the simple answer is: “It depends."
The below diagram shows how the reverse proxy model works:
When integrating with OAM using the reverse proxy model, a web server that is owned by the OAM team is used to do all OAM specific work. This includes:
The primary advantage to this approach is that all hardware and software is owned by the OAM team. Any issues with authentication or authorization that occur can be managed internally by the OAM team without direct interaction with the customer. Issues with application integration may still require working with the customer.
The disadvantage to this approach is that all application traffic flows through ICAM servers, requiring the OAM team to manage enough hardware to handle the load of authentication traffic AND application traffic. This model works well in scenarios that:
In these scenarios an application can generally be integrated quickly into the environment.
Because there is no “phone-home” from the application to OAM to verify the security context (usually a header), it’s important that this method lock down connections from the reverse proxy to the application using firewall rules and/or SSL/TLS mutual authentication. This will protect the application from spoofing attempts.
The alternative to the reverse proxy model is to use a WebGate. A WebGate, or Agent, is a component that runs in a webserver that acts as a “gate keeper” using OAM. This component intercepts all requests, and will redirect the user to the OAM login server for authentication when needed.
WebGates offer several advantages over a reverse proxy hosted by the OAM Team:
The main disadvantage to this model is that the WebGate needs to be installed onto the application’s web server. This means the ICAM team will need to be available for installation and testing as well as trouble shooting when issues occur.
While the Reverse Proxy model offers more simplicity, the WebGate model offers more power and control. This model is effective on applications with:
Integrations using this method generally take longer but require less in the way of locking down connections between OAM and the application as there is built-in security in those connections.
The model used for an application should be determined on an application-by-application basis. Simpler applications will often benefit from the speed of a rapid integration, whereas larger and more complex applications will often require the power and flexibility of a local Web Gate.
Once you break down the requirements of an application and see that there are several options for handling them, neither WebGates nor proxies seem all that scary.