In some corporate networks, the PPM front-end and the PPM client server are operated in different network segments, with the individual segments protected by a combination of firewall and HTTPS proxy (e.g., Microsoft® Internet Security and Acceleration Server – ISA). Most of the time, these firewall-proxy chains are very restrictive, so that only encrypted data exchange is possible on just a few available ports (port 80 and/or 443). If this type of network topology exists, the https-proxy operation mode is an option to enable data transfer between the PPM front-end and the client server.
Example
The following illustration describes the data traffic between PPM front-end and PPM server taking the case described above as an example, i.e., PPM front-end and PPM client server are separated by one or multiple firewalls. Direct communication between PPM front-end and PPM client server is impossible. HTTP tunneling is also impossible with encrypted data traffic. Therefore, an operation mode with data transfer via HTTPS proxy needs to be applied. The PPM front-end firewall must support this operation mode.
Configuration
You enable this operation mode by assigning the value https-proxy to the UseSSL key in the global configuration file Registry_settings.properties. SSL-encrypted data transfer is used automatically.
The configuration of SSL encryption is described in detail in the chapters on Registry and SSL. You must also ensure that the PPM front-end in use is configured with the required HTTPS proxy. This applies to both the Java browser plug-in and the Analysis GUI.
JAVA browser plug-in (Java Control Panel)
The PPM user interface running in the browser uses the proxy server specified in the Java Runtime Configuration (Java Control Panel in the Control Panel). Use the Java Control Panel to specify the proxy server to be used by entering the computer name and port number in the Network settings dialog. Open the dialog by clicking Network settings... in the Network settings box on the General tab.
You can also edit the https proxy server using the Java Runtime Settings dialog. To do so, go to the Java tab and click Display in the Java Applet Runtime Settings box. Specify the https proxy in the Java Runtime Parameter box as follows:
-Dhttps.proxyHost=<host name> -Dhttps.proxyPort=<port number>
JAVA application (Analysis GUI)
If you want to access a PPM server using the PPM Analysis GUI via HTTPS proxies, you need to specify the HTTPS proxy in the environment variable PPM_PROXY. The syntax is the same as for the Java Runtime parameter described above.
Example
PPM_PROXY=-Dhttps.proxyHost=mypc.company.com -Dhttps.proxyPort=3128
If you activate data transfer via HTTPS proxies, a loss in performance is to be expected due to the additional intermediate stations.
If the HTTPS proxy specified in the configuration is not available, a corresponding error message is output.
If no HTTPS proxy is specified in the configuration and the environment variable PPM_PROXY is not defined, data transfer is encrypted and takes place directly (as for UseSSL=true). To avoid the performance loss caused by the HTTPS proxies you should not specify any HTTPS proxy on the PPM server computer so that PPM command line programs started on the server are able to exchange data with the server via local connections.
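The following check is an added example, not part of the PPM product or its documentation. It reads the UseSSL key and a PPM_PROXY value and reports which transfer path the rules above produce. The function names are hypothetical, the sample input is constructed, and only the PPM_PROXY variable is modeled (not the Java Control Panel setting).

```python
import re

def use_ssl_value(registry_text):
    """Return the UseSSL value from Registry_settings.properties text, or None."""
    m = re.search(r"^[ \t]*UseSSL[ \t]*=[ \t]*(\S+)", registry_text, re.M)
    return m.group(1) if m else None

def parse_ppm_proxy(value):
    """Return (host, port) from a PPM_PROXY string, or None if it is unset."""
    if not value or not value.strip():
        return None
    opts = dict(re.findall(r"-D(https\.proxy(?:Host|Port))=(\S+)", value))
    host, port = opts.get("https.proxyHost"), opts.get("https.proxyPort")
    # Both parameters are required and the port must be a valid TCP port.
    if not host or not port or not port.isdecimal() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed PPM_PROXY: {value!r}")
    return host, int(port)

def effective_transfer(registry_text, ppm_proxy):
    """Describe how the Analysis GUI or a command line program reaches the server."""
    use_ssl = use_ssl_value(registry_text)
    proxy = parse_ppm_proxy(ppm_proxy)
    if use_ssl == "https-proxy":
        if proxy:
            return f"SSL via HTTPS proxy {proxy[0]}:{proxy[1]}"
        # No proxy defined: encrypted and direct, as for UseSSL=true.
        return "SSL direct (no proxy set, behaves as UseSSL=true)"
    if proxy:
        return f"UseSSL={use_ssl!r}: PPM_PROXY is set but https-proxy mode is off"
    return f"UseSSL={use_ssl!r}: https-proxy mode is off"

# Constructed sample input; the proxy string is the example value from the page.
SAMPLE_REGISTRY = "# Registry_settings.properties (excerpt)\nUseSSL=https-proxy\n"
SAMPLE_PROXY = "-Dhttps.proxyHost=mypc.company.com -Dhttps.proxyPort=3128"

if __name__ == "__main__":
    print(effective_transfer(SAMPLE_REGISTRY, SAMPLE_PROXY))  # client workstation
    print(effective_transfer(SAMPLE_REGISTRY, None))          # PPM server computer
```

Running it with an empty PPM_PROXY on the PPM server computer confirms that command line programs there keep the direct local path.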
Restrictions
PPM operation in such a scenario results in restrictions in network operation because only specific ports (such as 443) may be used. Free port selection is no longer possible.
If you want to operate multiple PPM servers and the Apache Load Balancer with only one port number available, multiple NICs must be installed which can provide a separate unique address (IP and port) for each service. PPM supports this scenario to the extent that individual services (such as PPM registry and client server) can be configured to a fixed IP and port combination.
Configuration
To do so, you need to edit the file Registry_settings.properties in the directory <installation directory>\ppmmashzone\server\bin\work\data_ppm\config of the PPM installation. Specify the network address and port number of the PPM registry in the key RMIServerURL. Assign the value true to the key RMIBindRegistryToSingleAddress. The PPM registry will then exclusively use the specified network address.
For each relevant PPM server, edit the file RMIServer_settings.properties in the client-specific configuration directory. To do so, specify the relevant network address (IP or network name) of the PPM server in the key RMIObjectsBindAddress. The port number is specified in the key RMIObjectsPort. With this configuration, the PPM server uses the specified network address exclusively.
Only the Standard server operation mode supports this procedure. Scaled systems are not supported.
Warning
The procedure described is valid for all PPM transmission types specified in the configuration file RMIServer_settings.properties under RMISocketFactory. It is invalid for default RMI data exchange.
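The following pre-deployment check is an added example, not part of the PPM product. It verifies that the registry and every client server end up on a distinct fixed address and port combination. The function names are hypothetical, the addresses and port are constructed sample values, and the registry endpoint is passed in explicitly because the value format of RMIServerURL is not shown here.

```python
from collections import defaultdict

def props(text):
    """Parse key=value lines of a .properties excerpt, skipping comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith(("#", "!")))
    return {k.strip(): v.strip() for k, v in pairs}

def check_bindings(registry_text, registry_endpoint, servers):
    """Return findings for services that lack or share a fixed endpoint.

    registry_endpoint: (address, port) the operator entered in RMIServerURL.
    servers: {client name: text of that client's RMIServer_settings.properties}.
    """
    findings = []
    if props(registry_text).get("RMIBindRegistryToSingleAddress") != "true":
        findings.append("registry: RMIBindRegistryToSingleAddress is not true")
    users = defaultdict(list)
    users[registry_endpoint].append("registry")
    for client, text in servers.items():
        p = props(text)
        addr, port = p.get("RMIObjectsBindAddress"), p.get("RMIObjectsPort")
        if not addr or not port or not port.isdecimal():
            findings.append(f"{client}: no fixed bind address/port configured")
            continue
        users[(addr.lower(), int(port))].append(client)
    for (addr, port), names in users.items():
        if len(names) > 1:  # two services cannot listen on the same endpoint
            findings.append(f"{addr}:{port} claimed by {', '.join(names)}")
    return findings

# Constructed sample: one NIC address per service, all on the single open port.
REGISTRY = "RMIBindRegistryToSingleAddress=true\n"
REGISTRY_ENDPOINT = ("192.0.2.10", 443)
GOOD = {
    "ppm1": "RMIObjectsBindAddress=192.0.2.11\nRMIObjectsPort=443\n",
    "ppm2": "RMIObjectsBindAddress=192.0.2.12\nRMIObjectsPort=443\n",
}

if __name__ == "__main__":
    print(check_bindings(REGISTRY, REGISTRY_ENDPOINT, GOOD) or "no conflicts")
```

Addresses are compared as strings, so two host names that resolve to the same IP are not detected.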
Example
You want to operate two clients via a single port. The PPM server computer has three network adapters that are configured in a way that the computer can be addressed via the network with the names ppmsrv, ppmsrv1 (client ppm1), and ppmsrv2 (client ppm2). The port number for PPM is 5010.
Procedure