Can the WebSphere Virtual Enterprise deployment manager be in the demilitarized zone?
The WebSphere Virtual Enterprise Best Practices Redbook indicates that "On demand routers (ODR) should not be placed (neither supported nor recommended) in a DMZ because the ODR requires complex communication between autonomic managers, application servers, and deployment managers...". This statement refers to WebSphere Application Server Network Deployment V8.5, and to topologies that contain nodes augmented with WebSphere Virtual Enterprise V6.1.1, and later versions.
The WebSphere Virtual Enterprise deployment manager can be in the demilitarized zone, if you meet specific configuration requirements:
WebSphere Application Server Network Deployment V8.5, as well as WebSphere Virtual Enterprise V6.1.1.x and later versions, rely on the Service Overlay Network (SON) communication layer. If the communication between processes is restricted or isolated by firewalls, the SON communication can be inadvertently blocked. Blocked SON communication can cause several issues, because SON is part of several product core features.
If you use firewalls to divide your topology, ensure that you meet the following requirements:
- The following ports must remain open (bi-directionally) for TCP and UDP protocols:
- The ephemeral port range must remain open for UDP traffic between all processes. The overlay uses an ephemeral UDP port as source port when sending UDP messages. Ephemeral port ranges are defined based on your operating system, and the range can be restricted.
For more information, go to:
To verify whether these ports are set already, confirm that the deployment manager serverindex.xml file content is similar to:
<endPoint xmi:id="EndPoint_1269363042020" host="*" port="16410"/>
<endPoint xmi:id="EndPoint_1269363042021" host="*" port="16409"/>
<endPoint xmi:id="EndPoint_1269363042017" host="*" port="16413"/>
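The following script is an added example, not part of the technote and not IBM code. It automates the two checks above: it parses a serverindex.xml, confirms that the three ports shown (16409, 16410, 16413) are present and bound to the wildcard host, and parses a Linux ip_local_port_range value so the ephemeral UDP range can be compared against the firewall rules. The embedded serverindex.xml is a constructed sample; the endPointName values in it are placeholders, and the document layout (serverindex:ServerIndex, serverEntries, specialEndpoints) is assumed from the usual serverindex.xmi structure.

```python
"""Check a WebSphere serverindex.xml for the SON endpoint ports from the technote.

Added example; not IBM's code. The sample document below is constructed and
its endPointName values are placeholders, not real WebSphere endpoint names.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling a deployment manager serverindex.xml.
# The third endpoint is deliberately bound to 127.0.0.1 to show the check firing.
SAMPLE_SERVERINDEX = """<?xml version="1.0" encoding="UTF-8"?>
<serverindex:ServerIndex xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:serverindex="http://www.ibm.com/websphere/appserver/schemas/5.0/serverindex.xmi"
    xmi:id="ServerIndex_1" hostName="dmgrhost.example">
  <serverEntries xmi:id="ServerEntry_1" serverName="dmgr" serverType="DEPLOYMENT_MANAGER">
    <specialEndpoints xmi:id="NamedEndPoint_1" endPointName="PLACEHOLDER_ENDPOINT_A">
      <endPoint xmi:id="EndPoint_1269363042020" host="*" port="16410"/>
    </specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_2" endPointName="PLACEHOLDER_ENDPOINT_B">
      <endPoint xmi:id="EndPoint_1269363042021" host="*" port="16409"/>
    </specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_3" endPointName="PLACEHOLDER_ENDPOINT_C">
      <endPoint xmi:id="EndPoint_1269363042017" host="127.0.0.1" port="16413"/>
    </specialEndpoints>
  </serverEntries>
</serverindex:ServerIndex>
"""

# The three ports shown in the technote's serverindex.xml excerpt.
EXPECTED_PORTS = {16409, 16410, 16413}


def collect_endpoints(xml_text):
    """Return {port: host} for every <endPoint> element, whatever its nesting."""
    root = ET.fromstring(xml_text)
    endpoints = {}
    for ep in root.iter("endPoint"):
        endpoints[int(ep.get("port"))] = ep.get("host", "")
    return endpoints


def check_son_ports(xml_text, expected=EXPECTED_PORTS):
    """Report expected ports that are absent, and ports whose host is not "*".

    The technote shows each endpoint with host="*"; a different host value
    means the listener is bound to a single address, which is worth reviewing
    against the firewall rules before placing the node behind a DMZ boundary.
    """
    found = collect_endpoints(xml_text)
    missing = sorted(p for p in expected if p not in found)
    not_wildcard = sorted(p for p in expected if p in found and found[p] != "*")
    return {"missing": missing, "not_wildcard": not_wildcard,
            "ok": not missing and not not_wildcard}


def parse_port_range(text):
    """Parse the 'low high' form of /proc/sys/net/ipv4/ip_local_port_range."""
    low, high = text.split()
    low, high = int(low), int(high)
    if not (0 < low <= high <= 65535):
        raise ValueError("implausible port range: %s" % text)
    return low, high


def linux_ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Return (low, high) on Linux, or None where the file does not exist."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return parse_port_range(fh.read())


if __name__ == "__main__":
    # Usage: python check_son.py /path/to/serverindex.xml   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVERINDEX
    print("endpoint check:", check_son_ports(text))
    print("ephemeral UDP source-port range:", linux_ephemeral_range())
```

Run it against the deployment manager's own serverindex.xml; the reported ephemeral range is the UDP source-port span that L7's firewall rules must allow, and any entry in "missing" or "not_wildcard" is a port to compare with the configured endpoints before the rules are finalised.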