Having secured your Web server machine, you must now secure your WebSpeed server. This machine runs at least an AdminServer and a WebSpeed server. When you installed OpenEdge on this machine, you should also have enabled the AdminServer security mentioned in OpenEdge Getting Started: Installation and Configuration. Make sure that all the vendor's security patches for this operating system have been applied, and check that the latest Progress Service Pack has also been installed. As you did with the Web server, you should also minimize the other services running on this machine. This provides better security: the fewer things running on this machine, the fewer things can go wrong.
The WebSpeed broker's configuration should also specify an owner. This allows the WebSpeed broker and agents to be started with the specified user's rights, not the root or system administrator's rights. See OpenEdge Application Server: Developing WebSpeed Applications for details.
You should always have separate WebSpeed servers for development/testing and for production. These should also use different Web server machines and be assigned to different NameServers to reduce the chance of outside access to the development machine.
Figure 15 shows a deployment model that uses separate machines for the Internet production, intranet production, and the development/test servers. The databases are all installed on the same machine as the WebSpeed servers. This is the preferred route if your machine has the capacity to host both, as it will provide the best performance.
Figure 15. Deployment model with separate machines for Internet Production, Intranet Production, and Development/Test servers
Figure 16 shows a deployment model that uses two NameServers and puts all the production databases on one machine. This is useful because the intranet and Internet applications might be sharing some of the data from each database, and it lets you split the number of agents between Internet and intranet access, saving license fees.
Figure 16. Deployment with two NameServers
All access from the Internet goes through the Internet NameServer, and all intranet access (both production and development/test) goes through the intranet NameServer. This means that the Internet NameServer only knows about the Internet applications and cannot hand requests to the intranet production or development/test WebSpeed servers.
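The separation rules above (an owner on each broker, development/test kept off the production Web server machines, and an Internet NameServer that knows only the Internet applications) can be checked against a deployment inventory. The following is an added example, not Progress code: the `Broker` record, the role names, the list of privileged accounts, and the sample inventory are all constructed for illustration and do not reflect the format of any OpenEdge configuration file.

```python
from dataclasses import dataclass

# Accounts treated as privileged in this example (assumed list, adjust per OS).
PRIVILEGED_OWNERS = {"", "root", "administrator", "system"}
ROLES = {"internet-prod", "intranet-prod", "dev-test"}  # hypothetical role labels

@dataclass(frozen=True)
class Broker:
    name: str        # WebSpeed broker name
    role: str        # one of ROLES
    nameserver: str  # NameServer the broker is registered with
    web_server: str  # Web server machine that forwards requests to it
    owner: str       # account the broker and its agents run as

def audit(brokers, internet_nameserver):
    """Return sorted (broker name, finding) tuples for separation violations."""
    findings = []
    # Web server machines that front any production broker.
    prod_web = {b.web_server for b in brokers if b.role != "dev-test"}
    for b in brokers:
        if b.role not in ROLES:
            raise ValueError(f"{b.name}: unknown role {b.role!r}")
        # The broker should run with a specified user's rights, not root/admin.
        if b.owner.strip().lower() in PRIVILEGED_OWNERS:
            findings.append((b.name, "no unprivileged owner configured"))
        # The Internet NameServer must only know about Internet applications.
        if b.nameserver == internet_nameserver and b.role != "internet-prod":
            findings.append((b.name, "registered with the Internet NameServer"))
        # Development/test must not share a Web server machine with production.
        if b.role == "dev-test" and b.web_server in prod_web:
            findings.append((b.name, "shares a Web server machine with production"))
    return sorted(findings)

# Constructed sample inventory: wsDev breaks all three rules.
SAMPLE = [
    Broker("wsInternet", "internet-prod", "NS_INET", "web-dmz", "wsprod"),
    Broker("wsIntranet", "intranet-prod", "NS_INTRA", "web-intra", "wsprod"),
    Broker("wsDev", "dev-test", "NS_INET", "web-intra", "root"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, "NS_INET"):
        print(f"{name}: {finding}")
```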
Using an AppServer to run your business logic allows you to place another level of indirection between your application and the database. This enhances the security of the application, as the WebSpeed server does not directly connect to the database; it accesses the data through the AppServer. See OpenEdge Application Server: Developing WebSpeed Applications for information on how this can be achieved.