Using Message Brokers with a Firewall

In some cases, you may have users who need to access an MPX-enabled server configuration over the public Internet without using a Virtual Private Network (VPN). A common technique for providing access to ActiveMQ MPX is to install the StarTeam Server on a computer in the “DMZ” area of the corporate firewall (while hosting persistent data such as the database on a separate system behind the firewall).

Typically, that computer has two IP addresses and host names: an internal address/host name used by inside users, and an external address/host name used by outside users. In this scenario, a Message Broker can be operated on the same computer as StarTeam Server and be accessed by both internal and external users.

Alternatively, you could operate a Message Broker on a separate computer, also within the “DMZ”, and therefore also accessible to both internal and external users. However, in some cases (such as when corporate policy seeks to minimize the number of applications operating within the “DMZ”), you may wish to operate one or more internal Message Brokers behind the firewall and perhaps one Message Broker outside of the firewall. When the Message Brokers are formed into a cloud, both internal and external users receive the appropriate messages for the server configurations to which they are connected.

To connect an external Message Broker into a Message Broker cloud, modify the ActiveMQMessageBroker.ini file of one or more internal Message Brokers so that they point out to the external Message Broker: add the external Message Broker’s address to the internal Message Broker’s server_names parameter. The broker whose server_names lists a peer is the one that initiates the connection to that peer, so this arrangement needs only an outbound connection from the internal broker to the external broker’s listening port, which a corporate firewall usually permits. Configured the other way round, with the external Message Broker’s server_names pointing at an internal broker, the link would require an outside-in connection that the firewall typically blocks, and the cloud would never be formed. Confirm that the firewall allows the outbound connection from the internal broker host before relying on the external broker to deliver messages.
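The direction argument above, as an added example that is not part of the StarTeam or ActiveMQ documentation: a small Python model in which each broker’s server_names lists the peers it dials, the firewall lets connections out of the inside but not into it, and the cloud counts as formed only when every broker is reachable over links that actually come up. The key=value layout of ActiveMQMessageBroker.ini, the comma-separated server_names value, the zone names and the host names are assumptions made for this example; only the file name and the parameter name come from the page.

```python
"""Direction check for joining an external Message Broker into a broker cloud.

Added example for this page, not StarTeam or ActiveMQ code. The key=value
ini layout, the comma-separated server_names value, the zone names and the
host names are assumptions; the file and parameter names come from the docs.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Broker:
    name: str       # host name exactly as other brokers list it in server_names
    zone: str       # "inside" (behind the firewall) or "dmz" (reachable from outside)
    ini_text: str   # contents of this broker's ActiveMQMessageBroker.ini (assumed syntax)


def parse_server_names(ini_text: str) -> tuple[str, ...]:
    """Return the peers listed in server_names; assumes key=value lines, ';'/'#' comments."""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "server_names":
            return tuple(p.strip() for p in value.split(",") if p.strip())
    return ()


def firewall_allows(src_zone: str, dst_zone: str) -> bool:
    """Typical perimeter policy from the text: inside-out is permitted, outside-in is not."""
    return not (src_zone != "inside" and dst_zone == "inside")


def formed_links(brokers: list[Broker]) -> set[frozenset[str]]:
    """Links that come up: the initiator lists the peer AND the firewall lets it connect."""
    by_name = {b.name: b for b in brokers}
    links: set[frozenset[str]] = set()
    for initiator in brokers:
        for peer_name in parse_server_names(initiator.ini_text):
            peer = by_name.get(peer_name)
            if peer is None or peer.name == initiator.name:
                continue
            if firewall_allows(initiator.zone, peer.zone):
                links.add(frozenset({initiator.name, peer.name}))
    return links


def cloud_is_connected(brokers: list[Broker]) -> bool:
    """True when every broker can reach every other broker over the formed links."""
    if not brokers:
        return True
    adjacency: dict[str, set[str]] = {b.name: set() for b in brokers}
    for link in formed_links(brokers):
        a, b = tuple(link)
        adjacency[a].add(b)
        adjacency[b].add(a)
    seen, queue = {brokers[0].name}, deque([brokers[0].name])
    while queue:
        for nxt in adjacency[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen) == len(brokers)


# Constructed sample configurations, not taken from any real deployment.
# Wrong way round: the external broker is told to dial an internal one.
OUTSIDE_IN = [
    Broker("mpx-int1", "inside", "server_names =\n"),
    Broker("mpx-ext", "dmz", "server_names = mpx-int1\n"),
]
# Recommended: an internal broker's server_names points out to the external one.
INSIDE_OUT = [
    Broker("mpx-int1", "inside", "server_names = mpx-int2, mpx-ext\n"),
    Broker("mpx-int2", "inside", "server_names = mpx-int1\n"),
    Broker("mpx-ext", "dmz", "server_names =\n"),
]

if __name__ == "__main__":
    print("outside-in cloud connected:", cloud_is_connected(OUTSIDE_IN))  # False
    print("inside-out cloud connected:", cloud_is_connected(INSIDE_OUT))  # True
```

To apply the check to a real deployment, paste each broker’s actual server_names line into a Broker entry with its zone, then, from the internal broker host, confirm with a plain TCP connect to the external broker’s port that the outbound rule really exists; the model tells you which side must initiate, not whether the firewall was actually configured.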

From a security perspective, a Message Broker can operate safely within the “DMZ” or completely outside the firewall for two reasons:

  • The Message Broker is a communications server only. It relays messages and stores no persistent data, so a compromise of the broker host yields no repository or database content for an attacker to take. It remains a network service, however: the host must be kept patched, its listening ports should be reachable only by the clients and brokers that need them, and an outage of the broker interrupts MPX message delivery even though it exposes nothing.

  • The cache messages are encrypted with a key generated dynamically by each MPX Event Transmitter session. Only clients that have successfully authenticated with a StarTeam Server through the logon sequence receive the key, and they receive it over that authenticated connection rather than through the broker, so the broker relays only ciphertext. Consequently, packet snooping and other eavesdropping techniques aimed at Message Broker traffic will not produce any meaningful data. This protects the confidentiality of message contents, not the availability of the broker, and it is only as strong as the logon path that delivers the key, so that path must itself be protected.
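The key-distribution design in the second bullet, as an added example that is not StarTeam or ActiveMQ code: an Event Transmitter session generates a fresh key, the broker relays only opaque blobs (which is also all a packet sniffer sees), and a client obtains the key solely through a stand-in for the StarTeam Server logon. The page does not name the product’s cipher, so encrypt-then-MAC over an HMAC-SHA256 counter keystream is used as an illustrative substitute; the class and function names (EventTransmitter, MessageBroker, authenticated_logon) and the event text are constructed for the example.

```python
"""Per-session encryption of MPX cache messages as relayed by a Message Broker.

Added example, not StarTeam/ActiveMQ code. Encrypt-then-MAC over an
HMAC-SHA256 counter keystream stands in for the product's unnamed cipher.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(session_key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the per-session key."""
    enc = hmac.new(session_key, b"mpx-enc", hashlib.sha256).digest()
    mac = hmac.new(session_key, b"mpx-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC(enc_key, nonce || counter)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_cache_message(session_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_cache_message(session_key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time first; a wrong key or any tampering fails here."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    enc_key, mac_key = _subkeys(session_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong session key or tampered message")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class MessageBroker:
    """Relays opaque blobs and never holds a key; its wire is what a sniffer sees."""
    def __init__(self) -> None:
        self.wire = []

    def relay(self, blob: bytes) -> None:
        self.wire.append(blob)


class EventTransmitter:
    """One MPX Event Transmitter session; every new session gets a fresh key."""
    def __init__(self) -> None:
        self.session_key = secrets.token_bytes(32)

    def publish(self, broker: MessageBroker, event: bytes) -> None:
        broker.relay(encrypt_cache_message(self.session_key, event))


def authenticated_logon(tx: EventTransmitter, credentials_ok: bool) -> Optional[bytes]:
    """Stand-in for the StarTeam Server logon: the key is handed out here, not via the broker."""
    return tx.session_key if credentials_ok else None


def _raises_value_error(fn: Callable[[], bytes]) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: one session publishes, a client logs on, a sniffer watches."""
    broker, tx = MessageBroker(), EventTransmitter()
    tx.publish(broker, b"file checked in: /src/main.c rev 42")  # constructed event text
    sniffed = broker.wire[0]
    key = authenticated_logon(tx, credentials_ok=True)
    tampered = sniffed[:-1] + bytes([sniffed[-1] ^ 0x01])
    tx2 = EventTransmitter()                                     # next session, new key
    tx2.publish(broker, b"label applied: release-1.0")
    return {
        "client_reads": decrypt_cache_message(key, sniffed),
        "sniffer_sees_plaintext": b"main.c" in sniffed,
        "key_without_logon": authenticated_logon(tx, credentials_ok=False),
        "tamper_detected": _raises_value_error(lambda: decrypt_cache_message(key, tampered)),
        "old_key_on_new_session": _raises_value_error(
            lambda: decrypt_cache_message(tx.session_key, broker.wire[1])),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point the code makes is structural rather than cryptographic: the key travels only over the authenticated logon, so whatever sits in the DMZ between transmitter and client, broker host included, handles ciphertext alone, and a key from one session is useless against the next.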