Datapower - is using WAF right here?


Here's the basic scenario:

I have a set of internal machines with no public IPs. I want to front something in the DMZ with a public IP and then forward HTTP (and WebSocket) traffic to the internal machines. I appreciate this may be a basic use of DataPower, but I have access to an XI52 and have been playing with it.

I'm a complete novice on DP, but I managed to configure a Web Application Firewall that fronts an internal ip:port on the DP box's public ip:some-other-port.

However, this does not appear to allow WebSocket connections. Research suggests my V7 box can do WebSockets, but I can only see options for this when configuring an HTTP front side handler, which AFAIK is only available if I configure a Multi-Protocol Gateway.

So - a few questions:

1 - Can you enable WebSockets for a WAF?
2 - Is using a WAF even the right call here? How will I add new internal machines - create a new WAF each time one is added?

Any thoughts greatly appreciated,

Sam R


There is 1 answer

chrishare (best answer):

WebSocket support is indeed introduced with v7 of the DataPower firmware. I don't have a v7 appliance available to confirm, but my understanding is that, from 7.0 onwards, you configure a Multi-Protocol Gateway with an HTTP front side handler and specify that the HTTP upgrade for WebSocket should be permitted. From that point on, DP will simply proxy the traffic to the configured backend.

I don't know whether the WAF also supports the WebSocket upgrade under 7.0, but it should be easy to verify. Under 7.1, the WAF support changes significantly - ISAM support is effectively rolled into the firmware - see http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS214-394&appname=USN.

I think that having DP serve WebSocket traffic is okay if DP is filling a gap, or adding value by performing some other function like TLS termination or client authentication (i.e. password verification). Otherwise, it's a bit like killing a fly with a bazooka.
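The answer says that verifying whether a given front side handler permits the WebSocket upgrade "should be easy". The following is an added example of that check, written for this page and not part of the answer, the question, or any IBM DataPower documentation. It performs the RFC 6455 opening handshake against a host:port (assumed here to be the public ip:port of the DP service) and validates the response. A proxy that does not pass the upgrade through typically answers with a non-101 status, or with a 101 whose Sec-WebSocket-Accept does not match the client key, so both cases are distinguished. The host name, port and path used in the usage comment are placeholders; the two sample responses at the bottom are constructed, not captured from an appliance.

```python
import base64
import hashlib
import secrets
import socket
import ssl

# Fixed GUID from RFC 6455 section 4.2.2; the server must append it to the
# client's Sec-WebSocket-Key, SHA-1 the result and return it base64-encoded.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(client_key: str) -> str:
    """Compute the Sec-WebSocket-Accept value a correct server must return."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, port: int, path: str, client_key: str) -> bytes:
    """Build the HTTP/1.1 GET that asks the server to switch to WebSocket."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {client_key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes):
    """Return (status_code, {lower-cased header name: value}) from raw HTTP bytes."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_upgrade(raw_response: bytes, client_key: str):
    """Decide whether a response is a valid WebSocket upgrade for client_key.

    Returns (ok, reason). Each failure mode maps to what an intermediary
    such as a WAF or proxy typically does when it refuses or strips the upgrade.
    """
    status, headers = parse_response(raw_response)
    if status != 101:
        return False, f"upgrade refused: HTTP {status}"
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "101 without 'Upgrade: websocket' header"
    if "upgrade" not in headers.get("connection", "").lower():
        return False, "101 without 'Connection: Upgrade' header"
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        return False, "Sec-WebSocket-Accept does not match the key we sent"
    return True, "upgrade accepted"


def probe(host: str, port: int, path: str = "/", use_tls: bool = False, timeout: float = 5.0):
    """Open a connection, send the upgrade request and evaluate the reply."""
    client_key = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:  # for an HTTPS front side handler
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_upgrade_request(host, port, path, client_key))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return check_upgrade(raw, client_key)


# Constructed sample data (not captured from a DataPower appliance).
# SAMPLE_KEY is the example key from RFC 6455 section 1.3.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"\r\n"
)
REFUSED_RESPONSE = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(check_upgrade(GOOD_RESPONSE, SAMPLE_KEY))
    print(check_upgrade(REFUSED_RESPONSE, SAMPLE_KEY))
    # Live check against the public side of the DP service (placeholders):
    # print(probe("dp-public.example.com", 9443, "/ws", use_tls=True))
```

Run it once against the WAF's public ip:port and once against the Multi-Protocol Gateway's HTTP front side handler; the reason string tells you whether the service refused the upgrade outright or answered 101 with a handshake that was not passed through from the backend.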