Allowing access to emPath Employee Self Service (ESS) outside the firewall
Request: A client asked for suggestions for allowing access to emPath Employee Self Service (ESS) outside the firewall.
Response: Following are diagrams and suggestions previously shared at user conferences on this subject. Additional suggestions and links have been added for consideration.
(1) Use a VPN to access ESS from outside the firewall

- Note that several clientless VPN alternatives are available for consideration.
(2) Place the ESS webtier outside the firewall, with a tunnel through to the database

- The ESS webtier servers should:
  - be dedicated
  - have no source loaded
  - have no shares defined
  - have no ODBC connections
  - have administrator functions limited
  - be locked down (part of emPath web installation)
  - use NTFS security
- The database should be referenced by an alias
(3) Consider requiring client certificates. Read more about SSL and client certificates at Verisign.com
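
The webtier checklist under option (2) can be spot-checked on the server itself. The following PowerShell is an added example, not part of emPath or of the original response; it assumes a Windows webtier host with PowerShell 5.1 or later and an elevated session, and the function names are hypothetical. It covers the shares, ODBC, NTFS and administrator items only.

```powershell
# Added example: audit a Windows ESS webtier host against the checklist.
# Function names are hypothetical; run elevated on the webtier server.
function New-Finding($Check, $Detail) {
    [pscustomobject]@{ Check = $Check; Finding = $Detail }
}

function Test-EssWebTierHardening {
    # "have no shares defined": list user-created shares. -Special $false
    # leaves out the built-in administrative shares (ADMIN$, C$, IPC$).
    Get-SmbShare -Special $false | ForEach-Object {
        New-Finding 'Shares' "$($_.Name) -> $($_.Path)"
    }

    # "have no ODBC connections": any user or system DSN, 32- or 64-bit.
    Get-OdbcDsn -DsnType All -Platform All | ForEach-Object {
        New-Finding 'ODBC' "$($_.DsnType) DSN '$($_.Name)' ($($_.DriverName))"
    }

    # "use NTFS security": fixed disks (DriveType 3) that are not NTFS
    # cannot carry file ACLs at all.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
        Where-Object { $_.FileSystem -ne 'NTFS' } | ForEach-Object {
            New-Finding 'NTFS' "$($_.DeviceID) is $($_.FileSystem)"
        }

    # "have administrator functions limited": list the local
    # Administrators members so they can be reviewed by hand.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        New-Finding 'Admins' "$($_.Name) ($($_.ObjectClass))"
    }
}

$results = @(Test-EssWebTierHardening)
$results | Format-Table -AutoSize -Wrap

# Shares, ODBC and NTFS rows are deviations from the checklist;
# Admins rows are informational and need a human decision.
$deviations = @($results | Where-Object { $_.Check -ne 'Admins' })
if ($deviations.Count -gt 0) {
    Write-Warning "$($deviations.Count) checklist deviation(s) found."
} else {
    Write-Output 'No shares, ODBC DSNs or non-NTFS fixed disks found.'
}
```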