Menu

β„Ή️ What is JBoss? What is JBoss Domain Management ? πŸ› ️ Install JBOSS-EAP 6.4 πŸ“œ Start & Stop JBOSS script. πŸš€ Application Deployment Methods - 1. πŸš€ Application Deployment Methods - 2. πŸš€ Application Deployment Methods - 3. ⚙️ Multiple Instance of JBoss EAP. πŸ” SSL on JBOSS EAP. 🧰 WINDOWS service for JBOSS EAP. πŸ› ️ JBoss EAP 7 - DOMAIN Installation. πŸš€ DOMAIN DEPLOYMENT - GUI MODE. πŸ” SSL on JBOSS 7.1 Admin console & Application. 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Issue SocketTimeoutException 🧰 JBoss-Remote JMX Connection (jvisualvm) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🧯 Out of space in CodeCache 🧯 java.sql.SQLRecoverableException: Closed Connection 🧯 sun.security.provider.certpath.SunCertPathBuilderException πŸ“ˆ JBOSS EAP 6 TO 7 Migration πŸ” Host Header injection on JBOSS EAP 7.2 πŸ” Encrypting Datasource Passwords using Vault in JBOSS
β„Ή️ Some useful links of IBM. πŸ› ️ WAS Installation using command line. πŸ› ️ Installing Suppliments (IHS/Plugins/WCT) command line. πŸ› ️ Uninstalling Suppliments (IHS/Plugins/WCT) command line. πŸ“ˆ Installing fix-pack using command line. β„Ή️ Profiles in WebSphere® Application Server ND. πŸ“œ WebSphere Profiles list & Basics Commands πŸ› ️ Commands for Custom / Application server / Dmgr Profiles πŸ› ️ Creating WAS-ND Cluster using GUI MODE. πŸš€ Application Deployment on WAS-ND - Cluster Env. πŸ“œ Analyze - JVM logs. 🧰 What is MustGather script ? 🧯 PsList to troubleshoot high CPU usage in Windows πŸ› ️ WebSphere App Server - Updating ports in existing profiles πŸ› ️ Installation Manager (IM) on non-default location πŸ› ️ Websphere Base or ND Installation using Command πŸ“ˆ Install or Update FIXPACK on WebSphere 8.5.+ πŸ› ️ Install SDK 8.0 on Websphere 8.5.5.9+ using Command method. πŸ› ️ How to Create a Clone of any profiles on WAS. πŸ› ️ Installation Manager (IM) on non-Administrator user. πŸ› ️ WebSphere Application Server 7.0.0.X & FIXPACK install / Update on the non-default location. πŸ“ˆ WebSphere ND Migration 7.0 to 8.0 / 9.0 πŸ› ️ IBM WebSphere 9.0.0.0 and IHS (IBM HTTP SERVR) Installation with Fixapck using Command Line (non-root) user
πŸ› ️ Configure IHS (IBM HTTP Server) with WAS 8.5.X.X. πŸ› ️ Multiple IHS in front of WAS (On Single Install). πŸ“Š Monitor IBM HTTP Server connections. πŸ” Self-signed Cert using ikeyman tool. πŸ” Self-Signed Cert using command line. πŸ” Decrypt Stash File.
🌐 Apache HTTP Server β„Ή️ HTTP STATUS CODES πŸ“œ Apache Rewrite Rules πŸ› ️ How to configure Apache MPM. πŸ› ️ Install Apache HTTP Server 2.4.27 ver. on LINUX πŸ› ️ Apache Tomcat - 9.0.0.M21 Installation on WIN 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Apache error : Server ran out of threads to serve requests (Windows) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🌐 Redirect traffic during maintenance 🧯 httpd (Apache) Error: systemd-tty-ask-password-agent tool! πŸ” SSL certificate supports Weak Ciphers πŸ” How to install opensource mod_security on Apache 2.4 πŸ“ˆ How to upgrade opensource apache from 2.4.39 to 2.4.46 (Minor Version Upgrade). πŸ› ️ What is Nginx & How to install on RHEL πŸ› ️ Install Nginx plus on RHEL 7.4 / UNIX πŸ“Š Monitor Apache httpd process/thread status πŸ“Š Monitor Apache httpd ModJK status πŸ“Š Monitor Apache httpd Proxy balancer-manager status πŸ“Š Monitoring of JBoss servers through Nagios.
πŸ›‘️ Tomcat ghostcat vulnerability (JBoss /Tomcat) πŸ›‘️ SSL certificate supports Weak Ciphers/Encoding (3DES) (Apache 2.4) πŸ›‘️ SSL Medium Strength Cipher Suites Supported (SWEET32) [Tomcat Server] πŸ›‘️ ETag vulnerability & X-Powered-By : jsp/2.2 πŸ›‘️ Missing Security Header(x-xss-protection) & Clickjacking πŸ›‘️ Disable HTTP TRACE / TRACK / OPTIONS/DELETE Method. πŸ›‘️ Information disclosure through server response headers Apache-Coyote & X-Powered-By (JBoss) πŸ›‘️ Local File Inclusion Vulnerabilities OR Directory traversal attack πŸ›‘️ HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Restrict application Accessible by IP Address & HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Disable/Remove Server: Apache header info version (Apache2.4) πŸ” TLS1.2 Protocol enable for IBM WebSphere with SSL Handshake Debug
🌩️ How I Cleared My AZ-900 Microsoft Azure Fundamentals Exam 🌐🧱 Enterprise Network Architecture — Akamai, DNS, WAF, DMZ, SSL & Firewall Flow Explained for Middleware & DevOps Engineers 🌩️ AZ-104 Microsoft Azure Administrator – Beginner’s Guide (2025 Edition)
⚙️ DevOps vs DevSecOps Explained:Learning Path for Beginners πŸ’» Top 100+ Linux Commands for Middleware & DevOps Engineers 🐧 Linux Shell Scripting for Beginners – Complete Tutorial Series
☕ how-to-manually-install-new-java-path ☕ SunCertPathBuilderException ☕ out of space in CodeCache for adapters ☕ What is GC , Heap Memory & Metaspace ? ☕ Types of GC , analyze GC logging and REDHAT JVM Tool. πŸ§ͺ How to make datasource test-connection to Oracle / PostgreSql / MSSQL DB Instance.. πŸ§ͺ How to make datasource test-connection to MSSQL DB Instance πŸ§ͺ How to make datasource test-connection to Postgresql DB Instance πŸ§ͺ How to make datasource test-connection to Oracle DB Instance πŸ§ͺ How to Check DB latency using Datasource Test-Connection ☕ Install a new java path to the alternatives 🧰 Xmanager and Set Display. πŸ› ️ Install LAMP on SUSE Linux with example
πŸ” Openssl Commands for Wildcard & SAN certificates. πŸ” What is SSL, What is One-Way SSL & Two-Way SSL? πŸ” Openssl Self-Signed SAN's certificate πŸ” SSL certificate supports Weak Ciphers πŸ” Some SSL issues (Client TLS1.2 , Truststore & SSL debug) with Solutions πŸ” TLS / SSL Certificate Lifetimes Reduced to 47 Days. πŸ” SSL Certificate Renewal on Akamai WAF and Its Impact on Applications. ✨ Worked on VMC SSL Today – A Simple Explanation for Everyone πŸ“ŒWebSphere Outbound SSL & SNI – Troubleshooting Guide
☁️ IBM Bluemix - Free 30 Days‎ ☁️ Create a IBM Bluemix Account ☁️ IBM WebSphere® Application Server on IBM Bluemix Cloud.

25 Oct 2025

🌐🧱 Enterprise Network Architecture — Akamai, DNS, WAF, DMZ, SSL & Firewall Flow Explained for Middleware & DevOps EngineersπŸ”’πŸ”‘

  • 🏒 In an enterprise environment, understanding how network traffic flows from users to internal applications is essential for performance, security, and compliance.
  • 🌐 This post explains the complete inbound and outbound flow — covering DNS, Akamai WAF, Firewall, DMZ, and SSL certificate management across enterprise systems.

πŸ“‘ Table of Contents

πŸ—Ί️ Network Flow Diagram

πŸ”Ή Inbound Flow (User → Application → Database):
🌐 User → 🧭 Akamai DNS → πŸ›‘️ Akamai WAF → 🚧 Firewall → 🏰 DMZ → πŸ“‘ Load Balancer → πŸ–₯️ Web Server → ⚙️ App Server → πŸ’Ύ Database


πŸ”Ή Outbound Flow (Internal App → Internet):
πŸ–₯️ VM/App → 🧭 Internal DNS → πŸ›‘️ Proxy Server → πŸšͺ Firewall (SNAT) → 🌍 Internet

🧰 Setup Phase (One-Time Configurations)

  • 🧭 DNS (Domain Name System): Resolves domain names into IP addresses for user access.
  • πŸ“„ A Record: Maps a domain name to an IP address (e.g., app.company.com → 104.85.32.11).
  • DNS Validation: Verifies domain ownership during SSL or CDN setup using a TXT record.
  • πŸ”’ SSL Certificate Setup: Enables secure HTTPS communication between users and servers.
  • 🌍 Public SSL (Internet Apps): Managed by Akamai CPS, DigiCert, or Let’s Encrypt.
  • 🏒 Internal SSL (Intranet Apps): Used for applications accessed inside an organization’s private network — typically using Microsoft ADCS or HashiCorp Vault PKI for certificate management. Additionally, internal SSL certificates are often deployed directly on web servers such as:
    • 🌐 Apache HTTP Server — configured in ssl.conf or virtual host files.
    • ⚙️ NGINX — defined using ssl_certificate and ssl_certificate_key directives.
    • πŸͺŸ Microsoft IIS — managed via IIS Manager or PowerShell scripts.
    • πŸ–₯️ IBM IHS or F5 / Radware — for SSL termination or offloading at the load balancer level.
  • πŸ›‘️ Firewall & DMZ Setup: Protects internal systems from public exposure.

🌐 How CDN & DNS Flow Works

Let’s simplify what happens when someone accesses https://app.company.com and you’re using a CDN like Akamai:

  1. 🧭 DNS resolution (First Step)
    app.company.com → app.company.com.edgesuite.net # The domain is not directly mapped to your firewall. Instead, it's pointed to Akamai’s CDN hostname (CNAME). This lets Akamai handle global routing, SSL, and caching before hitting your network.
  2. 🌍 Akamai Edge IP resolution
    app.company.com.edgesuite.net → 104.85.32.11 # Akamai DNS picks the nearest edge server IP based on user location. This gives low latency and faster content delivery (geo-DNS routing).
  3. πŸ›‘️ User connects to Akamai Edge
    Akamai Edge performs:
    - WAF (Web Application Firewall) checks
    - SSL/TLS termination
    - Content caching for faster response
    - Origin fetch (only if needed) # The user’s browser never touches your firewall directly. Akamai acts as the “front door” — securing, filtering, and caching content. This is where DDoS protection and certificate validation happen.
  4. 🏰 CDN connects to your enterprise public IP
    Akamai Edge → 203.122.10.55 # Akamai now makes a backend (origin) call to your organization’s public IP. This IP is provided by your ISP and configured on your enterprise firewall as a VIP (Virtual IP). It represents your app’s public presence on the Internet.
  5. 🚧 Firewall DNAT Mapping (Public → Private)
    203.122.10.55 → 10.10.5.21 # The firewall receives the request on the public IP and uses DNAT (Destination NAT) to map it to the private IP of your internal web/app server. This keeps internal servers hidden while maintaining full access control.
  6. πŸ–₯️ Private App Server Processing
    The request reaches 10.10.5.21 → app logic executes → response generated. # This is where your actual business logic runs (Tomcat, WebSphere, NGINX, etc.). The app prepares a response that travels back the same path — but in reverse.
  7. πŸ” Response Path (Reverse Flow)
    App Server → Firewall SNAT → Akamai Edge → User Browser # The firewall uses SNAT (Source NAT) to mask internal IPs with the public IP. Akamai then caches or delivers the content to the user securely. 

πŸ§‘‍πŸ’» User Browser
   ↓
🧭 DNS → 🌐 app.company.com → πŸŒ€ app.company.com.edgesuite.net
   ↓
🌍 Akamai Edge IP (104.85.32.11)
   ↓
πŸ›‘️ Akamai Edge → 🚧 Firewall Public IP (203.122.10.55)
   ↓
🏒 Firewall DNAT → πŸ–₯️ Internal DMZ / Web / App Server (10.10.5.21)
   ↓
πŸ” Response → πŸšͺ Firewall SNAT → 🌍 Akamai Edge → πŸ§‘‍πŸ’» User
πŸ’¬ In short:
  • πŸ‘₯ Users never connect directly to your private network.
  • πŸ›‘️ Requests first hit Akamai’s Edge IPs — acting as a secure global shield for your applications.
  • 🌍 Akamai forwards clean traffic to your enterprise Public IP (assigned by ISP).
  • 🚧 The Firewall performs DNAT to map the public IP to a Private App Server (10.x.x.x).
  • πŸ” During the return flow, the Firewall uses SNAT to mask internal IPs before sending responses back to the user.

⚙️ Runtime Flow (When Users Access the App)

Inbound Flow (Internet → App)

  • 🌍 User opens https://app.company.com
  • 🧭 DNS resolves to Akamai Edge IP.
  • πŸ›‘️ Akamai WAF filters and forwards clean traffic.
  • 🚧 Firewall performs DNAT to internal private IP.
  • 🏰 DMZ hosts load balancer/web proxies.
  • πŸ“‘ Load balancer distributes traffic to web/app servers.
  • πŸ–₯️ App processes request and sends response back through the same path.

πŸ”  Key Terms (Full Forms)

TermFull FormSimple Meaning
DNSDomain Name SystemConverts website names into IPs
WAFWeb Application FirewallBlocks bad web traffic
CDNContent Delivery NetworkDelivers cached web content faster
DMZDemilitarized ZoneBuffer zone between internet & private network
NATNetwork Address TranslationMaps public ↔ private IPs
DNATDestination NATInbound mapping (public → private)
SNATSource NATOutbound mapping (private → public)
PKIPublic Key InfrastructureManages SSL certificates
LBLoad BalancerDistributes traffic across servers

✅ Summary

  • DNS only maps names to IPs — it doesn’t store servers.
  • CDNs like Akamai act as a smart middle layer for caching and security.
  • Public IPs are used on firewalls or load balancers; private IPs stay hidden inside.
  • DNAT and SNAT handle IP translation for inbound and outbound traffic.
  • SSL ensures secure HTTPS connections both at the CDN and internal layers.

πŸ”§ Authored by Pradeep Vishwakarma — Senior Middleware & DevOps Engineer | MiddlewareBox.com

Posted by:
Tags: , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)