What is the significance of using an additional DMZ EMS server for GS-IS communication in BusinessConnect 7.0 hotfix 1?


Article ID: KB0079517

Products / Versions

TIBCO BusinessConnect 7.0 HF1

Description

Until release 7.0, TIBCO BusinessConnect (BC) used TIBCO Rendezvous (RV) for all intercomponent communication, including the message channel from the gateway servers in the demilitarized zone (DMZ) to the interior servers. The RV traffic from the DMZ to the interior was typically routed via TIBCO Rendezvous routing daemons (RVRD) across the separate subnets of the DMZ and the interior. When RVRDs are configured for DMZ-to-interior communication, the RVRD in the DMZ is passive and the TCP connection is established from the active interior RVRD to the passive RVRD in the DMZ. This avoids the need to open firewall ports from the DMZ into the interior.

TIBCO BusinessConnect 7.0 uses TIBCO Enterprise Message Service (EMS) servers for this communication instead, and since EMS servers are typically hosted on the interior network, a port must be opened through the firewall from the DMZ to the interior subnet. This raises a security concern, because an inbound TCP connection is now allowed through the firewall that separates the DMZ from the interior.

For the existing BC 70 deployment architecture please see attached: Existing BC 70.PNG

Environment

All platforms

Resolution

To address this issue, BusinessConnect 7.0 hotfix 1 introduces a new EMS server setting in the intercomponent configuration. The new setting allows an additional EMS server instance in the DMZ that is dedicated to gateway server (GS) to interior server (IS) communication. The GS then connects to this EMS server in the DMZ rather than to the interior EMS server. The DMZ EMS server can be configured to accept passive connections initiated by an interior EMS server, so inbound BC traffic from the GS can be routed to the interior without opening a firewall port to the interior EMS server.

If no additional EMS server is configured, all intercomponent communication flows through the interior EMS server, which is the existing 7.0 architecture.

Summary of Changes:
New deployment UI setting to configure the optional DMZ EMS server.
Deployment changes so that gateway-to-interior-server communication uses the optional DMZ EMS server when one has been configured.
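The security property of the hotfix is about connection direction: a stateful firewall only has to permit the side that initiates the TCP connection, so if every cross-zone link is initiated from the interior, no DMZ-to-interior inbound rule is needed. The following added example (constructed for this article, not TIBCO code, and not a reader of real EMS or RVRD configuration) models the three topologies described above as lists of TCP flows and checks which of them would require an inbound firewall rule from the DMZ to the interior. Component names, zone labels and the individual flows are assumptions chosen to mirror the description.

```python
"""Connection-direction check for the BC intercomponent topologies.

Constructed model: every component, zone and flow below is an assumption
that mirrors the article's description. Nothing here talks to EMS or RV.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    zone: str  # "dmz" or "interior"


@dataclass(frozen=True)
class TcpFlow:
    """A TCP connection recorded from the initiating (active) side to the
    listening (passive) side. Return traffic on an established connection
    is allowed by a stateful firewall, so only this direction matters."""
    initiator: Component
    listener: Component
    purpose: str


def flows_needing_inbound_rule(flows, from_zone="dmz", to_zone="interior"):
    """Return the flows that require a firewall rule permitting a connection
    initiated in `from_zone` towards a listener in `to_zone`."""
    return [f for f in flows
            if f.initiator.zone == from_zone and f.listener.zone == to_zone]


def requires_dmz_to_interior_port(flows):
    """True if the topology cannot work without an inbound DMZ->interior rule."""
    return len(flows_needing_inbound_rule(flows)) > 0


# Assumed components (names are placeholders, not product identifiers).
GS = Component("gateway-server", "dmz")
IS = Component("interior-server", "interior")
RVRD_DMZ = Component("rvrd-dmz", "dmz")
RVRD_INT = Component("rvrd-interior", "interior")
EMS_INT = Component("ems-interior", "interior")
EMS_DMZ = Component("ems-dmz", "dmz")

# Pre-7.0 (RV): the DMZ RVRD is passive; the interior RVRD initiates the link.
PRE_70 = [
    TcpFlow(GS, RVRD_DMZ, "GS talks to its local RV daemon in the DMZ"),
    TcpFlow(RVRD_INT, RVRD_DMZ, "active interior RVRD -> passive DMZ RVRD"),
    TcpFlow(IS, RVRD_INT, "IS talks to its local RV daemon in the interior"),
]

# 7.0: the GS in the DMZ connects directly to the EMS server in the interior.
BC_70 = [
    TcpFlow(GS, EMS_INT, "GS client connection to the interior EMS server"),
    TcpFlow(IS, EMS_INT, "IS client connection to the interior EMS server"),
]

# 7.0 HF1 with the optional DMZ EMS server configured: the GS connects to the
# DMZ EMS, and the interior EMS initiates the server-to-server connection to
# the passive DMZ EMS.
BC_70_HF1 = [
    TcpFlow(GS, EMS_DMZ, "GS client connection to the DMZ EMS server"),
    TcpFlow(EMS_INT, EMS_DMZ, "active interior EMS -> passive DMZ EMS"),
    TcpFlow(IS, EMS_INT, "IS client connection to the interior EMS server"),
]

TOPOLOGIES = {"pre-7.0 (RV/RVRD)": PRE_70, "7.0": BC_70, "7.0 HF1 + DMZ EMS": BC_70_HF1}


def report():
    """Return {topology name: number of flows needing a DMZ->interior rule}."""
    return {name: len(flows_needing_inbound_rule(flows))
            for name, flows in TOPOLOGIES.items()}


if __name__ == "__main__":
    for name, flows in TOPOLOGIES.items():
        offending = flows_needing_inbound_rule(flows)
        verdict = "inbound DMZ->interior rule REQUIRED" if offending else "no inbound rule needed"
        print(f"{name:22s}: {verdict}")
        for f in offending:
            print(f"    {f.initiator.name} -> {f.listener.name}: {f.purpose}")
```

Running the script shows that only the plain 7.0 topology needs an inbound rule, and names the offending flow (the GS client connection to the interior EMS). The same check is useful as a review step when the deployment is changed later: if someone reconfigures the DMZ EMS link so that the DMZ side initiates, the flow reappears in the report.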

For the proposed BC 70 HF1 deployment architecture please see attached: Proposed BC 70 HF1.PNG

Issue/Introduction

The additional DMZ EMS setting resolves the security concern of opening an EMS server port on a customer firewall between the DMZ and the interior.

Attachments

Existing BC 70.PNG
Proposed BC 70 HF1.PNG