White Paper | ©2016 Edge Technologies, Inc.

enPortal® OSS/BSS Integration Platform
Technical Overview
April 2016

Edge Technologies
1881 Campus Commons Drive, Suite 101
Reston, VA 20191
T 703.691.7900  F 703.691.4020  888.771.EDGE
www.edge-technologies.com


Table of Contents

Overview
Core Features and Capabilities
  Integration
    COTS-Based Product Integration Modules (PIMs)
    PIM Failover and Traffic Management
    Content Retrieval
    Application Hardening: Real-time Content Filtering and Modification
    Custom Integrations
  Advanced Security
    Attack Prevention
    Password Management Policies
    Access Control List Rules
    SSL Communications Support
    Proxy Technology
    Firewall Support
    Protection of Private Networks and Application Assets
  User Management
    Single Sign-On
    Provisioning of Single Sign-On Tokens
    Single Sign-Out
    Kerberos
    Authentication and Login Processing
    External User Authentication
    CAC/PKI
    CA Single Sign-On (formerly CA SiteMinder)
    Customer Portal to enPortal Authentication Mapping
    Two-factor Authentication Systems
    Web Access Management
    Custom Authentication
    IP Address and Session Limiting
  Branding and Customization
  Executive Views
enPortal Deployment Models
  Deployment Model 1: For Internal Users
  Deployment Model 2a: For External Users or Customers with Multi-Tenancy
  Deployment Model 2b: In Your Existing External Portal
    Customer Example
Architecture
  Design Architecture
  Scalability, Clustering, and Failover
    Basic Deployment
    High Availability (Failover)
    Optimized Performance with Failover (Clustering)
  Running in Modern Environments
    Virtualized Networks (VMware)
    IPv6 Network
    Through an Existing Proxy Server
    Remote Application Delivery
  Software Component Architecture
    Request Engine
    Business Logic Engine
    Integration Engine
    Web Application Proxy and Content Filtering
    Object Database
About Edge Technologies, Inc.
Appendix A: enPortal Product Integrations


Overview

Integration is no longer just a nice-to-have – it has become a must-have in commercial and government environments around the globe.

Managers of modern companies face many challenges for providing the necessary information and tools to their users:

• Too Much Information: End-users are presented an overwhelming amount of data. It is difficult to find the relevant data and assess the impact of issues from a business perspective.
• Numerous OSS/BSS Tools: When working with Operations Support Systems or Business Support Systems, each tool has its own URL, login, interface, product terminology, and unique training requirements. There is often limited native interoperability between all of these tools.
• Complexity: Users need to use data collected by monitoring tools, but want to be shielded from the complexity of the underlying technologies.
• Security and Compliance: Customers need direct, real-time access to many tools across the network, while the security of the network is maintained.

This white paper details how the patented technology of Edge Technologies’ enPortal® tackles all of the above challenges. enPortal provides solutions to the integrator with elements that are critical for any deployment, including:

• Time: Rapid integration of existing products from multiple vendors.
• Standardization: Integration of information provided by various applications into a single cohesive, branded display.
• Flexibility: An integration platform that creates interoperability between disparate tools, and can be rapidly adapted to meet unknown future requirements.
• Convenience: A single, secure access point for all tools, with minimal disruption to end-users when applications are replaced or upgraded.
• Scalability: Support for large numbers of concurrent users without impacting system performance.

This is why, since its release in 2000, enPortal has been a valuable tool for a diverse set of customers, including Telecommunications companies, Managed Service Providers, large banks, manufacturing companies, federal agencies, the U.S. Department of Defense, foreign militaries, and other global corporations.


"The implementation has been very successful and has allowed us, in a very short

period of time, to reach our primary objectives: Secure revenue assurance and

improved Quality of Service perceived by end customers. We have achieved savings

by means of providing automated reports and proactive management of incidents for

clients avoiding SLA penalties and economic loss for the company.” - Vicente Espinaza,

Project Manager and Senior Engineer for Telefonica


Core Features and Capabilities

The core software components of enPortal combine to provide advanced capabilities and significant benefits – many of which are unique to enPortal and not possible through other products. enPortal offers a vast array of features and functions. The core features/capabilities of enPortal include:

• Integration of existing web-based tools and applications
• Advanced Security
• Single Sign-On
• Integration with external user authentication systems
• Branding and Customization
• Dashboard Views
• Multi-tenancy
• Scalability

Integration

To get the most from an integration platform, customers need the ability to integrate new content elements quickly and securely. Customers also need the ability to enable partners and other third parties to organize application services, multi-media streams, and web-based utilities into any number of user or role-specific views – without complex software development.

To meet the challenge of integrating, controlling, protecting, and multiplexing fully interactive back-end applications and content into a virtual desktop, over private and public networks, Edge developed the patented Content Retrieval System (CRS).

COTS-Based Product Integration Modules (PIMs)

A distinct advantage of enPortal is rapid deployment, made possible by enPortal’s prepackaged PIMs. enPortal PIMs provide plug-and-play Commercial Off-The-Shelf (COTS)-based integration of products from BMC, CA, Cisco, EMC, HP, InfoVista, IBM, Oracle, SevOne, VMware, and many more.

PIMs offer immediate value to an organization that has made existing investments in these applications. Interfaces from multiple applications can be presented side-by-side in the enPortal display to the user.

PIMs are essentially XML definitions that define how enPortal will integrate the third-party products and applications into content Channels and Views. To integrate a new application with enPortal using a PIM, an administrator specifies the IP address, web server port, and configuration information for a live application. enPortal then automatically creates content Channels for the third-party application for immediate incorporation into an enPortal page.

A list of web-based products for which Edge offers PIMs is available in Appendix A: enPortal Product Integrations.

enPortal also provides integration of applications that are not web-based and which cannot typically be integrated into other portals. Integration with non-web application GUIs is via an integration module to remote access tools that enable non-web or thick-client applications to be accessed from any Java-enabled web browser.

PIM Failover and Traffic Management

The PIM Failover option configures enPortal to connect to more than one instance of an integrated application. If there is a failure of the primary application server, the enPortal PIM will “failover” to the backup instance of the application, providing uninterrupted access to the application by enPortal users.

The Round-Robin option can also be enabled, which will direct users to alternate between accessing different instances of an integrated application. This spreads the load across the multiple back-end application servers and allows a large number of concurrent users of the proxied tool.

Content Retrieval

An integral part of enPortal, the CRS patented technology detects, modifies, stores, and disseminates information being retrieved from the web applications integrated through the enPortal framework. The CRS is designed to incorporate any number of fully interactive dynamic applications into a single cohesive view. From an administrative perspective, CRS manages user access and control to fully interactive applications and web content based on user, domain, and role.

CRS also provides for the multiplexing of disparate external HTTP(S) communication streams over a single HTTP(S) port to the web browser by:

• Supporting remote access to an unlimited number of fully interactive applications through firewalls and multi-layer DMZ environments utilizing network address translation – regardless of the application’s IP address or port number – for transport over public networks
• Supporting the ability to conceal IP addresses and port numbers to applications, web resources and their network elements, thereby protecting the operational network and corporate applications
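The mechanics described in the PIM Failover and Content Retrieval sections, as an added example that is not enPortal's code (the /portal/channel/<name> path layout, the channel names and the 10.0.0.x back-end addresses are assumed and constructed): one public port fronts every integrated application, the browser only ever sees a per-channel path while the real host:port is rewritten out of returned URLs, and each channel's pool either fails over from the primary to a backup instance or round-robins across instances.

```python
import itertools
from urllib.parse import urlsplit

# Assumed path layout on the single public HTTP(S) port: /portal/channel/<channel>/<path>
PROXY_PREFIX = "/portal/channel"


class ChannelPool:
    """Back-end instances for one integrated application (one PIM), with failover/round-robin."""

    def __init__(self, instances, round_robin=False):
        if not instances:
            raise ValueError("a channel needs at least one back-end instance")
        self.instances = list(instances)   # primary first, then backups
        self.round_robin = round_robin
        self.down = set()                  # origins currently marked unreachable
        self._cycle = itertools.cycle(self.instances)

    def mark_down(self, origin):
        self.down.add(origin)

    def mark_up(self, origin):
        self.down.discard(origin)

    def pick(self):
        """Choose the instance the next request is proxied to."""
        healthy = [o for o in self.instances if o not in self.down]
        if not healthy:
            raise RuntimeError("no healthy instance for this channel")
        if not self.round_robin:
            # Failover mode: the primary unless it is down, then the next backup in order.
            return healthy[0]
        # Round-robin mode: rotate through the instances, skipping any marked down.
        for _ in range(len(self.instances)):
            candidate = next(self._cycle)
            if candidate not in self.down:
                return candidate
        return healthy[0]


class ProxyMap:
    """Maps browser-facing proxy paths to back-end URLs and back again."""

    def __init__(self):
        self.channels = {}

    def add_channel(self, name, instances, round_robin=False):
        self.channels[name] = ChannelPool(instances, round_robin)

    def to_backend(self, proxy_path):
        """Browser request on the single portal port -> (channel, back-end URL to fetch)."""
        if not proxy_path.startswith(PROXY_PREFIX + "/"):
            raise LookupError("not a proxied path")
        name, _, tail = proxy_path[len(PROXY_PREFIX) + 1:].partition("/")
        pool = self.channels.get(name)
        if pool is None:
            raise LookupError(f"unknown channel {name!r}")
        return name, f"{pool.pick()}/{tail}"

    def to_proxy(self, backend_url):
        """Rewrite an absolute back-end URL found in returned content so the browser only
        ever sees the portal path; the real IP address and port stay concealed."""
        parts = urlsplit(backend_url)
        origin = f"{parts.scheme}://{parts.netloc}"
        for name, pool in self.channels.items():
            if origin in pool.instances:
                query = f"?{parts.query}" if parts.query else ""
                return f"{PROXY_PREFIX}/{name}{parts.path or '/'}{query}"
        return backend_url   # not an integrated application: leave the URL alone


def demo():
    """Constructed walk-through: a two-instance channel in failover mode."""
    pm = ProxyMap()
    pm.add_channel("nms", ["http://10.0.0.5:8080", "http://10.0.0.6:8080"])
    _, primary = pm.to_backend("/portal/channel/nms/reports/daily?d=1")
    pm.channels["nms"].mark_down("http://10.0.0.5:8080")   # simulate a primary outage
    _, backup = pm.to_backend("/portal/channel/nms/reports/daily?d=1")
    return primary, backup, pm.to_proxy("http://10.0.0.6:8080/reports/daily?d=1")


if __name__ == "__main__":
    print(demo())
```

The only firewall rule this needs is browser-to-portal on the one public port; the 10.0.0.x addresses never appear in anything the browser receives.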

Application Hardening: Real-time Content Filtering and Modification

Most companies have well-known policies in place for hardening or securing their servers, VMs, and Operating Systems, and to look for vulnerabilities that are common to web applications. Application and web UI hardening is a natural extension of these critical requirements. For Managed Service Providers and IT organizations that act as service providers, this is an essential element in delivering customer-facing views of third-party tools safely and securely.

Only Edge Technologies, with enPortal’s HTML content filtering and modification capabilities, can effectively harden or secure most web-based applications by controlling which features of an application’s user interface are dynamically filtered or modified before presentation to the user. Additionally, applications may be modified to "behave properly" within the browser (e.g. remove pop-up windows).

Examples of content filtering, modification, and addressing potential security risks for proxied applications often include:

• Locking down access to specific URLs
• Obfuscating URLs
• Removing available buttons and links on web pages
• Modifying menu options or labels
• Removing breadcrumb trails from headers or URLs
• Hiding or replacing logos
• Preventing script execution that may pose a threat, e.g. cross-site scripting (XSS)

In this real-world example, the customer needed to harden the application by removing several elements from the native user interface.


Figure 1: The original content of the user interface

enPortal CRS rules are used to secure the application by dynamically removing the customer-specified links and associated functionality.

Figure 2: The hardened application UI
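One way to implement the rule-driven filtering above, as an added example rather than enPortal's CRS rules engine (the back-end address, proxy path and deny pattern are constructed): a streaming HTML rewriter that drops links matching an administrator's deny list, strips inline script blocks, rewrites back-end URLs to the proxied path, and keeps an audit trail of what it removed.

```python
import html
import re
from html.parser import HTMLParser

# Elements whose start tag has no end tag in HTML; never emit a closing tag for them.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source"}


class HardeningFilter(HTMLParser):
    """Drops denied links and inline scripts, rewrites back-end URLs, re-emits the rest."""

    def __init__(self, backend_origin, proxy_prefix, deny_hrefs, strip_inline_scripts=True):
        super().__init__(convert_charrefs=False)   # entities are re-emitted as written
        self.backend_origin = backend_origin
        self.proxy_prefix = proxy_prefix
        self.deny = [re.compile(p) for p in deny_hrefs]
        self.strip_inline_scripts = strip_inline_scripts
        self.out = []
        self.removed = []        # audit trail of what was filtered out
        self._skip_tag = None    # element currently being dropped ...
        self._skip_depth = 0     # ... and how deeply it is nested

    def _rewrite(self, url):
        if url.startswith(self.backend_origin):
            return self.proxy_prefix + url[len(self.backend_origin):]
        return url

    def _should_drop(self, tag, attrs):
        if tag == "a":
            href = attrs.get("href") or ""
            return any(p.search(href) for p in self.deny), href
        if tag == "script" and self.strip_inline_scripts and not attrs.get("src"):
            return True, "<script>"
        return False, ""

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag == self._skip_tag:
                self._skip_depth += 1
            return
        drop, what = self._should_drop(tag, dict(attrs))
        if drop:
            self._skip_tag, self._skip_depth = tag, 1
            self.removed.append(what)
            return
        rendered = ""
        for name, value in attrs:
            if value is None:                       # bare attribute such as "disabled"
                rendered += f" {name}"
                continue
            if name in ("href", "src", "action"):
                value = self._rewrite(value)        # conceal the real host:port
            rendered += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag == self._skip_tag:
                self._skip_depth -= 1
            return
        if tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")


def harden(page, backend_origin, proxy_prefix, deny_hrefs):
    """Return (filtered_html, removed_items) for one proxied page."""
    f = HardeningFilter(backend_origin, proxy_prefix, deny_hrefs)
    f.feed(page)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample page served by a back-end at the example address 10.0.0.5:8080.
SAMPLE_PAGE = (
    '<html><body><a href="https://10.0.0.5:8080/admin/delete">Delete</a>'
    '<a href="/reports?q=a&amp;b">Reports</a><script>alert(1)</script>'
    '<img src="https://10.0.0.5:8080/logo.png">'
    '<form action="https://10.0.0.5:8080/search"><input name="q"></form></body></html>'
)


def demo():
    """Deny the admin link, strip the inline script, rewrite back-end URLs."""
    return harden(SAMPLE_PAGE, "https://10.0.0.5:8080", "/portal/channel/nms", [r"/admin/"])
```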

Custom Integrations

The content retrieval and modification capabilities of the CRS are what enable Edge and its customers to write custom integration modules. These modules extend the same features of Edge’s COTS-based PIMs to all of your custom applications. These custom integrations can also include applications that would not integrate into most standard portals – such as Java applets or non-standard web applications.

The tools for building and testing these integrations are provided in the Integration Manager, which resides in the enPortal administration UI.

Advanced Security

enPortal has a strong security model with powerful features to restrict access to content based on domain, role (group), and/or user. enPortal also provides a combination of firewall infrastructure support, port mapping, content filtering, and a sophisticated security manager.

Enhanced security features include multiple N-Factor authentication methods, secure communications channels, security policies, directory services support, and more – as detailed in the following sections.

Attack Prevention

enPortal provides comprehensive protection against cross-site scripting attacks. All aspects of the HTTP communication are tested by the proxy, including requests, headers, and body. Captured attacks display HTTP 500 responses and are detailed in the system log files for investigation. Updates to the output encoding scheme are also implemented to improve system efficiency and to eliminate cross-site scripting attacks.

The default behavior is to deny requests that contain malicious characters if the page that initiated the request is not from the enPortal server.
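The deny-and-log decision described above, as an added example and not enPortal's implementation (the portal origin, the marker patterns and the request values are assumed and constructed): every surface of the request is screened; a hit is passed on only when the initiating page is on the portal's own origin, otherwise the request is answered with HTTP 500 and the detail goes to the log. Output encoding is a separate step applied to back-end content before it is rendered.

```python
import html
import logging
import re
from urllib.parse import unquote_plus

# Assumed public origin of the portal; a request whose initiating page is not on this
# origin gets the strict treatment the text describes.
PORTAL_ORIGIN = "https://portal.example.net"

# A deliberately small screen for script-injection markers. A production filter carries a
# far larger rule set; this is enough to show the decision logic (and it will flag benign
# values such as "one=1", which is why hits are logged with their context).
XSS_MARKERS = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script\b",                  # <script ...>
    r"javascript\s*:",                # javascript: URLs
    r"<\s*(iframe|object|embed)\b",   # embedded active content
    r"\bon[a-z]+\s*=",                # inline event handlers such as onerror=
)]

log = logging.getLogger("enportal.proxy")


def find_marker(value):
    """Return the first hostile marker found in a (URL-decoded) value, or None."""
    decoded = unquote_plus(value)
    for pattern in XSS_MARKERS:
        hit = pattern.search(decoded)
        if hit:
            return hit.group(0)
    return None


def initiated_by_portal(headers):
    referer = headers.get("Referer", "")
    return referer == PORTAL_ORIGIN or referer.startswith(PORTAL_ORIGIN + "/")


def inspect_request(method, target, headers, body):
    """Screen request line, headers and body. Returns (status, note): status 0 lets the
    request through to the back-end; 500 is the deny response the text describes."""
    surfaces = [("request-target", target), ("body", body)]
    surfaces += [(f"header:{name}", value) for name, value in headers.items()]
    for where, value in surfaces:
        marker = find_marker(value or "")
        if marker is None:
            continue
        if initiated_by_portal(headers):
            # The initiating page came from the portal itself, so the default policy passes
            # the request on; encode_output() still neutralises the value when rendered.
            # Referer is client-supplied, so this is a usability concession, not the
            # security boundary.
            return 0, f"passed: {marker!r} in {where}, initiated by portal page"
        note = (f"denied {method} {target}: {marker!r} in {where}, "
                f"referer={headers.get('Referer', '-')!r}")
        log.warning(note)          # detail lands in the system log for investigation
        return 500, note
    return 0, "clean"


def encode_output(text):
    """Output-encode back-end content before it is placed into the portal page."""
    return html.escape(text, quote=True)
```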

Password Management Policies

The security of the system is enhanced by the ability to define password management policies for users’ passwords. The following types of policies can be instituted:

• Specifying a password lifetime, which forces users to change passwords
• Syntax policies, to avoid the use of predictable passwords
• Account lockout upon consecutive failed login attempts

When integration of third-party authentication tools (such as LDAP) is used for user management, enPortal will also cooperatively sync with any password policies in effect on the associated server.


Access Control List Rules

enPortal enables Administrators to create "allow" and "deny" rules that can be enforced from the global and/or Channel-specific level. For example, these rules can prevent users from accessing specific URLs.

SSL Communications Support

Communications between enPortal clients and the enPortal server can be secured using HTTPS (HTTP over SSL). This protects the communications streams as they pass through the public Internet. enPortal’s Tomcat web server provides the HTTPS support, and the configuration rules to enable this are delivered with the stock configuration files.

The enPortal server can also communicate with external HTTPS web servers. This typically occurs within the web resource proxy (discussed below) and is dictated by the protocol field of the URL that the Proxy has been directed to retrieve.

Proxy Technology

A key component, and differentiator, of enPortal is its proxy technology. enPortal’s bi-directional proxy technology provides protected access to fully interactive applications over public and private networks. It works by allowing access to specifically identified back-end web applications and content to authorized enPortal users. Of significant importance, enPortal’s web resource proxy does not require installation of additional software on the servers being proxied.

Figure 3a: Secure data access in enPortal

Figure 3b: Un-proxied data access in typical portal


The figures above illustrate two communications methods by which various portal systems interact with, and render, fully interactive applications to the user. The “enPortal” example (Figure 3a: Secure data access in enPortal) illustrates data flow between applications and client browsers through the enPortal web resource proxy technology. The “Typical Portal” example (Figure 3b: Un-proxied data access in typical portal) illustrates data flow between applications and client browsers within other portal frameworks.

Note that in a typical portal system, direct communication is required between the browser and the external application. In these systems, the login page, initial portal page, and wrapper-based pages are requested directly from the portal server. However, when the user begins interacting with an embedded application, the browser begins communicating directly to the external application.

The enPortal system, on the other hand, uses a web resource proxy approach to provide controlled access to fully interactive web applications. The web resource proxy approach allows the web browser to communicate entirely with the enPortal server for all interaction with the external web applications. Yet enPortal seamlessly handles all interaction as if the browser were communicating directly with the application. The enPortal solution provides a higher level of security, because end-users never directly connect to the back-end proxied servers.

Firewall Support

The enPortal web resource proxy provides users with a single access point - exactly one HTTP(S) port - to all integrated HTTP(S)-based applications. enPortal content retrieval allows all HTTP(S)-based content and applications to be accessed through a single socket connection within a network DMZ, network address translation (NAT), and firewall environment.

Referring again to Figures 3a and 3b, the enPortal solution (Figure 3a: Secure data access in enPortal) only requires a single firewall rule to allow access from the user’s browser to enPortal. The “typical portal” solution (Figure 3b: Un-proxied data access in Typical Portal) requires additional holes in the firewall between the user and each integrated application.

Protection of Private Networks and Application Assets

The protection and concealment of back-end applications and network assets are of critical concern to organizations that must provide application access to users and customers over a public network. enPortal allows multiple dynamic HTTP(S)-based applications to be integrated into the enPortal framework, concealed, and pushed through a DMZ environment for presentation to external users on a public network.

The web resource proxy does not allow clients to directly connect to these resources. Additionally, external entities have no knowledge of applications’ addresses, port numbers or operational networks. The enPortal proxy provides an additional layer of protection between internal resources and external users.

User Management

A key component of any integration platform is managing the accounts and credentials for users in each of the underlying systems. enPortal provides a suite of tools that allow the administrator to either create and manage new users, or to leverage the users and accounts that are already in place in your organization.

Single Sign-On

Out of the box, Single Sign-On is a feature of enPortal where all of a user's credentials to multiple applications are securely stored by enPortal. This allows users to access and display information from back-end applications without having to manually log in to each of these applications. Once a user logs into enPortal, no other credentials are required from that user. Using enPortal’s pre-built PIMs, this capability is provided with no custom software development or modification to back-end applications.

Figure 4: Single Sign-On accesses all integrated applications with a single login


An additional benefit of enPortal’s Single Sign-On is that a single account for a back-end application can be shared across an entire group of users if desired. This allows the application administrator to configure access options for many users through a single account and also limits the number of named user accounts that are needed in the application. A Group membership attribute in LDAP can be leveraged for this purpose, so that no special group configuration needs to be implemented by the enPortal administrator.

The enPortal Single Sign-On feature supports the integration of various security and authentication schemes presented by existing applications. This capability is implemented through a component called the Login Proxy Service (LPS) that handles all authentication interactions between the user and third-party services.

Because many applications have unique or proprietary mechanisms, web-based Single Sign-On can be difficult for other portal solutions to standardize into a solution that fits in all cases. Each single login implementation for an application is a unique integration with its own distinct interface. However, while the method of presentation can vary, most methods of authentication use the HTTP protocol to submit credentials and maintain authentication. The powerful enPortal CRS engine allows Single Sign-On to be rapidly configured for virtually any application.

Provisioning of Single Sign-On Tokens

If the integrated backend applications and enPortal are tied to a common external user authentication system, SSO tokens can be configured to simply pass user credentials to the backend applications. If a user enters his credentials and there is no matching SSO token stored for that user and that backend application, the credentials are no longer valid and the user will be re-prompted for their credentials.

Single Sign-Out

When a user logs out of enPortal, Single Sign-Out automatically logs the user out of all integrated applications with open sessions. This provides additional security and performance by limiting the number of open sessions. It also can lower costs and eliminate lockouts by reducing the number of concurrent licenses that are needed for the integrated applications.

Kerberos

enPortal currently supports Kerberos-controlled SSO access to proxied applications. Kerberos authentication differs from basic HTTP, NTLM-based, and application (PIM) specific authentication in that enPortal needs to communicate with both the proxied web application and the Kerberos authentication server.

Kerberos also requires an additional configuration file that contains details about the authentication domain and servers. The Kerberos Configuration page in the Edge online documentation provides additional information. Edge does not currently support Kerberos as the authentication mechanism to login to enPortal itself.

Authentication and Login Processing

enPortal provides a complete UI and embedded database for internally managing domains, users, and roles. However, some organizations already have one or more LDAP servers in place to manage this information. This enables the organization to store all user information and credentials in one centralized location. In this case, enPortal can simply map to the existing LDAP configuration and rely on LDAP for externally managing this information. Typical LDAP repositories supported by enPortal include Active Directory and OpenLDAP, but others are also supported.

Figure 5: Delegated user management with LDAP

enPortal provides a full toolset for mapping LDAP groups to enPortal roles, enforcing password policies, and keeping user credentials in sync between the LDAP server and enPortal.

External User Authentication

enPortal supports several common authentication tools that are already in use by many customers. This allows enPortal to rapidly integrate with an existing login management infrastructure.


CAC/PKI

Common Access Card (CAC) is a two-factor authentication mechanism used by certain organizations, including the United States Department of Defense. This allows Single Sign-On integration with the desktop authentication via a Client Certificate, a feature of Public Key Infrastructure (PKI). Use of this module requires that the desktop operating system and web browser are configured with the necessary hardware and middleware to support the physical CAC token and associated protocols. This module can be adapted to other single- and two-factor authentication mechanisms that present a Client Certificate to web applications.

CA Single Sign-On (formerly CA SiteMinder)

To facilitate enPortal integration with CA Single Sign-On, CA’s Web Agent must be installed at enPortal’s access point. A common implementation is to have an Apache version of the Web Agent installed on an Apache HTTP Server which is then configured as a reverse proxy to enPortal.

When a user accesses enPortal via the Apache server, the CA Web Agent will check to see if the user has been authenticated for enPortal access. If not, it will forward the request to the CA Single Sign-On instance, which then prompts the user with the CA login page. Once a user authenticates successfully through CA Single Sign-On, all the subsequent enPortal access requests will be granted.

In this deployment scenario, enPortal is configured in Trusted Authentication mode so there is no authentication required for enPortal’s login request. However, enPortal also supports an on-demand, or “lazy load,” to allow role assignment, in which case enPortal will then communicate with the LDAP server with which CA Single Sign-On is also communicating.


Figure 6: enPortal deployed with CA Single Sign-On

Customer Portal to enPortal Authentication Mapping

Similar to the CA Single Sign-On deployment described above, in this scenario there is another portal already in place that provides a reverse proxy capability. The external customer or end-user is required to access this other system first, which in turn picks up a token that is sent in response to the initial request to enPortal. If enPortal does not detect that the request has a valid session, it will look for the access token and then respond back to that other system to:

a) Validate the token
b) Make a request for user information from the other portal
c) Check to see if the user exists and if not, perform on-demand user creation
d) Create the session

Two-factor Authentication Systems

Two-factor authentication (2FA) adds a second level of authentication to a basic login procedure, requiring that the user provide additional credentials in order to access secured resources. Examples of 2FA include Google Authenticator, RSA SecurID tokens, and CAC. enPortal provides the means to satisfy security requirements by providing a single, secure access point to backend applications through enhanced authentication.

One possible scenario illustrating the integration of enPortal with 2FA is as follows:

An administrator has configured their system to require 'clientAuth', meaning that the Secure Sockets Layer (SSL) connection requires a valid certificate chain from the client. The enPortal server will send the chain to an Online Certificate Status Protocol (OCSP) Responder to validate the certificate. It may also look up the user name information in the certificate and additionally request a valid password. This password has typically been validated against an LDAP server which in turn may perform an on-demand, or “lazy load,” of the user and any role assignments before a valid session is created.

Web Access Management

Web Access Management (WAM) tools have become more commonly used in recent years. These tools include CA Single Sign-On (formerly SiteMinder), Oracle Access Manager, and Novell Access Manager. The WAM tool provides authentication management, policy-based authorizations, and reporting services. By having the capability to quickly integrate with these tools, enPortal allows an organization to continue using these tools for authentication while implementing all of the integration and proxying capabilities provided by enPortal.

Custom Authentication

The powerful enPortal CRS provides the capability and tools for quickly creating custom authentication modules. This allows enPortal users to leverage Single Sign-On to enable them to auto-login to any application, including custom home-built applications with proprietary login mechanisms. Over the years, Edge has developed many of these custom authentications for a variety of applications.

IP Address and Session Limiting

One of the validations that can be required before a session is established is to check the user’s source network address and only allow certain roles to be accessed from specified networks. The administrator is able to restrict the content available to that role to only users who are assigned that role and who are accessing the system from within a known and approved network.

enPortal provides for several session-based constraints including:

1. Limiting the number of simultaneous active sessions for a specific set of users or Domains
2. Limiting initial sessions to a set time and/or defining the duration of extensions when users are actively using the system
3. Determining what action to take if a user attempts to start a new session when an existing session already exists: Block access, terminate previous sessions, or prompt user to terminate the active session or cancel the login request
4. Displaying a security statement to be acknowledged prior to login
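One way to implement the per-role source-network check and constraints 1 to 3 above, as an added example rather than enPortal's own code: a session-policy gate that refuses roles used from outside their approved networks, caps simultaneous sessions per user and per domain, bounds session lifetime with activity extensions, and applies the configured action (block, terminate previous, or prompt) when a user who already holds a session logs in again. Class names, outcome strings and default values are assumptions.

```python
"""Added example, not enPortal code: a session-policy gate for the pre-session
checks described above. Names, outcome strings and defaults are assumptions."""
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    domain: str
    role: str
    expires_at: float


@dataclass
class SessionPolicy:
    # role -> networks the role may be used from; roles absent here are unrestricted
    role_networks: dict = field(default_factory=dict)
    max_sessions_per_user: int = 1
    max_sessions_per_domain: int = 50
    initial_lifetime: float = 900.0   # seconds a new session lives without activity
    extension: float = 300.0          # lifetime granted by each request on an active session
    on_duplicate: str = "block"       # "block", "terminate_previous" or "prompt"


class SessionManager:
    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}            # session id -> Session

    def _purge_expired(self, now):
        expired = [sid for sid, s in self.sessions.items() if s.expires_at <= now]
        for sid in expired:
            del self.sessions[sid]

    def role_allowed_from(self, role, source_ip):
        """Source-network check: IPv4 or IPv6 address against the role's networks."""
        nets = self.policy.role_networks.get(role)
        if nets is None:
            return True
        addr = ipaddress.ip_address(source_ip)
        return any(addr in ipaddress.ip_network(n) for n in nets)

    def login(self, user, domain, role, source_ip, now, confirm_terminate=False):
        """Returns (outcome, session id or None). confirm_terminate is the user's
        answer to the prompt when on_duplicate is "prompt"."""
        self._purge_expired(now)
        if not self.role_allowed_from(role, source_ip):
            return "denied_network", None
        own = [sid for sid, s in self.sessions.items() if s.user == user]
        if len(own) >= self.policy.max_sessions_per_user:
            mode = self.policy.on_duplicate
            if mode == "block":
                return "blocked_active_session", None
            if mode == "prompt" and not confirm_terminate:
                return "prompt_terminate_or_cancel", None
            for sid in own:                    # terminate_previous, or prompt confirmed
                del self.sessions[sid]
        in_domain = sum(1 for s in self.sessions.values() if s.domain == domain)
        if in_domain >= self.policy.max_sessions_per_domain:
            return "domain_session_limit", None
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user, domain, role, now + self.policy.initial_lifetime)
        return "session_created", sid

    def touch(self, sid, now):
        """Per-request check: an expired session is dropped, an active one is extended."""
        self._purge_expired(now)
        s = self.sessions.get(sid)
        if s is None:
            return False
        s.expires_at = max(s.expires_at, now + self.policy.extension)
        return True
```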

Branding and Customization

enPortal offers many features for uniquely branding the presentation of the Edge user interface, along with HTML content from proxied applications, so the user has a completely customized and unified experience.

Custom Login Page – The default enPortal login screen can be customized, allowing for a variety of static or dynamic content to be displayed as users access the system. Custom login screens can also provide links to relevant information or resources. A service provider, for example, might include information on new customer offerings.

Figure 7. Default login screen

Figure 8. Custom login screen


Look and Feel – By using the configuration tools in the enPortal administration interface, the administrator can modify the enPortal Look and Feel (LAF), create multiple versions of the LAF, and assign different LAFs on a per-domain or per-role basis.

Content Views – When logging in to enPortal, the content presented to each user is tailored to meet the needs of his business function. This is accomplished by customizing the Views that are assigned to each role in the system. The enPortal administration interface provides all of the tools for managing this customization.

Security Policies – The administrator can also set custom security policies. This locks down the content in the system and ensures that users can only access the information to which they have security privileges. Read, write, and view privileges can be restricted by user, role, or domain.

API – In addition to the customization options noted above, which are available in the standard UI, enPortal also provides an API to allow for additional customization of the system at a programmatic level.

Executive Views

An integration platform needs to provide different types of information to different types of employees. In addition to the GUI-layer integrations provided by enPortal, Edge offers an add-on visualization layer capability, called AppBoard™, which provides additional integration directly at the data layer through data adapters. This unique deployment model now allows for customer, executive, or situational awareness views of information while still allowing access in context directly to web layer tools. This also offers additional ways for the system designer to always provide the right data to the right user with clear and concise visualizations.

The AppBoard visualization view can add value with elements such as:

- Providing high-level summaries, with drill-down to greater detail
- Providing drill-down to full use of integrated tools
- Transforming event data to service impact information
- Providing visualization of information derived from multiple data sources
- Supporting presentation on mobile devices

The combination of the GUI-based AppBoard Builder, SDK, widgets, and data adapters allows the dashboard builder to rapidly integrate and visualize raw data. These visualizations are then available for presentation alongside the enPortal views of integrated application GUIs. AppBoard is licensed separately from enPortal but both servers are deployed together as a single, cohesive server.

Figure 9 demonstrates how enPortal and AppBoard work together to provide a full suite of integration. enPortal’s PIMs provide GUI-layer integration of existing application interfaces, while AppBoard’s Data Adapters provide data-layer integration through direct connections to application databases or web services:

Figure 9: Comparing integration through enPortal and AppBoard

Figures 10 and 11 show examples of visualizations that combine enPortal GUI-layer PIM integrations together with AppBoard data-layer visualizations:

Figure 10: Device Status, Network Topology, Bandwidth Utilization, and Ticket List from suite of integrated IBM Tivoli Software applications


Figure 11: Enterprise View using PIMs and Data Adapters


enPortal Deployment Models

enPortal solves different integration challenges for different organizations. The following sections outline the typical models for how enPortal can be deployed.

Deployment Model 1: For Internal Users

The first deployment option for enPortal is for internal use, such as in a Network Operations Center. In this model, enPortal augments both the security and operational efficiency of your organization (see Figure 12: enPortal internal deployment).

Figure 12: enPortal internal deployment

enPortal provides different application views to different teams, such as Engineering, Management, or Executive. Each team is provided direct, secure access to only the applications relevant to their function. This enables enPortal to always provide the right picture to the right user.

For Government agencies, the advanced security features of enPortal enhance applications to meet stringent security requirements that go beyond the existing capabilities of those individual native applications.

Edge Technologies’ enPortal is the industry’s only COTS-based integration platform focused specifically on network management application integration. The Internal delivery model of enPortal enhances security and operational efficiency in many ways:

- Allowing organizations to provide secure access to interactive back-end applications
- Providing consolidated Single Sign-On
- Centrally coordinating interaction between applications – with little or no coding
- Improving user experience by providing a more unified look and feel for disparate existing applications

Deployment Model 2a: For External Users or Customers with Multi-Tenancy

The second enPortal deployment option is frequently used by Managed Service Providers to generate revenue. These organizations service multiple external customers by allowing their end-users to access enPortal via the internet (see Figure 13: enPortal deployment to multiple customers).

Figure 13: enPortal deployment to multiple customers

Each customer is segmented into their own “domain”, with customer access credentials often managed by integration with an existing user repository, such as LDAP or a web access management tool like CA SiteMinder. The concept of “multi-tenancy” is utilized, in which multiple customers are accessing the same enPortal system, but each user can only access the information and tools that they are authorized to see within that domain. By locking down access to URLs and content, enPortal can also impose multi-tenancy on proxied applications, even if the tools do not natively provide it. Each customer’s experience is also uniquely branded by their marketing team to optimize the end-user experience.


This deployment model leverages enPortal’s core features - Single Sign-On, PIMs, re-branding, security, and content manipulation (see Core Features and Capabilities) - to provide only the appropriate content to each customer and to each individual in that customer’s user base.

The integration capabilities of enPortal can also provide web access to legacy thick-client applications that would not otherwise be web accessible.

Deployment Model 2b: In Your Existing External Portal

For many successful organizations, a portal strategy serves as the foundation for integration. As such, the concept of a portal is maturing rapidly. The original concept of a portal addressed the need to publish information to users via a web page. Companies today, however, need a portal that provides more than just static displays of back-end applications and information. They need a tool that can rapidly integrate applications into their existing portal infrastructure.

Companies with existing external-facing portals already in place can leverage enPortal’s proxy technology to increase the value of their existing portal. enPortal reaches well beyond the capabilities of existing portal solutions that focus primarily on document management, indexed searches, and static displays of data. enPortal provides true integration - especially when leveraging enPortal's COTS-based PIMs for integration of vendor-specific tools and content.

Working with your existing portal, enPortal can rapidly integrate new applications into the portal framework (see Figure 14: enPortal deployment inside an existing portal).


Figure 14: enPortal deployment inside an existing portal

As seen in the above illustration, enPortal increases the value of the existing customer portal by integrating additional applications. The enPortal proxy integrates applications as portlets into the existing portal container. enPortal can run in parallel to the existing portal, immediately providing value without requiring a full replacement of the existing portal.

In addition to integrating applications, portlets can also integrate individual enPortal tools into a portal. This can provide enPortal features to administrative users beyond what may be supported by the existing customer portal. Examples include user/role management, LDAP integration, Single Sign-On, and dashboard visualizations.

Customer Example

A large telecommunications company used an in-house portal to deliver access to their customers, over the internet, to a suite of tools for managing their voice, data, and IP services. The company had requirements for additional features that were not provided by their existing portal.

The company added enPortal to the existing portal platform. enPortal provided Single Sign-On capability, application link provisioning, system administration capabilities, and enhanced security.


Architecture

The enPortal system runs as a web application inside an Apache Tomcat server, and accesses a JDBC-compliant database (or database cluster). The system is designed with flexible deployment options, to meet the varying needs of an organization. The following sections detail these available options.

Design Architecture

Edge enPortal is a standards-based, XML-driven portal application. enPortal was developed with Java technologies to provide unparalleled flexibility, scalability, application and content protection, application interaction, and complete platform independence. enPortal is deployed in a self-contained Tomcat web application with an embedded H2 database.

In a multi-tier deployment architecture, the first tier is typically one or more customer-provided hardware load-balancers and/or SSL accelerators. These front-end load-balancers pass incoming requests to one or more enPortal servers on tier two, running as Java web applications executing under the Tomcat web/application server (referred to as the Servlet/JSP engine). The enPortal configuration database is then resident on tier three, and will often be a redundant database cluster to provide load-balancing and high availability.

All components support maximum platform independence (UNIX or Windows), scalability, and overall system performance.

Scalability, Clustering, and Failover

The enPortal system is implemented as a web application. The enPortal web application server can scale horizontally by replication on additional servers/platforms. Redundant nodes can also be implemented to provide fault tolerance, allowing users to be redirected to alternate servers in the event of an outage.

The scalability of enPortal is related to the number of page views per second. The scalability of proxied web integrations can be variable and dependent on the complexity of the specific integrations used. Typical integrations allow between 5 and 25 integration page requests per second before CPU utilization can become stressed.


With a typical user making three page views per minute and a conservative estimate of 5 integration requests per second, a single enPortal server should handle 150 or more concurrent users in a typical configuration. The core user model can support essentially an unlimited number of users who are not logged in.

Basic Deployment

A single enPortal server may be sufficient for handling the requirements of smaller deployments (see Figure 15: Basic enPortal deployment).

Figure 15: Basic enPortal deployment

High Availability (Failover)

Many organizations require that enPortal will have limited down time over the lifetime of the deployment. In this case, failover can be implemented by configuring redundant enPortal servers. If there is an outage on the primary server, enPortal can continue to provide uninterrupted service by switching to the backup server until the primary server is repaired (see Figure 16: Failover deployment for High Availability).

Figure 16: Failover Deployment for High Availability

Optimized Performance with Failover (Clustering)

Some organizations further require a platform where many users can access the system concurrently without impacting the performance of the application. In this case, clustering of enPortal servers can be implemented to route user sessions to servers with the smallest load or network traffic (see Figure 17: Clustered deployment for optimal performance).


Figure 17: Clustered deployment for optimal performance

Running in Modern Environments

enPortal’s Java and Tomcat infrastructure allow it to be platform independent and run on any operating system that supports the Java Development Kit (JDK v1.6+). The enPortal views can be accessed by any supported web browser, including Internet Explorer, Firefox, or Google Chrome.

enPortal’s flexible configuration options also enable it to co-exist with other software applications on the same server. Co-locating enPortal on an existing application server can reduce deployment cost and network latency.

Since its initial release in 2000, enPortal has shown the flexibility to run in a variety of customer environments. Some of these are noted in the following sections.

Virtualized Networks (VMware)

enPortal fully supports running on a virtualized server, or in a virtualized network. enPortal can also be configured to auto-start so that it will automatically come back online when a server is re-started. The enPortal license will run on any server that can resolve to a static hostname or IP address.

IPv6 Network

enPortal can run on an IPv4 network, IPv6 network, or dual-stack network that requires simultaneous support for both protocols.

Through an Existing Proxy Server

enPortal contains special configuration options for applications that are not directly accessible and can only be accessed through a separate proxy server. The details for both the proxy server and back-end application are stored and managed by the enPortal proxy.


Remote Application Delivery

Several options are available for integrating enPortal with Oracle Secure Global Desktop (SGD) or similar Remote Application Delivery technologies (e.g. Citrix, Ericom AccessNow, Resource Dynamics Go-Global). There are different architectures that can work with enPortal and its proxy, but there are some differences in what may be supported in each.

Oracle SGD software provides remote access to published applications and published desktops from a variety of client platforms and devices. The software web-enables legacy applications and, when used along with enPortal, provides for the delivery of those applications side-by-side with typical web-based apps.

The enPortal PIM for Oracle SGD lets you deliver the published application or desktop in a portal channel. This allows applications that do not natively provide a web-based interface to be accessed through enPortal. enPortal aggregates application views, enforces security policies, and presents the application interface. The user’s web browser client communicates directly and exclusively with enPortal. enPortal proxies the communication between the web client and the back-end application through the Oracle SGD server.

Security and performance are top priorities with any web-enablement solution. The Oracle SGD PIM enforces strict user authentication and controlled role-based access to specific content as well as the ability to restrict content delivery to defined IP addresses. The solution tracks all sessions and creates a detailed audit trail for each session. The Oracle SGD PIM also provides bandwidth management end-to-end with no change to existing firewalls.

Software Component Architecture

The primary functions of enPortal are contained within five system components:

- Request Engine
- Business Logic Engine
- Integration Engine
- Web Resource Proxy and Content Filtering
- Object Database


Request Engine

The Request Engine serves all requests coming from a user via a web browser. In fact, all external communications with an enPortal system are requested through the Request Engine. The Request Engine’s primary responsibilities are to translate HTTP(S) requests into object requests and to dynamically translate the application-specific results into HTML for transmission to the client web browser.

The Request Engine executes within a Servlet/JSP engine; Java Servlets and JSPs are the primary components of the Request Engine. The Request Engine also provides an extra level of access security by verifying that the user is logged in to the system before accepting and servicing the request.

Business Logic Engine

The Business Logic Engine is responsible for the overall business logic of the system, enPortal’s security, and the storage of system objects. These responsibilities pertain to users, roles, domains, virtual directory access, and content management.

The Business Logic Engine manages and stores system objects to a chosen object repository/database. The Business Logic Engine runs in the same process (Tomcat as the JSP/Servlet Engine) as the Request Engine.

Integration Engine

The Integration Engine allows new content Channels to be created and integrated into an enPortal system at runtime. The Integration Engine consists of a Channel classification model and a set of Request Handlers that are implemented as Java Servlets or JSPs. Request Handlers are the public web interfaces into enPortal Channels that service the Channel requests being made from web browser clients. The Integration Engine provides an external interface through the Portal Request Engine that allows HTTP(S) requests to be sent to any plugged-in visual Channel.

Upon receipt of a request to render a content Channel, the Integration Engine retrieves the specified Channel (if security allows it) from the enPortal server and calls the specified Request Handler to render the Channel content.


Web Application Proxy and Content Filtering

The web application proxy and content filtering function facilitates the delivery of and interaction with existing HTTP(S)-based content. It is responsible for applying Single Sign-On rules to the retrieval of external HTTP(S) requests, and for manipulating the resulting data streams being returned from an integrated application for control and data customization. The HTTP(S) stream manipulation support within enPortal is both extensive and configurable and is available as a Proxy Channel. A potential example of the use of this function is the removal of an image from an HTML stream as enPortal delivers the HTTP(S) stream to the browser client.

Object Database

The enPortal Database is a JDBC-compliant RDBMS, and enPortal supports numerous databases, including Microsoft SQL Server, MySQL, and Oracle. enPortal ships with an embedded H2 database. The enPortal Database handles mapping between the object-based data model used within enPortal and the relational database model that stores the actual content.


About Edge Technologies, Inc.

Edge Technologies is an innovative and proven software company specializing in the Access, Integration, Visualization, and Understanding of information. Edge products and services facilitate faster, more complete data integration; user-centric, customized visualizations; easy, secure information sharing; and enhanced operational awareness across a diverse set of information stakeholders.

Edge has been delivering leading-edge solutions in many of the world’s most sophisticated network, intelligence, operational and logistics environments since 1993. Recognized for the ability to identify, adopt and deploy emerging technology platforms, Edge’s industry-leading products have proven to be ground breaking solutions that stand the test of time.

Edge’s technological expertise in developing lasting innovation is fortified by the company’s value-focused customer and partner relationships. Recognized for meticulous software engineering and a high-touch customer service approach, Edge’s success is built on innovative technology driven by experienced, customer-focused personnel.

The Edge Agile Development Methodology first identifies customer challenges, then applies design expertise and innovation to create better solutions and backs it all by the people and technology to ensure the solutions work in the real-world and for the long-haul.

Unlike competitive offerings, Edge’s products are designed with both the development staff and the executive team in mind. Edge software toolkits do the heavy lifting to streamline internal development efforts, accelerate time to market, and empower staff to focus on situational and operational objectives. What’s more, Edge’s advanced software architecture enables its products to easily scale to handle hundreds of concurrent users.

Edge empowers businesses and government agencies to fulfill the potential of their network and business systems management assets to make better decisions faster.


Appendix A: enPortal Product Integrations

Edge provides pre-built integrations for products from these vendors:

- AirTight Networks
- Alcatel-Lucent
- Apica
- AppDynamics
- AppNeta
- Arbor Networks
- Axios Systems
- BMC Software
- CA Technologies
- Cisco Networks
- Citrix
- Compuware
- Cuculus
- EIQ
- EMC
- eMite
- Entuity
- Fluke Networks
- Fortinet
- HP
- IBM
- IneoQuest
- Infoblox
- InfoVista
- Interactive Intelligence
- Ipanema Technologies
- Koverse
- LiveAction
- ManageEngine
- McAfee
- Monolith Software
- MYCOM OSI
- Nagios
- NetBoss
- NetWitness
- Oracle
- Plixer
- Resilient Systems
- Riverbed
- SAP
- ScienceLogic
- ServiceNow
- SevOne
- SolarWinds
- Splunk
- Tableau
- Talisma
- Tektronix
- Viador
- Visionael
- VMware
- Websense
- xMatters
- Zenoss

The above list continues to expand as Edge generates PIMs for new applications. The complete list of PIMs can be found on the Edge Documentation site.