Just to add to what Duane has already indicated...
We generally recommend that instead of opening the firewall to allow
access directly to your LiveCycle server, you instead place an Apache
or IIS server in your DMZ and have that forward requests to the
LiveCycle server. You can either set up Apache as a reverse proxy, or
you can use the MOD_JK extension. Either of these options will give
you a great level of security for your internal network, since your
firewall will be configured to only allow traffic from the Apache
server, rather than from anyone on the internet.
Notes:
* You must set up SSL on the Apache server.
* You must set up DNS so that the Rights Management hostname resolves
to the Apache server for external users, and the LiveCycle server for
internal users. (Or you can point internal users also at the Apache
server.)
Duane, I'd love to see that white paper - please dig it up...
Howard
http://www.avoka.com
On Sep 26, 1:40 am, Duane Nickull <dnick...@adobe.com> wrote:
> There are two different deployment options. When you deploy it to an
> internal (behind firewall) IP address, you will have to get your network
> admin to open up the IP address and map it to the DMZ and allow packets
> traveling to it (port too) to reach it. Another way to use documents
> outside the firewall is to extend the offline lease period (whoever the
> policy owner is has to do this). The second option is to use it only
> internally.
>
> You will also need to note that when you are using signed documents with
> policy server, there is a very specific set of steps required since the
> policy server creating a Microsafe can change the hash value for the
> computations the signature uses. PCS is the general rule (Policy Protect,
> Certify, Signatures). There is a white paper I wrote on this somewhere that
> explains the nauseating details. I'll try to dig it up and see if it is
> still relevant WRT LC ES.
>
> Duane
>
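
The reverse-proxy arrangement Howard describes, sketched as an Apache 2.4 virtual host. This is an added example, not part of the original thread and not Adobe's or Avoka's configuration. The hostname, certificate paths, application path, and internal address and port are all placeholders.

```apache
# Constructed example: every hostname, path, IP and port below is a placeholder.
# Assumes Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded.
<VirtualHost *:443>
    # External name that public DNS resolves to this DMZ server
    ServerName rm.example.com

    # TLS terminates on the DMZ server
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/rm.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/rm.example.com.key

    # Reverse proxy only: never act as an open forward proxy
    ProxyRequests Off
    # Pass the external Host header through so the backend sees the
    # hostname that clients actually used
    ProxyPreserveHost On

    # Forward only the application path that external users need
    ProxyPass        /app-path/ http://10.0.0.10:8080/app-path/
    ProxyPassReverse /app-path/ http://10.0.0.10:8080/app-path/

    # Refuse everything else at the proxy; the later, more specific
    # Location section overrides the earlier one
    <Location "/">
        Require all denied
    </Location>
    <Location "/app-path/">
        Require all granted
    </Location>
</VirtualHost>
```

The firewall between the DMZ and the internal network then permits only this server's address to reach the backend port, which is what limits exposure to traffic coming from the Apache server.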