  • 1.  MQ for inter-company communications

    Posted Tue March 02, 2021 09:59 AM
    I have a customer who intends to use MQ to do direct messaging with its partner over MQ, read: going outside their firewall. What would be the objection? Any best practices? And if it is not to be advised, why not?

    ------------------------------
    Pierre Mijnsbergen
    Solution Architect
    IBM
    Amsterdam
    ------------------------------


  • 2.  RE: MQ for inter-company communications

    Posted Wed March 03, 2021 04:30 AM
    If you want to terminate the connection at the network boundary, rather than allowing direct connections from the internet to the queue manager, consider placing MQIPT as a proxy in the DMZ. See https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.pro.doc/ipt0000_.html for more information.

    Regards

    Gwydion

    ------------------------------
    Gwydion Tudur
    ------------------------------



  • 3.  RE: MQ for inter-company communications

    IBM Champion
    Posted Wed March 03, 2021 04:39 AM
    Potentially look at having a "Gateway" Queue Manager in the mix too. This Redbook discusses it: https://www.redbooks.ibm.com/redbooks/pdfs/sg248069.pdf.
    I would also always advise two-way TLS authentication between all parts: Partner <-> MQIPT <-> Gateway <-> internal QM.

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------



  • 4.  RE: MQ for inter-company communications

    Posted Wed March 03, 2021 04:47 AM
    Is this the architecture?
    qmgr  customer <-> firewall <-> internet <-> firewall <-> qmgr partner


    ------------------------------
    Matthias Jungbauer
    ------------------------------



  • 5.  RE: MQ for inter-company communications

    IBM Champion
    Posted Wed March 03, 2021 07:09 AM
    One of my customers is running a similar scenario and they use gateway qmgrs with two-way TLS authentication as suggested by John. The traffic isn't coming from the Internet, they have a dedicated connection through the infra service provider's core network, but it still goes outside their firewall. If you have to go through the Internet then MQIPT is a good option, as already mentioned.


    ------------------------------
    Hermanni Pernaa
    ------------------------------



  • 6.  RE: MQ for inter-company communications

    Posted Wed March 03, 2021 09:44 AM
    Hi all, and first thanks for all your support....
    It also proves I certainly need to brush up on my apparently rusty MQ knowledge.

    From all comments etc. I distilled that, from an architecture point of view, there are probably 2 basic options:

    or

    Any guidance on which is to be preferred and/or why, or why not feasible?

    Again all views, remarks, comments etc. will be most appreciated.

    Stay safe and kind regards.

    ------------------------------
    Pierre Mijnsbergen
    Solution Architect
    IBM
    Amsterdam
    ------------------------------



  • 7.  RE: MQ for inter-company communications

    IBM Champion
    Posted Wed March 03, 2021 11:25 AM
    I've looked really hard at this and can't see any difference in the images? However...
    it's preferable to put two-way authenticated TLS between the "SSL Proxy", as you have called it, and the MQ server. There are two ways to set up MQIPT: either as a pass-thru or as a TLS termination. I always prefer the TLS termination, but I always want the internal MQ to authenticate to the MQIPT and MQIPT to authenticate to the internal MQ, i.e. two-way auth.

    I would also recommend to the partner (if you can) that they use MQIPT as well, and that you can do it for them, for a fee of course ;-)

    You haven't put the Gateway MQ in your diagram. What you have is fine IMO, but a gateway is best practice.


    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------
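    As an added illustration of the two MQIPT modes John contrasts above (pass-thru versus TLS termination) and of the two-way TLS he recommends on both legs, here is a constructed `mqipt.conf` fragment. It is not code from this thread, from IBM or from any poster; the host names, ports, key store paths and the `[global]` settings are hypothetical placeholders, and the route properties are the standard MQIPT route keys (`SSLServer*`, `SSLClient*`, `SSLProxyMode`) as documented for MQIPT 9.x. Route 1 terminates the partner's TLS session at MQIPT and opens a second, separately authenticated TLS session to the gateway queue manager in the secure zone; route 2 shows the pass-thru alternative, in which MQIPT forwards the partner's TLS bytes unchanged and the gateway queue manager is the TLS endpoint.

```ini
# Constructed example: MQIPT in the DMZ between a partner queue manager and an
# internal gateway queue manager. All names, ports and paths are hypothetical.

[global]
CommandPort=1881

# ---- Route 1: TLS termination with two-way authentication on BOTH legs -----
[route]
Name=PartnerInboundTerminated
Active=true
ListenerPort=1414
Destination=gateway-qm.internal.example
DestinationPort=1414

# Leg 1 (partner -> MQIPT): MQIPT is the TLS server and terminates TLS here.
SSLServer=true
SSLServerKeyRing=/opt/mqipt/keys/mqipt-server.p12
SSLServerKeyRingPW=/opt/mqipt/keys/mqipt-server.pwd
# Trust store holding only the partner's CA, so only partner-issued certificates are accepted.
SSLServerCAKeyRing=/opt/mqipt/keys/partner-ca.p12
SSLServerCAKeyRingPW=/opt/mqipt/keys/partner-ca.pwd
# Require the partner to present a client certificate (two-way auth on leg 1).
SSLServerAskClientAuth=true
# Pin the expected subject CN of the partner's certificate.
SSLServerDN_CN=partner-qm.partner.example
SSLServerProtocols=TLSv1.2

# Leg 2 (MQIPT -> gateway QM): MQIPT is the TLS client and presents its own certificate.
SSLClient=true
SSLClientKeyRing=/opt/mqipt/keys/mqipt-client.p12
SSLClientKeyRingPW=/opt/mqipt/keys/mqipt-client.pwd
# Trust store holding only the internal CA, so MQIPT only talks to the real gateway QM.
SSLClientCAKeyRing=/opt/mqipt/keys/internal-ca.p12
SSLClientCAKeyRingPW=/opt/mqipt/keys/internal-ca.pwd
SSLClientDN_CN=gateway-qm.internal.example
SSLClientProtocols=TLSv1.2

# ---- Route 2: pass-thru (SSL proxy mode), shown for contrast ---------------
[route]
Name=PartnerInboundPassThru
Active=false
ListenerPort=1415
Destination=gateway-qm.internal.example
DestinationPort=1415
# MQIPT forwards the TLS bytes unchanged; it cannot inspect or re-authenticate
# the session, so the gateway QM's receiver channel must enforce
# SSLCAUTH(REQUIRED) and SSLPEER itself.
SSLProxyMode=true
```

    With route 1 the gateway queue manager only ever sees a TLS client certificate issued by the internal CA (MQIPT's), so its receiver channel can pin MQIPT's DN and the partner's identity is checked at the DMZ edge; with route 2 the partner's certificate reaches the gateway queue manager directly and all certificate checks move inward. In both cases the receiver channel on the gateway queue manager should still require a client certificate rather than relying on MQIPT alone.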



  • 8.  RE: MQ for inter-company communications

    Posted Thu March 04, 2021 02:15 AM
    Hi John, sorry, my mistake....call it lost in translation.
    The difference is that in the upper schema TLS terminates at the "proxy", so in the DMZ. In the lower schema TLS is to be used between the Internet and the "proxy" in the DMZ, but also between the DMZ and the Secure Zone.

    On behalf of the customer, thanks to all for your constructive comments, remarks etc. Basically the customer has now decided to implement the lower schema model, but also to include a Gateway.

    Thanks again, stay safe and kind regards.

    ------------------------------
    Pierre Mijnsbergen
    Solution Architect
    IBM
    Amsterdam
    ------------------------------