Edge enPortal and AppBoard Technical Overview

www.edge-technologies.com White Paper | ©2016 Edge Technologies, Inc. 1 White Paper Edge Technologies 1881 Campus Commons Drive Suite 101 Reston, VA 20191 T 703.691.7900 F 703.691.4020 888.771.EDGE enPortal ®/ AppBoard® Technical Overview April 2016


Table of Contents

Overview
Core Features and Capabilities
Edge Integrations
enPortal Integrations
COTS-Based Product Integration Modules (PIMs)
PIM Failover and Traffic Management
Content Retrieval
Application Hardening: Real-time Content Filtering and Modification
Custom Integrations
AppBoard Integrations
Data Adapters
Data Sources
Advanced Security
Attack Prevention
Password Management Policies
Access Control List Rules
SSL Communications Support
Proxy Technology
Firewall Support
Protection of Private Networks and Application Assets
User Management
Single Sign-On
Provisioning of Single Sign-On Tokens
Single Sign-Out
Kerberos
Authentication and Login Processing
External User Authentication
CAC/PKI
CA Single Sign-On (formerly CA SiteMinder)
Customer Portal to enPortal Authentication Mapping
Two-factor Authentication Systems
Web Access Management
Custom Authentication
IP Address and Session Limiting
Branding and Customization
enPortal and AppBoard Deployment Models
Deployment Model 1: For Internal Users
Deployment Model 2a: For External Users or Customers with Multi-Tenancy
Deployment Model 2b: In Your Existing External Portal
Customer Example
Architecture
Design Architecture
Scalability, Clustering, and Failover
Basic Deployment
High Availability (Failover)
Optimized Performance with Failover (Clustering)
Running in Modern Environments
Virtualized Networks (VMware)
IPv6 Network
Through an Existing Proxy Server
Remote Application Delivery
enPortal and AppBoard Component Architecture
Request Engine
Business Logic Engine
Integration Engine
Data Source Engine
Web Application Proxy and Content Filtering
Object Database
AppBoard Client Component Architecture
Data Source
Data Collections
Widgets
Stacks and Boards
About Edge Technologies, Inc.
Appendix A: enPortal Product Integrations

Overview

Integration is no longer just a nice-to-have – it has become a must-have in commercial and government environments around the globe.

Managers of modern companies face many challenges in providing the necessary information and tools to their users:

Too Much Information: End-users are presented with an overwhelming amount of data. It is difficult to find the relevant data and assess the impact of issues from a business perspective.

Numerous OSS/BSS Tools: When working with Operations Support Systems or Business Support Systems, each tool has its own URL, login, interface, product terminology, and unique training requirements. There is often limited native interoperability between all of these tools.

Complexity: Users need to use data collected by monitoring tools, but want to be shielded from the complexity of the underlying technologies.

Security and Compliance: Customers need direct, real-time access to many tools across the network, while the security of the network is maintained.

This white paper details how the patented technology of Edge Technologies’ enPortal® and AppBoard® tackles all of the above challenges. enPortal and AppBoard provide solutions to the integrator with elements that are critical for any deployment, including:

Time: Rapid integration of existing products and data from multiple vendors

Standardization: Integration of information provided by various applications into a single cohesive, branded display

Flexibility: An integration platform that creates interoperability between disparate tools, and can be rapidly adapted to meet unknown future requirements

Convenience: A single, secure access point for all tools, with minimal disruption to end-users when applications are replaced or upgraded

Scalability: Support for large numbers of concurrent users without impacting system performance

This is why, since its release, Edge's solution has delivered significant value for a diverse set of customers, including Telecommunications companies, Managed Service Providers, large banks, manufacturing companies, federal agencies, the U.S. Department of Defense, foreign militaries, and other global corporations.

"The implementation has been very successful and has allowed us, in a very short period of time, to reach our primary objectives: Secure revenue assurance and improved Quality of Service perceived by end customers. We have achieved savings by means of providing automated reports and proactive management of incidents for clients avoiding SLA penalties and economic loss for the company." - Vicente Espinaza, Project Manager and Senior Engineer for Telefonica

Core Features and Capabilities

The core software components of enPortal and AppBoard combine to provide advanced capabilities and significant benefits – many of which are unique to Edge's solution offering and not possible through other products.

enPortal offers a vast array of features and functions. The core features/capabilities include:

Integration of existing web-based tools and applications

Advanced security

Single Sign-On

Integration with external user authentication systems

Branding and customization

Dashboard views

Multi-tenancy

Scalability

In addition to the web-layer integrations provided by enPortal, Edge offers an information visualization component, called AppBoard, which provides additional integration through data-layer adapters. This unique model allows for the seamless combination of new visualizations based on raw data with native, in-context views from existing tools into role-based custom dashboards. This also offers additional ways for the system designer to always provide the right data to the right user with clear and concise visualizations.

AppBoard adds value by:

Providing high-level summaries, with filtering and drill-down

Providing seamless transition from custom visualizations to fully interactive use of integrated tools

Transforming event data to service impact information

Providing visualizations of information derived from multiple data sources

Supporting presentation on mobile devices

The combination of the GUI-based AppBoard Builder, widgets, and data adapters allows the dashboard designer to rapidly integrate and visualize raw data. These visualizations are then available for presentation alongside the enPortal views of integrated application GUIs. AppBoard is licensed separately from enPortal, but both applications are designed to be deployed together as a single, cohesive solution.

The figure below demonstrates how enPortal and AppBoard work together to provide a full suite of integration. enPortal’s Product Integration Modules (PIMs) provide GUI-layer integration of existing application interfaces, while AppBoard’s Data Adapters provide data-layer integration through direct connections to application databases or Web Services:

Figure 1: Comparing integration through enPortal and AppBoard

Below are examples of visualizations that combine enPortal GUI-layer PIM integrations together with AppBoard data-layer visualizations:

Figure 2: Device Status, Network Topology, Bandwidth Utilization, and Ticket List from a suite of integrated OSS applications

Figure 3: Enterprise View using PIMs and Data Adapters

Edge Integrations

To get the most from an integration platform, customers need the ability to integrate new content elements quickly and securely. Customers also need the ability to enable partners and other third parties to organize application services, multi-media streams, and web-based utilities into any number of user or role-specific views – without complex software development.

To meet the challenge of integrating, controlling, protecting, and multiplexing fully interactive back-end applications and content into a virtual desktop, over private and public networks, Edge offers three types of integration:

Product Integration Modules (PIMs) - Proxied views of web-based applications combined with user authentication, Single Sign-On, secure multi-tenancy, and HTML content manipulation

Data Adapters - Direct connections to data from a variety of files and databases via Web Services, JDBC, APIs, scripts, or other mechanisms

Integration Packages - Bundled integrations and content, purpose-built for specific applications or application suites. Integration packages may include web and/or data-layer integrations, preconfigured dashboards, widgets, and actions, and pre-packaged sample content.

Figure 4: A single dashboard driven by multiple data sources and integration types

enPortal Integrations

COTS-Based Product Integration Modules (PIMs)

A distinct advantage of enPortal is rapid deployment, made possible by enPortal’s prepackaged PIMs. enPortal PIMs provide plug-and-play Commercial Off-The-Shelf (COTS)-based integration of products from BMC, CA, Cisco, EMC, HP, InfoVista, IBM, Oracle, SevOne, VMware, and many more.

PIMs offer immediate value to an organization that has made existing investments in these applications. Interfaces from multiple applications can be presented side-by-side in the enPortal display to the user.

PIMs are essentially XML definitions that define how enPortal will integrate the third-party products and applications into content Channels and Views. To integrate a new application with enPortal using a PIM, an administrator specifies the IP address, web server port, and configuration information for a live application. enPortal then automatically creates content Channels for the third-party application for immediate incorporation into an enPortal page.

A list of web-based products for which Edge offers PIMs is available in Appendix A: enPortal Product Integrations.

enPortal also provides integration of applications that are not web-based and which cannot typically be integrated into other portals. Integration with non-web application GUIs is via an integration module to remote access tools that enable non-web or thick-client applications to be accessed from any Java-enabled web browser.

PIM Failover and Traffic Management

The PIM Failover option configures enPortal to connect to more than one instance of an integrated application. If the primary application server fails, the enPortal PIM will “failover” to the backup instance of the application, providing uninterrupted access to the application for enPortal users.

The Round-Robin option can also be enabled, which directs users to alternate between different instances of an integrated application. This spreads the load across the multiple back-end application servers and allows a large number of concurrent users of the proxied tool.

Content Retrieval

An integral part of enPortal, the CRS patented technology detects, modifies, stores, and disseminates information being retrieved from the web applications integrated through the enPortal framework. The CRS is designed to incorporate any number of fully interactive dynamic applications into a single cohesive view. From an administrative perspective, CRS manages user access and control to fully interactive applications and web content based on user, domain, and role.

CRS also provides for the multiplexing of disparate external HTTP(S) communication streams over a single HTTP(S) port to the web browser by:

Supporting remote access to an unlimited number of fully interactive applications through firewalls and multi-layer DMZ environments utilizing network address translation – regardless of the application’s IP address or port number – for transport over public networks

Supporting the ability to conceal the IP addresses and port numbers of applications, web resources, and their network elements, thereby protecting the operational network and corporate applications

Application Hardening: Real-time Content Filtering and Modification

Most companies have well-known policies in place for hardening or securing their servers, VMs, and Operating Systems, and for finding vulnerabilities that are common to web applications. Application and web UI hardening is a natural extension of these critical requirements. For Managed Service Providers and IT organizations that act as service providers, this is an essential element in delivering customer-facing views of third-party tools safely and securely.

Only Edge Technologies, with enPortal’s HTML content filtering and modification capabilities, can effectively harden or secure most web-based applications by controlling which features of an application’s user interface are dynamically filtered or modified before presentation to the user. Additionally, applications may be modified to "behave properly" within the browser (e.g. remove pop-up windows).

Examples of content filtering, modification, and addressing potential security risks for proxied applications often include:

Locking down access to specific URLs

Obfuscating URLs

Removing available buttons and links on web pages

Modifying menu options or labels

Removing breadcrumb trails from headers or URLs

Hiding or replacing logos

Preventing script execution that may pose a threat, e.g. cross-site scripting (XSS)

In this real-world example, the customer needed to harden the application by removing several elements from the native user interface.

Figure 5: The original content of the User Interface

enPortal CRS rules are used to secure the application by dynamically removing the customer-specified links and associated functionality.

Figure 6: The hardened application UI
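
The kind of response rewriting listed above (removing links and buttons, blocking script execution), shown as an added example in Python; it is not enPortal code or CRS rule syntax. The policy dictionary, the class and function names, and the sample page are all assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

# Hypothetical policy format, invented for this example.
POLICY = {
    "blocked_url_prefixes": ("/admin/",),   # links, forms and buttons to drop
    "blocked_ids": {"delete-device"},       # elements to drop by id
    "allowed_script_src": ("/static/",),    # every other <script> is dropped
}


class HardeningFilter(HTMLParser):
    """Re-emit a proxied page without the elements the policy forbids.

    HTML comments are not re-emitted.
    """

    def __init__(self, policy):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.policy = policy
        self.out = []       # fragments of the rewritten page
        self.removed = []   # audit trail: what was dropped and why
        self._skip = 0      # > 0 while inside a dropped element

    def _reason_to_drop(self, tag, attrs):
        if tag == "script":
            src = attrs.get("src") or ""
            if not src.startswith(self.policy["allowed_script_src"]):
                return "script not on allowlist"
        if attrs.get("id") in self.policy["blocked_ids"]:
            return "blocked id " + attrs["id"]
        for name in ("href", "action", "formaction"):
            url = (attrs.get(name) or "").strip()
            if url.lower().startswith("javascript:"):
                return "script URL in " + name
            if url.startswith(self.policy["blocked_url_prefixes"]):
                return "blocked URL " + url
        return None

    def _open(self, tag, attrs, self_closing):
        childless = self_closing or tag in VOID
        if self._skip:                    # already inside a dropped element
            self._skip += 0 if childless else 1
            return
        reason = self._reason_to_drop(tag, dict(attrs))
        if reason:
            self.removed.append(f"<{tag}>: {reason}")
            self._skip = 0 if childless else 1
            return
        rendered = "".join(
            f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"'
            for k, v in attrs if not k.startswith("on"))  # strip on* handlers
        self.out.append(f"<{tag}{rendered}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._open(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._open(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self._skip:
            self._skip -= 1
        else:
            self.out.append(f"</{tag}>")

    def _text(self, fragment):
        if not self._skip:
            self.out.append(fragment)

    def handle_data(self, data):
        self._text(data)

    def handle_entityref(self, name):
        self._text(f"&{name};")

    def handle_charref(self, name):
        self._text(f"&#{name};")

    def handle_decl(self, decl):
        self._text(f"<!{decl}>")


def harden(page, policy=POLICY):
    """Return (rewritten_html, audit_list) for one proxied response body."""
    flt = HardeningFilter(policy)
    flt.feed(page)
    flt.close()
    return "".join(flt.out), flt.removed


# Constructed sample of a back-end application's page.
PAGE = ('<div id="nav"><a href="/reports">Reports</a>'
        '<a href="/admin/users">Users <b>admin</b></a>'
        '<button id="delete-device" onclick="del()">Delete</button></div>'
        '<p onmouseover="track()">Uptime &gt; 99%<br></p>'
        '<script>alert(1)</script><script src="/static/app.js"></script>')

if __name__ == "__main__":
    html_out, audit = harden(PAGE)
    print(html_out)
    print(audit)
```
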

Custom Integrations

The content retrieval and modification capabilities of the CRS are what enable Edge and its customers to write custom integration modules. These modules extend the same features of Edge’s COTS-based PIMs to all of your custom applications. These custom integrations can also include applications that would not integrate into most standard portals – such as Java applets or non-standard web applications.

The tools for building and testing these integrations are provided in the Integration Manager, which resides in the enPortal administration UI.

AppBoard Integrations

Data Adapters

Edge AppBoard’s Data Adapters function as a liaison between the AppBoard data service and an organization’s various files, application APIs, and databases. Data sources can be on the AppBoard server or on remote hosts. Virtually any type of structured data can be used in AppBoard, through an ever-expanding library of data-layer integrations. Standards-based integrations include:

Local: CSV, Microsoft Excel XLS files, shell commands

Web Services: CSV, XML/SOAP, JSON

Databases (via JDBC and SQL queries): DB2, MySQL, Microsoft SQL Server, Oracle, PostgreSQL, Sybase

OLAP systems (via XML/A and MDX queries): Microsoft Server Analysis Services, Pentaho Analysis (Mondrian), SAP BW

Edge customers have used AppBoard’s integration options to incorporate data from a variety of applications including:

BMC Atrium CMDB & Orchestrator
BMC Remedy ARS
EMC Ionix SAM
HP ArcSight
HP NNMi
IBM Tivoli Netcool/OMNIbus
IBM Tivoli Service Request Manager
ServiceNow
SevOne
Tripwire Enterprise & Log Detector
Fluke Networks Visual TruView

Data Sources

AppBoard Data Sources identify the adapter and the configuration settings required to connect and filter the external data sources to be accessed by the AppBoard server. Data is brought into the AppBoard server as data sets (Entities) and returned to the AppBoard Client as Data Collections. A Data Source may bring one or more unique data sets into the system. Relationships between Entities are modeled as Associations. They can be established through the Data Source UI or imported from existing associations defined by the external data source.

Advanced Security

enPortal and AppBoard have a strong security model with powerful features to restrict access to content based on domain, role (group), and/or user. The solution also provides a combination of firewall infrastructure support, port mapping, content filtering, and a sophisticated security manager.

Enhanced security features include multiple N-Factor authentication methods, secure communications channels, security policies, directory services support, and more – as detailed in the following sections.

Attack Prevention

enPortal provides comprehensive protection against cross-site scripting attacks. All aspects of the HTTP communication are tested by the proxy, including requests, headers, and body. Captured attacks result in HTTP 500 responses and are detailed in the system log files for investigation. Updates to the output encoding scheme are also implemented to improve system efficiency and to eliminate cross-site scripting attacks. The default behavior is to deny requests that contain malicious characters if the page that initiated the request is not from the enPortal server.

Password Management Policies

The security of the system is enhanced by the ability to define password management policies for users’ passwords. The following types of policies can be instituted:

Specifying a password lifetime, which forces users to change passwords

Syntax policies, to avoid the use of predictable passwords

Account lockout upon consecutive failed login attempts

When integration of third-party authentication tools (such as LDAP) is used for user management, enPortal will also cooperatively sync with any password policies in effect on the associated server.

Access Control List Rules

enPortal enables Administrators to create "allow" and "deny" rules that can be enforced from the global and/or Channel-specific level. For example, these rules can prevent users from accessing specific URLs.
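
The request-side checks described under Attack Prevention and Access Control List Rules, combined into one gate as an added example in Python; it is not enPortal code or its rule syntax. The suspicious-character set, the 403 status for ACL denials, the channel-before-global precedence, and all names, paths, and URLs are assumptions; only the HTTP 500 response and the "not from the portal" condition come from the text.

```python
import logging
import posixpath
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import unquote, unquote_plus, urlsplit

log = logging.getLogger("portal.gate")
SUSPICIOUS = re.compile(r"[<>]")   # assumed set; the page does not list one


@dataclass
class Request:                      # minimal stand-in for a proxied request
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    pattern: str                    # shell-style glob matched against the path


def decoded_forms(value, rounds=2):
    """The raw value plus up to `rounds` layers of percent-decoding."""
    forms = [value]
    for _ in range(rounds):
        nxt = unquote_plus(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms


def suspicious_parts(req):
    """Names of the request parts (path, query, body, headers) that match."""
    parts = {"path": req.path, "query": req.query, "body": req.body}
    parts.update({f"header:{k}": v for k, v in req.headers.items()})
    return [name for name, value in parts.items()
            if any(SUSPICIOUS.search(f) for f in decoded_forms(value))]


def from_portal(req, portal_origin):
    """True when the Referer's scheme and host equal the portal's exactly.

    Comparing parsed components avoids accepting look-alike hosts that a
    plain string-prefix test would let through.
    """
    referer = next((v for k, v in req.headers.items()
                    if k.lower() == "referer"), "")
    r, p = urlsplit(referer), urlsplit(portal_origin)
    return (r.scheme, r.netloc.lower()) == (p.scheme, p.netloc.lower())


def evaluate(req, portal_origin, channel_rules=(), global_rules=()):
    """Return (status, reason): 500 attack check, 403 ACL deny, 200 forward."""
    hits = suspicious_parts(req)
    if hits and not from_portal(req, portal_origin):
        log.warning("denied %s: suspicious input in %s", req.path, hits)
        return 500, "suspicious input in " + ", ".join(hits)
    # Match rules against the normalized path, not the raw request string.
    path = posixpath.normpath(unquote(req.path))
    for scope, rules in (("channel", channel_rules), ("global", global_rules)):
        for rule in rules:          # first match wins (assumed precedence)
            if fnmatchcase(path, rule.pattern):
                status = 200 if rule.action == "allow" else 403
                return status, f"{scope} {rule.action} {rule.pattern}"
    return 200, "no rule matched"


# Constructed sample configuration and requests.
PORTAL = "https://portal.example.com"
CHANNEL = [Rule("allow", "/proxy/netmon/config/view"),
           Rule("deny", "/proxy/netmon/admin/*")]
GLOBAL = [Rule("deny", "*/config/*")]

if __name__ == "__main__":
    samples = [
        Request("/proxy/netmon/reports", query="name=<b>x",
                headers={"Referer": PORTAL + "/home"}),
        Request("/proxy/netmon/tickets", body="note=%253Cb%253E"),
        Request("/proxy/netmon/admin/users"),
        Request("/proxy/netmon/config/view"),
    ]
    for s in samples:
        print(s.path, evaluate(s, PORTAL, CHANNEL, GLOBAL))
```

Because the Referer header is set by the client, this origin check narrows exposure rather than replacing the output encoding the section also mentions.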


SSL Communications Support

Communications between clients and the enPortal/AppBoard server can be secured using HTTPS (HTTP over SSL). This protects the communications streams as they pass through the public Internet. The Tomcat web server provides the HTTPS support, and the configuration rules to enable this are delivered with the stock configuration files.

The enPortal server can also communicate with external HTTPS web servers. This typically occurs within the web resource proxy (discussed below) and is dictated by the protocol field of the URL that the Proxy has been directed to retrieve.

Proxy Technology

A key component, and differentiator, of enPortal is its proxy technology. enPortal’s bi-directional proxy technology provides protected access to fully interactive applications over public and private networks. It works by allowing authorized enPortal users to access specifically identified back-end web applications and content. Of significant importance, enPortal’s web resource proxy does not require installation of additional software on the servers being proxied.

Figure 7a: Secure data access in enPortal

Figure 7b: Un-proxied data access in typical portal

The figures above illustrate two communications methods by which various portal systems interact with, and render, fully interactive applications to the user. The “enPortal” example (Figure 7a: Secure data access in enPortal) illustrates data flow between applications and client browsers through the enPortal web resource proxy technology. The “Typical Portal” example (Figure 7b: Un-proxied data access in typical portal) illustrates data flow between applications and client browsers within other portal frameworks.

Note that in a typical portal system, direct communication is required between the browser and the external application. In these systems, the login page, initial portal page, and wrapper-based pages are requested directly from the portal server. However, when the user begins interacting with an embedded application, the browser begins communicating directly with the external application.

The enPortal system, on the other hand, uses a web resource proxy approach to provide controlled access to fully interactive web applications. The web resource proxy approach allows the web browser to communicate entirely with the enPortal server for all interaction with the external web applications. Yet enPortal seamlessly handles all interaction as if the browser were communicating directly with the application. The enPortal solution provides a higher level of security, because end-users never directly connect to the back-end proxied servers.

Firewall Support

The enPortal web resource proxy provides users with a single access point - exactly one HTTP(S) port - to all integrated HTTP(S)-based applications. enPortal content retrieval allows all HTTP(S)-based content and applications to be accessed through a single socket connection within a network DMZ, network address translation (NAT), and firewall environment.

Referring again to Figures 7a and 7b, the enPortal solution (Figure 7a: Secure data access in enPortal) only requires a single firewall rule to allow access from the user’s browser to enPortal. The “typical portal” solution (Figure 7b: Un-proxied data access in typical portal) requires additional holes in the firewall between the user and each integrated application.

Protection of Private Networks and Application Assets

The protection and concealment of back-end applications and network assets are of

critical concern to organizations that must provide application access to users and

customers over a public network. enPortal allows multiple dynamic HTTP(S)-based

applications to be integrated into the enPortal framework, concealed, and pushed

through a DMZ environment for presentation to external users on a public network.

The web resource proxy does not allow clients to directly connect to these resources.

Additionally, external entities have no knowledge of applications’ addresses, port

numbers or operational networks. The enPortal proxy provides an additional layer of

protection between internal resources and external users.

User Management

A key component of any integration platform is managing the accounts and credentials

for users in each of the underlying systems. enPortal provides a suite of tools that

allow the administrator to either create and manage new users, or to leverage the

users and accounts that are already in place in your organization.

Single Sign-On

Out of the box, Single Sign-On is a feature of enPortal where all of a user's credentials

to multiple applications are securely stored by enPortal. This allows users to access and

display information from back-end applications without having to manually log in to

each of these applications. Once a user logs into enPortal, no other credentials are

required from that user. Using enPortal’s pre-built PIMs, this capability is provided

with no custom software development or modification to back-end applications.

Figure 8: Single Sign-On accesses all integrated applications with a single login

An additional benefit of enPortal’s Single Sign-On is that a single account for a back-end

application can be shared across an entire group of users if desired. This allows the

application administrator to configure access options for many users through a single

account and also limits the number of named user accounts that are needed in the

application. A Group membership attribute in LDAP can be leveraged for this purpose,

so that no special group configuration needs to be implemented by the enPortal

administrator.

The enPortal Single Sign-On feature supports the integration of various security and

authentication schemes presented by existing applications. This capability is

implemented through a component called the Login Proxy Service (LPS) that handles all

authentication interactions between the user and third-party services.

Because many applications have unique or proprietary mechanisms, web-based Single Sign-

On can be difficult for other portal solutions to standardize into a solution that fits in all

cases. Each single login implementation for an application is a unique integration with its

own distinct interface. However, while the method of presentation can vary, most

methods of authentication use the HTTP protocol to submit credentials and maintain

authentication. The powerful enPortal CRS engine allows Single Sign-On to be rapidly

configured for virtually any application.

Provisioning of Single Sign-On Tokens

If the integrated backend applications and enPortal are tied to a common external user

authentication system, SSO tokens can be configured to simply pass user credentials to the

backend applications. If a user enters his credentials and there is no matching SSO token

stored for that user and that backend application, the credentials are no longer valid and

the user will be re-prompted for their credentials.

Single Sign-Out

When a user logs out of enPortal, Single Sign-Out automatically logs the user out of all

integrated applications with open sessions. This provides additional security and

performance by limiting the number of open sessions. It also can lower costs and

eliminate lockouts by reducing the number of concurrent licenses that are needed for

the integrated applications.

Kerberos

enPortal currently supports Kerberos-controlled SSO access to proxied applications.

Kerberos authentication differs from basic HTTP, NTLM-based, and application (PIM)

specific authentication in that enPortal needs to communicate with both the proxied

web application and the Kerberos authentication server.

Kerberos also requires an additional configuration file that contains details about the

authentication domain and servers. The Kerberos Configuration page in the Edge

online documentation provides additional information. Edge does not currently

support Kerberos as the authentication mechanism to login to enPortal itself.

Authentication and Login Processing

enPortal provides a complete UI and embedded database for internally managing

domains, users, and roles. However, some organizations already have one or more

LDAP servers in place to manage this information. This enables the organization to

store all user information and credentials in one centralized location. In this case,

enPortal can simply map to the existing LDAP configuration and rely on LDAP for

externally managing this information. Typical LDAP repositories supported by enPortal

include Active Directory and OpenLDAP, but others are also supported.

Figure 9: Delegated user management with LDAP

enPortal provides a full toolset for mapping LDAP groups to enPortal roles, enforcing

password policies, and keeping user credentials in sync between the LDAP server and

enPortal.

External User Authentication

enPortal supports several common authentication tools that are already in use by many

customers. This allows enPortal to rapidly integrate with an existing login management

infrastructure.

CAC/PKI

Common Access Card (CAC) is a two-factor authentication mechanism used by certain

organizations, including the United States Department of Defense. This allows Single

Sign-On integration with the desktop authentication via a Client Certificate, a feature of

Public Key Infrastructure (PKI). Use of this module requires that the desktop operating

system and web browser are configured with the necessary hardware and middleware

to support the physical CAC token and associated protocols. This module can be

adapted to other single- and two-factor authentication mechanisms that present a

Client Certificate to web applications.

CA Single Sign-On (formerly CA SiteMinder)

To facilitate enPortal integration with CA Single Sign-On, CA’s Web Agent must be

installed at enPortal’s access point. A common implementation is to have an Apache

version of the Web Agent installed on an Apache HTTP Server which is then configured

as a reverse proxy to enPortal.

When a user accesses enPortal via the Apache server, the CA Web Agent will check to

see if the user has been authenticated for enPortal access. If not, it will forward the

request to the CA Single Sign-On instance which then prompts the user with the CA

login page. Once a user authenticates successfully through CA Single Sign-On, all the

subsequent enPortal access requests will be granted.

In this deployment scenario, enPortal is configured in Trusted Authentication mode so

there is no authentication required for enPortal’s login request. However, enPortal also

supports an on-demand, or “lazy load,” option to allow role assignment, in which case enPortal

will then communicate with the LDAP server with which CA Single Sign-On is also

communicating.

Figure 10: enPortal deployed with CA Single Sign-On

Customer Portal to enPortal Authentication Mapping

Similar to the CA Single Sign-On deployment described above, in this scenario there is

another portal already in place that provides a reverse proxy capability. The external

customer or end-user is required to access this other system first, which in turn picks up

a token that is sent in response to the initial request to enPortal. If enPortal does not

detect that the request has a valid session, it will look for the access token and then

respond back to that other system to:

a) Validate the token

b) Make a request for user information from the other portal

c) Check to see if the user exists and if not, perform on-demand user creation

d) Create the session
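
The a) to d) sequence above, as an added example that is not Edge's code: the `UpstreamPortal` back-channel interface, the status strings and the single-use, short-lived token are assumptions made for illustration.

```python
import secrets
import time


class UpstreamPortal:
    """Stand-in for the customer's existing portal (hypothetical back-channel API)."""

    def __init__(self, users):
        self._users = users      # username -> {"domain": ..., "roles": [...]}
        self._tokens = {}        # token -> (username, expires_at)

    def issue_token(self, username, now, ttl=60):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, now + ttl)
        return token

    def validate_token(self, token, now):
        # Assumption: tokens are single use, so a replayed token is rejected.
        username, expires_at = self._tokens.pop(token, (None, 0))
        return username if expires_at > now else None

    def user_info(self, username):
        return self._users.get(username)


class PortalAuthMapper:
    """Maps an upstream access token to a local user and session."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.users = {}          # local user store
        self.sessions = {}       # session id -> username

    def handle_request(self, session_id, token, now=None):
        now = time.time() if now is None else now
        # A request that already carries a valid session never consults the token.
        if session_id in self.sessions:
            return session_id, "existing-session"
        if not token:
            return None, "no-token"
        # a) Validate the token with the system that issued it.
        username = self.upstream.validate_token(token, now)
        if username is None:
            return None, "invalid-token"
        # b) Request the user's information from the other portal.
        info = self.upstream.user_info(username)
        if info is None:
            return None, "unknown-user"
        # c) Create the local user on demand if it does not exist yet.
        created = username not in self.users
        if created:
            self.users[username] = {"domain": info["domain"],
                                    "roles": list(info["roles"])}
        # d) Create the session with an unguessable identifier.
        new_id = secrets.token_urlsafe(32)
        self.sessions[new_id] = username
        return new_id, ("user-created" if created else "session-created")


if __name__ == "__main__":
    # Constructed sample data.
    portal = UpstreamPortal({"carol": {"domain": "acme", "roles": ["customer-view"]}})
    mapper = PortalAuthMapper(portal)
    tok = portal.issue_token("carol", now=100)
    print(mapper.handle_request(None, tok, now=110)[1])   # first use of the token
    print(mapper.handle_request(None, tok, now=111)[1])   # replay of the same token
```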

Two-factor Authentication Systems

Two-factor authentication (2FA) adds a second level of authentication to a basic login

procedure requiring that the user provide additional credentials in order to access

secured resources. Examples of 2FA include Google Authenticator, RSA SecurID tokens,

and CAC. enPortal provides the means to satisfy security requirements by providing a

single, secure access point to backend applications through enhanced authentication.

One possible scenario illustrating the integration of enPortal with 2FA is as follows:

An administrator has configured their system to require 'clientAuth', meaning that the

Secure Sockets Layer (SSL) connection requires a valid certificate chain from the client.

The enPortal server will send the chain to an Online Certificate Status Protocol (OCSP)

Responder to validate the certificate. It may also look up the user name information in

the certificate and additionally request a valid password. This password has typically

been validated against an LDAP server which in turn may perform an on-demand, or

“lazy load,” of the user and any role assignments before a valid session is created.

Web Access Management

Web Access Management (WAM) tools have become more commonly used in recent

years. These tools include CA Single Sign-On (formerly SiteMinder), Oracle Access

Manager, and Novell Access Manager. The WAM tool provides authentication

management, policy-based authorizations, and reporting services. By having the

capability to quickly integrate with these tools, enPortal allows an organization to

continue using these tools for authentication while implementing all of the integration

and proxying capabilities provided by enPortal.

Custom Authentication

The powerful enPortal CRS provides the capability and tools for quickly creating custom

authentication modules. This allows enPortal users to leverage Single Sign-On to

enable them to auto-login to any application, including custom home-built applications

with proprietary login mechanisms. Over the years, Edge has developed many of these

custom authentications for a variety of applications.

IP Address and Session Limiting

One of the validations that can be required before a session is established is to check

the user’s source network address and only allow certain roles to be accessed from

specified networks. The administrator is able to restrict the content available to that

role to only users who are assigned that role and who are accessing the system from

within a known and approved network.

enPortal provides for several session-based constraints including:

1. Limiting the number of simultaneous active sessions for a specific set of users

or Domains

2. Limiting initial sessions to a set time and/or defining the duration of extensions

when users are actively using the system

3. Determining what action to take if a user attempts to start a new session when

an existing session already exists: Block access, terminate previous sessions, or

prompt user to terminate the active session or cancel the login request

4. Displaying a security statement to be acknowledged prior to login
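
The source-network check and the four session constraints above, combined into one login gate, as an added example that is not Edge's code: the role names, networks, policy fields and status strings are constructed, and dropping roles that are not approved for the source network (instead of refusing the login outright) is an assumption.

```python
import ipaddress
import time
from dataclasses import dataclass

# Constructed policy: role -> networks from which that role may be used.
ROLE_NETWORKS = {
    "noc-admin": ["10.20.0.0/16", "2001:db8:10::/48"],
    "customer-view": ["0.0.0.0/0", "::/0"],
}
CONFLICT_MODES = {"block", "terminate_previous", "prompt"}


@dataclass
class SessionPolicy:
    max_sessions: int = 1        # simultaneous active sessions per user
    initial_ttl: int = 900       # seconds granted at login
    extension: int = 300         # seconds granted on each activity
    on_conflict: str = "block"   # one of CONFLICT_MODES
    require_ack: bool = True     # security statement must be acknowledged


@dataclass
class Session:
    user: str
    roles: list
    expires_at: float


class SessionManager:
    def __init__(self, policy, role_networks):
        if policy.on_conflict not in CONFLICT_MODES:
            raise ValueError("unknown conflict mode: " + policy.on_conflict)
        self.policy = policy
        self.nets = {role: [ipaddress.ip_network(n) for n in nets]
                     for role, nets in role_networks.items()}
        self.sessions = {}       # user -> list of Session

    def roles_for(self, roles, source_ip):
        """Keep only roles whose approved networks contain the source address."""
        addr = ipaddress.ip_address(source_ip)
        # A role with no configured network is denied by default.
        return [r for r in roles
                if any(addr in net for net in self.nets.get(r, []))]

    def login(self, user, roles, source_ip, now=None, ack=False, confirm=False):
        now = time.time() if now is None else now
        if self.policy.require_ack and not ack:
            return "ack_required", None
        granted = self.roles_for(roles, source_ip)
        if not granted:
            return "denied", None
        active = [s for s in self.sessions.get(user, []) if s.expires_at > now]
        self.sessions[user] = active            # drop expired sessions
        if len(active) >= self.policy.max_sessions:
            if self.policy.on_conflict == "block":
                return "blocked", None
            if self.policy.on_conflict == "prompt" and not confirm:
                return "prompt", None
            for old in active:                  # terminate previous sessions
                old.expires_at = 0.0
            active = []
        session = Session(user, granted, now + self.policy.initial_ttl)
        self.sessions[user] = active + [session]
        return "ok", session

    def touch(self, session, now=None):
        """Extend a live session on activity; False if expired or terminated."""
        now = time.time() if now is None else now
        if session.expires_at <= now:
            return False
        session.expires_at = max(session.expires_at,
                                 now + self.policy.extension)
        return True
```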

Branding and Customization

enPortal offers many features for uniquely branding the presentation of the Edge user

interface, along with HTML content from proxied applications, so the user has a

completely customized and unified experience.

Custom Login Page – The default enPortal login screen can be customized,

allowing for a variety of static or dynamic content to be displayed as users access

the system. Custom login screens can also provide links to relevant information

or resources. A service provider, for example, might include information on new

customer offerings.

Figure 11. Default login screen

Figure 12. Custom login screen

Look and Feel – By using the configuration tools in the enPortal administration

interface, the administrator can modify the enPortal Look and Feel (LAF), create

multiple versions of the LAF, and assign different LAFs on a per-domain or per-

role basis.

Content Views – When logging in to enPortal, the content presented to each

user is tailored to meet the needs of his business function. This is accomplished

by customizing the Views that are assigned to each role in the system. The

enPortal administration interface provides all of the tools for managing this

customization.

Security Policies – The administrator can also set custom security policies. This

locks down the content in the system and ensures that users can only access the

information to which they have security privileges. Read, write, and view

privileges can be restricted by user, role, or domain.

API – In addition to the customization options noted above which are available in

the standard UI, enPortal also provides an API to allow for additional

customization of the system at a programmatic level.

enPortal and AppBoard Deployment Models

enPortal and AppBoard solve different integration challenges for different

organizations. The following sections outline the typical models for how enPortal and

AppBoard can be deployed.

Deployment Model 1: For Internal Users

The first deployment option for enPortal is for internal use, such as in a Network

Operations Center. In this model, enPortal augments both the security and operational

efficiency of your organization (see Figure 13: enPortal/AppBoard internal deployment).

Figure 13: enPortal/AppBoard internal deployment

enPortal and AppBoard provide different application and data views to different teams,

such as Engineering, Management, or Executive. Each team is provided direct, secure

access to only the applications and data relevant to their function. This enables

enPortal and AppBoard to always provide the right picture to the right user.

For Government agencies, the advanced security features of enPortal enhance

applications to meet stringent security requirements that go beyond the existing

capabilities of those individual native applications.

Edge Technologies’ enPortal is the industry’s only COTS-based integration platform

focused specifically on network management application integration. The Internal

delivery model of enPortal enhances security and operational efficiency in many ways:

- Allowing organizations to provide secure access to interactive back-end applications

- Providing consolidated Single Sign-On

- Centrally coordinating interaction between applications – with little or no coding

- Improving user experience by providing a more unified look and feel for disparate existing applications

Deployment Model 2a: For External Users or Customers with Multi-Tenancy

The second deployment option is frequently used by Managed Service Providers to

generate revenue. These organizations service multiple external customers by allowing

their end-users to access enPortal and AppBoard via the Internet (see Figure 14:

enPortal/AppBoard deployment to multiple customers).

Figure 14: enPortal/AppBoard deployment to multiple customers

Each customer is segmented into their own “domain”, with customer access credentials

often managed by integration with an existing user repository, such as LDAP or a web

access management tool like CA SiteMinder. The concept of “multi-tenancy” is utilized,

in which multiple customers are accessing the same enPortal and AppBoard system, but

each user can only access the information and tools that they are authorized to see

within that domain. By locking down access to URLs and content, enPortal and

AppBoard can also impose multi-tenancy access controls on proxied applications and

data, even if the tools do not natively provide it. Each customer’s experience is also

uniquely branded by their marketing team to optimize the end-user experience.

This deployment model leverages enPortal and AppBoard’s core features - Single

Sign-On, PIMs, re-branding, security, tailored data access and content manipulation

(see Core Features and Capabilities) - to provide only the appropriate content to each

customer and to each individual in that customer’s user base.

The integration capabilities of enPortal can also provide web access to legacy thick-

client applications that would not otherwise be web accessible.

Deployment Model 2b: In Your Existing External Portal

For many successful organizations, a portal strategy serves as the foundation for

integration. As such, the concept of a portal is maturing rapidly. The original concept of

a portal addressed the need to publish information to users via a web page. Companies

today, however, need a portal that provides more than just static displays of back-end

applications and information. They need a tool that can rapidly integrate applications

and data into their existing portal infrastructure.

Companies with existing external-facing portals already in place can leverage enPortal’s

proxy technology and AppBoard’s data integration capabilities to increase the value of

their existing portal. enPortal and AppBoard reach well beyond the capabilities of

existing portal solutions that focus primarily on document management, indexed

searches, and static displays of data. enPortal and AppBoard provide true integration by

combining COTS-based PIMs for integration of vendor-specific tools and their data.

Working with your existing portal, enPortal and AppBoard can rapidly integrate new

applications into the portal framework (see Figure 15: enPortal/AppBoard deployment

inside an existing portal).

Figure 15: enPortal/AppBoard deployment inside an existing portal

As seen in the above illustration, enPortal and AppBoard increase the value of the

existing customer portal by integrating additional applications and their data. The

enPortal proxy integrates applications as portlets into the existing portal container.

enPortal and AppBoard can run in parallel to the existing portal, immediately providing

value without requiring a full replacement of the existing portal.

In addition to integrating applications, portlets can also integrate individual enPortal

tools into a portal. This can provide enPortal features to administrative users beyond

what may be supported by the existing customer portal. Examples include user/role

management, LDAP integration, Single Sign-On, and dashboard visualizations.

Customer Example

A large telecommunications company used an in-house portal to deliver access to their

customers, over the Internet, to a suite of tools for managing their voice, data, and IP

services. The company had requirements for additional features that were not

provided by their existing portal.

The company added enPortal and AppBoard to the existing portal platform to provide

Single Sign-On capability, data visualization, application link provisioning, system

administration capabilities, and enhanced security.

Architecture

The enPortal and AppBoard systems run as a web application inside an Apache Tomcat

server, and access a JDBC-compliant database (or database cluster). The system is

designed with flexible deployment options, to meet the varying needs of an

organization. The following sections detail these available options.

Design Architecture

The enPortal and AppBoard products are built upon a standards-based, XML-driven

application. They have been developed with Java technologies to provide unparalleled

flexibility, scalability, application and content protection, application interaction, and

complete platform independence. Both are deployed in a self-contained Tomcat web

application with an embedded H2 database.

In a multi-tier deployment architecture, the first tier is typically one or more customer-

provided hardware load-balancers and/or SSL accelerators. These front-end load-

balancers pass incoming requests to one or more enPortal servers on tier two, running

as Java web applications executing under the Tomcat web/application server (referred

to as the Servlet/JSP engine). The configuration database is then resident on tier three,

and will often be a redundant database cluster to provide load-balancing and high

availability.

All components support maximum platform independence (UNIX or Windows),

scalability, and overall system performance.

Scalability, Clustering, and Failover

The enPortal and AppBoard system is implemented as a web application. The web

application server can scale horizontally by replication on additional servers/platforms.

Redundant nodes can also be implemented to provide fault tolerance, allowing users to

be redirected to alternate servers in the event of an outage.

The scalability of the solution is related to the number of page views per second. The

scalability of proxied web integrations can be variable and dependent on the

complexity of the specific integrations used.

Basic Deployment

A single enPortal/AppBoard server may be sufficient for handling the requirements of

smaller deployments (see Figure 16: Basic enPortal deployment).

Figure 16: Basic enPortal/AppBoard deployment

High Availability (Failover)

Many organizations require that enPortal and AppBoard have limited downtime

over the lifetime of the deployment. In this case, failover can be implemented by

configuring redundant enPortal servers. If there is an outage on the primary server,

enPortal/AppBoard can continue to provide uninterrupted service by switching to the

backup server until the primary server is repaired (see Figure 17: Failover deployment

for High Availability).

Figure 17: Failover deployment for High Availability

Optimized Performance with Failover (Clustering)

Some organizations further require a platform where many users can access the system

concurrently without impacting the performance of the application. In this case,

clustering of enPortal/AppBoard servers can be implemented to route user sessions to

servers with the smallest load or network traffic (see Figure 18: Clustered deployment

for optimal performance).

Figure 18: Clustered deployment for optimal performance

Running in Modern Environments

The Edge solution’s Java and Tomcat infrastructure allows it to be platform independent and

run on any operating system that supports the Java Development Kit (JDK v1.6+). The

enPortal/AppBoard views can be accessed by any supported web browser, including

Internet Explorer, Firefox, or Google Chrome.

The solution’s flexible configuration options also enable it to co-exist with other software

applications on the same server. Co-locating enPortal and AppBoard on an existing

application server can reduce deployment cost and network latency.

Since their initial release, enPortal and AppBoard have shown the flexibility to run in a

variety of customer environments. Some of these are noted in the following sections.

Virtualized Networks (VMware)

enPortal and AppBoard fully support running on a virtualized server, or in a virtualized

network. enPortal and AppBoard can also be configured to auto-start so that they will

automatically come back online when a server is re-started. The license will run on any

server that can resolve to a static hostname or IP address.

IPv6 Network

enPortal and AppBoard can run on an IPv4 network, IPv6 network, or dual-stack

network that requires simultaneous support for both protocols.

Through an Existing Proxy Server

enPortal contains special configuration options for applications that are not directly

accessible and can only be accessed through a separate proxy server. The details for

both the proxy server and back-end application are stored and managed by the

enPortal proxy.

Remote Application Delivery

Several options are available for integrating enPortal with Oracle Secure Global Desktop

(SGD) or similar Remote Application Delivery technologies (e.g. Citrix, Ericom

AccessNow, Resource Dynamics Go-Global). There are different architectures that can

work with enPortal and its proxy, but there are some differences in what may be

supported in each.

Oracle SGD software provides remote access to published applications and published

desktops from a variety of client platforms and devices. The software web-enables

legacy applications and, when used along with enPortal, provides for the delivery of

those applications side-by-side with typical web-based apps.

The enPortal PIM for Oracle SGD lets you deliver the published application or

desktop in a portal channel. This allows applications that do not natively provide a web-

based interface to be accessed through enPortal. enPortal aggregates application

views, enforces security policies, and presents the application interface. The user’s web

browser client communicates directly and exclusively with enPortal. enPortal proxies

the communication between the web client and the back-end application through the

Oracle SGD server.

Security and performance are top priorities with any web-enablement solution. The

Oracle SGD PIM enforces strict user authentication and controlled role-based access to

specific content as well as the ability to restrict content delivery to defined IP

addresses. The solution tracks all sessions and creates a detailed audit trail for each

session. The Oracle SGD PIM also provides bandwidth management end-to-end with no

change to existing firewalls.

enPortal and AppBoard Component Architecture

The primary functions of enPortal are contained within six system components:

- Request Engine

- Business Logic Engine

- Integration Engine

- Data Source Engine

- Web Resource Proxy and Content Filtering

- Object Database

Request Engine

The Request Engine serves all requests coming from a user via a web browser.

In fact, all external communications with an enPortal/AppBoard system are requested

through the Request Engine. The Request Engine’s primary responsibilities are to

translate HTTP(S) requests into object requests and to dynamically translate the

application-specific results into HTML for transmission to the client web browser.

The Request Engine executes within a Servlet/JSP engine; Java Servlets and JSPs are the

primary components of the Request Engine. The Request Engine also provides an extra

level of access security by verifying that the user is logged in to the system before

accepting and servicing the request.

Business Logic Engine

The Business Logic Engine is responsible for the overall business logic of the system’s

security, and the storage of system objects. These responsibilities pertain to users,

roles, domains, virtual directory access, and content management.

Business Logic manages and stores system objects to a chosen object

repository/database. The Business Logic Engine runs on the same process (Tomcat as

the JSP/Servlet Engine) as the Request Engine.

Integration Engine

The Integration Engine allows new content to be created and integrated into a system

at runtime. The Integration Engine consists of a Channel classification model and a set

of Request Handlers that are implemented as Java Servlets or JSPs. Request Handlers

are the public web interfaces into enPortal Channels that service the Channel requests

being made from web browser clients. The Integration Engine provides an external

interface through the Portal Request Engine that allows HTTP(S) requests to be sent to

any plugged-in visual Channel.

Upon receipt of a request to render a content Channel, the Integration Engine retrieves

the specified Channel (if security allows it) from the enPortal server and calls the

specified Request Handler to render the Channel content.
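
The request path described in the Request Engine and Integration Engine sections, as an added sketch in Python rather than enPortal's own Java code: the login check runs first, the Channel lookup is then gated by role, and only after both does the handler render content. The `/channel/` URL layout, the `Portal` and `Channel` classes, and the sample sessions and roles are assumptions made for illustration.

```python
import html
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

@dataclass
class Channel:
    allowed_roles: Set[str]
    handler: Callable[[dict], str]   # stands in for a Request Handler (Servlet/JSP)

@dataclass
class Portal:
    sessions: Dict[str, Set[str]] = field(default_factory=dict)   # session id -> roles
    channels: Dict[str, Channel] = field(default_factory=dict)    # channel name -> Channel

    def handle(self, path: str, session_id: Optional[str], params: dict) -> Tuple[int, str]:
        # Request Engine: refuse to service anything without a logged-in session.
        roles = self.sessions.get(session_id) if session_id else None
        if roles is None:
            return 401, "login required"
        # Request Engine: translate the URL into an object request (a Channel name).
        if not path.startswith("/channel/"):
            return 404, "not found"
        channel = self.channels.get(path[len("/channel/"):])
        # Integration Engine: retrieve the Channel only if security allows it.
        # Unknown and forbidden names get the same answer, so names cannot be probed.
        if channel is None or not (roles & channel.allowed_roles):
            return 403, "forbidden"
        # Only now is the Request Handler called to render the Channel content.
        return 200, channel.handler(params)

def alarms_handler(params: dict) -> str:
    # Escape request data before it is placed into the rendered HTML.
    return "<h1>Alarms: " + html.escape(params.get("site", "all")) + "</h1>"

def demo_portal() -> Portal:
    # Constructed sessions, roles and channel; none of these come from the product.
    return Portal(
        sessions={"s-ops": {"noc"}, "s-guest": {"guest"}},
        channels={"alarms": Channel({"noc"}, alarms_handler)},
    )
```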

Data Source Engine

The Data Source Engine provides a mechanism for data retrieval, common record

formatting, enrichment/transformation and delivery to the AppBoard client. The Data

Source Engine consists of a data model and management framework that is

implemented in Java. New data source adapters can be incorporated into the Data

Source Engine using either a Java SDK or a scripting/command line interface. The Data

Source Engine employs a data caching mechanism to minimize unnecessary requests

against relatively static data sources.

Upon receipt of a request for data, the Data Source Engine retrieves, normalizes,

transforms and then delivers the requested data to the AppBoard client UI.

Web Application Proxy and Content Filtering

The web application proxy and content filtering function facilitates the delivery of and

interaction with existing HTTP(S)-based content. It is responsible for applying Single

Sign-On rules to the retrieval of external HTTP(S) requests, and for manipulating the

resulting data streams being returned from an integrated application for control and

data customization. The HTTP(S) stream manipulation support within enPortal is both

extensive and configurable and is available as a Proxy Channel. A potential example of

the use of this function is the removal of an image from an HTML stream as enPortal

delivers the HTTP(S) stream to the browser client.
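
An added example (not enPortal code or configuration) of the kind of stream manipulation described above: a filter that removes `<img>` tags pointing at blocked hosts from a proxied HTML response and corrects `Content-Length` for the rewritten body. The class and function names, the host-based rule and the UTF-8 assumption are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ImageStripper(HTMLParser):
    """Re-emit HTML as received, minus <img> tags that load from blocked hosts."""
    def __init__(self, blocked_hosts):
        super().__init__(convert_charrefs=False)   # keep entities as sent
        self.blocked = {h.lower() for h in blocked_hosts}
        self.out = []

    def _is_blocked(self, tag, attrs):
        if tag != "img":
            return False
        try:
            return urlsplit(dict(attrs).get("src") or "").hostname in self.blocked
        except ValueError:                         # unparsable URL: do not pass it on
            return True

    def handle_starttag(self, tag, attrs):
        if not self._is_blocked(tag, attrs):
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):      # self-closing form, <img ... />
        self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):                  # tag name arrives lower-cased
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

def filter_response(headers, body, blocked_hosts):
    """Return (headers, body) for the browser; assumes the HTML is UTF-8."""
    if not headers.get("Content-Type", "").lower().startswith("text/html"):
        return dict(headers), body                 # non-HTML passes through untouched
    parser = ImageStripper(blocked_hosts)
    parser.feed(body.decode("utf-8", errors="replace"))
    parser.close()
    new_body = "".join(parser.out).encode("utf-8")
    return {**headers, "Content-Length": str(len(new_body))}, new_body

# Constructed sample body, not captured from any real application.
SAMPLE = b'<!DOCTYPE html><p>A &amp; B</p><img src="http://tracker.example/p.gif"><img src="/logo.png">'
```

Because the rewritten body is shorter than the original, a proxy that forwards the upstream `Content-Length` unchanged would leave the browser waiting for bytes that never arrive.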

Object Database

The Object Database is a JDBC-compliant RDBMS, and enPortal/AppBoard supports

numerous databases, including Microsoft SQL Server, MySQL, and Oracle.

enPortal/AppBoard ships with an embedded H2 database. The database handles

mapping between the object-based data model used within enPortal/AppBoard and the

relational database model that stores the actual content.

AppBoard Client Component Architecture

AppBoard features a web client consisting of a Viewer mode for normal (read only) use

and a Builder mode for administrators to configure AppBoard content. There are also

mobile apps (Viewer mode) for both the iOS and Android platforms.

The AppBoard Builder has three major components:

Data Sources

Data Collections

Visualization (Widgets, Stacks & Boards)

Data Source

Good data visualization requires good data. This data can be stored in a variety of

different locations and formats, which can lead to problems when trying to create

holistic summary views. AppBoard has a dedicated Data Source mode that allows for

access to all this information, regardless of where it is or what format it is in.

AppBoard provides powerful data manipulation tools to optimize data so that it can be

effectively visualized:

Ability to Group, Pivot, and Sort information both on the client and at the server

"Server Side Filters" to optimize large data sets before bringing them into memory on the client

"Client Side Filters" to take advantage of information that's already available in client memory

Caching and Polling settings to optimize the performance of refreshing data

Data Collections

Any data that is pulled into AppBoard gets placed into a Data Collection. This

information is stored in memory on the client, so it is rapidly available to any Widget or

Board that has appropriate permissions. Like Data Sources, AppBoard has a dedicated

mode for managing Data Collections. The Data Collections Wizard provides control over

how much information is brought into memory via Server Side Filters, but the data

already in memory can also be manipulated via Client Side Filters.

Data Collections are the foundational block that all AppBoard visualizations are based

upon.

Widgets

Data visualization inside AppBoard is done by associating a Data Collection with a

Widget. AppBoard contains a number of Widgets, and every Widget requires a Data

Collection.

In addition to visualizing data, Widgets can have defined Actions. For example, the

contents of one Widget can be contextually filtered based on a selection in another, or

a Widget can be configured to drill down into a child board that shows details based on

an item selected in the parent. The key is knowing that clicking on a Widget is actually

clicking on the piece of data that's being represented by the Widget. Actions allow for

the use of this piece of data as context to alter Client or Server Side Filters for any Data

Collection inside AppBoard. This flexibility allows for extremely powerful interactions.

Stacks and Boards

In AppBoard, Widgets are placed on Boards. A collection of Boards is called a Stack.

Each Stack has a corresponding tab in the banner area of the builder which lets the user

navigate to that Stack. Stacks are an important concept because user permissions are

provisioned at the Stack level.

About Edge Technologies, Inc.

Edge Technologies is an innovative and proven software company specializing in the

Access, Integration, Visualization, and Understanding of information. Edge products

and services facilitate faster, more complete data integration; user-centric, customized

visualizations; easy, secure information sharing; and enhanced operational awareness

across a diverse set of information stakeholders.

Edge has been delivering leading-edge solutions in many of the world’s most

sophisticated network, intelligence, operational and logistics environments since 1993.

Recognized for the ability to identify, adopt and deploy emerging technology platforms,

Edge’s industry-leading products have proven to be groundbreaking solutions that

stand the test of time.

Edge’s technological expertise in developing lasting innovation is fortified by the

company’s value-focused customer and partner relationships. Recognized for

meticulous software engineering and a high-touch customer service approach, Edge’s

success is built on innovative technology driven by experienced, customer-focused

personnel.

The Edge Agile Development Methodology first identifies customer challenges, then

applies design expertise and innovation to create better solutions, and backs it all with the

people and technology to ensure the solutions work in the real world and for the long

haul.

Unlike competitive offerings, Edge’s products are designed with both the development

staff and the executive team in mind. Edge software toolkits do the heavy lifting to

streamline internal development efforts, accelerate time to market, and empower staff

to focus on situational and operational objectives. What’s more, Edge’s advanced

software architecture enables its products to easily scale to handle hundreds of

concurrent users.

Edge empowers businesses and government agencies to fulfill the potential of their

network and business systems management assets to make better decisions faster.

Appendix A: enPortal Product Integrations

Edge provides pre-built integrations for products from these vendors:

AirTight Networks

Alcatel-Lucent

Apica

AppDynamics

AppNeta

Arbor Networks

Axios Systems

BMC Software

CA Technologies

Cisco Networks

Citrix

Compuware

Cuculus

EIQ

EMC

eMite

Entuity

Fluke Networks

Fortinet

HP

IBM

IneoQuest

Infoblox

InfoVista

Interactive Intelligence

Ipanema Technologies

Koverse

LiveAction

ManageEngine

McAfee

Monolith Software

MYCOM OSI

Nagios

NetBoss

NetWitness

Oracle

Plixer

Resilient Systems

Riverbed

SAP

ScienceLogic

ServiceNow

SevOne

SolarWinds

Splunk

Tableau

Talisma

Tektronix

Viador

Visionael

VMware

Websense

xMatters

Zenoss

The above list continues to expand as Edge generates PIMs for new applications. The

complete list of PIMs can be found on the Edge Documentation site.