Relay Server architecture

A Relay Server deployment consists of the following:

Mobile devices running client applications and services that need to communicate with back-end servers running in a corporate LAN.
Optional load balancer to direct requests from the mobile devices to a group of Relay Servers.
One or more Relay Servers running in the corporate DMZ.
At least one back-end server running in a corporate LAN that is responsible for servicing client requests. The following back-end servers are supported for use with the Relay Server:
- Afaria
- Mobile Office
- MobiLink
- SQL Anywhere
- Unwired Server,
- Sybase Unwired Platform
Note

Relay Server is tested with specific back-end servers and clients that communicate using well-defined HTTP requests and responses. Deployments that use custom HTTP traffic, including using SQL Anywhere as a Web server, must thoroughly test the traffic to ensure that it works with the Relay Server.

Refer to your license agreement or the SQL Anywhere Components by Platforms page for information about which back-end servers are supported. See http://www.sybase.com/detail?id=1061806 .
There is usually only one, but there may be several, Relay Server Outbound Enablers (RSOE) per back-end server. The Outbound Enabler manages all communication between a back-end server and the Relay Server farm.

The following diagram shows the Relay Server architecture with a single Relay Server.

Relay Server architecture diagram with a single Relay Server.

Note

Refer to your license agreement or the SQL Anywhere Components by Platforms page for information about which back-end servers are supported. See [external link] http://www.sybase.com/detail?id=1061806 .

The following diagram shows the Relay Server architecture for a more complex system with a Relay Server farm and a back-end server farm.

Relay Server architecture diagram showing multiple Relay Servers and multiple back-end servers.

Note

The Relay Server consists of a set of web extensions, a background process for maintaining state information, and a web server.

Because the Relay Server is a web extension running in a web server, all communication is performed using HTTP or HTTPS. Using HTTP easily integrates with existing corporate firewall configurations and policies. The Relay Server requires that the connection from the corporate LAN to the Relay Server be initiated from inside the corporate LAN. This provides a more secure deployment environment because it does not require inbound connections from the DMZ into the corporate LAN.

The Relay Server contains two web extensions: a client extension and a server extension. The client extension handles client requests made from applications running on mobile devices. The server extension handles requests made by the Outbound Enabler on behalf of a back-end server.

Shared Memory and Security

The Relay Server uses shared memory to transfer HTTP requests and responses between the client and server plug-ins. Secure deployments use HTTPS between the client and the Relay Server, and between the Outbound Enabler and the Relay Server. In this scenario, the Web Server decrypts the HTTPS into HTTP, then the Relay Server re-encrypts the HTTP on its way to the Outbound Enabler. The brief interval during which the data is unencrypted in the Relay Server is sometimes called the Wireless Application Protocol gap or WAP Gap.

There are two ways to secure this data from rogue processes on the same computer. The primary approach is to use clients and back-end servers supporting end-to-end encryption. Most MobiLink clients support end-to-end-encryption. The second approach, which is minimally recommended for all Relay Servers, is to harden the Web server and operating system (OS) for deployment to the DMZ using the standard techniques documented for each supported Web server and OS. This hardening should include steps to reduce the number of OS accounts on the Web server computer. Ideally, the hardening also restricts the computer/VM to only run the Relay Server and the Web server -- nothing else. The goal is to minimize the number of processes on the computer to a bare minimum, while hardening to prevent rogue agents from adding rogue programs.

The Relay Server farm
Relay Server security

Discuss this page in DocCommentXchange.