BizTalk Server uses the SOAP adapter to publish (receive) and consume (send) Web services. For more information about the SOAP adapter, see SOAP Adapter. For more information about Web services, see Using Web Services in BizTalk Server. We recommend that you follow these guidelines for securing and deploying the SOAP adapter in your environment.
- For security recommendations for publishing Web services, see Enabling Web Services.
- The SOAP adapter uses the Hypertext Transfer Protocol (HTTP) to send messages from and receive messages into BizTalk Server. Therefore, you must also follow the security recommendations for securing Internet Information Services (IIS). If you use IIS 6.0, follow the IIS 6.0 recommendations for configuring application isolation. For more information, see the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=25222. If you use IIS 5.0 or 5.1, follow the recommendations for securing IIS 5.0. For more information, see the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=24776.
- When you create an application pool for a SOAP receive location, you must configure it to run under an account that is a member of both the Windows group for the isolated host running the SOAP receive adapter and the Internet Information Services Worker Process group (IIS_WPG). You must then configure the host instance for the SOAP receive adapter to use this same account. If you later change the account in the IIS_WPG group, you must also update the host instance to run under the new account.
- When you use SSL client certificates with the SOAP send adapter, you must manually configure these certificates. For more information about configuring the SSL client certificates, see Configuring a SOAP Send Port by Using BizTalk Explorer.
- When consuming Web services, you can use Anonymous, Basic, Digest, Windows Integrated, or client certificate authentication. When consuming Web services by using Basic authentication, we recommend that you use Secure Sockets Layer (SSL) so that an unauthorized person cannot read the user credentials from the message.
- You can use Enterprise Single Sign-On (SSO) in scenarios where you need to map the content of the front-end user to credentials in a back-end system. For more information, see Enterprise Single Sign-On Scenarios.
- When you use Basic authentication, or when you do not use encryption at the message level, we recommend that you use Secure Sockets Layer (SSL) for both receiving and sending messages so that an unauthorized person cannot sniff the user credentials.
- We recommend that you use Windows Integrated authentication for both sending and receiving messages.
- The computer running the SOAP adapter also hosts the BizTalk Server runtime. We recommend that you do not put the SOAP adapter in the perimeter network. If you do, you have to open ports from the perimeter network to the data domain for SQL Server traffic to the MessageBox database, and you expose the BizTalk runtime to potential attacks. Instead, configure the SOAP adapter in the processing domain (that is, not in the perimeter network), and configure the outermost firewall (FW4) to forward SOAP requests through the firewall of the processing domain (FW3). This mechanism is called a reverse proxy (the ISA Server implementation is called Web Publishing).
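The application pool item above ties three settings together: the pool identity, the isolated host instance account, and membership in the IIS_WPG and isolated host groups. The following PowerShell script is an added example (not code from the BizTalk documentation) that cross-checks those three on an IIS 6.0 server. It assumes the IIS 6.0 WMI provider (root\MicrosoftIISv2) and the BizTalk WMI provider (root\MicrosoftBizTalkServer) are present; the pool name and host name are placeholders, and the group name is the default that BizTalk setup creates.

```powershell
# Added example: cross-check the application pool identity for a SOAP receive location
# against the BizTalk isolated host instance account and the required Windows groups.
# Assumptions: IIS 6.0 with its WMI provider (root\MicrosoftIISv2), the BizTalk WMI
# provider (root\MicrosoftBizTalkServer), placeholder pool and host names.
param(
    [string]$AppPoolName       = 'SoapReceiveAppPool',         # placeholder
    [string]$IsolatedHostName  = 'BizTalkServerIsolatedHost',  # placeholder
    [string]$IsolatedHostGroup = 'BizTalk Isolated Host Users' # default group created by BizTalk setup
)

# Strip the DOMAIN\ prefix so that accounts can be compared by user name.
function Get-AccountName([string]$Account) {
    if ($Account -match '\\') { return $Account.Split('\')[-1] }
    return $Account
}

# Enumerate members of a local group through ADSI (returns bare account names).
function Get-LocalGroupMemberNames([string]$GroupName) {
    $group = [ADSI]"WinNT://./$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
}

$findings = @()

# 1. Application pool identity, read from the IIS 6.0 metabase via WMI.
$pool = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting `
    -Filter "Name='W3SVC/AppPools/$AppPoolName'"
if ($pool -eq $null) { throw "Application pool '$AppPoolName' not found." }
# AppPoolIdentityType 3 = a specific (configurable) account; 0-2 are the built-in identities.
if ($pool.AppPoolIdentityType -ne 3) {
    $findings += "Pool '$AppPoolName' runs as a built-in identity (type $($pool.AppPoolIdentityType)), not a dedicated account."
}
$poolUser = Get-AccountName $pool.WAMUserName

# 2. Isolated host instance account on this computer, from the BizTalk WMI provider.
$hostInstance = Get-WmiObject -Namespace 'root\MicrosoftBizTalkServer' -Class MSBTS_HostInstance `
    -Filter "HostName='$IsolatedHostName' AND RunningServer='$env:COMPUTERNAME'"
if ($hostInstance -eq $null) { throw "Host instance for '$IsolatedHostName' not found on this computer." }
$hostUser = Get-AccountName $hostInstance.Logon
if ($hostUser -ne $poolUser) {
    $findings += "Pool identity '$poolUser' differs from host instance account '$hostUser'; update the host instance after changing the pool account."
}

# 3. Group membership: the account must be in both IIS_WPG and the isolated host group.
foreach ($groupName in @('IIS_WPG', $IsolatedHostGroup)) {
    $members = @(Get-LocalGroupMemberNames $groupName)
    if ($members -notcontains $poolUser) {
        $findings += "Account '$poolUser' is not a member of local group '$groupName'."
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: '$AppPoolName' and host '$IsolatedHostName' both run as '$poolUser', which is in IIS_WPG and '$IsolatedHostGroup'."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it on each BizTalk server that hosts SOAP receive locations. In a multi-server installation the isolated host group is usually a domain group rather than a local one, so pass its name with `-IsolatedHostGroup` and query it through your directory instead of the local ADSI path used here.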
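The authentication items above amount to one rule for the send side: Basic credentials (or an unencrypted message body) must not leave the box over plain HTTP, and Anonymous leaves the back end unable to identify BizTalk at all. The following PowerShell script is an added example (not code from the BizTalk documentation) that walks the SOAP send ports through the ExplorerOM API and reports the ones that break that rule. It assumes Microsoft.BizTalk.ExplorerOM is installed with BizTalk Server, uses a placeholder management database connection string, and assumes the SOAP adapter keeps its scheme in an `AuthenticationScheme` element of the transport properties, as seen in exported binding files; verify the element name against your own export.

```powershell
# Added example: audit SOAP send ports whose credentials would travel over plain HTTP.
# Assumptions: Microsoft.BizTalk.ExplorerOM installed with BizTalk Server; placeholder
# connection string; the SOAP transport properties carry <AuthenticationScheme>
# (taken from exported binding files; verify against your own export).
param(
    [string]$ConnectionString = 'SERVER=.;DATABASE=BizTalkMgmtDb;Integrated Security=SSPI'  # placeholder
)

[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.BizTalk.ExplorerOM') | Out-Null

# Classify one send port transport. Returns $null when the configuration is acceptable.
function Test-SoapSendTransport([string]$Address, [string]$Scheme) {
    $isHttps = $Address -match '^https://'
    switch -Regex ($Scheme) {
        '^Basic$'     { if (-not $isHttps) { return 'Basic credentials sent without SSL' } }
        '^Anonymous$' { return 'Anonymous: the back-end service cannot identify BizTalk' }
        default       { if (-not $isHttps) { return "Scheme '$Scheme' without SSL (message body is in the clear)" } }
    }
    return $null
}

$catalog = New-Object Microsoft.BizTalk.ExplorerOM.BtsCatalogExplorer
$catalog.ConnectionString = $ConnectionString

foreach ($sendPort in $catalog.SendPorts) {
    $transport = $sendPort.PrimaryTransport
    # Dynamic send ports have no static transport; skip them and non-SOAP adapters.
    if ($transport -eq $null -or $transport.TransportType -eq $null) { continue }
    if ($transport.TransportType.Name -ne 'SOAP') { continue }

    [xml]$props = $transport.TransportTypeData
    $node = $props.SelectSingleNode('/CustomProps/AuthenticationScheme')
    $scheme = if ($node -ne $null -and $node.InnerText) { $node.InnerText } else { 'Anonymous' }

    $verdict = Test-SoapSendTransport -Address $transport.Address -Scheme $scheme
    if ($verdict -ne $null) {
        Write-Output ("FINDING {0}: {1} [{2}] -> {3}" -f $sendPort.Name, $transport.Address, $scheme, $verdict)
    }
}
```

ExplorerOM is a 32-bit assembly, so run the script from the 32-bit PowerShell host. The receive side is not covered here because SOAP receive locations take their authentication and SSL settings from the IIS virtual directory, which is checked in IIS rather than in the BizTalk configuration.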
See Also
Ports for the Receive and Send Servers
Minimum Security User Rights
Security Recommendations for BizTalk Server Components