Automating EMSS Security and Access from the Internet
Presented by: Amy Cordell
September 29, 2009
About Truman Medical Center
• Two-hospital, not-for-profit system located in the Kansas City metro area
• Primary teaching hospital for the University of Missouri-Kansas City schools
• Specializes in asthma, bariatrics, diabetes, women’s health, and trauma services
• Downtown location is the largest provider of outpatient care in Kansas City
• Busiest adult emergency room in the city, with more than 60,000 visits per year
Objectives
• Binding to Active Directory
• Automating adding / deleting users in EMSS
• Access to EMSS from the Internet
Advantages of Binding to Active Directory
• Eliminates another user name and password
• No separate administration for the Lawson app
• If the AD account is terminated / inactivated, so is access to the Lawson application
• Identifies whether duplicate AD accounts are being used
• The AD account was added as a user field in Lawson on HR11, and a daily import runs to add this information for use in Lawson Security
Disadvantages of Binding to AD
• Unable to log in as other users to test production issues in test
• Must delete and reload the user if the AD account is changed (name change, middle initial added)
Adding Users in Lawson Security
• The automation process will depend on the organization’s tools
• Process Flow Integrator (PFI) is the most efficient tool to accomplish automation
• A Perl script in combination with MS Add-ins or another query tool may be used if the organization doesn’t own Process Flow Integrator
  • Doesn’t fully automate the process
  • Limits the amount of data entry
  • More streamlined than adding the account through the security application
Process Flow Integrator (PFI) to Add Users
• Add users by hire date or employee ID
• Query for employees with input data of hire date or employee ID
• RM action is to add
• Message Builder to capture output from each record for adding by hire date
• Write to File for review
Input Data
• When the process flow is run, enter either the employee ID or the hire date
• The hire date used must not return a large number of records or the process flow will fail. If the user is an older hire, it is best to add by the employee ID
Deleting Users with PFI
• Similar process to adding users
• Query for employees with a termination date in a specified range
• RM action is to delete
• Message Builder to capture output from each record
• Write to File for review
Access to EMSS from the Internet
• Internal DNS name created for ME.TMCMED.org
  • This DNS entry points back to the Lawson server and is set up on the server in the configs for the application as ME.TMCMED.org
  • The SSL certificate for ME.TMCMED.org is bound here
• External DNS name created for ME.TMCMED.org
  • This DNS entry points to the publicly available address for TMC
  • That address terminates on our external firewall and is translated back to the DMZ, where we have Microsoft ISA (Internet Security and Acceleration) Server
  • Intrusion detection and additional network security are applied before the ISA server receives traffic.
ISA Server
• ISA Server securely publishes the content from that point
• In addition, intrusion detection and IP protection occur here as well
• All HTTP and HTTPS requests that do not match the paths or other security stated below are redirected to https://me.tmcmed.org/lawson/portal
• The SSL certificate for ME.TMCMED.org is bound here
• ISA Server inspects traffic and forwards it to the internal server, the Lawson production server
ISA Server
• Authentication #1
Access to the Lawson Server
• The only allowed paths are:
  • /ssoconfig
  • /sso
  • /sites/hr
  • /servlet
  • /sePlugins
  • /Lawson
  • /cgi-lawson
• This limits access to only the required paths on the Lawson server
• If a subdirectory is included, access to other subdirectories under the same parent directory is not allowed
Network Security Precautions
• All incidental HTTP (unsecure) traffic is redirected to SSL port 443
• Only authenticated domain users are allowed to connect through the rule
• Customized forms were created to allow for authentication to the domain
• Once authenticated, access to the Lawson prod server can occur
• Delegation was not possible due to the configuration of the Lawson application
• Access to the Lawson production server is through another web form on that server
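As an added illustration (not part of the original slides, and not Microsoft ISA Server's actual rule engine), the model below shows how the publishing rule's decisions from the three preceding slides fit together: plain HTTP is bounced to SSL, unauthenticated callers are refused, and only whole-segment matches on the listed paths are forwarded to the Lawson server, with everything else landing on the portal URL. The order of the checks, the path normalization step, and the function names are assumptions; the paths and URLs are the ones on the slides.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Allowed path prefixes exactly as listed on the "Access to the Lawson Server" slide
ALLOWED_PREFIXES = ("/ssoconfig", "/sso", "/sites/hr", "/servlet",
                    "/sePlugins", "/Lawson", "/cgi-lawson")
PORTAL_URL = "https://me.tmcmed.org/lawson/portal"
PUBLISHED_HOST = "me.tmcmed.org"


def normalize_path(raw_path):
    """Decode percent-encoding once, collapse leading slashes and resolve
    '.' / '..' so the allow-list is judged on the path the backend would see.
    /sites/hr/../finance therefore becomes /sites/finance before matching."""
    decoded = unquote(raw_path or "/")
    return normpath("/" + decoded.lstrip("/"))


def matches_allowed_path(path):
    """Whole-segment prefix match: /Lawson and /Lawson/portal match,
    /Lawsonx does not, and /sites/finance is outside the /sites/hr allowance."""
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)


def route_request(url, authenticated=True):
    """Model of the publishing rule. Returns a (decision, target) tuple:
      ("redirect", url)   plain HTTP, or an HTTPS path outside the allow-list
      ("deny", None)      caller is not an authenticated domain user
      ("forward", path)   normalized path handed to the internal Lawson server
    The check order (scheme, authentication, path) is an assumption."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # incidental HTTP traffic is redirected to SSL on the published host
        return ("redirect", f"https://{PUBLISHED_HOST}{parts.path or '/'}")
    if not authenticated:
        return ("deny", None)
    path = normalize_path(parts.path)
    if not matches_allowed_path(path):
        return ("redirect", PORTAL_URL)
    return ("forward", path)


if __name__ == "__main__":
    # Constructed sample requests, one per decision branch
    for sample in ("http://me.tmcmed.org/Lawson/portal",
                   "https://me.tmcmed.org/Lawson/portal",
                   "https://me.tmcmed.org/sites/hr/../finance/index.htm",
                   "https://me.tmcmed.org/Lawsonx"):
        print(sample, "->", route_request(sample))
```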
Logging into Lawson
• Authentication #2
• The Lawson portal is only compatible with Internet Explorer
• Firefox and Mozilla will not function properly with the Lawson portal