TM1 Forum

Discussing all things TM1, Planning Analytics, PAx and PAW
https://www.tm1forum.com/

TM1 Web security

https://www.tm1forum.com/viewtopic.php?t=1797

Page 1 of 1

TM1 Web security

Posted: Sun Nov 15, 2009 6:01 pm
by doerrstop
I'm in the process of rolling out TM1 with the help of an IBM partner. I'm only planning on allowing remote access through the web frontend using Integrated login and IIS-SSL. Our administrators will also have access through excel.

While reading some posts on this site I noticed a couple mentions of concerns around IIS-SSL, and that made me a bit nervous.

Does anyone have any experience securing TM1Web using IIS and SSL that could give me some pointers or a higher comfort level? I'd rather not use TS or a Citrix solution due to both cost considerations (TM1Web was included in my license) and management overhead. Do I really need to have everyone log in via our Cisco VPN to ensure the tools are secure?

Any help would be appreciated as I'm a noob to both these tools and this board.

Thanks!
-bd

Re: TM1 Web security

Posted: Mon Nov 16, 2009 2:17 am
by kangkc
If TM1 Web and TM1 server is on a same physical server. It's not difficult to run integrated login with SSL, I have used NTLM with success.

But if TM1 Web and TM1 server is on different machine, you will have to use Kerberos. This is hell to me as getting IIS to use Kerberos is not a straight forward task. Especially is Windows 2003 has a locked down IIS. So far I only managed to did it once but in a very control environment (I can anything I want on the server).

Re: TM1 Web security

Posted: Mon Nov 16, 2009 6:05 am
by Martin Erlmoser
>
Does anyone have any experience securing TM1Web using IIS and SSL that could give me some pointers or a higher comfort level?
<
i think a ssl cert. will make the communication between browser and iis secure enough, without vpn. (my netbanking works this way, maybe without iis, so what? ;) )
but its a really big step from an internal application to an application which is also accessible from outside, if possible, leave everything in your lan.

you have to ensure that every tm1user has a pwd which is strong enough, i don't think that SSO will work over internet. / i expect that you want to use it from external because you said somethink like vpn.. \

can you maybe explain how your environment looks like? maybe you will have to user a ts environment..

if you only use tm1/web in your LAN, there really should be no security risk.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited