Topology
In this article you'll find the recommended setup for the Ometa Framework. All network ports can be adjusted to accommodate the requirements of the implementation. The network ports listed in the images are the defaults for that protocol or service.
Note
The topology description here assumes a local SQL Server instance within the company network. Depending on how the Ometa Framework is installed and set up, Azure SQL Databases can be used as well, but this may be a slightly more complicated setup. Nonetheless, the flow between the framework components, storage and other services remains the same.
Download
If you'd like to use the diagrams listed in this article to start your network schema, you can download the PDF file here.
Recommended Setup
The following image displays the recommended setup for production environments:
Communication Flow ADM
The following diagram shows the connections between devices and services during the ADM flow. A full description of the flow follows the image. Note that SharePoint Online is used here. If SharePoint on premises is used, the SharePoint server is typically placed in the DMZ, or even in the internal network, behind the same reverse proxy or gateway.
- The client requests a SharePoint page from the SharePoint environment. The SharePoint server is configured with an SSL certificate and uses the HTTPS protocol on TCP 443.
- The SharePoint environment returns a page containing an Ometa ADM component.
- The ADM discovers all URLs at the Ometa Core Service (https://ometa-core.example.com) on TCP 443. The Ometa Core Service is configured with an SSL certificate.
- The URLs of the Ometa Generic REST Service and Ometa Authority Service are returned.
- The ADM sends a request to the Ometa Authority Service (https://ometa-authority.example.com) on TCP 443 to obtain an access token. The Ometa Authority Service is configured with an SSL certificate.
- The client is redirected by the authority service to one of the identity providers.
- After a successful login, the client is redirected back to the Ometa Authority Service, which issues an access token.
- The ADM sends a request to the Ometa Generic REST Service (https://ometa-rest.example.com) on TCP 443, presenting the access token. The Ometa Generic REST Service is configured with an SSL certificate.
- The Ometa Generic REST Service connects to SharePoint on TCP 443 to fetch extra context. The configured user needs to be a site collection administrator if no client ID and secret are used.
- The Ometa Generic REST Service connects to the Ometa Framework on TCP 2005.
- The Ometa Framework connects to the Ometa databases on TCP 1433 (the default port for a SQL Server instance).
- The Ometa Framework connects to the ERP system to retrieve the requested data.
  - The port for this connection depends on the type of ERP system.
  - The account used is specified in the profile.
- The data is returned to the Ometa Framework.
- The Ometa Framework sends the data back to the Ometa Generic REST Service.
- The Ometa Generic REST Service sends the data back to the client.
On top of this flow, all Ometa web services need to have a connection to their databases to retrieve configuration settings and runtime data for security validation.
The following ports are used in the diagram:
Port | Description
--- | ---
389 | LDAP (unsecured), used for retrieving the Active Directory profile of the user if necessary*.
443 | HTTPS. Provides a secure web connection.
636 | LDAPS (LDAP over TLS), used for retrieving the Active Directory profile of the user if necessary*.
1433 (ODBC) | Default SQL Server port. This can be a custom port as well.
2005 | Framework BCM port. Accepts incoming connections to the framework.
* A secure connection is preferred: LDAP on 389 without StartTLS sends the bind credentials and query results in clear text, so use 636 wherever the domain controllers support it. When using Azure Active Directory, the Microsoft Graph API is used to retrieve the profile of the user, which communicates over 443 (HTTPS).
The following list describes the role of each device in the flow.
Client Device
Trigger of the entire flow. Requests a page on a collaboration platform.
Laptop, desktop, smartphone, ... used to navigate to the collaboration platform.
Sends requests to the Ometa Web Services for the data to be rendered by the ADM.
Presents a login page when the user still needs to authenticate.
SharePoint Online
Collaboration platform, can be replaced by a SharePoint server installation or other collaboration platforms.
Contains the definition of the pages where content for the ADM will be rendered, but not the actual content of the ADM. This means that the data rendered by the ADM never passes through, and is never stored on, the collaboration platform.
Reverse Proxy or Gateway
Provides access to the internal Ometa Web Services in a secure and controlled way. Only TCP 443 needs to be published through it; the BCM port (2005) and the SQL port (1433) stay in the internal network.
Web Server
Serves the Ometa Authority, Ometa Core and Ometa Generic REST service.
Requests extra context from the SharePoint site collection and caches the context for 4 hours.
Requests the user profile using the Graph Api (Azure Active Directory) or the LDAP protocol (Active Directory).
Has a connection to the Ometa databases for configuration settings and runtime data (like authorization and case management).
Connects to the BCM service of the Ometa Framework installation to retrieve the configuration and data of what the user is requesting.
Ometa Framework Server
Heart of the Ometa Framework installation. Manages incoming requests for ERP/CRM/... data retrieval.
Has a connection to the Ometa databases for configuration settings.
Connects to ERP/CRM/... based on the configured profile for that connection.
SQL Server
Contains the databases that are used to store configuration settings and runtime data.
It is recommended to have a separate SQL installation for the Ometa Framework databases on a custom port.
Optionally, the Ometa Core Service, Ometa Generic REST Service and Ometa Authority Service can be configured to write logging to the Ometa BAM Logging Database instead of text files on the server. If configured to write logging to the database, the connection runs over TCP 1433. If the SQL instance is configured to allow connections on a different port, that port is used.
This network traffic is optional but frequently configured for the purpose of error tracking.
Communication Flow Business Connector
The Ometa Business Connector is the configuration tool of the Ometa Framework. The following diagram shows the communication flow of a client in the internal network connecting to the Ometa Framework server with the Ometa Business Connector. This piece of software is often installed on the Ometa Framework server itself.
- A client opens the Ometa Business Connector. The Ometa Business Connector discovers the URLs at the Ometa Core Service (https://ometa-core.example.com) on TCP 443. The Ometa Core Service is configured with an SSL certificate.
- The Ometa Business Connector obtains an access token via the Ometa Authority Service (https://ometa-authority.example.com) on TCP 443. The Ometa Authority Service is configured with an SSL certificate.
- The Ometa Business Connector connects to the Ometa Framework on TCP 2005.
- The Ometa Framework connects to the Ometa databases on TCP 1433 (the default port for a SQL Server instance).
- The Ometa Core Service and Ometa Authority Service communicate directly with the Ometa databases.
- The Ometa Framework connects to the ERP system to retrieve the requested data.
  - The port for this connection depends on the type of ERP system.
  - The account used is specified in the profile.
The following ports are used in the diagram:
Port | Description
--- | ---
389 | LDAP (unsecured), used for retrieving the Active Directory profile of the user if necessary*.
443 | HTTPS. Provides a secure web connection.
636 | LDAPS (LDAP over TLS), used for retrieving the Active Directory profile of the user if necessary*.
1433 (ODBC) | Default SQL Server port. This can be a custom port as well.
2005 | Framework BCM port. Accepts incoming connections to the framework.
* A secure connection is preferred: LDAP on 389 without StartTLS sends the bind credentials and query results in clear text, so use 636 wherever the domain controllers support it. When using Azure Active Directory, the Microsoft Graph API is used to retrieve the profile of the user, which communicates over 443 (HTTPS).
The following list describes the role of each device in the flow.
Client Device
Trigger of the entire flow. Opens the Ometa Business Connector application.
Laptop, desktop, smartphone, server, ... used to open the Ometa Business Connector application.
Sends requests to the Ometa Web Services for authentication and installation details of the Ometa Framework.
Presents a login page when the user still needs to authenticate.
Note
The Ometa Business Connector application is installed by default on the server that hosts the Ometa Framework.
You can also install the application on a client device to manage your configuration remotely. Do not open port 2005 to external networks; restrict it to the internal hosts that need it.
Web Server
Serves the Ometa Authority, Ometa Core and Ometa Generic REST service.
Requests the user profile using the Graph Api (Azure Active Directory) or the LDAP protocol (Active Directory).
Has a connection to the Ometa databases for configuration settings and runtime data (like authorization).
Ometa Framework Server
Heart of the Ometa Framework installation. Manages incoming requests for ERP/CRM/... data retrieval when testing methods, and manages configuration retrieval and storage.
Has a connection to the Ometa databases for configuration settings.
Connects to ERP/CRM/... based on the specified profile when testing methods or profiles.
SQL Server
Contains the databases that are used to store configuration settings and runtime data.
It is recommended to have a separate SQL installation for the Ometa Framework databases on a custom port.
Optionally, the Ometa Core Service and Ometa Authority Service can be configured to write logging to the Ometa BAM Logging Database instead of text files on the server. If configured to write logging to the database, the connection runs over TCP 1433. If the SQL instance is configured to allow connections on a different port, that port is used.
This network traffic is optional but frequently configured for the purpose of error tracking.
Communication Flow Site Creation
On the following diagram you'll see the communication flow of site creation with the Ometa Business Connector Site Provisioner service.
SharePoint Online
- The BCSP service uses the credentials from a SharePoint (Building Blocks) Profile to connect to the SharePoint Admin Tenant URL and create a new SharePoint site collection on TCP 443.
- The Ometa Framework connects to the Ometa databases on TCP 1433 (the default port for a SQL Server instance).
SharePoint On Premise
- The BCSP service connects to the SharePoint Central Administration web service to create a new SharePoint site collection on the central administration port.
- The Ometa Framework connects to the Ometa databases on TCP 1433 (the default port for a SQL Server instance).
The following ports are used in the diagram:
Port | Description
--- | ---
443 | HTTPS. Provides a secure web connection.
1433 (ODBC) | Default SQL Server port. This can be a custom port as well.
The following list describes the role of each device in the flow.
Trigger of the entire flow.
Ometa Framework Server
Heart of the Ometa Framework installation. The BCSP service manages the site creation flow.
Has a connection to the Ometa databases for configuration settings and runtime case information.
Connects to the SharePoint API for the creation of the site.
SQL Server
Contains the databases that are used to store configuration settings and runtime data.
It is recommended to have a separate SQL installation for the Ometa Framework databases on a custom port.
Validation
You can validate your setup after installation. A client device that is not part of the server network should be able to navigate to:
Replace ometa-*.example.com with your own URLs.
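The following script, added here as an example and not part of the Ometa documentation or product, turns the port tables above and this validation step into an automated check that can be run from a client device, from the web server and from the framework server in turn. The three public hostnames are the placeholders this article uses; the internal hostnames for the framework server and SQL Server, and the rule that TCP 2005 is reachable only from the web server (and 1433 only from the web and framework servers), are assumptions drawn from the tables and should be adjusted to your network.

```python
"""Added example (not Ometa's own tooling): check the exposure policy of an Ometa
topology from a chosen vantage point.

Public hostnames are the placeholders used in this article. The internal
hostnames and the 2005/1433 reachability rules are assumptions taken from the
port tables; adjust them to your network.
"""
from __future__ import annotations

import socket
import ssl
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

# Vantage points a practitioner can run this script from.
CLIENT, WEB, FRAMEWORK = "client", "web-server", "framework-server"


@dataclass(frozen=True)
class Rule:
    host: str
    port: int
    purpose: str
    reachable_from: frozenset  # vantage points that should be able to connect


POLICY: List[Rule] = [
    Rule("ometa-core.example.com", 443, "Ometa Core Service (HTTPS)", frozenset({CLIENT, WEB, FRAMEWORK})),
    Rule("ometa-authority.example.com", 443, "Ometa Authority Service (HTTPS)", frozenset({CLIENT, WEB, FRAMEWORK})),
    Rule("ometa-rest.example.com", 443, "Ometa Generic REST Service (HTTPS)", frozenset({CLIENT, WEB, FRAMEWORK})),
    # Assumed internal hostname: only the web server may reach the BCM port.
    Rule("ometa-framework.internal.example.com", 2005, "Framework BCM port", frozenset({WEB})),
    # Assumed internal hostname: SQL Server is used by the web services and the framework, never by clients.
    Rule("ometa-sql.internal.example.com", 1433, "SQL Server", frozenset({WEB, FRAMEWORK})),
]

Probe = Callable[[str, int], bool]


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable name
        return False


def check_rule(rule: Rule, vantage: str, probe: Probe = tcp_open) -> Tuple[bool, str]:
    """Compare the observed reachability of one rule with what the policy expects."""
    expected = vantage in rule.reachable_from
    actual = probe(rule.host, rule.port)
    where = f"{rule.host}:{rule.port} ({rule.purpose}) from {vantage}"
    if actual == expected:
        return True, f"OK   {where}: {'open' if actual else 'closed'} as expected"
    if actual:
        return False, f"FAIL {where}: reachable but should be blocked"
    return False, f"FAIL {where}: blocked but required"


def validate(vantage: str, policy: List[Rule] = POLICY, probe: Probe = tcp_open) -> List[Tuple[bool, str]]:
    """Evaluate every rule from the given vantage point; a False entry means a policy violation."""
    return [check_rule(rule, vantage, probe) for rule in policy]


def certificate_summary(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Handshake with certificate and hostname verification enabled (Python's default
    context) and report the subject, issuer and remaining validity of the certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {
        "subject": dict(pair for rdn in cert["subject"] for pair in rdn),
        "issuer": dict(pair for rdn in cert["issuer"] for pair in rdn),
        "not_after": not_after,
        "days_left": (not_after - datetime.now(timezone.utc)).days,
    }


if __name__ == "__main__":
    # Usage: python topology_check.py client|web-server|framework-server
    vantage = sys.argv[1] if len(sys.argv) > 1 else CLIENT
    results = validate(vantage)
    for _, line in results:
        print(line)
    for rule in POLICY:
        if rule.port == 443 and vantage in rule.reachable_from:
            try:
                info = certificate_summary(rule.host)
                print(f"CERT {rule.host}: expires {info['not_after']:%Y-%m-%d} ({info['days_left']} days left)")
            except (OSError, ssl.SSLError) as exc:
                print(f"FAIL {rule.host}: TLS handshake failed: {exc}")
    sys.exit(0 if all(ok for ok, _ in results) else 1)
```

A FAIL for 2005 or 1433 from the client vantage point means the BCM or SQL port is exposed beyond the internal network; a FAIL for 443 from any vantage point means the reverse proxy or gateway is not forwarding that hostname. The certificate check uses Python's default context, so an untrusted issuer or a hostname mismatch shows up as a handshake failure rather than a silent pass.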