How can I have a publicly accessible application server that can securely access our database server

We have been using a reporting application called Crystal Reports Server internally for several months.  What we want to do is provide a link off of our website to a server running the application, while at the same time enabling secure access to the server inside our network that hosts our database.

We have a second IP address which we can use and obviously link to from our website.  I assume that simply placing this application server outside of our firewall and then using its other ethernet port to connect to our network would be considered a security worst practice, even with server anti-virus software and the server locked down.

I'm not very knowledgeable about networking/security.  What would be an easy and secure approach to this issue?

We have external webhosting.  All of our servers are running Windows Server 2003.  It is an SQL database.  I have some ability to acquire additional resources, e.g. an additional firewall.
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

arcaexConnect With a Mentor Commented:
An easy approach to this, if your firewall can handle, it would be to create a DMZ (demilitarized zone) using that additional IP address. You can attach that IP to an untrusted interface on your firewall and then create appropriate security for the passing of information between the DMZ and the trusted interface. You can even only allow specific traffic to travel between the interfaces as well. You stated above that this was 'worst practice' but if the server is configured correctly and the policies in your firewall are also correct, it would work.

How you do this really depends on your firewall. A Juniper firewall would have you create Mapped IP's or Virtual IP's depending on your configuration. ALso, alot of firewalls come in specific PORT modes and you mind find yourself having to modify your existing mode. Either way once, you have the DMZ you can customize outgoing and incoming traffic to your preference.

You could also turn Terminal Services on the 2003 Box on and allow port 3389 traffic to hit your firewall and be directed directly to your application server. Then the users on the internet could simply Remote Desktop into the server. The problem with this is it will suck resources off your host server and requires a Per Seat licensing scheme from Microsoft.

I know this probably seems overwhelming, but its fairly simple when you look at it.

I don't know about the secure access but you may need to check you Crystal Reports Server license to ensure you don't violate the license.

bradlee27514Author Commented:
I can have up to 10 remote users without violating our license agreement
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

bradlee27514Author Commented:
remote desktop won't fly.  Currently I could set up VPN connections for the external users, but that's not what we want.

DMZ is not an option for our firewall.  May be able to get one that can, any other options?  Thanks for the reply.
Can you elaborate a bit more on how you 'see' the server functioning from the web link you want? Will users be running Crystal off the server or is it to get Crystal reports up so people can view the reports remotely? your server acting more like the backend for the DB side and the front side will be the data which is shown on the website?
bradlee27514Author Commented:
Its for folks to be able to view reports remotely.  The link needs to go to a machine with Crystal Reports Server.  The machine with CR server needs secure connection to the dataabase server and at the same time be publicly accessible (or else the website link wouldn't work).
What about:
"a .NET Windows application or an ASP.NET Web application is used as a client to view reports that are processed by a remote server which hosts the CE Embedded (RAS) Server or Crystal Enterprise (CE).  
Since the reports are already being hosted by RAS/CE, this does not require any Crystal Reports runtime files to be distributed."

Now I am not too sure if this snippet I found is assuming that the front-end ASP/IIS server is within your DMZ. If so, that would be a show stopper.
Actually you could not do this because the server you would put the ASP.NET app is not owned by you hence the EULA:

"You are prohibited by license to deploy a CR .NET application on a server not owned by you (following the information in this article would put you in violation of the CR license). Again, section 4.2 states "After you have activated your copy of the Software, you may install and use Server/Web Applications in one or more Server Environments owned or operated by you for your internal business purposes."

You might have to contact your contact for CS and see what solution they can provide for you.
All Courses

From novice to tech pro — start learning today.