

How can I have a publicly accessible application server that can securely access our database server?

Posted on 2007-12-04
Medium Priority
Last Modified: 2013-12-04
We have been using a reporting application called Crystal Reports Server internally for several months.  What we want to do is provide a link off of our website to a server running the application, while at the same time enabling secure access to the server inside our network that hosts our database.

We have a second IP address which we can use and obviously link to from our website.  I assume that simply placing this application server outside of our firewall and then using its other ethernet port to connect to our network would be considered a security worst practice, even with server anti-virus software and the server locked down.

I'm not very knowledgeable about networking/security.  What would be an easy and secure approach to this issue?

We have external webhosting.  All of our servers are running Windows Server 2003.  It is an SQL database.  I have some ability to acquire additional resources, e.g. an additional firewall.
Question by: bradlee27514
LVL 101

Expert Comment

ID: 20406443
I don't know about the secure access, but you may need to check your Crystal Reports Server license to ensure you don't violate the license.


Author Comment

ID: 20406480
I can have up to 10 remote users without violating our license agreement

Accepted Solution

arcaex earned 750 total points
ID: 20407001
An easy approach to this, if your firewall can handle it, would be to create a DMZ (demilitarized zone) using that additional IP address. You can attach that IP to an untrusted interface on your firewall and then create appropriate security for the passing of information between the DMZ and the trusted interface. You can even allow only specific traffic to travel between the interfaces as well. You stated above that this was 'worst practice', but if the server is configured correctly and the policies in your firewall are also correct, it would work.

How you do this really depends on your firewall. A Juniper firewall would have you create Mapped IPs or Virtual IPs depending on your configuration. Also, a lot of firewalls come in specific PORT modes and you might find yourself having to modify your existing mode. Either way, once you have the DMZ, you can customize outgoing and incoming traffic to your preference.

You could also turn Terminal Services on the 2003 Box on and allow port 3389 traffic to hit your firewall and be directed directly to your application server. Then the users on the internet could simply Remote Desktop into the server. The problem with this is it will suck resources off your host server and requires a Per Seat licensing scheme from Microsoft.

I know this probably seems overwhelming, but it's fairly simple when you look at it.
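The DMZ policy described in the accepted answer, modelled as an added example that is not part of the original thread: a default-deny rule set between three zones, a function that decides individual flows, and an audit that flags rules which would undo the separation. The addresses, the zone names and ports 443 (HTTPS front end) and 1433 (SQL Server's default listener) are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing and ports (assumptions, not taken from the thread).
ZONES = {
    "dmz": ip_network("192.168.50.0/24"),   # segment holding the report server
    "trust": ip_network("10.0.0.0/24"),     # internal LAN holding the database
}
REPORT_SRV = ip_address("192.168.50.10")
DB_SRV = ip_address("10.0.0.20")

# Permit rules: (src_zone, dst_zone, src_host, dst_host, tcp_port); None = any.
# Anything that matches no rule is denied.
POLICY = [
    ("untrust", "dmz", None, REPORT_SRV, 443),     # internet -> report server, HTTPS
    ("dmz", "trust", REPORT_SRV, DB_SRV, 1433),    # report server -> database only
]

def zone_of(addr):
    """Map an address to its zone; anything unknown is the internet."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrust"

def decide(src, dst, port, policy=POLICY):
    """Return 'permit' or 'deny' for a TCP flow crossing the firewall."""
    src, dst = ip_address(src), ip_address(dst)
    flow = (zone_of(src), zone_of(dst), src, dst, port)
    for rule in policy:
        if all(want is None or want == got for want, got in zip(rule, flow)):
            return "permit"
    return "deny"

def audit(policy):
    """Flag permit rules that defeat the purpose of the DMZ."""
    findings = []
    for rule in policy:
        src_zone, dst_zone, src, dst, port = rule
        if src_zone == "untrust" and dst_zone == "trust":
            findings.append(("internet reaches LAN directly", rule))
        elif dst_zone == "trust" and None in (src, dst, port):
            findings.append(("wildcard rule into LAN", rule))
    return findings
```

Only flows that cross the firewall between zones are modelled; the audit is the part worth rerunning whenever a rule is added.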



Author Comment

ID: 20411620
Remote desktop won't fly.  Currently I could set up VPN connections for the external users, but that's not what we want.

DMZ is not an option for our firewall.  May be able to get one that can, any other options?  Thanks for the reply.

Expert Comment

ID: 20413012
Can you elaborate a bit more on how you 'see' the server functioning from the web link you want? Will users be running Crystal off the server or is it to get Crystal reports up so people can view the reports remotely?

Or... is your server acting more like the backend for the DB side and the front side will be the data which is shown on the website?

Author Comment

ID: 20414256
It's for folks to be able to view reports remotely.  The link needs to go to a machine with Crystal Reports Server.  The machine with CR server needs a secure connection to the database server and at the same time be publicly accessible (or else the website link wouldn't work).

Expert Comment

ID: 20414715
What about:
"a .NET Windows application or an ASP.NET Web application is used as a client to view reports that are processed by a remote server which hosts the CE Embedded (RAS) Server or Crystal Enterprise (CE).  
Since the reports are already being hosted by RAS/CE, this does not require any Crystal Reports runtime files to be distributed."

Now I am not too sure if this snippet I found is assuming that the front-end ASP/IIS server is within your DMZ. If so, that would be a show stopper.

Expert Comment

ID: 20414855
Actually, you could not do this because the server you would put the ASP.NET app on is not owned by you, hence the EULA:

"You are prohibited by license to deploy a CR .NET application on a server not owned by you (following the information in this article would put you in violation of the CR license). Again, section 4.2 states "After you have activated your copy of the Software, you may install and use Server/Web Applications in one or more Server Environments owned or operated by you for your internal business purposes."

You might have to contact your contact for CS and see what solution they can provide for you.


Question has a verified solution.
