How can I have a publicly accessible application server that can securely access our database server

Posted on 2007-12-04
Last Modified: 2013-12-04
We have been using a reporting application called Crystal Reports Server internally for several months.  What we want to do is provide a link off of our website to a server running the application, while at the same time enabling secure access to the server inside our network that hosts our database.

We have a second IP address which we can use and obviously link to from our website.  I assume that simply placing this application server outside of our firewall and then using its other ethernet port to connect to our network would be considered a security worst practice, even with server anti-virus software and the server locked down.

I'm not very knowledgeable about networking/security.  What would be an easy and secure approach to this issue?

We have external webhosting.  All of our servers are running Windows Server 2003.  It is an SQL database.  I have some ability to acquire additional resources, e.g. an additional firewall.
Question by:bradlee27514

Expert Comment

ID: 20406443
I don't know about the secure access but you may need to check your Crystal Reports Server license to ensure you don't violate the license.


Author Comment

ID: 20406480
I can have up to 10 remote users without violating our license agreement

Accepted Solution

arcaex earned 250 total points
ID: 20407001
An easy approach to this, if your firewall can handle it, would be to create a DMZ (demilitarized zone) using that additional IP address. You can attach that IP to an untrusted interface on your firewall and then create appropriate security for the passing of information between the DMZ and the trusted interface. You can even only allow specific traffic to travel between the interfaces as well. You stated above that this was 'worst practice' but if the server is configured correctly and the policies in your firewall are also correct, it would work.

How you do this really depends on your firewall. A Juniper firewall would have you create Mapped IPs or Virtual IPs depending on your configuration. Also, a lot of firewalls come in specific PORT modes and you might find yourself having to modify your existing mode. Either way, once you have the DMZ you can customize outgoing and incoming traffic to your preference.

You could also turn Terminal Services on the 2003 Box on and allow port 3389 traffic to hit your firewall and be directed directly to your application server. Then the users on the internet could simply Remote Desktop into the server. The problem with this is it will suck resources off your host server and requires a Per Seat licensing scheme from Microsoft.

I know this probably seems overwhelming, but it's fairly simple when you look at it.
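The DMZ policy described in this answer, modelled as an added example (not part of the original answer and not any firewall vendor's syntax): a first-match rule list plus an audit that flags any allow rule opening the trusted LAN beyond the single report-server-to-database flow. The addresses, the HTTPS port and the SQL Server default port 1433 are assumptions; the thread gives none of them.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination TCP port, 0 = any
    action: str   # "allow" or "deny"

# Constructed addresses (documentation / RFC 1918 ranges), not from the thread.
APP_SERVER = "192.0.2.10/32"   # report server in the DMZ
DB_SERVER = "10.0.0.20/32"     # database server on the trusted LAN
TRUSTED_LAN = "10.0.0.0/24"
ANY = "0.0.0.0/0"
SQL_PORT = 1433                # assumption: Microsoft SQL Server default port
WEB_PORT = 443                 # assumption: reports are served over HTTPS

POLICY = [
    Rule(APP_SERVER, DB_SERVER, SQL_PORT, "allow"),  # DMZ -> database, one port
    Rule(ANY, TRUSTED_LAN, 0, "deny"),               # nothing else reaches the LAN
    Rule(ANY, APP_SERVER, WEB_PORT, "allow"),        # internet -> report server
    Rule(ANY, ANY, 0, "deny"),                       # default deny
]

def matches(rule, src, dst, port):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.port in (0, port))

def decide(policy, src, dst, port):
    """First matching rule wins; no match at all means deny."""
    for rule in policy:
        if matches(rule, src, dst, port):
            return rule.action
    return "deny"

def audit(policy):
    """Return allow rules into the trusted LAN other than the one intended flow.

    Rule order is ignored, so a shadowed allow rule is still reported.
    """
    lan = ip_network(TRUSTED_LAN)
    intended = (APP_SERVER, DB_SERVER, SQL_PORT)
    return [r for r in policy
            if r.action == "allow"
            and ip_network(r.dst).overlaps(lan)
            and (r.src, r.dst, r.port) != intended]
```
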


Author Comment

ID: 20411620
Remote desktop won't fly.  Currently I could set up VPN connections for the external users, but that's not what we want.

DMZ is not an option for our firewall.  May be able to get one that can, any other options?  Thanks for the reply.


Expert Comment

ID: 20413012
Can you elaborate a bit more on how you 'see' the server functioning from the web link you want? Will users be running Crystal off the server or is it to get Crystal reports up so people can view the reports remotely? Your server acting more like the backend for the DB side and the front side will be the data which is shown on the website?

Author Comment

ID: 20414256
It's for folks to be able to view reports remotely.  The link needs to go to a machine with Crystal Reports Server.  The machine with CR server needs a secure connection to the database server and at the same time be publicly accessible (or else the website link wouldn't work).

Expert Comment

ID: 20414715
What about:
"a .NET Windows application or an ASP.NET Web application is used as a client to view reports that are processed by a remote server which hosts the CE Embedded (RAS) Server or Crystal Enterprise (CE).  
Since the reports are already being hosted by RAS/CE, this does not require any Crystal Reports runtime files to be distributed."

Now I am not too sure if this snippet I found is assuming that the front-end ASP/IIS server is within your DMZ. If so, that would be a show stopper.

Expert Comment

ID: 20414855
Actually you could not do this because the server you would put the ASP.NET app on is not owned by you, hence the EULA:

"You are prohibited by license to deploy a CR .NET application on a server not owned by you (following the information in this article would put you in violation of the CR license). Again, section 4.2 states "After you have activated your copy of the Software, you may install and use Server/Web Applications in one or more Server Environments owned or operated by you for your internal business purposes."

You might have to contact your contact for CS and see what solution they can provide for you.


Question has a verified solution.
