Solved

How can I have a publicly accessible application server that can securely access our database server

Posted on 2007-12-04
Last Modified: 2013-12-04
We have been using a reporting application called Crystal Reports Server internally for several months.  What we want to do is provide a link off of our website to a server running the application, while at the same time enabling secure access to the server inside our network that hosts our database.

We have a second IP address which we can use and obviously link to from our website.  I assume that simply placing this application server outside of our firewall and then using its other ethernet port to connect to our network would be considered a security worst practice, even with server anti-virus software and the server locked down.

I'm not very knowledgeable about networking/security.  What would be an easy and secure approach to this issue?

We have external webhosting.  All of our servers are running Windows Server 2003.  It is an SQL database.  I have some ability to acquire additional resources, e.g. an additional firewall.
Question by:bradlee27514
8 Comments
 
LVL 100

Expert Comment

by:mlmcc
I don't know about the secure access but you may need to check your Crystal Reports Server license to ensure you don't violate the license.

mlmcc
0
 

Author Comment

by:bradlee27514
I can have up to 10 remote users without violating our license agreement.
0
 
LVL 2

Accepted Solution

by:
arcaex earned 250 total points
An easy approach to this, if your firewall can handle it, would be to create a DMZ (demilitarized zone) using that additional IP address. You can attach that IP to an untrusted interface on your firewall and then create appropriate security for the passing of information between the DMZ and the trusted interface. You can even only allow specific traffic to travel between the interfaces as well. You stated above that this was 'worst practice' but if the server is configured correctly and the policies in your firewall are also correct, it would work.

How you do this really depends on your firewall. A Juniper firewall would have you create Mapped IPs or Virtual IPs depending on your configuration. Also, a lot of firewalls come in specific PORT modes and you might find yourself having to modify your existing mode. Either way, once you have the DMZ you can customize outgoing and incoming traffic to your preference.

You could also turn Terminal Services on the 2003 Box on and allow port 3389 traffic to hit your firewall and be directed directly to your application server. Then the users on the internet could simply Remote Desktop into the server. The problem with this is it will suck resources off your host server and requires a Per Seat licensing scheme from Microsoft.

I know this probably seems overwhelming, but it's fairly simple when you look at it.



0
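The DMZ policy described in the accepted answer above, sketched as an added example that is not part of the original thread: a vendor-neutral, first-match rule model plus an audit that flags any DMZ-to-trusted permit wider than "report server to database server on the SQL port". The zone names, addresses, port 443 for the report viewer and port 1433 (the Microsoft SQL Server default) are assumptions; the thread does not give them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values, assumptions for illustration only.
APP_SERVER = "192.0.2.10"   # report server in the DMZ
DB_SERVER = "10.0.0.20"     # database server on the trusted network
WEB_PORT = 443              # assumed HTTPS port of the report viewer
SQL_PORT = 1433             # assumed: default Microsoft SQL Server port

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: str                # CIDR
    dst: str                # CIDR
    port: Optional[int]     # None means any port
    action: str             # "permit" or "deny"

def decide(rules, src_zone, dst_zone, src, dst, port):
    """First-match evaluation; traffic that matches no rule is denied."""
    for r in rules:
        if ((r.src_zone, r.dst_zone) == (src_zone, dst_zone)
                and ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

def audit_dmz_to_trust(rules):
    """Return DMZ-to-trust permit rules wider than app server -> DB on SQL_PORT."""
    wanted = (ipaddress.ip_network(APP_SERVER), ipaddress.ip_network(DB_SERVER), SQL_PORT)
    return [r for r in rules
            if (r.src_zone, r.dst_zone, r.action) == ("dmz", "trust", "permit")
            and (ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst), r.port) != wanted]

# Two constructed rule sets: the intended policy and an over-broad one.
LOCKED_DOWN = [
    Rule("untrust", "dmz", "0.0.0.0/0", APP_SERVER + "/32", WEB_PORT, "permit"),
    Rule("dmz", "trust", APP_SERVER + "/32", DB_SERVER + "/32", SQL_PORT, "permit"),
    Rule("dmz", "trust", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]
TOO_OPEN = [
    Rule("untrust", "dmz", "0.0.0.0/0", APP_SERVER + "/32", WEB_PORT, "permit"),
    Rule("dmz", "trust", "192.0.2.0/24", "10.0.0.0/24", None, "permit"),
]

if __name__ == "__main__":
    for name, rules in (("LOCKED_DOWN", LOCKED_DOWN), ("TOO_OPEN", TOO_OPEN)):
        print(name, "over-broad rules:", audit_dmz_to_trust(rules))
```

With the over-broad rule set, a compromised report server could reach any host and port on the trusted network; with the locked-down set, its only path inward is the one database connection.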
 

Author Comment

by:bradlee27514
Remote desktop won't fly.  Currently I could set up VPN connections for the external users, but that's not what we want.

DMZ is not an option for our firewall.  May be able to get one that can, any other options?  Thanks for the reply.
0

 
LVL 2

Expert Comment

by:arcaex
Can you elaborate a bit more on how you 'see' the server functioning from the web link you want? Will users be running Crystal off the server or is it to get Crystal reports up so people can view the reports remotely?

Or... is your server acting more like the backend for the DB side and the front side will be the data which is shown on the website?
0
 

Author Comment

by:bradlee27514
It's for folks to be able to view reports remotely.  The link needs to go to a machine with Crystal Reports Server.  The machine with CR server needs secure connection to the database server and at the same time be publicly accessible (or else the website link wouldn't work).
0
 
LVL 2

Expert Comment

by:arcaex
What about:
"a .NET Windows application or an ASP.NET Web application is used as a client to view reports that are processed by a remote server which hosts the CE Embedded (RAS) Server or Crystal Enterprise (CE).  
Since the reports are already being hosted by RAS/CE, this does not require any Crystal Reports runtime files to be distributed."

Now I am not too sure if this snippet I found is assuming that the front-end ASP/IIS server is within your DMZ. If so, that would be a show stopper.
0
 
LVL 2

Expert Comment

by:arcaex
Actually you could not do this because the server you would put the ASP.NET app on is not owned by you, hence the EULA:

"You are prohibited by license to deploy a CR .NET application on a server not owned by you (following the information in this article would put you in violation of the CR license). Again, section 4.2 states "After you have activated your copy of the Software, you may install and use Server/Web Applications in one or more Server Environments owned or operated by you for your internal business purposes."

You might have to contact your contact for CS and see what solution they can provide for you.
0