How can I have a publicly accessible application server that can securely access our database server

Posted on 2007-12-04
Last Modified: 2013-12-04
We have been using a reporting application called Crystal Reports Server internally for several months.  What we want to do is provide a link off of our website to a server running the application, while at the same time enabling secure access to the server inside our network that hosts our database.

We have a second IP address which we can use and obviously link to from our website.  I assume that simply placing this application server outside of our firewall and then using its other ethernet port to connect to our network would be considered a security worst practice, even with server anti-virus software and the server locked down.

I'm not very knowledgeable about networking/security.  What would be an easy and secure approach to this issue?

We have external webhosting.  All of our servers are running Windows Server 2003.  It is an SQL database.  I have some ability to acquire additional resources, e.g. an additional firewall.
Question by:bradlee27514

Expert Comment

ID: 20406443
I don't know about the secure access but you may need to check your Crystal Reports Server license to ensure you don't violate the license.


Author Comment

ID: 20406480
I can have up to 10 remote users without violating our license agreement

Accepted Solution

arcaex earned 250 total points
ID: 20407001
An easy approach to this, if your firewall can handle it, would be to create a DMZ (demilitarized zone) using that additional IP address. You can attach that IP to an untrusted interface on your firewall and then create appropriate security for the passing of information between the DMZ and the trusted interface. You can even only allow specific traffic to travel between the interfaces as well. You stated above that this was 'worst practice' but if the server is configured correctly and the policies in your firewall are also correct, it would work.

How you do this really depends on your firewall. A Juniper firewall would have you create Mapped IPs or Virtual IPs depending on your configuration. Also, a lot of firewalls come in specific PORT modes and you might find yourself having to modify your existing mode. Either way, once you have the DMZ you can customize outgoing and incoming traffic to your preference.

You could also turn Terminal Services on the 2003 Box on and allow port 3389 traffic to hit your firewall and be directed directly to your application server. Then the users on the internet could simply Remote Desktop into the server. The problem with this is it will suck resources off your host server and requires a Per Seat licensing scheme from Microsoft.

I know this probably seems overwhelming, but it's fairly simple when you look at it.
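
A sketch of the "only allow specific traffic" policy from the accepted answer, as an added example that is not part of the original thread and is not any vendor's firewall syntax: a first-match rule table plus an audit of which rules can reach the trusted side. The addresses, the 443 and 1433 ports (assuming Microsoft SQL Server on its default port) and all names are illustrative assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation/private ranges), not from the thread.
APP_DMZ = "192.0.2.10"               # Crystal Reports Server on the DMZ interface
DB_LAN = "10.0.0.20"                 # database server on the trusted interface
TRUSTED = ip_network("10.0.0.0/24")  # internal network behind the firewall

# (action, source, destination, tcp_port), evaluated top-down, first match wins.
# Ports are assumptions: 443 for the report site, 1433 for SQL Server.
POLICY = [
    ("allow", "0.0.0.0/0", f"{APP_DMZ}/32", 443),      # internet -> report server
    ("allow", f"{APP_DMZ}/32", f"{DB_LAN}/32", 1433),  # report server -> database
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),          # None = any port
]

def decide(policy, src, dst, port):
    """Return the action of the first rule matching the flow; default deny."""
    for action, rsrc, rdst, rport in policy:
        if (ip_address(src) in ip_network(rsrc)
                and ip_address(dst) in ip_network(rdst)
                and rport in (None, port)):
            return action
    return "deny"

def audit(policy):
    """List allow rules that open the trusted network wider than one flow."""
    findings = []
    for i, (action, rsrc, rdst, rport) in enumerate(policy):
        dst = ip_network(rdst)
        if action != "allow" or not dst.overlaps(TRUSTED):
            continue
        if rsrc != f"{APP_DMZ}/32":
            findings.append((i, "source is not only the DMZ app server"))
        if dst.prefixlen != 32:
            findings.append((i, "destination is wider than one host"))
        if rport is None:
            findings.append((i, "any port allowed"))
    return findings

if __name__ == "__main__":
    print(decide(POLICY, "203.0.113.5", DB_LAN, 1433))  # internet straight to DB
    print(audit(POLICY))
```

With this table the only path from the public side to the database is through the report server on the single database port, and `audit` flags any later rule that widens it.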


Author Comment

ID: 20411620
Remote desktop won't fly.  Currently I could set up VPN connections for the external users, but that's not what we want.

DMZ is not an option for our firewall.  May be able to get one that can, any other options?  Thanks for the reply.

Expert Comment

ID: 20413012
Can you elaborate a bit more on how you 'see' the server functioning from the web link you want? Will users be running Crystal off the server or is it to get Crystal reports up so people can view the reports remotely? Your server acting more like the backend for the DB side and the front side will be the data which is shown on the website?

Author Comment

ID: 20414256
It's for folks to be able to view reports remotely.  The link needs to go to a machine with Crystal Reports Server.  The machine with CR server needs a secure connection to the database server and at the same time be publicly accessible (or else the website link wouldn't work).

Expert Comment

ID: 20414715
What about:
"a .NET Windows application or an ASP.NET Web application is used as a client to view reports that are processed by a remote server which hosts the CE Embedded (RAS) Server or Crystal Enterprise (CE).  
Since the reports are already being hosted by RAS/CE, this does not require any Crystal Reports runtime files to be distributed."

Now I am not too sure if this snippet I found is assuming that the front-end ASP/IIS server is within your DMZ. If so, that would be a show stopper.

Expert Comment

ID: 20414855
Actually you could not do this because the server you would put the ASP.NET app is not owned by you hence the EULA:

"You are prohibited by license to deploy a CR .NET application on a server not owned by you (following the information in this article would put you in violation of the CR license). Again, section 4.2 states "After you have activated your copy of the Software, you may install and use Server/Web Applications in one or more Server Environments owned or operated by you for your internal business purposes."

You might have to contact your contact for CS and see what solution they can provide for you.

Question has a verified solution.