We help IT Professionals succeed at work.

How to access File server on Domain from IIS in DMZ

Need to access Files on our domain from IIS on DMZ, How can we accomplish this without compromising security.
Comment
Watch Question

There is no way to do what you suggest without at least minimally compromising security, however, it is certainly possible to do securely "enough".  What is the (general) content of the files it needs to access?  Are they sensitive?  What type of access -- relayed to the end user or just accessed by IIS?  Is the IIS machine in the domain or out of it?

Author

Commented:
Hi, the access through IIS only, our clients need to view, upload and download work contracts via our website. The various contractors login to our webportal and upload their work contracts or view any past work contracts and sometimes they need to modify perivouly worked contracts so need to download them. The IIS machine is on DMZ.  our current config is Internet -- DMZ  IIS7 server-- Firewall-- application server. The communication is set between IIS DMZ and APP server over port 80.  Appserver communicates with the DB server, Internal IIS server, FIle server,Report server.  currently files are stored on Filer server
The App server in this scenario would have to enable uploading and downloading the file(s) within its code through some mechanism on the web server.  Is IIS essentially only a relay for WebSphere or something similar?

Author

Commented:
Yes IIS just a relay..
Brad HoweDevOps Manager
Top Expert 2011
Commented:
Hi,

Firewalls are excellent tools, but they are only one of many levels you can and should utilize. You should consider using a DMZ because it puts one more level of defense between a potential cracker and your sensitive information. The more levels of security you have in place, the more protected your information is.

Now to answer your question about allowing SMB over TCP through from a DMZ to an internal network is a large security risk. In my company, I have IT security policies in place that require written exceptions/approval from the President to allow such changes.

Here is one approach. If possible, I would setup an Read Only Domain Controllers (RODCs) in the perimeter network to allow you to bind the machine to the domain.

Once the WebServers are on the domain, you can then setup DFSR (Distributed File System Replication) with a 1 way from for replication from INTERNAL to PERIMETER AD.

Then setup the webserver to communicate with your RODC DFS Store.

At that point, You can have the webserver in the DMZ read the UNC source inside the DMZ and have clients write content on the internal network DMZ.  

At the same time, the DMZ is only open 1 way from internal to external so IF your webserver is hacked, SMB hacks cant be used since the firewall is restricting it.
 
The only other option is to use something like FTPS, SFTP.

Hope it gives you some ideas.

Good Luck & Best Regards,
Hades666
Since IIS is just a relay for the app server, there is really nothing to change on IIS.  The java code on the app server needs to manage upload and download of files as part of the web app.  I believe both WebSphere and JBoss have "canned" libraries for handling this, but you'll have to talk to your web developers and see how easy/hard it is for them to implement that.  It isn't a monumental change, but might be something they haven't done before.

There is no way to accomplish this in IIS, since IIS doesn't have any access to the internal network and the app server is probably the only way to get at the data.  Even if you could, you wouldn't want to reduce the security to allow that functionality.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.