Application Server Publishing

Dear Experts,

I have an application server on my LAN, and I want to publish it for home users. I want to know what the best practice is:
1) Should I put it in a DMZ zone and publish it directly with a public IP (I have a public IP available)?
2) Or through VPN, so that a user can use this application server only when connected via VPN (I have SSL VPN)?

Which will be best, and what are the pros/cons?

There are some advantages and disadvantages.

If you publish it directly on your server by using a public IP, this is not very secure.
If you only allow users to connect via VPN, then users have to configure the VPN and also start it every time they want to access your application.

If I had to choose between these options, I would choose the second one.

However, an intermediate solution would be to enable DNAT (Destination Network Address Translation) so your users access your application using a public IP on a specific port, and then this traffic is redirected internally to your server in your DMZ. This way users think that they are accessing the server directly by using a public IP, and you could still have good security.

Hope it helps. Regards.
Sajid Shaik M (System Admin) Commented:
The VPN is the best option... option no. 2.

It's more secure compared to the others...

Security involves a lot of things. As I said, VPN is more secure than allowing users to access the server directly by a public IP.
However, the intermediate option I told you about (using DNAT) is probably better, even in security. If users access your server via VPN, these users are accessing the server as if they were "inside the LAN". If you allow users to access it via a public IP which is on an intermediate machine protected with firewalls, etc., and this intermediate machine then does a DNAT to redirect just the correct port to your server in order to access your application, that is for me the best option, and it is also better for users as they don't have to install any VPN client, etc.

Hope it helps. Regards.
nainasipra (Author) Commented:
Dear gplana,

Thank you very much for your help. It is clearer to me now, and I would very much appreciate it if you could give me more pros and cons.

Thanks again.

When your users connect via VPN, they are on a secured network which emulates being "in" your local network. This is safe from the point of view that no external people can access it (although they can guess some VPN user and password).

When you use a DMZ server accessed through a firewall, you can configure your firewall to let only the desired traffic pass, so you are securing against external people and internal people.

Also, VPN is sometimes a little bit tricky to configure (not just for you, but for your users). However, it is a very useful tool to access a LAN from outside and work just as if you were inside.

The most insecure option is to use a public IP address directly on your server, because then this server is exposed to some hacker attacks, as this IP is accessible to anybody.

Hope it's clear now. Regards.
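
The DNAT-to-DMZ setup described in the answers above, sketched as an nftables ruleset for the firewall machine. This is an added example, not part of the original thread; the interface names, addresses (documentation and private ranges) and port 443 are all assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Constructed example: every interface name, address and port below is a placeholder.
define wan_if   = "eth0"          # Internet-facing interface
define dmz_if   = "eth1"          # DMZ segment holding the application server
define lan_if   = "eth2"          # internal LAN
define pub_ip   = 203.0.113.10    # public IP that home users connect to
define app_srv  = 172.16.10.20    # application server's private DMZ address
define app_port = 443             # the single published port

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Redirect only the published port on the public IP to the DMZ server.
        iifname $wan_if ip daddr $pub_ip tcp dport $app_port dnat to $app_srv
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already allowed.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published port (destination is already translated here).
        iifname $wan_if oifname $dmz_if ip daddr $app_srv tcp dport $app_port ct state new accept

        # LAN -> DMZ: internal users get the same single port, nothing more.
        iifname $lan_if oifname $dmz_if ip daddr $app_srv tcp dport $app_port ct state new accept

        # DMZ -> LAN: no rule, so new connections from the server into the LAN
        # hit the default drop policy.
    }
}
```

With the forward policy set to drop, the server's other listening ports are unreachable from outside, and a compromised DMZ server cannot open connections into the LAN.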