DaveWWW (Canada) asked:
What is the appropriate security measure for this kind of remote access?

I have a client who has a database of customer information running on a server on his local LAN.  He accesses it from a browser via (for example) http://192.168.1.25/DatabaseProg.  He wants to give some of his customers access to that database from the Internet.  He does not run a web server per se, just this database program.

Two questions:
1. What is the appropriate security and mechanism for this?  He's hoping to simply open a port on the router.
2. Assuming I open a port on the router, is this syntax correct? http://MyDomain.com/DatabaseProg:[portnumber].  My experience has only been with urls such as http://MyDomain.com:[portnumber]
Jason Crawford:

If you're just opening a port you're not locking down access to only include those users accessing the database.  If they have static IPs you could always create an ACL on your firewall and use PAT to direct the connection to the DB server.
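The "ACL on the firewall + PAT to the DB server" arrangement Jason describes, written out as iptables rules. This is an added example, not configuration from the thread: it assumes a Linux router running iptables with WAN interface eth0, reuses the thread's placeholder addresses (WAN 1.1.1.1, DB server 192.168.1.25), and the customer addresses 203.0.113.5 and 198.51.100.0/24 are constructed for illustration. The `review()` step flags the two things a practitioner would want checked before the port is opened: an ACL that matches everyone, and a forward that terminates on plaintext port 80.

```python
"""Added example: firewall ACL plus NAT/PAT to the DB server, as iptables rules.

Assumed: Linux router, iptables, WAN interface eth0. The WAN IP 1.1.1.1 and
DB server 192.168.1.25 are the thread's placeholders; the customer source
addresses 203.0.113.5 and 198.51.100.0/24 are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Forward:
    wan_if: str          # interface facing the Internet
    wan_ip: str          # public address the A record points at
    ext_port: int        # port customers connect to
    int_ip: str          # LAN address of the DB server
    int_port: int        # port the DB program listens on in IIS (80 or 443)
    allowed_sources: list = field(default_factory=list)  # empty = anyone


def review(fwd: Forward) -> list:
    """Findings to settle before applying the rules; an empty list means clean."""
    findings = []
    if not ipaddress.ip_address(fwd.int_ip).is_private:
        findings.append("target is not a LAN (RFC 1918) address")
    if not fwd.allowed_sources:
        findings.append("no source ACL: the DB login page is reachable from the whole Internet")
    for src in fwd.allowed_sources:
        if ipaddress.ip_network(src, strict=False).prefixlen == 0:
            findings.append(f"ACL entry {src} matches every address")
    if fwd.int_port == 80:
        findings.append("forward ends on port 80: customer logins cross the Internet in plaintext; "
                        "install the cert in IIS and forward to 443 instead")
    return findings


def iptables_rules(fwd: Forward) -> list:
    """Rules for the ACL (FORWARD chain) and the PAT (nat PREROUTING chain)."""
    rules = [
        # replies belonging to connections the LAN already accepted
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    sources = fwd.allowed_sources or [None]   # None = no -s match, i.e. any IP
    for src in sources:
        s = f" -s {src}" if src else ""
        # PAT: rewrite wan_ip:ext_port to int_ip:int_port before routing
        rules.append(
            f"iptables -t nat -A PREROUTING -i {fwd.wan_if}{s} -d {fwd.wan_ip} "
            f"-p tcp --dport {fwd.ext_port} -j DNAT --to-destination {fwd.int_ip}:{fwd.int_port}"
        )
        # ACL: only rewritten connections from these sources may be forwarded
        rules.append(
            f"iptables -A FORWARD -i {fwd.wan_if}{s} -d {fwd.int_ip} "
            f"-p tcp --dport {fwd.int_port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    # everything else arriving from the WAN is dropped
    rules.append(f"iptables -A FORWARD -i {fwd.wan_if} -j DROP")
    return rules


# Constructed scenario: two customers with static addresses, HTTPS on the server.
PLAN = Forward("eth0", "1.1.1.1", 443, "192.168.1.25", 443,
               allowed_sources=["203.0.113.5", "198.51.100.0/24"])

if __name__ == "__main__":
    for finding in review(PLAN):
        print("FINDING:", finding)
    print("\n".join(iptables_rules(PLAN)))
```

Running it with an empty `allowed_sources` and `int_port=80` reproduces the "just open a port" plan from the question and prints both findings; the rule set it emits is the one to avoid putting on the router.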
DaveWWW (asker):

Thanks very much for your answer. I think basically what I'm asking is this:

The user currently is able to connect to the database via http://192.168.1.25/DatabaseProg which is an activeweb database, seemingly running in IIS as a website, since it is accessed through the browser.  What I need to know is exactly how does this user access the same database from outside the building? I'm not versed in IIS but I just want to give this guy a little help.

Thanks.
Jason Crawford:

I apologize for the delay in my reply, I've been out of town.

The http://192.168.1.25/DatabaseProg URL will not be accessible externally since it's pointing to a LAN IP (sorry if I'm telling you something you already know).  You'll have to publish an A record in public DNS pointing to your WAN IP...let's call the A record DBProg.domain.com and the IP 1.1.1.1.  The record would look like this:

Type: A
Host: DBProg
Target: 1.1.1.1

Once that is in place you can optionally install an SSL cert in IIS to support https on port 443 to secure the connection to the DB.  On your firewall you'll want to first create an ACL allowing any IP (or his static IP if applicable) on port 80 or 443 then NAT the external connection coming in to 1.1.1.1 to 192.168.1.25.

Either that or create a VPN on your firewall and help him configure the VPN client on his workstation.  With a VPN he can use the same http://192.168.1.25/DatabaseProg URL he's already using; the VPN will use DHCP to hand him a LAN IP and set an internal DNS server.
DaveWWW (asker):

Thanks very much.  I'll be on site tomorrow.  Assuming I want to just connect to the external IP for now, once I do the port 80 port forward pointing to the server's LAN IP, what do I use as a complete URL externally, knowing that internally they navigate to http://192.168.1.10/DatabaseProg? Assuming an external static IP of 123.456.789, is the access from outside now http://123.456.789/DatabaseProg?
Jason Crawford:

Ah good point...yes you can just use the IP.  I guess it's just automatic I create A records because I generally deal with Exchange that requires an SSL cert.  Either way works.
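Question 2 from the original post (where the port goes in the external URL) is not answered explicitly above, so here is an added example, not from the thread, that derives the customer-facing URL from the LAN URL and the port forward, and shows what a browser makes of the two candidate forms. It assumes the public name DBProg.domain.com from the DNS answer above and a forward from external port 2222 to the server's port 80; the LAN URL is the one the asker gives.

```python
"""Added example (not from the thread): where the port goes in the URL a
customer types, derived from the LAN URL and the port forward.

Assumed: public name DBProg.domain.com (the DNS answer's placeholder), external
port 2222 forwarded to the server's port 80, or 443 to 443 once the IIS cert
is installed.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def external_url(internal_url: str, public_host: str, ext_port: int, scheme: str = None) -> str:
    """Rewrite the LAN URL for use through the port forward.

    Only the authority (host[:port]) changes; the path /DatabaseProg is what
    IIS routes on, so it is kept exactly as on the LAN.
    """
    parts = urlsplit(internal_url)
    scheme = scheme or parts.scheme
    if ext_port == DEFAULT_PORTS[scheme]:
        netloc = public_host                  # :80 / :443 is implied, omit it
    else:
        netloc = f"{public_host}:{ext_port}"  # the port belongs right after the host
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def parse(url: str) -> dict:
    """What a browser actually sees in a URL: host (lowercased), port and path."""
    p = urlsplit(url)
    return {"host": p.hostname, "port": p.port, "path": p.path}


if __name__ == "__main__":
    lan = "http://192.168.1.10/DatabaseProg"
    print(external_url(lan, "DBProg.domain.com", 2222))
    # The form from question 2, http://host/DatabaseProg:2222, leaves the port
    # in the path: the browser connects to port 80 and asks IIS for a resource
    # named "/DatabaseProg:2222", which does not exist.
    print(parse("http://DBProg.domain.com/DatabaseProg:2222"))
    print(parse("http://DBProg.domain.com:2222/DatabaseProg"))
```

The parse of the wrong form shows `port` as `None` and the `:2222` stuck in the path, which is why only `http://host:2222/DatabaseProg` reaches the forwarded port.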
DaveWWW (asker):

I don't understand how the port forward gives enough info to run the database, given the internal URL is http://192.168.1.10/DatabaseProg.  With that internal URL I would have thought that the external URL would be http://223.456.789/DatabaseProg. No?
ASKER CERTIFIED SOLUTION

Jason Crawford:

This solution is only available to members of Experts Exchange.
DaveWWW (asker):

Yes, http://123.456.789:2222/DatabaseProg works fine.  Created an A record for a subdomain at the web host DNS records, pointing to the client's server IP and that works fine too.  I'll likely have a question about installing an SSL certificate next week, so I'll update this question next week.
Jason Crawford:

If the original question is answered you'll want to mark this one as complete and open a new question.  Feel free to send me a message when you do and we can continue working together.