What is the appropriate security measure for this kind of remote access?

I have a client who has a database of customer information running on a server on his local LAN.  He accesses it from a browser via (for example) http://192.168.1.25/DatabaseProg.  He wants to give some of his customers access to that database from the Internet.  He does not run a web server per se, just this database program.

Two questions:
1. What is the appropriate security and mechanism for this?  He's hoping to simply open a port on the router.
2. Assuming I open a port on the router, is this syntax correct? http://MyDomain.com/DatabaseProg:[portnumber].  My experience has only been with URLs such as http://MyDomain.com:[portnumber]
DaveWWW Asked:

Jason Crawford (Transport Ninja) Commented:
If you're just opening a port you're not locking down access to only include those users accessing the database.  If they have static IPs you could always create an ACL on your firewall and use PAT to direct the connection to the DB server.
0
DaveWWW (Author) Commented:
Thanks very much for your answer. I think basically what I'm asking is this:

The user currently is able to connect to the database via http://192.168.1.25/DatabaseProg which is an activeweb database, seemingly running in IIS as a website, since it is accessed through the browser.  What I need to know is exactly how does this user access the same database from outside the building? I'm not versed in IIS but I just want to give this guy a little help.

Thanks.
0
Jason Crawford (Transport Ninja) Commented:
I apologize for the delay in my reply, I've been out of town.

The http://192.168.1.25/DatabaseProg URL will not be accessible externally since it's pointing to a LAN IP (sorry if I'm telling you something you already know).  You'll have to publish an A record in public DNS pointing to your WAN IP...let's call the A record DBProg.domain.com and the IP 1.1.1.1.  The record would look like this:

Type: A
Host: DBProg
Target: 1.1.1.1

Once that is in place you can optionally install an SSL cert in IIS to support https on port 443 to secure the connection to the DB.  On your firewall you'll want to first create an ACL allowing any IP (or his static IP if applicable) on port 80 or 443 then NAT the external connection coming in to 1.1.1.1 to 192.168.1.25.

Either that or create a VPN on your firewall and help him configure the VPN client on his workstation.  With a VPN he can use the same http://192.168.1.25/DatabaseProg URL he's already using. The VPN will use DHCP to hand him a LAN IP and set an internal DNS server.
0
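
The difference between "just opening a port" and the ACL plus PAT/NAT setup discussed above, modelled as an added example that is not part of the original thread and is not any particular firewall's configuration. The customer and outsider addresses are constructed (RFC 5737 documentation ranges), and the `Forward` rule format is hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    """One firewall entry: the ACL source match plus the PAT/NAT target."""
    source: str      # CIDR the ACL allows
    wan_port: int    # port exposed on the WAN IP
    lan_host: str    # internal server the connection is translated to
    lan_port: int

DB_SERVER = "192.168.1.25"  # LAN address of the database server in the thread
# Constructed customer static IPs (documentation range, not real hosts).
CUSTOMERS = ["203.0.113.10/32", "203.0.113.77/32"]

# "Just open a port": any source address, plain HTTP.
OPEN_PORT = [Forward("0.0.0.0/0", 80, DB_SERVER, 80)]
# One ACL entry per customer static IP, HTTPS only.
ACL_PAT = [Forward(c, 443, DB_SERVER, 443) for c in CUSTOMERS]

def translate(rules, src_ip, wan_port):
    """Return (lan_host, lan_port) for the first matching rule, or None if dropped."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if wan_port == r.wan_port and src in ipaddress.ip_network(r.source):
            return (r.lan_host, r.lan_port)
    return None

def audit(rules):
    """List the findings a reviewer would raise before the rules go live."""
    findings = []
    for r in rules:
        if ipaddress.ip_network(r.source).prefixlen == 0:
            findings.append(f"port {r.wan_port}: reachable from any Internet address")
        if r.lan_port == 80:
            findings.append(f"port {r.wan_port}: forwards to plain HTTP, traffic is unencrypted")
    return findings

if __name__ == "__main__":
    for name, rules in (("open port", OPEN_PORT), ("ACL + PAT", ACL_PAT)):
        print(name, audit(rules))
        for src in ("203.0.113.10", "198.51.100.23"):  # customer vs. unrelated host
            port = rules[0].wan_port
            print(f"  {src} -> :{port} =>", translate(rules, src, port))
```
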
DaveWWW (Author) Commented:
Thanks very much.  I'll be on site tomorrow.  Assuming I want to just connect to the external IP for now, once I do the port 80 port forward pointing to the server's LAN IP, what do I use as a complete URL externally, knowing that internally they navigate to http://192.168.1.10/DatabaseProg? Assuming an external static IP of 123.456.789, is the access from outside now http://123.456.789/DatabaseProg?
0
Jason Crawford (Transport Ninja) Commented:
Ah good point...yes you can just use the IP.  I guess it's just automatic I create A records because I generally deal with Exchange that requires an SSL cert.  Either way works.
0
DaveWWW (Author) Commented:
I don't understand how the port forward gives enough info to run the database, given the internal URL is http://192.168.1.10/DatabaseProg.  With that internal URL I would have thought that the external URL would be http://223.456.789/DatabaseProg. No?
0
Jason Crawford (Transport Ninja) Commented:
Correct, the external URL would be whatever your WAN IP is unless you are on a VPN, in which case the internal URL can still be used.
0

DaveWWW (Author) Commented:
Yes, http://123.456.789:2222/DatabaseProg works fine.  Created an A record for a subdomain at the web host DNS records, pointing to the client's server IP and that works fine too.  I'll likely have a question about installing an SSL certificate next week, so I'll update this question next week.
0
Jason Crawford (Transport Ninja) Commented:
If the original question is answered you'll want to mark this one as complete and open a new question.  Feel free to send me a message when you do and we can continue working together.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.