web application integration with .NET application

D_wathi used Ask the Experts™
Dear Experts

We have CRM which is web application on a LAMP stack deployed on premise, the external users can access this application via 2FA, the 2FA solution that we have used is Duo Security (where CRM application uses Duo Access gateway and Duo Access Gateway use Windows AD for authentication).
  As We could not achieve advanced Reporitng though CRM application hence we went for custom development using .NET.   This takes csv output from CRM and generates the expected reports.
 We have to integrate these 2 applications and based on feasibility between 2 application implementers understood in the CRM application they will provide link of .NET application when click on it, this will open up the new tab of the Reporitng server from here the reports are fetched. CRM login user and reporting system login user will be same they will use the tokens for each user but the .net implementer says static token once in few days this can be changed.

Suggestion /advice requested.

From IT point of view:  CRM server URL is published to public/internet but reporting server URL is not published for public/internet, in this case when external user access the CRM application via 2FA and then click on advanced reporting will it resolve the reporting server URL (for the external user who has already gained access of CRM application please suggest). I think it is not possible please suggest.
Please help me with best way to ensure the security and reporting server URL also accessible for the external users once they already accessed CRM and click for Reporting server URL (will publish Reporitng server to public/internet but if someone steals the URL) as .NET implementer says static token integration with CRM application, if this URL is leaked then other can access the Reporitng server.)
Please suggest the best practice. Thanks in advance.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Fractional CTO
Distinguished Expert 2018
Your question is a bit confusing.

As I understand you have some reporting URLs which resolve locally (no public IP).

What I'm missing is if you require people logged in to be able to access these or not.

1) If the answer is yes, then you'll move your .NET code to a public IP.

2) If the answer if no, then just ACL the .NET reporting URLs at the SugarCRM level, so they don't show up.

You may require running your SugarCRM -> .NET requests through a public IP (proxy) with code to do ACLs + tell some people they have access + other people they don't have access.


sorry for any confusion. yes will have to make .NET code to a public IP so that the users of CRM application will click on link this will resolve to the Reporting server URL. what I would like to achieve is the reporting server access to be possible only when it happens via the CRM application only, should I have to ask CRM implementer to pass the encrypted token with mapping table. please suggest.
How big is the issue of external users accessing the CRM and reporting? Do you need a solution for 2 users or for a 1000 users?
How big is the security concern?
How big is your budget?

Your method of managing authentication is lame, but it works inside your network.
The most obvious way is to make the reporting service available to external users is to fool the system into thinking that they are still on the internal network, by using a VPN.  
Only users with a valid VPN connection will be able to access the reporting server.

The alternative to a VPN is to use a Zero trust service.
Akamai EAA
Cloudflare Access
David FavorFractional CTO
Distinguished Expert 2018

Normally what you're describing is handled already by all CMS or CRM platforms.

In other words, until a person logs in, they can't access any content or reporting URLs or any system functions.

Once logged in, the role management system inside the CMS/CRM will allow access to various URLs.
David FavorFractional CTO
Distinguished Expert 2018

Oh... Maybe you've written a CRM from scratch (shudder) + that's why your asking these questions.

Mention the exact CRM you're using or if you've written custom code from scratch.

This will help with next round of answers to your question.


Thanks for the reply, we use sugar crm and use duo security for 2 levels of authentication the design as follows
1. configuried  sugar crm to use the Duo Access Gateway and the Duo Access Gateway to use AD
2, having an authentication source that  Duo Access Gateway can use is the requirement
3.Duo access gateway on DMZ
as we found limitations on sugar reports hence custom developed on .net and c sharp and MSSQL now , now I am looking for single sign on when users login to sugarcrm they should also get access to .net application. please suggest.
SugarCRM supports AD as an authentication source.
Use AD, and define the access authorization in AD.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial