web application integration with .NET application

Dear Experts

We have a CRM, which is a web application on a LAMP stack deployed on premises. External users can access this application via 2FA; the 2FA solution that we have used is Duo Security (the CRM application uses Duo Access Gateway, and Duo Access Gateway uses Windows AD for authentication).
As we could not achieve advanced reporting through the CRM application, we went for custom development using .NET. This takes CSV output from the CRM and generates the expected reports.
We have to integrate these 2 applications. Based on feasibility, the two application implementers understood that the CRM application will provide a link to the .NET application; clicking on it will open a new tab on the reporting server, from which the reports are fetched. The CRM login user and the reporting system login user will be the same. They will use tokens for each user, but the .NET implementer says it will be a static token that can be changed once every few days.

Suggestions/advice requested.

From an IT point of view: the CRM server URL is published to the public internet, but the reporting server URL is not. In this case, when an external user accesses the CRM application via 2FA and then clicks on advanced reporting, will it resolve the reporting server URL (for the external user who has already gained access to the CRM application)? I think it is not possible; please suggest.
Please help me with the best way to ensure security while making the reporting server URL accessible to external users once they have accessed the CRM and clicked the reporting server URL. (We will publish the reporting server to the public internet, but what if someone steals the URL? The .NET implementer says static token integration with the CRM application; if this URL is leaked, then others can access the reporting server.)
Please suggest the best practice. Thanks in advance.

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Your question is a bit confusing.

As I understand you have some reporting URLs which resolve locally (no public IP).

What I'm missing is if you require people logged in to be able to access these or not.

1) If the answer is yes, then you'll move your .NET code to a public IP.

2) If the answer is no, then just ACL the .NET reporting URLs at the SugarCRM level, so they don't show up.

You may require running your SugarCRM -> .NET requests through a public IP (proxy) with code to do ACLs + tell some people they have access + other people they don't have access.

D_wathi (Author) commented:
Sorry for any confusion. Yes, we will have to move the .NET code to a public IP so that when users of the CRM application click on the link, it will resolve to the reporting server URL. What I would like to achieve is for reporting server access to be possible only when it happens via the CRM application. Should I ask the CRM implementer to pass an encrypted token with a mapping table? Please suggest.
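
Added illustration, not part of the original thread and not either implementer's code: a minimal sketch of the per-user handoff token asked about above, signed and short-lived so that a leaked link cannot be reused the way a static token can. It is written in Python for both sides for brevity; the shared key, field names and 60-second lifetime are assumptions.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Assumption: a key known only to the CRM and the reporting server (constructed value).
SHARED_KEY = b"constructed-demo-key"
MAX_AGE = 60  # assumed lifetime of a handoff link, in seconds


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: str) -> str:
    return b64e(hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(user: str, now: float) -> str:
    """CRM side: build the link token only after the user has passed 2FA login."""
    claims = {"u": user, "iat": int(now), "n": secrets.token_urlsafe(16)}
    payload = b64e(json.dumps(claims).encode())
    return payload + "." + sign(payload)


def verify_token(token: str, now: float, seen: set) -> Optional[str]:
    """Reporting side: return the user name, or None if the token is rejected."""
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig, sign(payload)):
            return None  # forged or altered
        claims = json.loads(b64d(payload))
    except (ValueError, TypeError):
        return None  # malformed
    if not 0 <= now - claims["iat"] <= MAX_AGE:
        return None  # expired, or issued in the future
    if claims["n"] in seen:
        return None  # already used once: a copied link is worthless
    seen.add(claims["n"])  # in production: a shared store with a TTL of MAX_AGE
    return claims["u"]
```

After a successful check the reporting application would start its own session for the returned user rather than keep the token in the URL.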
Shalom Carmel (CTO) commented:
How big is the issue of external users accessing the CRM and reporting? Do you need a solution for 2 users or for a 1000 users?
How big is the security concern?
How big is your budget?

Your method of managing authentication is lame, but it works inside your network.
The most obvious way to make the reporting service available to external users is to fool the system into thinking that they are still on the internal network, by using a VPN.
Only users with a valid VPN connection will be able to access the reporting server.

The alternative to a VPN is to use a Zero trust service.
Akamai EAA
Cloudflare Access

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Normally what you're describing is handled already by all CMS or CRM platforms.

In other words, until a person logs in, they can't access any content or reporting URLs or any system functions.

Once logged in, the role management system inside the CMS/CRM will allow access to various URLs.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Oh... Maybe you've written a CRM from scratch (shudder) + that's why you're asking these questions.

Mention the exact CRM you're using or if you've written custom code from scratch.

This will help with next round of answers to your question.
D_wathi (Author) commented:
Thanks for the reply. We use SugarCRM and use Duo Security for two levels of authentication. The design is as follows:
1. Configured SugarCRM to use the Duo Access Gateway, and the Duo Access Gateway to use AD.
2. Having an authentication source that Duo Access Gateway can use is the requirement.
3. Duo Access Gateway is in the DMZ.
As we found limitations in Sugar reports, we custom developed on .NET, C# and MSSQL. Now I am looking for single sign-on: when users log in to SugarCRM, they should also get access to the .NET application. Please suggest.
Shalom Carmel (CTO) commented:
SugarCRM supports AD as an authentication source.
Use AD, and define the access authorization in AD.