5 Replies Latest reply on Feb 8, 2012 2:04 PM by dmshimself

    Ideas on how to install DMZ App Server without opening SQL Ports?

    jkstillman1 Rookie

      Does anyone know of a way to install the Service Desk app server in the DMZ without opening the SQL ports through your firewall and allowing that direct access to the DB?

        • 1. Re: Ideas on how to install DMZ App Server without opening SQL Ports?
          dmshimself ITSMMVPGroup

          You could have a TPS web service inside your internal infrastructure and that would use the SQL server connection as normal.  Then point the app server services in the DMZ to use that framework instead.  It can run over https too.  So it should be pure web traffic and that is secured.

          • 2. Re: Ideas on how to install DMZ App Server without opening SQL Ports?
            wamccoid Specialist

            I am trying to set this up in 7.5 and have a custom instance created pointing to the framework on my internal server that has access to the SQL DB.  However, I am assuming I need to have a Web Access Application so that it knows where to go when you go to the DMZ server.  However, to do that you have to have an App Pool, and it looks like the Web Access needs direct access to the SQL DB.  Any ideas would be greatly appreciated.


            Thanks,

            Will

            • 3. Re: Ideas on how to install DMZ App Server without opening SQL Ports?
              dmshimself ITSMMVPGroup

              Specifically for WebAccess you will need to open the database ports to the inside world so that it can function, and port 80/443 to the outside world so people can access WebAccess.  For services like mail etc. you could point those at a TPS Framework running on another server and that could be over https, but I suspect you are not wanting to run any applications in the DMZ.  You'll also need to consider how authentication is to be done.

              • 4. Re: Ideas on how to install DMZ App Server without opening SQL Ports?
                wamccoid Specialist

                Thank you for your comments, I appreciate it.  So here is what we have.  We have an internal 7.5 Service Desk app server and an internal Database server.  Everything inside the network is fine and works great.  Now, in the DMZ we have another 7.5 server on which I configured a custom instance and pointed it to my internal framework; however, I think you have to have a WebAccess pointing to an app pool, and with that it seems like you have access to the database, meaning we'd have to open up our firewall to the SQL ports.  Am I understanding you correctly?  Thanks again for your help.  We really need to avoid opening anything other than 443 to the outside world on our server sitting in the DMZ.

                • 5. Re: Ideas on how to install DMZ App Server without opening SQL Ports?
                  dmshimself ITSMMVPGroup

                  I think I can see what you are doing.  The app pool isn't important here, it's the configuration of the various services you have created in your instance.  Let's stick to just WebAccess for the moment.  For WebAccess you have a configuration on the instance you have created which specifies the pool for sure, but the key is the database credentials.  WebAccess has its own thread to the database and has to have access to that.


                  But for a typical DMZ configuration you would only open port 80/443 to the outside world and open the database ports just to the inside world.  Indeed you would probably set up firewall rules to restrict access to the internal DB server by MAC address to the WebAccess server as well.  You would not allow the outside world access to the DB ports and this isn't needed for WebAccess to work.


                  The only other ports to consider are those for authentication if you are going to need LDAP or AD authentication and for file access if you are going to allow people to get knowledge searches.  Again these can be tied down by MAC address and are from the WebAccess server to the inside world.


                  Depending on where you are in the world, you may be able to make use of LANDesk consultants who have experience of setting these sorts of systems up.
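The segmentation described in this thread (only 80/443 from the outside world to the DMZ host, the SQL ports only from the WebAccess server to the internal DB, and authentication and file-share ports likewise only from that host to the inside) can be checked mechanically against a firewall rule export. The following is an added example, not code from the thread or from LANDesk; the zone names, the `Rule` layout, the hostnames `dmz-webaccess`, `int-sql`, `int-dc`, `int-files` and the port groups are all constructed assumptions that would need to be mapped onto a real firewall's export format. It keys rules by zone and host rather than MAC address, and the sample rule set deliberately contains two mistakes so the checker has something to report.

```python
"""Validate a DMZ firewall rule set against the segmentation dmshimself describes.

Added example; not LANDesk's own code or tooling.  Zone names, the Rule
layout, hostnames and port groups are constructed for illustration, so map
them onto your own firewall export before relying on the result.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Port groups (assumed common defaults; confirm against your own servers).
WEB_PORTS = frozenset({80, 443})          # what the outside world may reach
DB_PORTS = frozenset({1433, 1434})        # SQL Server engine / browser service
AUTH_PORTS = frozenset({88, 389, 636})    # Kerberos, LDAP, LDAPS
FILE_PORTS = frozenset({445})             # SMB for knowledge-base file access
INSIDE_OK = DB_PORTS | AUTH_PORTS | FILE_PORTS


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "internet", "dmz" or "internal"
    src_host: str   # a hostname or "any"
    dst_zone: str
    dst_host: str
    port: int       # 0 means "any port"
    action: str     # "allow" or "deny"


def check_policy(rules: Iterable[Rule], webaccess_host: str, db_host: str) -> List[str]:
    """Return one finding per allow rule that violates the DMZ design.

    Design being checked (from the thread): internet -> DMZ on 80/443 only;
    the DMZ WebAccess host -> internal DB on the SQL ports only; other
    DMZ -> internal traffic limited to auth and file ports and pinned to a
    named host; nothing from the internet to the internal zone.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        where = f"{r.src_zone}/{r.src_host} -> {r.dst_zone}/{r.dst_host}:{r.port or 'any'}"
        if r.port == 0:
            findings.append(f"wildcard port allowed: {where}")
            continue
        if r.src_zone == "internet":
            if r.dst_zone != "dmz":
                findings.append(f"internet reaches non-DMZ zone: {where}")
            elif r.port not in WEB_PORTS:
                findings.append(f"internet reaches non-web port: {where}")
        elif r.src_zone == "dmz" and r.dst_zone == "internal":
            if r.port in DB_PORTS:
                if r.src_host != webaccess_host or r.dst_host != db_host:
                    findings.append(f"DB port not pinned to WebAccess->DB pair: {where}")
            elif r.port not in INSIDE_OK:
                findings.append(f"unexpected DMZ->internal port: {where}")
            elif r.src_host == "any":
                findings.append(f"DMZ->internal rule not pinned to a host: {where}")
    return findings


# Constructed sample rule set: the intended design plus two mistakes.
SAMPLE_RULES = [
    Rule("internet", "any", "dmz", "dmz-webaccess", 443, "allow"),
    Rule("internet", "any", "dmz", "dmz-webaccess", 80, "allow"),
    Rule("dmz", "dmz-webaccess", "internal", "int-sql", 1433, "allow"),
    Rule("dmz", "dmz-webaccess", "internal", "int-dc", 636, "allow"),
    Rule("dmz", "dmz-webaccess", "internal", "int-files", 445, "allow"),
    # Mistake 1: a SQL port opened from the outside world, which the OP wants to avoid.
    Rule("internet", "any", "dmz", "dmz-webaccess", 1433, "allow"),
    # Mistake 2: any DMZ host may reach the DB, not just the WebAccess server.
    Rule("dmz", "any", "internal", "int-sql", 1433, "allow"),
    Rule("internet", "any", "internal", "any", 0, "deny"),
]

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_RULES, "dmz-webaccess", "int-sql"):
        print("FINDING:", finding)
```

Run against the first five sample rules alone the checker returns no findings; with the full list it reports the externally reachable SQL port and the unpinned DMZ-to-DB rule. Deny rules are skipped because only allow rules can widen exposure.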