Loading User Information from Channel 9
Something went wrong getting user information from Channel 9
Loading User Information from MSDN
Something went wrong getting user information from MSDN
Loading Visual Studio Achievements
Something went wrong getting the Visual Studio Achievements
Oops, something didn't work.
Can some help and give any idea to call a web service running inside secure network (domain) from a DMZ zone.
I have some idea that we may need to open port 80 for the server inside domain. I want to know is there any security risk? what is intensity? and how can we authenticate to the web service?
Is there any other better option?
Thanks
Sorry I'm a little confused... So the web-service is located behind a NAT and you are located outside of it?
If that is the case then you have three options off the top of my head -
1) Static Routing (External:80 -> Internal:80)
2) Dyanmic Routing (If the IP is from the Whitelist then External:80 -> Internal:80)
3) VPN (Your machine becomes part of the remote intranet)
As far as security goes... #2 is the most secure if you limit it to ports you need and make a logical whitelist. #3 is roughly even with #1 in that it entirely depends on how good your infrastructure is and strong passwords are etc.
ManipUni said:Sorry I'm a little confused... So the web-service is located behind a NAT and you are located outside of it?
If that is the case then you have three options off the top of my head -
1) Static Routing (External:80 -> Internal:80)2) Dyanmic Routing (If the IP is from the Whitelist then External:80 -> Internal:80)
3) VPN (Your machine becomes part of the remote intranet)
As far as security goes... #2 is the most secure if you limit it to ports you need and make a logical whitelist. #3 is roughly even with #1 in that it entirely depends on how good your infrastructure is and strong passwords are etc.
Thanks for your reply. Lets say if we run our web service in internal server and enable SSL with required client certificate, and setup certificate to the DMZ server, do we need to setup any extra authentication for the web service? if yes how?
I want to make sure that no one should have access to these web service and the internal web server other that the server with client side certificate in DMZ zone. Please shed some light. Is there any thing else that I sould also considering (security point of view)?
figuerres
???
Avid said:ManipUni said:*snip*Thanks for your reply. Lets say if we run our web service in internal server and enable SSL with required client certificate, and setup certificate to the DMZ server, do we need to setup any extra authentication for the web service? if yes how?
I want to make sure that no one should have access to these web service and the internal web server other that the server with client side certificate in DMZ zone. Please shed some light. Is there any thing else that I sould also considering (security point of view)?
you can do many things...
one minor example:
in IIS you can configure the web site running the service to only accept connections from a single IP address if you wish to limit what can connect to it.
if you are going to use a client certificate and ssl you will also need to open the SSL / HTTPS port.
web services and wcf can use certificates, passwords and other methods to secure them.
but given the case you describe i might just use routing and ip to manage it.
ssl adds overhead. ssl would be more usefull of the two servers were in different offices and had to cross the internet to reach each other.
just my opinion.
Avid said:ManipUni said:*snip*Thanks for your reply. Lets say if we run our web service in internal server and enable SSL with required client certificate, and setup certificate to the DMZ server, do we need to setup any extra authentication for the web service? if yes how?
I want to make sure that no one should have access to these web service and the internal web server other that the server with client side certificate in DMZ zone. Please shed some light. Is there any thing else that I sould also considering (security point of view)?
Why are you putting a server into the DMZ?
Is this certificate one you have generated in-house? And is the security configured to only allow that exact certificate and not, for example, to allow anything generated by that certificate authority? Also have you considered configuring Windows Firewall to only allow connections to your SSL ports from this known server?
© 2013 Microsoft. Except where designated as licensed by
Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License,
Microsoft reserves all rights associated with the materials on this site.
Thread Closed
This thread is kinda stale and has been closed but if you'd like to continue the conversation, please create a new thread in our Forums,
or Contact Us and let us know.