Thanks for your reply. Let's say we run our web service on an internal server and enable SSL with a required client certificate, and set up the certificate on the DMZ server; do we need to set up any extra authentication for the web service? If yes, how?
I want to make sure that no one has access to this web service and the internal web server other than the server with the client-side certificate in the DMZ zone. Please shed some light. Is there anything else that I should also consider (security point
You can do many things...
One minor example:
In IIS you can configure the web site running the service to only accept connections from a single IP address if you wish to limit what can connect to it.
If you are going to use a client certificate and SSL you will also need to open the SSL / HTTPS port.
Web services and WCF can use certificates, passwords and other methods to secure them.
But given the case you describe I might just use routing and IP to manage it.
SSL adds overhead. SSL would be more useful if the two servers were in different offices and had to cross the internet to reach each other.
Just my opinion.
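As an added example, not part of the posts above: the two IIS controls mentioned in the thread (a single allowed IP address, and SSL with a required client certificate) written as a configuration fragment. The address 192.0.2.10 is a constructed placeholder for the DMZ server, and the fragment assumes the IP and Domain Restrictions feature is installed.

```xml
<!-- Added example. Both sections are locked at server level by default,
     so place this in applicationHost.config inside a <location> element
     for the site, or unlock the sections before using it in web.config. -->
<configuration>
  <system.webServer>
    <security>

      <!-- Deny every client that is not listed explicitly. -->
      <ipSecurity allowUnlisted="false">
        <!-- Placeholder address standing in for the DMZ server. -->
        <add ipAddress="192.0.2.10" allowed="true" />
      </ipSecurity>

      <!-- Require HTTPS and refuse the request unless the client
           presents a certificate during the TLS handshake.
           Note: this accepts any certificate that chains to a root the
           internal server trusts. It does not by itself restrict access
           to the one certificate installed on the DMZ server. -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />

    </security>
  </system.webServer>
</configuration>
```

With both settings in place, a request must come from the listed address and carry a trusted client certificate, so the IP rule and the certificate check back each other up.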