Focus on Microsoft
It's a good DMZ security practice to avoid allowing any connections to the
private network to be initiated from the DMZ. It helps reduce the likelihood
of that connection mechanism being exploited. You could set up a scheduled job
on your BizTalk server that would poll the web server periodically for new
files, and pull them down. You could do this via a secure method like
IPsec, SSH, etc. You probably have some method for remotely copying files
to the DMZ web servers already, and you may be able to simply use that
method, just automate it.
If you need the files to be copied to the BizTalk server on demand (i.e. the
customer needs immediate confirmation the files have been uploaded to the
back-end), you could set up a method by which your web server sends a
message (via a more secure protocol like http? :) to the BizTalk server to
pick up the files, then use the above automated copy method (or something
like it) to pull the files from the web server. This breaks the rule of NOT
initiating communications from the DMZ, but at the least it mitigates some
risk by not allowing any method that pushes files from the DMZ to the
private network.
If you don't care about whether communications are initiated, and files
pushed, from the DMZ, then the sky is the limit. Although you'd be adding
some risk to your environment.
Sincerely
Marcus
-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill (at) gilltechnologies (dot) com]
Sent: Wednesday, November 20, 2002 8:19 AM
To: focus-ms (at) securityfocus (dot) com
Subject: ASP, Biztalk server SQL DB and Firewall architecture.
Greetings folks,
I am facing the following problem and hope to get some valuable advice from
all of you. I would appreciate it if there could be some response on this.
In our architecture, we have a web server, a Biztalk server and a database
server. The Web server hosts the ASP page that the external customer will
access. The external customer will submit files via this ASP page. The ASP page
will upload the file and store it in some directories so that BIZTALK can
process it.
But now the problem is that the Web server is hosted in the DMZ (between the
external and internal firewalls), and the Biztalk server and database server
are hosted behind the firewall. Also, since the file receive function of BIZTALK can
only poll the file from the local hard disk, the files to be processed by
BIZTALK must somehow be available on the BIZTALK server.
Can ASP sitting in the DMZ upload the file to the BIZTALK server which is
sitting behind the firewall? Can the BIZTALK server be accessible from the web
server since they are separated by a firewall? If yes, is there any setting that
needs to be done to achieve this? Or are there other better methods that you can
think of to process the file using the current architecture? Do you know what
the common implementations are for this type of scenario?
Thanks in advance for the help.
Kind Regards
Gill
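
One way to write the pull job described in the reply above, as an added example that is not part of the original thread: it runs on the internal BizTalk host and treats everything in the DMZ drop directory as untrusted. The function name `pull_once`, the directory arguments, the naming policy and the size and age limits are all assumptions; the DMZ directory is assumed to be reachable over a connection opened from the internal side.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed policy values; tune them to the application.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")
MIN_AGE_SECONDS = 5  # younger files may still be mid-upload on the web server


def pull_once(dmz_drop, staging, receive_dir, max_bytes=10 * 1024 * 1024):
    """Run on the internal host. Pulls finished uploads from the DMZ drop
    directory into the local folder BizTalk polls. `staging` must be on the
    same volume as `receive_dir` so the final rename is atomic."""
    pulled, skipped = [], {}
    now = time.time()
    for entry in sorted(os.scandir(dmz_drop), key=lambda e: e.name):
        name = entry.name
        if not SAFE_NAME.fullmatch(name):
            skipped[name] = "bad name"
            continue
        if not entry.is_file(follow_symlinks=False):
            skipped[name] = "not a regular file"
            continue
        if now - entry.stat(follow_symlinks=False).st_mtime < MIN_AGE_SECONDS:
            skipped[name] = "still being written"
            continue
        dest = Path(receive_dir) / name
        if dest.exists():
            skipped[name] = "already received"
            continue
        # Bounded read: never trust the size the DMZ side reports.
        with open(entry.path, "rb") as src:
            data = src.read(max_bytes + 1)
        if len(data) > max_bytes:
            skipped[name] = "too large"
            continue
        # Write into staging first so BizTalk never sees a partial file.
        fd, tmp = tempfile.mkstemp(dir=staging)
        with os.fdopen(fd, "wb") as out:
            out.write(data)
        os.replace(tmp, dest)   # atomic publish into the receive folder
        os.remove(entry.path)   # clear the DMZ copy once it is safely inside
        pulled.append(name)
    return {"pulled": pulled, "skipped": skipped}
```

Scheduled on the internal host, this keeps the firewall rule one-directional (internal to DMZ only); the skipped entries are worth logging, since rejected names or oversized files in the drop directory can indicate probing of the upload page.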