Hello,

What you describe is fairly standard. You want to create a front-end to a database, but you want to expose as little as possible to the Internet. For example, many websites throughout the Internet have been hacked recently through MS-SQL because they exposed too much on the DMZ.

I'm assuming you are using IIS with ASP scripting as your front end, and some other server in the backend.

My first question is why you bother using SSL. It really will not make your connectivity any more secure. SSL is primarily used to protect against sniffing and to authenticate both the server and the client. Since this is your DMZ and you've a firewall, presumably all that can be handled with a switched network and appropriate firewall rules (which you'd want in place anyway).

The word "redirect" is not correct. This word has meaning in HTTP, and means that the first webserver sends an error code back to the browser and tells it to directly contact the second HTTP server. What you want instead is "proxying" or "forwarding".

The key question is how you want to forward the request. It sounds like you want to do a raw "proxy" of the request, which means that you simply want to pass the entire request unchanged from the frontend server to the backend server, and that you want to pass the results from the backend server unchanged to the browser. In this case, ASPhttp is likely too generic for your needs. ASPhttp is designed for situations where the HTTP connection from the front-end to the back-end is completely different than the communication with the browser. In other words, the front end is composing the page, but needs a tidbit of info from the backend to do it.

Unfortunately, you've chosen to use SSL, which right now dramatically limits your options. Since this requires RSA patents until this September, finding code to establish SSL connections is difficult. Therefore, you are probably limited to what's built into whatever products you are using.
In any event, your alternatives are to use CGI programs or ISAPI DLLs, both of which are likely to be dramatically more complex from your point of view than ASP.

Rob.

--- stephane.dorion@hrdc-drhc.gc.ca wrote:
> ----------------------------------------------------
> Hi, we're trying to set up a 3-tiered architecture with a dmz but we're kinda
> stuck on our analysis because there's something we can't figure out. I'll
> explain... and please bear with me since I'm really new to that kind of
> technology and may be using wrong terms or definitions.
>
> Here's the path that we would like a web request to follow:
> (Better seen with a fixed font)
>
>                   |                                              |
> [ -- INTERNET ---]|[---------------- D M Z ---------------------]|[----------- INTRANET----------------]
> [Browser] -http-->|[FIREWALL] -http-> [Web Server] --> [FIREWALL]| -https-> [Web Server] ---> [Database]
> [Browser] <-http--|[FIREWALL] <-http- [Web Server] <-- [FIREWALL]| <-https- [Web Server] <--- [Database]
>   HTML            |                       ASP                    |              ASP
>                   |                                              |
>
> In this diagram, the Web Server in the DMZ is used as a "redirect" server, it
> will transfer the request to our intranet web server, which will process the
> request, send it back to the DMZ WS, which will send it to the browser.
>
> Now, first of all, can someone tell me if anything is wrong with that? If
> so... what?
>
> But my main question would be:
> How can we establish a connection between our 2 web servers, is it secure to
> allow SSL in the firewall? And more importantly, how can we use http to
> effectively transmit data between the servers, we have found a way of doing
> that but I believe it's not a good way. That is using an ASPhttp object but
> what we have to do to transmit the data is the crappiest method I've ever
> seen in my whole life and I can't believe it's the only way (with a series of
> request.form and response.write)
>
> I'm not sure I'm being clear, if anyone wants clarifications, I'll be glad to
> help you out as much as I can.
>
> Thanks
>
> Stephane Dorion
>
>
> Thank you
> Have a good day
>
> Stéphane Dorion
> Programmer-Analyst
> HRI & Self-Services
> Phone : (819) 997-3027
> Fax : (819) 997-6562
> stephane.dorion@hrdc-drhc.gc.ca
>
>

=====
Robert Graham
http://www.robertgraham.com/pubs
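The difference between a redirect and proxying described in the reply above, as an added example that is not part of the original messages: a constructed front end on localhost answers `/redirect/...` with a 302 that hands the backend address to the client, and relays `/proxy/...` itself so the client only ever talks to the front end. The class names, paths and the use of Python's standard library in place of IIS/ASP are assumptions made for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def fetch(port, path):
    """One GET, redirects not followed: (status, Location header, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"), resp.read().decode())
    conn.close()
    return result

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass
    def reply(self, status, body=b"", location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Backend(Quiet):  # stands in for the intranet web server (constructed)
    def do_GET(self):
        self.reply(200, f"backend saw {self.path}".encode())

class FrontEnd(Quiet):  # stands in for the DMZ web server (constructed)
    backend_port = None  # filled in by demo()
    def do_GET(self):
        if self.path.startswith("/redirect"):
            # Redirect: the browser is told to contact the backend itself.
            url = f"http://127.0.0.1:{self.backend_port}{self.path}"
            return self.reply(302, location=url)
        # Proxy: the front end asks the backend and relays the answer.
        status, _, body = fetch(self.backend_port, self.path)
        self.reply(status, body.encode())

def demo():
    servers = [HTTPServer(("127.0.0.1", 0), h) for h in (Backend, FrontEnd)]
    FrontEnd.backend_port = servers[0].server_port
    for srv in servers:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        front = servers[1].server_port
        return {"backend_port": servers[0].server_port,
                "redirect": fetch(front, "/redirect/page"),
                "proxy": fetch(front, "/proxy/page")}
    finally:
        for srv in servers:
            srv.shutdown()
            srv.server_close()
```

In the redirect case the intranet server's address appears in the `Location` header and the browser would need a path through both firewalls to follow it; in the proxy case only the DMZ server needs a firewall rule to reach the backend.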
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:40 PDT