We have a vendor-provided application running internally (LAN) on a Windows/MS-SQL 2012 server, providing access via IIS on the same box. The application is able to store attached documents - these are physically held in a share on this server.
There is a new component we are trying to get working - a DMZ-based 2008R2 / IIS 7.5 server that is intended to provide downloadable access to the same documents, but to external users.
We are struggling to get permissions sorted out so that the DMZ server can access the internal share, and I am wondering if what we are trying to do is not possible. The vendors are trying to use the NetworkService account to access the documents, but as the DMZ server is not part of any domain we are struggling to set appropriate permissions on the internal share (I even tried giving Everyone full access to the internal share directory).
The situation is complicated in that we don't "manage" the network/firewall infrastructure.
I've been reading up about application pool accounts and other ways of doing things but it's not my biggest area of expertise, and I suspect the vendors are struggling a bit too. Our network/firewall setup seems a bit more complex than their internal labs, and some of the suggestions they make seem misguided (they have talked about the built-in Windows firewall when we pointed out that our firewall might be blocking a port, for instance). We are early adopters of the system, which is at version 1.0.0.1.
If it helps to understand better, we have had port 445 opened from the DMZ to the Internal server. This allows the DMZ server to try and fetch the internal document (when the external user clicks the hyperlink in the app) but then it fails due to not having permissions (I believe) with the error:
Access to the path '\servername\sharename\documentfolder\9f4585db-14b9-4a93-8b4b-bfd12b5f5930.pdf' is denied.
Can anyone offer any help / guidance? I'm happy to provide more information where I can.
Many thanks in advance.