
I am working towards configuring our web application (ASP.NET on IIS7) in the following scenario:

1) The DMZ server will act as a routing server which will redirect all requests to the internal web server, which is hosted outside the DMZ environment. Is this a viable option? If not, what is the alternative?

2) The internal web server will connect to the database and send the response to the DMZ server.

3) People accessing our web application will access it through a direct URL to the internal web server without going through the DMZ server.

Is the above scenario workable?

How can I implement item 1 above so that the DMZ server acts as a routing server only? Do I need to implement a reverse proxy as mentioned in the following URL:

http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

Is there anything that I need to consider while deploying the web application to the above setup? The Crystal Reports runtime will also be installed in order to run reports. I am new to the DMZ environment, so please bear with me. Thanks for your help.

learner
  • The short answer is yes, you need the ARR acting as a reverse proxy. – Wiktor Zychla Jun 10 '16 at 16:54
  • Thanks Wiktor, what is the long answer? Please post it as an answer so that I can accept it as an answer if it deals with all my questions. I gather I don't need to install the web application on both the DMZ and the internal web server, is this correct? Any issues that I should look for while implementing the above scenario? Will the reverse proxy affect the people who access the web application via the internal web server (bypassing the DMZ server)? Do I just need to open ports 80 and 443 so that the DMZ server can send and receive traffic to the internal web server? – learner Jun 13 '16 at 08:41
  • HTTP/HTTPS ports should definitely be open on the internal app server. A good practice would be even to restrict the traffic on the internal app server so that it only accepts requests from the proxy and from nowhere else on 80/443. This way all your users go through the proxy. – Wiktor Zychla Jun 13 '16 at 10:14
  • If we don't force the traffic on the internal app server so that it accepts requests from the proxy only, does it mean that the reverse proxy implementation will affect the internal users trying to access the app directly by pointing to the internal web server URL? We would like to avoid an extra hop for internal users. – learner Jun 13 '16 at 10:30
  • That would be your choice; forcing everyone, including internal users, to go through the proxy is just an extra safety measure that is optional, depending on your requirements. Note that proxy servers are optimized and the "extra hop" doesn't involve many resources then. In terms of resources vs safety I would go for safety (but that's of course only an opinion). – Wiktor Zychla Jun 13 '16 at 10:44
  • Will it affect the 'response rewriting' for internal users who will be accessing internal server URL, without going through DMZ? – learner Jun 13 '16 at 13:12
  • That depends deeply on what kind of rewriting you actually mean and the easiest way is just to try it out. But, I can hardly think of "rewriting" that would not work with a proxy server. – Wiktor Zychla Jun 13 '16 at 13:46
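
The setup discussed in the comments above, as an added example that is not part of the original question or comments: two `web.config` fragments, one for the DMZ site (ARR reverse proxy with response rewriting) and one for the internal site (accepting requests only from the proxy and an internal subnet). The host names `internal-app.example.local` and `www.example.com`, the proxy address `192.0.2.10` and the subnet `10.10.0.0/16` are constructed placeholders; it assumes URL Rewrite and ARR are installed with the ARR proxy enabled on the DMZ server, and the IP and Domain Restrictions feature is installed on the internal server.

```xml
<!-- File 1: web.config of the DMZ site (URL Rewrite + ARR, proxy enabled).
     Host names are placeholders, not values from the question. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Forward every incoming request to the internal web server -->
        <rule name="ReverseProxyToInternal" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://internal-app.example.local/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Rewrite absolute internal links in HTML to the public host name.
             These rules live only on the DMZ site, so responses served
             directly by the internal server are not touched by them. -->
        <rule name="RewriteInternalLinks" preCondition="IsHtml">
          <match filterByTags="A, Form, Img"
                 pattern="^http(s)?://internal-app\.example\.local/(.*)" />
          <action type="Rewrite" value="http{R:1}://www.example.com/{R:2}" />
        </rule>
        <preConditions>
          <preCondition name="IsHtml">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>

<!-- File 2: web.config of the internal site. Deny by default, then allow
     the DMZ proxy and (optionally) internal users who connect directly.
     If the ipSecurity section is locked at server level, unlock it or
     set it in applicationHost.config instead. -->
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="192.0.2.10" allowed="true" />  <!-- DMZ proxy (placeholder) -->
        <add ipAddress="10.10.0.0" subnetMask="255.255.0.0" allowed="true" />  <!-- internal users (placeholder) -->
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Removing the subnet entry from the second file gives the stricter variant in which every user, internal or external, has to go through the proxy.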

0 Answers