
Scenario

I have an application that I have been developing for two years. I use the .NET framework to develop it in a language called Oxygene that comes from Pascal. When I have something new in my code, I publish my application using the File System method. I have a couple of servers working on Amazon EC2, so I transfer these files to a folder on my IIS server. On this IIS server I already have a website that corresponds to my application, so I just replace the old files with the newest files. I have another server that works as an SQL server. The last detail is that in my application the user is able to attach files, import pictures, and export PDF and Excel files. Attachments and pictures are stored in the same folder the application is located in.

Issue

Here is my problem. I have got a new client that is kind of a big client. It seems like this company has a strong IT security, so the application must be located in their servers. The big problem is that they required my application to be set in the following architecture: DMZ

I am used to using only an app server (which handles external access) and a SQL server. They want the third server in the DMZ net so they can let external access happen. The reason the application can't be placed in the DMZ is because of the files I mentioned below that the user stores in the application. The database stores all the data, but not those files.

Solutions I have offered, but won't be accepted:

  • Publishing the application on an IIS server located in the DMZ: That won't be accepted since my application stores user attachments in the same folder the application is located in. There are also images stored there.

  • Publishing the application on the app server, but also publishing an empty application on the DMZ server redirecting to the IIS server inside the LAN: That's the best solution I have come up with.

  • Using a reverse proxy to protect the LAN Net: This is off the table, since reverse proxy is not safe at all.

I am kind of confused because I can't see a way to separate my application in two to make it work in that suggested architecture.

Can anybody give me a hint or ideas of how this would work?

Arturio
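The root of the asker's problem is that user attachments live inside the IIS site folder, which ties the file store to the web tier. The following is an added example, not code from the original post or from the asker's application: a C# (.NET) helper that writes uploads under a configurable directory outside the site root, so the published application folder contains only code and the data can sit on a separate volume or share on the internal app server. The names `AttachmentStore`, `SaveAttachment`, the `baseDir` parameter and the directory layout are all assumptions made for this example.

```csharp
using System;
using System.IO;

// Example helper (hypothetical name): stores user attachments outside the
// IIS site folder. The original attachment name is kept in the database;
// only a server-generated name is used on disk.
public static class AttachmentStore
{
    // baseDir: an assumed, configured path outside the web root, e.g. a
    // dedicated data volume or share such as D:\AppData\Attachments.
    // recordId: the application record the attachment belongs to.
    // Returns the stored file name, which the caller persists in the database.
    public static string SaveAttachment(string baseDir, int recordId, string clientFileName, Stream content)
    {
        // Reject empty names and drop any directory components the client sent.
        string leafName = Path.GetFileName(clientFileName ?? string.Empty);
        if (string.IsNullOrWhiteSpace(leafName))
            throw new ArgumentException("Attachment has no usable file name.", nameof(clientFileName));

        // Never reuse the client-supplied name on disk; keep only the extension.
        string extension = Path.GetExtension(leafName).ToLowerInvariant();
        string storedName = Guid.NewGuid().ToString("N") + extension;

        // Normalise the root once so the containment check below is exact.
        string root = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        string recordDir = Path.Combine(root, recordId.ToString());
        string fullPath = Path.GetFullPath(Path.Combine(recordDir, storedName));

        // Defence in depth: the resolved path must stay under the attachment root.
        if (!fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Resolved attachment path escaped the attachment root.");

        Directory.CreateDirectory(recordDir);

        // CreateNew fails instead of overwriting if the generated name already exists.
        using (var output = new FileStream(fullPath, FileMode.CreateNew, FileAccess.Write, FileShare.None))
        {
            content.CopyTo(output);
        }

        return storedName;
    }

    // Resolve a stored name back to a path for download, with the same containment check.
    public static string GetAttachmentPath(string baseDir, int recordId, string storedName)
    {
        string root = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string fullPath = Path.GetFullPath(Path.Combine(root, recordId.ToString(), Path.GetFileName(storedName)));
        if (!fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Resolved attachment path escaped the attachment root.");
        return fullPath;
    }
}
```

With the attachment root configured as a path on the internal app server (or a share it mounts), the application folder that gets published to IIS holds no user data, and the IIS application pool identity only needs write access to that one root rather than to the site directory.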

1 Answer

You can't "redirect" to inside the LAN, a redirect is a client-side operation, so if the internal server isn't already exposed, you can't redirect someone to it.

A reverse proxy is likely your best bet. Why do you believe it is not safe? This is a tried-and-true solution, it allows you to leave additional ports/services open to internal requests (like a file server, which it sounds like you are trying to expose).

How are these files getting uploaded? Are you using FTP? SMB? HTTP? This solution will not expose those other protocols to the outside world (please don't expose SMB to the outside, it will result in tragedy). Do the external users need to upload these files?

Rob Conklin
  • Well.... the reverse proxy was actually an idea I gave them that would be a solution. But it won't be accepted by the company; according to them this is not safe at all, although I disagree. Now I'm trying to understand how that suggested architecture would work. – Arturio Sep 18 '17 at 15:13
  • The files are uploaded using HTTP. The problem is that they are stored in the application's folder. – Arturio Sep 18 '17 at 15:15
  • You have only two choices here... Either publish your application to the DMZ server, or put a proxy in the DMZ to where your application is published. Technically you could also open a hole in the firewall for your LAN published application, but that would be terrible. There is no magic way to get HTTP to your application/images without either allowing it to be served over the public internet (via the DMZ), or without providing some way of proxying it to the application server. This is just the way networks work. There has to be a way to get the bits from the app server to the internet. – Rob Conklin Sep 19 '17 at 14:29
  • If for some reason it is the files stored on the server that they are truly terrified of, you could store the images in the database. This is no safer, but maybe they think it is somehow. – Rob Conklin Sep 19 '17 at 14:29
  • so, what they suggested actually makes no sense, am I wrong? I mean, I haven't seen an application that works like the way they want. – Arturio Sep 19 '17 at 16:32
  • What do they "want"? They want a browser on the public internet to send an HTTP request to a server that is network-isolated from the internet? That is impossible. The bytes have to be able to get from the client's browser to the application and back. – Rob Conklin Sep 20 '17 at 15:10
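The reverse proxy the answer recommends maps directly onto the three-server layout the client asked for: the DMZ host runs an otherwise empty IIS site whose only job is to forward HTTP to the application server on the LAN, so the application and the uploaded files never leave the internal network. The following `web.config` is an added example, not configuration from the original thread or from the asker's deployment; it assumes the IIS URL Rewrite module and Application Request Routing (ARR) are installed on the DMZ server, and the host name `app-internal.example.local` is a placeholder for the internal application server.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config for the empty site on the DMZ IIS server (added example).
     Prerequisites (assumed): URL Rewrite and ARR installed, and proxying
     enabled at server level in applicationHost.config:
       <system.webServer><proxy enabled="true" /></system.webServer>
     The firewall only needs to allow the DMZ host to reach the app server
     on the proxied port; the app server itself is never exposed. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Forward every request path unchanged to the internal application.
             "app-internal.example.local" is a placeholder host name. -->
        <rule name="ProxyToInternalApp" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://app-internal.example.local/{R:1}" />
        </rule>
      </rules>
    </rewrite>

    <!-- The DMZ tier can also enforce an upload size ceiling before the
         request reaches the LAN (value in bytes, 50 MB here as an example). -->
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="52428800" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Because the rewrite happens server-side, the browser only ever talks to the DMZ host; this is what distinguishes it from the "empty application that redirects" idea, which would require the internal server to be reachable by the client. Uploads sent over HTTP are forwarded the same way as any other request, so attachments are written by the application on the internal server, not on the DMZ host.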