
Thread: Access LAN from DMZ or Access DMZ from LAN

  1. #1

    Access LAN from DMZ or Access DMZ from LAN

    Some of my Windows XP LAN workstations run a VB6 application which reads/writes data from/to an Access XP database sitting on a W2003 LAN server.
    My client wants to have on-line real-time access to some of these data.
    I need to set up a W2003 IIS web server with an ASP.NET application which will read the required data from the Access database and expose them to the client (in the form of HTML pages).
    So, I need the web-facing Web server AND the LAN workstations to have real-time access to the same Access database.
    I am thinking of the following two alternatives:
    a) I set up a DMZ and I put the Web server on this DMZ. If I do, how can the Web server have access to the Access database (which sits on a LAN server)?
    b) I set up a DMZ and I put the Web server AND the Access database on this DMZ. If I do, how can the LAN workstations have access to the Access database (which will sit on the Web server on the DMZ)?
    Any other alternatives and how-tos will be very much appreciated!

    Thank you in advance.

    George

  2. #2
    Moderator YeOldeStonecat
    Instead of exposing your server and its data to that vulnerability, have you considered remote desktop access? Or perhaps what you need to do could be driven through SharePoint.

    Or if it really needs direct access...I'd get a router that could place an ACL in there...so that only the IP address of this client would be allowed access. Or do a router to router VPN connection. But I'd be scared as heck to simply "DMZ" a server with data exposed to the entire internet.

  3. #3
    Advanced Member
    Quote: Originally Posted by YeOldeStonecat
    Instead of exposing your server and its data to that vulnerability, have you considered remote desktop access? Or perhaps what you need to do could be driven through SharePoint.

    Or if it really needs direct access...I'd get a router that could place an ACL in there...so that only the IP address of this client would be allowed access. Or do a router to router VPN connection. But I'd be scared as heck to simply "DMZ" a server with data exposed to the entire internet.
    Depends on what is meant by DMZ really. In the typical consumer router model, yes, it is a bad idea. However, if you set up your own "DMZ" which allows certain IP addresses to access the server using certain protocols (set up through a firewall), then it isn't that bad. Who needs access to the stuff over the internet, a known group from a known IP or an unknown group?
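
The distinction drawn in post #3, as an added example that is not part of the original thread: a small permit-list model comparing a consumer-router "DMZ host" with a firewalled DMZ for option (a) of the question. All addresses, the rule set and the use of TCP 445 (SMB) for the web server's access to the Access file are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    port: Optional[int]   # destination TCP port; None = every port

# Constructed addressing for illustration (not from the thread).
CLIENT = "203.0.113.10/32"   # the client's known public IP
WEB = "192.168.50.10/32"     # IIS server on the DMZ segment
DB = "10.0.0.5/32"           # LAN server holding the Access .mdb file
ANY = "0.0.0.0/0"

# Consumer-router "DMZ host": everything inbound is forwarded to one machine.
CONSUMER_DMZ = [Rule(ANY, WEB, None)]

# Firewalled DMZ: permit rules only, anything unmatched is dropped.
FIREWALLED_DMZ = [
    Rule(CLIENT, WEB, 443),  # known client reaches the web app over HTTPS
    Rule(WEB, DB, 445),      # web server reads the .mdb over the SMB share
]

def allowed(rules, src_ip, dst_ip, port):
    """Return True if any permit rule matches the flow (default deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(
        src in ipaddress.ip_network(r.src)
        and dst in ipaddress.ip_network(r.dst)
        and r.port in (None, port)
        for r in rules
    )

def reachable_ports(rules, src_ip, dst_ip, ports=(80, 443, 445, 3389)):
    """List which of the probed TCP ports a source can reach on a host."""
    return [p for p in ports if allowed(rules, src_ip, dst_ip, p)]

if __name__ == "__main__":
    stranger, client = "198.51.100.7", "203.0.113.10"
    web, db, other_lan = "192.168.50.10", "10.0.0.5", "10.0.0.20"
    print("consumer,   stranger -> web:", reachable_ports(CONSUMER_DMZ, stranger, web))
    print("firewalled, stranger -> web:", reachable_ports(FIREWALLED_DMZ, stranger, web))
    print("firewalled, client   -> web:", reachable_ports(FIREWALLED_DMZ, client, web))
    print("firewalled, web      -> db: ", reachable_ports(FIREWALLED_DMZ, web, db))
    print("firewalled, web      -> lan:", reachable_ports(FIREWALLED_DMZ, web, other_lan))
```

The single web-to-database rule is the path that remains open if the web server is compromised, so it is the one to scope to a single host and port and to log.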

  4. #4
    Moderator YeOldeStonecat
    Quote: Originally Posted by ErikD
    Depends on what is meant by DMZ really.
    Always means the same in my book....DeMilitarizedZone....a machine(s) that's outside the protection of the primary firewall which protects the rest of the network. Depending on the hardware this machine could be in the same group as the primary LAN..in which case it's horrendously risky. Or be able to be put in a separate group..such as an "orange zone"...outside the firewall..yet also separate from the primary LAN. Can get fancier multi-homing the server also..but still a risk. But only guesswork..his hardware is unknown.

  5. #5
    Senior Member Blisster
    Use ISA 2004/2007 to publish the web services of an internally located IIS server.

    This way internal clients have access to the database, the web server has access to the database and external clients can use a browser to access the protected web app. ISA does this very simply and can even use the same AD credentials used internally to authenticate access (via HTTPS of course).

