Scotty Boy

Steven - yes i do mean http.

sorry to sound daft, but i cant quite get the picture of your solution ... is it SQL Server inside my network, with a proxy sitting on the outside world. The user interface talks to the proxy which securly retrieves and updates data?

*****......|........*******.........****
*SQL*..<-- | -->..*proxy*.<--->.*UI*
*****......|........*******.........****

the web design stuff is all abit new to me and it is hard to know where to start reading.

thanks again


[Edited by Scotty Boy - 9/3/2003 12:04:29 PM]

Scotty Boy

Hi,

The current set up is a network SQL Server. A SQL Server database is replicated OUT of the internal network to an extranet SQL Server. All WWW reporting runs from the extranet box.

A new requirement has arisen. The WWW reporting now needs to be able to update SQL Server data.

What is the most secure way of getting modified extranet SQL Server data back IN to the internal SQL Server? Does anyone have any experience in these designs? A few pointers would be greatly appreciated to begin my investigations

many thanks
Scott

stevencotton

When you say 'WWW' you just mean over http?

You'll need something listening on the outside world. That should _not_ be SQL server An authenticating proxy sitting in the middle is what you need, you could just talk XML or something and have that insert the data into SQL Server.

stevencotton

That's exactly it. You can't put SQL Server on the outside world for obvious reasons (slammer wasn't that long ago), so you need a abstraction layer to authenticate (and control acces with your firewall as well, is your extranet a DMZ or public Internet?) and look after receiving data from your web app, and putting it into SQL Server.

How you decide on the details exactly will be determined on how you are currently using the web app for reporting.

Scotty Boy

Hi Steven,

The extranet is a public internet, to which the user can run reports and update data accordingly.

So it seems like i need to do some homework regarding;
1. security on the public internet user interface.
2. understanding the best abstraction layer.

thank you so much for the pointers, now to book worm it up

scott

stevencotton

You'll need something to authenticate (who the user is), authorise (is that user allowed to access this site), then do the work. Something as simple as Apache + CGI could do the updating. You just need to make sure only those allowed can do it

Scotty Boy

OK, methods of authentication and authorisation being ...???

... a log on screen to access the web site, with username and password communication using https rather than http, and stored in a database?

scott

stevencotton

Depends on a load of things, mainly:

If you're not expecting a shed load of traffic, you could do the lot over https and use basic HTTP authentication.

If your users need to "log out" you can't do that with basic auth, you'll need to set a cookie.

Work out where you want to get to, what you have, then work backwards. you have many, many options for doing it (apache, soap, etc) and none of the software will cost anything, but it will be a steep learning curve if you've not done it before!

Scotty Boy

Steven

Web development is new to me, so i am in for that steep learning curve but that is half the fun too !!!!

OK, off to the drawing board

thank you so much for your time, so greatly appreciated and most helpful.

kind regards
scott

stevencotton

Just noticed you're also in Herts, if you get stuck and feel the need to buy me beer in Hertford in exchange for info give me a shout