tags:

views:

275

answers:

1
Q: 

Access WCF-service behind firewall from DMZ

Hi,

I'm about to develop an service for a customer. The service will be located on the intranet behind firewalls and have a database of its own. The service will be consumed by another Web-application located on the DMZ. Now, my problem is that the company has a kind of strict policy not to open any ports from DMZ into the intranet.

1) Is it possible for my Web-app on the DMZ to access a WCF-service on the intranet without open a port?

2) If not, is there any reference architecture describing that opening a port may be done and still have a safe solution? Perhaps combined with certificates, some kind of athorization etc. There is no need for any other app to consume the service (at least not for now), so it is ok to have a configuration that limits the consumers to this single web-app.

Best regards /Valle

A: 

I had to "refine" my previous answer a little, by deleting it all :)

So here's the short, better version of it. Not the best one, but it works pretty good. To make the explanation simpler let's consider you have a single service and a client that wants to consume it.

  1. add a proxy server application that runs outside the firewall and exposes 2 services:
    the first one is identical to the original service (same address, binding, contract)
    the second one is a duplex service that has as its callback the same contract of the above service
  2. add a proxy client application that runs inside the firewall and consume the second service of the proxy server and also the original service
  3. the original client will consume the proxy server instead of the original service

How it works:

  1. the proxy client connects to the proxy server and register the callback
  2. the proxy client also connects to the original service
  3. the original client connects to the proxy service
  4. the proxy server forwards all the calls from the service to the callback (remember the contracts are the same)
  5. the proxy client forwards all the calls from the callback implementation to the client of the original service (again the contracts are the same)
  6. the original service process the call and returns the result
  7. the replies are forwarded back in the opposite order up to the original client

Note that the original client has no idea that it connects to the proxy server instead of the original service

Another note is that the forwarding happens in the code which is not very nice. The WCF in .NET 4.0 has routing support but I'm not sure you can route only the callback channel and not also the direct one.

Hope it helps, Gicanu

Gicanu  2010-06-10 11:44:29

related questions

Dynamic programming with WCF
WCF Service Returning "Method Not Allowed"
Exceptions in Web Services
What SPN do I need to set for a net.tcp service?
How do I unit test a WCF service?
Best practices for versioning your services with WCF?
Lazy Loading with a WCF Service Domain Model?
How many ServiceContracts can a WCF Service have?
How can I authenticate using client credentials in WCF just once?
WCF - Domain Objects and IExtensibleDataObject
InvalidOperationException while creating wcf web service instance
Closing and Disposing a WCF Service
What WCF best practices do you follow in object model design?
WCF push to client through firewall?
Loading System.ServiceModel configuration section using ConfigurationManager
I would like some tips for debugging WCF Web Service exceptions
What's the best way to authenticate over WCF?
Good Reads for Distributed Systems
.Net - Returning DataTables in WCF
What is the easiest way to add compression to WCF in Silverlight?
WCF Backward Compatibility Issue
Best Practices for securing a REST API / web service
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
WCF - High availability