> A while ago I posed the question of how to deal with a 
> company running their "intranet" (actually, extranet 
> applications) at a remote datacenter, where their public 
> web server is running. The question at the time was how to
> replicate a database from their internal network to the 
> remote installation. It was suggested by some that the 
> best approach was not to replicate the databases at all, 
> but simply have a single database and run the extranet
> applications (all in CF) on the same web servers. What 
> I'm calling "extranet" applications are really only for 
> internal company use, but they wish to allow employees 
> to use the applications from home or while they're on 
> the road.
> 
> The sticky part, at this point, is authentication. Right 
> now, the servers are in-house and they use NT authentication 
> forced by NTFS ACLs on the source directories of the web site.  
> Very simple. Everyone has just one password on the network.  
> They'd like to have the same type of authentication even 
> after the servers are moved. Can this be done? I was thinking 
> of placing a BDC at the datacenter, but I'm not sure how it 
> would synch user accounts with their internal domain controllers.  
> It's been suggested to perhaps run a VPN between the remote 
> servers and the internal network, but that sounds like it 
> may be a security hazard, since it essentially puts the web 
> servers on the internal network.

This is always a difficult issue to resolve in a fully satisfactory manner.
If you want to use the same authentication database for both the internal
network and for your web applications, you're either going to have to expose
that database to the public network on which your web applications reside,
or host those web applications on the internal network. The first solution
is generally unacceptable, and you're right to point out that, VPN or no,
you'd be creating a giant potential security hole in the case that your
public web application servers get attacked, so at that point you might as
well just host them on the internal network (or, to be accurate, to host
them closer to the internal network - perhaps in a DMZ at the same physical
location, while allowing authentication requests through the firewall).

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
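To make the trade-off in the reply above concrete, here is an added example (not code from the original poster or from Dave Watts) that models the two placements as firewall policies and measures what a compromised web server could reach under each: (a) a VPN that extends the internal network to the remote web servers, versus (b) a DMZ web tier that is only allowed to send authentication requests to the domain controller. The addresses, the internal hosts and the services they expose are constructed for illustration, and the set of ports labelled as "authentication" is an assumption (the NetBIOS, RPC, SMB, LDAP and Kerberos ports NT-domain and Active Directory member servers typically use); a real deployment should confirm its own list by testing.

```python
"""
Blast-radius comparison for the two designs discussed in the reply:
(a) VPN: remote web servers effectively sit on the internal network;
(b) DMZ: only authentication traffic to the DC is allowed through the firewall.
All hosts, addresses and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


ANY = frozenset()  # an empty port set means "any port"


@dataclass(frozen=True)
class Rule:
    src: str          # source CIDR
    dst: str          # destination CIDR
    ports: frozenset  # permitted/denied destination ports, or ANY
    action: str       # "allow" or "deny"


def allowed(rules, src_ip, dst_ip, port):
    """First-match evaluation of an ordered rule list; default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.ports == ANY or port in r.ports)):
            return r.action == "allow"
    return False


# Constructed internal hosts and the TCP/UDP ports each one listens on.
INTERNAL_HOSTS = {
    "10.0.0.10": {"role": "domain controller",
                  "ports": {88, 135, 137, 138, 139, 389, 445, 3389}},
    "10.0.0.20": {"role": "file server", "ports": {139, 445}},
    "10.0.0.30": {"role": "internal database", "ports": {1433}},
    "10.0.0.40": {"role": "workstation", "ports": {139, 445}},
}

# Assumed set of ports a member server needs for NT-domain / AD authentication
# (Kerberos, RPC endpoint mapper, NetBIOS, LDAP, SMB). Verify for your own domain.
AUTH_PORTS = frozenset({88, 135, 137, 138, 139, 389, 445})

# Datacenter web tier (constructed address range) and one web server in it.
WEB_TIER = "192.168.100.0/24"
WEB_SERVER = "192.168.100.5"

# Design (a): the VPN makes the web tier a routed part of the internal LAN.
VPN_DESIGN = [Rule(WEB_TIER, "10.0.0.0/24", ANY, "allow")]

# Design (b): DMZ web tier may reach only the DC, only on auth ports; deny the rest.
DMZ_DESIGN = [
    Rule(WEB_TIER, "10.0.0.10/32", AUTH_PORTS, "allow"),
    Rule(WEB_TIER, "10.0.0.0/24", ANY, "deny"),
]


def reachable_services(rules, src_ip=WEB_SERVER):
    """Return the set of (host, port) pairs a compromised web server could reach."""
    reachable = set()
    for host, info in INTERNAL_HOSTS.items():
        for port in info["ports"]:
            if allowed(rules, src_ip, host, port):
                reachable.add((host, port))
    return reachable


def exposed_hosts(rules, src_ip=WEB_SERVER):
    """Sorted list of internal hosts reachable on at least one port."""
    return sorted({host for host, _ in reachable_services(rules, src_ip)})


if __name__ == "__main__":
    for name, rules in (("VPN", VPN_DESIGN), ("DMZ", DMZ_DESIGN)):
        services = reachable_services(rules)
        print(f"{name}: {len(services)} reachable services on {exposed_hosts(rules)}")
```

With the VPN design, every internal host and port is reachable from the web server, including the database and the remote-administration port on the DC, which is the "giant potential security hole" the reply warns about. With the DMZ design, the same compromised web server can talk only to the DC and only on the authentication ports, so the attack surface is reduced to the domain controller's authentication services rather than eliminated; those services still warrant hardening and monitoring.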