Both the SQL server *and* the CF server should be behind the firewall...the
web server should be the only element in the DMZ. It's called setting CF up
in "distributed mode". Check details in the admin guide...if ur stuck pop
back here and I can help ya out...


-----Original Message-----
From: Dustin Snell [Unisyn Software, LLC] [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 27, 2002 1:47 PM
To: CF-Talk
Subject: Firewall configuration for CF and SQL (sort of OT)

Hello all,

This may seem sort of off topic and I apologize if it is, but it does
involve a Cold Fusion server and I think you guys/gals would likely know the

Here goes:

We are attempting to secure our network which was admittedly *not secure*
before.  So, we have purchased a 3COM Superstack 3 firewall which is up and
running and seems to be working great.  I am wondering what the recommended
topology should be for the Web Server (which is Windows 2000 Server, running
IIS and Coldfusion 4.5) and the SQL Server (diff machine, Windows 2000
Server, SQL 2000).  It seems to me that the web server should be in the DMZ
(in front of the firewall) but I have the following questions.

1) Should the SQL Server be behind the firewall?  The answer seems to me to
be yes - if so, what port do I have to open to allow communication between
the Web/CF Server and the SQL Server so that they can still talk to each
other?  Our intranet (LAN users) and website (WAN) users need to access the
same database.

These other questions are more off topic but help would still be *very much*
appreciated.

2) For servers in the DMZ, is there any rational reason for them to be in
the domain?  Wouldn't it be more secure to keep those machines as
standalone (non-domain) machines so that if they are compromised, all
domain machines are still behind the firewall?  The only benefit I can see
to keeping them in the domain is group policy.

Misc... even more OT:

3) For those running DNS servers in house, is it customary for you to
actually have a dedicated DNS machine? Or do you, as we currently do, use a
server for dual purpose (maybe it would be an FTP Server and a DNS Server).
Also, are there any "plug and play" DNS "network appliances" available that
wouldn't require a $1000+ license of Windows 2000 server?

Thanks very much for any wisdom you can offer to a Cold Fusion
Administrator/Network Security newbie.

Dustin Snell

Unisyn Software, LLC
