I have a feeling that this is not technically possible, but I have a client that is wanting to move a Domino web server into a new DMZ that has a rule that says “No database servers allowed in the DMZ.” That works fine and dandy for IIS and SQL, but I’ve never heard of anyone rendering HTML on a Domino server where the database physically resides on a different server. Is that even possible? Help!
Subject: One-way replication?
Did they explain the reason behind their “No Databases” rule? If it’s because they’re afraid a DMZ server will get hacked, allowing unauthorized editing of data, you could set up a replica of your web server database in the DMZ, with a replication rule and ACLs that only allow changes to flow from your internal server to the DMZ. A Notes database and how it’s used is different enough from your regular relational DBs that I think the rule shouldn’t apply the same way.
Subject: reverse proxy or Domino with ICM
put up a reverse proxy in the DMZ that points to the Domino HTTP server inside the company. It is conceptually the same as IIS and SQL Server.
SQL Server | Firewall | IIS server | Firewall | Internet
Domino | Firewall | Reverse proxy | Firewall | Internet
If you absolutely need a Domino server in the DMZ, a Domino server with Internet Cluster Manager (ICM) can work as a reverse proxy for the Domino servers on the inside.
Hans
Subject: Re: Domino WEB server in the DMZ w/o Databases
About the closest thing you can get is to put a simple Windows box out there running IIS and the WebSphere ISAPI plugin to proxy requests to your Domino box.
That keeps your data out of the DMZ, but adds the overhead of going from box to box for every request.
Subject: In theory…
If they’re speaking strictly, then no, the Domino server can’t be in the DMZ at all, since without “databases” the box won’t even run.
Now, if they’re talking “no live data in the DMZ,” that’s a different issue. If you HAVE to try to put a Domino server whose job is only to serve data that exists elsewhere, in theory you could write a rat’s nest of agents that at runtime, retrieve data from an internal server and then render the HTML themselves and emit it into the stream. How many years till you retire?
A better idea would be to put a secure proxy out there and have it ship requests inside the firewall and route responses back out.
Turtle
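Both Hans's "reverse proxy in the DMZ" layout and Turtle's "secure proxy that ships requests inside the firewall" describe the same pattern, so here is one worked sketch of it. This is an added example, not code from the thread or from Domino; the internal hostname `domino.internal`, the published database `webapp.nsf` and the deny-list are assumptions to be replaced with your own values. It shows the parts a DMZ proxy has to get right that a plain port forward would miss: only published paths are forwarded (after URL decoding and `..` normalization, so a traversal cannot reach `names.nsf`), hop-by-hop headers are dropped, the `Host` header is rewritten for the inside server, the real client address is passed along, and 3xx responses are relayed rather than followed.

```python
"""Minimal DMZ reverse proxy in front of an internal Domino HTTP server.

Added example for the forum discussion above; not part of the original thread.
Assumed names: UPSTREAM (internal Domino host), ALLOWED_PREFIXES, DENIED_PREFIXES.
"""
import http.server
import posixpath
import urllib.error
import urllib.request
from urllib.parse import quote, unquote, urlsplit, urlunsplit

UPSTREAM = "http://domino.internal"          # hypothetical: the Domino HTTP server inside the firewall
UPSTREAM_HOST = urlsplit(UPSTREAM).netloc

# Only the application the site publishes is reachable through the proxy (hypothetical names).
ALLOWED_PREFIXES = ("/webapp.nsf", "/icons/")
# Administrative databases that must never be reachable from the Internet (example deny-list).
DENIED_PREFIXES = ("/names.nsf", "/webadmin.nsf")
ALLOWED_METHODS = ("GET", "HEAD", "POST")

# Hop-by-hop headers describe the client->proxy connection and are not forwarded (RFC 7230).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}


def build_upstream_request(method, raw_path, headers, client_ip, scheme="https"):
    """Return (upstream_url, headers_to_send) or None if the request must be refused."""
    if method not in ALLOWED_METHODS:
        return None
    parts = urlsplit(raw_path)
    # Decode and normalize before any policy check so "%2e%2e/" cannot sneak past the prefix tests.
    path = posixpath.normpath(unquote(parts.path) or "/")
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"                                # normpath strips a trailing slash; keep it
    lower = path.lower()                           # Domino on Windows matches database names case-insensitively
    if lower.startswith(DENIED_PREFIXES) or not lower.startswith(ALLOWED_PREFIXES):
        return None
    url = urlunsplit(("http", UPSTREAM_HOST, quote(path), parts.query, ""))
    out = {name: value for name, value in headers.items()
           if name.lower() not in HOP_BY_HOP and name.lower() != "host"}
    out["Host"] = UPSTREAM_HOST                    # the inside server sees its own name, not the public one
    out["X-Forwarded-For"] = client_ip             # so Domino logs and agents can still see the real client
    out["X-Forwarded-Proto"] = scheme
    return url, out


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None                                # relay 3xx to the browser instead of following it inside


_opener = urllib.request.build_opener(_NoRedirect)


class ProxyHandler(http.server.BaseHTTPRequestHandler):
    def _proxy(self):
        decision = build_upstream_request(self.command, self.path, self.headers, self.client_address[0])
        if decision is None:
            self.send_error(403, "Not published through this proxy")
            return
        url, hdrs = decision
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(url, data=body, headers=hdrs, method=self.command)
        try:
            with _opener.open(req, timeout=30) as resp:
                self._relay(resp.status, resp.headers, resp.read())
        except urllib.error.HTTPError as e:        # 3xx/4xx/5xx from Domino: pass through unchanged
            self._relay(e.code, e.headers, e.read())
        except (urllib.error.URLError, OSError):
            self.send_error(502, "Upstream unavailable")

    def _relay(self, status, headers, body):
        self.send_response(status)
        for name, value in headers.items():
            if name.lower() not in HOP_BY_HOP and name.lower() != "content-length":
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = do_HEAD = do_POST = _proxy


if __name__ == "__main__":
    # Run on the DMZ host; the firewall then only needs to allow this host to reach UPSTREAM on port 80.
    http.server.ThreadingHTTPServer(("0.0.0.0", 8080), ProxyHandler).serve_forever()
```

In practice you would put this behaviour into a purpose-built proxy (Apache, nginx, IIS with the ISAPI plugin, or Domino with ICM as Hans suggests) and terminate TLS in the DMZ, but the policy decisions in `build_upstream_request` are the ones that need to exist regardless of which product enforces them.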