Archive > BizTalk Server General > December 2005
Architecture with DMZ
Björn Jansson 2004-12-08, 7:47 am
We have a scenario where we want to get and send files by FTP to different
partners.
We are in the design & analysis phase of the integration project and are,
among other things, thinking about how to set up our network. We would like it
to be something like this:
BizTalk Server | FIREWALL | DMZ with "Proxy Server" | FIREWALL |
Internet with Partner servers
The architectural goal is to keep the BizTalk Server from having to have a
direct connection to the partner servers (via the Internet). So we would like it
to just communicate with a "proxy server" in the DMZ (perimeter network), and
the "Proxy Server" then, in our case, does the actual FTPing.
Does this sound logical/doable? How do you do it?
One thing is for sure: We don't want the BizTalk server to have Internet
access.
Best regards,
Björn Jansson
Gary Keong [MSFT] 2004-12-08, 5:51 pm
Hi,
Check out the following architecture recommendations from the Biztalk
documentation.
http://msdn.microsoft.com/library/d...-us/deploying/h
tm/ebiz_depl_secure_kuqo.asp
Specifically, you will be interested in the Secure deployment
recommendation. The Large Distributed architecture illustrates how to
separate the web servers and the BizTalk servers.
http://msdn.microsoft.com/library/d...-us/deploying/h
tm/ebiz_depl_secure_iraf.asp
HTH,
Gary
This posting is provided "AS IS" with no warranties, and confers no rights.
We have exactly the same architecture as yours; the only difference is that we plan
to use FTPS or SFTP to secure the FTP part because of the confidential files
sent over it.
jj
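Björn's layout and jj's FTPS variant, as an added example in Python (not code from the thread or from any BizTalk component): the DMZ "proxy server" is a relay that picks files up from a per-partner staging tree the internal BizTalk host writes to, and is the only process that ever opens a connection to a partner server. The partner table, host names, directory layout and the RELAY_FTP_PASSWORD variable are assumptions made for the example. ftps_send uses the standard library's FTP_TLS with certificate verification and PROT P (the FTPS option jj mentions); demo() swaps in an in-memory transport and a constructed staging tree so the whole flow runs offline.

```python
"""DMZ file relay.  The internal BizTalk host only ever writes to a staging
share; this process, running on the DMZ host, is the single component that
opens connections to partner FTP servers.  Added example, not from the thread:
partner names, host names, directory layout and the password variable are assumed."""
import os
import re
import shutil
import ssl
import tempfile
from ftplib import FTP_TLS
from pathlib import Path
from typing import Callable, Dict, List, Tuple

# Routing table, partner id -> FTPS endpoint (constructed for the example).
PARTNERS: Dict[str, dict] = {
    "acme": {"host": "ftp.acme.example", "port": 21, "user": "biztalk", "path": "/inbox"},
    "globex": {"host": "ftp.globex.example", "port": 21, "user": "edi", "path": "/in"},
}

# Plain file names only: leading alphanumeric, no separators, no "..", no dotfiles.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
MAX_BYTES = 50 * 1024 * 1024


def ftps_send(partner: dict, file_path: Path) -> None:
    """Real transport: explicit FTPS (AUTH TLS), server certificate verified
    against the system trust store, PROT P so the data channel is encrypted too."""
    ftps = FTP_TLS(context=ssl.create_default_context())
    ftps.connect(partner["host"], partner["port"], timeout=30)
    ftps.login(partner["user"], os.environ["RELAY_FTP_PASSWORD"])  # assumed secret source
    ftps.prot_p()
    ftps.cwd(partner["path"])
    with file_path.open("rb") as fh:
        ftps.storbinary(f"STOR {file_path.name}", fh)
    ftps.quit()


def select_files(staging: Path) -> List[Tuple[str, Path]]:
    """Files are dropped as <staging>/<partner>/<name>.  Anything that is not a
    regular, sanely named file under a known partner directory is ignored, so a
    misbehaving internal host cannot steer the relay to another destination."""
    picked: List[Tuple[str, Path]] = []
    for partner_dir in sorted(p for p in staging.iterdir() if p.is_dir()):
        if partner_dir.name not in PARTNERS:
            continue
        for f in sorted(partner_dir.iterdir()):
            if f.is_symlink() or not f.is_file():
                continue
            if not SAFE_NAME.match(f.name) or f.stat().st_size > MAX_BYTES:
                continue
            picked.append((partner_dir.name, f))
    return picked


def relay_once(staging: Path, sent: Path, failed: Path,
               send: Callable[[dict, Path], None] = ftps_send) -> dict:
    """One pass over the staging area.  Delivered files move to <sent>/<partner>,
    failures to <failed>/<partner>; the returned dict is what gets logged."""
    result: dict = {"sent": [], "failed": []}
    for partner, f in select_files(staging):
        try:
            send(PARTNERS[partner], f)
            bucket, dest = "sent", sent / partner
        except Exception:            # any transport error: quarantine, do not retry blindly
            bucket, dest = "failed", failed / partner
        dest.mkdir(parents=True, exist_ok=True)
        shutil.move(str(f), str(dest / f.name))
        result[bucket].append(f"{partner}/{f.name}")
    return result


def demo() -> dict:
    """Exercise the relay offline on a constructed staging tree, with an
    in-memory transport standing in for FTPS (globex simulated as unreachable)."""
    root = Path(tempfile.mkdtemp())
    staging, sent, failed = root / "outbound", root / "sent", root / "failed"
    for d in ("acme", "globex", "unknown"):
        (staging / d).mkdir(parents=True)
    (staging / "acme" / "invoice-001.xml").write_text("<Invoice/>")      # constructed
    (staging / "acme" / "..evil").write_text("x")                         # bad name, skipped
    (staging / "globex" / "order.edi").write_text("ISA*00*")              # constructed
    (staging / "unknown" / "x.txt").write_text("x")                       # no such partner
    delivered: List[Tuple[str, str]] = []

    def fake_send(partner: dict, path: Path) -> None:
        if partner["host"] == "ftp.globex.example":
            raise OSError("connection timed out")
        delivered.append((partner["host"], path.name))

    result = relay_once(staging, sent, failed, send=fake_send)
    result["delivered"] = delivered
    result["left_behind"] = sorted(f"{d.name}/{f.name}"
                                   for d in staging.iterdir() for f in d.iterdir())
    return result
```

Calling demo() shows the acme file delivered and moved to sent/, the globex file quarantined in failed/, and the badly named file and the unknown-partner file left untouched. The only flow between the BizTalk host and the DMZ is the staging share itself (in whichever direction it is mounted); the DMZ host needs outbound FTPS to the partner addresses and nothing else.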
Brice Prunier 2005-12-17, 5:53 pm
On the same subject, I am looking for an expert to confirm the following idea:
a "BizTalk Group" with two specialized servers, one on each side:
-One server in the DMZ,
-One server on the Private Network
I will rely on BTSMsgBoxDb and SSO to secure message exchanges from the Public
to the Private area.
From my understanding we should open the following ports between the DMZ and
Private Network to flow in both directions:
-SQL (1433)
-SSO MSDTC (135 & 5000 to 5020)
Is the architecture feasible?
Do we need to open more ports?
Any better idea?
Regards
Greg Forsythe 2005-12-19, 5:54 pm
I would not like to put a BizTalk Server in the DMZ.
The fact that this BizTalk server must be part of your internal domain and
have access to your SQL server will expose a large risk if this server is
compromised.
In all implementations I have done, all BizTalk Servers exist in the internal
network and access is provided by an HTTP reverse proxy from an ISA Server or
similar. All connections are protected by SSL and require some level of
authentication, from Basic to Client Certificates. On top of this you could
implement WSE interfaces (and WCF/Indigo in the future) using WS-Security to
further constrain what is accepted and what is rejected.
This approach reduces the attack surface from your entire BizTalk server to
specific Web Service/HTTP interfaces.
My 2 cents
Greg
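The port list Brice proposes and Greg's objection to it can be written down as a policy check. The following Python is an added example, not code from the thread or from any Microsoft guidance; the zone names, the host names (bts-dmz, sql-lan, isa-dmz, bts-lan) and the policy itself are assumptions that encode Greg's layout: BizTalk and SQL stay on the LAN, only the reverse proxy in the DMZ may initiate into the LAN and only to its published HTTPS backend, no internal host gets direct Internet egress. Any DMZ-to-LAN flow touching 1433, 135 or the 5000-5020 MSDTC range is reported as the exposure Greg describes. What a port-level review cannot see is the domain membership of the DMZ host, which is the other half of his point.

```python
"""Firewall-flow review for the two layouts discussed above.  Added example,
not from the thread: zone and host names are assumptions, and the policy it
enforces is Greg's recommendation with Brice's port list as the red flags."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SQL = (1433, 1433)            # BizTalkMsgBoxDb / SSO database
RPC_EPMAP = (135, 135)        # RPC endpoint mapper (MSDTC, SSO)
RPC_DYNAMIC = (5000, 5020)    # MSDTC dynamic range, restricted as Brice proposes
INTERNAL_ONLY = (("SQL", SQL), ("RPC endpoint mapper", RPC_EPMAP),
                 ("MSDTC dynamic range", RPC_DYNAMIC))


@dataclass(frozen=True)
class Flow:
    src_zone: str        # "internet", "dmz" or "lan"
    src: str
    dst_zone: str
    dst: str
    ports: Tuple[int, int]
    purpose: str

    def hits(self, rng: Tuple[int, int]) -> bool:
        """True when this flow's port range overlaps rng."""
        return self.ports[0] <= rng[1] and rng[0] <= self.ports[1]

    def label(self) -> str:
        lo, hi = self.ports
        p = str(lo) if lo == hi else f"{lo}-{hi}"
        return f"{self.src_zone}:{self.src} -> {self.dst_zone}:{self.dst} tcp/{p} ({self.purpose})"


def flow(src_zone, src, dst_zone, dst, ports, purpose) -> Flow:
    rng = (ports, ports) if isinstance(ports, int) else tuple(ports)
    return Flow(src_zone, src, dst_zone, dst, rng, purpose)


def review(flows: Iterable[Flow], reverse_proxies=("isa-dmz",), backend_port=443) -> List[str]:
    """Return one finding per flow that breaks the policy; an empty list means clean."""
    findings: List[str] = []
    for f in flows:
        if f.src_zone == "dmz" and f.dst_zone == "lan":
            internal = [name for name, rng in INTERNAL_ONLY if f.hits(rng)]
            if internal:
                # A DMZ host that needs these is domain-joined with SQL rights:
                # exactly the exposure Greg warns about.
                findings.append(f"{f.label()}: {', '.join(internal)} opened from the DMZ into the LAN; "
                                f"compromise of {f.src} reaches the internal SQL/domain")
            elif f.src not in reverse_proxies or f.ports != (backend_port, backend_port):
                findings.append(f"{f.label()}: only the reverse proxy may initiate into the LAN, "
                                f"and only to the published backend on tcp/{backend_port}")
        elif f.src_zone == "lan" and f.dst_zone == "internet":
            findings.append(f"{f.label()}: internal host with direct Internet egress; "
                            f"route it through a DMZ relay instead")
        elif f.src_zone == "internet" and f.dst_zone == "lan":
            findings.append(f"{f.label()}: inbound from the Internet must terminate in the DMZ")
    return findings


# Brice's layout: a BizTalk node in the DMZ sharing the message box with the LAN.
BRICE = [
    flow("internet", "any", "dmz", "bts-dmz", 443, "partner HTTPS"),
    flow("dmz", "bts-dmz", "lan", "sql-lan", SQL, "BTSMsgBoxDb / SSO"),
    flow("dmz", "bts-dmz", "lan", "sql-lan", RPC_EPMAP, "MSDTC"),
    flow("dmz", "bts-dmz", "lan", "sql-lan", RPC_DYNAMIC, "MSDTC"),
    flow("lan", "sql-lan", "dmz", "bts-dmz", RPC_EPMAP, "MSDTC"),
    flow("lan", "sql-lan", "dmz", "bts-dmz", RPC_DYNAMIC, "MSDTC"),
]

# Greg's layout: ISA reverse proxy in the DMZ, BizTalk and SQL on the LAN.
GREG = [
    flow("internet", "any", "dmz", "isa-dmz", 443, "partner HTTPS"),
    flow("dmz", "isa-dmz", "lan", "bts-lan", 443, "published web service"),
    flow("lan", "bts-lan", "lan", "sql-lan", SQL, "message box"),
]

# Björn's "one thing is for sure": the LAN BizTalk host must not FTP out itself.
DIRECT_FTP = GREG + [flow("lan", "bts-lan", "internet", "any", 21, "partner FTP")]
```

review(BRICE) returns three findings, one for each of SQL, the endpoint mapper and the MSDTC range crossing from the DMZ into the LAN; review(GREG) returns none; review(DIRECT_FTP) flags the single direct-egress rule. The LAN-to-DMZ half of the MSDTC pair is not flagged here because it is initiated from inside, but it is still a dependency of the internal SQL server on a host in the exposed zone.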
Brice Prunier 2005-12-20, 7:58 am
Hello Greg,
Reading your answer I feel there is a misunderstanding.
My scenario is the following:
WAN | FIREWALL | DMZ with "Reverse Proxy" | FIREWALL | LAN
All your recommendations are already applied on what I call a DMZ: Reverse
Proxy + ACL + SSL + Secured FTP.
For my customer (I agree with him on this point) any network open to the
Internet is in some way vulnerable.
All Corporate applications are on another network (LAN) with no access to
the WAN.
Reading your answer, I feel my DMZ is a secured place?
Should be OK for BizTalk, no?
Regards