ASP.NET + SQL Server + WebHost - Setup Questions

Hello Dean,

Welcome here.

From your description, you have some questions about choosing a public
ASP.NET web application host. Here are some of my understanding and
suggestion to your questions:
What is the best way to accomplish this via a hosted setup (like
http://www.discountasp.net/) and ASP.NET?
=========================================
I think you should consider it carefully that whether you really want to
let your web application directly access your SQL Server(there is
security/authentication challenge here) since the web appliation will be
hosted in public host. IMO, you've several options as below:

** let the web appliaction directly access your SQL Server and you'll use
SQL Login mode and store username/password in your ASP.NET app's
connectionstring

**build a webservice for delegating the data accesing task, your ASP.NET
web application will call the webservice rather than directly access
sqlserver.
What features do I need to make sure I have when trying to select a web
hosting provider?
=========================================
I think resources(on the server) access permission would be an important
one you should consider. For example,

can you have full access of the file disk within your application's folder
can you access eventlog

In addition, since ASP.net application has a CAS trust level setting(by
default it is Full level ), you need to also make sure whether the web host
will allow you run application as "Full" trust level. As far as I know,
most host will restrict hosted application under very limited trust
level(such as Medium or Low).

What is the best method for accessing the databases here from the
remotely-hosted website? I want to make sure I'm using the best methods
for
speed, security, stability, etc.
=========================================
For better performance, you should use directly database access and
consider use replication, however, this should be a advanced feature which
will not be provided by every web hosts.

For security, since you're connecting your own server over inernet, only
SQL Server authentication(mixed mode) can be used. You need to consider how
your username/password pair will be stored in your application. ASP.NET
support encrypting web.config sections, however, you need to do the
encryption on the deployment server rather than development machine. Thus,
if you want to use web.config encryption, you need to also ask your web
host whether you can execute some command on the host server to encrypt
web.config at deployment time.

Will I just access the SQL Servers here directly, or do I need to have a
SQL
Server running at the web host also some type of a subscription setup? I
asked these question in another group and I was told to use replication to
keep a copy of the databases local to the web host for performance reasons.
=========================================
If possible, that does helps on performance, however, it depends on the
host provider.
Any recommandations for quality ASP.NET web hosting providers? Any that
you've had good service and results with?
=========================================

I would suggest you have a look at the host on the www.asp.net web site
since that's the official website of ASP.NET developing and here is the
host info about ASP.NET :

http://www.asp.net/Hosters/
Hope this helps. Please feel free to let me know if there is anything else
you wonder.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks for the information Steven, please see my responses below:

I think you should consider it carefully that whether you really want to
let your web application directly access your SQL Server(there is
security/authentication challenge here) since the web appliation will be
hosted in public host. IMO, you've several options as below:

** let the web appliaction directly access your SQL Server and you'll use
SQL Login mode and store username/password in your ASP.NET app's
connectionstring

If I have a copy of the database on the same server or the same network as
the web server at the web host, why couldn't I use Windows
login/authentication? Then use replication/subscriptions to keep the
databases in sync, probably via a transactional setup?

I wonder if I could use a VPN connection from the web host to our servers
here, for the two databases to communicate with each other, for security?

**build a webservice for delegating the data accesing task, your ASP.NET
web application will call the webservice rather than directly access
sqlserver.

Would this web service access a locally stored copy of the database at the
web host, or would my ASP.NET application call to a web service running on a
server in our building here and access our local SQL Server?

I don't know that much about web services yet, so I'm not sure if this
method would be a benefit or a drawback for our scenario. I have no idea
how much more coding this method would require, nor how flexible it would
be. For instance everytime we need a new report or to add a query, the
application will have to be modified and the database, so would I also have
to modify the web service with every change also?

I don't know about the securty of having an exposed web service where
someone might be able to access our databases?

In addition, since ASP.net application has a CAS trust level setting(by
default it is Full level ), you need to also make sure whether the web
host
will allow you run application as "Full" trust level. As far as I know,
most host will restrict hosted application under very limited trust
level(such as Medium or Low).

And what happens if the web hosts only offer these Medium or Low levels? Is
there a work-around or are the drawbacks not worthwhile?
Thanks for all of your help.
Dean

Hello Dean,

Thanks for the reply.

for your further questions:

If I have a copy of the database on the same server or the same network as
the web server at the web host, why couldn't I use Windows
login/authentication? Then use replication/subscriptions to keep the
databases in sync, probably via a transactional setup?
==============================================
Yes, of course you can use windows authentication if you have a local
sqlserver instance on the host provider's server machine(or local
environment). However, that windows authentication is peforming against the
host provider's local security database(windows accounts) rather than your
own intranet's user accounts.

I wonder if I could use a VPN connection from the web host to our servers
here, for the two databases to communicate with each other, for security?
==============================================

I don't think this is quite doable, two problems here:

** VPN require us to establish the VPN connection first, normally if a
server joins a VPN, it will lose its original network connections(at least
will be affected).

** I don't think webhost will make their server join another VPN


Would this web service access a locally stored copy of the database at the
web host, or would my ASP.NET application call to a web service running on
a
server in our building here and access our local SQL Server?

I don't know that much about web services yet, so I'm not sure if this
method would be a benefit or a drawback for our scenario. I have no idea
how much more coding this method would require, nor how flexible it would
be. For instance everytime we need a new report or to add a query, the
application will have to be modified and the database, so would I also have
to modify the web service with every change also?

I don't know about the securty of having an exposed web service where
someone might be able to access our databases?
================================================
Webservice is just a distribute programming interface. If you use
webservice, you need to put your original ADO.NET code into webservice's
webmethod. And your ASP.NET web application will call webservice webmethods
instead of directly call ADO.NET components. And for webservice, you can
utilize existing security features such as basic authentication +
https/ssl or implement custom authentication in code. Anyway, since you're
not very familar with it in this case, I think you can put it aside for
future plan.

And what happens if the web hosts only offer these Medium or Low levels?
Is
there a work-around or are the drawbacks not worthwhile?
================================================== ====
In .net framework, Code Access Security (CAS) is used to perform security
checking and restriction on the code that can be executed in a certain .net
framework application.

#Code Access Security in Practice
http://msdn.microsoft.com/library/en....asp?frame=tru
e
In ASP.NET, the "trust" level controls the code access permission the
ASP.NET applciation will have(what level of code it can execute). By
default (defined in machine.config) ASP.NET application is running under
"Full" trust level, however, in public web host provider, they only provide
"Medium" trust level, thus, some privileged .net code(such as unmanaged
interop code or file IO API) will not allowed to be execute.

Here is a good reference article about CAS with ASP.NET, you can refer to
it to get more ideas:

#How To: Use Code Access Security in ASP.NET 2.0
http://msdn.microsoft.com/library/en...7.asp?frame=tr
ue
Also, even with "Medium" trust, there is some best practice article
describe how to make our ASP.NET application work in restricted host
environment:

#How To: Use Medium Trust in ASP.NET 2.0
http://msdn.microsoft.com/library/en...0.asp?frame=tr
ue
Hope this also helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.

Hello Dean,

Have you got any further idea on this issue? Anyway, if you have any
further questions or anything else we can help, please don¡¯t hesitate to
let me know.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.