467,915 Members | 1,189 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 467,915 developers. It's quick & easy.

Accessing file system

I have a .net application that I want to run in a DMZ, with the SQL Server
and file system behind another firewall. Is there a secure way to get to
files from my application, or would it be better to have a reverse proxy
server in the DMZ and the webserver behind the second firewall?
Oct 9 '06 #1
  • viewed: 2096
Share:
2 Replies
Hello Gerhard,

Based on your description, your webserver (in DMZ)which host the .net
application(ASP.NET app?) will need to access files on another server
behind firewall(in intranet domain), and you're wondering the proper way to
do this, correct?

As for use a reverse proxy server and move the webserver into intranet with
the fileserver, I don't think it a prefered way since that'll involve more
complexity. And generally webserver is reasonable to locate in DMZ instead
of inside intranet domain.

For your scenario, if the files on the remote server (behind firewall) is
on NTFS file system, I think you can consider using the following means in
your .net application (running on the webserver in DMZ):

1. Use impersonate to execute File access (System.IO....) code under a
specific user. And since your webserver is in DMZ, you can not use domain
user account, you need to create two duplicated local accounts (with same
username and password) on both your webserver and the file server. Then, in
your .net application, use code to programmtically impersonate as this
local account and the impersonated code can correctly access the files on
the shared folder on the remote file server(as long as you've grant
sufficient permision for this account for this account).

Here is an article describe how to programmatically impersonate the
ASP.NET application code(also apply to normal .net application)

#How to implement impersonation in an ASP.NET application
http://support.microsoft.com/kb/306158/en-us
2. The #1 approach require us to impersonate under a certain user and this
user account must be a duplicated account on both source and target
machine. To avoid this, you can consider create a "Mapped network drive"
on your webserver machine which point to the remove file share folder. You
can create such a fileshare through the server explorer's "tools-->map
network drive..." menu or use the "net use" command line command.

Then, in your .net application you can access this mapped local drive
instead of the remove UNC path. You also need to make sure that your
application's running account (security context) is the one that create the
network share mapping.

Hope this helps. Please feel free to let me know if you have anything
unclear or need any further assistance.
Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Oct 9 '06 #2
Thank you. This was a big help.
"Steven Cheng[MSFT]" wrote:
Hello Gerhard,

Based on your description, your webserver (in DMZ)which host the .net
application(ASP.NET app?) will need to access files on another server
behind firewall(in intranet domain), and you're wondering the proper way to
do this, correct?

As for use a reverse proxy server and move the webserver into intranet with
the fileserver, I don't think it a prefered way since that'll involve more
complexity. And generally webserver is reasonable to locate in DMZ instead
of inside intranet domain.

For your scenario, if the files on the remote server (behind firewall) is
on NTFS file system, I think you can consider using the following means in
your .net application (running on the webserver in DMZ):

1. Use impersonate to execute File access (System.IO....) code under a
specific user. And since your webserver is in DMZ, you can not use domain
user account, you need to create two duplicated local accounts (with same
username and password) on both your webserver and the file server. Then, in
your .net application, use code to programmtically impersonate as this
local account and the impersonated code can correctly access the files on
the shared folder on the remote file server(as long as you've grant
sufficient permision for this account for this account).

Here is an article describe how to programmatically impersonate the
ASP.NET application code(also apply to normal .net application)

#How to implement impersonation in an ASP.NET application
http://support.microsoft.com/kb/306158/en-us
2. The #1 approach require us to impersonate under a certain user and this
user account must be a duplicated account on both source and target
machine. To avoid this, you can consider create a "Mapped network drive"
on your webserver machine which point to the remove file share folder. You
can create such a fileshare through the server explorer's "tools-->map
network drive..." menu or use the "net use" command line command.

Then, in your .net application you can access this mapped local drive
instead of the remove UNC path. You also need to make sure that your
application's running account (security context) is the one that create the
network share mapping.

Hope this helps. Please feel free to let me know if you have anything
unclear or need any further assistance.
Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Oct 9 '06 #3

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

2 posts views Thread by Generic Usenet Account | last post: by
2 posts views Thread by wan2tri | last post: by
3 posts views Thread by Nathan Sokalski | last post: by
3 posts views Thread by FerrisUML | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.