Scenario
You have already set up v20 on an internal webserver. Now you want to allow people to register over the internet. What is the best way to do this?
Option 1:
If you are using Momentus or AD Signon, are only using the site internally, and do not have a DMZ set up, you could just add an SSL certificate to secure your site. This is not recommended if the database is on the same server.
Option 2:
Generally, if you are going to use a second v20 URL for a public-facing site, it is most likely going to reside on a different server, generally in a DMZ. It can reside on the same server, but in most cases, if you are using just one server, it is best to just secure the site and have everyone, internal and external, use the same URL.
If you decide to add an additional v20 site in a secure location, set up v20 on the external server in the same way as on the internal server. Once the external site is set up and working, add the external site to the Public site field on the applications settings tab of ungerboeckwebconfig.exe on the internal server. You would end up with a scenario like this:
- One internal webserver, where you run v20 internally and
- One external webserver, where only v20 registration is running
- So in total you have two v20 installations running in parallel.
Test Link
After maintaining this string in the v20 configuration, open a v20 registration on the internal webserver and click “save and copy shortcut”. The shortcut now contains the link to the external webserver, which you can publish on the internet.
Please note that the external webserver needs to be able to communicate with the database server (please enable the required ports).
Comments
11 comments
Hi,
Under this model how do you prevent the external version of the V20 setup from showing the application login? Otherwise, if you can configure it on the firewall, what's the difference between the above and just exposing your V20 server to the internet directly?
Thanks
0 upvotes
Good question Quentin, I'd like to see the answer to that too.
0 upvotes
Was there ever an answer to this question?
0 upvotes
This was the response I received from support.
When setting an environment to use public facing v20 the authentication method used can be set for Active Directory, this will ensure that if any user trying to login does not have an AD account with RNA then the system will not allow them to login (even after modifying the URL to access the login page).
Active Directory authentication is more secure than straight SQL user authentication.
0 upvotes
Having a full v20 web server exposed publicly is just asking for trouble/hacking!! Does Ungerboeck independently validate and certify that v20 has been intrusion audited for every version and service release?
We need a "light" installation of v20 that only exposes publicly accessible runtime, with functionality that you turn on and off.
0 upvotes
Jason, I don't have a lot of details, but I was told that this is currently being addressed. When I have more information I will be happy to update this post/the Knowledge Base.
Thank you,
Carrie
0 upvotes
Any updates on this so far? I'm going with Jason here, I have my doubts about security.
Can we get an overview how this setup is secured?
0 upvotes
Ungerboeck Software v20 is considered a single application with 2 “modes” – Backoffice & Public-Facing. For installations of Ungerboeck on public-facing web servers, we encourage the use of a setting in the v20 configuration that will turn the v20 installation into a ‘Public-only’ website. This will block traffic to the backoffice endpoints of v20 and expose only those endpoints needed to enable the public-facing applications such as Registration.
If you would like to configure this setting for one of your public facing sites, open the v20 Configuration tool (UngerboeckWebConfiguration.exe), go to the Application Settings tab, and find the section called “Websites”. In that section, you will find a checkbox labeled ‘Only Allow Access to Public Apps’. Check that checkbox and you will see the site cease to be able to run v20 backoffice.
In addition to being PA-DSS compliant, Ungerboeck Software also scans each major version and service release within that version with a website vulnerability tool called Acunetix.
0 upvotes
Hi Carrie,
Can the above be turned into a KB article? (v20 Public Facing Installation) I just spent a huge amount of time looking for this and found no mention of it in any install or tech documents. My apologies if it is already there.
0 upvotes
Sean, I'll see what I can do! I'm sending this to the right Product Management team to collaborate and get everything out there that needs to be.
Thanks,
--Carrie
0 upvotes
Hi there - still looking for a concise 'v20 public facing installation' guide.
Thanks.
0 upvotes