OK, I'm not sure I understand your question. I _think_ you mean that there
are no new connections allowed from the DMZ into the internal network. This
means that the proxy server in the DMZ cannot be used to reverse-proxy the
external requests for WWW data on the internal server.

This is normal.

To solve the problem you will need to reconfigure your firewall or move the
WWW server in question into the DMZ. I would tell your firewall people to
allow inbound connections from the proxy server to the internal WWW source
for port 80. Your extra risk is that if someone compromises the proxy server
then they can start looking for port 80 exploits on the internal server.
Therefore, it follows that your proxy server should be examined for
trustworthiness as a security principal (i.e. make sure it's not going to
fall over).

What I _think_ you're talking about would have the same effect as allowing
the proxy-server to talk to the internal network except that it probably
wouldn't work and even if it did it would almost certainly break something,
security-wise.

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  


> -----Original Message-----
> From: Sumeet Vij [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 19 August 2000 2:53 AM
> To: [EMAIL PROTECTED]
> Subject: How do I do a reverse Invoke
> 
> 
> Hey folks,
>       My problem is like this
> * I have two app servers, one in the DMZ and another on the corporate
> intranet protected by a firewall.
> * Due to security restrictions, the firewall has been configured to
> only allow connections to be opened from inside i.e. only the server
> on the corporate intranet can make a connection to the proxy server in
> the DMZ outside the firewall.
> * Clients from the internet will be connecting to the Proxy in the
> DMZ. The proxy then has to send the request on the already open
> connection, which was initiated by the server inside the firewall, and
> then get the response when the server inside the firewall opens
> another connection as the response.
> Therefore the requests coming in from the internet, go from the proxy
> in the internet to the real server as responses to a pre-existing
> request opened by the real server.
> I hope I made the situation clear. I want to know if you have seen
> another product out there which does this or somebody who has
> implemented a solution to this already.
> A reply will really be appreciated.
> Thanks,
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
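An added example, not part of either message: a small first-match rule evaluator that audits what a compromised proxy could reach on the internal network under the narrow rule suggested in the reply (proxy to internal WWW server, port 80 only) compared with a broad DMZ-to-internal allow. All addresses, the probed port list and the names `Rule`, `decide` and `exposure` are constructed for illustration; only new connections from the DMZ inward are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumption, not from the thread).
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
PROXY = ipaddress.ip_address("192.0.2.10")       # reverse proxy in the DMZ
OTHER_DMZ = ipaddress.ip_address("192.0.2.20")   # some other DMZ host
WWW = ipaddress.ip_address("10.0.0.80")          # internal WWW server

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # destination TCP port, None = any

# Narrow rule from the reply: only proxy -> WWW server, port 80.
NARROW = [Rule("allow", "192.0.2.10/32", "10.0.0.80/32", 80)]
# Overly broad alternative: any DMZ host -> any internal host, any port.
BROAD = [Rule("allow", "192.0.2.0/24", "10.0.0.0/24", None)]

def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

def exposure(rules, src, ports=(22, 80, 443, 445, 3306)):
    """Internal (host, port) pairs to which src may open a new connection,
    i.e. what becomes reachable if the host at src is compromised."""
    return {(str(h), p)
            for h in INTERNAL.hosts()
            for p in ports
            if decide(rules, src, h, p) == "allow"}

if __name__ == "__main__":
    print("narrow, from proxy:    ", sorted(exposure(NARROW, PROXY)))
    print("narrow, from other DMZ:", sorted(exposure(NARROW, OTHER_DMZ)))
    print("broad, from proxy:     ", len(exposure(BROAD, PROXY)), "host/port pairs")
```

With the narrow rule the residual exposure is exactly the one service the reply names, which is the surface the proxy's own hardening has to protect.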