http://qs1969.pair.com?node_id=467687

xorl has asked for the wisdom of the Perl Monks concerning the following question:

We have our webserver outside of our firewall in some kind of DMZ. Our employee database is inside the firewall (it's a Win2k server and we're using Active Directory). Now what I want to do is write a script on the webserver that does a bunch of stuff to one of the web databases after it figures out that a user is a valid employee. I (and the PHBs) want to do this without punching a hole in the firewall.

Yeah, sounds impossible, I know. We have an Intranet server which is inside the firewall. It can easily access the employee database.

What I was thinking was to have the users go to the Intranet server, be validated, fill out the info on the form, then submit the form. The form would actually be submitted to the webserver.

Problem with this is how do I make sure what is submitted is actually from the Intranet server. I thought about checking the referrer, but I've written some scripts that send fake referrers. So far I'm thinking the best thing is to have the form send some kind of token. Or maybe I could force everyone to have an IP address in the 10.xx.xx.xx range (that isn't spoofable, is it? What if I want them to be able to do this from home and not on our network?)

From the comment "Re: Referer check within domain problem" it sounds like a completely different solution is needed. Yet there is no alternative offered.

The project is still at the idea stage, so almost anything can be changed. The only requirements are:

Any help would be appreciated. Thanks.
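
The token idea from the question can be built as an HMAC over the validated username and form data, keyed with a secret both servers hold, so the webserver can verify a submission without any connection through the firewall. The following is an added example, not part of the original post; the function names, token layout, secret and sample values are assumptions made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: one random secret, installed on both servers out of band.
my $SECRET  = 'constructed-demo-secret-replace-me';
my $MAX_AGE = 300;    # seconds a token stays valid
my %seen;             # nonces already accepted (persist and expire in real use)

# Length-prefix each field so ("ab","c") and ("a","bc") sign differently.
sub _mac {
    my $msg = join '', map { length($_) . ':' . $_ } @_;
    return hmac_sha256_hex($msg, $SECRET);
}

# Intranet server: call after the user is validated; send the result as a hidden field.
sub issue_token {
    my ($user, $data, $nonce, $now) = @_;    # $nonce: 32 hex chars from a CSPRNG
    return join '.', $now, $nonce, _mac($user, $data, $nonce, $now);
}

# Webserver: recompute the MAC over what was actually submitted.
sub verify_token {
    my ($user, $data, $token, $now) = @_;
    my ($ts, $nonce, $mac) = split /\./, $token // '', 3;
    return 0 unless defined $mac && $ts =~ /\A\d+\z/ && $nonce =~ /\A[0-9a-f]{32}\z/;
    return 0 if $now - $ts > $MAX_AGE || $ts - $now > 30;    # expired or future-dated
    my $expect = _mac($user, $data, $nonce, $ts);
    return 0 unless length($mac) == length($expect);
    my $diff = 0;    # compare without stopping at the first mismatch
    $diff |= ord(substr $mac, $_, 1) ^ ord(substr $expect, $_, 1) for 0 .. length($expect) - 1;
    return 0 if $diff;
    return 0 if $seen{$nonce}++;    # same token submitted twice
    return 1;
}

# Constructed sample values.
my $now  = 1_700_000_000;
my $tok  = issue_token('jdoe', 'dept=42', '00112233445566778899aabbccddeeff', $now);
my $tok2 = issue_token('jdoe', 'dept=42', 'ffeeddccbbaa99887766554433221100', $now);
printf "fresh token accepted:   %d\n", verify_token('jdoe', 'dept=42', $tok,  $now + 10);
printf "replayed token accepted: %d\n", verify_token('jdoe', 'dept=42', $tok,  $now + 20);
printf "altered data accepted:   %d\n", verify_token('jdoe', 'dept=99', $tok2, $now + 10);
printf "expired token accepted:  %d\n", verify_token('jdoe', 'dept=42', $tok2, $now + 301);
```

Because the browser carries the token, the check does not depend on the client's IP address, which covers the work-from-home case. The form should still be submitted over HTTPS, and the secret on the DMZ host needs the same protection as any other credential stored there.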