The notion of forcing (internal) users to submit via the Intranet server seems pretty sound, but the notion of letting employees work from outside is less so... even if you do VPN or something similar.

re your (IP) isn't spoofable is it??: If not today, wait a few seconds. I wouldn't want to bet against it being an easy do today. cf annonymiser, etc. which appear readily adaptable.

and re What if I want them to be able to do this from home and not on our network?: In the famous words of the (allegedly) prototypical New Yawker, "fergeddiboudit!" For one thing, one frequently high priority consideration for running an intranet is SPECIFICALLY that you don't want a user from outside your firewall playing inside your (proprietary) workspace -- to which I'd add "even if you THINK you know who it is."

On the other hand, your outside server (RH) uses a fairly sound encryption scheme to validate those with accounts; one would think you might be able to avoid posting a (generic meaning) database to validate those authorized to change content. But on the third or fourth or fifth hand, what is the PHB's level of risk tolerance?

I was afraid someone was going to say that. We already have people out in the field who connect via VPN and can then go crazy on our internal network. Of course not all of them are authorized for VPN. For these people, they are limited to doing some very simple tasks on the webserver with a webform.

First of, are their any ports currently open, possibly TCP 80 and/or TCP 443? If they are open you could use LWP::Useragent to access a page on your intranet server. The page on the intranet server would handle the AD testing and return a yes/no answer. You could then parse the output on the DMZ server for confirmation.

If there are not any ports open, you could set up a host to host rule on the firewall (Even though you said you wanted to avoid this), where inbound traffic is only permitted from the DMZ server address to the intranet server address. A rule like this is safer than just opening up the port to any internet host.

No you currently cannot have the webserver request a page from the intranet server. I did suggest something like this. I wasn't shot down exactly, but was told they wanted other options.

xorl,

I don't really see much of a way solution, considering your current level of resources. As a very last possible resort you could have the DMZ server email the requests to an account on the Intranet server for processing (which is a whole different security concern), then the intranet server could post the results to a form on the DMZ server. This would REALLY slow the process down, but I believe it to be at least an option if there are not any others.

Thanks,
Greg W.

You may want to talk to IT from other companies to see what they do - I expect that allowing the webserver to access something inside the firewall is precisely how it happens. Through a VPN tunnel, or via very strict firewalls that only allow the one static IP address through, or by using a second network card that connects to the other side of the firewall, and using strict iptables to limit what can go through each network card. For example, on eth1, only transmissions to port xyz on machine a.b.c.d are allowed. This can severely limit the exposure should the DMZ box be rooted.

• How do employees access the external webserver that you are trying to use?
• Can you mirror the external server on an intranet server?
• Can you mirror the employee database on the webserver(watch this with sensitive data, maybe what is needed for authentication)?