External access: Setting up ThoughtFarmer in a DMZ
With this method the ThoughtFarmer server is set up in a DMZ on your network. A DMZ is essentially a network configuration that places servers between 2 firewalls—one from the internet to the server, and the other from the server to your organization's internal network. This scenario requires a domain URL to be created and registered and the DNS entry set to point to your network's public gateway. The port forwarding in this case will point to the ThoughtFarmer server in the DMZ. It also requires additional configuration for the firewall to your internal network to allow for only the bare minimum of ports to be opened.
- This is a very secure method.
- This provides an easy way for your users to connect.
- This is the most complicated method to configure.
- This requires architectural changes to your server(s) on your network.
Steps for configuring your ThoughtFarmer server in a DMZ
- Set up your ThoughtFarmer server in a DMZ and configure the internal firewall to allow for the appropriate ports (see heading below).
- Get the external IP address for the network that your ThoughtFarmer server is set up on.
- Register a public domain name for your intranet (e.g. yourcompany.com) using the service provider of your choice. If you already have a domain registered skip this step.
- Choose a full URL for your intranet (e.g. intranet.yourcompany.com).
- Purchase an SSL certificate for the chosen URL from the service provider of your choice. You can also purchase a wildcard SSL (e.g. *.yourcompany.com) or use one if already purchased.
- Contact the Administrator for the registered domain name and add an A-record for your chosen intranet URL to point to the IP in step number 1.
- Install the SSL certificate on the ThoughtFarmer server.
- Configure an SSL binding on your ThoughtFarmer instance.
- Set up a redirect for all http traffic to go to https (you can specify a different URL than your internal users).
- Set up port forwarding on the network firewall to point all port 80 (http) and port 443 (https) traffic for the intranet URL to the internal IP of the ThoughtFarmer server in the DMZ.
Configuring the internal firewall
To allow for Windows Authentication and AD Integration, the web server needs to be part of the AD domain. This requires opening specific ports on the internal firewall. See How to configure a firewall for domains and trusts for a more complete listing depending on server operating system.
The diagram below shows a general overview of how this could be set up. Your SQL database server and the mail server can also be on the internal network if it is already set up this way. In this case some additional ports need to be opened up on the internal firewall to allow for this. The mail server ports depend on the method of connection. Please see the additional port list at the bottom of this page.
Additional ports required depending on server configurations
- SQL server - port 1433
- POP3 - port 110
- IMAP - port 143
- SMTP - port 25 (for all notifications)
- HTTP - port 80 (for Exchange mode email)
- HTTPS - port 443 (for Exchange mode email)
- SMTP (SSMTP) - port 465
- Secure IMAP (IMAP4-SSL) - port 585
- IMAP4 over SSL (IMAPS) - port 993
- Secure POP3 (SSL-POP) - port 995
Please sign in to leave a comment.