Our business is in need of setting up a dealer portal website which needs to interact with our internal SQL/App server. I know SBS is not the place to host the site, so setting up a virtual web server and putting it in some sort of DMZ is the plan thus far. I'm planning on running the site securely (https://), which will conflict with the SBS OWA and RWW. I'd prefer to use the same static IP address, so how would I go about setting up and accessing the dealer site given that both will be on port 443? Could I just change the port of the dealer portal? (e.g. https://mysite.com:4443) I suspect the site will be fairly low volume if that matters any...

Is this normally how a company data-driven website is set up? I would assume 3rd party hosting isn't an option since much of the data lives on our internal SQL/App server...

Any other suggestions?
I'd get another external IP and use that for external access. If you want to make things easier externally, just have a subdomain created of dealer.yourdomain.com that points to that IP. You may have 5 IPs already in some business accounts.

Russ
--
Russell Grover - SBITS.Biz [SBS-MVP]
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist
World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
Microsoft Online Services - http://www.microsoft-online-services.com

"Scott Rymer" <tsrymer/at/hotmail/dot/com> wrote in message news:F2C2CDC3-A0DC-4389-AD70-6094C6959237@microsoft.com...
> I'd prefer to use the same static IP address, so how would I go about
> setting up and accessing the dealer site given that both will be on
> port 443? Could I just change the port of the dealer portal? (e.g.
> https://mysite.com:4443)
> [snip]
Scott Rymer wrote:
> Is this normally how a company data-driven website is set up? I would
> assume 3rd party hosting isn't an option since much of the data lives on
> our internal SQL/App server...
>
> Any other suggestions?

Many ways...

Best practice is to host it externally, and to organise data flow between the sites. Professional web hosting normally includes an SQL database and active web page software of either Windows or *nix varieties. That also sidesteps the port issue.

Even in a local DMZ, this is the right way to do it, with the web server machine never having access to the LAN. Always pull the user data from the web server, and push back the data to publish, or send it by email. Never link a publicly-accessible web server to a database running on a non-expendable machine. The important thing to ensure is that if the web server is compromised, it does not provide any greater access to the rest of the company's IT systems than is available directly from the Internet.

An example: a client of mine needs to publish scanned documents on a web server, together with data associated with them. The documents are linked to a database, with the master copy at the client's office. So there is an application which allows the scan to be associated with a particular record in the master database at the time it is made. Then, the scan is processed and pushed by FTP to the website.

The updated database records are potentially more sensitive than the scans and are encrypted and emailed out of the client's office. The website pulls the emails from an IMAP server, extracts the attachments and copies the records to the slave database after verification, anti-SQL-injection and XSS measures etc. This has the side effect of maintaining an automatic up-to-date backup database offsite, and in fact in another country in this case.

It's a bit harder if significant data entry has to be made on web pages, but the relevant active page can sanitise and then email the data, or place it in a file for download by FTP or HTTP (or a more secure method).

Since you're using https with a known group of clients, you could consider requiring a client certificate for access to the server, which you would distribute to the dealers along with written instructions that it should be installed only on secure computers. You will no doubt be using professionally-written web applications, and should be able to get more security advice from those professionals.

It is certainly more expensive to outsource the website if nothing goes wrong for a few years, but even a single compromise will tip the costs the other way, by quite a large amount. Think of it as insurance.

--
Joe
Joe, thanks for the great advice.

Hosting externally isn't likely an option from a budget perspective... but what are some options to get data flowing from my internal SQL database to the web server hosted on a 3rd party server?

Some ideas I've had so far w.r.t. data:

Would SQL replication be advisable for data flowing from SQL to the web server?
What about using web services on the SQL box to send data to the web server?
FTPing XML files on a schedule from the SQL box to a web server directory?

Obviously, I want the app to be as secure as possible. I need to educate myself on the security risks before I go shopping for a developer...

> Many ways...
>
> Best practice is to host it externally, and to organise data flow between
> the sites. Professional web hosting normally includes an SQL database and
> active web page software of either Windows or *nix varieties. That also
> sidesteps the port issue.
>
> Even in a local DMZ, this is the right way to do it, with the web server
> machine never having access to the LAN. Always pull the user data from the
> web server, and push back the data to publish, or send it by email. Never
> link a publicly-accessible web server to a database running on a
> non-expendable machine.
> [snip]
>
> --
> Joe
Scott Rymer wrote:
> Joe, thanks for the great advice.
>
> Hosting externally isn't likely an option from a budget perspective...
> but what are some options to get data flowing from my internal SQL
> database to the web server hosted on a 3rd party server?
>
> Some ideas I've had so far w.r.t. data:
>
> Would SQL replication be advisable for data flowing from SQL to the web
> server?

I would think that was OK. I can't imagine any reason for a data flow back the other way, but then it would never have occurred to me a couple of years ago that PDFs could be dangerous.

> What about using web services on the SQL box to send data to the web
> server?
> FTPing XML files on a schedule from the SQL box to a web server directory?

They certainly *should* be safe. As above...

> Obviously, I want the app to be as secure as possible. I need to
> educate myself on the security risks before I go shopping for a
> developer...

There be dragons...

I'm not an expert on web security; like most here I have to be a jack-of-all-trades, and I know just enough about web security to be very wary. It's a full-time job in itself. Google for SQL injection and XSS if you want to scare yourself by how easy it is to leave gaping holes, and how many well-known websites have been compromised using just those two techniques. I can hack basic web server scripting, but I'd never consider writing code for a public site without acquiring a great deal more knowledge. And I'd still outsource the hosting.

I also can't help much specifically, as I'm comfortable with perl and php, so I tend to favour *nix servers if I need to get involved in scripting. Transferring MySQL data as pure text is trivial and easy to monitor for stuff that shouldn't be there. I've had nothing to do with MS SQL, but general Microsoft experience suggests that it would be somewhat less transparent to deal with. But what you want is bread-and-butter stuff to web developers; I'd have thought most would have off-the-shelf software to do it.

Best of luck.

--
Joe
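The two holes Joe names above, SQL injection and cross-site scripting, shown side by side in an added example (this is not code from the thread or from any poster): a toy dealer lookup against an in-memory SQLite table, first written the way the holes are usually introduced and then hardened. The `dealers` and `secrets` tables, their contents, the `dealer_id` request parameter and the attacker's payload are all constructed for the example; the hardened version is the pattern any web developer you hire should be able to show you in their own framework.

```python
"""
Added example: SQL injection and XSS in a dealer-portal lookup, before and
after hardening. Data and parameter names are constructed for the example.
"""
import html
import sqlite3


def make_db():
    """Constructed sample data: a dealers table plus a second table standing
    in for anything else that happens to live in the same database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dealers (id INTEGER PRIMARY KEY, name TEXT, tier TEXT)")
    conn.executemany(
        "INSERT INTO dealers VALUES (?, ?, ?)",
        [
            (1, "Acme Motors", "gold"),
            (2, "Smith & Sons", "silver"),
            # A name a dealer could have typed into a self-service profile form.
            (3, "<img src=x onerror=alert(1)>", "bronze"),
        ],
    )
    conn.execute("CREATE TABLE secrets (k TEXT, v TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('db_password', 'hunter2')")
    return conn


def lookup_vulnerable(conn, dealer_id):
    """How the holes are usually introduced: the request parameter is pasted
    into the SQL text, and the database values are pasted into the HTML."""
    sql = "SELECT name, tier FROM dealers WHERE id = " + dealer_id
    rows = conn.execute(sql).fetchall()
    return "".join(f"<li>{name} ({tier})</li>" for name, tier in rows)


def lookup_hardened(conn, dealer_id):
    """Same feature with both fixes: the parameter is validated and bound, so
    it can only ever be a value and never SQL; every value that reaches the
    page is HTML-escaped, so it can only ever be text and never markup."""
    try:
        did = int(dealer_id)
    except (TypeError, ValueError):
        return ""
    rows = conn.execute(
        "SELECT name, tier FROM dealers WHERE id = ?", (did,)
    ).fetchall()
    return "".join(
        f"<li>{html.escape(name)} ({html.escape(tier)})</li>" for name, tier in rows
    )


if __name__ == "__main__":
    db = make_db()
    payload = "0 UNION SELECT k, v FROM secrets"  # what an attacker puts in ?dealer_id=
    print("vulnerable, injected:", lookup_vulnerable(db, payload))
    print("hardened,   injected:", repr(lookup_hardened(db, payload)))
    print("vulnerable, dealer 3:", lookup_vulnerable(db, "3"))
    print("hardened,   dealer 3:", lookup_hardened(db, "3"))
```

The injected `UNION` reads the `secrets` table through a page that was only meant to show dealer names, which is why Joe's point about keeping the web server's database expendable matters: once the public site can reach a database, every table in it is in scope. The third dealer shows that escaping belongs at output time, not at input time; the hostile name was stored long before this page rendered it.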
The money you will pay in license fees for SQL Server servicing the internet/new hardware/Server OS and so on is far greater than what you would pay to host it externally.

--
Cris Hanna [SBS - MVP] (since 1997)
Co-Contributor, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
Owner, CPU Services, Belleville, IL
A Microsoft Registered Partner
------------------------------------
MVPs do not work for Microsoft
Please do not submit questions directly to me.

"Scott Rymer" <tsrymer/at/hotmail/dot/com> wrote in message news:eotSDYImKHA.5040@TK2MSFTNGP06.phx.gbl...
> Hosting externally isn't likely an option from a budget perspective...
> but what are some options to get data flowing from my internal SQL
> database to the web server hosted on a 3rd party server?
> [snip]
Fair enough... do you have any documentation that would serve as a starting point for me to investigate how to get data from my internal SQL server to a third party server hosting my data-driven website and vice versa? At some point, we'd be looking at online ordering that would need to integrate with our ERP system... how is this normally done if the external website isn't allowed to talk to the internal database?

"Cris Hanna [SBS - MVP]" <crisnospamhanna@cpunospamservices.net> wrote in message news:OQU7PkVmKHA.2188@TK2MSFTNGP04.phx.gbl...
> The money you will pay in license fees for SQL Server servicing the
> internet/new hardware/Server OS and so on is far greater than what you
> would pay to host it externally.
> [snip]
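Joe's design earlier in the thread (the web server never reaches into the LAN; records are pushed out to it and copied into its own slave database only after verification) and Scott's closing question (how the feed is done when the external site is not allowed to talk to the internal database) come down to the same pattern. The following is an added example of that pattern, not code from the thread or from any poster, in Python with SQLite standing in for the web side's database: the internal side serialises the records and signs them with an HMAC; the web side verifies the signature, checks field names, types and ranges, and only then writes rows with parameterised statements. The shared key, the field list, the sample records and the tampering step are assumptions constructed for the example; a real deployment would carry the signed file over whichever channel was chosen (a scheduled file transfer, a web service call, or encrypted mail as in Joe's case).

```python
"""
Added example: one-directional, file-based feed from the internal SQL server
to the public web server's slave database, verified before anything is loaded.
Key, field list and records are constructed for the example.
"""
import hashlib
import hmac
import json
import sqlite3

# Assumption: a shared secret held by the internal exporter and the web-side
# importer, provisioned out of band. In production it lives in a secrets store
# (or is replaced by a signing key pair), never in a source literal.
FEED_KEY = b"example-only-shared-secret-change-me"

# Only these fields, with these types, are accepted by the importer.
ALLOWED_FIELDS = {"sku": str, "price_cents": int, "description": str}


def export_feed(rows, key=FEED_KEY):
    """Internal side: serialise records canonically and sign the bytes.
    Canonical JSON (sorted keys, no whitespace) means the same records always
    give the same bytes, so the MAC covers exactly what the importer reads."""
    body = json.dumps(rows, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_feed(body, tag, key=FEED_KEY):
    """Web side: refuse anything not signed by the internal exporter, then
    check shape and ranges before any of it touches the slave database."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("feed signature mismatch; refusing to load")
    rows = json.loads(body)
    if not isinstance(rows, list):
        raise ValueError("feed must be a list of records")
    for r in rows:
        if not isinstance(r, dict) or set(r) != set(ALLOWED_FIELDS):
            raise ValueError("record has unexpected fields")
        for field, typ in ALLOWED_FIELDS.items():
            # type() rather than isinstance(): a JSON true/false must not pass
            # where an integer price is expected (bool is a subclass of int).
            if type(r[field]) is not typ:
                raise ValueError(f"field {field!r} has the wrong type")
        if r["price_cents"] < 0 or not (0 < len(r["sku"]) <= 32):
            raise ValueError("record out of range")
    return rows


def load_slave(conn, rows):
    """Copy verified records into the web server's own database. Bound
    parameters mean a hostile string in a field is stored as data and never
    becomes part of the SQL text."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS prices "
        "(sku TEXT PRIMARY KEY, price_cents INTEGER NOT NULL, description TEXT)"
    )
    with conn:
        conn.executemany(
            "INSERT OR REPLACE INTO prices (sku, price_cents, description) VALUES (?, ?, ?)",
            [(r["sku"], r["price_cents"], r["description"]) for r in rows],
        )
    return conn.execute("SELECT COUNT(*) FROM prices").fetchone()[0]


def demo():
    """Run the pipeline end to end on constructed records and return what each
    stage produced."""
    rows = [  # constructed sample records; the second description is hostile
        {"sku": "A100", "price_cents": 1999, "description": "Widget, 10 pack"},
        {"sku": "B200", "price_cents": 4500, "description": "Bracket'; DROP TABLE prices; --"},
    ]
    body, tag = export_feed(rows)

    conn = sqlite3.connect(":memory:")
    loaded = load_slave(conn, verify_feed(body, tag))
    stored = conn.execute("SELECT description FROM prices WHERE sku = ?", ("B200",)).fetchone()[0]

    # Someone alters the file in transit, or on the hosting box, to cut a price.
    tampered = body.replace(b'"price_cents":4500', b'"price_cents":1')
    try:
        verify_feed(tampered, tag)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    return {"loaded": loaded, "stored_description": stored, "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(demo())
```

The signature gives integrity and origin, not secrecy: anyone who can read the file on the hosting box can read the prices. Joe's setup encrypts the records before they leave the office, and if the feed ever carries anything more sensitive than a price list, do the same. The importer's whitelist of fields and types is what keeps Joe's "easy to monitor for stuff that shouldn't be there" true once the feed is automated rather than eyeballed.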