Internet --> Firewall --> Reporting Services --> Firewall --> SQL Server
>>since you may be putting your database at risk.
Not exactly, since RS uses a separate db for itself. The userid/pwds are different so I think your other db's should be okay unless you are using the same userid/pwd for all the dbs.
hth|||Maybe my company and I are a little paranoid about security, but I really consider this to be very bad design. There is no way I would approve such a configuration. I really don't want to allow anonymous users on the internet to access our corporate database server (over http/https or any other protocol) in order to logon and run reports using forms authentication. That's just not wise.
The problem is, to support the configuration in my previous post, it is my understanding you need to purchase 2 SQL servers. We have a 1 processor license of SQL Enterprise which costs $20,000 and can't afford the extra $$$ for another separate license. Plus, it's tough to justify since we would only be using it as a reporting server.
It seems that Microsoft's licensing for Reporting Services forces small companies who can't afford an extra license to compromise on security.|||>>I really don't want to allow anonymous users on the internet to access our corporate database server
Only authorized users are allowed to run the reports. Security is in-built in RS. Also you can use the SSL (which btw comes as a default option when you install RS).
hth|||That's my point. They must logon to RS via either Windows auth or Forms auth, right? We need to use forms authentication to integrate with our web application. Maybe I'm wrong, but using Forms authentication, users will initially hit the RS server as anonymous to login, then be redirected to a logon page. Correct? If it is, you are allowing anonymous http access to your database server. This could lead to a potential security risk since it may provide an avenue of opportunity for a hacker to expose. That's why most organizations implement DMZs which typically only include low risk web/dns servers. All high risk servers such as database, directory and infrastructure servers sit behind the DMZ protected by a 2nd firewall. Publishing a single RS server for internet access via http/s is like putting your corporate database in the DMZ.|||I was looking into the same issues about 12 months ago but the Licencing is just unworkable for a small company. We can't justify even one enterprise licence let alone two, which means we can't use forms authentication because the security API only comes with the enterprise edition. As we could only budget for a standard edition (at the time we were using msde) we had to walk away from RS and use Crystal with msde which turned out to be a lot cheaper and the functionality is essentially the same.
Ryan|||I may be wrong, but why not purchase Windows SBS 2003 Premium which includes SQL Server 2000 Standard without limitation on unauthenticated connections and stick it behind a firewall and use another system as the web server?
You would get the benefit of using SQL Server 2000 and RS with minimal costs and better security, imo.|||The security API only comes with the Enterprise edition and it is the only way you can use RS with forms or custom authentication. Standard edition has to use Windows Authentication.|||I wonder if they will change this in Yukon...|||I have been told that there are no plans on changing the licencing.|||You can use the Reporting Services Web Service interface to integrate RS into your (web)application. This way, you can put RS safely behind your second firewall.
I'm currently researching this technique and I'm planning to use it in my web applications.
See Integrating Reporting Services into Applications at MSDN for more info.
|||The problem with a web service is that it greatly reduces the functionality of the report. In fact all it returns is a snapshot of the report.|||Yep, I took a shot at writing a proxy that marshaled all the calls from the internet to the web service (behind the 2nd firewall). It started to get really ugly if you want to support drilldown and image links in your reports...you have to re-write all the urls/links to refer to the proxy. Then the proxy redirects to the web service etc...after a few days it became apparent that it was going to be a lot of work...so, I've tabled it for now...|||From my experience, RS is not a very good option for BI reports. You'd be a heck of a lot better off going with an actual BI suite to do what you are looking for. RS (especially through the web) is very good for giving you something that the end user cannot change the specs for (we use it for letters we send to customers in our database). Security isn't that extremely horrible through the web, I have a custom made form that I use for my own login purposes, have the person in charge of the reports log in through SSL, then, and only then, I allow them to see the report through a form where I pass the encrypted login/password for the reporting services automatically behind the scenes.
If you are looking for a good BI suite, there are a number of them out there that will allow you to securely connect to a database for drilldown/etc reports. The one that we use here where I work is called Hummingbird BI/Broker, and it has just about anything you could need BI-wise through the web.|||
brianp:
Yep, I took a shot at writing a proxy that marshaled all the calls from the internet to the web service (behind the 2nd firewall).
I am new to SSRS.
I'd like to ask a silly question.
Is it possible to close SSRS from external connections, make it visible only to server-side ASP.NET, which would provide reporting on requests, and thereafter have authentication by IIS (of asp.net app)?
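
The link rewriting that the proxy post above describes, as an added example that is not part of the thread: report HTML fetched from a report server behind the second firewall has its drilldown and image URLs pointed at the published proxy, and each rewritten link is HMAC-signed so the proxy only forwards targets it issued itself. The host names, the `rsproxy` path and the key are hypothetical.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import quote, urljoin, urlsplit

# Hypothetical values for this sketch; none come from the thread.
INTERNAL_BASE = "http://rs-internal.example/ReportServer"  # behind 2nd firewall
PROXY_BASE = "https://reports.example.com/rsproxy"         # published proxy
LINK_KEY = b"constructed-demo-key"                         # per-deployment secret

ATTR = re.compile(r"""\b(?P<attr>href|src)=(?P<q>["'])(?P<url>.*?)(?P=q)""", re.I | re.S)


def sign(target: str) -> str:
    return hmac.new(LINK_KEY, target.encode(), hashlib.sha256).hexdigest()


def is_internal(url: str) -> bool:
    """True only for URLs on the report server, under its base path."""
    base, u = urlsplit(INTERNAL_BASE), urlsplit(url)
    same_host = (u.scheme, u.netloc.lower()) == (base.scheme, base.netloc.lower())
    under_base = u.path == base.path or u.path.startswith(base.path + "/")
    return same_host and under_base and ".." not in u.path.split("/")


def rewrite_report_html(page: str) -> str:
    """Point every link or image that targets the report server at the proxy."""
    def repl(m):
        target = urljoin(INTERNAL_BASE, html.unescape(m.group("url")))
        if not is_internal(target):
            return m.group(0)  # external link: leave untouched
        link = f"{PROXY_BASE}?t={quote(target, safe='')}&sig={sign(target)}"
        return f"{m.group('attr')}={m.group('q')}{html.escape(link)}{m.group('q')}"
    return ATTR.sub(repl, page)


def resolve_proxy_target(t: str, sig: str) -> str:
    """Proxy side: t and sig are the already-decoded query values.
    Returns the internal URL to fetch, or raises if the link was not issued here."""
    if not hmac.compare_digest(sign(t).encode(), sig.encode()):
        raise PermissionError("bad signature")
    if not is_internal(t):
        raise PermissionError("target outside report server")
    return t
```

The proxy would call `resolve_proxy_target` only after the web application has authenticated the user, so the report server itself never receives an anonymous request.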