Hi,

I have installed LimeSurvey CE Version 3.15.5+181115 on a RHEL 7 VM. This VM is in not in the DMZ but behind a firewall, which severely limits functionality.

www.limesurvey.org/forum/installation-a-...leting-admin-details

I need to get the VM into the DMZ and point the front end to a backend behind the firewall. Has anyone had experience in doing this? I have glanced through the manual and forum but can't find any details about whether this can be done.

Any feedback would be greatly appreciated.

Thanks Simon

By backend : you mean the database ?

If yes : put limesurvey in DMZ and just use the DB server IP in configuration, and be sure your dmz can access this DB with this IP.

well it's not a LS problem, but rather a network configuration problem.

@DenisChenu you are right I did mean the database.

@LouisGac, yes it is a network configuration problem and an what I would presume would be a common problem for business. The fundamental issue here is LimeSurvey does not have full functionality unless exposed to the Internet [1], i.e. it needs to be in the DMZ, while it is deemed inappropriate to store some types of data in an area where it is deemed not to be fully secure. So the recommendations by the Enterprise Architects and Security Teams is host LimeSurvey, the 'front-end', in the DMZ and point it to a secured database behind a firewall (the back-end').

The only reason I asked about this is I could not find any guidance in the manual or forums, and the teams setting up the servers and database indicated that not all packages can point to a database hosted on a separate server -- so I thought I would ask.

After a bit of looking around I found the connection strings in the config file and could see how they could be adjusted to point to a remote server. Thanks for your feedback.

[1] Things I found that will not work properly are - (a) ComfortUpdate will not work; (b) Emails will not work so administrators are harder to add; (c) you can't survey people outside your network.

SimonCropper wrote: [1] Things I found that will not work properly are - (a) ComfortUpdate will not work; (b) Emails will not work so administrators are harder to add; (c) you can't survey people outside your network.

Do you want to use these functions?
I personally don't like the concept, that comfortupdate is connecting to the external server when logging in as a user. That is causing issues very often. The connection parts are often laggy (same issues when you let emails sent when a survey is submitted and the mailserver connection has a issue. Than the submission of an interviews is not directly finished.

To separate database from webapplication and place them in different networkzones is unrelated to certain functions. For comfortupdate and emailtransport you wouldn't need to place LimeSurvey in a DMZ. The DMZ is recommend (not needed), when you want externals to access the LimeSurvey application from the internet. As long as a connection string is on webserver inside the DMZ, a hacker could reach the database via a hack of the LimeSurvey server inside the DMZ.

WAN <-Packetfilter-> DMZ <Packetfilter> LAN
WAN <-Packetfilter-> LAN

The attack vector is getting credentials. If the hacker is in the DMZ, grabbing credentials from users or database connections will be enough to create a full database dump easily. No matter where the database is placed.

I already have a lot of instance wher DB is set in a internal server …

It's jjst a config issue : work if Web server have access to 192.168.0.12 … db