Setup database on remote server behind a firewall

More
11 months 2 weeks ago #178601 by SimonCropper
Hi,

I have installed LimeSurvey CE Version 3.15.5+181115 on a RHEL 7 VM. This VM is in not in the DMZ but behind a firewall, which severely limits functionality.

https://www.limesurvey.org/forum/installation-a-update-issues/117247-delays-in-entering-admin-area-after-completing-admin-details

I need to get the VM into the DMZ and point the front end to a backend behind the firewall. Has anyone had experience in doing this? I have glanced through the manual and forum but can't find any details about whether this can be done.

Any feedback would be greatly appreciated.

Thanks Simon

Cheers Simon

Please Log in or Create an account to join the conversation.

LimeSurvey Partners
More
11 months 2 weeks ago #178606 by DenisChenu
By backend : you mean the database ?

If yes : put limesurvey in DMZ and just use the DB server IP in configuration, and be sure your dmz can access this DB with this IP.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
An error happen ? Before make a new topic : remind the Debug mode .

Please Log in or Create an account to join the conversation.

More
11 months 2 weeks ago #178615 by LouisGac
well it's not a LS problem, but rather a network configuration problem.
The following user(s) said Thank You: DenisChenu

Please Log in or Create an account to join the conversation.

More
11 months 2 weeks ago - 11 months 2 weeks ago #178676 by SimonCropper
@DenisChenu you are right I did mean the database.

@LouisGac, yes it is a network configuration problem and an what I would presume would be a common problem for business. The fundamental issue here is LimeSurvey does not have full functionality unless exposed to the Internet [1], i.e. it needs to be in the DMZ, while it is deemed inappropriate to store some types of data in an area where it is deemed not to be fully secure. So the recommendations by the Enterprise Architects and Security Teams is host LimeSurvey, the 'front-end', in the DMZ and point it to a secured database behind a firewall (the back-end').

The only reason I asked about this is I could not find any guidance in the manual or forums, and the teams setting up the servers and database indicated that not all packages can point to a database hosted on a separate server -- so I thought I would ask.

After a bit of looking around I found the connection strings in the config file and could see how they could be adjusted to point to a remote server. Thanks for your feedback.

[1] Things I found that will not work properly are - (a) ComfortUpdate will not work; (b) Emails will not work so administrators are harder to add; (c) you can't survey people outside your network.

Cheers Simon
Last edit: 11 months 2 weeks ago by SimonCropper. Reason: Clarification of statement

Please Log in or Create an account to join the conversation.

More
11 months 2 weeks ago #178678 by jelo

SimonCropper wrote: [1] Things I found that will not work properly are - (a) ComfortUpdate will not work; (b) Emails will not work so administrators are harder to add; (c) you can't survey people outside your network.

Do you want to use these functions?
I personally don't like the concept, that comfortupdate is connecting to the external server when logging in as a user. That is causing issues very often. The connection parts are often laggy (same issues when you let emails sent when a survey is submitted and the mailserver connection has a issue. Than the submission of an interviews is not directly finished.

To separate database from webapplication and place them in different networkzones is unrelated to certain functions. For comfortupdate and emailtransport you wouldn't need to place LimeSurvey in a DMZ. The DMZ is recommend (not needed), when you want externals to access the LimeSurvey application from the internet. As long as a connection string is on webserver inside the DMZ, a hacker could reach the database via a hack of the LimeSurvey server inside the DMZ.

WAN <-Packetfilter-> DMZ <Packetfilter> LAN
WAN <-Packetfilter-> LAN

The attack vector is getting credentials. If the hacker is in the DMZ, grabbing credentials from users or database connections will be enough to create a full database dump easily. No matter where the database is placed.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The following user(s) said Thank You: DenisChenu

Please Log in or Create an account to join the conversation.

More
11 months 2 weeks ago #178684 by DenisChenu
I already have a lot of instance wher DB is set in a internal server …

It's jjst a config issue :
mysql:host=192.168.0.12;port=3306;dbname=ls_master;
work if Web server have access to 192.168.0.12 … db

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
An error happen ? Before make a new topic : remind the Debug mode .

Please Log in or Create an account to join the conversation.

Start now!

Just create your account and start using Limesurvey today.

Register now
Join our Newsletter!