You are viewing limited content. For full access, please sign in.

Question

Question

DMZ Forms whitepaper seems to be inaccurate?

Laserfiche Forms
Updated November 18, 2019
asked on July 4, 2018

We are reading the Hosting Laserfiche Forms 10 In A Perimeter Network (DMZ) whitepaper.

Our configuration is "Two Forms Servers, One SQL Server". One of the Forms Servers is on the DMZ and is set up as the Forms Portal.

The whitepaper on page 4 has the following sentence (highlighted):

This doesn't seem to make sense. How would a DMZ Forms server work if it is pointed to an STS on the internal network? A user connecting to Forms from the Internet would have their browser redirected to the STS login page, but if that page is located on the internal server, the user wouldn't be able to reach that page (since they are external). This is why we have an STS installed on the DMZ server, i.e. https://www.domain.com/lfdssts that Forms is using.

The reason I'm bringing this up is because the rest of the whitepaper seems to make this assumption in several places (that Forms will be using an internal STS page) and so the instructions are inaccurate/incorrect. For example, on page 8, this step (highlighted) won't work:

We actually confirmed this: when we change the issuer to the internal STS page, the browser complains that it can't reach that page (obviously).

1 0

Replies

replied on July 9, 2018

The white paper related to Laserfiche Directory Server was not updated after Laserfiche Directory Server added the support for installing Directory Server STS on separate machine in the DMZ, I will ask UE to update that. And if you install STS in the DMZ and Directory Server in the internal, you can refer to https://www.laserfiche.com/support/webhelp/Laserfiche/10/en-US/administration/#../Subsystems/LFDS/Content/separate-sts.htm how to configure Forms.

1 0
replied on July 13, 2018

Hi Ege, 

We've updated the paper to describe two additional configuration scenarios that involve a separate STS in the DMZ.

1 0
View 7 previous replies
replied on October 29, 2019 Show version history

I still don't know if this is correct in the updated white paper. In the Two Forms Servers with Two STS Instances, step 5 says to log into FormsConfig on the DMZ Forms server and on the User Authentication tab set the Directory Server STS URL to the address of the LFDS STS in the DMZ. That setting makes it so all internal traffic is now getting redirected to the DMZ STS instead of the internal STS.

0 0
replied on October 31, 2019

It is indeed incorrect, you should modify the web.config in the DMZ Forms Server to configure it to use the STS in the DMZ:

 a.Locate the wsFederation node. It should begin with the string <wsFederation persistentCookiesOnPassiveRedirects=.  

b. In the wsFederation node, change the realm and reply attributes to the address of the DMZ Forms server.

c. In the same node, change the issuer variable to the location of the Laserfiche Directory Server STS in the DMZ network. 

I will ask UE to update it.

1 0
replied on October 31, 2019

So step 9 b-d are the same, but we should not be doing step 5 c?

0 0
replied on November 1, 2019

Yes, the b,c step for step 5 are extra steps that are not necessary. 

1 0
replied on November 1, 2019

Please let me know when the white papers have been updated.

1 0
replied on November 11, 2019

Hi Blake, the white paper has been updated.

1 0
replied on November 15, 2019

It appears that new steps have been added under the 'Two Forms Servers with Two STS Instances' section and the 'To configure the internal Forms server' subsection step #6 & 7. I am unable to find the path specified in step #6.

0 0
replied on November 18, 2019

Did you install Laserfiche Notification Service on the internal Forms server? The file is located in following place by default.

0 0
replied on November 18, 2019

I must have not been looking in the x86 location. Found it now. Why were these steps added?

0 0
replied on November 18, 2019

We added these steps in order to make the real-time updates on the Tasks page works. The security mode settings between the Notification Service and Forms Routing Service must match in order to make it work.

1 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...