This is correct. You simply update the LFDSSTS redirect link for the DMZ Forms instance to use the public STS URL, either via /FormsConfig (before you disable the Forms Routing Service) or in the DMZ Forms IIS web app web.config file.

Will this work if their DMZ server is not on the Domain.

I am sure it will, but wanted to check.

Thanks,

Jeff Curtis

Yes, our DMZ server is not on the domain, so it is certainly possible.

Did you just need to open up the FW for LFDS then?

Thanks,

Jeff

Hi Jeff,

I'd have to defer to someone else on the finer details. Our engineering team did all the server/network configuration so I'm not sure about those aspects.

The DMZ STS instance doesn't need to be on a domain-joined machine. However, if it's not, you must configure LFDS to enable and the DMZ STS to use the "alternative service", aka certificate authentication, because the AD-mediated mechanism STS and LFDS normally use for service message authentication and encryption is unavailable in that scenario. The DMZ STS instance must be able communicate with the LFDS service on TCP 5048 & 5049.

Set it up per the instructions here under Configuring Applications in a DMZ Environment: Configuring the Security Token Service On A Separate Machine for Single Sign-on

DO NOT UNDER ANY* CIRCUMSTANCES OPEN A FIREWALL TO ALLOW A PUBLIC ROUTE TO YOUR INTERNAL LFDS INSTANCE.

*Unless you fully understand the security risks and threat model involved, know exactly what you are doing, and the network route involves reverse proxies and in-line security appliances with path-based routing rules that only allow traffic to /LFDSSTS endpoints over TCP 443 and not /LFDS ones, or equivalent. 

Hey Sam,

Thanks

What do you suggest as the best setup for a customer to be able to mark a form public?

Seems there is something missing here and I am not sure what. 

I would think if a customer purchased a portal license which is installed on the DMZ server, and you setup their environment for two forms servers (Internal/DMZ), one SQL server, that the customer would have a way to build the form internally and then mark it public for the consumer to use, without having to connect to the DMZ server, to switch the form to Public.

Appreciate your feedback,

Jeff Curtis

Hey Jeff,

In the "Two Forms Serers, One SQL Server" setup the instances share a database. All you have to do is set the Access Rights for the Starting Form to "Public" (from either instance) - doesn't matter which instance you set the access rights from because they're referencing the same Forms database.

Hi Sam/Jeff,

Just to clarify, even if the instances are both pointing at the same database, the option to toggle between Public and Restricted will only be available when you're logged into the instance with the Public Portal license.

Hello Jason/Sam,

Sam- What you are saying seems be true. If we want the Form marked public, should we be doing these installs where we license the internal Forms server with the Portal license, and then install Forms Professional on the DMZ server and make the necessary configuration changes to the Forms install on the DMZ Server, per the "Two Forms Server, One SQL DB" process outlined in the Whitepaper.  That we the customer still logs into internal forms, creates the form, marks it public and then it can be used per the DMZ forms setup??

Appreciate the feedback,

Jeff Curtis