Question

Forms Portal in DMZ to the Forms Internal

asked on April 20, 2016

I have read a lot on this but nowhere did I find a detailed write-up on how to do this so if anyone could explain that would be great. I have an external form, and after it is submitted it needs to continue "Internally". I found at the end of this thread: https://answers.laserfiche.com/questions/93786/Forms-Portal-access-to-Active-Directory

Ling talked about changing the web.config which is great, but how are the other components set up?

I'm wondering the following:

1. At setup, how do I configure the DMZ Forms Portal - I know I point to the primary forms server, but do I configure the rest of the settings? (Currently getting access denied errors on 'User authentication' tab) If I disable the Forms Routing Service on the DMZ as Ling says to, I get a proxy error. Do I configure first then disable the service?

2. The DMZ would host the Business Process, would it just host the Form and not have any steps involved in the Process designer?

3. The Internal Forms server - would I need to host a copy of the Business Process there? How will the Process Designer steps get started?

 

Any help would be appreciated. The Form was designed internally and uses AD users and such, so it's essential to have the DMZ Forms Portal only collect the external Forms and then let the Internal Forms server handle the rest after submission. 

 

0 0

Replies

replied on April 20, 2016

You can always have Forms internally, and open a port to allow outside connection to it.

0 0
replied on April 20, 2016

Shaun,

The safest way to configure this is to have Forms Portal installed inside the network and have a reverse proxy IIS server on the DMZ that acts as a bridge between the external users and the Forms Server. Simon Verrault has an excellent walkthrough here. It is for Web Access, but it should be easy enough to re-purpose for Forms.

The other option, which is more complex and risky, is to have two Forms Servers, one on the DMZ and one inside the network, and have them share the same database. The reason this is more complex and risky is that you'll need several firewall rules to make sure the Forms Server on the DMZ can talk to the Laserfiche Server, the License Manager, and the database server. Most competent IT people will give you a lot of pushback when you suggest this because it's against best practices to have DMZ services access assets inside the network. The reverse proxy approach is both very clean and virtually risk-free (or at least as risk-free as it can get with anything involving the Internet).

0 0
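
The reverse-proxy layout recommended in the reply above, sketched as a site-level `web.config` for the DMZ IIS server (an added example, not part of the thread or of the walkthrough it mentions). It assumes the URL Rewrite and Application Request Routing modules are installed with ARR's proxy feature enabled; the host name `forms-internal.example.local` and the `/Forms` application path are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example for the DMZ reverse proxy site. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Forward only the Forms application path, and only over HTTPS,
             to the internal Forms server (placeholder host name). -->
        <rule name="ProxyFormsOnly" stopProcessing="true">
          <match url="^Forms(/.*)?$" />
          <conditions>
            <add input="{HTTPS}" pattern="^on$" />
          </conditions>
          <action type="Rewrite"
                  url="https://forms-internal.example.local/Forms{R:1}" />
        </rule>
        <!-- Any other path is answered by the DMZ server itself and is
             never passed to the internal network. -->
        <rule name="DenyEverythingElse" stopProcessing="true">
          <match url=".*" />
          <action type="CustomResponse" statusCode="404"
                  statusReason="Not Found"
                  statusDescription="Not Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With this layout the only firewall rule from the DMZ inward is HTTPS to the internal Forms web server; the DMZ host needs no path to the database server, the Laserfiche Server or the License Manager.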
replied on April 25, 2016

Thanks guys. I would like to keep as many ports closed on the internal server as possible, so if I go with the risky option, I wouldn't have to have external users working on the internal server. 

When I installed Forms Portal on the DMZ, I had to get some ports opened for Forms Config to see the Forms SQL database, so that's open. This DMZ already has Weblink so it already talks to the LF Server. 

My question is, if I go with the risky option (Forms Portal on DMZ, Forms Server on internal LF Server, both using same Database), how is that configured? As mentioned previously, there are no real written-out steps for this. I saw that you need to disable the Forms Routing service on the DMZ and in config you need to point to the main Forms server (internal), and also change the web.config on the DMZ to point to the internal server. After a form submission to the Forms Portal, will the internal Forms server pick up the form submission and start the first item in the Business Process? Will it act as though someone submitted the form internally on the internal form server?

 

Ultimately the reverse proxy option is the best, but I believe I'm over my head with Simon's article. 

 

I find it hard to believe that nobody else out there hasn't done this with Forms Portal yet...or at least hasn't shared that they have. 

0 0
replied on April 25, 2016

We have a client using Forms Portal on the DMZ and another Forms Server inside the network. Both Forms Routing Services are running. It works exactly as you describe: when an external user submits a form, it's routed to an internal user in a (mostly) seamless manner. It took a lot of fiddling and trial-and-error though.

You're right that the documentation on this is non-existent and it's very frustrating. Laserfiche really needs to publish some whitepapers describing their software configurations in enterprise scenarios. Expecting people to figure it out on their own is crazy, especially since the software is getting more complex with more moving parts with every release.

0 0
replied on April 25, 2016

I am glad to hear you have implemented this already, gives me hope that this can be done. Would it be too much to ask for you to list the steps involved? Did you document this at the time? I know there will be others that will benefit from your response if you do. 

Thanks Ege,

Shaun

0 0
replied on April 28, 2016

Hi Shaun,

To answer your initial questions:

  1. You have to first open the appropriate ports (SQL Server, Laserfiche Server, Forms routing service), configure the DMZ Formsconfig; then disable DMZ Forms Routing Service.
  2. If you meant whether the user on DMZ Forms can see process diagrams, yes. Since you’re opening a port to the SQL Server, your DMZ Forms will also have access to the internal Forms database which stores business process diagrams.
  3. No, since your DMZ Forms Server has access to the SQL Server, it can access the business process directly.

 

For further configuration details, please see the white paper "Hosting Laserfiche Forms 10 in A Perimeter Network (DMZ)" here:

 https://support.laserfiche.com/GetFileRepositoryEntry.aspx?id=3481&mode=download

Thanks

0 0
replied on April 28, 2016

Is disabling the DMZ Forms Routing Service a strict requirement? One of our clients has it enabled (along with the internal Routing Service) and as far as we can tell, it hasn't been causing problems (they don't use Windows authentication).

Also, how much of that white paper applies to 9.2.1? I know that a few of the services mentioned don't exist in 9.2.1 but is there anything other than that?

0 0
replied on April 28, 2016

It's not strictly required but it's good practice.  What matters more is what your DMZ Forms web.config's endpoints are pointing at.  

White paper is applicable to 9.2.1

0 0
replied on April 28, 2016

I guess my question is: what happens if we don't change the web.config file and simply let both Forms Routing services run?

0 0
replied on April 29, 2016

If you have both routing services running, you could have issues with the timer events. Thus we do not support multiple routing engines.

0 0
replied on December 21, 2016

Is this paper still available? I click on the link and it brings me to a page without another link or the white paper download.

replied on May 3, 2016

Thank you Ling for creating the whitepaper, I'm sure it will help a lot of people. At a quick glance it looks great and to the point. I will give it a try and see how things go. Thanks again, and thank you Ege for your help as well. Hopefully I can finalize this project. 

0 0
replied on May 3, 2016

Hi Shaun, it is our User Education who created the white paper.  I'm glad it's helpful.  

0 0
replied on February 21, 2018

We have a Form to be used in the Laserfiche app on phones and tablets which requires access from outside. Should we place the Laserfiche Mobile server 10.3 in the DMZ to point to the internal forms server? The app is able to log on to the forms but is still receiving network errors. Could this be an issue of reverse lookup, and how to apply this to the endpoint addresses? The whitepaper only refers to the Forms server being in the DMZ and using two, one internal, one in DMZ. No references made to the mobile server. Is this an atypical scenario?

0 0