Question

We have an intranet asp.net web application which uses the OOTB ASP.net membership and role providers.

Now we are planning to expose the application to the internet by moving the web server to the DMZ, as represented in the following (crappy) text diagram

             External                    Internal     
internet --- Firewall --- Web server --- Firewall --- App Server --- Database

                             DMZ                              Intranet

Now the problem is that the asp.net membership and role providers on the web server can't connect to the SQL server because of the internal firewall.

Have you ever faced such a scenario before? Would you recommend opening up ports in the internal firewall so that the web server can directly connect to the SQL server? What other alternatives do I have (other than writing a custom provider myself)?

Solution

Changing your DMZ policy and opening ports is usually REALLY hard. You might have better success doing what I did: expose a WCF service inside the network and communicate with it over HTTP on port 80.

Zero friction with the LAN folks, and I just mimic the same exact (though crappy) API that .NET gives us :)

Edit: to clarify, this means I have a RemoteRoleProvider that is configured like this:

<roleManager enabled="true" defaultProvider="RemoteRoleProvider">
   <providers>
      <add name="RemoteRoleProvider" type="MyCorp.RemoteRoleProvider, MyCorp" serviceUrl="http://some_internal_url/RoleProviderService.svc" />
   </providers>
</roleManager>
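The answer shows the configuration but not the provider itself. The following is an added example, not the answerer's code, of what a RemoteRoleProvider matching that configuration could look like: a read-only RoleProvider that forwards every lookup to an intranet WCF service over plain HTTP. The type name and the serviceUrl attribute are taken from the config above; the service contract (IRoleProviderService and its operations) is assumed for the example, since the answer does not show it.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration.Provider;
using System.ServiceModel;
using System.Web.Security;

// Assumed contract of the intranet WCF service. The name and operations are
// this example's own choice; the original answer does not show its contract.
[ServiceContract]
public interface IRoleProviderService
{
    [OperationContract] string[] GetRolesForUser(string username);
    [OperationContract] bool IsUserInRole(string username, string roleName);
    [OperationContract] bool RoleExists(string roleName);
    [OperationContract] string[] GetAllRoles();
    [OperationContract] string[] GetUsersInRole(string roleName);
    [OperationContract] string[] FindUsersInRole(string roleName, string usernameToMatch);
}

// Read-only RoleProvider: every lookup is forwarded to the intranet service,
// so the DMZ web server never needs a SQL connection through the inner firewall.
public class RemoteRoleProvider : RoleProvider
{
    private ChannelFactory<IRoleProviderService> _factory;
    private string _applicationName;

    public override string ApplicationName
    {
        get { return _applicationName; }
        set { _applicationName = value; }
    }

    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        if (string.IsNullOrEmpty(name)) name = "RemoteRoleProvider";
        base.Initialize(name, config);

        // serviceUrl is the attribute on the <add .../> element in web.config.
        string serviceUrl = config["serviceUrl"];
        if (string.IsNullOrEmpty(serviceUrl))
            throw new ProviderException("RemoteRoleProvider requires a serviceUrl attribute.");
        _applicationName = config["applicationName"] ?? "/";

        // HTTP on port 80, as in the answer. The inner firewall rule should allow
        // only the DMZ web server to reach this endpoint.
        _factory = new ChannelFactory<IRoleProviderService>(
            new BasicHttpBinding(), new EndpointAddress(serviceUrl));
    }

    // One channel per call; Abort() on failure so a faulted channel is never reused.
    private T Call<T>(Func<IRoleProviderService, T> op)
    {
        IRoleProviderService channel = _factory.CreateChannel();
        var comm = (ICommunicationObject)channel;
        try
        {
            T result = op(channel);
            comm.Close();
            return result;
        }
        catch
        {
            comm.Abort();
            throw; // fail closed: a transport error must never read as "authorized"
        }
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(roleName)) return false;
        return Call(s => s.IsUserInRole(username, roleName));
    }

    public override string[] GetRolesForUser(string username)
    {
        if (string.IsNullOrEmpty(username)) return new string[0];
        return Call(s => s.GetRolesForUser(username)) ?? new string[0];
    }

    public override bool RoleExists(string roleName) { return Call(s => s.RoleExists(roleName)); }
    public override string[] GetAllRoles() { return Call(s => s.GetAllRoles()) ?? new string[0]; }
    public override string[] GetUsersInRole(string roleName)
    { return Call(s => s.GetUsersInRole(roleName)) ?? new string[0]; }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    { return Call(s => s.FindUsersInRole(roleName, usernameToMatch)) ?? new string[0]; }

    // The DMZ box only needs to read roles. Refusing writes here keeps the
    // surface exposed through the inner firewall to exactly what the web
    // server requires; role administration stays on the intranet.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}
```

Two design points worth carrying over if you build this for real: the provider rethrows on any service failure rather than returning a default, so an outage of the intranet service denies access instead of silently granting it; and because anything that can reach port 80 on the internal service can query role membership, that service should authenticate the DMZ web server (Windows credentials on the binding, or transport security) rather than rely on the firewall rule alone.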

OTHER TIPS

We have a couple of Internet-facing web servers in a DMZ and had to open tunnels in our firewall back to the SQL server in our private network that they need to interact with. I think we used something other than port 1433 for the SQL connections. So far it's worked pretty well, i.e. no security breaches.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow