BlueCielo TeamWork 2012 Administrator's Guide | BlueCielo ECM Solutions


Allowing Web Access through a firewall

If Web Access will only be used on your organization’s intranet, no special configuration is necessary. Web Access is as secure as any other IIS website. But if you want to allow access from outside the organization for remote users, contractors, vendors, or other business partners, your network will need to be configured to allow access through one or more firewalls to the Web Access server. A description of this configuration follows and is illustrated in the following figure with example IP addresses:

This configuration is necessary because the TeamWork application server communicates with Web Access running on the IIS server via the DCOM protocol. Web Access always starts a DCOM session with a request to TCP port 135 (the RPC endpoint mapper) of the TeamWork application server. If a response is received, DCOM handles the further communication itself and negotiates which port from its dynamic range will be used for it. The TeamWork application server must be reachable from the IIS server on its own real IP address: DCOM carries addresses and port numbers inside its own payload, so it does not work through Network Address Translation (NAT).

To allow Web Access through a firewall:

  1. Install TeamWork and Web Access on their respective computers as described in Installing TeamWork.
  2. By default, DCOM communicates over a very wide port range (1024 to 6500). Use the DCOMCNFG tool (Component Services) on the TeamWork application server to open the properties of the computer. On the Default Protocols tab, select the Connection-oriented TCP/IP protocol and restrict the range of TCP port numbers it is able to use to, for example, 5000–6000. It is essential that DCOM runs over TCP/IP only: if possible, delete all other protocols except TCP/IP if you are not using them. The new range takes effect only after the server is restarted. If you only have a restricted number of ports to use, refer to the Microsoft MSDN site for the current recommendation for the minimum number of ports to allocate.
  3. Configure the TeamWork IIS applications (created by Web Access installation) of the default website to enable SSL.

    Note    If the Windows firewall is used, enable the predefined rules World Wide Web Services (HTTP Traffic-In) and World Wide Web Services (HTTPS Traffic-In) in Windows Firewall with Advanced Security. If the site is to be reached over SSL only, enabling the HTTPS rule is sufficient.

  4. In the example configuration shown in the preceding figure, a small modification is necessary in the Windows routing table. The default gateway is 192.168.1.1, so the 192.168.2.0 subnet can normally never be reached. This could be solved with two network cards, but it can also be solved by adding a persistent explicit route (192.168.1.3 being the firewall interface that leads to the 192.168.2.0 subnet), as shown in the following example:

    route -p add 192.168.2.0 mask 255.255.255.0 192.168.1.3

    Note    If errors occur from mtx.exe, the TeamWork website has been configured to run in a separate memory space (an isolated process), which is not allowed.

  5. Configure the firewall between the TeamWork server and the IIS server to allow communications within the port range specified in step 2. Following are example lines to add to an /etc/ipf.rules file. Note that in IPFilter a rule without the quick keyword can be overridden by a later matching rule, so the block rule that caps the range must be marked quick; otherwise the pass rule for ports above 5000 would also let ports above 6000 through:
# DCOM connection from Web Access to EDM Server (RPC endpoint mapper)
pass in quick on ed0 proto tcp from any port > 1023 to any port = 135 flags S keep state keep frags
# DCOM connection from EDM Server to Web Access: only the restricted range from step 2
block in quick on ed0 proto tcp from any port > 1023 to any port > 6000 flags S keep state keep frags
pass in quick on ed0 proto tcp from any port > 1023 to any port > 5000 flags S keep state keep frags

Note    If the Windows firewall is used, add an inbound exception rule in Windows Firewall with Advanced Security for the TeamWork executable AMEDMW.exe, so that the endpoint mapper and the negotiated DCOM port can be reached.

  6. When the firewall has been configured and the connection between the IIS and TeamWork servers is working properly, publish a TeamWork vault as described in Creating a Web Access location.
  7. The last step is to create a simple port mapping on the firewall between the LAN and the DMZ so that the IIS server on the private LAN can be reached via the Internet using a real IP address.

On the firewall computer, edit the /etc/ipnat.rules file as below:

#test web client
bimap fxp1 192.168.1.240/32 -> x.x.x.x/32

(x.x.x.x = the public Internet address under which Web Access is to be reached)

Also edit the /etc/ipf.rules file as shown below:

# test web client: only HTTP and HTTPS to the IIS server are mapped; the DCOM ports are never exposed
pass in quick on fxp1 proto tcp from any port > 1023 to 192.168.1.240/32 port = 80 flags S keep state keep frags
# omit the port 80 rule if the site is to be reached over SSL only
pass in quick on fxp1 proto tcp from any port > 1023 to 192.168.1.240/32 port = 443 flags S keep state keep frags

Web Access is now accessible securely via the Internet over the mapped address, while the TeamWork application server itself remains reachable only from the IIS server on port 135 and the restricted DCOM port range.

Bear in mind that the preceding steps relate to this configuration scenario only. However, the technique is the same for all configurations: restrict DCOM to a fixed TCP port range, open only port 135 and that range between the IIS server and the TeamWork application server, and expose nothing but the web ports of the IIS server to the Internet. More information regarding configuring DCOM and firewalls can be found at www.microsoft.com/com/wpaper/dcomfw.asp.
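The following PowerShell script is an added example and is not part of the BlueCielo documentation or the TeamWork product. It performs the Windows-side part of steps 2, 3 and 5 without the DCOMCNFG and firewall GUIs, and then checks from the IIS server that DCOM actually stays inside the restricted range. The registry values it writes are the ones DCOMCNFG writes for the Connection-oriented TCP/IP protocol (documented by Microsoft in KB 154596). The port range 5000-6000, the application server address 192.168.2.10 and the AMEDMW.exe path are assumptions for the example; the predefined firewall rule names and the cmdlets require Windows Server 2012 or later.

```powershell
# Added example (not BlueCielo's code). Run as Administrator.
# Assumed values: adjust to your own figure/network.
$PortRange = '5000-6000'                                  # assumed restricted DCOM range (step 2)
$AppServer = '192.168.2.10'                               # assumed TeamWork application server address
$Amedmw    = 'C:\Program Files\BlueCielo\TeamWork\AMEDMW.exe'  # assumed install path
$RpcKey    = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-DcomPortRange {
    # Step 2: restrict RPC/DCOM dynamic ports. Same values DCOMCNFG stores; a reboot is needed to apply.
    param([string]$Range = $PortRange)
    New-Item -Path $RpcKey -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
    Write-Host "RPC dynamic ports restricted to $Range; restart the server before testing."
}

function Test-DcomPortRange {
    # Reads the range back; throws if the restriction is not enabled, warns if it looks very small.
    $p = Get-ItemProperty -Path $RpcKey -ErrorAction Stop
    if ($p.UseInternetPorts -ne 'Y' -or $p.PortsInternetAvailable -ne 'Y') {
        throw 'RPC port restriction is not enabled in the registry'
    }
    $lo, $hi = ($p.Ports[0] -split '-') | ForEach-Object { [int]$_ }
    if (($hi - $lo + 1) -lt 100) {
        Write-Warning "Only $($hi - $lo + 1) ports allocated; check Microsoft's current minimum recommendation"
    }
    return @($lo, $hi)
}

function Add-TeamWorkFirewallRules {
    # Step 3 note: built-in web rules on the IIS server. Step 5 note: program exception for AMEDMW.exe
    # on the application server. Enable only the HTTPS rule if the site is reachable over SSL alone.
    param([switch]$WebServer, [switch]$ApplicationServer)
    if ($WebServer) {
        Enable-NetFirewallRule -DisplayName 'World Wide Web Services (HTTP Traffic-In)'
        Enable-NetFirewallRule -DisplayName 'World Wide Web Services (HTTPS Traffic-In)'
    }
    if ($ApplicationServer) {
        New-NetFirewallRule -DisplayName 'TeamWork AMEDMW (DCOM)' -Direction Inbound `
            -Program $Amedmw -Protocol TCP -Action Allow | Out-Null
    }
}

function Test-TeamWorkDcomPath {
    # Run on the IIS server while a Web Access session is open.
    # 1. The endpoint mapper must answer; without it DCOM never reaches the dynamic port.
    $epm = Test-NetConnection -ComputerName $AppServer -Port 135 -WarningAction SilentlyContinue
    if (-not $epm.TcpTestSucceeded) { throw "TCP port 135 on $AppServer is unreachable" }
    # 2. Every established connection to the application server other than 135 must lie
    #    inside the restricted range, otherwise the firewall rules of step 5 will break sessions.
    $lo, $hi = ($PortRange -split '-') | ForEach-Object { [int]$_ }
    $outside = Get-NetTCPConnection -RemoteAddress $AppServer -State Established -ErrorAction SilentlyContinue |
               Where-Object { $_.RemotePort -ne 135 -and ($_.RemotePort -lt $lo -or $_.RemotePort -gt $hi) }
    if ($outside) {
        throw "DCOM negotiated a port outside ${lo}-${hi}: $(($outside.RemotePort | Sort-Object -Unique) -join ', ')"
    }
    return "DCOM path to $AppServer OK: port 135 plus ports within ${lo}-${hi} only"
}

# Typical sequence. On the application server:
#   Set-DcomPortRange; Add-TeamWorkFirewallRules -ApplicationServer; Restart-Computer
#   Test-DcomPortRange           # after the reboot
# On the IIS (Web Access) server, with a vault published and a browser session open:
#   Add-TeamWorkFirewallRules -WebServer
#   Test-TeamWorkDcomPath
```

Test-TeamWorkDcomPath only proves that the negotiated ports are inside the range the IIS-side firewall rule permits; it does not replace checking the firewall's own logs for dropped packets on the ed0 interface, which is the quickest way to spot a DCOM port that fell outside the range.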

Related concepts

Understanding TeamWork security requirements

Understanding the client computer privileges

Understanding the TeamWork server privileges

Understanding the Web Access server privileges


Copyright © 2000-2012 BlueCielo ECM Solutions

www.bluecieloecm.com