Firewall Configurations

The Laserfiche Forms Server is composed of two parts: a web application and a routing service. The Forms Server needs access to the Laserfiche Server (to check for named users), the Active Directory domain controller (to find information associated with domain users), and the database server (to store business process information) specified during configuration. If the Forms Server has been configured to connect to the database via SQL authentication, the database server does not have to be within the same domain as the Forms Server.

There are several different types of firewall configurations that can be implemented for Laserfiche Forms.

Note: If you have never configured a firewall, it is strongly recommended that you refer to another source for information on firewall configuration. You should also contact a network security professional prior to implementing a firewall solution.

The following basic configurations are available when using Laserfiche Forms with a firewall.

The Forms Server within the DMZ

Diagram of the Forms server within the DMZ

In this configuration the Forms Server sits in a DMZ between two firewalls. The outer (secondary) firewall admits Internet traffic only to the Forms Server, and the inner (primary) firewall admits only the connections the Forms Server itself initiates to the Laserfiche Server, the Active Directory domain controller, and the database server on the private network. Depending on your network equipment, each firewall acts as a proxy or as a filtering gateway. This layout requires careful configuration and adds complexity to the primary firewall.

This setup is similar to the single within-firewall example, with the addition of a second firewall. If the publicly reachable Forms Server is compromised, a properly configured dual-firewall setup helps localize the breach: the attacker is still outside the primary firewall, which accepts only the specific ports and source address the Forms Server needs. This offers additional security over an all-or-nothing model.

Tip: If your Laserfiche Forms installation includes the Forms Portal Add-on and will be accessed by public users, use this firewall configuration. It provides the most protection when the Forms Server is publicly accessible.

How does it work?

  1. An Internet user (via web browser) requests a form or other information from the Forms Server through a website incorporating Laserfiche Forms.
  2. The secondary (outer) firewall accepts the request and, depending on whether it is proxy-based or filter-based, either proxies or routes it to the Forms Server in the DMZ. In other words, users point their web browsers at the firewall's public address and the firewall forwards the request to the Forms Server.
  3. The Forms Server receives the request and opens a connection to the Laserfiche Server through the primary (inner) firewall.
  4. The Laserfiche Server accepts the connection and returns the requested information, which the Forms Server relays to the user.
  5. The primary firewall allows only connections initiated from the DMZ (that is, from the Forms Server) to the Laserfiche Server, the domain controller, and the database server on the private network; the Forms Server's database and directory traffic takes this same path. All access initiated from the Internet to the private network is restricted.

Everything Inside the Firewall

Diagram of everything in the firewall

In this configuration the Laserfiche Server, database server, Active Directory domain controller, and Laserfiche Forms Server all sit on the private network behind a single firewall, and are reachable from outside only through it. The firewall acts as a proxy or a filtering gateway depending upon your network configuration. This requires careful configuration and entails an extra level of complexity for the firewall.

If Internet users must reach Forms, the firewall has to allow inbound connections from any Internet address to the web server hosting the Forms Server (on its HTTP or HTTPS port). If Laserfiche Forms is only used on the intranet, no inbound connections through the firewall are needed and none should be allowed. Be aware that opening the web server to inbound Internet connections weakens the firewall as a boundary: a compromise of the Forms Server then takes place on the same network segment as the Laserfiche Server, domain controller, and database server.

Tip: If your Laserfiche Forms installation does not include the Forms Portal Add-on or will not be accessed by public users, use this firewall configuration. It provides the most protection when the Forms Server is not publicly accessible.

Important: If external users will access Laserfiche Forms through one of several Forms Servers connected to the same database, ensure that the Primary Forms Server URL is specified in the Forms configuration. The primary Forms Server must be able to reach the users of the other Forms Servers, and the routing service on each of the other Forms Servers must be able to reach the primary Forms Server; the firewall rules must permit both directions of that traffic.

How does it work?

  1. An Internet (or intranet) user (via web browser) requests a form or other information from the Forms Server through a website incorporating Laserfiche Forms.
  2. The firewall accepts the request and, depending on whether it is proxy-based or filter-based, either proxies or routes it to the Forms Server. In other words, users point their web browsers at the firewall itself and the firewall forwards the request to the Forms Server on the private network.
  3. The Forms Server receives the request and opens a connection to the Laserfiche Server; both machines are on the private network, so this connection does not cross the firewall.
  4. The Laserfiche Server accepts the connection and returns the requested information, which the Forms Server relays to the user.
  5. When the Forms Server needs the database server or the Active Directory domain controller, it connects to that server directly on the private network. The database server or domain controller processes the request and returns the result to the Forms Server.

The Forms Server Outside, Everything Else Inside

With this setup, the Laserfiche Server, database server, and Active Directory domain controller remain behind the firewall, while the Laserfiche Forms Server sits outside it and must be allowed through to reach them. This keeps the back-end servers relatively well protected. However, because a path through the firewall must exist for the Forms Server to communicate with them, a compromised Forms Server can be used as a launching point for an attack through the firewall against the Laserfiche Server, the Active Directory domain controller, or the database server. Limit that path to the specific ports those servers need and to the Forms Server's address only.

How does it work?

  1. An Internet user (via web browser) attempts to sign in to Laserfiche Forms.
  2. The Forms Server receives the request and opens a connection to the Laserfiche Server through the firewall.
  3. The firewall is configured so that all direct access initiated from the Internet to the private network is blocked. When the Forms Server connects to the firewall, the firewall passes the request on to the Laserfiche Server located on the private network. Special care should be taken to open only the ports that Laserfiche needs (see Firewall Setup and Port Information below) and to accept those connections only from the address of the web server hosting the Laserfiche Forms Server.
  4. The Laserfiche Server accepts the connection and returns the requested information, which the Forms Server relays to the user.
  5. When the Forms Server needs the database server or the Active Directory domain controller, it connects through the firewall, which passes the request to the appropriate server. The database server or domain controller processes the request and returns the result through the firewall to the Forms Server.

Note: There are several options for configuring Active Directory Domain Services to communicate with the Forms Server through a firewall. See the Microsoft TechNet article on Active Directory firewall ports for more information.
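The host-level counterpart of the firewall rules described above (the primary firewall in the DMZ layout, and the single firewall in the Forms Server Outside layout) is Windows Firewall on each protected server, which should accept the Laserfiche ports only from the Forms Server. The following script is an added example and is not part of the Laserfiche documentation or product; the Forms Server address 10.0.1.20, the rule names, and the role table are assumptions to adapt to your environment.

```powershell
# Added example, not from the Laserfiche documentation. Run in an elevated PowerShell session
# on each protected server. The Forms Server address and the rule names are assumptions.
$FormsServer = '10.0.1.20'

# Ports each protected server must expose, taken from the Port Information table on this page.
# The domain controller is omitted: its port set is larger and is covered by the Microsoft
# article referenced above.
$Roles = @{
    'LaserficheServer' = @(80, 5051)   # repository access and notifications
    'DatabaseServer'   = @(1433)       # SQL Server default instance
    'WorkflowServer'   = @(80)         # Workflow Web Service in IIS
}

function New-ScopedInboundRule {
    param(
        [Parameter(Mandatory)] [string]   $Role,
        [Parameter(Mandatory)] [int[]]    $Ports,
        [Parameter(Mandatory)] [string[]] $AllowedSources
    )
    $name = "Laserfiche $Role - TCP $($Ports -join ',') from Forms Server only"
    # Replace any earlier copy of the rule so that re-running the script is safe.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $Ports -RemoteAddress $AllowedSources -Profile Domain,Private | Out-Null
    return $name
}

# Pick the role that matches the machine you are on, e.g. on the Laserfiche Server:
$role = 'LaserficheServer'
New-ScopedInboundRule -Role $role -Ports $Roles[$role] -AllowedSources $FormsServer

# A scoped Allow rule only helps if the profile drops everything that no rule allows.
Set-NetFirewallProfile -Profile Domain,Private -DefaultInboundAction Block

# This page notes that the Laserfiche Server installer creates its own firewall exception.
# List any enabled Laserfiche-related inbound rule still open to every remote address so it
# can be scoped to the Forms Server or disabled.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object DisplayName -like '*Laserfiche*' |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -eq 'Any') {
            "{0}: open to Any remote address; scope it to {1}" -f $_.DisplayName, $FormsServer
        }
    }
```

Windows Firewall evaluates Block rules before Allow rules, so do not add an explicit "block 1433 from Any" alongside the scoped allow; rely on the profile's default inbound action instead. Port 1433 is only the default for a SQL Server default instance; a named instance uses a dynamic port unless you assign it a static one in SQL Server Configuration Manager, and the rule must match that port.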

Firewall Setup

By default, the Laserfiche Server listens on TCP port 80. The Laserfiche Server broadcasts notifications on TCP port 5051. If there is a firewall between your Laserfiche Server instance and your Forms Server, make sure that ports 80 and 5051 are open on the firewall. You can use the Server Settings node of the Laserfiche Administration Console to modify the default port settings.

Note: The Laserfiche Server installation automatically creates a Windows Firewall exception for the Laserfiche Server.

Port Information

By default, Forms communicates with other applications using the following ports.

Laserfiche Products and Ports

Product                       | Default port           | Where to change it
------------------------------|------------------------|------------------------------------------
Laserfiche Server             | 80 and 5051            | Laserfiche Administration Console
Workflow Web Service          | 80                     | IIS on the Workflow Server machine
Database Lookups              | 1433                   | SQL Server Configuration Manager
Laserfiche Rio installations  | 5048 (HTTPS: 5049)     | Directory Server configuration file
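Once the firewalls are in place, the quickest check is to confirm from the Forms Server itself that each dependency in the table answers on its port. The following script is an added example, not part of the Laserfiche documentation or product; the hostnames are assumptions and the ports are the defaults from the table above.

```powershell
# Added example, not from the Laserfiche documentation. Run on the Forms Server, where both the
# web application and the routing service live. Hostnames are assumptions; ports are the page's
# defaults. Remove the Rio rows if you are not running a Rio installation.
$Checks = @(
    @{ Name = 'Laserfiche Server';            Target = 'lfserver.corp.example'; Port = 80   }
    @{ Name = 'Laserfiche Server events';     Target = 'lfserver.corp.example'; Port = 5051 }
    @{ Name = 'Workflow Web Service';         Target = 'workflow.corp.example'; Port = 80   }
    @{ Name = 'Database lookups (SQL)';       Target = 'sql01.corp.example';    Port = 1433 }
    @{ Name = 'Directory Server (Rio)';       Target = 'lfds.corp.example';     Port = 5048 }
    @{ Name = 'Directory Server (Rio, HTTPS)';Target = 'lfds.corp.example';     Port = 5049 }
    # LDAP on 389 is one of the domain controller ports; the full AD DS set is in the Microsoft
    # article referenced above.
    @{ Name = 'Domain controller (LDAP)';     Target = 'dc01.corp.example';     Port = 389  }
)

function Test-FormsDependency {
    param([hashtable]$Check, [int]$TimeoutMs = 3000)
    # A plain TCP connect with a short timeout; Test-NetConnection would also work but is slow
    # when ICMP is filtered, which it usually is across a firewall.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Check.Target, $Check.Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
    } catch {
        $ok = $false   # name resolution failure or immediate refusal
    } finally {
        $client.Close()
    }
    [pscustomobject]@{
        Dependency = $Check.Name
        Target     = "$($Check.Target):$($Check.Port)"
        Reachable  = [bool]$ok
    }
}

$results = $Checks | ForEach-Object { Test-FormsDependency -Check $_ }
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning ("Not reachable: " + ($blocked.Target -join ', ') +
        ". Check the firewall between the Forms Server and these hosts before troubleshooting Forms.")
    exit 1
}
```

A connection that succeeds here but fails from the Internet is expected in the DMZ and Forms-Server-Outside layouts; what should never succeed is the same check run from an Internet host toward the Laserfiche Server, database server, or domain controller.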