
Making WCF RIA Services work in a DMZ/Multitier architecture using Application Request Routing

13 Sep 2010
A guide to creating secure Silverlight + WCF RIA Services applications for the enterprise! This is done using Application Request Routing (turning IIS into a reverse proxy).

Introduction

In large companies, governments and similar organizations, the application architecture usually needs to follow a set of rules (focused on maintainability and security).
These could be rules like the following:

  • The applications need to be developed following a Multitier architecture
  • Each tier should be physically separated for security.
  • The business logic tier is the only one that can connect to the data tier.
  • The presentation tier only connects to the business logic tier.
  • The presentation tier may not directly connect to the data tier.
  • The presentation tier is located in a DMZ, other tiers are heavily secured.
  • ...

Each project / company will have its own rules but the concept stays the same.
Here is an example of how this could be achieved in ASP.NET:

As you can see, for the data tier to be compromised one must first compromise the presentation and the business logic tier.
You can also assume that in most cases each physical tier is also protected by a firewall.

Default: Physical tiers in Silverlight + WCF RIA Services

When you're building an application in Silverlight with WCF RIA Services you'll get the following setup:

The setup is still a 3-tier architecture, but the presentation tier runs on the client.
You could argue about whether the middle tier counts as a presentation tier (since everything runs on the client), but let's say it does.

From a security point of view this is less safe.
Once the web server in the middle is compromised, one has direct access to the data tier.

We could just add an extra tier containing some WCF Services that would be consumed by our WCF RIA Services but that would cause code duplication.
This would be an undesired side effect and thus we won't see this as a good solution to our problem.

Separate: An extra Web Application for WCF RIA Services

In my last post (Things you can do with WCF RIA Services and a regular .svc file) I described how you could separate the web application (hosting Silverlight) and the services, resulting in the following setup:

As you can see here we're a step closer. Our services can live on one server and our web page (hosting the Silverlight application) on another server. This does separate our tiers physically. But the problem is that Silverlight still requires a connection to WCF RIA Services directly.

In this setup our Business Logic Tier should be exposed to the internet / be in a DMZ / ... for our Silverlight client to access it.
And again, if this server is compromised one has direct access to the Data Tier!

Advanced: Using IIS Application Request Routing

For more information about ARR please visit: http://www.iis.net/download/ApplicationRequestRouting
Another interesting topic to look at is content based routing: http://hashtagfail.com/post/1000967093/wcf-routing-ria-services

We'll be using ARR (in combination with URL Rewrites) because it allows us to use IIS as a reverse proxy.
Using this reverse proxy we'll be able to achieve the following setup:

Follow these steps to install and configure IIS Application Request Routing.

A. Preparing the server(s)

  1. Make sure you have IIS 7 or IIS 7.5
  2. Download the Application Request Routing extension: x86 / x64
  3. Install the extension (it might install other extensions first)
  4. For testing purposes we'll simulate 2 servers on one machine.
    To do this, open c:\windows\system32\drivers\etc\hosts with notepad.

    127.0.0.1 presentationtier
    127.0.0.1 logictier


    We'll link these hostnames using host headers in IIS.

    If you have 2 servers you can use for testing, please do (and you can skip this step).
    But don't forget to install the WCF RIA Services Toolkit!
  5. Finally we'll configure the Application Request Routing.
    In IIS Manager, click your server and go to Application Request Routing Cache:



    Important note: If you work with multiple servers (and that's what you'll do in a real environment), you need to do this on your presentation tier (the ASP.NET website containing the Silverlight application).

  6. On the right select Server Proxy Settings and check the box Enable proxy.

B. Creating the site for the business logic tier

  1. In IIS, create a website called LogicSite


    Note that the 'Host name' points to logictier under Binding.
    This way we can simulate that this website is configured on the server logictier.
  2. Now go to Application Pools and open the LogicSite application pool.
    Change the .NET Framework version to v4.0.

C. Provisioning the business logic tier site

Splitting up a Silverlight+RIA Services application requires some actions and you can read all about it in my last article.
We'll be using the solution from that article to get started right away. Note that this solution does not connect to a data tier, it just simulates this using a static list.

  1. Download the complete solution and extract it: Sandworks.Silverlight.nTier.zip (464.99 kb)
  2. Open the solution using Visual Studio
  3. Right click the project and select publish.

  4. Point the publish to the correct directory.

  5. Press Publish.
  6. Now visit http://logictier/Tasks.svc and your WCF RIA Service should be working correctly.

  7. Now, create a file called clientaccesspolicy.xml in the root of this site containing the following XML (required for cross site access in Silverlight):

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://*" />
        <domain uri="https://*" />
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

That does it. Our business logic tier (on a 'separate server') has been configured and is working.
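The policy above lets a Silverlight application downloaded from any domain call every path on LogicSite. A narrower policy is enough for this interim setup. The following is an added example, not part of the original article; it assumes the Silverlight application is served from http://presentationtier as in this walkthrough and that Tasks.svc is the only service to expose.

```xml
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <!-- Only applications downloaded from the presentation host may call in.
           The request header list is kept exactly as in the article. -->
      <allow-from http-request-headers="*">
        <domain uri="http://presentationtier" />
      </allow-from>
      <!-- Only the RIA service and its sub-paths are granted cross-domain,
           not the whole site root. -->
      <grant-to>
        <resource path="/Tasks.svc" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
```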

D. Creating the site for the presentation tier (and reverse proxy)

  1. In IIS, create a site called PresentationSite

    Note that the 'Host name' points to presentationtier under Binding.
    This way we can simulate that this website is configured on the server presentationtier.
     
  2. Now go to Application Pools and open the LogicSite application pool.
    Change the .NET Framework version to v4.0.
     
  3. For this application pool go to Advanced Settings and change the Idle Time-out to 0 minutes.
    And finally go to Recycle... and clear the Regular time intervals (in minutes) checkbox.

E. Provisioning the presentation tier site

  1. Go back to Visual Studio, to the Sandworks.Silverlight.nTier.Client project.
  2. Open MainPage.xaml.cs
  3. Change both links you see there to http://logictier/Tasks.svc
  4. Rebuild the complete solution.
  5. Publish the Sandworks.Silverlight.nTier.Web site to our PresentationSite.


     
  6. Now, open the following link: http://presentationtier/Sandworks.Silverlight.nTier.ClientTestPage.aspx
     
  7. If everything goes well you should see a Silverlight application, and when you press the button Get all tasks you'll see this:

Now you've got a simulated server running the services and another server running the actual web application hosting the Silverlight application.
The Silverlight application runs locally but still connects to the business logic tier. We have now created the setup described in Separate (WCF RIA Services split across 2 servers).

Let's continue.

F. Configuring IIS Application Request Routing and IIS Rewrite

  1. Open the web.config of the PresentationSite (running on the presentation tier).
  2. Now add the following to the configuration file:

    <system.serviceModel>
      <!-- Required: without it WCF reports that '/riaservices/Tasks.svc' does not exist -->
      <serviceHostingEnvironment aspNetCompatibilityEnabled="true"
                                 multipleSiteBindingsEnabled="true" />
    </system.serviceModel>
    <system.webServer>
      <validation validateIntegratedModeConfiguration="false" />
      <rewrite>
        <rules>
          <!-- Forward every request under riaservices/ to the business logic tier -->
          <rule name="Reverse Proxy to Business Logic Tier" stopProcessing="true">
            <match url="^riaservices/(.*)" />
            <action type="Rewrite" url="http://logictier/{R:1}" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>


    This will make sure all requests to the path riaservices are forwarded to our logictier server (containing the business logic tier).
     
  3. Now, visit the page: http://presentationtier/riaservices/Tasks.svc

And there you have it. Even though we're visiting a page on the server presentationtier, it's showing us content from the logictier server.
This means our Silverlight application no longer needs to talk to the logictier server directly, and thus we don't need to expose our logictier server to the internet or put it in a DMZ.

Note 1: The clientaccesspolicy.xml file we placed in the LogicSite is no longer required.
Note 2: The system.serviceModel part in the config is very important. If it's missing you'll get the following error:

In your browser:

Server Error in '/' Application.
The resource cannot be found.

In EventViewer:

WebHost failed to process a request.
Sender Information: System.ServiceModel.Activation.HostedHttpRequestAsyncResult/27111447
Exception: System.Web.HttpException (0x80004005): The service '/riaservices/Tasks.svc' does not exist. ---> System.ServiceModel.EndpointNotFoundException: The service '/riaservices/Tasks.svc' does not exist.
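
The rule from step F forwards every path under riaservices/ to LogicSite, so anything else hosted on that site becomes reachable through the presentation tier as well. A narrower variant of the rewrite section follows, as an added example that is not part of the original article: it forwards only Tasks.svc and its sub-paths for GET and POST, and answers everything else under riaservices/ on the presentation tier itself. The rule names, the method list and the 404 response are assumptions to adapt to the services you actually publish.

```xml
<!-- Replaces the <rewrite> element inside <system.webServer>;
     keep the <system.serviceModel> section from step F unchanged. -->
<rewrite>
  <rules>
    <!-- Forward only the published service endpoint.
         {R:1} is the outer capture group: "Tasks.svc" plus any sub-path.
         The query string is appended by default. -->
    <rule name="Reverse Proxy to Tasks service" stopProcessing="true">
      <match url="^riaservices/(Tasks\.svc(/.*)?)$" />
      <conditions>
        <!-- Assumption: the client only issues GET and POST requests -->
        <add input="{REQUEST_METHOD}" pattern="^(GET|POST)$" />
      </conditions>
      <action type="Rewrite" url="http://logictier/{R:1}" />
    </rule>
    <!-- Any other path or method under riaservices/ stops here
         and is never sent to the business logic tier. -->
    <rule name="Block other riaservices paths" stopProcessing="true">
      <match url="^riaservices(/.*)?$" />
      <action type="CustomResponse" statusCode="404"
              statusReason="Not Found"
              statusDescription="Path is not published through the proxy" />
    </rule>
  </rules>
</rewrite>
```

With this in place, a request such as http://presentationtier/riaservices/clientaccesspolicy.xml returns 404 from the presentation tier, while http://presentationtier/riaservices/Tasks.svc still reaches LogicSite.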

G. The final result in our Silverlight application

  1. Go back to Visual Studio.
  2. Open MainPage.xaml.cs
  3. Change both urls to http://presentationtier/riaservices/Tasks.svc
  4. Rebuild the complete solution.
  5. Publish the Silverlight application like we did in E-5
  6. Check that the web.config still contains the URL Rewrite configuration.
  7. Visit http://presentationtier/Sandworks.Silverlight.nTier.ClientTestPage.aspx

And we're done...

If you want you can start Fiddler and you'll see that our Silverlight application is only accessing our presentationtier server:

After a very long article this is what we've accomplished:

Our solution is ready for the enterprise!

Downloads:

Enjoy..

License

This article, along with any associated source code and files, is licensed under The Microsoft Public License (Ms-PL)

About the Author

Sandrino Di Mattia
Technical Lead RealDolmen
Belgium
I'm a Technical Consultant at RealDolmen, one of the largest players on the Belgian IT market: http://www.realdolmen.com
 
All posts also appear on my blogs: http://blog.sandrinodimattia.net and http://blog.fabriccontroller.net

Comments and Discussions

 
QuestionWhere is article source code? Pinmemberobs12323-Nov-13 1:44 
QuestionDoes this solution forward authenticated client name? PinmemberValeriu zabulica17-Jan-11 2:24 
GeneralGreat article PinmemberAndiM5-Oct-10 12:48 
General5 Pinmembertamash_ionut1-Sep-10 22:35 
GeneralRe: 5 PinmemberSandrino Di Mattia1-Sep-10 23:02 
GeneralRe: Diagrams Software PinmemberMninawa2-Sep-10 22:11 
GeneralRe: Diagrams Software Pinmember42882-Sep-10 22:29 
It seems like Office Visio. Correct me if I'm wrong
---

GeneralRe: Diagrams Software PinmemberSandrino Di Mattia2-Sep-10 23:27 

Last Updated 14 Sep 2010
Article Copyright 2010 by Sandrino Di Mattia