DMZ deployment topology questions and clarification of the installation guide

  • 1 September 2019
  • 1 reply
  • 8 views


Hi K2 Community,

I'm trying out the DMZ deployment topology described in "Separate IIS Server for DMZ-style External Access"; however, the documentation is not clear to me.


In my environment, the internal domain does not trust the DMZ domain, while the DMZ domain does trust the internal domain. I can sign into DMZ servers with internal domain accounts; we have other apps in the DMZ where we can use our internal AD accounts to sign into them. There's a firewall between the DMZ network and the internal network that blocks all traffic between them; we configure firewall policies on a case-by-case basis to allow traffic on specific ports. The edge firewall is mostly limited to port 443, again on a case-by-case basis. So far this is a common DMZ environment.


I'm installing the K2 SmartForms runtime and web services in the DMZ (the IIS app pool will run with an internal domain account, as recommended by the documentation). The account I'm using to install it is from the DMZ domain, because the DMZ server is joined to the DMZ AD, not to the internal domain.


On the K2 Five installation wizard, I'm selecting Web Components (K2 Site); note that I don't want to run the Designer in the DMZ. The installation wizard is asking me to enter the K2 Database details, which I assume is the existing K2 database, and of course port 1433 is blocked from the DMZ to the internal server running SQL Server.


The documentation says

     "TCP Port 5252 and 5555, used for Workflow and SmartObject/Management calls"

and

     "If you are running K2 Designer in the DMZ, you must open TCP port 1433 to allow SQL Server traffic for SmartObject calls."


I do get the point that K2 Designer needs port 1433 and that ports 5252 and 5555 connect to the internal K2 Server, but I don't want to run the K2 Designer in the DMZ, so why would I need access to port 1433? Doesn't the K2 Site communicate directly on ports 5252 and 5555? The documentation should include a note that mentions port 1433 is needed in either case.


Or...


The installation wizard should include an option under Web Components that allows you to install specific components such as K2 Designer, Web services, Runtime and so on. One thing I tried was copying the SmartForms runtime and web services directories from the existing internal K2 server, and unsurprisingly this did not work because of missing assembly dependencies; I did install K2 Core during this installation test. This feels like an unsupported deployment.


What other surprises have people in the community encountered in this deployment topology with the environment I'm describing?


Additionally, given the same environment, what advantages would the reverse proxy deployment topology have over K2 on a DMZ server? I would believe applying future K2 patches will be easier in reverse proxy installations.


Thank you,

Eduardo
1 reply


Hi,

After opening port 1433 the setup completed successfully.


And of course, I ran into another issue. The installation wizard did not want to use the internal domain app pool account because the server is joined to the DMZ domain. This was fixed by disabling the user checks of the installation wizard, which is done by setting the value "domainusercheck" to false in Product.config (located in the same folder as setup.exe).


I also had to adjust the claims configuration since the DMZ URL is different from the internal URL, and finally I had to update the web.config of the runtime web app so that claims authentication could work correctly.


The installation completed successfully, and now people can browse the K2 Site on the DMZ server, which connects to the internal K2 Server, and people on the internal network can connect to the server using the internal URL.


This has been quite a challenging setup, but so far everything has been working fine.


I would still love to know the advantages or disadvantages this topology has in comparison with using a reverse proxy.


Thank you,

Eduardo
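A pre-flight check for the firewall openings this thread ends up needing (5252 and 5555 to the internal K2 Server, 1433 to SQL Server for the installer), as an added example that is not part of the original posts or of K2's own tooling. It uses the standard `Test-NetConnection` cmdlet and is meant to be run on the DMZ IIS host before starting setup; the two hostnames are placeholders.

```powershell
# Added example, not from the thread: verify from the DMZ web host that the
# ports the K2 DMZ topology needs are reachable before running setup.exe.
param(
    [string]$K2Server  = 'k2server.internal.example',  # placeholder: internal K2 Server
    [string]$SqlServer = 'k2sql.internal.example'      # placeholder: SQL Server hosting the K2 database
)

# Ports quoted from the installation guide in the thread, plus 1433, which the
# reply found the installer requires even with no K2 Designer in the DMZ.
$required = @(
    @{ Host = $K2Server;  Port = 5252; Purpose = 'Workflow calls, K2 Site -> internal K2 Server' },
    @{ Host = $K2Server;  Port = 5555; Purpose = 'SmartObject/Management calls, K2 Site -> internal K2 Server' },
    @{ Host = $SqlServer; Port = 1433; Purpose = 'SQL Server: required by the installer; also by K2 Designer if hosted in the DMZ' }
)

$results = foreach ($r in $required) {
    # TcpTestSucceeded is $true only when a TCP handshake completed.
    # -WarningAction hides the ping warning that appears when ICMP is filtered.
    $t = Test-NetConnection -ComputerName $r.Host -Port $r.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host    = $r.Host
        Port    = $r.Port
        Open    = [bool]$t.TcpTestSucceeded
        Purpose = $r.Purpose
    }
}

$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Host 'Blocked from this DMZ host; request firewall changes before running setup:'
    $blocked | ForEach-Object { Write-Host ('  {0}:{1}  {2}' -f $_.Host, $_.Port, $_.Purpose) }
    exit 1
}

# Least privilege: the thread leaves open whether the K2 Site itself still uses
# 1433 once installed. Verify that after setup before keeping the rule permanently.
Write-Host 'All required ports are reachable from this host.'
```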
