4-Tier Deployment question

Old forum URL: forums.lhotka.net/forums/t/8726.aspx

fresh_ant posted on Thursday, March 25, 2010

Hi Rocky & other CSLA users,

We are a team of developers who recently started exploring CSLA & found it very interesting and useful.

We are trying a proof of concept aimed towards 4-tier deployment model and have the following question.

Our deployment scenario is as follows,

1) Client => Silverlight OOB application (because ours is a file-based application & needs trusted file access at the client, which cannot be got in an in-browser Silverlight application, hence we decided to go in for OOB).

2) WebServer => First IIS (hosts the above Silverlight application).

3) AppServer => Second IIS (hosts a WCF service which talks to a DAL layer).

4) DB => SQL Server DB.

The above scenario works very well (in intranet).

The problem is we want to achieve the following on the internet: the Web Server should be exposed to the public internet, and the app server should be inside the firewall (or in the DMZ).

Our Silverlight app in its "ServiceReference.clientconfig" has an endpoint pointing directly to the App server's WCF service (maybe this is the wrong approach).

So once we go Out-Of-Browser, then the xap has the same endpoint url, but this endpoint is not exposed to the public internet. So anyone who takes the OOB app cannot work (unless we expose the app server to the public) which we do not want to do (for security reasons that we do not want someone to compromise our BL or DAL layers).

Now can you please suggest what would be the right approach to follow and whether CSLA provides some option (or) means to expose the WCF through the web server (something like a tunnel) or should we follow the option A explained below,

1) Option A: Write another CSLA WCF service which will expose the App server's WCF Service (something like a first WCF service to wrap the second WCF App service) or act like a redirecting service.

Say we call this the "Web Servers WCF Service"; this will not have the "Business.Server" reference but it will just have a "service reference" to the "App Servers WCF Service".

And the SL client will point to the "Web servers WCF Service", and hence even if it goes OOB, it will still point to the Web server, and hence we need to expose just one server outside the DMZ.


For doing option A, should we create a client proxy for the "App servers WCF" and then expose this client proxy as a WCF service?

2) Option B:

Is there some other option that the framework provides to handle such a scenario?

Please let us know your suggestion on this and what would be the recommended solution.




RockfordLhotka replied on Thursday, March 25, 2010

CSLA .NET for Silverlight directly supports the concept of a 4-tier physical deployment.

In that case the Silverlight client calls a data portal service on a public facing web server (maybe the one where the app is hosted for download).

The public facing web server's data portal doesn't do any real work, it delegates the call to the CSLA .NET for Windows data portal, which invokes the app server. Typically the app server is behind a second firewall.

It is possible for you to write code on the public facing web server to examine client requests before allowing them to be processed. This can be useful if you want to add extra security checks, or re-run business rules before allowing the objects to pass through the internal firewall.

The app server is then able to talk to the database server, because they are both in the trusted zone behind both public and internal firewalls.

The CSLA .NET for Silverlight video series covers the configuration of this model.
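
The relay arrangement described in the reply above, sketched as a web.config fragment for the public-facing web server. This is an added example, not part of the original thread or the CSLA samples; the host names are constructed placeholders, and the key, type and endpoint names are written as used by the CSLA .NET 3.x WCF data portal, so check them against the version you deploy.

```xml
<!-- Added example: web.config on the PUBLIC web server (tier 2). -->
<!-- appserver.internal.example is a constructed placeholder host. -->
<configuration>
  <appSettings>
    <!-- Data portal calls made on this server are forwarded over WCF
         instead of running business/DAL code locally. -->
    <add key="CslaDataPortalProxy"
         value="Csla.DataPortalClient.WcfProxy, Csla" />
    <!-- Internal-only address; never published to the Silverlight client. -->
    <add key="CslaDataPortalUrl"
         value="http://appserver.internal.example/WcfPortal.svc" />
  </appSettings>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Require TLS on the internet-facing endpoint. -->
        <binding name="publicTls">
          <security mode="Transport" />
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <!-- The only data portal endpoint the OOB client can reach. -->
      <service name="Csla.Server.Hosts.Silverlight.WcfPortal">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="publicTls"
                  contract="Csla.Server.Hosts.Silverlight.IWcfPortal" />
      </service>
    </services>
    <client>
      <!-- Outbound hop through the internal firewall to the app server.
           wsHttpBinding applies message-level security by default. -->
      <endpoint name="WcfDataPortal"
                address="http://appserver.internal.example/WcfPortal.svc"
                binding="wsHttpBinding"
                contract="Csla.Server.Hosts.IWcfPortal" />
    </client>
  </system.serviceModel>
</configuration>
```

With this in place the endpoint in the Silverlight client's configuration names only the public web server, and the internal firewall can restrict the app server's data portal to connections originating from that web server.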

fresh_ant replied on Friday, March 26, 2010

Thank you Rocky for the guidance in the right direction & for such a quick reply.

Our company has decided to purchase the video series so that we would know the right approach for implementation.

- Prashant.


Copyright (c) Marimer LLC