10 Replies Latest reply on Feb 27, 2013 12:03 PM by micinfo

    Hosting FMP files on the internet

    micinfo

      Lots of development experience on FMP within the LAN, but I'm a newbie when it comes to FMP security with WAN hosting of FMP files so...

       

      I would VERY much appreciate if you could recommend the easiest way to set up secure hosting of FMP files so that we can access the db from client systems located remotely on the WAN. Specifically, how do I access the FM Server within our LAN from an FMP client located remote in the WAN (currently all computers in the LAN are DHCP running FMP(A)/FMS 11).

       

      Sorry for the newbie question, I assume it's a relatively simple answer, but I don't want to take any chances with security, and so any guidance would be GREATLY appreciated.

       

      - Phil.

        • 1. Re: Hosting FMP files on the internet
          anothersmurf

          Set up a VPN server inside your LAN; have clients outside the LAN connect first to the VPN, then they will be able to get to your FileMaker server as though they were inside the LAN (and network traffic will be encrypted between the client and the VPN server).

          • 2. Re: Hosting FMP files on the internet
            micinfo

            Since our database files have only been hosted within the LAN up to this point, they are not assigned password protection. Do I need to password protect each file when hosted via  the VPN, or is the VPN's login sufficient protection? I really want to avoid passwording every db file if at all possible.

            • 3. Re: Hosting FMP files on the internet
              Aigaion

              If you don't want to set up a VPN or if you want to give access to your database to persons who should not have VPN access, you can create FM "Launcher" files that easily connect any authorized user to the remotely hosted databases.  This db will have only one layout that features a button tiggering a script that provides remote FM client access over the WAN.

               

              To do this, create a new FM database and use File > Manage External Data Sources > New to set a file name and path to the hosted database.  Assuming you are hosting on a Filemaker Server that is accessible via the Internet, the path will look something like:  fmnet:/fms7.yourhostingsite.com/targetdb    Repeat for each db file to which you want to give access.

               

              Next, for each db to be accessed,  set up a button on your opening (only) layout that is labeled "Access" or "File_Name" or somthing simiiar.  Associate with this button the action Open File and specify the file and path you set up in the step above. Do this  by using the drop down menu in the Specify section of the Button Setup dialog box.  All you need do is click on the name of the db in the list that you want associated with that "launch" button.

               

              Now all users have to do is open the Launcher db file as they would any other FM database, click the button for the remotely hosted file they want to access, and a standard Log In window will appear - assuming you have set up passwords and not kept the Admin password giving everyone Full Access - somethng I would really caution against.   If you don't want to pasword protect your hosted files, you could password protect only the Launcher db, so no one without that password can use it to access the remotely hosted files via the "launcher" buttons.

               

              I use this Launcher DB method all the time with a wide range of clients and it provides simple, easy to understand access for those with limited tech skills.

              • 4. Re: Hosting FMP files on the internet
                wimdecorte

                Aigaion wrote:

                 

                If you don't want to set up a VPN or if you want to give access to your database to persons who should not have VPN access, you can create FM "Launcher" files that easily connect any authorized user to the remotely hosted databases. 

                 

                That's not secure at all though.  If I can guess at the host name, I will be able to open any file without being prompted for credentials.

                 

                I really only see two choices:

                - set up credentials for each user.  To reduce the workload here I would look into external authentication

                - or, go with a VPN and remove access on the firewall for FM.  Once the users are connected through VPN it is as if the FMS machine is on the LAN.

                • 5. Re: Hosting FMP files on the internet
                  Mike_Mitchell

                  May I ask - what is your driver for not wanting to password protect your databases? Even on a LAN, you're taking a risk. A pretty big one.

                   

                  1) A user can do something stupid and edit / damage schema without meaning to.

                  2) A hacker who penetrates your LAN (and yes, that does happen) now has access to all your databases without a password.

                  3) What about a compromised insider? Usually, an attacker has to be someone with elevated privileges. In this case, all it has to be is a user on your network with a copy of FileMaker. Ouch!

                   

                  If you're serious about not wanting to take "any chances" with security, I'd think seriously about what Wim has recommended. You can use external authentication to reduce the workload, but ... leaving yourself open like that is asking for trouble. And trouble is very polite; it always accepts an invitation eventually. At least in my experience.   

                   

                  Mike

                  • 6. Re: Hosting FMP files on the internet
                    Aigaion

                    Agree the "launcher file" way of doing it is not secure if each User is not given credentials.  Frankly, I can't image ever setting up a database that does not have the security of unique User login and privildege set restrictions. That's why - like Mike_Mitchell,  I cautioned Micinfo against leaving access open - regardless of method of access.

                    • 7. Re: Hosting FMP files on the internet
                      Lemmtech

                      You can't be serious. You are asking about how to secure your files but they have no passwords on them? Of course set up passwords and usernames on ALL your files and then set up a secure VPN and then you can get to the files from anywhere. I just open the FM port and don't bother with VPN's for remote access but that's of course because ALL my solutions are password protected.

                       

                      Good luck,

                       

                      Mark

                      • 8. Re: Hosting FMP files on the internet
                        micinfo

                        Yes, Lemmtech, I am serious. The files in our inhouse LAN don't need password protection, but as I said, I don't want them accessed from outside the LAN if the VPN doesn't apply sufficient security. I'm not familiar with VPN and so I was inquiring to the users about what constitutes appropriate security for that out-of-LAN access.

                         

                        Thanks.

                         

                        - Phil.

                        • 9. Re: Hosting FMP files on the internet
                          Lemmtech

                          All your files should have passwords on them regardless if then are just on your LAN and need to be accessed remotely unless you don't really care about the data in them. VPN's are as secure as you make them contact some networking people to have them provide the details for you.

                           

                          -Mark

                          • 10. Re: Hosting FMP files on the internet
                            micinfo

                            Believe me when I tell you that our LAN is well-protected and the users are loyal professionals. (At some point we all simply have to trust the judgement of the developer and just try to address the specific question at hand in this forum.) I do have a single file being hosted outside the LAN which is indeed password protected, but it is not hosted by the server (which is running in the LAN) but is hosted by a static IP system in a client-to-client configuration.

                             

                            So my question wasn't about how to secure FMP within a secure LAN, it was only about establishing security in a VPN outside the LAN, and now I understand that the VPN does not replace the security of passwording each individual file. Message received. Thanks.