Question on using IIS for a C#/WCF backend


Bill Fuller

I have a team that is designing/building an n-tier (5 logical layer, 3
physical) WinForms application that will be deployed via ClickOnce. The
backend will be using WCF for communication.

Here is the question... the design team is using IIS, which is not a
requirement of WCF. It is not a web application and we have total control of
the binding protocol (HTTP, TCP, ES, etc.). Their reasoning for using IIS is
because of the requirement for SSL.

My thought is that the backend should be behind the firewall and communicate
to the client application via a proxy in the DMZ... with SSL handling pushed
to edge devices. This would mean that the WCF application servers on the
inside network would not have to be configured as web servers.

Does anyone have any thoughts/recommendations/experience on this?


WCF allows you to "expose" your code in any number of different ways.

So the HOST stuff doesn't need to run its code (and get what it needs) through
IIS, as you suggest.
But it will expose its services via HTTP/SSL if you so choose.

Check channel9 for the Greg Leake videos.
His stocktrader application will actually do it both ways.
1. The host exposes services, but doesn't actually consume services.
2. The host exposes services, but USES services as well (a.k.a. a second
WCF layer).
You can look at the code at ( I think that's it?)

But watch the videos BEFORE you open up the code.


You can see my additions to the WCF technology here:!A68482B9628A842A!158.entry

I have a downloadable example... and you can expose the service through
named pipes or an HTTP web service.

Marc Gravell

Some thoughts; first - why /not/ IIS? Are you just worried about an
extra attack surface?

Note that actually SSL is not a requirement for secure WCF; you can use
message security and pass the message over HTTP, TCP, carrier
pigeon[*], MSMQ, etc. You can also use the host as a service without
IIS, including SSL certificates - but it is harder to do that; IIS is
easy and well documented.
[*] you'll need to write your own driver here, I'm afraid

Under the "KISS" principle, I use transport security (HTTPS) and IIS,
running the code on those web servers via IIS, with a firewall and NLB
in front of them and a database server (and another firewall) behind
them. It works well enough for my needs.

Re terminating SSL at the edge devices - note that this *can't* be a
simple pass-through such as an NLB (F5 etc.) configured to handle HTTPS but
use HTTP to the inner farm. WCF must be configured the same at client
and server: if the client is configured for transport security, the
server must be configured for transport security; and if the server is
configured for transport security it *will not accept* requests over
HTTP. You can use a .NET host/proxy at the perimeter, but I'm not sure
it gains you much.

I use an NLB, but I had to configure it to re-encrypt (with a
different SSL session) between the NLB and the farm. Alternatively, if
you go to message security then your NLB can be a simple pass-through.
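The following C# is an added illustration of the two points made in this thread (self-hosting WCF without IIS, and why transport security cannot survive an SSL-terminating proxy while message security can). It is not code from the thread, from the StockTrader sample, or from Marc's farm. The contract name, host name, port numbers and credential types are assumptions chosen for the example; the netsh step is a generic prerequisite for any self-hosted HTTPS listener on Windows, not something the posters describe.

```csharp
using System;
using System.ServiceModel;

// Assumed contract and stub implementation: the thread never names its service.
[ServiceContract]
public interface IQuoteService
{
    [OperationContract]
    decimal GetQuote(string symbol);
}

public class QuoteService : IQuoteService
{
    public decimal GetQuote(string symbol) => 42.00m; // stub, returns a fixed value
}

public static class WcfHostingDemo
{
    // Assumed internal host name; adjust to your environment.
    const string Host = "app.internal.example";

    // Self-hosting: no IIS involved, the process (e.g. a Windows service) owns the
    // listener. For the HTTPS endpoint, Windows must already have a certificate
    // bound to the port, e.g. (once, as an administrator):
    //   netsh http add sslcert ipport=0.0.0.0:8443 certhash=<thumbprint> appid={<guid>}
    // This is the "harder without IIS" part: IIS does that binding for you.
    public static ServiceHost BuildHost()
    {
        var host = new ServiceHost(typeof(QuoteService));

        // Endpoint 1: transport security. Confidentiality and integrity come from
        // TLS on the wire, so the address must be https:// and TLS must run end to
        // end. An edge device that terminates SSL and forwards plain HTTP breaks it.
        var transport = new WSHttpBinding(SecurityMode.Transport);
        transport.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        host.AddServiceEndpoint(typeof(IQuoteService), transport,
            new Uri("https://" + Host + ":8443/quotes"));

        // Endpoint 2: message security. The SOAP message itself is signed and
        // encrypted (here via Windows/Kerberos negotiation), independent of the
        // transport, so the address can be plain http:// and a load balancer may
        // terminate SSL at the edge and forward HTTP without the service noticing.
        var message = new WSHttpBinding(SecurityMode.Message);
        message.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IQuoteService), message,
            new Uri("http://" + Host + ":8080/quotes"));

        return host;
    }

    // The mismatch seen from the server side: a transport-secured binding cannot
    // listen on an http:// address at all. Returns false when WCF refuses to open.
    public static bool TransportModeOpensOnPlainHttp()
    {
        var host = new ServiceHost(typeof(QuoteService));
        var transport = new WSHttpBinding(SecurityMode.Transport);
        host.AddServiceEndpoint(typeof(IQuoteService), transport,
            new Uri("http://" + Host + ":8080/quotes-wrong"));
        try
        {
            host.Open();   // throws: binding scheme is https, address scheme is http
            host.Close();
            return true;
        }
        catch (Exception)
        {
            host.Abort();
            return false;
        }
    }

    // Client side: the binding must mirror the server's. A message-security client
    // can reach endpoint 2 through an SSL-terminating proxy; a transport-security
    // client needs https end to end (endpoint 1, or a proxy that re-encrypts).
    public static decimal CallOverMessageSecurity(string address)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var factory = new ChannelFactory<IQuoteService>(binding, new EndpointAddress(address));
        IQuoteService proxy = factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try
        {
            return proxy.GetQuote("MSFT");
        }
        finally
        {
            // Close cleanly, or abort if the channel faulted (Close would throw).
            if (channel.State == CommunicationState.Faulted) channel.Abort(); else channel.Close();
            if (factory.State == CommunicationState.Faulted) factory.Abort(); else factory.Close();
        }
    }
}
```

The practical check before choosing an edge design is the one in TransportModeOpensOnPlainHttp: if the binding you intend to ship is SecurityMode.Transport, the only proxy options are re-encryption to the farm or TLS passthrough at the TCP level; SSL offload to plain HTTP is ruled out by the binding itself, not by a configuration knob.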
