Possible Duplicate:
How to Deploy an ASP.NET Web API- and Browser-based Application to a Production Environment

We have an ASP.NET Web API server that serves up a SQL Server data driven website. The API uses JSON to transfer data from SQL Server to the front end.

We need to move it to an internal production environment (nothing will be exposed on the public Internet) and we’re having problems - or just not understanding what needs to be done.

There are two domains:

  1. The corporate domain - where all users login normally.
  2. The process domain - contains the database the Web API needs to access.

The IT staff wants to put a DMZ between the two domains to house the IIS app and shield the users on the corporate domain from having access into the process domain directly.

The ideal configuration is:

corp domain (end users) <–> firewall (open port 80) <–> DMZ (web server running IIS) <–> firewall (open port 80 or 1433????) <–> process domain (IIS for Web API and SQL Server)

We don’t really understand how to deploy our browser/Web API application in this scenario.

  1. Do we need to break up our application so that all the client code is on the IIS server in the DMZ, while the Web API gets installed on the server in the process domain?
  2. Does the entire app (client code and Web API) stay together on the IIS server in the DMZ, which then somehow accesses the SQL Server instance to get data?
  3. From the IIS server and app in the DMZ, would you simply access the Web API on the server in the process domain by going to http://server/appname/api/getitmes?
  4. In the second firewall between the DMZ and the process domain, would you have to open port 1433 or just port 80 since the Web API is a HTTP endpoint?
  5. Or, is there some better way of deployment (i.e., how ASP.NET Web API single page applications written all in HTML5 and JavaScript supposed to be deployed to production environments?)?

NB: The servers are Win2k8 R2, SQL Server 2k8 R2, and IIS 7.5.

  • 197
  • 1
  • 3
  • 8
  • When you say "single page" do you mean that all page interactions are handled via the client (i.e. Javascript) and that all requests to the WebApi are done through Javascript/AJAX? If so, you'll have to put your WebApi so that it is accessible by the end users (since they will be trying to access it directly from their browser). I can't quite tell from the description if the DMZ is forwarding requests or not. –  Nov 13 '12 at 07:50
  • Hello Chris. Thanks for replying. You are correct; that is, the application as it stands right now is a SPA in which the client gets all the HTML/CSS/JS on the initial request and after that only REST calls are made to the Web API. The Web API controllers on the server issue SQL queries directly to the database and return JSON data (in the case of GETs, for example). To clarify, you're suggesting putting everything (the HTML, CSS, JS, Web API assemblies, etc.) all on the IIS server in the DMZ and then send only queries to the SQL Server through port 1433? ... – lmttag Nov 13 '12 at 16:20
  • ... I was having trouble with this scenario. From a client browser (mobile Safari since this app is intended for mobile devices), I type in the URL to the IIS server (e.g., http://servername/appname) and get the HTML/CSS/JS downloaded to the browser. Inside one of my JS files, I make an AJAX call to the Web API (e.g., http://servername/appname/api/getitems). This all work locally when IIS and SQL Server are all on the same machine. Is there something else I need to do different to work in production where IIS and SQL Server are on two separate servers? ... – lmttag Nov 13 '12 at 16:20
  • ... Assuming the firewall stuff between the two servers is correct, do I just need to change my DB connection string to find the SQL Server? Or? Thanks! It appears that this post was migrated from stackoverflow.com, so now there's two on serverfault. Sorry. – lmttag Nov 13 '12 at 16:21
  • Yes, all you should have to change are your connection strings. – NotMe Nov 13 '12 at 19:21

1 Answers1


Typically speaking your code is going to be deployed on the IIS server. This means your "web api" and website.

Quite frankly I don't think your using the correct terms here as what you seem to be saying is that you have a web site which communicates with a web service that then communicates with the sql server for data access.

The web service and website would be on one or more web servers outside the DMZ. The database server would be inside the DMZ. The DMZ should be configured to only allow requests from your web server(s) to go to the database server. Usually over port 1433 or whatever port SQL is configured to use.

Outside the DMZ, a firewall should be in place to limit access to that web server on ports 80 or 443. 80 if it's not SSL, 443 if SSL is enabled.

  • 3,772
  • 7
  • 30
  • 43
  • Hi Chris. Thanks for replying. Yeah, you're probably correct about me not using correct terms. Since I'm no networking/security expert (I'm a developer and, up until now, we've only had to worry about installing our Windows forms apps on a single server with simple Windows authentication), I'm just trying to understand some things so I can speak somewhat intelligently to IT people, and figure out if we have to change our application in any way. What you've said (in addition to the other replies) makes sense. I'll investigate further. Thanks again. – lmttag Nov 13 '12 at 16:28