We're looking for a solution to allow contractors access to our Vault. I was thinking of a replicated server hosting Web2 within a DMZ. Does this make sense?
So after Mike Spens' presentation yesterday, yes, setting up the Web Server within a DMZ is the way to go.
Adrian, take a look at Flatter Files http://www.flatterfiles.com
I have had this same need many times during the last 10 years with EPDM and have fought with the original web client, training suppliers, training and maintaining it for internal employees but have never had a good solution with the limited functionality. I have NOT tried Web2 yet BUT Flatter Files has EVERYTHING you will need. Check it out.
I am familiar with Flatter Files, but in our case we need to actively collaborate with SW Parts and Assemblies, not just drawings. We're looking for a solution where we don't have to zip files up every time. I already have Web2 set up internally, it seems like a possible solution.
I hope to find out about this as well by attending the "Share SOLIDWORKS PDM Professional Content Online with Web2" session at SolidWorks World 2016.
Thanks for the Heads-up Michael, I'll see you there! Our IT Team has some ideas, but I was just wondering if anyone had actually done it already.
From a security standpoint, I'm going to go with it's a really bad idea. There are quite a few things about the setup that you don't want to do to a web facing server.
Even from within a DMZ? If the setup is so unsecure, why even create it then?
The point of a DMZ is to suspect that anything outside of it is unsecure and possibly compromised. But to make Web2 work you still have to have pretty much full access to the servers from the DMZ. The web server has to have a vault view installed and there has to be a user profile on the server that IIS is using to access that view. You have to have holes through the DMZ for the SQL and Archive server so anyone that's able to take control of that server will have access to your entire vault. It's built to be an intranet style site that you can grant access to outside vendors through a VPN.
Well that renders it useless!
Thanks for the details THAT SOLIDWORKS DOESN'T PROVIDE...
I feel misled... have been waiting over a year for this as a means of solving our issue, I could have looked elsewhere by now if I knew it did not work as Advertised...
The web connection capabilities in SOLIDWORKS PDM Professional enable both internal and external users to access and edit data stored in the vault from anywhere and on any device with a browser and an internet connection. There is also a mobile version to make navigating and finding data easy on small hand-held devices like Smartphones and mini-tablets.
Technically it works as advertised, it will let external users access your data, it just might not be the ones you want... I've looked to see if I could get our SecOps team to take a look at this but as soon as I said it ran on IIS they said nope.... can't say I blame them
Well yeah, but anyone that already has VPN or network access already has the regular PDM Client. For me "Over the internet" and "thru VPN" are not the same thing...
"from anywhere and on any device with a browser and an internet connection." Nowhere in there does it state VPN is required.
I'm not questioning their reason (for using IIS), I'm just frustrated because they should have been very clear about that!
It's true that it CAN be set up without requiring VPN, I'm just saying you SHOULDN'T set it up without VPN. The world of web services is a wild one. Sys admins have to stay up to date on exploits and vulnerabilities. All it takes is missing one cross-site scripting vulnerability and it's over, you lost everything. I don't recall there even being an ability to lock out a user after multiple attempts, and every vault has a user named admin that's not controlled by Active Directory that anyone on the web could just brute force until it got through if they could get to the login dialog. VPN just closes that gap down to people that can open that door first, and the security around it is well established.
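Since the post above describes a login with no lockout, one compensating check is to watch the IIS logs for bursts of login POSTs from a single address. This is an added example, not part of the original thread or of any SOLIDWORKS code; the login path, window and threshold are assumptions, and the log lines are constructed.

```python
"""Flag client IPs that hammer a login URL, using IIS W3C extended logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/web2/login"      # hypothetical placeholder: use the path your site logs
WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 5                   # assumed login POSTs per IP per window before flagging

def parse_w3c(lines):
    """Yield one dict per request; column order comes from the '#Fields:' directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated or malformed rows
                yield dict(zip(fields, values))

def noisy_login_clients(lines, path=LOGIN_PATH, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: peak login POSTs seen inside any one window} for offenders.

    Counts attempts rather than failures, so it does not depend on how the
    application reports a bad password. Expects chronological input, as IIS writes it.
    """
    recent = defaultdict(deque)
    peaks = {}
    for row in parse_w3c(lines):
        if row.get("cs-method") != "POST":
            continue
        if row.get("cs-uri-stem", "").lower() != path.lower():
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        ip = row["c-ip"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:               # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# Constructed sample log: one address posts 8 times in 35 seconds, another twice in 19 minutes.
SAMPLE = ["#Fields: date time cs-method cs-uri-stem c-ip sc-status"]
SAMPLE += [f"2016-02-01 10:00:{s:02d} POST /web2/login 203.0.113.7 200" for s in range(0, 40, 5)]
SAMPLE += ["2016-02-01 10:01:00 POST /web2/login 198.51.100.4 200",
           "2016-02-01 10:20:00 POST /web2/login 198.51.100.4 200",
           "2016-02-01 10:21:00 GET /web2/login 198.51.100.4 200"]

if __name__ == "__main__":
    print(noisy_login_clients(SAMPLE))
```

A check like this only reports after the fact; it does not replace an account lockout or putting the site behind a VPN.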
Yeah, this is what I mean, if no one in their right mind would recommend doing it, then it is not an option as a solution. SW should include in their documentation that the intended use is as an Intranet not "Over the Internet".
While Charley Saint may be correct, I am going to reserve judgement until I talk to someone at SWW.
Had to catch a flight so I missed it, what did he say?
I'm also curious about the presentation you mentioned. Can you elaborate about what was shown? I DO NOT want to roll out our Web Client without the proper security in place.
We have implemented it, we went live with it late winter last year. We utilize it to allow access to support docs for our customer base, as well as a data exchange for our tier one vendors.
We are currently running this setup. There are still some hoops to jump through, plus the Web2 non-beta has some gremlins as well.
You will have to purchase an additional license first off. You can only have as many simultaneous external users accessing as you have licenses. Unless your external user clicks on the logout (btw this button is not currently working) button, the session will remain open. You can set an auto time-out, but that takes some trial and error to determine what the ideal time is. The Web2 beta had some issues with large data sets being downloaded, not sure yet how the non-beta handles this.
If you have any further questions feel free to ask.
Did you guys happen to have an internal or third party security audit of the deployment?
No, our corporate overlords don't require one. We run the web server in our DMZ which already falls under existing external accessibility rules.