WCF cross-domain duplex: your Thawtes


(Ha! see what I did there?)

I have a system whereby a server pushes information from a central DB out to many client DBs (cross-domain via internet), and periodically they call services on the server. This has to withstand intermittent connections, i.e. queue messages.

I've created a development version using duplex MSMQ that I'm trying to apply transport security to. From the reading I've done, it appears that:

  • MSMQ uses AD Windows Security, which is irrelevant cross-domain.
  • Due to the nature of duplex, each client is effectively a server as well. That means I need to pay $1200 every time I install the system with another client if I want to use SSL.

Are these facts correct? Am I really the only person who needs to secure services that are queued AND cross-domain AND duplex?

2

There are 2 answers

1
tom redfern On BEST ANSWER

You may, in fact, be the only person in the world right now who wants to do this.

Let me embellish.

  1. Not many companies are using MSMQ (in the grand scheme of things).
  2. Of those that are, the vast majority are using only private queues; a small minority only use public queues.
  3. Of those that are, only a handful are using it across the internet.
  4. Of those that are, perhaps one is using it to exchange messages in both directions (that would be yours).

But that aside, it seems to me your main challenge will be using MSMQ as a secure transport layer over the internet. Although I have never had to do this, here are a couple of articles:

Sorry couldn't be of more help.

0
John Breakwell On
  • "MSMQ uses AD Windows Security, which is irrelevant cross-domain."

No, MSMQ uses Windows security which includes local accounts and, if available, domain accounts. MSMQ also uses certificates, if available.

  • "Due to the nature of duplex, each client is effectively a server as well."

MSMQ doesn't use a client-server model. All MSMQ machines are effectively peers, sending messages between each other. For the $1,200 payment, are you referring to the certificate needed by the web service for sending MSMQ over HTTPS?

This is the first time I've seen anyone want to push secure messages over HTTPS to multiple destinations.