External access by setting up ThoughtFarmer in a DMZ

With this method the ThoughtFarmer server will be set up in a De-Militarized Zone (DMZ) on your network. A DMZ is essentially a network configuration that places servers between 2 firewalls. One from the internet to the server, and then another to your organization's internal network. This scenario requires a domain URL to be created and registered and the DNS entry set to point to your network's public gateway. The port forwarding in this case will point to the ThoughtFarmer server in the DMZ. It will also require additional configuration for the firewall to your internal network to allow for only the bare minimum of ports to be opened.


  • This approach provides direct external access to your intranet, which is easier for users than solutions that require a VPN.
  • Unlike a simple port-forwarding approach, a DMZ provides an extra level of security at the network level. 

  • This may require architectural changes to your server(s) on your network.
  • This can be the most complicated method to configure.

Steps for configuring your ThoughtFarmer server in a DMZ

  1. Set up your ThoughtFarmer server in a DMZ and configure the internal firewall to allow for the appropriate ports (see below).
  2. Get the external IP address for the network that your ThoughtFarmer server is set up on.
  3. Register a public domain name for your intranet (e.g. using the service provider of your choice. If you already have a domain registered skip this step.
  4. Choose a full URL for your intranet (e.g.
  5. Purchase an SSL certificate for the chosen URL from the service provider of your choice. You can also purchase a wildcard SSL (e.g. * or use one if already purchased.
  6. Contact the Administrator for the registered domain name and add an A-record for your chosen intranet URL to point to the IP in step number 1.
  7. Install the SSL certificate on the ThoughtFarmer server.
  8. Configure an SSL binding on your ThoughtFarmer instance.
  9. Set up a redirect for all http traffic to go to https (you can specify a different URL than your internal users).
  10. Set up port forwarding on the network firewall to point all port 80 (http) and port 443 (https) traffic for the intranet URL to the internal IP of the ThoughtFarmer server in the DMZ.

Configuring the internal firewall

In order to allow for Windows Authentication and AD Integration the web server will need to be a part of the AD domain. This will require opening specific ports on the internal firewall. See How to configure a firewall for domains and trusts for a complete listing depending on server operating system.

The diagram below shows a general overview of how this could be set up. Your SQL database server and the mail server can also be on the internal network if it is already set up this way. In this case some additional ports will need to be opened up on the internal firewall to allow for this. The mail server ports will depend on the method of connection. Please see the additional port list at the bottom of the page.


Additional ports required depending on server configurations:

  • SQL server - port 1433
  • POP3 - port 110
  • IMAP - port 143
  • SMTP - port 25 (for all notifications)
  • HTTP - port 80 (for Exchange mode email)
  • HTTPS - port 443 (for Exchange mode email)
  • SMTP (SSMTP) - port 465
  • Secure IMAP (IMAP4-SSL) - port 585
  • IMAP4 over SSL (IMAPS) - port 993
  • Secure POP3 (SSL-POP) - port 995