I am currently working on a project and we are trying to overcome some
issues with our network security setup. Basically we want to have database
and application servers on the protected side of a firewall supply data to a
web server on the exposed side of the firewall.

The IT group isn't comfortable with opening a direct port from the web
server to the application and database servers. The firewall is set up so
connections can only be initiated from the protected side of the firewall -
all outside requests are dropped unless they are in response to an internal
request.

We are trying to figure out how to let the web server talk to the database
server without compromising security. The web server can't request data
through the firewall and we don't want to have the app server constantly
polling the web server to find out if it needs data (or has data that needs
to be pulled inside the firewall).

Here's our idea - I'm curious if anyone knows if it will work. We have just
started researching it and haven't tried to implement it.

Might it be possible to have the app server use a web service on the web
server to pass a delegate to a method of an object that resides on the app
server? I realize that sentence might be hard to parse so I will explain it
more.

The web server could run a web service - perhaps like
GimmeADelegate(d as Delegate).
The app server could create an instance of our data access class.
The app server then creates a delegate to an ExecuteSQL method on the class.
The app server then passes the delegate to the web server's GimmeADelegate.
When the web server needs to execute SQL it could use d.invoke(sql).

Two questions:
Is it possible to pass a delegate over the internet and have it invoke a
method on the local system?
If it is possible, is it through the same TCP/IP connection such that a
firewall will think it originated on the safe side?

Sorry for the lengthy post; if it was a simple question I wouldn't bother to
ask it. I realize the only way to find out might be to try it - I was just
trying to save some development time on the off chance that someone else has
tried something like this.

Steve Hiner
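
An added example, not part of the original post: a sketch of the connection direction the second question asks about, using plain TCP sockets and JSON lines in Python rather than .NET web services or delegates. The protected side dials out, and every request and reply then travels on that one connection. The names `handle_request`, `app_server`, `demo` and the `order_status` query are hypothetical, both ends run on loopback, and the protected side accepts only allowlisted query names instead of the SQL text the post proposes to pass.

```python
import json
import socket
import threading

# Constructed allowlist: the web tier names a query and its parameters, never SQL text.
ALLOWED_QUERIES = {
    "order_status": lambda p: {"order_id": int(p["order_id"]), "status": "shipped"},
}

def handle_request(line: bytes) -> bytes:
    """Protected side: run a request only if it names an allowlisted query."""
    try:
        req = json.loads(line)
        handler = ALLOWED_QUERIES.get(req["query"])
        if handler is None:
            resp = {"error": "query not allowed"}
        else:
            resp = {"result": handler(req["params"])}
    except (ValueError, KeyError, TypeError):
        resp = {"error": "bad request"}
    return json.dumps(resp).encode() + b"\n"

def app_server(web_addr):
    """Protected side: dial OUT to the web server, then answer requests on that socket."""
    with socket.create_connection(web_addr) as conn, conn.makefile("rb") as rf:
        for line in rf:  # each line is one request pushed down by the web server
            conn.sendall(handle_request(line))

def demo():
    """Exposed side: listens only, then sends requests over the accepted connection."""
    with socket.create_server(("127.0.0.1", 0)) as listener:
        inside = threading.Thread(target=app_server, args=(listener.getsockname(),))
        inside.start()
        conn, _ = listener.accept()
        replies = []
        with conn, conn.makefile("rb") as rf:
            for req in ({"query": "order_status", "params": {"order_id": 7}},
                        {"query": "DROP TABLE orders"}):  # raw SQL is refused
                conn.sendall(json.dumps(req).encode() + b"\n")
                replies.append(json.loads(rf.readline()))
    inside.join(timeout=5)
    return replies

if __name__ == "__main__":
    print(demo())
```

A web server compromised in this arrangement can still call anything on the allowlist, so the allowlist is what bounds the exposure of the database.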