A variation of this is something I tend to do. Configure your webserver so that it will work inside or outside the firewall and install an additional network card in it. Configure that second NIC to be on a private network (10.10.10.0 for example), then configure your database to sit on that private network as well. Plug the second NIC on your webserver and your DB into a hub/switch, and configure them to talk to each other over that *private* link. (Further security could be added by only allowing the DB to talk to the IP address of the second NIC on the webserver.)

With this method, the DB doesn't care whether or not it's in front of or behind a firewall, and since the webserver and the DB talk over a private link, the webserver doesn't care either. The DB can always be reached on that private network whether or not there's a firewall in front of the public IP address of the webserver, and the webserver more or less acts as a firewall between the DB and the internet. You'll also see an improvement in speed between the DB and the webserver since they're on a dedicated link with each other. :)

Again, just my preference. If anything is unclear or you have questions, feel free to shout :)

.djc.

J. Blanchard wrote:
> Or third, we could establish a data server outside of the firewall with the web server, replicate needed items from inside the firewall for the database, and create a subnet between the servers.