Your opinion on SSL and common URL to access site from internal and external

I have a Sharepoint site published on ISA 2004. Requirement is let users that access this from the Internet and intranet use just one URL.

Currently, on the Internet users are able to connect to my company site using:
http://site.company.com
(I terminate the SSL on ISA, and I can make a redirection from http to https)
DNS 'external'=company.com

Then "internal" users should get to the site by doing:
http://site
DNS internal = tis.company.com

(no SSL is configured on the sharepoint/web server itself. The reason I don't configure SSL on the webserver is because when accessing the webserver from the internal network, the FQDN of the domain for which the cert was issued wouldn't match http://site and users would get a pop up window.)

Questions:
1. In this case can I use host headers on the IIS-sharepoint server or other alternative to make my internal users also use http://site.company.com and get to the internal site just fine?
2. Assuming such sharepoint contains no critically sensitive content to internal users (and it will require Windows authentication to get to it anyway), you agree that this implementation without SSL for the internal users is a practical and common one?
3. For the users accessing this from the Internet, do you think the idea of doing the redirection from http to https but not doing that for the internal users (internally, only http would work) won't cause confusion?

Any suggestions on how to make this internal and external link common is appreciated.

"Magoo" <nospammagoo@hotmail.com> wrote in message news:eycAJX%23ZFHA.3032@TK2MSFTNGP10.phx.gbl...
> I have a Sharepoint site published on ISA 2004. Requirement is let users
> that access this from the Internet and intranet use just one URL.
>
> Currently, on the Internet users are able to connect to my company site
> using:
> http://site.company.com
> (I terminate the SSL on ISA, and I can make a redirection from http to
> https)
> DNS 'external'=company.com
>
> Then "internal" users should get to the site by doing:
> http://site
> DNS internal = tis.company.com
>
> (no SSL is configured on the sharepoint/web server itself. The reason I
> don't configure SSL on the webserver is because when accessing the webserver
> from the internal network, the FQDN of the domain for which the cert was
> issued wouldn't match http://site and users would get a pop up window.)
>
> Questions:
> 1. In this case can I use host headers on the IIS-sharepoint server or other
> alternative to make my internal users also use http://site.company.com and
> get to the internal site just fine?

I think an easier solution would be to change your internal name servers to serve up a different IP address for the same site.company.com domain name. Then both virtual sites on your server can use the same cert, or if you prefer, you can have a second virtual server that is unencrypted for internal users but that uses the same host name and URL.

In fact, I think doing that [configuring your internal name servers with different internal IP address / name resolution via "split DNS"] is a requirement. If you don't do that, your host headers idea won't work, and if you do do that, I think you don't need to use host headers. Unless I'm not thinking clearly, I think host headers is irrelevant to this solution.

Another solution would be to stand up your own Windows 2003 cert server, issue a cert for the internal web server, and configure all the internal web browsers to trust your new CA. Not as easy, but it is a solution.

> 2. Assuming such sharepoint contains no critically sensitive content to
> internal users (and it will require Windows authentication to get to it
> anyway), you agree that this implementation without SSL for the internal
> users is a practical and common one?

It is common, but then again implementing poor security practices is also common. Whether this is safe enough is entirely up to you. Do note that Windows authentication through IIS is not strongly encrypted [I think it may be even easier to crack than typical windows networking authentication], and that basic authentication with SSL is more secure. However, on a Windows network, you will often have plenty of more or less insecure Windows password hashes flying around the network.

> 3. For the users accessing this from the Internet, do you think the idea of
> doing the redirection from http to https but not doing that for the internal
> users (internally, only http would work) won't cause confusion?

It shouldn't cause too much confusion. I would mainly be concerned about confusion when someone emails an internal link to an external user or vice versa, or is using a laptop that travels in and out of your network, or is accessing an internal link in their internal email from a home computer. It is possible to write a script that makes all of these links redirect automatically, if you wish. Or, you could just go ahead and implement HTTPS internally so that the links are identical.

Karl, you rule! Thanks.

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message news:uWdgZMDaFHA.1940@TK2MSFTNGP10.phx.gbl...
>
> "Magoo" <nospammagoo@hotmail.com> wrote in message
> news:eycAJX%23ZFHA.3032@TK2MSFTNGP10.phx.gbl...
> > I have a Sharepoint site published on ISA 2004. Requirement is let users
> > that access this from the Internet and intranet use just one URL.
> >
> > Currently, on the Internet users are able to connect to my company site
> > using:
> > http://site.company.com
> > (I terminate the SSL on ISA, and I can make a redirection from http to
> > https)
> > DNS 'external'=company.com
> >
> > Then "internal" users should get to the site by doing:
> > http://site
> > DNS internal = tis.company.com
> >
> > (no SSL is configured on the sharepoint/web server itself. The reason I
> > don't configure SSL on the webserver is because when accessing the webserver
> > from the internal network, the FQDN of the domain for which the cert was
> > issued wouldn't match http://site and users would get a pop up window.)
> >
> > Questions:
> > 1. In this case can I use host headers on the IIS-sharepoint server or other
> > alternative to make my internal users also use http://site.company.com and
> > get to the internal site just fine?
>
> I think an easier solution would be to change your internal name servers to
> serve up a different IP address for the same site.company.com domain name.
> Then both virtual sites on your server can use the same cert, or if you
> prefer, you can have a second virtual server that is unencrypted for
> internal users but that uses the same host name and URL.
>
> In fact, I think doing that [configuring your internal name servers with
> different internal IP address / name resolution via "split DNS"] is a
> requirement. If you don't do that, your host headers idea won't work, and
> if you do do that, I think you don't need to use host headers. Unless I'm
> not thinking clearly, I think host headers is irrelevant to this solution.
>
> Another solution would be to stand up your own Windows 2003 cert server,
> issue a cert for the internal web server, and configure all the internal web
> browsers to trust your new CA. Not as easy, but it is a solution.
>
> > 2. Assuming such sharepoint contains no critically sensitive content to
> > internal users (and it will require Windows authentication to get to it
> > anyway), you agree that this implementation without SSL for the internal
> > users is a practical and common one?
>
> It is common, but then again implementing poor security practices is also
> common. Whether this is safe enough is entirely up to you. Do note that
> Windows authentication through IIS is not strongly encrypted [I think it may
> be even easier to crack than typical windows networking authentication], and
> that basic authentication with SSL is more secure. However, on a Windows
> network, you will often have plenty of more or less insecure Windows
> password hashes flying around the network.
>
> > 3. For the users accessing this from the Internet, do you think the idea of
> > doing the redirection from http to https but not doing that for the internal
> > users (internally, only http would work) won't cause confusion?
>
> It shouldn't cause too much confusion. I would mainly be concerned about
> confusion when someone emails an internal link to an external user or vice
> versa, or is using a laptop that travels in and out of your network, or is
> accessing an internal link in their internal email from a home computer. It is
> possible to write a script that makes all of these links redirect
> automatically, if you wish. Or, you could just go ahead and implement HTTPS
> internally so that the links are identical.
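
The redirect script mentioned in the reply above, sketched as an added example (not code from the thread or from ISA or IIS). It assumes the host names from the thread (`site` and `site.company.com`), a Python WSGI front end, and that the scheme seen by the script is the one the client actually used; `canonical_location` and `canonicalize` are hypothetical names.

```python
from urllib.parse import urlunsplit

# Names taken from the thread; the alias list is an assumption of this example.
CANONICAL_HOST = "site.company.com"
ALIASES = {"site", "site.company.com"}


def canonical_location(scheme, host_header, path, query=""):
    """Return the https URL to redirect to, or None when no redirect applies.

    The Host header is client-controlled, so it is only compared against a
    fixed allow-list and never copied into the Location header.
    """
    host = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    if host not in ALIASES:
        return None  # unknown name: do not reflect it into a redirect
    if scheme == "https" and host == CANONICAL_HOST:
        return None  # already canonical, avoid a redirect loop
    if not path.startswith("/"):
        path = "/" + path
    return urlunsplit(("https", CANONICAL_HOST, path, query, ""))


def canonicalize(inner_app):
    """WSGI middleware: 301 alias or plain-http requests to the canonical URL.

    Behind an SSL-terminating proxy, wsgi.url_scheme must reflect what the
    client used, otherwise every request looks like http and loops.
    """
    def wrapper(environ, start_response):
        target = canonical_location(
            environ.get("wsgi.url_scheme", "http"),
            environ.get("HTTP_HOST", ""),
            environ.get("PATH_INFO", "/"),
            environ.get("QUERY_STRING", ""),
        )
        if target is None:
            return inner_app(environ, start_response)
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
    return wrapper
```

With split DNS in place so that `site.company.com` resolves internally, a link mailed as `http://site/...` and one mailed as `https://site.company.com/...` end up at the same URL, and the certificate name matches in both cases.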