Making unique URL - internal and external

In a previous post, Karl kindly suggested that I could change the internal name servers to serve up a different IP address to accommodate requests from users that need to hit http://mysite.compay.com (from the Internet) and http://mysite from the intranet. I want users to type only one common link regardless if they are inside or outside the network.

In order to accommodate such a scenario, should I create a Zone on the internal DNS servers that is then going to accommodate mysite.company.com? And then use the respective IP address specified under that zone in my IIS site?

> I think an easier solution would be to change your internal name servers to serve up a different IP address for the same site.company.com domain name. Then both virtual sites on your server can use the same cert, or if you prefer, you can have a second virtual server that is unencrypted for internal users but that uses the same host name and URL.
>
> In fact, I think doing that [configuring your internal name servers with different internal IP address / name resolution via "split DNS"] is a requirement. If you don't do that, your host headers idea won't work, and if you do do that, I think you don't need to use host headers. Unless I'm not thinking clearly, I think host headers are irrelevant to this solution.
>
> Another solution would be to stand up your own Windows 2003 cert server, issue a cert for the internal web server, and configure all the internal web browsers to trust your new CA. Not as easy, but it is a solution.
>
>> 2. Assuming such SharePoint contains no critically sensitive content to internal users (and it will require Windows authentication to get to it anyway), you agree that this implementation without SSL for the internal users is a practical and common one?
>
> It is common, but then again implementing poor security practices is also common. Whether this is safe enough is entirely up to you. Do note that Windows authentication through IIS is not strongly encrypted [I think it may be even easier to crack than typical Windows networking authentication], and that basic authentication with SSL is more secure. However, on a Windows network, you will often have plenty of more or less insecure Windows password hashes flying around the network.
>
>> 3. For the users accessing this from the Internet, do you think the idea of doing the redirection from http to https but not doing that for the internal users (internally, only http would work) won't cause confusion?
>
> It shouldn't cause too much confusion. I would mainly be concerned about confusion when someone emails an internal link to an external user or vice versa, or is using a laptop that travels in and out of your network, or is accessing an internal link in their internal email from a home computer. It is possible to write a script that makes all of these links redirect automatically, if you wish. Or, you could just go ahead and implement HTTPS internally so that the links are identical.
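Karl's third option above (a private CA that issues a cert for the internal web server, with the browsers told to trust that CA) can be sketched with OpenSSL. The script below is an added example, not configuration from this thread; Windows 2003 Certificate Services would do the same job through its own console. The host name mysite.company.com, the CA name and the lifetimes are placeholders. The point it shows is that the certificate must carry the shared host name in its subjectAltName, because browsers match the name there rather than in the CN, and that the internal CA certificate is what has to be distributed to the clients.

```shell
#!/bin/sh
# Added example, not the thread's own configuration: a private CA that issues
# a certificate for the shared host name, so browsers that trust the CA accept
# HTTPS on the internal copy of the site. Host name and CA name are placeholders.
set -eu

SITE_NAME="mysite.company.com"   # assumed: the common URL from the thread
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# 1. The internal CA: a self-signed certificate marked as a CA. An explicit
#    config file keeps the result independent of the system openssl.cnf.
make_ca() {
    cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORKDIR/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# 2. The web server's key and signing request for the shared host name.
make_csr() {
    cat > "$WORKDIR/site.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $SITE_NAME
[v3_req]
subjectAltName = DNS:$SITE_NAME
EOF
    openssl req -new -config "$WORKDIR/site.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/site.key" -out "$WORKDIR/site.csr" 2>/dev/null
}

# 3. Sign with the CA. "openssl x509 -req" does not copy extensions from the
#    CSR, so the SAN is restated here; browsers match the host name against
#    the SAN, not the CN.
issue_cert() {
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
        "$SITE_NAME" > "$WORKDIR/site.ext"
    openssl x509 -req -in "$WORKDIR/site.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 397 -sha256 \
        -extfile "$WORKDIR/site.ext" -out "$WORKDIR/site.crt" 2>/dev/null
}

# 4. The check a browser that trusts ca.crt performs: the certificate chains
#    to the CA and carries the name being visited. Prints OK or FAIL.
verify_cert() {
    if openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$1" \
            "$WORKDIR/site.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_ca && make_csr && issue_cert
printf 'chain and name check for %s: %s\n' "$SITE_NAME" "$(verify_cert "$SITE_NAME")"
printf 'chain and name check for %s: %s\n' "other.company.com" "$(verify_cert other.company.com)"
```

ca.crt is the file that goes out to the internal browsers' trusted root store; ca.key stays on the CA machine. The second verify call shows why the SAN matters: the same certificate is rejected for any host name it does not list, which is exactly what a client will do if the internal and external URLs ever diverge.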
On Fri, 3 Jun 2005 23:52:30 -0700, "Magoo" <nospammagoo@hotmail.com> wrote:

> In a previous post, Karl kindly suggested that I could change the internal name servers to serve up a different IP address to accommodate requests from users that need to hit http://mysite.compay.com (from the Internet) and http://mysite from the intranet. I want users to type only one common link regardless if they are inside or outside the network.
>
> In order to accommodate such a scenario, should I create a Zone on the internal DNS servers that is then going to accommodate mysite.company.com? And then use the respective IP address specified under that zone in my IIS site?

Since that's exactly what Karl suggested, and exactly what you should do, yes. If you have trouble with the DNS configuration, try the DNS group related to the version you use.

Jeff
"Magoo" <nospammagoo@hotmail.com> wrote in message news:uHYf7HNaFHA.2496@TK2MSFTNGP14.phx.gbl...

> In a previous post, Karl kindly suggested that I could change the internal name servers to serve up a different IP address to accommodate requests from users that need to hit http://mysite.compay.com (from the Internet) and http://mysite from the intranet. I want users to type only one common link regardless if they are inside or outside the network.
>
> In order to accommodate such a scenario, should I create a Zone on the internal DNS servers that is then going to accommodate mysite.company.com? And then use the respective IP address specified under that zone in my IIS site?

If you have internal name servers to serve up name requests, then yes, this is how I would do this. It could be a new zone in DNS, or if that causes problems for you, it could also be static host names in WINS, and point your DNS server, if any, to the WINS server for lookups. It could even be an entry in the hosts files on all your computers, although this gets hard to manage in large environments.

The main issue with adding a new zone to your DNS servers is that I believe you need to add host names for all of the hosts that your internal clients would ever want to look up in that zone. If you created a new zone with just the one entry for mysite.company.com, I think your DNS server would start returning "hostname not found" for any other hostnames your clients tried to look up in that zone, such as mailserver.company.com or mysite2.company.com. Once there is a zone there, I do not believe your DNS server will resolve names for any hosts that should be in that zone but your DNS server is not aware of. [In other words, your DNS server will assume it is authoritative for that zone and will not double-check with the Internet DNS servers on the Forwarders tab to see if they know of any other hosts in that zone.]
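Karl's warning about the new zone being authoritative can be modelled in a few lines of shell. This is an added example, not a configuration from the thread: it stands in for the Windows DNS server with constructed records (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges, 10.0.0.5 is the assumed private address of the internal site) and shows that an internal company.com zone holding only mysite answers NXDOMAIN for mailserver.company.com, while a zone that also carries copies of the other public records does not. The missing_from_zone check is the list an administrator would want in hand before creating the zone.

```shell
#!/bin/sh
# Added model of a split-DNS internal server (not the thread's own setup).
# All names and addresses below are constructed for the example.

ZONE_NAME="company.com"

# What the Internet DNS servers (the "Forwarders") know. Constructed.
PUBLIC_RECORDS="mysite.company.com 203.0.113.10
mailserver.company.com 203.0.113.25
mysite2.company.com 203.0.113.11
www.example.net 198.51.100.7"

# Internal zone as the question proposes: just the one record.
ZONE_ONE_RECORD="mysite.company.com 10.0.0.5"

# Internal zone done properly: the private address for mysite plus a copy of
# every other public name that lives in the zone.
ZONE_FULL="mysite.company.com 10.0.0.5
mailserver.company.com 203.0.113.25
mysite2.company.com 203.0.113.11"

# lookup TABLE NAME: print the address recorded for NAME, or nothing.
lookup() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2; exit }'
}

# in_zone NAME: true when NAME is the zone apex or a name beneath it.
in_zone() {
    case "$1" in
        "$ZONE_NAME" | *."$ZONE_NAME") return 0 ;;
        *) return 1 ;;
    esac
}

# resolve_internal ZONE NAME: what an internal client gets. The server treats
# itself as authoritative for ZONE_NAME, so a name under it that is missing
# from ZONE is answered NXDOMAIN without asking the forwarders; only names
# outside the zone are forwarded to the public records.
resolve_internal() {
    if in_zone "$2"; then
        answer=$(lookup "$1" "$2")
    else
        answer=$(lookup "$PUBLIC_RECORDS" "$2")
    fi
    if [ -n "$answer" ]; then
        printf '%s\n' "$answer"
    else
        printf 'NXDOMAIN\n'
    fi
}

# missing_from_zone ZONE: public names under ZONE_NAME that ZONE lacks, i.e.
# the names that stop resolving for internal clients once the zone exists.
missing_from_zone() {
    printf '%s\n' "$PUBLIC_RECORDS" | awk '{ print $1 }' | while read -r name; do
        if in_zone "$name" && [ -z "$(lookup "$1" "$name")" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Demonstration output when run directly.
for name in mysite.company.com mailserver.company.com www.example.net; do
    printf '%-24s one-record zone: %-12s full zone: %s\n' "$name" \
        "$(resolve_internal "$ZONE_ONE_RECORD" "$name")" \
        "$(resolve_internal "$ZONE_FULL" "$name")"
done
printf 'names the one-record zone would break: %s\n' \
    "$(missing_from_zone "$ZONE_ONE_RECORD" | tr '\n' ' ')"
```

The model also shows the part that does not change: www.example.net is outside the zone and is still forwarded either way, so the damage from a half-populated zone is confined to the company's own names, which is precisely where it is least likely to be noticed until mail or a second site stops working.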