Re: Providing Intranet Website Access To External Users
From: Gabriel Orozco (gabriel_orozco_at_mx.sumida.com)
Date: 02/07/05
To: "rusty chiles" <rustychiles@gmail.com>, <security-basics@securityfocus.com>
Date: Mon, 7 Feb 2005 13:09:50 -0600
I would install a reverse proxy, like Apache, that just connects to the internal
web server, and have the firewall filter all other traffic.
----- Original Message -----
From: "rusty chiles" <rustychiles@gmail.com>
To: <security-basics@securityfocus.com>
Sent: Friday, February 04, 2005 6:16 PM
Subject: Providing Intranet Website Access To External Users
> Greetings,
>
> I'm asking for recommendations with the following scenario:
>
> We have an internal intranet site. Users are authenticated using their
> NT credentials.
>
> We need to provide the site externally, translate the internal links
> to external links, and still pass their NT credentials to the website.
>
> MGMT wants to do this without VPN, or any other 3rd-party software on
> the client's computer.
>
> The goal here is a single user sign on, so that the end user is
> presented with the same experience at home as they are at work.
>
> We WILL use SSL to protect the transportation of the userid and password.
>
> The web server is IIS on Windows 2003.
>
> The web server will be in the DMZ, and only port 443 will be allowed
> from the outside world.
>
> The problem is that the web server in the DMZ will need to have the ability
> to talk to the domain controller, as well as a SQL server.
>
> I prefer my resources be separated, and never have internal servers
> traverse the DMZ, but in this case that is not possible due to a
> dependency on the website having tight integration with Active
> Directory resources.
>
> We could put a SQL box in the DMZ, but a domain controller... I
> don't feel comfortable doing that. One box in the DMZ is compromised,
> then the DC is open to direct attack.
>
> If the box talks from the DMZ to the internal domain controller, we
> can ACL the traffic so that it only talks over limited port numbers;
> however, there is still some risk involved (which we may have to
> accept).
>
> What experience have members of this list had with publishing their
> intranets to the internet in a secure manner?
>
> What has worked reliably, and still provided solid security?
>
> I've considered an SSL VPN type portal, ISA Server, and the like as
> well as several forwarding proxies, but am not 100% comfortable with
> any of the solutions I have seen thus far.
>
> Any recommendations list members can make will be helpful to us.
>
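
A sketch of the reverse-proxy layout suggested in the reply, written for Apache httpd 2.4 and matched to the requirements in the quoted question (only 443 exposed, internal links translated to external ones). This is an added example, not part of the original thread: the hostnames, certificate paths and CA file are constructed placeholders. Authentication is left to IIS, which assumes the site accepts a scheme that works across an HTTP proxy hop, since NTLM authenticates the underlying connection.

```apache
# Constructed example: all hostnames and file paths below are placeholders.
# Modules needed: mod_ssl, mod_proxy, mod_proxy_http, mod_headers,
# and mod_proxy_html (with mod_xml2enc) for link rewriting.
<VirtualHost *:443>
    ServerName intranet.example.com

    # TLS terminates on the proxy in the DMZ; the firewall admits only 443.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/intranet.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.com.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Re-encrypt to the internal IIS server and verify its certificate,
    # so the DMZ-to-internal hop is authenticated as well as encrypted.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem

    # The proxy is the only DMZ host that talks to the internal web server.
    ProxyPass        / https://intranet.corp.example/
    ProxyPassReverse / https://intranet.corp.example/

    # Rewrite the cookie domain so session cookies match the external name.
    ProxyPassReverseCookieDomain intranet.corp.example intranet.example.com

    # Translate absolute internal links in HTML bodies to external ones.
    ProxyHTMLEnable On
    ProxyHTMLURLMap https://intranet.corp.example/ /
    ProxyHTMLURLMap http://intranet.corp.example/  /

    # Request uncompressed responses so mod_proxy_html can parse them.
    RequestHeader unset Accept-Encoding
</VirtualHost>
```

With this layout the firewall between the DMZ and the internal network needs a single rule: the proxy host to the internal web server on 443. The domain controller and SQL server stay reachable only from the internal web server.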