Karl, you rule! Thanks.
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:uWdgZMDaFHA.1940@TK2MSFTNGP10.phx.gbl...
>
> "Magoo" <nospammagoo@hotmail.com> wrote in message
> news:eycAJX%23ZFHA.3032@TK2MSFTNGP10.phx.gbl...
> > I have a Sharepoint site published on ISA 2004. Requirement is let users
> > that access this from the Internet and intranet use just one URL.
> >
> > Currently, on the Internet users are able to connect to my company site
> > using:
> >
> > http://site.company.com
> > (I terminate the SSL on ISA, and I can make a redirection from http to
> > https)
> > DNS 'externa'=company.com
> >
> > Then "internal" users should get to the site by doing:
> > http://site
> > DNS internal = tis.company.com
> >
> > (no SSL is configured on the sharepoint/web server itself. The reason I
> > don't configure SSL on the webserver is because when accessing the
> > webserver from the internal network, the FQDN of the domain for which the
> > cert was issued wouldn't match http://site and users would get a pop up
> > window.)
> >
> > Questions:
> > 1. In this case can I use host headers on the IIS-sharepoint server or
> > other alternative to make my internal users also use
> > http://site.company.com and get to the internal site just fine?
>
> I think an easier solution would be to change your internal name servers
> to serve up a different IP address for the same site.company.com domain
> name.
> Then both virtual sites on your server can use the same cert, or if you
> prefer, you can have a second virtual server that is unencrypted for
> internal users but that uses the same host name and URL.
>
> In fact, I think doing that [configuring your internal name servers with
> different internal IP address / name resolution via "split DNS"] is a
> requirement. If you don't do that, your host headers idea won't work, and
> if you do do that, I think you don't need to use host headers. Unless I'm
> not thinking clearly, I think host headers is irrelevant to this solution.
>
> Another solution would be to stand up your own Windows 2003 cert server,
> issue a cert for the internal web server, and configure all the internal
> web browsers to trust your new CA. Not as easy, but it is a solution.
>
> > 2. Assuming such sharepoint contains no critically sensitive content to
> > internal users (and it will require Windows authentication to get to it
> > anyway), you agree that this implementation without SSL for the internal
> > users is a practical and common one?
>
> It is common, but then again implementing poor security practices is also
> common. Whether this is safe enough is entirely up to you. Do note that
> Windows authentication through IIS is not strongly encrypted [I think it
> may be even easier to crack than typical windows networking
> authentication], and that basic authentication with SSL is more secure.
> However, on a Windows network, you will often have plenty of more or less
> insecure Windows password hashes flying around the network.
>
> > 3. For the users accessing this from the Internet, do you think the idea
> > of doing the redirection from http to https but not doing that for the
> > internal users (internally, only http would work) won't cause confusion?
>
> It shouldn't cause too much confusion. I would mainly be concerned about
> confusion when someone emails an internal link to an external user or vice
> versa, or is using a laptop that travels in and out of your network, or is
> accessing an internal link in their internal email from a home computer.
> It is possible to write a script that makes all of these links redirect
> automatically, if you wish. Or, you could just go ahead and implement
> HTTPS internally so that the links are identical.
>
>
>
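Added illustration of Karl's split DNS point and the name-mismatch pop-up from question 1 (my own example, not code from anyone in this thread). The certificate dict, the addresses and the two DNS views are constructed, and the hostname check is a simplified RFC 6125 match.

```python
import ipaddress

# Constructed: a certificate issued for site.company.com, in the dict shape
# that ssl.SSLSocket.getpeercert() returns.
CERT = {
    "subject": ((("commonName", "site.company.com"),),),
    "subjectAltName": (("DNS", "site.company.com"),),
}

# Constructed split-DNS views: internal resolvers answer with the LAN address
# of the SharePoint box, external resolvers with ISA's public listener.
DNS_VIEWS = {
    "internal": {"site.company.com": "10.1.1.20", "site": "10.1.1.20"},
    "external": {"site.company.com": "203.0.113.10"},
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def _label_match(pattern, host):
    """RFC 6125-style match: labels equal, '*' only as the leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or not p[0]:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def hostname_matches(cert, hostname):
    """True when the certificate names hostname (SAN dNSName, else CN)."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return any(_label_match(s, hostname) for s in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _label_match(value, hostname)
    return False

def resolve(client_ip, hostname):
    """Answer the way the client's DNS view (internal or external) would."""
    inside = any(ipaddress.ip_address(client_ip) in n for n in INTERNAL_NETS)
    return DNS_VIEWS["internal" if inside else "external"].get(hostname)

def browser_outcome(client_ip, hostname):
    """(resolved address, name-mismatch warning?) for https://hostname/ ."""
    addr = resolve(client_ip, hostname)
    warning = addr is not None and not hostname_matches(CERT, hostname)
    return addr, warning
```

With split DNS in place an internal user typing https://site.company.com/ reaches 10.1.1.20 with no warning, while the short name `site` reaches the same box but trips the name check, which is exactly the pop-up the original post wanted to avoid.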