In a previous post, Karl kindly suggested that I could change the internal
name servers to serve up a different IP address to accomodate requests from
users that need to hit
http://mysite.compay.com (from the Internet) and
http://mysite from the intranet.
I want users to type only one common link regardless if they are inside or
outside the network.
In order to accomodate such scenario, should I create a Zone on the internal
DNS servers then that is going to accomodate such mysite.company.com ? That
I would use the respective IP address specified under that zone in my IIS -
site ?
I think an easier solution would be to change your internal name servers to
serve up a different IP address for the same site.company.com domain name.
Then both virtual sites on your server can use the same cert, or if you
prefer, you can have a second virtual server that is unencrypted for
internal users but that uses the same host name and URL.
In fact, I think doing that [configuring your internal name servers with
different internal IP address / name resolution via "split DNS"] is a
requirement. If you don't do that, your host headers idea won't work, and
if you do do that, I think you don't need to use host headers. Unless I'm
not thinking clearly, I think host headers is irrelevant to this solution.
Another solution would be to stand up your own Windows 2003 cert server,
issue a cert for the internal web server, and configure all the internal web
browsers to trust your new CA. Not as easy, but it is a solution.
[quoted text, click to view] > 2. Assuming such sharepoint contains no critically sensitive content to
> internal users (and it will require Windows authentication to get to it
> anyway), you agree that this implementation without SSL for the internal
> users are a practical and common one ?
It is common, but then again implementing poor security practices is also
common. Whether this is safe enough is entirely up to you. Do note that
Windows authentication through IIS is not strongly encrypted [I think it may
be even easier to crack than typical windows networking authentication], and
that basic authentication with SSL is more secure. However, on a Windows
network, you will often have plenty of more or less insecure Windows
password hashes flying around the network.
[quoted text, click to view] > 3. For the users accessing this from the Internet, do you think the idea
of
> doing the redirection from http to https but not doing that for the
internal
> users (internally, only http would work) won't cause confusion ?
It shouldn't cause too much confusion. I would mainly be concerned about
confusion when someone emails an internal link to an external user or vice
versa, or is using a laptop that travels in and out of your network, or is
accessing an internal link their internal email from a home computer. It is
possible to write a script that makes all of these links redirect
automatically, if you wish. Or, you could just go ahead and implement HTTPS
internally so that the links are identical.
