iis security:
We have a set of 4 servers running our external web system. These machines are NOT on our domain for security and performance reasons. We have a separate (5th) machine which runs our local office network, Active Directory, etc.

Normally, we've had no problem keeping this particular intranet site internal, and hence IP security was fine. However, we have now recently merged with another company, and some of our staff have migrated to the other office. We do not have any plans to establish a VPN, because aside from this site, we have no need to share data.

The staff that have moved to the other office will still be maintained in our Active Directory, and have internet access. So the plan was to open this site up and remove IP restrictions, and use an access control list instead. My plan, hopefully, is to use Active Directory and a combination of Windows auth & basic auth.

Windows auth will allow the people in this office to continue seamlessly accessing the site, and basic auth would allow the staff who move to log in with a password.

It seems if the Active Directory & IIS were on the one machine, or indeed, even in the domain together, this would not be a problem. But they are not... Does anyone know of a way to get IIS on one non-domain machine to use the ACL from an Active Directory?

Thanks in advance for any advice!
On Feb 15, 3:25 pm, vidgu...@gmail.com wrote:
> [...]
Or alternatively, a combination of Basic Auth and IP Restrictions? I.e., can I set it up to:
If IP is 10.100.*.*, grant access
*AND*
If not, use basic auth, rather than flat out deny.
This way we could just have a single user/pass for external access. (This level of security would be fine, even tho it does not provide user logging/tracking.)
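The either/or rule asked for above (let 10.100.*.* straight in, otherwise challenge for Basic credentials instead of denying) written out as request-handling logic. This is an added editorial example, not code from the thread: IIS applies IP restrictions and authentication as separate checks that must both pass, so a rule like this has to live in application code or a custom filter/module. The network, user name, salt and password below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import ipaddress
# Constructed placeholders for the thread's scenario: office clients on
# 10.100.*.* need no credential, everyone else presents Basic auth.
TRUSTED_NET = ipaddress.ip_network("10.100.0.0/16")
EXTERNAL_USER = "external"
SALT = b"constructed-salt"   # placeholder; generate a random salt per deployment
# Store a salted PBKDF2 hash of the shared password, never the password itself.
EXTERNAL_PW_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)

def basic_header(user, password):
    # Build an 'Authorization: Basic' value; used to construct sample requests.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password) from a Basic header value, or None if malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def check_password(user, password):
    # Compare hashes in constant time so a wrong guess leaks no timing signal.
    if user != EXTERNAL_USER:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, EXTERNAL_PW_HASH)

def authorize(client_ip, auth_header, is_tls):
    """Return 200 (allow), 401 (challenge for credentials) or 403 (deny). client_ip
    must be the TCP peer address, not X-Forwarded-For, which a remote client could forge."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return 403
    if ip in TRUSTED_NET:
        return 200      # office network: allow without credentials
    if not is_tls:
        return 403      # Basic credentials travel in cleartext; require HTTPS
    creds = parse_basic(auth_header)
    if creds and check_password(*creds):
        return 200
    return 401          # challenge for credentials rather than flat deny
```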
On Feb 15, 3:28 pm, vidgu...@gmail.com wrote:
> [...]
While I'm still interested in a solution to do it as mentioned above (i.e., keeping the same name), I have found and implemented a temporary solution by redirecting external requests through to the other server. This isn't ideal, but it works for now. :) Thanks
If your webserver is not in the domain it cannot make use of the domain's accounts and ACL based on them (short of trusts, or some form of mapping such as from a local ADAM+code or from use of ADFS - all of which seem out of scope for your situation).

Question: if the intranet web was isolated to protect the internal domain, the intranet web content, etc. but now the decision has been made to break down that barrier (AD accounts used over the internet to access the intranet web), perhaps it is time to rethink whether there is any longer advantage to not having a domain joined webserver hanging on the outside (well protected of course, such as by allowing only tcp 80/443 with external IPs and allowing authenticated access only).

<vidguide@gmail.com> wrote in message news:1171516025.480815.302310@p10g2000cwp.googlegroups.com...
> [...]
On Feb 16, 1:29 pm, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
> [...]
The web server serves a number of web-based applications; this is unfortunately only one of the 4 applications that it serves (all use the single datasource tho, so they can't be easily separated). I understand what you're saying, and it could definitely work, but unfortunately it is outside of my power to make those changes. I believe the solution listed will do me for now; I was just wondering if it could have been done, given the situation.