|
Home > Archive > IIS Server Security > June 2005 > Your opinion on SSL and common URL to access site from internal and external
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Your opinion on SSL and common URL to access site from internal and external
|
|
|
| I have a Sharepoint site published on ISA 2004. Requirement is let users
that access this from the Internet and intranet use just one URL.
Currently, on the Internet users are able to connect to my company site
using:
http://site.company.com
(I terminate the SSL on ISA, and I can make a redirection from http to
https)
DNS 'externa'=company.com
Then "internal" users should get to the site by doing:
http://site
DNS internal = tis.company.com
(no SSL is configured on the sharepoint/web server itself. The reason I
don't configure SSL on the webserver is because when accessing the webserver
from the internal network, the FQDN of the domain for which the cert was
issued wouln't match http://site and users would get a pop up window.)
Questions:
1. In this case can I use host headers on the IIS-sharepoint server or other
alternative to make my internal users also use http://site.company.com and
get to the internal site just fine ?
2. Assuming such sharepoint contains no critically sensitive content to
internal users (and it will require Windows authentication to get to it
anyway), you agree that this implementation without SSL for the internal
users are a practical and common one ?
3. For the users accessing this from the Internet, do you think the idea of
doing the redirection from http to https but not doing that for the internal
users (internally, only http would work) won't cause confusion ?
Any suggestions on how to make this internal and external link common is
appreciated.
| |
| Karl Levinson, mvp 2005-06-03, 7:49 am |
|
"Magoo" <nospammagoo@hotmail.com> wrote in message
news:eycAJX%23ZFHA.3032@TK2MSFTNGP10.phx.gbl...
> I have a Sharepoint site published on ISA 2004. Requirement is let users
> that access this from the Internet and intranet use just one URL.
>
> Currently, on the Internet users are able to connect to my company site
> using:
> http://site.company.com
> (I terminate the SSL on ISA, and I can make a redirection from http to
> https)
> DNS 'externa'=company.com
>
> Then "internal" users should get to the site by doing:
> http://site
> DNS internal = tis.company.com
>
> (no SSL is configured on the sharepoint/web server itself. The reason I
> don't configure SSL on the webserver is because when accessing the
webserver
> from the internal network, the FQDN of the domain for which the cert was
> issued wouln't match http://site and users would get a pop up window.)
>
> Questions:
> 1. In this case can I use host headers on the IIS-sharepoint server or
other
> alternative to make my internal users also use http://site.company.com and
> get to the internal site just fine ?
I think an easier solution would be to change your internal name servers to
serve up a different IP address for the same site.company.com domain name.
Then both virtual sites on your server can use the same cert, or if you
prefer, you can have a second virtual server that is unencrypted for
internal users but that uses the same host name and URL.
In fact, I think doing that [configuring your internal name servers with
different internal IP address / name resolution via "split DNS"] is a
requirement. If you don't do that, your host headers idea won't work, and
if you do do that, I think you don't need to use host headers. Unless I'm
not thinking clearly, I think host headers is irrelevant to this solution.
Another solution would be to stand up your own Windows 2003 cert server,
issue a cert for the internal web server, and configure all the internal web
browsers to trust your new CA. Not as easy, but it is a solution.
> 2. Assuming such sharepoint contains no critically sensitive content to
> internal users (and it will require Windows authentication to get to it
> anyway), you agree that this implementation without SSL for the internal
> users are a practical and common one ?
It is common, but then again implementing poor security practices is also
common. Whether this is safe enough is entirely up to you. Do note that
Windows authentication through IIS is not strongly encrypted [I think it may
be even easier to crack than typical windows networking authentication], and
that basic authentication with SSL is more secure. However, on a Windows
network, you will often have plenty of more or less insecure Windows
password hashes flying around the network.
> 3. For the users accessing this from the Internet, do you think the idea
of
> doing the redirection from http to https but not doing that for the
internal
> users (internally, only http would work) won't cause confusion ?
It shouldn't cause too much confusion. I would mainly be concerned about
confusion when someone emails an internal link to an external user or vice
versa, or is using a laptop that travels in and out of your network, or is
accessing an internal link their internal email from a home computer. It is
possible to write a script that makes all of these links redirect
automatically, if you wish. Or, you could just go ahead and implement HTTPS
internally so that the links are identical.
| |
| Marlon 2005-06-03, 6:01 pm |
| Karl, you rule ! Thanks.
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:uWdgZMDaFHA.1940@TK2MSFTNGP10.phx.gbl...
>
> "Magoo" <nospammagoo@hotmail.com> wrote in message
> news:eycAJX%23ZFHA.3032@TK2MSFTNGP10.phx.gbl...
> webserver
> other
and[vbcol=seagreen]
>
> I think an easier solution would be to change your internal name servers
to
> serve up a different IP address for the same site.company.com domain name.
> Then both virtual sites on your server can use the same cert, or if you
> prefer, you can have a second virtual server that is unencrypted for
> internal users but that uses the same host name and URL.
>
> In fact, I think doing that [configuring your internal name servers with
> different internal IP address / name resolution via "split DNS"] is a
> requirement. If you don't do that, your host headers idea won't work, and
> if you do do that, I think you don't need to use host headers. Unless I'm
> not thinking clearly, I think host headers is irrelevant to this solution.
>
> Another solution would be to stand up your own Windows 2003 cert server,
> issue a cert for the internal web server, and configure all the internal
web
> browsers to trust your new CA. Not as easy, but it is a solution.
>
>
> It is common, but then again implementing poor security practices is also
> common. Whether this is safe enough is entirely up to you. Do note that
> Windows authentication through IIS is not strongly encrypted [I think it
may
> be even easier to crack than typical windows networking authentication],
and
> that basic authentication with SSL is more secure. However, on a Windows
> network, you will often have plenty of more or less insecure Windows
> password hashes flying around the network.
>
> of
> internal
>
> It shouldn't cause too much confusion. I would mainly be concerned about
> confusion when someone emails an internal link to an external user or vice
> versa, or is using a laptop that travels in and out of your network, or is
> accessing an internal link their internal email from a home computer. It
is
> possible to write a script that makes all of these links redirect
> automatically, if you wish. Or, you could just go ahead and implement
HTTPS
> internally so that the links are identical.
>
>
>
|
|
|
|
|