secure and non-secure access to one site

    secure and non-secure access to one site  
bill tie




 
11-16-05 07:48 AM


The machine is Win2k3 SP1 with IIS 6.0.  Suppose I have a website
siteName.companyName.com.

Internal clients should be able to access the website as follows:
http://siteName/

External clients should access the website using SSL as follows:
https://siteName.companyName.com

I believe I need two virtual servers to accomplish this.  What should the
server bindings and/or secure bindings of each virtual server look like?

Thank you.












    Re: secure and non-secure access to one site  
Miha Pihler [MVP]




 
11-16-05 12:53 PM

Not really,

You can have one where you don't force use of SSL on IIS. This way your
internal users will be able to use http://. Then on the firewall only open
TCP port 443 (and not TCP port 80) from the internet to your IIS server.
This will force your external users to use SSL...

--
Mike
Microsoft MVP - Windows Security

"bill tie" <billtie@discussions.microsoft.com> wrote in message
news:3B7A6C6C-7980-4016-A4EE-7179D01CE321@microsoft.com...
>
> The machine is Win2k3 SP1 with IIS 6.0.  Suppose I have a website
> siteName.companyName.com.
>
> Internal clients should be able to access the website as follows:
> http://siteName/
>
> External clients should access the website using SSL as follows:
> https://siteName.companyName.com
>
> I believe I need two virtual servers to accomplish this.  What should the
> server bindings and/or secure bindings of each virtual server look like?
>
> Thank you.
>
>
>
>










    Re: secure and non-secure access to one site  
bill tie




 
11-16-05 12:53 PM


Mike,

Thank you for your reply.

The port "trick" works, indeed.

1. However, if an external client tries http://..., he sees a nasty message
"The page cannot be displayed ... Cannot find server or DNS Error..."

How's this handled?

2. What if I needed port 80 open on the same IP address?












    Re: secure and non-secure access to one site  
Miha Pihler [MVP]




 
11-16-05 12:53 PM

Yes, clients will get that error since the firewall denies access.

If you want to customize that you will then have to go and configure two
sites etc...

Let me know if you need more help on this with configuring two sites...

--
Mike
Microsoft MVP - Windows Security

"bill tie" <billtie@discussions.microsoft.com> wrote in message
news:2AB5ED3F-EC5F-48F6-A9F2-E50AE6E690E1@microsoft.com...
>
> Mike,
>
> Thank you for your reply.
>
> The port "trick" works, indeed.
>
> 1. However, if an external client tries http://..., he sees a nasty
> message
> "The page cannot be displayed ... Cannot find server or DNS Error..."
>
> How's this handled?
>
> 2. What if I needed port 80 open on the same IP address?
>
>
>
>










    Re: secure and non-secure access to one site  
bill tie




 
11-16-05 11:03 PM


Mike,

Thank you for your interest.

> Let me know if you need more help on this with
> configuring two sites...

I've concocted a working twin-site, but I'm not 100% sure about server
and/or secure bindings of each twin.

For the sake of clarity, I'll call the twins Internal Site and External
Site.  The Internal site should be accessed as http://siteName/, and the
External Site as https://siteName.CompanyName.com.

1. Internal Site
IP: 172.16.1.2
TCP/IP port: 80
SSL port: blank
Host header names: 172.16.1.2:80 siteName, 172.16.1.2:80
siteName.CompanyName.com

2. External Site
IP: 172.16.1.2
TCP/IP port: 80
SSL port: 443
SSL host header name: 172.16.1.2:443 siteName.CompanyName.com

Could you comment, please?










    Re: secure and non-secure access to one site  
Miha Pihler [MVP]




 
11-16-05 11:03 PM

Personally I would put these two sites on two different IP addresses and avoid
using Host Headers. You will run into more problems if you decide to use SSL
with Host Header names...

You can leave 172.16.1.2 for external site and map it to e.g. external IP
address on e.g. your firewall. Now change 172.16.1.2 IP address on internal
site to something else that is free on your network...

--
Mike
Microsoft MVP - Windows Security

"bill tie" <billtie@discussions.microsoft.com> wrote in message
news:605EF23C-9AC7-46A4-B979-EE9E34B06409@microsoft.com...
>
> Mike,
>
> Thank you for your interest.
> 
>
> I've concocted a working twin-site, but I'm not 100% sure about server
> and/or secure bindings of each twin.
>
> For the sake of clarity, I'll call the twins Internal Site and External
> Site.  The Internal site should be accessed as http://siteName/, and the
> External Site as https://siteName.CompanyName.com.
>
> 1. Internal Site
> IP: 172.16.1.2
> TCP/IP port: 80
> SSL port: blank
> Host header names: 172.16.1.2:80 siteName, 172.16.1.2:80
> siteName.CompanyName.com
>
> 2. External Site
> IP: 172.16.1.2
> TCP/IP port: 80
> SSL port: 443
> SSL host header name: 172.16.1.2:443 siteName.CompanyName.com
>
> Could you comment, please?
>
>
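
The twin-site bindings posted above, run through a simplified model of host-header binding selection (an added example, not part of the original thread and not IIS code). The `IP:Port:HostHeader` strings follow the IIS metabase binding form; the precedence rule, the function names, the address 172.16.1.3 and the External Site having no port-80 binding in the two-IP layout are assumptions of this example.

```python
# Added example: simplified model of binding selection, not IIS code.

def parse(binding, secure):
    ip, port, host = binding.split(":", 2)
    return {"ip": ip, "port": int(port), "host": host.lower(), "secure": secure}

def load(sites):
    """Flatten {site: {"ServerBindings": [...], "SecureBindings": [...]}}."""
    out = []
    for name, cfg in sites.items():
        for b in cfg.get("ServerBindings", []):
            out.append(dict(parse(b, False), site=name))
        for b in cfg.get("SecureBindings", []):
            out.append(dict(parse(b, True), site=name))
    return out

def resolve(bindings, ip, port, host):
    """Return (site, secure) for a request, or None if nothing is bound.
    Assumed precedence: exact host header beats blank, exact IP beats blank."""
    best, best_score = None, -1
    for b in bindings:
        if (b["port"] != port or b["ip"] not in ("", ip)
                or b["host"] not in ("", host.lower())):
            continue
        score = 2 * bool(b["host"]) + bool(b["ip"])
        if score > best_score:
            best, best_score = (b["site"], b["secure"]), score
    return best

def plaintext_exposure(bindings, ip, ssl_only_hosts):
    """Map each SSL-only host to the site that would answer it on port 80."""
    found = {h: resolve(bindings, ip, 80, h) for h in ssl_only_hosts}
    return {h: r[0] for h, r in found.items() if r}

# The twin-site layout from the thread (one shared IP).
TWIN = load({
    "Internal Site": {"ServerBindings": ["172.16.1.2:80:siteName",
                                         "172.16.1.2:80:siteName.CompanyName.com"]},
    "External Site": {"ServerBindings": ["172.16.1.2:80:"],
                      "SecureBindings": ["172.16.1.2:443:siteName.CompanyName.com"]},
})
# The two-IP layout suggested in the reply; 172.16.1.3 is a constructed address
# and the External Site is assumed to carry no port-80 binding.
SPLIT = load({
    "Internal Site": {"ServerBindings": ["172.16.1.3:80:"]},
    "External Site": {"SecureBindings": ["172.16.1.2:443:"]},
})
```

In the shared-IP layout a plain-HTTP request for siteName.CompanyName.com resolves to the Internal Site, so the firewall rule blocking TCP port 80 is the only control keeping external users on SSL.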










    Re: secure and non-secure access to one site  
bill tie




 
11-17-05 11:12 PM


Mike,

Thank you for your reply.

> You will run into more problems if you decide to use
> SSL with Host Header names...

Fine.  I take your word for it.

The machine is going to host the two sites (internal & external SharePoint
sites), Exchange Server 2003 with OWA, and ISA Server 2004. It's a single NIC
machine behind a router/firewall.

In light of this info, do you have any other suggestions?










    Re: secure and non-secure access to one site  
Miha Pihler [MVP]




 
11-17-05 11:12 PM

Not really -- except that I wouldn't put all this on one server.

What will be the role of the ISA since it is one NIC server? Why don't you
use it as a firewall?

--
Mike
Microsoft MVP - Windows Security


"bill tie" <billtie@discussions.microsoft.com> wrote in message
news:D8D71FFD-65CC-413D-8200-534CC9E55DF6@microsoft.com...
>
> Mike,
>
> Thank you for your reply.
> 
>
> Fine.  I take your word for it.
>
> The machine is going to host the two sites (internal & external SharePoint
> sites), Exchange Server 2003 with OWA, and ISA Server 2004. It's a single
> NIC
> machine behind a router/firewall.
>
> In light of this info, do you have any other suggestions?
>
>










    Re: secure and non-secure access to one site  
bill tie




 
11-17-05 11:12 PM


Mike,

Thanks.  That was quick.

> Not really -- except that I wouldn't put all this on one server.

It's got to be so for the time being.  SharePoint and Ex2k3 are new things
on the network.

> What will be the role of the ISA since it is one NIC server?

We're testing AND learning ISA.  We ain't got spare iron.  Later on, we may
use the other NIC on the machine.









    Re: secure and non-secure access to one site  
Miha Pihler [MVP]




 
11-17-05 11:12 PM

So what will be the current role of ISA on this server?

--
Mike
Microsoft MVP - Windows Security

"bill tie" <billtie@discussions.microsoft.com> wrote in message
news:41BAE7BE-824E-47F3-8552-71FFEA0DFCC1@microsoft.com...
>
> Mike,
>
> Thanks.  That was quick.
> 
>
> It's got to be so for the time being.  SharePoint and Ex2k3 are new things
> on the network.
> 
>
> We're testing AND learning ISA.  We ain't got spare iron.  Later on, we
> may
> use the other NIC on the machine.
>









