  • Status: Solved
  • Priority: Medium
  • Security: Public

Configure IIS to allow both http and https access to same site

Hi,
 I need to configure IIS to allow http access to a site when accessed from local machines (LAN).
And also I need to allow only https access when accessed from internet (remote machines).

Reply is required urgently.

Thanks
sadha
 
humeniuk Commented:
Since this is a server configuration, I doubt that you can allow http access in one case and require https in another (although someone else may know a way).  I suppose you could block public http traffic (port 80) with your firewall, but that seems a bit messy.  If you're using ISA Server, there may be a cleaner way to do it.  Likewise, you could run the http version on an alternate port (ie port 88), inform the local users, but not the public users . . . again, imperfect and messy.

If not, you may want to consider creating a duplicate website - version one is publicly available and requires https, version two is not publicly available (just local/LAN) and is available via http.
 
fwscott Commented:
Hi,

To help with humeniuk's second answer...

You can set up two different sites with host headers enabled.

The LAN side would access this via "servername", the internet would access this via the DNS name.

Both sites would point to the same file system structure and the internet one would require SSL.
 
humeniuk Commented:
Right, an important point - each site pointing to the same file structure, so you don't have to worry about synchronization.

You could even put the non-https site on a different private (LAN) IP not available via the internet.
 
meverest Commented:
just a small point (not wanting to be over critical though)

>> The LAN side would access this via "servername", the internet would access this via the DNS name.

host headers are not relevant when dealing with https.

I agree that it is surely a firewall/border-router task.  Just map port 443 through to the web server and not port 80.

The multiple IP address idea is also good - one address for the intranet and one for the internet access.  Two web sites pointing to the same file structure will give you the opportunity to restrict access individually based on client IP address too.

Cheers.
 
sadhasivan (Author) Commented:
Hi,

 I agree with fwscott and humeniuk, but we have to identify the source of the request and if it is from the internet then we have to redirect them to a secured site. In ASP, we have Request.ServerVariables("REMOTE_ADDR") to identify the client IP and Request.ServerVariables("REMOTE_HOST") will give us the host name of the client which made the request. From this information, we need a function or a way to analyse which request is from the internet and which one is from the intranet. We may have URLs ending with .net, .com, etc. We need a strong function.

need reply.

urs,
sadha

 
 
meverest Commented:
Hello,

to give you something like the definitive answer, you probably need to let us know how the web site will be accessed by the end user.  For example:

"from the intranet they use http://www.myserver.com and are allowed to access, but from the internet if they enter the same url, they will be automatically redirected to the secure resource"

is that a reasonable description of what will happen?  or is it more like:

"but from the internet  access to http://www.myserver.com will be automatically redirected to https://www.myserver.com.  from intranet, the site is accessed by http://myservername and http is allowed.  if the intranet user accesses http://www.myserver.com, they will also be forced to https"

or maybe something different - can you extrapolate on this for us?

Also, I would like to know whether you can currently access http://www.yourserver.dom ok from a remote (internet) location?  What about the https://www.yourserver.dom site?

Not sure yet whether you are asking just how to achieve the outcome, or also need to know how to install certificates, set up your gateway router etc.

Regards,  Mike.
 
sadhasivan (Author) Commented:
Hi,
 
 the clients in intranet will type http://myservername  and
 clients will type http://www.myserver.com to access via internet.

 if intranet users type http://www.myserver.com then no problem to redirect them to secure site.

Thanks
sadha
 
humeniuk Commented:
Then you can use the approach outlined above - http & https site on different IPs.  In your internal DNS, have http://myservername point to the http IP address and http://www.myserver.com point to the https IP address.

Your router/firewall should be configured to forward incoming https traffic to the https IP address (ie. the secure site).

This should serve your purpose unless there's something else I'm missing.
 
meverest Commented:
Easy-peasy then.  I think that you might want to consider doing some clever things with custom error pages (right click web site->properties->custom errors) in conjunction with the two web sites already suggested above.

Assuming that you currently have just the one default web site, the following general steps will (hopefully) help you understand my idea.  I am also going to assume that you have the ssl certificate already installed.

1.  right click the default web site->web site tab->advanced.  in the top text frame, double click the one entry (if there is more than one, do this for all of them) and enter www.myserver.com in the host header value, click ok twice (leave the main properties dialog open for the moment)
2. now select the 'directory security tab', and click 'edit' next to 'ip address restrictions'.  select 'by default all computers are GRANTED access', then click 'add', group of computers, and enter the network address and netmask for the local LAN, OK twice (leave the main config pane open still)
3. now click 'edit' at the bottom of the 'directory security' panel, and check the box that says 'require secure channel', then OK.
4. select custom errors tab, and double click the entry for 403;4, and select message type=url, and https://www.mydomain.com as the url entry, then click ok.
5.  now double click the 403;6 entry, and set the url to http://myservername
6. now select the 'home directory tab', highlight the text in 'local path', right click the highlighted text and copy.  close that dialog
7. right click 'web sites' node, new->web site.  description='intranet', ip address='all unassigned', port=80, host header='myservername' path=(paste what you copied from the last step), check any extra stuff you might need, then finish.

now you should have a system whereby *everyone* (internet AND intranet users) can access the web site by http://www.mydomain.com.  (inTRAnet users can use the http://myservername too if they wish)  If an internet user accesses, they will be automatically sent to the secure interface.  If the intranet user accesses, they will be sent to the http://myservername automatically.

does this suit your requirements?

0
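Added example (not part of the original thread and not any participant's code): a sketch of the routing outcome the steps above aim for on the public site, using only REMOTE_ADDR and a network/netmask test as in step 2. The LAN range `192.168.1.0/255.255.255.0` is a constructed sample, the function names are hypothetical, and checking the LAN rule before the SSL rule is an assumption taken from the outcome described in the post.

```javascript
// Constructed sample LAN range; replace with the real network address and netmask.
const LAN = { network: "192.168.1.0", mask: "255.255.255.0" };

// Parse strict dotted-quad IPv4 text into an unsigned 32-bit number, or null if malformed.
function ipv4ToInt(text) {
  const parts = String(text).trim().split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value;
}

// True when addr lies inside network/mask (the test a "group of computers" entry expresses).
function inNetwork(addr, network, mask) {
  const a = ipv4ToInt(addr), n = ipv4ToInt(network), m = ipv4ToInt(mask);
  if (a === null || n === null || m === null) return false; // malformed is never "LAN"
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// Decide what a request to the public site (www.myserver.com) gets.
// REMOTE_HOST is deliberately ignored: a reverse-DNS name is set by whoever
// controls the client's address space, so it cannot prove LAN membership.
function routeRequest(remoteAddr, isHttps) {
  if (inNetwork(remoteAddr, LAN.network, LAN.mask)) {
    // LAN client hits the IP restriction (the 403;6 case) and goes to the intranet site.
    return { action: "redirect", location: "http://myservername" };
  }
  if (!isHttps) {
    // Anything not provably LAN must use the secure channel (the 403;4 case).
    return { action: "redirect", location: "https://www.myserver.com" };
  }
  return { action: "serve" };
}
```

If the web server sits behind a reverse proxy or NAT device, REMOTE_ADDR is that device's address, so the LAN test has to be made where the real client address is visible.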
 
sadhasivan (Author) Commented:
Hi,
 
 meverest, I tried to follow your instructions mentioned above. When I tried to set the URL for custom errors, I get a "The path is not a local absolute URL path" alert. I couldn't set it.

urs,
sadha
 
meverest Commented:
Sorry, my bad - I did not check that the url could be set to an external resource.  It seems that this dialog will only allow display of a resource from the same virtual web host.

A work around is to make custom error files:

1.  open wordpad and paste in this text:

<script language="javascript">
    document.location.href="https://www.mydomain.com"
</script>

save it as drive:\somepath\404_6.html

2.  paste in this text:

<script language="javascript">
    document.location.href="http://myservername"
</script>

save it as drive:\somepath\404_3.html

3.  now open the custom errors page and set the relevant error messages to the files above.

That should achieve the same result.

Regards,  Mike.
 
meverest Commented:
suggest split meverest/humeniuk
 
sadhasivan (Author) Commented:
Hi,
 I agree with you, you can give equal points to meverest and humeniuk.

 Thanks for Experts Exchange, I gained a lot.

Thanks
sadha
 
humeniuk Commented:
Glad to hear that we were able to help, sadhasivan.

In general, EE prefers Askers to close their own questions rather than have it done through the cleanup process.  Your options are at the link above, but if you would like to split points, you can see how at www.experts-exchange.com/help.jsp#hi19.  If you need help, let me know.