jsvb1977

asked on

How to configure IIS Version 7.5 to allow for both internal and public facing web applications

Clearly, I am a newb. I am in a situation where we have one web server. On that web server I would like to host both internally accessible and public facing website [applications] where the internal applications are only accessible to employees INSIDE our domain.

The public facing websites should be accessible from both inside and outside our local network.

Currently, I have all web applications organized under 'Default Website' configured as applications in IIS.

Is there a way to segregate the apps so that the 'internal' apps are blocked from being accessed from the outside?

Should this be done by moving the 'public' websites outside of the 'Default Websites' container in IIS and/or should this be done using ports like :80, :8080, :81, etc...?

Here is a quick outline of how the sites look in IIS right now with tags as to how I want them to be accessed:

IIS >
  Default Web Site >
    Web App 1 [Should only be accessible internally]
    Web App 2 [Should only be accessible internally]
    e Commerce Site 1 [Should be accessible both internally and externally]
    e Commerce Site 2 [Should be accessible both internally and externally]
    Web App 3 [Should only be accessible internally]
    etc...

The server has one IP Address and we intend to configure DNS for the Public Facing Site[s].

Thank you for your assistance.
Jason
robbe

First of all, it's a good idea to split all the websites out. If one of the websites crashes, it will not affect all your other websites.

Besides that, there are some different options here. You can limit the IP addresses on the webserver. This way all traffic to the webserver is allowed and the webserver itself will see if the IP is allowed or not. This is probably the easiest setup.

Option 2 is to ask for authentication. This way the internal web applications are also available outside the company IF you have a valid login. This is only useful if you need it.

If you want to block access on the firewall, you should add an additional (internal) IP address on the network card of the server. Then you can select the public websites to run on that IP. You would then open the public IP to that specific internal IP. This way access is blocked on the firewall instead of on the server.

If you need some more info on a specific scenario let me know!
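
The first option above (letting the web server check the client IP), as an added example that is not part of the original thread: it restricts the three internal applications from the question's outline with the IIS IP and Domain Restrictions feature and leaves the e-commerce applications open. The 10.0.0.0/8 internal range is an assumption; substitute your own LAN range.

```powershell
# Added example, not from the thread. Run elevated on the IIS 7.5 server.
# Assumptions: the internal LAN is 10.0.0.0/8 and the application names
# match the outline in the question.
Import-Module ServerManager
Import-Module WebAdministration

# The IP and Domain Restrictions role service is not installed by default.
Add-WindowsFeature Web-IP-Security | Out-Null

$filter       = 'system.webServer/security/ipSecurity'
$internalApps = 'Web App 1', 'Web App 2', 'Web App 3'
$publicApps   = 'e Commerce Site 1', 'e Commerce Site 2'
$allowed      = @(
    @{ ipAddress = '10.0.0.0';  subnetMask = '255.0.0.0';       allowed = 'true' },  # assumed LAN range
    @{ ipAddress = '127.0.0.1'; subnetMask = '255.255.255.255'; allowed = 'true' }   # local checks on the server
)

foreach ($app in $internalApps) {
    $location = "Default Web Site/$app"

    # Deny every client address that is not explicitly listed below.
    Set-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' -Location $location `
        -Name allowUnlisted -Value $false

    # Add only the missing allow entries so the script can be re-run safely.
    $have = @(Get-WebConfiguration -Filter "$filter/add" -PSPath 'IIS:\' -Location $location |
              ForEach-Object { $_.ipAddress })
    foreach ($entry in $allowed) {
        if ($have -notcontains $entry.ipAddress) {
            Add-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Location $location -Value $entry
        }
    }
}

# Report the effective setting for every application, public ones included,
# to confirm that only the internal applications were locked down.
foreach ($app in ($internalApps + $publicApps)) {
    $unlisted = (Get-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' `
                 -Location "Default Web Site/$app" -Name allowUnlisted).Value
    '{0,-20} allowUnlisted = {1}' -f $app, $unlisted
}
```

A request from outside the allowed range is rejected by IIS with HTTP 403.6. The check uses the source address IIS sees, so if a proxy or NAT device in front of the server rewrites external traffic to an internal source address, those requests will pass this filter.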
jsvb1977

ASKER

Thank you! Very helpful. Please read my responses below:

Besides that, there are some different options here. You can limit the IP addresses on the web server. This way all traffic to the web server is allowed and the web server itself will see if the IP is allowed or not. This is probably the easiest setup.

[
Can you elaborate on this a little more? Correct me if I am wrong, but I think what you are saying is that if I separate the websites out so that they are not all under "Default Web Site" in IIS, then I can specify which IP Address is associated with each website? If so, would I not need to own multiple IP Addresses? Furthermore, can I keep all of the internal apps under "Default Website" and move only the public facing websites to their own containers?
]

Option 2 is to ask for authentication. This way the internal web applications are also available outside the company IF you have a valid log in. This is only useful if you need it.

[
All of our internal web apps utilize Authentication Methods which interact with Active Directory on our local network.
Our Public e Commerce website uses SQL Authentication.

I think this is good -- but I do not want to rely only on Authentication at each application. Thoughts?
]

If you want to block access on the firewall, you should add an additional (internal) IP address on the network card of the server. Then you can select the public websites to run on that IP. You would then open the public IP to that specific internal IP. This way access is blocked on the firewall instead of on the server.

[
I think this is an important step. I like the idea of controlling access via the Firewall [Hardware] before folks even get to the web server. Our web server is a virtual machine, so I think that adding another NIC will be an easy task for our Systems Team.
]
ASKER CERTIFIED SOLUTION
robbe

This solution is only available to members.
Perfect. Exactly what I needed to know.
No problem! Thanks for the rating!