Solved

How to configure IIS Version 7.5 to allow for both internal and public facing web applications

Posted on 2010-09-21
Last Modified: 2012-05-10
Clearly, I am a newb. I am in a situation where we have one web server. On that web server I would like to host both internally accessible and public facing website [applications] where the internal applications are only accessible to employees INSIDE our domain.

The public facing websites should be accessible from both inside and outside our local network.

Currently, I have all web applications organized under 'Default Website' configured as applications in IIS.

Is there a way to segregate the apps so that the 'internal' apps are blocked from being accessed from the outside?

Should this be done by moving the 'public' websites outside of the 'Default Websites' container in IIS and/or should this be done using ports like :80, :8080, :81, etc...?

Here is a quick outline of how the sites look in IIS right now with tags as to how I want them to be accessed:

IIS >
  Default Web Site >
    Web App 1 [Should only be accessible internally]
    Web App 2 [Should only be accessible internally]
    e Commerce Site 1 [Should be accessible both internally and externally]
    e Commerce Site 2 [Should be accessible both internally and externally]
    Web App 3 [Should only be accessible internally]
    etc...

The server has one IP Address and we intend to configure DNS for the Public Facing Site[s].

Thank you for your assistance.
Jason
Question by:jsvb1977
LVL 6

Expert Comment

by:robbe
ID: 33725933
First of all, it's a good idea to split all the websites out. If one of the websites were to crash, it would not affect all your other websites.

Besides that, there are some different options here. You can limit the IP addresses on the web server. This way all traffic to the web server is allowed and the web server itself will see if the IP is allowed or not. This is probably the easiest setup.

Option 2 is to ask for authentication. This way the internal web applications are also available outside the company IF you have a valid login. This is only useful if you need it.

If you want to block access on the firewall, you should add an additional (internal) IP address on the network card of the server. Then you can select the public websites to run on that IP. You would then open the public IP to that specific internal IP. This way access is blocked on the firewall instead of on the server.

If you need some more info on a specific scenario let me know!
0
 

Author Comment

by:jsvb1977
ID: 33726090
Thank you! Very helpful. Please read my responses below:

Besides that there are some different options here. You can limit the ip addresses on the web server. This way all traffic to the web server is allowed and the web server itself will see if the ip is allowed or not. This is probably the most easy setup.

[
Can you elaborate on this a little more? Correct me if I am wrong, but I think what you are saying is that if I separate the websites out so that they are not all under "Default Web Site" in IIS, then I can specify which IP Address is associated with each website? If so, would I not need to own multiple IP Addresses. Furthermore, can I keep all of the internal apps under "Default Website" and move only the public facing websites to their own containers?
]

Option 2 is to ask for authentication. This way the internal web applications are also available outside the company IF you have a valid log in. This is only useful if you need it.

[
All of our internal web apps utilize Authentication Methods which interact with Active Directory on our local network.
Our Public e Commerce website uses SQL Authentication.

I think this is good -- but I do not want to rely only on Authentication at each application. Thoughts?
]

If you want to block access on the Firewall you should add an additional (internal) IP address on the network card of the server. Then you can select the public websites to run on that ip. If you then would open the public ip to that specific internal ip. This way access is blocked on the firewall instead of on the server.

[
I think this is an important step. I like the idea of controlling access via the Firewall [Hardware] before folks even get to the web server. Our web server is a virtual machine, so I think that adding another NIC will be an easy task for our Systems Team.
]
0
 
LVL 6

Accepted Solution

by:
robbe earned 500 total points
ID: 33726170
1) No, what I mean is that you can set up IP restrictions on each website that runs on 1 IP.
2) If all internal clients are in the Active Directory they won't notice, as they wouldn't need to enter the password if the website is in the intranet zone. It'll use automatic Windows authentication to log on. The logon dialog would only pop up if you don't have access or are outside the company.
3) You don't need an additional NIC for this. Just an additional IP address on the one NIC that you have.

Just go to the TCP/IP properties => IPv4 settings => Advanced => IP Settings
Add a free IP address in your range

Continue by opening port 80 to that specific IP. Then change the properties of your internal website to run only on the first IP and change the ones you want to run public to the new one (or the first one as well if you'd like that). This can be changed if you click Bindings in the action pane when opening the website.

Do note that you might need 'host headers' as you'll be running multiple websites on the same IP. This way the only way you can access the website is by the DNS name. For example: host header = www.google.be points to 10.0.0.1

You won't be able to access the site by entering 10.0.0.1, only by typing www.google.be in your browser.

Gluck!
0
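The setup described in the accepted answer, scripted as an added example (not code from the original thread). It assumes the IIS WebAdministration PowerShell module and the "IP and Domain Restrictions" role service are installed; the adapter name, site and pool names, path, host header, subnet and the 10.0.0.2 address are placeholders.

```powershell
# Added example: every name, path and address here is an assumption.
Import-Module WebAdministration

$internalIp = '10.0.0.1'                # existing address, never published
$publicIp   = '10.0.0.2'                # constructed: free address in the same range
$nic        = 'Local Area Connection'   # assumed adapter name
$ipSec      = '/system.webServer/security/ipSecurity'

# 1. Add a second IPv4 address to the one existing NIC.
netsh interface ipv4 add address $nic $publicIp 255.255.255.0

# 2. Pin the site that holds the internal apps to the first address only,
#    so it no longer answers on "all unassigned".
Set-WebBinding -Name 'Default Web Site' -BindingInformation '*:80:' `
    -PropertyName IPAddress -Value $internalIp

# 3. Give the public application its own site and application pool, bound to
#    the new address with a host header. The firewall then forwards port 80
#    to $publicIp only.
New-WebAppPool -Name 'Shop1Pool'
New-Website -Name 'Shop1' -PhysicalPath 'D:\Sites\Shop1' `
    -ApplicationPool 'Shop1Pool' `
    -IPAddress $publicIp -Port 80 -HostHeader 'shop1.example.com'

# 4. Second layer on the server itself: deny every client that is not listed,
#    then allow the internal subnet (assumed to be 10.0.0.0/24).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site' `
    -Filter $ipSec -Name allowUnlisted -Value $false
Add-WebConfiguration -PSPath 'IIS:\' -Location 'Default Web Site' `
    -Filter $ipSec `
    -Value @{ ipAddress = '10.0.0.0'; subnetMask = '255.255.255.0'; allowed = 'true' }

# 5. Check the result: no binding should still start with '*:'.
Get-WebBinding | Select-Object protocol, bindingInformation
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site' `
    -Filter $ipSec -Name allowUnlisted
```

Requests that reach the internal site from an unlisted address are rejected by IIS itself, so the internal applications stay closed even if a firewall rule is later pointed at the wrong address.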
 

Author Closing Comment

by:jsvb1977
ID: 33726189
Perfect. Exactly what I needed to know.
0
 
LVL 6

Expert Comment

by:robbe
ID: 33726197
no problem! tx for the rating!
0


Question has a verified solution.
