Solved

How to configure IIS Version 7.5 to allow for both internal and public facing web applications

Posted on 2010-09-21
1,571 Views
Last Modified: 2012-05-10
Clearly, I am a newb. I am in a situation where we have one web server. On that web server I would like to host both internally accessible and public-facing website [applications], where the internal applications are only accessible to employees INSIDE our domain.

The public-facing websites should be accessible from both inside and outside our local network.

Currently, I have all web applications organized under 'Default Web Site', configured as applications in IIS.

Is there a way to segregate the apps so that the 'internal' apps are blocked from being accessed from the outside?

Should this be done by moving the 'public' websites outside of the 'Default Web Site' container in IIS, and/or should this be done using ports like :80, :8080, :81, etc.?

Here is a quick outline of how the sites look in IIS right now with tags as to how I want them to be accessed:

IIS >
    Default Web Site >
        Web App 1 [Should only be accessible internally]
        Web App 2 [Should only be accessible internally]
        eCommerce Site 1 [Should be accessible both internally and externally]
        eCommerce Site 2 [Should be accessible both internally and externally]
        Web App 3 [Should only be accessible internally]
        etc.

The server has one IP address, and we intend to configure DNS for the public-facing site[s].

Thank you for your assistance.
Jason
0
Question by:jsvb1977
5 Comments
 
LVL 6

Expert Comment

by:robbe
ID: 33725933
First of all, it's a good idea to split all the websites out. If one of the websites crashes, it will not affect all your other websites.

Besides that, there are some different options here. You can limit the IP addresses on the web server. This way all traffic to the web server is allowed, and the web server itself will check whether the IP is allowed or not. This is probably the easiest setup.

Option 2 is to ask for authentication. This way the internal web applications are also available outside the company IF you have a valid login. This is only useful if you need it.

If you want to block access on the firewall, you should add an additional (internal) IP address on the network card of the server. Then you can select the public websites to run on that IP. If you then open the public IP to that specific internal IP, access is blocked on the firewall instead of on the server.

If you need some more info on a specific scenario, let me know!
0
 

Author Comment

by:jsvb1977
ID: 33726090
Thank you! Very helpful. Please read my responses below:

Besides that, there are some different options here. You can limit the IP addresses on the web server. This way all traffic to the web server is allowed, and the web server itself will check whether the IP is allowed or not. This is probably the easiest setup.

[
Can you elaborate on this a little more? Correct me if I am wrong, but I think what you are saying is that if I separate the websites out so that they are not all under "Default Web Site" in IIS, then I can specify which IP address is associated with each website? If so, would I not need to own multiple IP addresses? Furthermore, can I keep all of the internal apps under "Default Web Site" and move only the public-facing websites to their own containers?
]

Option 2 is to ask for authentication. This way the internal web applications are also available outside the company IF you have a valid login. This is only useful if you need it.

[
All of our internal web apps utilize authentication methods which interact with Active Directory on our local network.
Our public eCommerce website uses SQL authentication.

I think this is good, but I do not want to rely only on authentication at each application. Thoughts?
]

If you want to block access on the firewall, you should add an additional (internal) IP address on the network card of the server. Then you can select the public websites to run on that IP. If you then open the public IP to that specific internal IP, access is blocked on the firewall instead of on the server.

[
I think this is an important step. I like the idea of controlling access via the firewall [hardware] before folks even get to the web server. Our web server is a virtual machine, so I think that adding another NIC will be an easy task for our systems team.
]
0
 
LVL 6

Accepted Solution

by:
robbe earned 2000 total points
ID: 33726170
1) No, what I mean is that you can set up IP restrictions on each website that runs on one IP.
2) If all internal clients are in the Active Directory, they won't notice, as they wouldn't need to enter the password if the website is in the intranet zone. I'll use automatic Windows authentication to log on. The logon dialog would only pop up if you don't have access or are outside the company.
3) You don't need an additional NIC for this. Just add an additional IP address to the one NIC that you have.

Just go to the TCP/IP properties => IPv4 settings => Advanced => IP Settings.
Add a free IP address in your range.

Continue by opening port 80 to that specific IP. Then change the properties of your internal website to run only on the first IP, and change the ones you want to run publicly to the new one (or the first one as well, if you'd like that). This can be changed if you click Bindings in the Actions pane when opening the website.

Do note that you might need 'host headers', as you'll be running multiple websites on the same IP. This way the only way you can access the website is by the DNS name. For example: host header = www.google.be points to 10.0.0.1.

You won't be able to access the site by entering 10.0.0.1, only by typing www.google.be in your browser.

Gluck!
0
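The accepted solution's three steps (a second IP on the one NIC, per-site bindings with host headers, and IP restrictions on the internal sites) scripted for IIS 7.5, as an added example that is not part of the original answer. It assumes the sites have already been split out of 'Default Web Site' into their own IIS sites, that the WebAdministration module and the "IP and Domain Restrictions" role service are installed, and that the adapter name, site names, host names and the 10.0.0.2 / 10.0.0.0/24 addresses are constructed placeholders (10.0.0.1 comes from the answer).

```powershell
# Added example, not the answerer's code. Assumes Windows Server 2008 R2 / IIS 7.5.
# All names and addresses below except 10.0.0.1 are constructed placeholders.
Import-Module WebAdministration

$nic          = 'Local Area Connection'   # assumption: adapter name
$internalIp   = '10.0.0.1'                # existing address (from the answer)
$publicIp     = '10.0.0.2'                # constructed: second address the firewall forwards port 80 to
$internalNet  = '10.0.0.0'                # constructed: employee LAN range
$internalMask = '255.255.255.0'

# Step 3: add a second address to the single NIC; no extra adapter needed.
netsh interface ipv4 add address $nic $publicIp $internalMask

# Step 2: bind each site to exactly one address, with a host header so several
# sites can share an IP and the site answers only to its DNS name, not the bare IP.
$bindings = @(
    @{ Site = 'Web App 1';        Ip = $internalIp; Host = 'app1.corp.example' },
    @{ Site = 'eCommerce Site 1'; Ip = $publicIp;   Host = 'shop1.example.com' }
)
foreach ($b in $bindings) {
    # Drop the catch-all *:80: binding the site may have inherited, then add the
    # address-specific one. Only sites on $publicIp are reachable via the firewall.
    Get-WebBinding -Name $b.Site -Protocol http | Remove-WebBinding
    New-WebBinding -Name $b.Site -Protocol http -Port 80 -IPAddress $b.Ip -HostHeader $b.Host
}

# Step 1: defence in depth for an internal site. Even if a firewall rule is wrong,
# IIS itself refuses requests from outside the LAN range. Committed with -Location
# into applicationHost.config, because ipSecurity is locked against web.config by default.
$filter = '/system.webServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Web App 1' -Filter $filter `
    -Name allowUnlisted -Value $false
Add-WebConfiguration -PSPath 'IIS:\' -Location 'Web App 1' -Filter $filter `
    -Value @{ ipAddress = $internalNet; subnetMask = $internalMask; allowed = $true }
```

Verify afterwards with `Get-WebBinding` and by requesting the internal host name from an address outside 10.0.0.0/24, which should now return HTTP 403 from IIS even before the firewall is touched.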
 

Author Closing Comment

by:jsvb1977
ID: 33726189
Perfect. Exactly what I needed to know.
0
 
LVL 6

Expert Comment

by:robbe
ID: 33726197
No problem! Thanks for the rating!
0
