Solved

How to configure IIS Version 7.5 to allow for both internal and public facing web applications

Posted on 2010-09-21
Last Modified: 2012-05-10
Clearly, I am a newb. I am in a situation where we have one web server. On that web server I would like to host both internally accessible and public facing website [applications] where the internal applications are only accessible to employees INSIDE our domain.

The public facing websites should be accessible from both inside and outside our local network.

Currently, I have all web applications organized under 'Default Website' configured as applications in IIS.

Is there a way to segregate the apps so that the 'internal' apps are blocked from being accessed from the outside?

Should this be done by moving the 'public' websites outside of the 'Default Websites' container in IIS and/or should this be done using ports like :80, :8080, :81, etc...?

Here is a quick outline of how the sites look in IIS right now with tags as to how I want them to be accessed:

IIS >
  Default Web Site >
    Web App 1 [Should only be accessible internally]
    Web App 2 [Should only be accessible internally]
    e Commerce Site 1 [Should be accessible both internally and externally]
    e Commerce Site 2 [Should be accessible both internally and externally]
    Web App 3 [Should only be accessible internally]
    etc...

The server has one IP Address and we intend to configure DNS for the Public Facing Site[s].

Thank you for your assistance.
Jason
Question by:jsvb1977

Expert Comment

by:robbe
ID: 33725933
First of all, it's a good idea to split all the websites out. If one of the websites crashes, it will not affect all your other websites.

Besides that, there are some different options here. You can limit the IP addresses on the web server. This way all traffic to the web server is allowed and the web server itself will see if the IP is allowed or not. This is probably the easiest setup.

Option 2 is to ask for authentication. This way the internal web applications are also available outside the company IF you have a valid login. This is only useful if you need it.

If you want to block access on the firewall, you should add an additional (internal) IP address on the network card of the server. Then you can select the public websites to run on that IP. You would then open the public IP to that specific internal IP. This way access is blocked on the firewall instead of on the server.

If you need some more info on a specific scenario let me know!

Author Comment

by:jsvb1977
ID: 33726090
Thank you! Very helpful. Please read my responses below:

Besides that there are some different options here. You can limit the ip addresses on the web server. This way all traffic to the web server is allowed and the web server itself will see if the ip is allowed or not. This is probably the most easy setup.

[
Can you elaborate on this a little more? Correct me if I am wrong, but I think what you are saying is that if I separate the websites out so that they are not all under "Default Web Site" in IIS, then I can specify which IP Address is associated with each website? If so, would I not need to own multiple IP Addresses? Furthermore, can I keep all of the internal apps under "Default Website" and move only the public facing websites to their own containers?
]

Option 2 is to ask for authentication. This way the internal web applications are also available outside the company IF you have a valid log in. This is only useful if you need it.

[
All of our internal web apps utilize Authentication Methods which interact with Active Directory on our local network.
Our Public e Commerce website uses SQL Authentication.

I think this is good -- but I do not want to rely only on Authentication at each application. Thoughts?
]

If you want to block access on the firewall, you should add an additional (internal) IP address on the network card of the server. Then you can select the public websites to run on that IP. You would then open the public IP to that specific internal IP. This way access is blocked on the firewall instead of on the server.

[
I think this is an important step. I like the idea of controlling access via the Firewall [Hardware] before folks even get to the web server. Our web server is a virtual machine, so I think that adding another NIC will be an easy task for our Systems Team.
]

Accepted Solution

by:robbe (earned 500 total points)
ID: 33726170
1) No, what I mean is that you can set up IP restrictions on each website that runs on 1 IP.
2) If all internal clients are in Active Directory they won't notice, as they wouldn't need to enter the password if the website is in the intranet zone. I'll use automatic Windows authentication to log on. The logon dialog would only pop up if you don't have access or are outside the company.
3) You don't need an additional NIC for this. Just an additional IP address on the one NIC that you have.

Just go to the TCP/IP properties => IPv4 settings => Advanced => IP Settings
Add a free IP address in your range

Continue by opening port 80 to that specific IP. Then change the properties of your internal website to run only on the first IP, and change the ones you want to run public to the new one (or the first one as well if you'd like that). This can be changed if you click Bindings in the action pane when opening the website.

Do note that you might need 'host headers' as you'll be running multiple websites on the same IP. This way the only way you can access the website is by the DNS name. For example: host header = www.google.be points to 10.0.0.1

You won't be able to access the site by entering 10.0.0.1 only by typing www.google.be in your browser.

Gluck!
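The steps in the accepted answer, scripted with the IIS WebAdministration module as an added example (not code from the original thread). The second IP `10.0.0.2`, the `10.0.0.0/255.255.255.0` internal subnet, the host name `shop.example.com`, the app pool name and the physical path are assumptions; the IP and Domain Restrictions role service must be installed for the `ipSecurity` section to take effect.

```powershell
# Added example: every address, name and path below is an assumed placeholder.
Import-Module WebAdministration

$internalIp   = '10.0.0.1'        # first IP on the NIC: internal sites only
$publicIp     = '10.0.0.2'        # added IP: the only one the firewall forwards port 80 to
$lanNetwork   = '10.0.0.0'        # assumed internal subnet
$lanMask      = '255.255.255.0'
$internalApps = 'Web App 1', 'Web App 2', 'Web App 3'

# 1) Bind the site holding the internal apps to the internal IP only,
#    replacing the default "all unassigned" (*:80:) binding.
Set-WebBinding -Name 'Default Web Site' -BindingInformation '*:80:' `
    -PropertyName IPAddress -Value $internalIp

# 2) Give the public application its own site and application pool on the
#    added IP, reachable only through its DNS name (host header).
New-WebAppPool -Name 'eCommerce1Pool'
New-Website -Name 'eCommerce Site 1' -PhysicalPath 'D:\Sites\ecommerce1' `
    -ApplicationPool 'eCommerce1Pool' `
    -IPAddress $publicIp -Port 80 -HostHeader 'shop.example.com'

# 3) Defence in depth on the web server itself: deny every client that is
#    not listed, then allow the internal subnet, per internal application.
#    Written to applicationHost.config with a <location> per application.
$filter = 'system.webServer/security/ipSecurity'
foreach ($app in $internalApps) {
    $location = "Default Web Site/$app"
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $location -Filter $filter `
        -Name 'allowUnlisted' -Value $false
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $location -Filter $filter -Name '.' `
        -Value @{ ipAddress = $lanNetwork; subnetMask = $lanMask; allowed = $true }
}

# 4) Review the result: no binding should remain on '*', and each internal
#    application should report allowUnlisted = False.
Get-WebBinding | Select-Object protocol, bindingInformation
foreach ($app in $internalApps) {
    Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "Default Web Site/$app" -Filter $filter -Name 'allowUnlisted'
}
```

After running it, request an internal application from a host outside the allowed subnet and confirm IIS refuses it, and confirm the firewall forwards port 80 only to the added IP.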

Author Closing Comment

by:jsvb1977
ID: 33726189
Perfect. Exactly what I needed to know.

Expert Comment

by:robbe
ID: 33726197
no problem! tx for the rating!