I need to be able to expose a set of "internal" web sites to Internet users somehow. Please bear with me as network engineering isn't my forte. I'd appreciate any insight or suggestions to this task. Here are the basics:
We have a network that is only available by connecting with the Cisco AnyConnect Secure Mobility Client. We use two-factor authentication. We have a VPN profile.
The network is primarily Microsoft-based with users in Active Directory (AD). Once I connect to the network, I can log into four different websites. The websites are all running on a single IIS server and we use the user's AD account for authentication along with AD group membership for authorization.
Windows Server 2012 with IIS 8.5. Everything is virtualized with VMware. The sites are ASP.NET Web Forms-based.
We have a need for making the sites accessible from the Internet.
We can't require a VPN. So, the sites need to be available without using a VPN.
I would prefer that we use the internal AD user store/identity provider if at all possible.
We must require two-factor authentication. Hence, the user must log in with a username and password and then, most likely, an RSA token authentication mechanism.
I know this seems silly in some regard, but the core of the problem is that our main client needs access to our internal sites and they have heavy restrictions on what they can and can't do. Each user at the client site is only allowed one VPN profile, and that profile is already in use. Likewise, they have severely heavy restrictions on their Internet usage, but we could open up a firewall rule such that they could access our "portal" and hence our sites.
So, I need some kind of portal or device or something that sits, exposed to the Internet with all the appropriate firewall and zone protections needed but allows non-VPN access with two-factor authentication and exposes the internal sites.
This device will need to make the VPN connection itself. Ideally, we'd be able to pass the user's credentials along for authorization and authentication.
My current research has pointed me in the direction of the Sophos UTM & Next-Gen Firewall product. However, I thought I'd engage some expert advice while I research my options.
I appreciate any insight into how to accomplish this task.
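The "portal" the question describes is an authentication gateway: an Internet-facing reverse proxy that performs password plus second-factor login itself and only then forwards requests to the internal IIS sites, carrying the verified identity and group membership so the application can still authorize on AD groups. The following sketch is an added example, not code from the poster or from any product named above. It assumes a hypothetical in-memory directory in place of AD, an RFC 6238 TOTP token in place of the RSA token, a constructed site routing table, and placeholder internal hostnames; everything is built with the Python standard library so it runs offline.

```python
"""Sketch of an Internet-facing authentication gateway ("portal") that fronts
internal IIS sites: the gateway verifies password + TOTP second factor, then
forwards only authenticated, authorized requests upstream with the verified
identity and groups in headers. All users, secrets and hostnames are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

TOTP_STEP = 30      # seconds per RFC 6238 time step
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // TOTP_STEP)


def verify_totp(secret: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the current step +/- drift_steps to tolerate clock skew between the
    token and the gateway; compare_digest keeps the comparison constant-time."""
    base = unix_time // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, base + d), code)
               for d in range(-drift_steps, drift_steps + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class DirectoryUser:        # hypothetical stand-in for an AD account
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    groups: List[str]


_SALT = b"constructed-salt"
DIRECTORY: Dict[str, DirectoryUser] = {      # constructed sample directory
    "alice": DirectoryUser(
        salt=_SALT,
        pw_hash=hash_password("correct horse", _SALT),
        totp_secret=b"12345678901234567890",   # RFC 6238 test-vector secret
        groups=["Portal-Users", "Site-A-Readers"],
    ),
}

# External path prefix -> (internal IIS URL, AD group required). Placeholder hosts.
SITES = {
    "/site-a": ("http://iis-internal.example.local/site-a", "Site-A-Readers"),
    "/site-b": ("http://iis-internal.example.local/site-b", "Site-B-Readers"),
}


def authenticate(username: str, password: str, otp: str, unix_time: int) -> Optional[List[str]]:
    """Both factors must pass. Returns the user's group list on success, else None."""
    user = DIRECTORY.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return None
    if not verify_totp(user.totp_secret, otp, unix_time):
        return None
    return list(user.groups)


def route(groups: Optional[List[str]], username: str, path: str) -> dict:
    """Gateway decision for one request: 401 when unauthenticated, 403 when the
    user lacks the site's group, 404 for unknown paths, otherwise the upstream
    request carrying the verified identity. The internal IIS site must accept
    these headers only from the gateway's address, never from the Internet."""
    if groups is None:
        return {"status": 401}
    for prefix, (upstream, group) in SITES.items():
        if path == prefix or path.startswith(prefix + "/"):
            if group not in groups:
                return {"status": 403}
            return {"status": 200,
                    "upstream": upstream + path[len(prefix):],
                    "headers": {"X-Authenticated-User": username,
                                "X-Authenticated-Groups": ",".join(groups)}}
    return {"status": 404}


if __name__ == "__main__":
    now = 59        # RFC 6238 test vector: TOTP at T=59 is 287082
    groups = authenticate("alice", "correct horse", totp(b"12345678901234567890", now), now)
    print(route(groups, "alice", "/site-a/reports"))
    print(route(authenticate("alice", "wrong", "000000", now), "alice", "/site-a/"))
```

Two design points carry over to a real deployment: the gateway, not the browser, is the only party that can reach the IIS server, so the identity headers are trustworthy only because the network path is restricted to the gateway; and the second factor is verified at the gateway before any request touches the internal application, which is what lets the sites stay off the VPN without weakening the two-factor requirement.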