External Access to Internal Network and Websites — Microsoft Networks

I need to be able to expose a set of "internal" web sites to Internet users somehow. Please bear with me as network engineering isn't my forte. I'd appreciate any insight or suggestions to this task. Here are the basics:

We have a network that is only available by connecting with the Cisco AnyConnect Secure Mobility Client. We use two-factor authentication. We have a VPN profile.

The network is primarily Microsoft-based with users in Active Directory (AD). Once I connect to the network, I can log into four different websites. The websites are all running on a single IIS server and we use the user's AD account for authentication along with AD group membership for authorization.

Windows Server 2012 with IIS 8.5. Everything is virtualized with VMware. The sites are ASP.NET WebForms-based.

We have a need for making the sites accessible from the Internet.

We can't require a VPN. So, the sites need to be available without using a VPN.

I would prefer that we use the internal AD user store/identity provider if at all possible.

We must require two-factor authentication. Hence, the user must log in with a username and password and then, most likely, an RSA token authentication mechanism.

I know this seems silly in some regard, but the core of the problem is that our main client needs access to our internal sites and they have heavy restrictions on what they can and can't do. Each user at the client site is only allowed one VPN profile, and that profile is already in use. Likewise, they have severely heavy restrictions on their Internet usage, but we could open up a firewall rule such that they could access our "portal" and hence our sites.

So, I need some kind of portal or device or something that sits, exposed to the Internet with all the appropriate firewall and zone protections needed but allows non-VPN access with two-factor authentication and exposes the internal sites.

This device will need to make the VPN connection itself. Ideally, we'd be able to pass the user's credentials along for authorization and authentication.

My current research has pointed me in the direction of the Sophos UTM & Next-Gen Firewall product. However, I thought I'd engage some expert advice while I research my options.

I appreciate any insight into how to accomplish this task.
Daniel Van Der Werken, Independent Consultant, asked:

Zephyr ICT, Cloud Architect, commented:
You're not far off with the Sophos Firewall. I'm not sure it does what would probably be the solution you can use, but it probably does...

Anyway, a solution that can help you here is SSL VPN. It can be used clientless, which means that no VPN client is needed on the PC/workstation that wants to access your site.

Here is a nice example from Fortinet. I'm not saying use this specific brand; it's just presented in a way that is easy to understand.

Another interesting paper here, by Cisco.
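As an added illustration (not from the question or either answer), here is a site-level web.config fragment for one of the internal IIS 8.5 sites showing the backend-side settings that matter once a clientless SSL VPN portal or similar gateway handles the Internet-facing side: Windows (AD) authentication, authorization by AD group, cookies restricted to HTTPS, and an IP restriction so the IIS site only accepts connections from the gateway rather than from anything that can reach it. The domain name, group name and gateway address are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Users authenticate with their existing AD account; no separate user store. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- Only members of this AD group may use the site (placeholder domain\group). -->
      <allow roles="CORP\PortalUsers" />
      <!-- Deny everyone else, including authenticated users outside the group. -->
      <deny users="*" />
    </authorization>
    <!-- Session/auth cookies are only sent over HTTPS and are not readable by script. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <!-- Anonymous access off, Windows (Kerberos/NTLM) authentication on. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
      <!-- Defense in depth: the site answers only to the gateway's inside address
           (placeholder), so the two-factor portal cannot be bypassed by hitting
           IIS directly from the internal network or a misrouted path. -->
      <ipSecurity allowUnlisted="false">
        <add ipAddress="10.0.0.5" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

The `<authentication>` and `<ipSecurity>` sections under `<system.webServer>` are locked at the server level by default in applicationHost.config, so they must be unlocked there (or set there instead) before a site web.config can override them, and `<ipSecurity>` also requires the IP and Domain Restrictions role service to be installed.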

Daniel Van Der Werken, Independent Consultant (Author), commented:
Thanks for the excellent references.
Zephyr ICT, Cloud Architect, commented:
Hi, you're welcome, good luck with the implementation!