Intranet website accessible from Internet?

[techfuzz]

We currently mirror a copy of our corporate Intranet to our Extranet, but this has its limitations. To get around some of these limitations, I am investigating what we need to do to make our corporate Intranet directly accessible from the Internet. The only solution I have come up with is to use a sub.domain.com, SSL, and a login form that authenticates with the AD. I would like to consider more options, but I can't seem to think of any. What do you think is the best way to make it accessible from the Internet? How does your company do it (and how well does it work)?

techfuzz

 

[JDMnAR1]

Our users have to establish a VPN session in order to access the intranet from outside the firewall. It works fine for us.

 

[techfuzz]

Originally posted by: JDMnAR1
Our users have to establish a VPN session in order to access the intranet from outside the firewall. It works fine for us.

Yeah, we already have that option, but some people cannot use VPN because they work at client sites or at home.

techfuzz

 

[TheKub]

Originally posted by: techfuzz
Yeah, we already have that option, but some people cannot use VPN because they work at client sites or at home.

techfuzz

Issue mobile broadband cards so they have access where they are at.

Also, an intranet that is accessible from the internet is a website.

 

[techfuzz]

Originally posted by: TheKub
Issue mobile broadband cards so they have access where they are at.

We can't give them mobile broadband cards because of client security restrictions (i.e. federal government). These people only have web access. Any and all access to our systems must be via the web so that means email, ftp, and intranet must be web-enabled for them. We have an extranet setup so they can access our various corporate apps. What we want to do is give them access to our intranet without the limitations that our current solution imposes.

techfuzz

 

[TheKub]

Originally posted by: techfuzz
We can't give them mobile broadband cards because of client security restrictions (i.e. federal government). These people only have web access. Any and all access to our systems must be via the web so that means email, ftp, and intranet must be web-enabled for them. We have an extranet setup so they can access our various corporate apps. What we want to do is give them access to our intranet without the limitations that our current solution imposes.

techfuzz

So you're basically looking at putting your entire intranet in the DMZ then?

 

[RebateMonger]

You can look at how this is done with Microsoft Windows Small Business Server 2003. We use a Proxy Server (Microsoft ISA Server) to "Publish" an internal web site (a SharePoint site in this case). It's published using SSL and requires Authentication to AD.

Since ISA Server is a Proxy, the outside client never actually "sees" the internal server. All communication is done with the ISA Server. ISA reads the inbound requests, makes the same request to the "real" web server, and then passes the result back to the external client, encrypted. ISA filters inbound web requests for known exploits.

 

[spidey07]

SSL vpn is made exactly for this purpose.

 

[techfuzz]

Originally posted by: TheKub
So you're basically looking at putting your entire intranet in the DMZ then?

No, just the intranet web server. I'm looking for other ideas to consider that may be easier to implement, more secure, or etc.

Originally posted by: RebateMongerYou can look at how this is done with Microsoft Windows Small Business Server 2003. We use a Proxy Server (Microsoft ISA Server) to "Publish" an internal web site (a SharePoint site in this case). It's published using SSL and requires Authentication to AD.

This sounds very intriguing and we already have ISA in place for outbound HTTP traffic. Can you point me towards some information about this possible solution. I would very much like to look into it.

Originally posted by: spidey07SSL vpn is made exactly for this purpose.

I'm not familiar with SSL VPN. How does it work?

techfuzz

 

[Cable God]

SSL VPN's use https, IE: Port 443.

I'd recommend looking at the Juniper SSL VPN lineup. We use a few SA4500's and find them to be fast, secure, and easy to configure/maintain.

If you're a smaller shop, the SA700 or SA2500 would suite you well.

https://www.juniper.net/produc...cure_access/index.html

 

[techfuzz]

Does SSL VPN need software loaded onto the client computer for it to work? The Juniper link seems to indicate that it doesn't which would be a good thing for our employees at client locations.

techfuzz

 

[RebateMonger]

Originally posted by: techfuzz

Originally posted by: RebateMongerYou can look at how this is done with Microsoft Windows Small Business Server 2003. We use a Proxy Server (Microsoft ISA Server) to "Publish" an internal web site (a SharePoint site in this case). It's published using SSL and requires Authentication to AD.

This sounds very intriguing and we already have ISA in place for outbound HTTP traffic. Can you point me towards some information about this possible solution. I would very much like to look into it.

There's a built-in Wizard for doing this. The ISA Help screens will also help with configuring it, as will http://isaserver.org . Search for "Publishing".

 

[Bashbelly]

using a citrix access gateway 7000 for ssl vpn. we use the clientless mode for the majority of users, works great.