Thursday, February 3, 2011

Alternative Hostname for an IIS web site for internal access only

I'm using IIS in Windows 2003 Server for a SharePoint intranet. External incoming requests will be using the host header portal.mycompany.com and be forced to use SSL.

I was wondering if there's a way to set up an alternate host header such as <http://internalportal/> which only accepts requests from the internal network, but doesn't force the users to use SSL.

Any recommendations for how to set this up?

  • Assuming that http://internalportal/ wasn't accessible from outside the company, you could set up two websites in IIS. The first site, configured to use a host header value of 'portal.mycompany.com', would require SSL. The second site, configured to use a host header value of 'internalportal', would not require SSL. The host header value is configured under 'Web Site' -> 'Advanced'.

    Having a hardware load balancer makes things much easier. The site on the load balancer is set up to require SSL, and your websites in IIS are set up not to require SSL.

    From Alan Hecht
  • Daniel,

    Why not just keep it simple and run with https://portal.mycompany.com ?

    Any special reason?

    From Kev
  • Alan

    The https://portal.mycompany.com works by the public IP address being NAT'ed to the internal IP for the MOSS server.

    I'm just concerned that if someone in the external internet uses their hosts file to point http://internalportal/ to the public IP address, the IIS will accept the incoming request on port 80, without requiring https.

    From Daniel O
  • Kevin

    Good point. It's really just for performance and ease of use internally. You're right there's no reason why we can't just use https internally as well. Just wondering if it's trivially easy to set up then we could use it.

    From Daniel O
  • @Daniel

    You could just add a second host header and internal IP address to the site for internal non-SSL access:

    172.16.3.1:443:portal.mycompany.com
    172.16.3.2:80:internalportal
    From Kev
  • Thanks Kevin, assigning the internal IP was the bit I wasn't thinking of. That way only internal requests can come in on port 80.

    From Daniel O
  • In testing, we have found that IIS will still respond even though it is listening on the internal IP. When the NAT occurs, IIS thinks the incoming request is on the internal IP. So if you hack your hosts file you can get in from the outside.

    The solution seems to be to assign the server a second internal IP address, and make IIS listen to that IP address for the internal-only site.

    From Daniel O
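    The result Daniel describes above can be reproduced with a small model of how IIS picks a site from its bindings once a NAT has rewritten the destination address. This is an added illustration, not code from the thread, from IIS or from SharePoint: the public address 203.0.113.10, the site names, and the assumption that the failing configuration had both host headers on the single NAT'd internal IP (172.16.3.1) are constructed for the example, and the model assumes the edge NAT forwards port 80 as well as 443. The `audit` function is the check an administrator would want: it flags any non-SSL site whose binding IP is a NAT target (or "All Unassigned"), which is exactly the case where a spoofed hosts file on the outside reaches the internal-only site.

```python
"""Model of IIS 6 site selection behind a destination NAT.

Constructed example for the thread's scenario; values are sample data, not the
thread's real server. It shows why binding the internal-only site to the NAT'd
internal IP does not keep external port-80 requests out, and why a second,
non-NAT'd internal IP does.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str            # "" means "All Unassigned"
    port: int
    host: str          # "" means any host header
    site: str          # site name, used for reporting only
    requires_ssl: bool


PUBLIC_IP = "203.0.113.10"    # assumed public address (documentation range)
NAT_TARGET = "172.16.3.1"     # internal IP the edge NAT forwards to (from the thread)
NAT: Dict[str, str] = {PUBLIC_IP: NAT_TARGET}


def match_binding(bindings: Sequence[Binding], dst_ip: str, dst_port: int,
                  host_header: str) -> Optional[Binding]:
    """Return the binding IIS would select for a request that arrives at
    (dst_ip, dst_port) carrying host_header, or None if nothing matches.
    IP, port and host header must all agree; a blank IP or host in the
    binding acts as a wildcard."""
    for b in bindings:
        if b.port != dst_port:
            continue
        if b.ip and b.ip != dst_ip:
            continue
        if b.host and b.host.lower() != host_header.lower():
            continue
        return b
    return None


def after_nat(public_ip: str, port: int,
              host_header: str) -> Optional[Tuple[str, int, str]]:
    """What IIS sees for an external request to public_ip: the NAT rewrites
    the destination IP to the mapped internal address, so from IIS's point
    of view the request arrived on the internal IP."""
    internal_ip = NAT.get(public_ip)
    if internal_ip is None:
        return None
    return (internal_ip, port, host_header)


# Configuration A (assumed failing case): both host headers bound to the NAT'd IP.
CONFIG_A = (
    Binding(NAT_TARGET, 443, "portal.mycompany.com", "portal", True),
    Binding(NAT_TARGET, 80, "internalportal", "internal", False),
)

# Configuration B (the fix in the thread): internal-only site on a second
# internal IP that the NAT never targets.
CONFIG_B = (
    Binding(NAT_TARGET, 443, "portal.mycompany.com", "portal", True),
    Binding("172.16.3.2", 80, "internalportal", "internal", False),
)


def reachable_from_internet_without_ssl(bindings: Sequence[Binding],
                                        host_header: str) -> bool:
    """True if an external client that maps host_header to the public IP in
    its hosts file would be served a non-SSL site on port 80."""
    req = after_nat(PUBLIC_IP, 80, host_header)
    if req is None:
        return False
    b = match_binding(bindings, *req)
    return b is not None and not b.requires_ssl


def audit(bindings: Sequence[Binding]) -> List[str]:
    """Names of non-SSL sites whose binding IP is a NAT target or
    'All Unassigned'; these are reachable from outside despite the host header."""
    exposed = []
    for b in bindings:
        if b.requires_ssl:
            continue
        if b.ip == "" or b.ip in NAT.values():
            exposed.append(b.site)
    return exposed


if __name__ == "__main__":
    for name, cfg in (("A", CONFIG_A), ("B", CONFIG_B)):
        print(name, "external non-SSL reach:",
              reachable_from_internet_without_ssl(cfg, "internalportal"),
              "exposed sites:", audit(cfg))
```

    The model only captures destination-IP and host-header selection; it does not represent the hardware load balancer option mentioned earlier in the thread, and it assumes no firewall rule blocks port 80 at the edge. It is that last assumption that makes the second internal IP matter: the NAT can only ever rewrite to 172.16.3.1, so a site bound to 172.16.3.2 is unreachable through it regardless of what a remote hosts file says.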
  • Daniel, keep in mind that just because something is possible in IIS, and via any number of off-box solutions (like hardware load balancers and SSL), doesn't mean that it is supported by SharePoint, or that it is implemented in the same way.

    You can do what you are asking for, however you should do it via SharePoint Central Administration, and "Create or Extend a Web Application" and then "Extend an Existing Application".

    In this way you can create a new web site (in IIS) for accessing your existing SharePoint Web Application, one that can be accessed via a different hostheader, port, using SSL, Authentication mechanism, etc.

    As a general rule, if you can do something in IIS AND in SharePoint, you should do it only in SharePoint.

  • Hi Daniel

    Yea - after a bit of trial and error, the general tip of making sure you do stuff in SharePoint via Extend Web App, and External Access Methods, is very important!

    From Daniel O
