06-18-2012 01:58 AM
I have an question :
let say i have 1 web server with 3 web application on it:
Those 3 web application running in same server with 1 IP Public : 202.x.x.x
If i just want to secure connection for domain : www.company.com or subdomain : my.company.com in SA using core access, how to do this if the server just using 1 IP public ?
Let say If user access domain : www.company.com or my.company.com from internet, traffic will directed to SA, consider like i told before just using 1 IP public.
Solved! Go to Solution.
06-18-2012 04:15 AM
Assuming you are running a windows internal domain, I would make use of this internal namespace that is not published outside you network.
Create an internal dns entry for each site - www.abc.internal - using the windows domain dns. These resolve to the internal ip address.
Add this as a second host header in your IIS setup for each site.
Use these internal names then when you setup the SA resource and be sure the SA is setup to use your internal DNS servers.
06-18-2012 05:45 AM
So do you mean, the most task is done in DNS internal server?
So DNS server is a must, right?
the flow like this: see the below diagram
HQ (local user) or user from internet------------------------------------------
There are 2 location : HQ and DC.
web app is located in DC site, and this server accessed by local user in HQ site and external user from outside(internet/ the local user is mobile).
The goal is to secure this WEB application for the local user and user form external.
for now this domain: www.abc.com, or other domain is published using 1 IP Public.
So the plan is: this web app is not to publish anymore. If user (local user/user form external) want to access this web app must via SA SSL VPN.
How to accomplish this using SA in this environment?
let say in the front is firewall.
Just change NAT in Firewall : NAT IP public to internal SA' IP private or how? considering there are 3 web app using same IP public.
sorry asking more, because i'm still not clear about this.
06-19-2012 01:39 AM
after i gather information from them, the condition is: Local user using Host File define in their PC if they access their web apps. This host file is contain domain name and it's IP local of the server which located in other site(not at HQ).
and for user from external site/internet to access this web apps is forwarding using web alias configured in web server( they said like that)
for the local user, i have clear about that.
I just not clear about external user/internet traffics flow.
Let say is user from internet access this web apps, ex: abc.com : the flow is through ISP's DNS forwarding to Public IP of web apps server in which in this web app server contains 3 web apps using the same Public IP.
If i want installed SA SSL VPN using the same domain : abc.com, so when user access this web apps is forwarding to SA SSL VPN and then access this web apps through SA SSL VPN.
Any idea how is the flow or concept to accompish this ?
for your info this web apps is plan to not publish into internet anymore if using SA SSL VPN.
or the solution is to give the new public IP for this domain that will be using for SA?
I think this can be okay, but need more time to update this domain with new public IP.
06-19-2012 04:15 PM
Sorry for the confusion. I am not sure I understand your full scenario, but here is what I think you are saying.
Currently the three sites are publicly avaialbe using a standard firewall to forward to your web server.
The server uses host headers to sort out the three sites on the single ip address.
The internal HQ users override the DNS and use the same host names to the internal ip address and this will not change.
What I am not clear on is:
When you secure the sites behind the SA will user login be required?
This is the typical scenario. You would setup the SA with either an LDAP user database or a local user database listing. Users authenticate to the SA then are presented with the resources that this user is allowed to see.
You create a new DNS entry and public ip address to have your firewall direct to the SA. The login and authentication are setup on the SA.
You create each web site as a resource using the DNS name. If the sites are no longer public you can just change the DNS entry to the internal ip address and use this in the SA.
You create a role for each type of user that will login. This defines how many and which of the three web sites that kind of user can access.
you map the role to the resources.
Now when the user logs in they receive their role and the web page displays the resources allowed to that role.
06-19-2012 10:01 PM
yes, first what you are said is correct about:
"Currently the three sites are publicly avaialbe using a standard firewall to forward to your web server.
The server uses host headers to sort out the three sites on the single ip address.
The internal HQ users override the DNS and use the same host names to the internal ip address and this will not change."
after discussion with them, they decide internal HQ users will be keep using the current condition (not via SA), but for the user from internet will be using SA.
user must be login to their web apps, so just for 1 web apps will be securing through SA, the 2 others web apps will still publish on internet/not through SA. So the task just for 1 web apps want to be secured and not publish anymore on internet.
The server uses host headers to sort out the three sites on the single ip address. this will keep like this using 1 public ip address.
let say the current domain use for this web apps is my.abc.com, so currently when user access this domain firewall will direct to web server local ip address. If i want to keep using this domain but change firewall directing to local IP of SA, is it possible right? or is it better solution to change public IP for domain my.abc.com?
one more question: i want to put the SA in HQ site(not in same location with web app server) and they have not internal dns server, like i mentioned before user in HQ using host-file define on their PC "override the DNS and use the same host names to the internal web server ip address and this will not change"
question is: is it possible to configure host-file in SA, like on user's pc, because there is no internal dns server which can be configured on SA's DNS setting?
06-20-2012 04:03 AM
Since you are keeping two applications normally public and only moving one behind the SA, you must setup a new ip address to point to your SA login page.
You will then delete the secured application DNS entry so this will no longer forward or work without using the SA.
The SA does allow you to create custom host entries.
But the better solution is to use your internal Microsoft AD DNS domain. In most MS networks you have a domain controller with DNS for an non-internet domain such as mycompany.local. You web server can have a DNS entry here created that can be added to the host header on your web server and remove the old external name. Now both internal clients and the SA use these DNS servers and no host files are needed anymore. These are not visible outside the network and then the site can only be used by the SA or internal domain computers.
06-20-2012 04:22 AM
yes, i think your opinion to setup new public ip address for this domain: my.abc.com that pointing to SA login page is best solution and then SA will forwarding to web app server when user click on bookmarks defined on SA and dns ip must be configured on SA so it can resolve this domain.
like your said "You will then delete the secured application DNS entry so this will no longer forward or work without using the SA" could you explain more details about the meaning?
06-20-2012 04:28 AM
Since you have three applications on the web server and two remain public, you must delete the DNS entry for the secured application. If you do not, then the same forwarding rules that allow the two public sites to work will continue to allow access to the third secured site.
Ideally, you also remove the original host header and setup a new one on that internal AD domain name. This way the outside world does not know the host header. They cannot get around the lack of the DNS entry by creating a host file on their private computer to continue to access the site without logging in.
06-20-2012 04:43 AM
So you mean is delete DNS entry on internal AD domain for secured web apps..
i think its clear for me.
Thank you Spuluka
06-20-2012 04:53 AM
Sorry for the lack of clarity.
You delete the PUBLIC DNS entry of the SECURED application.
Your public web sites have a firewall forwarding rule that allows the web server to deliver those sites to the public. This same rule and server will also allow the public to load that secured web site.
You delete that public dns entry so the public no longer has the ability to resolve the address and use the existing host headers to access the site you are moving secure.
You should also consider CHANGING the host header on the secured web site. Since the DNS entry was previously public a smart hacker can use that information to bypass the deleted DNS record by creating their own local host file. Then they still have access to the newly secured site. If you change the host header they will not know the new value and cannot do this.
I suggest that the new host header be your internal AD dns name. securesite.mycompany.local. Then this will work for your internal domain computers and can be what you setup in the web bookmark on the SA.
This also means the host files you use internally are no longer needed and users have a new bookmark to the secured site.
08-13-2012 03:33 AM
continuing for this issue, i already config SA and using local DNS and it's run well. user can login through SA and access the web resource server, but the question is : after successfull login to SA and sometimes when access the web server is slow and sometimes is fast for the page show up. i see in logging that SA already sent traffics to Web server but the received is take longer time, i think this is cause the web page is takes longer time to show up.
But if i access the web page directly from browser without using SA, the web page is show up fast.
any idea ?