Help with Extranet site and IIS / DNS settings

Hi all,

I'm coding up a new extranet site, but struggling with what to do regarding IIS and DNS settings.

Internal clients will use the on-premise DNS servers to resolve addresses, but what about external clients? They will be resolving externally, so how do I make a site work for both internal and external clients?

The security will be handled by a Fortinet 1500D firewall; clients coming in will authenticate through the firewall before hitting the websites. I only want clients to have to authenticate once, but every user has to be authenticated at least once for security.

IIS will be v8.5.

Thanks
 
You usually need to create a subdomain on your external DNS provider, like extranet.companydomain.co.uk, then point that extranet subdomain to a free external IP. Then you NAT the external IP through to the internal IP of the Windows server that hosts IIS.

You should have a split scope on your internal DNS where you have a local domain and a zone for your external domain. Inside the zone for your external domain, create a record for extranet and point it to the internal or external IP, depending on preference and site settings. This way, if people internally go to the subdomain, they get through.
 
Thanks :D

What do I do regarding links on the extranet site?

Say I have a link to http://server.domain.com. Internal clients resolve this to 10.10.1.2, but what happens when external clients click the link? I guess it will resolve server.domain.com with the external DNS, but that shouldn't have our internal IP address in it :confused:
 
I would recommend then, on your internal DNS, pointing extranet.yourdomain.co.uk to the external IP. Then when people internally access the site, they will access it as if they were external.

You may not have a split DNS scope internally. If you have Exchange 2010 and have updated your certificates to remove internal domains, then you will have one; otherwise it's possible that it has not been created yet. Then it won't need to be set up internally, because the internal DNS won't affect accessing extranet.yourdomain.co.uk.
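The split-scope zone from the earlier reply, the "point it at the external IP" variant from this one, and the internal-address leak worried about above, as an added PowerShell example that is not from the thread. It assumes a Windows DNS server with the DnsServer module; the domain name is the thread's, and the IP addresses (IIS host 10.10.1.2, NAT address 203.0.113.10, the two resolvers) are constructed.

```powershell
# Split-scope DNS for the extranet name on a Windows DNS server (DnsServer module).
# Assumed/constructed values: companydomain.co.uk (from the thread), IIS host 10.10.1.2
# (the thread's example internal address), public NAT address 203.0.113.10 (constructed).
Import-Module DnsServer

$PublicDomain = 'companydomain.co.uk'
$HostLabel    = 'extranet'
$InternalIp   = '10.10.1.2'
$ExternalIp   = '203.0.113.10'
$InternalDns  = '10.10.1.1'        # constructed: an on-premise DNS server
$ExternalDns  = '198.51.100.53'    # constructed: any resolver that sees only public DNS

# Create a zone for just the extranet FQDN rather than copying the whole public zone.
# A full internal copy of companydomain.co.uk shadows every public record (www, MX,
# autodiscover, ...) that is not re-created inside it; a one-name zone does not.
$ZoneName = "$HostLabel.$PublicDomain"
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain'
}

# The apex record of the one-name zone is the extranet hostname itself.
# Use $InternalIp to reach IIS directly, or $ExternalIp to go in "as if external";
# the latter only works if the firewall hairpins (loopback NATs) inbound VIP traffic.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name '@' `
    -IPv4Address $InternalIp -TimeToLive (New-TimeSpan -Minutes 5)

# Check the result from both vantage points and flag a private address that is
# visible from outside, which is the leak the thread worries about.
function Test-SplitResolution {
    param([string]$Fqdn, [string]$InsideServer, [string]$OutsideServer)
    $private = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)'
    $inside  = (Resolve-DnsName -Name $Fqdn -Type A -Server $InsideServer  -ErrorAction Stop).IPAddress
    $outside = (Resolve-DnsName -Name $Fqdn -Type A -Server $OutsideServer -ErrorAction Stop).IPAddress
    [pscustomobject]@{
        Fqdn            = $Fqdn
        InsideAnswer    = $inside  -join ','
        OutsideAnswer   = $outside -join ','
        PrivateIpLeaked = [bool]($outside | Where-Object { $_ -match $private })
    }
}

Test-SplitResolution -Fqdn $ZoneName -InsideServer $InternalDns -OutsideServer $ExternalDns
```

Run the check for every hostname linked from the extranet pages, not only the extranet name itself, since a link to an internal-only name is exactly the case that breaks for external clients.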
 
Thanks,

Basically we are saying that we need to make all of our internal websites available externally (secured, I'm assuming, with IIS), and then point all the records towards our external IP.

Ideally we don't want to do this, as we want all external traffic to point into our Fortinet firewall. I think the only way we can do this is by having all external traffic hit a clientless VPN, and then allowing them access to internal sites.

Or... by using MS UAG server; again, we don't want that product.
 
Each site or external server will have to have its own external ip if they are on the same ports.

On your firewall you will have multiple WAN IPs configured. Then when someone goes to the external IP, they will hit the firewall and the firewall will redirect through to the internal IP on port 80/443. Each different external IP should be NATed to a different internal IP.
 
They would have to log in like OWA or similar. The IIS site would have to be configured to connect to the domain internally.

Pass-through authentication won't work if you are accessing it externally. You would have to connect internally to get that working, if the site supports it.
 
Ah, I see. I guess they would have to log in when hitting each individual site.

I have one of my guys currently on the phone with Fortinet, who are demoing an SSL VPN proxy service which looks kinda cool: external clients hit one site, and then any link they click uses the internal address (no idea how it works, but the firewall is able to proxy them somehow to use internal addressing). Not sure if it will work yet.
 