Help with Extranet site and IIS / DNS settings

Hi all,

I'm coding up a new extranet site, but struggling with what to do regarding IIS and DNS settings.

Internal clients will use the on-premise DNS servers to resolve addresses, but what about external clients? They will be resolving externally, so how do I make a site work for both internal and external clients?

The security will be handled by a Fortinet 1500D firewall; clients coming in will authenticate through the firewall before hitting the websites. I only want clients to have to authenticate once, but every user has to be authenticated at least once for security.

IIS will be v8.5.

Thanks
 
You usually need to create a subdomain on your external DNS provider, like extranet.companydomain.co.uk, then point that extranet subdomain to a free external IP. Then you NAT the external IP through to the internal IP of the Windows server that hosts IIS.

You should have a split scope on your internal DNS where you have a local domain and a zone for your external domain. Inside the zone for your external domain, create a record for extranet and point it to the internal or external IP, depending on preference and site settings. This way, if people internally go to the subdomain they get through.

Thanks :D

What do I do regarding links on the extranet site?

Say I have a link to http://server.domain.com. Internal clients resolve this to 10.10.1.2, but what happens when external clients click the link? I guess it will resolve server.domain.com with the external DNS, but that shouldn't have our internal IP address in it :confused:
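A worked model of the two-view DNS set-up described in the reply above, and of the link problem raised in this post, added here as an example; it is not code from the thread or from any product mentioned in it. It assumes constructed zone data: an internal AD zone domain.com with the IIS host at 10.10.1.2 (the address from the question), the company's public zone companydomain.co.uk held at the external provider with made-up 203.0.113.x public addresses, and an internal copy of that zone holding only the extranet record, as the reply suggests. The audit then classifies every hostname the extranet pages link to by how an internal client and an external client would resolve it, so links that break externally or records that publish an internal address show up before users find them.

```python
import ipaddress

# Constructed sample data, not taken from the thread.
# Records the public DNS provider holds for the company's external domain
# ("intranet" is a deliberate misconfiguration: a private address published externally).
PUBLIC_ZONES = {
    "companydomain.co.uk": {
        "www": "203.0.113.10",
        "extranet": "203.0.113.20",   # public IP that the firewall NATs to the IIS host
        "intranet": "10.10.1.5",      # mistake: internal address leaked into the public zone
    },
}

# What the on-premise DNS server is authoritative for: the internal AD zone plus
# an internal copy of the external zone holding only the extranet record.
INTERNAL_ZONES = {
    "domain.com": {"server": "10.10.1.2"},
    "companydomain.co.uk": {"extranet": "10.10.1.2"},   # "www" was not copied in
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hostnames the extranet pages link to (constructed).
SAMPLE_LINKS = [
    "extranet.companydomain.co.uk",
    "server.domain.com",
    "www.companydomain.co.uk",
    "intranet.companydomain.co.uk",
]


def resolve(zones, fqdn, fallback=None):
    """Emulate a resolver that is authoritative for `zones` and forwards anything
    else to `fallback` (another zone table), or fails if there is none.

    Returns the A record as a string, or None for NXDOMAIN. An authoritative zone
    answers for every name under it, so a name missing from the internal copy of
    companydomain.co.uk is NXDOMAIN internally even if the public zone has it.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest matching zone suffix wins
        zone = ".".join(labels[i:])
        if zone in zones:
            host = ".".join(labels[:i]) or "@"
            return zones[zone].get(host)
    return resolve(fallback, fqdn) if fallback is not None else None


def is_rfc1918(address):
    """True if the address is in one of the private ranges an internal network uses."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def audit_links(link_hosts):
    """Classify each linked hostname by how internal and external clients would resolve it."""
    findings = []
    for host in link_hosts:
        internal = resolve(INTERNAL_ZONES, host, fallback=PUBLIC_ZONES)
        external = resolve(PUBLIC_ZONES, host)
        if external is None:
            status = "unreachable-externally"     # the server.domain.com case from this post
        elif is_rfc1918(external):
            status = "private-ip-leaked"          # public zone reveals and points at an internal address
        elif internal is None:
            status = "unreachable-internally"     # record never copied into the internal zone
        elif internal != external:
            status = "split-horizon-ok"           # both views answer, with different addresses
        else:
            status = "same-both"
        findings.append((host, internal, external, status))
    return findings


if __name__ == "__main__":
    for host, internal, external, status in audit_links(SAMPLE_LINKS):
        print(f"{host:32} internal={internal!s:12} external={external!s:14} {status}")
```

The "www" row shows the caveat in the reply's approach: once the internal server holds a zone named companydomain.co.uk it is authoritative for every name under it, so any public record that is not copied in (www, mail, and so on) stops resolving for internal users; a narrower alternative is an internal zone named just extranet.companydomain.co.uk. On Windows DNS the zone and record would be created with the DnsServer module cmdlets Add-DnsServerPrimaryZone and Add-DnsServerResourceRecordA, and Resolve-DnsName with -Server lets you run the same internal-versus-external comparison against real servers.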
 
Thanks,

Basically we are saying that we need to make all of our internal websites available externally (secured, I'm assuming, with IIS), and then point all the records towards our external IP.

Ideally we don't want to do this, as we want all external traffic to point into our Fortinet firewall. I think the only way we can do this is by having all external traffic hitting a clientless VPN, and then allowing them access to internal sites.

Or... by using MS UAG server; again, we don't want that product.
 
Ah, I see. I guess they would have to log in when hitting each individual site.

I have one of my guys currently on the phone with Fortinet, who are demoing an SSL VPN proxy service which looks kinda cool: external clients hit one site, and then any they click use the internal address (no idea how it works, but the firewall is able to proxy them somehow to use internal addressing). Not sure if it will work yet.
 