Re: Mid-tier and internal network
Is having another web server to service off-campus requests out of the question? That seems like the best idea, so far as DMZs and making *really* sure that your internal services remain that way go.

fwiw,
~james

-Original Message-
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Dwayne Martin
Sent: Thursday, May 29, 2008 9:19 AM
To: arslist@ARSLIST.ORG
Subject: Mid-tier and internal network

Dear List,

We have a Mid-Tier system on a web server that is accessible only to our university’s internal network. That is, someone from within the University can access the Mid-Tier, but someone outside can’t unless they have a VPN. Unfortunately, we also have numerous regular web pages that we DO want outsiders to be able to access. Has anyone had any experience setting up a web server so that Mid-Tier is only available internally, but regular web pages are available to the world?

(Mid-Tier 7.1 patch 2, IIS 6 web server, Windows 2003 machine, Tomcat servlet server)
Re: Mid-tier and internal network
Perhaps you need to set up TWO MidTier servers:

- One MidTier server for internal use only, located on the trusted network
- Another MidTier server for external access, along with serving web pages, located within the DMZ

___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Mid-tier and internal network
Dwayne,

This can be done but I cannot tell you exactly how as it has been a while since I secured websites on IIS. I believe the way to do this would be to create a separate website on the IIS server for the AR Mid-Tier and add an IP Address range restriction to it so that only users who have IP addresses in certain ranges can access the page. You may be able to find some information on Microsoft's site (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/4117d9e2-c7e0-46db-88f6-6e804b4325b0.mspx?mfr=true) about setting this up in IIS and it will likely take some testing to get it to work properly with ARS.

--- J.T. Shyman
Re: Mid-tier and internal network
Thanks, Russel and Brad and JT. The trouble with a separate website is that we have links to all these websites that point to https://remedy.jmu.edu/whatever.asp. Tracking all those links down and changing them, or changing our Mid-Tier address would be a major pain, but that might be the way we have to go.

Dwayne
Re: Mid-tier and internal network
The alternative would be to write your own filter... I've got no experience in doing this but it may be possible to create an ISAPI filter (http://en.wikipedia.org/wiki/ISAPI) that checks for the arsys URL and then compares it to a list of IP address ranges and only allows access under certain conditions. Good luck and please let us know which way you go and any pains you run into.

--- J.T. Shyman
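The check described in the message above (match the arsys URL, then compare the client address with a list of ranges), written out as portable C decision logic. This is an added example, not code from the thread or from any vendor; the ISAPI glue that would supply the URL and client address is omitted, and the `/arsys` prefix, the two network ranges and all function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAXURL 1024
#define PROTECTED "/arsys"   /* assumed Mid-Tier prefix, lower case */
enum verdict { ALLOW, DENY };
/* Constructed placeholder ranges (bits 1..32): 10.0.0.0/8 and 192.0.2.0/24. */
static const struct { uint32_t net; int bits; } ALLOWED[] = { { 0x0A000000u, 8 }, { 0xC0000200u, 24 } };

static int ip_allowed(const char *ip) {
    unsigned a, b, c, d; char tail;                  /* tail catches trailing junk */
    if (sscanf(ip, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;   /* fail closed */
    uint32_t addr = (a << 24) | (b << 16) | (c << 8) | d;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        uint32_t mask = 0xFFFFFFFFu << (32 - ALLOWED[i].bits);
        if ((addr & mask) == (ALLOWED[i].net & mask)) return 1;
    }
    return 0;
}

/* Canonicalise before matching: drop the query, decode %XX once, fold case, treat
   '\' as '/', collapse "//", resolve "." and "..". out needs MAXURL + 1 bytes. */
static int normalize(const char *url, char *out) {
    char tmp[MAXURL]; size_t n = 0;
    for (const char *p = url; *p && *p != '?'; p++) {
        int ch = (unsigned char)*p;
        if (ch == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            char hex[3] = { p[1], p[2], '\0' };
            ch = (int)strtol(hex, NULL, 16); p += 2;
        }
        if (ch == 0 || n + 1 >= sizeof tmp) return 0;    /* %00 or oversized: reject */
        tmp[n++] = (char)(ch == '\\' ? '/' : tolower(ch));
    }
    tmp[n] = '\0'; n = 0;
    for (const char *seg = tmp; *seg; ) {
        size_t len = strcspn(seg, "/");
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            while (n > 0 && out[--n] != '/') {}           /* pop previous segment */
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            out[n++] = '/'; memcpy(out + n, seg, len); n += len;
        }
        seg += len; if (*seg == '/') seg++;
    }
    out[n] = '\0'; return 1;
}

/* Public pages pass for everyone; the protected prefix only for listed networks. */
static enum verdict check_request(const char *url, const char *client_ip) {
    char path[MAXURL + 2]; size_t k = strlen(PROTECTED);
    if (!normalize(url, path)) return DENY;
    if (strncmp(path, PROTECTED, k) != 0 || (path[k] != '/' && path[k] != '\0')) return ALLOW;
    return ip_allowed(client_ip) ? ALLOW : DENY;
}
int main(void) { return check_request("/whatever.asp", "203.0.113.9"); } /* exit 0 = allowed */
```

The filter must compare the same canonical path the web server routes on, and the client address must come from the connection itself rather than from a request header.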
Re: Mid-tier and internal network
If IIS is your web server, why not create two separate virtual directories--one for your Remedy apps and one for your outside-facing non-Remedy apps. Then you can set directory security individually for each virtual directory (i.e., set up an IP range).

Then to avoid changing links, replace your actual .asp pages with pages that do a redirect to the actual page. For example, suppose your actual page is https://remedy.jmu.edu/whatever.asp and that page shows a nice list of professors or something. Rename that to something like https://remedy.jmu.edu/virtualdirectoryname/professors.asp and then just turn whatever.asp into a redirect to professors.asp. Thus, the change would be invisible to the end user.
Re: Mid-tier and internal network
What about creating a non-ARS web front-end that pointed directly to the forms (menu? list of links?) you wanted to allow outside access to? That should be pretty easy for a Java/XML programmer to do. The only other way I can think of would be to create a separate mid-tier server that lives outside the firewall, and redirect all the traffic that goes there to the shorter list of forms (maybe put them in a separate application, and only deploy that application to that MT server?).

Rick
Re: Mid-tier and internal network
Or two virtual servers, each with its own IP. That way you could limit access with NAT and firewall rules.

-- Tony Worthington Sr. Technical Analyst Kohl's Department Stores [EMAIL PROTECTED] 262-703-5911