You can have an extranet web application that is accessed anonymously. You can 
also extend the web application of your intranet so it's externally accessible.
With different web applications used you can have different authentication 
methods and have one anonymous and the other using regular Windows 
authentication.

The only problem with that is anyone can access your extended intranet and they 
will be presented with an NTLM login pop-up, and then anyone on the web can 
attempt to log in to your intranet, and they'll be authenticating directly 
against your Active Directory. There's a chance hackers could try a brute-force 
attack to determine passwords for accounts, or if you have an 'incorrect 
login attempt count' you could get anyone locking AD accounts by trying to 
log in by guessing passwords.

If this is a concern, secure the extended external intranet with a client 
certificate. It won't require VPN, and it will keep the site more secure as you 
need to have the certificate before you can even attempt to log in to your 
intranet. But it will require that external users be sent certificates and that 
they install them.

Or simply require external users to VPN in first :)

Sezai Kömür
Senior Developer  - BEng, BSc - Microsoft Certified Technology Specialist  -  
http://www.moss2007.com.au/
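
Added example, not part of the original thread: a sketch of how the password-guessing risk described above could be watched for in the IIS logs of the externally published web application. It assumes W3C logging with the `sc-substatus` and `sc-win32-status` fields enabled; the internal ranges, threshold and sample log lines are constructed for illustration. Counting every 401 would flag each legitimate user, because a normal NTLM handshake itself produces 401 responses, so only the logon-denied status is counted.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: internal address space; any other client IP is treated as external.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
LOGON_DENIED = "2148074252"  # 0x8009030C SEC_E_LOGON_DENIED (credentials rejected)
THRESHOLD = 3                # hypothetical per-source alert threshold

# Constructed sample log. 401.2 and 401.1 with status 2148074254
# (0x8009030E, no credentials yet) are normal NTLM handshake legs.
SAMPLE_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2008-02-18 01:00:01 198.51.100.20 - GET /default.aspx 401 2 5
2008-02-18 01:00:01 198.51.100.20 - GET /default.aspx 401 1 2148074254
2008-02-18 01:00:02 198.51.100.20 alice GET /default.aspx 200 0 0
2008-02-18 01:05:10 203.0.113.7 - GET /default.aspx 401 1 2148074254
2008-02-18 01:05:10 203.0.113.7 - GET /default.aspx 401 1 2148074252
2008-02-18 01:05:11 203.0.113.7 - GET /default.aspx 401 1 2148074252
2008-02-18 01:05:12 203.0.113.7 - GET /default.aspx 401 1 2148074252
2008-02-18 01:06:00 10.1.2.3 - GET /default.aspx 401 1 2148074252
"""

def parse(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def denied_logons_by_source(log_text):
    """Count rejected-credential responses per external client IP."""
    counts = Counter()
    for rec in parse(log_text):
        if (rec["sc-status"] == "401" and rec["sc-substatus"] == "1"
                and rec["sc-win32-status"] == LOGON_DENIED
                and is_external(rec["c-ip"])):
            counts[rec["c-ip"]] += 1
    return counts

def suspects(log_text, threshold=THRESHOLD):
    """External sources at or above the threshold, sorted for stable output."""
    counts = denied_logons_by_source(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Which accounts are being targeted or locked out is not visible from these fields; that has to be correlated with the domain controllers' security event logs.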

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Culmsee
Sent: Monday, 18 February 2008 8:33 AM
To: [email protected]
Subject: RE: [OzMOSS] Extranet Scenario Best Practice Advice Please

Hiya

Rather than provide a login on the external side, can they not just click a 
menu option like "customer logon" on the anonymous site, that links straight to 
the (likely ISA2006) published intranet web app (using different DNS alias)?

That might seem innocuous, but that alone means no app dev or customizations 
and then it's a fairly standard extended web app with FBA or some other non AD 
based auth provider. Microsoft don't support client integration in this 
scenario as Clayton mentioned a while back in another thread, but there are 
lots of blogs on how to make it work. (I've never had to do client integration 
in this scenario though).

Whether all of this is a bad idea or not is a risk proposition. Certainly, I'd 
be using a different SSP/web app site collection for this external facing part 
or their intranet if I could.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Trevor Andrew
Sent: Monday, 18 February 2008 8:18 AM
To: [email protected]
Subject: [OzMOSS] Extranet Scenario Best Practice Advice Please

Hi All,

I would like some advice regarding an Intranet / Extranet Scenario a client 
wants us to set up.

They want to use MOSS External Connector to an externally facing, anonymously 
accessed MOSS installation. However they then want this anonymously accessed 
MOSS installation to provide a login link which allows an externally located 
user full access to the separate MOSS based Intranet on a separate server, on 
which content authoring and publishing is performed. They also want these 
external users to be able to use Office 2007 products against this secured MOSS 
based "Intranet" while accessing it externally without a VPN connection.

I am uncomfortable with elements of this proposed scenario, and would really 
appreciate any pointers people can provide on the best way to approach such a 
scenario, or in fact the advisability / inadvisability of it, or superior 
alternative approaches.

Kind Regards,
Trevor Andrew

------------------------------------------------------------------- OzMOSS.com 
- to unsubscribe from this list, send a message back to the list with 
'unsubscribe' as the subject.
Powered by mailenable.com - List managed by www.readify.net
