IIS - DNS - Internal vs. External

 
 
JohnB
05-13-2010
This is most likely the wrong place to ask this, but I'm not finding a
web-based Microsoft IIS forum. And the MS USENET forums for DNS or IIS look
pretty dead.

I have IIS running on a Server 2003 machine on our LAN. There's one website
on there, some type of portal where people enter their hours worked. They
have a username/password to get in. They access this both internally and
from the internet. I've been working here a short time and I found out the
other day that it's using port 80. I don't feel comfortable leaving it at
port 80 for public access. And putting it on a DMZ isn't an option, it's
also a file server.

I'd like to do 2 things:
- create a public DNS record so that outside users can enter something
like: appName.DomainName.com, instead of the public IP and then the port
number
- something similar internally with DNS, like: AppName.Server.local

To do the first part I'd:
- change the port in IIS from 80 to 8080
- map the port in the router
- create an "A" record in DNS, and point it to our static IP

The second part:
- create the DNS record on a DC

Is this possible?
How do I specify the port number for the external DNS record, so the user
doesn't have to?

Thanks.


 
kj [SBS MVP]
05-13-2010
I'm not really a web guy, but I'd really think you'd want to get this on SSL
port 443 and keep port 80 out.
--
/kj


 
JohnB
05-13-2010
Right now I have 443 used for remote management for our routers.


Leythos
05-13-2010
Is this file server part of the domain you're talking about in another
thread?

If so, you don't want to allow anonymous port 80 access. While you might
be using SSL (443) to manage your routers (as you replied in a later
post), you can change that to any port you want and properly set up SSL
on your internal LAN side server and disable HTTP.

You cannot set the port using external DNS, so, just change the router
management port, since that would only impact you.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
(remove 999 for proper email address)
 
JohnB
05-13-2010
> Is this file server part of the domain you're talking about in another
> thread?
>

Hmm... not sure which thread. The server in question here is part of a
domain.


> If so, you don't want to allow anonymous port 80 access.

Right, I do not.


> While you might
> be using SSL (443) to manage your routers (as you replied in a later
> post), you can change that to any port you want and properly set up SSL
> on your internal LAN side server and disable HTTP.

Sure, I can change it in the router. I'm not a web guy, so I don't know how
to set up SSL. I see the box in IIS for SSL port. How is that going to
work?


> You cannot set the port using external DNS, so, just change the router
> management port, since that would only impact you.

And that's what I don't understand about internet hosts/DNS. For example,
if I created an "A" record for "vpn", and someone set up a VPN client, they
could just put in vpn.domain.com, versus the IP address. But they wouldn't
have to specify a port number, the client takes care of that. If someone on
the internet wants to access our internal website, and it's not the default
port of 80, how does AppName.DomainName.com get forwarded to the IIS server,
if a port number isn't specified? That's what I'm hoping to get to. That
they just enter (from the internet) AppName.DomainName.com. But if a port
number isn't specified in a browser, isn't 80 assumed?


 
Leythos
05-13-2010
Because HTTP is port 80 by default, HTTPS is port 443 by default - the
client apps (like Firefox, IE, Opera) know this and will use the
default port. Yes, if HTTP is used without :80, then port 80 is assumed,
since you're talking about HTTP traffic.

The same is true of your VPN, depending on the VPN client it will
automatically want to use certain ports.

As for managing your routers, you can always set them to port 444 and
then you would type HTTP://router.ip.address:444 to access them from a
web browser.

Before you screw this up and compromise your network you should hire a
consultant to do this right the first time.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
(remove 999 for proper email address)
 
JohnB
05-13-2010
The internal website has been publicly accessible from port 80 for about 5
years now. I can't do much worse than that. Well, I guess I could somehow
make it totally inaccessible. But, I think I'm pretty close to figuring
this out. I appreciate your advice.



 
+Bob+
05-14-2010
John:

Your traffic from outside should really use https as otherwise the
usernames and passwords are sniffable on the network. You will need to
purchase an SSL certificate and install that on the server. A good
book on IIS should explain the process. Certificates can be had for
$100 or less these days.

That said, if you wanted traffic for a specific IP to route to a
specific internal IP/port, you'd generally do that in the router, not
on the web server. The web server would be set up to listen on
whatever port you have the router forwarding. But, that would not be
the right approach in this case. Security by obscurity is really no
security at all.
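
The default-port behaviour Leythos describes and the cleartext point +Bob+ makes, as an added example that is not part of the original thread. The example.com host names are constructed and the function names `effective_endpoint` and `audit` are hypothetical.

```python
from urllib.parse import urlsplit

# The port comes from the URL scheme or an explicit ":port"; a DNS A record
# only maps a name to an IP address and cannot carry a port.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample addresses (example.com stands in for the real domain).
PUBLISHED = [
    "appname.example.com",              # what users type today
    "http://appname.example.com:8080",  # the proposed port change
    "https://appname.example.com",      # HTTPS on its default port
    "https://router.example.com:444",   # router management moved off 443
]


def effective_endpoint(typed):
    """Return (scheme, host, port) a browser would connect to."""
    if "://" not in typed:          # bare host names are treated as http://
        typed = "http://" + typed
    parts = urlsplit(typed)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not a web address: {typed!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def audit(addresses):
    """List the issues each published address has, keyed by the typed string."""
    report = {}
    for typed in addresses:
        scheme, _host, port = effective_endpoint(typed)
        issues = []
        if scheme == "http":
            # HTTP on any port is still readable by anyone on the network path.
            issues.append("credentials sent in cleartext")
        if port != DEFAULT_PORTS[scheme]:
            issues.append("users must type the port")
        report[typed] = issues
    return report


if __name__ == "__main__":
    for typed, issues in audit(PUBLISHED).items():
        print(effective_endpoint(typed), issues or ["ok"])
```

Only the HTTPS address on its default port comes back with no issues: moving HTTP to 8080 keeps the cleartext finding and adds a port users have to type.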


 
JohnB
05-14-2010
After further review.... I think I'm going to leave it as is for now. Maybe
talk the manager into buying the software VPN client for our routers.

Thanks for the suggestions.