External Access creation and configuration Question

0
Hi,
We use Windows authentication with SSO to identify users of our SBM application.
We want to open SBM to be used outside our domain (for our customers' use).
I noticed that in 'Configurator', under the 'Other Settings' tab, there is an 'External Access' section which contains a configuration for 'IIS application for external authentication'.

Q: Does someone have an example of such an external authentication application and how to configure it in IIS?
I'm not familiar with 'ISAPI' and 'ModSecurity IIS', which are mentioned in the documentation (sbms_installation_guide.pdf, page 79).

Accepted Answer

Monday, January 16 2017, 04:39 PM - #Permalink
0
Hi, yes the topology image is just what we have in place. In regards to your 2 questions.

Q1: All users have unique logins, so unless a customer can guess an employee's username and password they can only log in as themselves.
Q2: We don't stop our employees logging in externally. However, to do that they need to set up an internal SBM password so that they can use that to log in via the external server. (Even though they set a password, they still use domain authentication when using the system internally).
Responses (6)
  • Accepted Answer

    Wednesday, January 11 2017, 08:21 PM - #Permalink
    0
    Google for custom IIS authentication "Membership provider"

    • Aviad Moses
      more than a month ago
      Hi Paul,
      First, thanks for your comment.
      As far as I know, Membership provider is used to handle user accounts (creating\changing passwords...).
      To use that I need to use Forms authentication.
      So far all is OK.

      How can the authentication in one site affect the authentication in SBM's site?
      In other words, if the authentication succeeded in the "external site", how are the credentials transferred to SBM's site?
  • Accepted Answer

    Sunday, January 15 2017, 03:28 PM - #Permalink
    0
    Sorry, can't help with the External Authentication, but I can share with you how we address the same situation. For security reasons we needed to restrict as much as possible traffic that could potentially enter our internal network from outside, so instead of exposing our internal SBM app server to the world, we set up a second app server outside our firewalls, then configured specific firewall rules to limit traffic from that server to the database and license server (including restricting the ports available). While it meant that we had to purchase a second server license, that cost is not that onerous and gives us a level of comfort in the security restrictions imposed. On the external server we have authentication set for internal SBM passwords, and internally we use SSO.
  • Accepted Answer

    Sunday, January 15 2017, 11:53 PM - #Permalink
    0
    Hi David,
    Thanks for your answer.
    Just to be sure, you have 3 Servers:
    1. DB (Internal)
    2. App (internal)
    3. App (External)

    The external app server connects to the database server via a firewall.
    The external app server is exposed to the WWW.

    If that is so, and regular users don't have a password (because they authenticate by SSO (LDAP, Windows domain...)):
    Q1: How do you prevent customers from logging in to SBM with the username of the 'Regular users'?
    Q2: How do you prevent regular users (not Occasional\External users) from logging in to your system from outside?

    (I tried to upload a server topology image, I hope I succeeded)
  • Accepted Answer

    Tuesday, January 17 2017, 12:22 AM - #Permalink
    0
    David Sheaffe wrote:

    Hi, yes the topology image is just what we have in place. In regards to your 2 questions.

    Q1: All users have unique logins, so unless a customer can guess an employee's username and password they can only log in as themselves.
    Q2: We don't stop our employees logging in externally. However, to do that they need to set up an internal SBM password so that they can use that to log in via the external server. (Even though they set a password, they still use domain authentication when using the system internally).


    Thanks again David,
    Your answers help me to understand the puzzle.
    But now I have more questions:
    Q3: Is there a special SBM installation for such an external app server? What exactly should I install there? Should I install everything besides Database and Composer?
  • Accepted Answer

    Tuesday, January 17 2017, 03:50 PM - #Permalink
    0
    Even though it isn't needed, our external server has a complete install. I know there are components that aren't needed, but wasn't exactly sure which ones. I think I had seen on the Knowledgebase an article on what components are required for a distributed installation, so if you can find that it might give you the correct answer.