Thursday, October 04, 2007

firewall-wizards Digest, Vol 18, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Allowing Internet Access to MS Project Server
(jdgorin@computer.org)
2. Re: Allowing Internet Access to MS Project Server (D Sharp)
3. Re: Allowing Internet Access to MS Project Server
(Darden, Patrick S.)
4. Re: Allowing Internet Access to MS Project Server (D Sharp)
5. Re: Allowing Internet Access to MS Project Server
(jdgorin@computer.org)


----------------------------------------------------------------------

Message: 1
Date: Wed, 03 Oct 2007 19:00:38 +0200
From: jdgorin@computer.org
Subject: Re: [fw-wiz] Allowing Internet Access to MS Project Server
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <1191430838.4703cab68ffa6@imp.free.fr>
Content-Type: text/plain; charset=ISO-8859-1


Hi Duncan,

I have, some time ago, faced the same challenge. And we have set up a Citrix server
hosting the MS Project application (not the 2007 version), with a dedicated AD
forest for external users.
The Citrix server is accessed through a VPN connection.

So, an external user needs:
* Credentials from the security team to access the VPN.
* Credentials from the MS Project team to access the application.

The VPN credentials can be a simple password, or a soft or hard certificate (depends on
your security policy).

Regards,
JDG


> -----Original Message-----
> From: firewall-wizards-bounces@listserv.cybertrust.com
> On Behalf Of D Sharp
> Sent: Tuesday, October 02, 2007 8:10 PM
> To: Firewall Wizards Security Mailing List
> Subject: [fw-wiz] Allowing Internet Access to MS Project Server
>
> Hi;
>
> A IT project Managers would like to install MS Project 2007
> server and make that the central repository for all our IT
> related projects. Since we have significant numbers of
> outsourced contractors, the team would like external access
> enabled. Also to keep costs low they would like the server
> to have an Internet presence. Our server support team would
> like the server(s) to be part of our internal AD domain.
>
> We have OWA exposed to the Internet, but through a secure
> proxy.
>
> What should be some key security areas?
>
> Thanks,
> Duncan Sharp
>


------------------------------

Message: 2
Date: Wed, 03 Oct 2007 09:39:31 -0700
From: D Sharp <drsharp@pacbell.net>
Subject: Re: [fw-wiz] Allowing Internet Access to MS Project Server
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <4703C5C3.404@pacbell.net>
Content-Type: text/plain; charset=us-ascii; format=flowed

Darden, Patrick S. wrote:

Yes, the logical layout would be how I would like it.
That is how we have our OWA setup, with an OWA filtering proxy server.

But I have not found a purpose-built "MS PWA" secure proxy yet.

I am looking at general secure web application proxies.

Thanks,
Duncan

>So, I think you are saying you have this:
>
>internet-------------------------------------------
>            |
>         firewall
>            |
>dmz------------------------------------------------
>            |                  |
>         firewall      secure proxy server (https)
>            |
>internal network---------------------------------
>            |
>     ms project server
>
>So, if the only way to access the ms project server from the internet is thru the proxy server, then you should be golden.
>
>--p
>
>
>-----Original Message-----
>From: firewall-wizards-bounces@listserv.icsalabs.com
>[mailto:firewall-wizards-bounces@listserv.icsalabs.com]On Behalf Of D
>Sharp
>Sent: Tuesday, October 02, 2007 2:10 PM
>To: Firewall Wizards Security Mailing List
>Subject: [fw-wiz] Allowing Internet Access to MS Project Server
>
>
>Hi;
>
>A IT project Managers would like to install MS Project 2007 server and
>make that the central repository for all our IT related projects. Since
>we have significant numbers of outsourced contractors, the team would
>like external access enabled. Also to keep costs low they would like the
>server to have an Internet presence. Our server support team would like
>the server(s) to be part of our internal AD domain.
>
>We have OWA exposed to the Internet, but through a secure proxy.
>
>What should be some key security areas?
>
>Thanks,
>Duncan Sharp
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@listserv.icsalabs.com
>https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 3
Date: Wed, 3 Oct 2007 13:23:08 -0400
From: "Darden, Patrick S." <darden@armc.org>
Subject: Re: [fw-wiz] Allowing Internet Access to MS Project Server
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <CBE22E5FF427B149A272DD1DDE1075240184E2C2@EX2K3.armc.org>
Content-Type: text/plain; charset="iso-8859-1"


You could use several solutions. Here are a few:

--apache reverse proxy, free and industry standard http://www.apachetutor.org/admin/reverseproxies
--squid https web proxy server, free and industry standard http://www.squid-cache.org
--secure citrix gateway http://www.citrix.com/English/ps2/products/product.asp?contentID=15005
--ssl vpn (dozens of these out there, but I like Nortel's: inexpensive, comes with IPSEC vpn too)
--ipsec vpn (again, I love Nortel's Contivity Extranet Switch series--inexpensive and utterly reliable)

--p

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com]On Behalf Of D
Sharp
Sent: Wednesday, October 03, 2007 12:40 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Allowing Internet Access to MS Project Server


Yes, the logical layout would be how I would like it.
That is how we have our OWA setup, with an OWA filtering proxy server.

But I have not found a purpose-built "MS PWA" secure proxy yet.

I am looking at general secure web application proxies.

Thanks,
Duncan


------------------------------

Message: 4
Date: Wed, 03 Oct 2007 12:48:09 -0700
From: D Sharp <drsharp@pacbell.net>
Subject: Re: [fw-wiz] Allowing Internet Access to MS Project Server
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: firewall-wizards@listserv.cybertrust.com
Message-ID: <4703F1F9.8020307@pacbell.net>
Content-Type: text/plain; charset=us-ascii; format=flowed

jdgorin@computer.org wrote:

>Hi Duncan,
>
>I have, some time ago, faced the same challenge. And we have set up a Citrix server
>hosting the MS Project application (not the 2007 version), with a dedicated AD
>forest for external users.
>The Citrix server is accessed through a VPN connection.
>
>
>
Given the newer MS Project server supports a web access function, the
plan was to use something with less overhead than Citrix/Terminal
Services. Possible methods are:
a: Secure Proxy server with specific PWA filters, yet to be identified.
b: Generic SSL/VPN security gateway that allows for URL filtering to a
DMZ'd PWA (web) server.
c: Web application security filter (transparent proxy) to a DMZ'd PWA
(web) server.

The MS Project Server would be separated into tiers: web, application, DB.

>So, an external user needs:
> * Credentials from the security team to access the VPN.
> * Credentials from the MS Project team to access the application.
>
>The VPN credentials can be a simple password, or a soft or hard certificate (depends on
>your security policy).
>
>
>
So would the VPN credentials be separate from the "MS Project team"
credentials?
Right now the majority of our user vpn access is by AD credentials.

>Regards,
> JDG
>
>
>
>
>>-----Original Message-----
>>From: firewall-wizards-bounces@listserv.cybertrust.com
>>On Behalf Of D Sharp
>>Sent: Tuesday, October 02, 2007 8:10 PM
>>To: Firewall Wizards Security Mailing List
>>Subject: [fw-wiz] Allowing Internet Access to MS Project Server
>>
>>Hi;
>>
>>A IT project Managers would like to install MS Project 2007
>>server and make that the central repository for all our IT
>>related projects. Since we have significant numbers of
>>outsourced contractors, the team would like external access
>>enabled. Also to keep costs low they would like the server
>>to have an Internet presence. Our server support team would
>>like the server(s) to be part of our internal AD domain.
>>
>>We have OWA exposed to the Internet, but through a secure
>>proxy.
>>
>>What should be some key security areas?
>>
>>Thanks,
>>Duncan Sharp
>>
>>
>>

------------------------------

Message: 5
Date: Thu, 04 Oct 2007 10:57:44 +0200
From: jdgorin@computer.org
Subject: Re: [fw-wiz] Allowing Internet Access to MS Project Server
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <1191488264.4704ab08a764c@imp.free.fr>
Content-Type: text/plain; charset=ISO-8859-1


> -----Original Message-----
> From: firewall-wizards-bounces@listserv.cybertrust.com
> On Behalf Of D Sharp
> Sent: Wednesday, October 03, 2007 9:48 PM
>
> Given the newer MS Project server supports a web access function, the
> plan was to use something with less overhead than Citrix/Terminal
> Services. Possible methods are:
> a: Secure Proxy server with specific PWA filters, yet to be
> identified.
> b: Generic SSL/VPN security gateway that allows for URL filtering to
> a DMZ'd PWA (web) server.
> c: Web application security filter (transparent proxy) to a DMZ'd PWA
> (web) server.
>
> The MS Project Server would be separated into tiers: web,
> application, DB.

I don't know PWA, but it might be some WebDAV protocol. So, don't put it in
front of the Internet!
Use a reverse proxy with some authentication to be sure of who connects to your
PWA server.

> >So, an external user needs:
> > * Credentials from the security team to access the VPN.
> > * Credentials from the MS Project team to access the application.
> >
> >The VPN credentials can be a simple password, or a soft or hard
> >certificate (depends on your security policy).
> >
> So would the VPN credentials be separate from the "MS Project team"
> credentials?

In our case: Yes.

That's our policy: segregation of access (access to our information system
through the VPN, then access to the application: different credentials). That's
to deal with an application manager (or AD manager) forgetting to cancel user
credentials, or simply to cancel VPN access without canceling application access
(internal usage).

> Right now the majority of our user vpn access is by AD credentials.

That's a bad thing for us. But it depends on your risks, and so on your security
policy.

JDG
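
One way to build the authenticated reverse proxy suggested in Message 5, using the Apache option listed in Message 3. This is an added example, not part of the original thread or any poster's configuration. It assumes Apache httpd 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded; the host names, file paths and the /pwa/ URL prefix are placeholders.

```apache
# Added example: DMZ reverse proxy in front of the PWA web tier.
# All names and paths below are placeholders (assumptions).
<VirtualHost *:443>
    ServerName pwa.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/pwa.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/pwa.example.com.key

    # Reverse proxy only: never act as a forward (open) proxy.
    ProxyRequests Off

    # Default deny: nothing on the backend is published unless a later,
    # more specific section allows it.
    <Location "/">
        Require all denied
    </Location>

    # Publish only the PWA path. This section comes after "/" so that
    # its access rules take precedence for /pwa/ requests.
    <Location "/pwa/">
        # Authentication at the proxy, with accounts held in a file that
        # is separate from AD (the segregation described in Message 5).
        AuthType Basic
        AuthName "Project Web Access"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/auth/pwa-external.htpasswd

        <RequireAll>
            Require valid-user
            # Refuse every other method, including WebDAV verbs such as
            # PROPFIND and PUT. Assumes PWA works with these three.
            Require method GET POST HEAD
        </RequireAll>

        # Backend is reachable only from the proxy through the inner
        # firewall; external clients never connect to it directly.
        ProxyPass        "http://pwa-web.internal.example/pwa/"
        ProxyPassReverse "http://pwa-web.internal.example/pwa/"
    </Location>
</VirtualHost>
```

Running `apachectl configtest` checks the syntax before reload. The inner firewall rule should allow only the proxy's address to reach the backend web port.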


------------------------------


End of firewall-wizards Digest, Vol 18, Issue 2
***********************************************
