setting up Extranet

FD

We have an existing Project Server 2003 running on a Windows 2003 Server
which we use in an intranet configuration. This works really well so upper
management now wants another Project Server installed but use it in a single
computer configuration in an extranet configuration dedicated only to
outside customers who need to be able to view project files.
I set up the server on my Virtual PC in a test configuration (behind our
firewall) using the single computer installation guide and was able to
successfully make it work in our intranet. I then changed the local area
connection to an IP Address from a block of unused static IP addresses in
the 68.x.x.x range and used the ISP's DNS servers. (We used to be in a
workgroup with all static IPs leased from our ISP, and these IPs are still
active.) This enabled me to access the internet through our firewall. This
server will be on the same physical line as our domain but I want to keep it
completely separate from our domain. My confusion comes in setting up the
extranet. What do I need to do to have outside users securely access this
machine from the internet? Do I need to register a new domain name and
contact our ISP to link this 68.x.x.x. to the new domain? Any suggestions
will be greatly appreciated.

Thanks,
FD
 
Rolly Perreaux

Comments inline...

> We have an existing Project Server 2003 running on a Windows 2003 Server
> which we use in an intranet configuration. This works really well so upper
> management now wants another Project Server installed but use it in a single
> computer configuration in an extranet configuration dedicated only to
> outside customers who need to be able to view project files.
> I set up the server on my Virtual PC in a test configuration (behind our
> firewall) using the single computer installation guide and was able to
> successfully make it work in our intranet. I then changed the local area
> connection to an IP Address from a block of unused static IP addresses in
> the 68.x.x.x range and used the ISP's DNS servers. (we used to be in a
> workgroup with all static IP's leased from our ISP and these IP's are still
> active) This enabled me to access the internet through our firewall.

What type of IIS authentication are you using to access PWA?
Are you using SSL to secure the communication channel between client and
server?
What ports on your firewall are open?
What firewall product are you using?

> This server will be on the same physical line as our domain but I want to
> keep it completely separate from our domain.

If I understand correctly, you should place PWA in the perimeter subnet
or DMZ.

> My confusion comes in setting up the extranet. What do I need to do to have
> outside users securely access this machine from the internet?

The proper way to secure this scenario is to configure SSL on the IIS
server and issue client certificates to access the PWA web server.

> Do I need to register a new domain name and contact our ISP to link this
> 68.x.x.x. to the new domain?

Nope. If you manage the corporate DNS just create a pointer record
(alias) to the server and possibly configure the firewall filter rules
to allow https requests for the alias and direct the public traffic
there. Registering a new domain and adding your static IP address in the
ISP's DNS would be a bad thing. These records are public domain and you
don't want this information to be out in the public.

> Any suggestions will be greatly appreciated.

Personally I would probably implement a VPN solution for just PWA or
Terminal Services (Citrix) solution for PWA and Project Pro
connectivity.

Here's some additional reading on securing Web Servers:

Managing a Secure IIS 6.0 Solution (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/92a064b1-6100-4b18-87cf-a6b179e7f0be.mspx
OR
http://tinyurl.com/8qtke

Windows Server 2003 Security Guide (Chapter 8 - Hardening IIS Servers)
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
OR
http://tinyurl.com/dkbu

Good Luck

--
Rolly Perreaux, PMP
Project Server Trainer/Consultant

IT Summit Series
Advanced Microsoft Technology Training
http://www.itsummitseries.com
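
The screened-subnet layout recommended in the reply above, expressed as an automated check over a firewall rule table. This is an added example, not part of the original thread; the rule format, zone names and sample rules are constructed and are not WatchGuard's policy format.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    src: str     # hypothetical zone names: "external", "dmz", "trusted"
    dst: str
    port: str    # e.g. "443/tcp" or "any"
    action: str  # "allow" or "deny"

def is_https_publish(r):
    """True for the one rule the design needs: Internet -> DMZ on 443/tcp."""
    return (r.action == "allow" and r.src == "external"
            and r.dst == "dmz" and r.port == "443/tcp")

def audit(rules):
    """Return findings for allow rules that break the extranet design.

    Each rule is judged on its own; ordering and shadowing are not modelled.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == "external" and r.dst == "trusted":
            findings.append(f"{r.name}: Internet traffic reaches the internal network")
        elif r.src == "external" and r.dst == "dmz" and r.port != "443/tcp":
            findings.append(f"{r.name}: exposes {r.port} on the extranet host, expected only 443/tcp")
        elif r.src == "dmz" and r.dst == "trusted":
            findings.append(f"{r.name}: extranet host can open connections into the domain")
    if not any(is_https_publish(r) for r in rules):
        findings.append("no rule publishes HTTPS to the extranet host")
    return findings

# Constructed sample policy, not taken from the thread.
SAMPLE = [
    Rule("https-in", "external", "dmz", "443/tcp", "allow"),
    Rule("http-in", "external", "dmz", "80/tcp", "allow"),
    Rule("sql-back", "dmz", "trusted", "1433/tcp", "allow"),
    Rule("admin-rdp", "trusted", "dmz", "3389/tcp", "allow"),
    Rule("default", "external", "trusted", "any", "deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```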
 
FD

Hi Rolly,
Thanks for taking the time to reply to my problem. Here are some answers
and some more questions:
-- I am going to use the certificate server and SSL on the Windows 2003
Project Server.
-- I am using a Watchguard Firebox III/700.
-- Port 443 is open on the firewall. (What ports need to be opened for
Project Server to work for an extranet?)
-- I talked with a Watchguard Tech and he said to use a 1 to 1 NAT solution
on the Firebox because of the public IP, but if I understand correctly, you
said it would be better to use a subnet and use my internal DNS server to
create an Alias record to point towards the Project Server.
-- I am currently using the Mobile User VPN solution and IAS Server to
authenticate our remote users. I was hoping not to have these outside users
install any kind of VPN client software.
(This is a government agency that wants to attach to our Project Server and
read the project files as well as download and upload them through the
SharePoint documents feature. They will not publish any project files.)
 
Rolly Perreaux

Hi FD,

I was reading some information on the Firebox III (as I'm not familiar
with this product) and without looking at your network diagram, it
appears you should have things covered.

Can I assume that the all-in-one Project Server for your client is a
stand-alone server and not joined to your domain? If so, then I think
you're good to go :)

Cheers,

--
Rolly Perreaux, PMP
Project Server Trainer/Consultant

IT Summit Series
Advanced Microsoft Technology Training
http://www.itsummitseries.com
 
FD

Hi Rolly,
Yes, you are correct about the server being a stand-alone server and not
being joined to our domain. Am I correct about using your suggestion to use
a subnet and an internal DNS server instead of the 1 to 1 NAT solution?

Thanks,
FD
 
Rolly Perreaux

Hi FD

My suggestion was for a Screened Subnet (DMZ), but the 1-to-1 NAT
solution from Watchguard will work as well, assuming your clients are
using the MUVPN client.

--
Rolly Perreaux, PMP
Project Server Trainer/Consultant

IT Summit Series
Advanced Microsoft Technology Training
http://www.itsummitseries.com
 
