Ideas needed: Updating intranet websites from the internet
-
@thecreativeone91 said:
No real danger in doing it. HTTPS/SSL is going to be just as secure as a VPN.
It actually IS a VPN under the hood.
-
@scottalanmiller said:
@thecreativeone91 said:
No real danger in doing it. HTTPS/SSL is going to be just as secure as a VPN.
It actually IS a VPN under the hood.
True. But for some reason people seem to think a VPN is solely layer three (and therefore more secure) and not layer 7 just like any other SSL implementation.
-
@thecreativeone91 said:
No real danger in doing it.
Oh, OK. I wasn't sure. In that case, that is probably the easiest solution.
-
@thecreativeone91 said:
True. But for some reason people seem to think a VPN is solely layer three (and therefore more secure) and not layer 7 just like any other SSL implementation.
Yeah, an SSL VPN is layer seven, no matter where it happens or what it is called.
-
OK, SSL experts - newbie here! I currently have one UCC SSL Cert, which I use for my Exchange server. So that is mapped to the domain remote.ourmaincompanydomain.com
Now I could add an additional SAN like intranet.ourmaincompanydomain.com. That will have the same IP address - and our firewall directs traffic to the intranet server or the Exchange server depending on the port (443 for Exchange, another port for the intranet server). So, same IP address, different servers, same cert. That's ok, right?
Alternatively, I could create a new domain intranet.anotherdomain.com and purchase a separate, single cert (or a wildcard cert) and install that on our intranet server. That would be two certs but still only one IP address - is that allowed? I kind of like the idea of keeping everything separate - so if I screw one up I'm not going to screw the other up.
-
If this is just for your own use, why use a purchased cert at all?
-
@scottalanmiller said:
If this is just for your own use, why use a purchased cert at all?
Agreed, since this is only for you, a self signed cert should be just fine.
Sometime this summer the EFF will provide free basic SSL cert. Then you'll be able to have a real cert that your browsers won't complain about for free.
-
No, this would be for an application that several staff have access to.
-
@Carnival-Boy said:
No, this would be for an application that all staff have access to.
Oh, ok. Commercial signed makes sense then.
-
So I think I'm best off purchasing a new wildcard cert for a different domain to the one we use for Exchange. This way I leave Exchange and our main domain UCC cert alone, and our intranet sites use their own domain name externally (eg intranet1.domain2.com; intranet2.domain2.com).
Does that sound ok?
