Ideas needed: Updating intranet websites from the internet

A Former User

@Carnival-Boy said:

@thecreativeone91 said:

Do you not have a Static IP to setup a normal VPN? that or just opening up the ssl version of the site would be the normal way.

I do, but I don't want to expose the site to the internet for what is a very trivial purpose.

No real danger in doing it. HTTPS/SSL is going to be just as secure as a VPN.

scottalanmiller

@thecreativeone91 said:

No real danger in doing it. HTTPS/SSL is going to be just as secure as a VPN.

It actually IS a VPN under the hood.

A Former User

@scottalanmiller said:

@thecreativeone91 said:

No real danger in doing it. HTTPS/SSL is going to be just as secure as a VPN.

It actually IS a VPN under the hood.

True. But for some reason people seem to think a VPN is solely layer three (and therefore more secure) and not layer 7 just like any other SSL implementation.

Carnival Boy

@thecreativeone91 said:

No real danger in doing it.

Oh, OK. I wasn't sure. In that case, that is probably the easiest solution.

scottalanmiller

@thecreativeone91 said:

True. But for some reason people seem to think a VPN is solely layer three (and therefore more secure) and not layer 7 just like any other SSL implementation.

Yeah, an SSL VPN is layer seven, no matter where it happens or what it is called.

Carnival Boy

OK, SSL experts - newbie here! I currently have one UCC SSL Cert, which I use for my Exchange server. So that is mapped to the domain remote.ourmaincompanydomain.com

Now I could add an additional SAN like intranet.ourmaincompanydomain.com. That will have the same IP address - and our firewall directs traffic to the intranet server or the Exchange server depending on the port (443 for Exchange, another port for the intranet server). So, same IP address, different servers, same cert. That's ok, right?

Alternatively, I could create a new domain intranet.anotherdomain.com and purchase a separate, single cert (or a wildcard cert) and install that on our intranet server. That would be two certs but still only one IP address - is that allowed? I kind of like the idea of keeping everything separate - so if I screw one up I'm not going to screw the other up.

scottalanmiller

If this is just for your own use, why use a purchased cert at all?

Dashrender

@scottalanmiller said:

If this is just for your own use, why use a purchased cert at all?

Agreed, since this is only for you, a self signed cert should be just fine.

Sometime this summer the EFF will provide free basic SSL cert. Then you'll be able to have a real cert that your browsers won't complain about for free.

Carnival Boy

No, this would be for an application that several staff have access to.

scottalanmiller

@Carnival-Boy said:

No, this would be for an application that all staff have access to.

Oh, ok. Commercial signed makes sense then.

Carnival Boy

So I think I'm best off purchasing a new wildcard cert for a different domain to the one we use for Exchange. This way I leave Exchange and our main domain UCC cert alone, and our intranet sites use their own domain name externally (eg intranet1.domain2.com; intranet2.domain2.com).

Does that sound ok?