Externalizing your intranet is not covered by support and is done at your own risk.
You must take a snapshot of your web server before starting so you can revert back to your original settings if anything goes wrong.
There are many reasons to consider externalizing your intranet, including allowing mobile access, access from home or outside the office, or access for end users who are not full-time employees. Start by being clear about your reason and evaluating your options. Many customers simply use VPN client technology to grant access outside their LAN, which keeps the web server off the internet entirely. Alternatively, you can make your intranet available directly over the internet.
This article focuses on the steps you need to perform to ensure your server is locked down and your data is secure if you choose to externalize the intranet.
This is an extremely technical process. All steps must be completed as outlined. Any misconfiguration or missed steps will lead to your site being completely inaccessible. Be extremely cautious.
Before starting the process of locking down, follow the steps below to prepare and gather the required information:
- Check whether your URL contains /intranet. Depending on how your intranet was deployed, it may be served from an /intranet subfolder rather than from the site root.
- Check the current drive location of the Intranet. This can be found at the bottom of the Admin page in the Drive Location value.
- Check which CFML Engine you are currently using. This can be found at the bottom of the Admin page in the CFML Engine value. If the CFML Engine is ColdFusion, upgrade your intranet software to the current version before continuing; the steps below assume Lucee.
Refer back to the information gathered as you proceed through the lockdown process.
In This Article
Additional Security Considerations - IIS Crypto
A. Harden Your Server
B. Decide on a Consistent Web Location and Configure Public DNS
C. Isolate Web Applications, Change Drive Paths, Bindings & Web Location
D. Secure Lucee Administrator
E. Prevent Internet Search Engine Indexing
F. Login Settings & IIS Authentication
G. Install SSL Certificate
H. Set up Restricted External User Access as Needed
I. Enable Generic Errors (Version 13.0.4 +)
J. Secure your application files
Additional Security Considerations - IIS Crypto
This process has been implemented by other customers looking to further secure their site. It must be done before hardening your server, and it includes turning off TLS 1.0 and 1.1.
We do not provide support for configuring IIS Crypto beyond the instructions given here, as it is separate software not affiliated with IC. Proceed with caution: if the software is not configured as described in the following instructions, SQL will not start.
Prerequisites:
- SQL Server must be 2016 or 2017 if the SQL server is on the web server (see the Compatibility reference)
- IIS Crypto downloaded
- Local admin rights on the web server
Suggested steps:
- Run a baseline scan of your public URL at https://www.ssllabs.com/ssltest/ and note the grade and the protocols it reports
- Take a snapshot of the web server
- Add the registry entries on the web server so that Stats will continue to work (use the linked registry file; the entries described in the article will not work)
- Run IIS Crypto and choose Best Practices
- Uncheck TLS 1.0 and 1.1, click Apply, and restart when prompted
- Verify that the intranet loads successfully and that the Stats scheduled task runs successfully (for version 14.0+, confirm Stats is updating the next day)
- Run the SSL Labs test again and compare the rating with the baseline from step one
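The registry changes behind the IIS Crypto steps above, and a way to verify them after the reboot, as an added example (this is not the article's linked registry file and not IIS Crypto's own code). It assumes you run it elevated on the web server, that the Stats task is a .NET 4.x client of SQL Server and therefore needs the .NET strong-crypto values once TLS 1.0/1.1 are gone (confirm that against the file the article links), and that the host name is a placeholder:

```powershell
# Added example: what IIS Crypto "Best Practices" does when TLS 1.0/1.1 are unticked,
# plus the .NET client values, plus a handshake probe to confirm the result.
# Assumptions: elevated session; .NET 4.x clients (Stats task) on this box; placeholder host.
#Requires -RunAsAdministrator

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    # Enable or disable one protocol for both the server and client side of Schannel.
    param(
        [Parameter(Mandatory)][string]$Name,      # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    $flag = if ($Enabled) { 1 } else { 0 }
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -Value $flag -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value (1 - $flag) -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Report the Enabled value per protocol and side; $null means "key absent, OS default".
    param([string[]]$Names = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($n in $Names) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $schannel "$n\$side"
            $val = if (Test-Path $key) { (Get-ItemProperty $key -ErrorAction SilentlyContinue).Enabled } else { $null }
            [pscustomobject]@{ Protocol = $n; Side = $side; Enabled = $val }
        }
    }
}

function Test-TlsHandshake {
    # Try one specific protocol version against the live site. $true means the server still
    # negotiates it. Certificate trust is deliberately ignored: this tests negotiation only.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $trustAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Disable the legacy protocols and make sure TLS 1.2 is explicitly on.
Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# 2. Tell .NET 4.x to follow the OS protocol defaults instead of pinning TLS 1.0; without
#    this a .NET SQL client (the Stats task, by assumption) fails once step 1 is applied.
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $fw) {
        New-ItemProperty -Path $fw -Name SchUseStrongCrypto -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $fw -Name SystemDefaultTlsVersions -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# 3. Reboot, then verify (run the probes from another machine so the firewall is tested too):
#    Get-SchannelProtocolState | Format-Table
#    Test-TlsHandshake -HostName 'sqintranet.sqbox.com' -Protocol Tls     # TLS 1.0, expect $false
#    Test-TlsHandshake -HostName 'sqintranet.sqbox.com' -Protocol Tls11   # expect $false
#    Test-TlsHandshake -HostName 'sqintranet.sqbox.com' -Protocol Tls12   # expect $true
```

Schannel reads these keys at boot, so the probe results only mean something after the restart; the SSL Labs scan in the last step should then show TLS 1.0 and 1.1 as not offered.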
A. Harden Your Server
Hardening your server includes applying the latest security updates available for your Windows server and ensuring Windows Updates are regularly downloaded and installed. It is also recommended to turn off any services that are not essential on the server. On Windows Server 2012 R2 and earlier, Microsoft provides a Security Configuration Wizard (Server Manager > Tools > Security Configuration Wizard) to help you assess which services are running and apply the correct policies; it was removed in Windows Server 2016, where you review services and apply policies manually or with Microsoft's security baselines.
Install Anti-Virus software - If you have real-time scanning, ensure that you exclude the drive location(s) where your web files are, or you may affect the performance of the intranet. Keep in mind that files users upload under those paths are then not scanned in real time, so scan them on a schedule or at another layer.
IIS Security Best Practices - There are many considerations when securing IIS 8. We'll run through a number of these in the following steps, but it's best to read through Microsoft's guidance to understand the best practices.
SQL Server and Lucee - Make sure you have the latest updates installed, particularly those that address security vulnerabilities.
Use Microsoft's Baseline Server Hardening Guide to ensure the operating system is as secure as possible.
B. Decide on a Consistent Web Location and Configure Public DNS
By default, your intranet is accessible internally using machine name, IP, or a local DNS name. To have a consistent URL you should configure your DNS & IIS so your users can use the same URL when accessing the site outside your network as inside (a fully qualified DNS entry). The standard is to use a subdomain of your company domain with the name you have given your intranet (e.g. sqintranet.sqbox.com (our company intranet)).
- Decide on a URL you can use inside and outside your network. In general, it is best to choose a three-part fully-qualified domain name (one host label below your registered domain), which standard and wildcard SSL certificates cover cleanly. eg. https://sqintranet.sqbox.com
- Configure a public DNS record to point to a public IP your intranet server can answer on (this can take some time to propagate to the internet)
- Verify your server responds to this DNS name and that traffic is allowed through your firewall
C. Isolate Web Applications, Change Drive Paths, Bindings & Web Location
In most cases, customers have Intranet Connections deployed by default under the "Default Web Site" as a subfolder called "Intranet". As well, it's common that this site is in the default location of C:\inetpub\wwwroot. Under this scenario you can browse the site as http://localhost/Intranet on the web server. It's best practice to have the intranet run as its own website under its own application pool, to use non-default drive locations and restrict access to the "Default Web Site".
If your intranet website is NOT in its own application pool, then you should follow these next steps.
Before making the changes below, go to the Lucee admin pages and take note of the current Datasource, Mappings, and mail settings.
1. Stop the Lucee and IIS (World Wide Web Publishing Service) services
2. Create a different drive location for your Intranet site. If you have a separate drive from your OS one, it's recommended to move there. A suggested format is C:\home\domain\subdomain
3. Move the Intranet files to the newly created folder. See the table below for the list of default folders that need to be moved for each version:
12.5 and prior | 13.0 and 13.5 | 14.0 | 14.5 and 15.0
---|---|---|---
(per-version folder list not preserved in this copy of the table)
Note: if you have /intranet within the URL you will also have to move "WEB-INF"
4. If your site is on version 14.0 or above, follow the three sub-steps below; otherwise skip to step 5.
- Adjust the schedule.json file in the TaskManager/Config folder. Make sure the two "basepath" values accurately reflect the path to your Intranet.
- Adjust the value for "WorkDir" in the C:\SQBoxService\config file to accurately reflect the path to your TaskManager directory.
- If you have changed any of the statistics settings above, restart the SQBoxTaskManager service on the web server.
5. Create a new web site in IIS for your Intranet, with the physical path pointed at the new "Intranet" folder location and its own application pool. Within the site's Bindings, configure the site to answer to the public URL you chose in the last section.
- Note: if you have /intranet in the URL, point the IIS site's physical path at the new web root instead of the "Intranet" folder. If the site has already been created, the physical path can be changed in the site's Basic Settings.
6. Start the IIS and Lucee services. Browse to the Lucee Administrator (e.g. http://sqintranet.sqbox.com/lucee/admin/web.cfm) and log in (the default password is 'connections'; if it is still the default, change it now, because section D only hides the admin page and does not protect a known password). Click Mappings, find the / mapping (it may be /intranet depending on your URL), delete it, and create a new one pointing at the new physical path:
- Browse to your new intranet web location and confirm it's working (e.g. http://sqintranet.sqbox.com)
- Go to Admin > Setup and click Update Locations to change any absolute URLs in your data from the old web location to the new one you've just configured
Note: if you log in and get redirected to the old path, type in your base URL and add this text to go directly to the admin setup page: admin/sitesettings/site_settings.cfm?tabidx=1 (e.g. http://sqintranet.sqbox.com/admin/sitesettings/site_settings.cfm?tabidx=1).
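The IIS side of the procedure above (stop services, move files, fix the absolute paths, create the isolated site and pool, stop the default site) scripted end to end, as an added example that is not part of the article. It assumes the WebAdministration module from IIS 8, that the service names "Lucee" and "SQBoxTaskManager" match your installer defaults, that TaskManager lives under the Intranet folder, and that every host name and path is a placeholder to replace:

```powershell
# Added example: section C as a script. Assumptions: WebAdministration module present,
# service names are installer defaults, and all names/paths below are placeholders.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName          = 'sqintranet.sqbox.com'                    # public host name from section B
$AppPool           = 'IntranetAppPool'
$OldRoot           = 'C:\inetpub\wwwroot\Intranet'
$NewRoot           = 'E:\home\sqbox.com\sqintranet\Intranet'   # non-default drive and path
$HasIntranetPrefix = $false                                    # $true when the URL contains /intranet

function Update-PathInFile {
    # Rewrite old -> new path in a config file, covering the plain and the JSON-escaped (\\) forms.
    param([Parameter(Mandatory)][string]$File, [string]$Old = $OldRoot, [string]$New = $NewRoot)
    if (-not (Test-Path $File)) { return $false }
    $text = Get-Content $File -Raw
    if (-not $text) { return $false }
    $updated = $text.Replace($Old.Replace('\', '\\'), $New.Replace('\', '\\')).Replace($Old, $New)
    if ($updated -ne $text) { Set-Content -Path $File -Value $updated -NoNewline }
    return ($updated -ne $text)
}

# 1. Stop IIS and Lucee before touching files.
Stop-Service -Name 'W3SVC' -Force
Stop-Service -Name 'Lucee' -ErrorAction SilentlyContinue

# 2. Move the files: /E keeps empty folders, /MOVE deletes the source after the copy.
robocopy $OldRoot $NewRoot /E /MOVE /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 3. (14.0+) Fix the absolute paths the scheduler and stats service depend on.
Update-PathInFile -File (Join-Path $NewRoot 'TaskManager\Config\schedule.json') | Out-Null
Update-PathInFile -File 'C:\SQBoxService\config' | Out-Null   # "WorkDir" value; same format assumed

# 4. Own application pool: code running in another site on this box does not run as this one.
if (-not (Test-Path "IIS:\AppPools\$AppPool")) { New-WebAppPool -Name $AppPool | Out-Null }

# Physical path is the Intranet folder, or its parent when the URL keeps the /intranet segment.
$PhysicalPath = if ($HasIntranetPrefix) { Split-Path $NewRoot -Parent } else { $NewRoot }

if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -PhysicalPath $PhysicalPath -ApplicationPool $AppPool `
                -HostHeader $SiteName -Port 80 | Out-Null
} else {
    Set-ItemProperty "IIS:\Sites\$SiteName" -Name physicalPath -Value $PhysicalPath
    Set-ItemProperty "IIS:\Sites\$SiteName" -Name applicationPool -Value $AppPool
}

# 5. Nothing should still answer under Default Web Site (localhost, IP, machine name).
Stop-Website -Name 'Default Web Site' -ErrorAction SilentlyContinue

# 6. Bring the services back. Then finish in the Lucee web admin: replace the / (or /intranet)
#    mapping with $PhysicalPath, and run Admin > Setup > Update Locations.
Start-Service -Name 'Lucee' -ErrorAction SilentlyContinue
Start-Service -Name 'W3SVC'
Start-Website -Name $SiteName
Restart-Service -Name 'SQBoxTaskManager' -ErrorAction SilentlyContinue
```

The host-header binding on port 80 is only there so the site answers before section G adds HTTPS; the Lucee mapping change cannot be scripted through IIS and is still done in the Lucee admin as step 6 describes.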
D. Secure Lucee Administrator
After you apply these changes, you will not be able to access either Lucee Web Admin or Server Admin panels. Important note: Before applying hotfixes, patches, or upgrades, you must temporarily remove these “deny” sequences.
- On the web server, open Internet Information Services Manager (IIS).
- Under Connections, click the server's name.
- In the middle pane, double-click Request Filtering. If you don't see the option for Request Filtering, see the section "How To Enable Request Filtering".
- Under Actions in the right pane, click Deny Sequence.
- Enter "lucee/admin/server.cfm". Hit OK.
- Under Actions in the right pane, click Deny Sequence again.
- Enter "lucee/admin/web.cfm". Hit OK.
At this point, you should not be able to access either admin panel. To get access again, temporarily remove the “deny” sequences from Request Filtering.
Important note: Always re-apply these “deny” sequences after you have finished your configuration changes in Lucee Admin.
Secure Lucee Administrator - Tomcat
Lucee's own Tomcat also listens directly on port 8888 and serves the same admin pages there, bypassing IIS and therefore the Request Filtering rules above. You must also block that path.
- Edit the Tomcat server file: C:\lucee\tomcat\conf\server.xml
- Comment out the section which starts with <Connector port="8888" ... />
Comments start with <!-- and end with -->
Restart the Lucee service afterwards, and confirm that your firewall does not expose port 8888 (or any other Tomcat port) to the internet; only the IIS ports from section G should be reachable from outside.
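Both halves of section D (the IIS deny sequences and the Tomcat connector), with the "temporarily remove, then re-apply" cycle and a check that the block actually answers 404, as an added example that is not part of the article. It assumes the WebAdministration module, the article's default server.xml path, and a placeholder site name:

```powershell
# Added example: section D scripted. Assumptions: WebAdministration module present,
# default Lucee Tomcat path from the article, placeholder site name.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName      = 'sqintranet.sqbox.com'
$DenySequences = @('lucee/admin/server.cfm', 'lucee/admin/web.cfm')
$Filter        = 'system.webServer/security/requestFiltering/denyUrlSequences'
$SitePath      = "IIS:\Sites\$SiteName"

function Get-LuceeAdminBlock {
    # Deny sequences configured on the site itself (inherited server-level ones are not listed).
    @((Get-WebConfiguration -Filter "$Filter/add" -PSPath $SitePath).sequence)
}

function Enable-LuceeAdminBlock {
    $current = Get-LuceeAdminBlock
    foreach ($seq in $DenySequences) {
        if ($current -notcontains $seq) {
            Add-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name '.' -Value @{ sequence = $seq }
        }
    }
}

function Disable-LuceeAdminBlock {
    # Only while applying hotfixes/patches/upgrades; run Enable-LuceeAdminBlock again afterwards.
    foreach ($seq in $DenySequences) {
        Remove-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name '.' -AtElement @{ sequence = $seq }
    }
}

function Test-LuceeAdminBlock {
    # Request filtering answers a denied sequence with HTTP 404 (substatus 404.5), so a 404 on
    # both URLs means the block is in effect; 200 or a redirect means it is not.
    param([string]$BaseUrl = "https://$SiteName")
    foreach ($seq in $DenySequences) {
        $url = "$BaseUrl/$seq"
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 0
            [pscustomobject]@{ Url = $url; Status = [int]$r.StatusCode; Blocked = $false }
        } catch {
            $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
            [pscustomobject]@{ Url = $url; Status = $code; Blocked = ($code -eq 404) }
        }
    }
}

function Disable-TomcatHttpConnector {
    # Wrap the <Connector port="8888"> element in an XML comment so Tomcat stops listening
    # there; a .bak copy is kept next to the file. Returns the number of connectors disabled.
    param([string]$ServerXml = 'C:\lucee\tomcat\conf\server.xml', [int]$Port = 8888)
    Copy-Item $ServerXml "$ServerXml.bak" -Force
    [xml]$doc = Get-Content $ServerXml -Raw
    $connectors = @($doc.SelectNodes("//Connector[@port='$Port']"))
    foreach ($c in $connectors) {
        $comment = $doc.CreateComment(" disabled by lockdown: " + $c.OuterXml + " ")
        $c.ParentNode.ReplaceChild($comment, $c) | Out-Null
    }
    $doc.Save($ServerXml)
    return $connectors.Count
}

Enable-LuceeAdminBlock
Disable-TomcatHttpConnector | Out-Null
Restart-Service -Name 'Lucee' -ErrorAction SilentlyContinue
# Afterwards: Test-LuceeAdminBlock | Format-Table   (expect Blocked = True on both rows)
```

Before an upgrade run Disable-LuceeAdminBlock, do the work in the Lucee admin, then run Enable-LuceeAdminBlock and Test-LuceeAdminBlock again; the functions are idempotent, so running Enable twice does not create duplicate entries.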
E. Prevent Internet Search Engine Indexing
Stop your intranet site from being indexed by Google, Bing, Yahoo, and other search engines by deploying a robots.txt file in the root.
- Download our sample robots.txt file (https://support.intranetconnections.com/attachments/token/wY0q0NcAyNe0zicnVSWPqDEBk/?name=robots.txt)
- Place this file in the "Intranet" folder (your intranet web site root)
Note that robots.txt is only a request that well-behaved crawlers honour; it is not access control, and anything it lists is readable by anyone. The site-level login in section F is what actually keeps content out of search engines and away from anonymous visitors.
F. Login Settings & IIS Authentication
Intranet Connections supports Windows Authentication and Form-based Authentication or a mixture of both. It also allows for anonymous access. You can configure the authentication mode in the product to "Windows" only. If you support Form-based logins, you should leverage some of the more advanced login settings offered in the product, such as strong passwords, password reset, session management and login CAPTCHA.
Steps to setup Windows Authentication only:
- Go to Admin > Security > Site Level Login and set this setting to "YES" to require end users to login
- Go to Admin > Security > Authentication Mode and set this setting to "Windows Authentication"
Steps to improve Form-based security:
- Go to Admin > Security and you will find many options
- Under Session Management you can control timeouts and session IP checking
- Under Password Options, you can enable lockout, password resets, strength checking and whichever options you like
- For added security you can require users to enter a CAPTCHA image when logging in
G. Install SSL Certificate
Contact your server administrator to see if you already have an SSL certificate. An intranet reachable from the internet should only be served over HTTPS, whichever authentication mode you use; it is essential if you use Form-based logins (passwords travel in the request) or allow Anonymous access to your site.
- In IIS > Server Certificates, click Create Certificate Request. Your selected vendor will give instructions on how to fill out the details required
- Pass the certificate request info to the vendor who will issue you a certificate
- In IIS > Server Certificates, click Complete Certificate Request
- Once installed, add a new Binding to your Intranet site for "https", the IP you want, port 443, and select your certificate
- You can then use a redirect rule (for example with the IIS URL Rewrite module) to send all http traffic to https
- Go to Admin > Setup and click Update Locations to change absolute URLs in your data to use the https address
- If you log in and get redirected to the old path, type in your base URL and add this text to go directly to the admin setup page: admin/sitesettings/site_settings.cfm?tabidx=1 Example: https://sqintranet.sqbox.com/admin/sitesettings/site_settings.cfm?tabidx=1
- You may need to add the certificate to the Lucee Server administration so that the scheduled task runs smoothly over https, by following Step 2 in the 'Enable SSL' article.
- Finally, open port 443 in your firewall to your web server (and port 80 only if you keep the http-to-https redirect); nothing else needs to be reachable from the internet
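The binding, redirect and firewall steps above as a script, as an added example that is not part of the article. It assumes the certificate has already been installed into the machine's personal store by the "Complete Certificate Request" step, that the IIS URL Rewrite module is installed (the rewrite section does not exist without it), that the WebAdministration module is available, and that the host and site names are placeholders:

```powershell
# Added example: section G scripted. Assumptions: certificate already in LocalMachine\My,
# IIS URL Rewrite module installed, WebAdministration module present, placeholder names.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'sqintranet.sqbox.com'
$HostName = 'sqintranet.sqbox.com'
$SitePath = "IIS:\Sites\$SiteName"

function Get-SiteCertificate {
    # Newest unexpired certificate whose CN or SAN list covers the host name.
    param([Parameter(Mandatory)][string]$Name)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -gt (Get-Date) -and
                       ($_.Subject -match [regex]::Escape("CN=$Name") -or $_.DnsNameList.Unicode -contains $Name) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert = Get-SiteCertificate -Name $HostName
if (-not $cert) { throw "No certificate for $HostName in LocalMachine\My; complete the certificate request first" }

# 1. HTTPS binding on 443 with SNI (-SslFlags 1), tied to that certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 2. Permanent redirect of every plain-HTTP request to HTTPS (URL Rewrite rule).
$rules = 'system.webServer/rewrite/rules'
$rule  = "$rules/rule[@name='HTTP to HTTPS']"
if (-not (Get-WebConfiguration -Filter $rule -PSPath $SitePath)) {
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $rules -Name '.' -Value @{ name = 'HTTP to HTTPS'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$rule/match" -Name url -Value '(.*)'
    Add-WebConfigurationProperty -PSPath $SitePath -Filter "$rule/conditions" -Name '.' -Value @{ input = '{HTTPS}'; pattern = 'off' }
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$rule/action" -Name type -Value 'Redirect'
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$rule/action" -Name url -Value 'https://{HTTP_HOST}/{R:1}'
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$rule/action" -Name redirectType -Value 'Permanent'
}

# 3. HSTS, so browsers stop trying http at all. Add this only once https works everywhere,
#    because browsers will refuse the site for a year if https later breaks.
$headers = 'system.webServer/httpProtocol/customHeaders'
if (-not (Get-WebConfiguration -Filter "$headers/add[@name='Strict-Transport-Security']" -PSPath $SitePath)) {
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $headers -Name '.' -Value @{ name = 'Strict-Transport-Security'; value = 'max-age=31536000' }
}

# 4. Host firewall: 443, plus 80 only for the redirect. No other inbound rule for this server.
New-NetFirewallRule -DisplayName 'Intranet HTTPS' -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Intranet HTTP redirect' -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow | Out-Null
```

The certificate lookup is by host name rather than thumbprint on purpose: when the certificate is renewed, re-running the script picks up the new one and re-binds it without editing anything.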
H. Set up Restricted External User Access as Needed
Once you've externalized your intranet, if your intention is now to grant access to users who you do not want to see content that is globally visible (e.g. contractor, consultant, vendor), you should provision user accounts and make use of an additional feature in Intranet Connections.
On the user record you can enable a checkbox setting labelled Global permissions do not apply. If you turn this on, the user will only be able to view content you explicitly give them view permissions to at the site, application, or folder/category level.
I. Enable Generic Errors (Version 13.0.4 +)
To make detailed errors visible only in the error logs, go to Admin > Errors & Logging and check Display enable generic error message only.
J. Secure your application files.
By default, the documents you upload to your Intranet apps are "web readable": anyone who knows the file name and folder location can download the file without being logged into the Intranet application. Once the site is on the internet, that means a guessed or leaked URL exposes the document to the whole world.
If you want these files to be accessible only to logged-in users of your Intranet, follow this guide: File Migration Utility