Building an Extranet / Lockdown Guide

There are many reasons to consider externalizing your intranet, whether it's to allow mobile access, access from home or outside the office, or access for end users who are not full-time employees.  First, consider your reasons and evaluate your options.  Many clients simply use VPN client technology to grant access from outside their LAN.  Alternatively, you can make your intranet available over the internet; this article focuses on the steps you should perform to ensure your server is locked down and your data is secure if you choose this option.

Note: The steps will differ slightly depending on your CFML engine: Lucee (13.5), Railo (12.5 or 13.0) or ColdFusion (<13.0).  You can find this setting on your Intranet admin page, after CFML Engine (bottom-right corner).

STEPS TO LOCKDOWN & EXTERNALIZE YOUR INTRANET

  1. Harden Your Server
  2. Decide on a Consistent Web Location and Configure Public DNS
  3. Isolate Web Applications, Change Drive Paths, Bindings & Web Location
  4. Secure Lucee/Railo/ColdFusion Services
  5. Secure Web Administrators
  6. Migrate Uploaded Files outside Web Root
  7. Prevent Internet Search Engine Indexing
  8. Login Settings & IIS Authentication
  9. Install an SSL Certificate
  10. Setup Restricted External User Access
  11. Enable Generic Errors (version 13.0.4 and up)


1) Harden Your Server

Windows Updates & Only Required Services - Hardening your server includes applying the latest security updates available for your Windows server and ensuring Windows Updates are regularly downloaded and installed.  As well, it's recommended to turn off any services that are not essential on the server.  Microsoft provides a Security Configuration Wizard (Server Manager > Tools > Security Configuration Wizard) to help you assess what services are running and apply policy on your server.  

Install Anti-virus Software - Installing anti-virus software on your server is also recommended.  Just be careful, if you have real-time scanning, to exclude the drive locations where your web files are served from; otherwise you may affect the performance of your server.

IIS Security Best Practices - There are many considerations when looking at securing IIS 8.  We will run through a number of these in the following steps but it's best to read through these to understand best practices.

SQL Server, Lucee/Railo/ColdFusion - Make sure you have the latest updates installed, particularly ones that address security vulnerabilities.

Microsoft's Baseline Server Hardening Guide


2) Decide on a Consistent Web Location and Configure Public DNS

By default your intranet is usually accessible internally using the machine name, IP, or a local DNS name.  To have a consistent URL you should configure your DNS & IIS so your users can use the same web address when accessing the site outside your network as inside (a fully qualified DNS entry).  The standard is to use a subdomain of your company domain with the name you have given your intranet, e.g. sqintranet.sqbox.com (our company intranet).

Steps To Follow

a)  Decide on a URL you can use inside & outside your network

b)  Configure a public DNS record to point to a public IP your intranet server can answer on (this can take some time to propagate to the internet)

[Screenshot: hostA.png]

c)  Verify your server responds to this DNS name and that traffic is allowed through your firewall

[Screenshot: ping.png]

3) Isolate Web Applications, Change Drive Paths, Bindings & Web Location

In most cases, customers have Intranet Connections deployed by default under the "Default Web Site" as a subfolder called "Intranet".  As well, it's common that this site is in the default location of C:\inetpub\wwwroot.  Under this scenario one can browse the site as http://localhost/Intranet on the web server.  It's best practice to have the intranet run as its own website under its own application pool, to use non-default drive locations, and to restrict access to the "Default Web Site".

Steps To Follow

a)  Stop Lucee/Railo/ColdFusion and IIS

b)  Create a different drive location for your Intranet site.  If you have a separate drive from your OS one, it's recommended to move there.  A suggested format is C:\home\domain\subdomain

c)  Move the "Intranet", "coldbox" and "elasticsearch" folders from C:\inetpub\wwwroot to this new folder (Versions older than 13.0 only have the Intranet folder)

[Screenshot: folders.png]

d)  Create a new web site in IIS for your Intranet pointed at the new "Intranet" folder location.  This new site will isolate your intranet in its own app pool.  In the Binding, configure it to answer to the public URL you chose in the last section.

[Screenshot: newsite.png]

e)  Start IIS and Lucee/Railo/ColdFusion

f)  (Lucee/Railo only) Browse to the Railo Web Administrator (Eg. http://sqintranet.sqbox.com/railo-context/admin/web.cfm) or Lucee Web Administrator (Eg. http://sqintranet.sqbox.com/lucee/admin/web.cfm), log in (the default password is 'connections') and click on "Mappings".  Find the existing /Intranet mapping, delete it, and create a new one pointing at the new folder location, similar to this (Railo screen shown; Lucee is similar):

[Screenshot: mapping.png]

g)  Browse to your new intranet web location and confirm it's working (Eg. http://sqintranet.sqbox.com)

h)  Go to the Admin > Setup screen and click "update locations" to change any absolute URLs in your data from the old web location to the new one you've just configured


4) Secure Lucee/Railo/ColdFusion Services

This section involves altering the application server to run under a more restricted local user account and limiting access to the web administrators and the Default Web Site to local server access only.

Steps To Follow

Run Lucee/Railo under a new local account (not the Local System account)

a)  Create a new local user account named "Lucee" or "Railo" 

b)  Alter the "Lucee" or "Railo Server" service to run as this account

c)  Grant this account "Full Control" over the drive location set up in the last section (C:\home) and C:\lucee or C:\railo (or C:\coldfusionX) and C:\inetpub

[Screenshot: perms.png]

5a) Secure Lucee/Railo Administrator

Now we need to limit access to the Lucee/Railo Server Admin and Web Admin (or ColdFusion Admin) and set more secure passwords.

a)  Install the "IP and Domain Restrictions" role service if it is not already installed in IIS

[Screenshot: restrictions.png]

b)  Using "Request Filtering" block the Lucee/Railo Server Admin at the server level.  

Create a deny sequence for lucee/admin/server.cfm or railo-context/admin/server.cfm
For ColdFusion this would be cfide/administrator/index.cfm

[Screenshot: block_server_admin.png]

c) Using "Request Filtering", remove the block of the Lucee/Railo Server admin in the Default Web Site.

Click on Request Filtering in the Default Web Site.  You should see the deny sequence that has been delegated down from the server level.  Remove this sequence setting.  Once step d below is in place, you should only be able to access the page from the web server itself using localhost.

[Screenshot: remove_request_filtering.png]

d)  Block all access to the "Default Web Site" other than localhost.  Click on the "Default Web Site", choose "IP Address and Domain Restrictions", click "Edit Feature Settings" and change access to "Deny" for unspecified clients.  Now add an Allow entry for "127.0.0.1".  This will prevent all access to the Lucee/Railo Server Admin and Default Web Site other than locally.

[Screenshot: ip_deny.png]

e)  Block access to the Lucee/Railo Web Admin.  Create an empty folder named "lucee" or "railo-context" under your "Intranet" folder.  Click on your "Intranet" web site and select this folder in IIS.  Choose "IP Address and Domain Restrictions", click "Edit Feature Settings" and change access to "Deny" for unspecified clients.  Now add an Allow entry for the server's own IP (Eg. "192.168.1.61").  This will prevent all access to the Lucee/Railo Web Admin other than locally.  This assumes your "Intranet" site has a binding for this local IP.

f)  Make sure you can log in to your Lucee/Railo (or ColdFusion) admin screens locally but not from any other machine.

g)  Now change the Lucee/Railo Server Admin password to something more secure.  The default password is "connections" (or whatever you selected when you installed ColdFusion).  For your intranet site you should also change the Lucee/Railo Web Admin password to something other than the default of "connections".

h) Repeat steps b through f for URL lucee/admin/web.cfm or railo-context/admin/web.cfm if running Lucee/Railo.
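What the clicks in steps b through h actually write to disk is ordinary IIS configuration, and seeing it in one place makes it easy to audit later.  The fragment below is an added example, not the article's or the product's own configuration: it assumes the site created in section 3 is named "Intranet", a Lucee install, and the server LAN address 192.168.1.61 from step e (for Railo substitute railo-context/admin/server.cfm and railo-context/admin/web.cfm, for ColdFusion cfide/administrator/index.cfm).  It is written as <location> entries in applicationHost.config, which is where IIS Manager puts them and which avoids the ipSecurity section being locked against web.config overrides by default.  Two things go slightly beyond the literal steps: the IPv6 loopback ::1 is allowed alongside 127.0.0.1, and the web.cfm deny sequence is removed again under the Intranet site's "lucee" folder so that step e's IP restriction, rather than the server-wide block, governs the Web Admin there.

```xml
<!-- Excerpt of %windir%\System32\inetsrv\config\applicationHost.config after steps b to h.
     Added example, not the article's or the product's own configuration.
     Assumptions: site name "Intranet", Lucee paths, LAN address 192.168.1.61. -->
<configuration>

  <!-- Steps b and h: server-wide Request Filtering deny sequences.  Every site inherits
       these, so the admin URLs are refused everywhere unless a site removes them. -->
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="lucee/admin/server.cfm" />
          <add sequence="lucee/admin/web.cfm" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Steps c and d: the Default Web Site drops the inherited deny sequences so the
       Server Admin works there, and IP restrictions then allow only the loopback
       addresses.  ::1 is included because "localhost" commonly resolves to the IPv6
       loopback first; without it a browser on the server itself gets a 403. -->
  <location path="Default Web Site">
    <system.webServer>
      <security>
        <requestFiltering>
          <denyUrlSequences>
            <remove sequence="lucee/admin/server.cfm" />
            <remove sequence="lucee/admin/web.cfm" />
          </denyUrlSequences>
        </requestFiltering>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="127.0.0.1" allowed="true" />
          <add ipAddress="::1" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- Step e: the empty "lucee" folder under the Intranet site root carries its own IP
       restriction.  IIS evaluates ipSecurity on the request path before the request is
       handed to Lucee, so the folder only needs to exist, not hold any files.  The
       web.cfm sequence is removed here so the IP rule, not the server-wide deny, decides. -->
  <location path="Intranet/lucee">
    <system.webServer>
      <security>
        <requestFiltering>
          <denyUrlSequences>
            <remove sequence="lucee/admin/web.cfm" />
          </denyUrlSequences>
        </requestFiltering>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="192.168.1.61" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

</configuration>
```

After applying it, repeat step f from both the server console and a workstation: the admin URLs should open only from the server, and the Default Web Site should answer only to loopback.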


5b) Secure Lucee/Railo Administrator - Tomcat

You must also restrict direct access to the Tomcat administrator screens on port 8888, which bypasses IIS and therefore all of the IIS restrictions above.

a) Edit the Tomcat server file: C:\lucee\tomcat\conf\server.xml or C:\railo\tomcat\conf\server.xml

b) Comment out the section which starts with <Connector port="8888" ... />

Comments start with <!-- and end with -->
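For reference, this is what the relevant part of server.xml looks like once step b is done.  It is an added example, not the file the Lucee or Railo installer ships, and attribute values other than the port numbers are illustrative.  It assumes the usual arrangement where IIS forwards requests to Tomcat over the AJP connector on port 8009; that connector has to stay or the intranet site stops working.

```xml
<!-- Excerpt of C:\lucee\tomcat\conf\server.xml after step b (C:\railo\tomcat\conf\server.xml
     for Railo).  Added example, not the installer's file; values are illustrative. -->
<Service name="Catalina">

  <!-- Step b: the whole HTTP listener on 8888 sits inside a comment, so after the
       service restarts nothing listens on that port and the admin cannot be reached
       around IIS. -->
  <!--
  <Connector port="8888" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />
  -->

  <!-- The AJP connector must stay, or IIS can no longer hand requests to Lucee/Railo.
       Pinning it to the loopback address is an extra measure beyond step b: only IIS
       on this machine can then talk to it. -->
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />

  <!-- Engine, Host and the rest of the file are unchanged. -->

</Service>
```

Restart the Lucee/Railo service after editing and confirm that http://localhost:8888/ no longer connects while the intranet site through IIS still works.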


6) Migrate Uploaded Files outside Web Root

To prevent direct access to uploaded files by URL, you can move your uploaded files out of the default location, which is the "Intranet" folder (the web root).  Earlier, we walked through migrating the "Intranet" folder from the default location.  This step runs you through the "File Migration Utility" in the product to change your uploaded files location.

Steps To Follow

a)  Create a folder named "Files" under your subdomain location created earlier (you can see it in the above screen snap)

b)  Copy the contents of the "Intranet" folder into the new "Files" folder

c)  Go to Admin > Security > File Migration Utility and click next

d)  Paste in the new upload location (Eg. C:\home\sqbox.com\sqintranet\Files) and click next

e)  Follow the prompts to complete the migration


7) Prevent Internet Search Engine Indexing

Stop your intranet site from being indexed by Google, Bing, and other search engines by deploying a robots.txt file in the site root.  Note that robots.txt is a request that well-behaved crawlers honour, not an access control; the login and IP restrictions in the other steps are what actually keep content private.

Steps To Follow

a)  Download a sample robots.txt file

b)  Place this file in the "Intranet" folder (your intranet web site root)


8) Login Settings & IIS Authentication

Intranet Connections supports Windows Authentication and Form-based Authentication or a mixture of both.  It also allows for anonymous access.  If you only require Windows Authentication and make use of Single Sign On (SSO), it's highly recommended you disable "Anonymous" access to the site in IIS and the product.  You also want to make sure you configure the authentication mode in the product to "Windows" only if this is your scenario.  However, if you do support Form-based logins, you should leverage some of the more advanced login settings offered in the product, such as strong passwords, password reset, session management and login CAPTCHA.

Steps to setup Windows Authentication only

a)  Go to Admin > Security > Site Level Login and set this setting to "YES" to require end users to login

b)  Go to Admin > Security > Authentication Mode and set this setting to "Windows Authentication"

c)  In IIS, select your Intranet site, click on Authentication and disable "Anonymous Authentication"

d)  In IIS, select the subfolders "Scheduled" and "mfu" and enable "Anonymous Authentication"
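Steps c and d, expressed as the applicationHost.config entries IIS Manager writes, so the result can be checked without clicking through the console.  This is an added example, not the product's configuration; it assumes the site is named "Intranet", and the Windows Authentication role service must be installed for the windowsAuthentication element to take effect.

```xml
<!-- applicationHost.config <location> entries equivalent to steps c and d.
     Added example, not the product's configuration.  Assumes site name "Intranet". -->
<configuration>

  <!-- Step c: the site requires Windows Authentication and refuses anonymous requests,
       so every request for an intranet page carries a domain identity for SSO. -->
  <location path="Intranet">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>

  <!-- Step d: the two folders the product calls without a user context get anonymous
       access back.  Keep this list to exactly these paths; every extra anonymous folder
       is a way around the site-level requirement. -->
  <location path="Intranet/Scheduled">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>

  <location path="Intranet/mfu">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>

</configuration>
```

A quick check after the change: a request to the site root from a non-domain machine should get a 401 challenge, while the two folders above still answer without one.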

Steps to improve Form-based security

a)  Go to Admin > Security and you will find a number of options

b)  Under Session Management you can control timeouts and session IP checking

c)  Under Password Options, you can enable lockout, password resets, strength checking and whichever options you like

d)  For added security you can require users to enter a CAPTCHA image when logging in


9) Install an SSL Certificate

Contact your server administrator to see if you have an SSL certificate already you can use.  If you are using Form-based logins or allow Anonymous access to your site, it is highly recommended that you configure a certificate to encrypt communication with the server.

Steps To Follow

a)  In IIS > Server Certificates, click "Create Certificate Request".  Your selected vendor will give instructions on how to fill out the details required

b)  Pass the certificate request info to the vendor who will issue you a certificate

c)  In IIS > Server Certificates, click "Complete Certificate Request"

d)  Once installed, you can now add a new Binding to your Intranet site for "https", the IP you want, port 443, and select your certificate

e)  You can then use a redirect rule to direct all http traffic over https as per this article.

f)  Go to Admin > Setup and click on "update location" to change absolute URLs in your data to use the https address

g) You may need to add a certificate to the Railo/Lucee Server administration, to make sure that the scheduled task runs smoothly. Check Step 2 of this article.

h)  Finally, you may need to open up port 443 in your firewall and allow traffic to your web server
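The redirect rule referred to in step e, written out as a web.config fragment for the Intranet site root (the "Intranet" folder from section 3).  This is an added example and not the rule from the article's linked page; it requires the IIS URL Rewrite module and the https binding from step d to exist first.  The HSTS header at the end goes beyond step e and is marked as such in the comments.

```xml
<!-- web.config in the Intranet site root.  Added example, not the article's linked rule.
     Requires the IIS URL Rewrite module and the https binding from step d. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Step e: any request that arrived over plain HTTP is answered with a 301 to
             the same host and path on https, so nothing (logins included) is served in
             clear text.  The query string is carried across by default. -->
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>

    <!-- Beyond step e: HSTS tells browsers that have seen the site once to go straight
         to https next time, closing the window where the first request is plain HTTP.
         Browsers only honour it on https responses, so sending it on all is harmless. -->
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Test it by requesting the http address from outside the network: the response should be a 301 to the https address, and step f's "update location" should have left no http links in the data that would trigger the redirect on every page.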


10) Setup Restricted External User Access As Needed

Once you have externalized your intranet, if you now intend to grant access to users who should not see globally visible content (e.g. a contractor, consultant or vendor), you should provision user accounts and make use of an additional feature in Intranet Connections.  On the user record you can enable a checkbox setting labelled "Global permissions do not apply".  If you turn this on, the user will only be able to view content you explicitly give them view permissions to at the site, application, or folder/category level.


11) Enable Generic Errors (version 13.0.4 and up)

To make detailed errors visible only in the error logs (so visitors see only a generic error message), check "Display enable generic error message only".

[Screenshot: genericerrors.png]

This guide should get you well on your way to utilizing your intranet outside the borders of your local network.  If you have any questions don't hesitate to contact our support team for more information.

