Restricting access to website from public

Discussion in 'ASP General' started by wrytat, Apr 1, 2005.

  1. wrytat

    wrytat Guest

    Hi! I'm very new to ASP.NET and really need some good advice from experts
    here.

    I'm creating a web application for my company now. This application has 2
    parts. 1 part for the customers to access. The 2nd part is for our staff to
    access only. My director hopes to make the 2nd part to be something like an
    intranet, such that only our company's computers (maybe only 1 or 2 in the
    company) can login to this part of the application.

    1. My company's intending to put the application on a shared server with a web
    host. Windows Authentication is NOT allowed.

    2. My company doesn't have a static IP address.

    3. My manager suggested using Network Card number (which I don't really
    quite understand. Is there a way to get the Network Card number that's on a
    client PC?).

    How??

    Some ISP told us that they can provide a firewall management feature such
    that it will restrict access to the website from anyone that is not coming
    from my company's network. This requires Static IP.

    Another told me that IIS Manager has the security feature that restricts
    access based on IP address. This requires Static IP again.

    Is it possible to implement the 2nd part (the part that is to be accessed by
    my company's PC) as a windows application instead? Then we only put the
    windows application on one computer. So, 1st part (for the public) will be a
    web application, 2nd part (for my company) is a windows application, both
    accessing the same database server from an ISP. Will the ISP allow the
    windows application to access its database server? I've no experience in
    making a windows application at all, is it the same as making a web
    application? Please advise.

    Does my company really have to get a Static IP? Any comments or other
    suggestions please? Thank you.
     
    wrytat, Apr 1, 2005
    #1

  2. Thomas

    Thomas Guest

    one workaround for dynamic ips would be to issue client ssl certificates and
    then identify your "intranet" users through their ssl certs... in iis6 you
    can map client-certificates to windows accounts. but this of course needs
    additional requirements on the hoster's side...

    another "easy" way is to set up a vpn. this implies having your own server
    tho, but lets you very easily create an intranet and access it securely from
    anywhere and even with dynamic ips.

    - thomas


     
    Thomas, Apr 1, 2005
    #2

  3. wrytat

    wrytat Guest

    Thanks. Does that mean my company has to buy an SSL cert? How to identify
    users through SSL certs using ASP.NET code? Are there any articles online? Or
    can you help? Sorry for being annoying.

    "Thomas" wrote:

    > one workaround for dynamic ips would be to issue client ssl certificates and
    > then identify your "intranet" users through their ssl certs... in iis6 you
    > can map client-certificates to windows accounts. but this of course needs
    > additional requirements on the hoster's side...
    >
    > another "easy" way is to set up a vpn. this implies having your own server
    > tho, but lets you very easily create an intranet and access it securely from
    > anywhere and even with dynamic ips.
    >
    > - thomas
     
    wrytat, Apr 1, 2005
    #3
  4. wrytat

    wrytat Guest

    And also what about the web application + windows application suggestion? Is
    it not possible? Or is it bad implementation? Or too complicated? Sorry.

    "Thomas" wrote:

    > one workaround for dynamic ips would be to issue client ssl certificates and
    > then identify your "intranet" users through their ssl certs... in iis6 you
    > can map client-certificates to windows accounts. but this of course needs
    > additional requirements on the hoster's side...
    >
    > another "easy" way is to set up a vpn. this implies having your own server
    > tho, but lets you very easily create an intranet and access it securely from
    > anywhere and even with dynamic ips.
    >
    > - thomas
     
    wrytat, Apr 1, 2005
    #4
  5. wrytat

    wrytat Guest

    I've read up about SSL, and configuring a web application to require client
    certificates. So this is how I understand it. Please correct me if I'm wrong.

    1. Firstly, I need to go to a certificate authority's web site to apply for
    the certificates. The authority will request a CSR file. So, if I'm putting
    my web application on an ISP's web server, my ISP will have to generate the
    CSR file for me?

    2. I'll receive my server certificate from the authority. My ISP will have
    to install the certificate on the web server I'm putting the web application
    on.

    3. My ISP will also have to configure the IIS Settings of the folder where I
    put the 2nd part (the "intranet" part) of my application, so that client
    certificate authentication is enabled.

    4. I've to install the client certificate on my company's computer's web
    browser.

    What I don't understand is the last step: Installing the client certificate.
    Will I get a client certificate from the certificate authority or what? Where
    shall I get it? And also, is this client certificate unique? If not, if
    someone else's computer also has this client certificate installed, won't he
    be able to access my website?


    "Thomas" wrote:

    > one workaround for dynamic ips would be to issue client ssl certificates and
    > then identify your "intranet" users through their ssl certs... in iis6 you
    > can map client-certificates to windows accounts. but this of course needs
    > additional requirements on the hoster's side...
    >
    > another "easy" way is to set up a vpn. this implies having your own server
    > tho, but lets you very easily create an intranet and access it securely from
    > anywhere and even with dynamic ips.
    >
    > - thomas
     
    wrytat, Apr 1, 2005
    #5
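
The client-certificate approach discussed in posts #2 to #5, sketched as an ASP.NET module that only lets requests for the staff folder through when the browser presents a certificate whose thumbprint is on an allow-list. This is an added example, not code from the thread; the class name, the `~/staff/` path and the placeholder thumbprints are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Added example (not from the thread): gate the staff-only folder on a
// pinned client certificate. Needs classic ASP.NET (System.Web), .NET 3.5+.
public class StaffClientCertModule : IHttpModule
{
    // Assumption: the staff-only pages live under this application path.
    private const string StaffPrefix = "~/staff/";

    // Placeholders: one certificate thumbprint (hex, no spaces) per company PC.
    private static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "PLACEHOLDER_THUMBPRINT_OFFICE_PC_1",
            "PLACEHOLDER_THUMBPRINT_OFFICE_PC_2"
        };

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;

        // The public (customer) part is not affected.
        if (!path.StartsWith(StaffPrefix, StringComparison.OrdinalIgnoreCase))
            return;

        if (!IsAllowed(ctx.Request))
        {
            ctx.Response.StatusCode = 403;
            ctx.Response.SuppressContent = true;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    public static bool IsAllowed(HttpRequest request)
    {
        // Client certificates are only exchanged over SSL/TLS.
        if (!request.IsSecureConnection) return false;

        HttpClientCertificate cert = request.ClientCertificate;
        if (!cert.IsPresent || !cert.IsValid) return false;

        DateTime now = DateTime.Now;
        if (now < cert.ValidFrom || now > cert.ValidUntil) return false;

        // Pin the exact certificate: a different certificate, even one from
        // the same issuer, has a different thumbprint and is refused.
        X509Certificate2 x509 = new X509Certificate2(cert.Certificate);
        return AllowedThumbprints.Contains(x509.Thumbprint);
    }
}
```

Register the class under `<httpModules>` in web.config (`<modules>` on the IIS 7+ integrated pipeline). The host still has to enable client certificate negotiation for the site, as step 3 of the post above describes.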
  6. Sean

    Sean Guest

    It should be very easy to implement if you use a database and code to check
    who logs in. You can then redirect the user to either part 1 or part 2 of
    your web app. Of course you should put some checking code on top of each
    page that only allows for certain users.

    Happy coding.
    Shen



     
    Sean, Apr 1, 2005
    #6
  7. wrytat

    wrytat Guest

    Yes, I understand what you mean. That was actually what I intended to do
    initially. But my director was thinking that it's not secure enough as some
    hackers (or whoever) might somehow get access to these pages after hacking
    the database to find out the password. So he wants to make it such that only
    our computer can access these pages.

    "Sean" wrote:

    > It should be very easy to implement if you use a database and code to check
    > who logs in. You can then redirect the user to either part 1 or part 2 of
    > your web app. Of course you should put some checking code on top of each
    > page that only allows for certain users.
    >
    > Happy coding.
    > Shen
     
    wrytat, Apr 1, 2005
    #7
  8. Jeff Cochran

    Jeff Cochran Guest

    On Thu, 31 Mar 2005 17:23:01 -0800, wrytat
    <> wrote:

    >Hi! I'm very new to ASP.NET and really need some good advice from experts
    >here.


    Then you really want to post in the ASP.NET groups, those with dotnet
    in the name. This one is for classic ASP code.

    Jeff
     
    Jeff Cochran, Apr 1, 2005
    #8