Re: Restricting access to website from public by wrytat
wrytat
Thu Mar 31 22:31:02 CST 2005
I've read up about SSL, and configuring a web application to require client
certificates. So this is how I understand it. Please correct me if I'm wrong.
1. Firstly, I need to go to a certificate authority's web site to apply for
the certificates. The authority will request a CSR file. So, if I'm putting
my web application on an ISP's web server, my ISP will have to generate the
CSR file for me?
2. I'll receive my server certificate from the authority. My ISP will have
to install the certificate on the web server I'm putting the web application
on.
3. My ISP will also have to configure the IIS Settings of the folder where I
put the 2nd part (the "intranet" part) of my application, so that client
certificate authentication is enabled.
4. I've to install the client certificate on my company's computer's web
browser.
What I don't understand is the last step: Installing the client certificate.
Will I get a client certificate from the certificate authority or what? Where
shall I get it? And also, is this client certificate unique? If not, if
someone else's computer also has this client certifcate installed, won't he
be able to access to my website?
"Thomas" wrote:
> one workaround for dynamic ips would be to issue client ssl certificates and
> then identify your "intranet" users through their ssl certs... in iis6 you
> can map client-certificates to windows accounts. but this of course needs
> additional requirements on the hoster's side...
>
> another "easy" way is to set up a vpn. this implies having your own server
> tho, but lets you very easily create an intranet and access it securely from
> anywhere and even with dynamic ips.
>
> - thomas
>
>
> "wrytat" <wrytat@discussions.microsoft.com> wrote in message
> news:77614E0E-A9F3-4D4C-A1AF-C52B2323F297@microsoft.com...
> > Hi! I'm very new to ASP.NET and really need some good advice from experts
> > here.
> >
> > I'm creating a web application for my company now. This application has 2
> > parts. 1 part for the customers to access. The 2nd part is for our staff
> > to
> > access only. My director hopes to make the 2nd part to be something like
> > an
> > intranet, such that only our company's computers (maybe only 1 or 2 in the
> > company) can login to this part of the application.
> >
> > 1. My company's intending to put the application on shared server with a
> > web
> > host. Windows Authentication is NOT allowed.
> >
> > 2. My company doesn't have a static IP address.
> >
> > 3. My manager suggested using Network Card number (which I don't really
> > quite understand. Is there a way to get the Network Card number that's on
> > a
> > client PC?).
> >
> > How??
> >
> > Some ISP told us that they can provide a firewall management feature such
> > that it will restrict access to the website from anyone that is not coming
> > from my company's network. This requires Static IP.
> >
> > Another told me that IIS Manager has the security feature that restrict
> > access based on IP address. This requires Static IP again.
> >
> > Is it possible to implement the 2nd part (the part that is to be accessed
> > by
> > my company's PC) as a windows application instead? Then we only put the
> > windows application on one computer. So, 1st part (for the public) will be
> > a
> > web application, 2nd part (for my company) is a windows application, both
> > accessing the same database server from an ISP. Will the ISP allow the
> > windows application to access its database server? I've no experience in
> > making a windows application at all, is it the same as making a web
> > application? Please advise.
> >
> > Do my company really have to get a Static IP? Any comments or other
> > suggestions please? Thank you.
>
>
>