> -----Original Message-----
> From: firewall-wizards-bounces_at_listserv.cybertrust.com
> On Behalf Of D Sharp
> Sent: Wednesday, October 03, 2007 9:48 PM
>
> Given the newer MS Project server supports a web access function, the
> plan was to use something with less overhead than Citrix/Terminal
> Services. Possible methods are:
> a: Secure Proxy server with specific PWA filters, yet to be
> identified.
> b: Generic SSL/VPN security gateway that allows for URL filtering to
> a DMZ'd PWA (web) server.
> c: Web application security filter (transparent proxy) to a DMZ'd PWA
> (web) server.
>
> The MS Project Server would be separated into tiers: web,
> application, DB.
I don't know PWA, but it might be some WebDAV protocol. So, don't put it in
front of the Internet!
Use a reverse proxy with some authentication to be sure of who connects to your
PWA server.
> >So, an external user needs:
> > * Credential from the security team to access the VPN.
> > * Credentials from the MS Project team to access the application.
> >
> >The VPN credentials can be a simple password, soft or hard
> >certificate (depends on your security policy).
> >
> So would the VPN credentials be separate from the "MS Project team"
> credentials?
In our case: Yes.
That's our policy: segregation of access (access to our information system
through the VPN, then access to the application: different credentials). That's
to deal with an application manager (or AD manager) forgetting to cancel user
credentials, or simply to cancel VPN access without canceling application access
(internal usage).
> Right now the majority of our user vpn access is by AD credentials.
That's a bad thing for us. But it depends on your risks, and so on your security
policy.
JDG
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Oct 04 2007