Externalizing your intranet is not covered by support and is done at your own risk. You must take a snapshot of your web server before starting so you can revert back to your original settings if anything goes wrong.
There are many reasons to consider externalizing your intranet, including allowing mobile access, access from home or outside the office, or access for end users who are not full-time employees. The first thing to consider is your reason and evaluate your options. Many customers will simply use VPN client technology to grant access outside their LAN. Alternatively, you can make your intranet available over the internet.
This article focuses on the steps you need to perform to ensure your server is locked down and your data is secure if you choose to externalize the intranet.
This is an extremely technical process. All steps must be completed as outlined. Any misconfiguration or missed steps will lead to your site being completely inaccessible. Be extremely cautious.
Before starting the process of locking down, follow the steps below to prepare and gather the required information:
- Check if your URL contains /intranet, depending on the configuration of your intranet the URL may contain /intranet.
- Check current drive location of the Intranet. This can be found at the bottom of the Admin page within the Drive Location value.
- Check what CFML Engine you are currently using. This can be found at the bottom of the Admin page in the CFML Engine value. Note if you have Coldfusion as the CFML Engine it is best to upgrade your intranet software to the current version before continuing.
Refer back to the information gathered as you proceed through the lockdown process.
In This Article
The steps will differ slightly depending on your CFML engine: Lucee (Version 13.5), Railo (Version 12.5 or 13.0) or Coldfusion (earlier than Version 13.0). You can find this setting on Admin > Setup tab, after CFML Engine (bottom-right corner)
Additional Security Considerations - IIS Crypto
This process has been implemented for other customers looking to further secure their site. This must be done before hardening your server. This process includes turning off TLS 1.0 and 1.1.
We do not provide support for configuring IIS Crypto outside of the instructions provided here as this is a separate software and not affiliated with IC Thrive. Please proceed with caution as failure to configure this software as mentioned in the following instructions, SQL will not start.
- SQL must be 2016 or 2017 if the SQL server is on the webserver- Compatibility reference
- IIS Crypto downloaded
- Local admin rights on the webserver
- Do a test of security on https://www.ssllabs.com/ssltest/
- Take a snapshot of the webserver
- Do registry entries on webserver, so that Stats will work (this linked file will work, the instructions in the article won't)
- Run IISCrypto. Choose Best Practices
- Uncheck TLS 1.0 and 1.1. Apply. Restart as suggested.
- Verify that the intranet loads successfully, and that the Stats Scheduled task runs successfully (confirm Stats is updating the next day for version 14.0+)
- Run SSL test again, as mentioned in Step one to compare the security rating
A. Harden Your Server
Hardening your server includes applying the latest security updates available for your Windows server and ensuring Windows Updates are regularly downloaded and installed. As well, it's recommended to turn off any services that are not essential on the server. Microsoft provides a Security Configuration Wizard (Server Manager > Tools > Security Configuration Wizard) to help you assess what services are running and apply the correct policies on your server.
Install Anti-Virus software - If you have real-time scanning, ensure that you exclude the drive location(s) where your web files are, or you may affect the performance of the intranet.
IIS Security Best Practices - There are many considerations when looking at securing IIS 8. We'll run through a number of these in the following steps but it's best to read through these to understand best practices.
SQL Server, Lucee/Railo/ColdFusion - Make sure you have the latest updates installed, particularly ones that address security vulnerabilities.
Use Microsoft's Baseline Server Hardening Guide to ensure the operating system is as secure as possible.
B. Decide on a Consistent Web Location and Configure Public DNS
By default, your intranet is accessible internally using machine name, IP, or a local DNS name. To have a consistent URL you should configure your DNS & IIS so your users can use the same URL when accessing the site outside your network as inside (a fully qualified DNS entry). The standard is to use a subdomain of your company domain with the name you have given your intranet (e.g. sqintranet.sqbox.com (our company intranet)).
- Decide on a URL you can use inside and outside your network
- Configure a public DNS record to point to a public IP your intranet server can answer on (this can take some time to propagate to the internet)
- Verify your server responds to this DNS name and that traffic is allowed through your firewall
C. Isolate Web Applications, Change Drive Paths, Bindings & Web Location
In most cases, customers have Intranet Connections deployed by default under the "Default Web Site" as a subfolder called "Intranet". As well, it's common that this site is in the default location of C:\inetpub\wwwroot. Under this scenario you can browse the site as http://localhost/Intranet on the web server. It's best practice to have the intranet run as its own website under its own application pool, to use non-default drive locations and restrict access to the "Default Web Site".
Before making the changes below, go to the Lucee/Railo admin pages and take note of the current Datasource, Mappings, and mail settings.
- Stop Lucee/Railo/ColdFusion and IIS (World Wide Web Publishing Service) services
- Create a different drive location for your Intranet site. If you have a separate drive from your OS one, it's recommended to move there. A suggested format is C:\home\domain\subdomain
- Move the Intranet files to the newly created folder. See the table below for a list of default folders that need to be moved for each version:
|12.5 and prior||13.0 and 13.5||14.0||14.5 and 15.0|
Note if you have /intranet within the URL you will have to also move "Web-INF"
4. If your site is on version 14.0 or above, please follow the below three sub-steps; otherwise skip to step 5.
- Adjust the schedule.json file in the TaskManager/Config file. Make sure the two "basepath" values accurately reflect the path to your Intranet.
- Adjust the value for "WorkDir" in the C:\SQBoxService\config accurately reflect the path to your TaskManager directory.
- If you have made any changes to the statistics components above, restart the SQBoxTaskManager service on the web server.
5. Create a new web site in IIS for your Intranet with the physical path pointed at the new "Intranet" folder location. Within the sites Bindings, configure the site to answer to the public URL you chose in the last section.
- Note If you have /intranet, point the IIS site physical path to the new webroot instead of the "Intranet" folder. If the site has already been created the physical path can be changed in the sites basic settings.
6. Start IIS and Lucee/Railo/ColdFusion services. For Lucee and Railo only browse to the Railo Web Administrator (e.g. http://sqintranet.sqbox.com/railo-context/admin/web.cfm) or Lucee Web Administrator (e.g. http://sqintranet.sqbox.com/lucee/admin/web.cfm), login (default password is 'connections'), click on Mappings. You will need to check the / mapping (the mapping may be /intranet depending on your URL) and delete it and create a new one like this (Railo screen shown. Lucee is similar):
- Browse to your new intranet web location and confirm it's working (e.g. http://sqintranet.sqbox.com)
- Go to Admin > Setup and click update locations to change any absolute URLs in your data from the old web location to the new one you've just configured
Note if you log in and get redirected to the old path, type in your base URL and add this text to go directly to the admin setup page: admin/sitesettings/site_settings.cfm?tabidx=1 (e.g. http://sqintranet.sqbox.com/admin/sitesettings/site_settings.cfm?tabidx=1).
D. Secure Lucee/Railo Administrator
Now we need to limit access to the Lucee/Railo Server Admin and Web Admin (or ColdFusion Admin) and create more secure passwords. We’re going to place a general block on access to Lucee/Railo and then open access specifically for this server only.
- Install "IP and Domain Restrictions" role service in IIS if not already installed. For Windows 2012, this is found in the Add Roles and Features wizard (within the server manager) under Web Server > Web Server > Security.
- Using “Request Filtering” block the Lucee/Railo Admin at the server level.
Create a deny sequence for lucee/admin/server.cfm or railo-context/admin/server.cfm
For ColdFusion this would be cfide/administrator/index.cfm
- Using "Request Filtering", remove the block of the Lucee/Railo Server admin in the Default Web Site. Click on Request Filtering in the Default Web Site. You should see the deny sequence that has been delegated down from the server level. Remove this sequence setting to allow access to the page from the web server itself using ‘localhost’.
- Block all access to the "Default Web Site" other than localhost. Click on Default Web Site, choose IP Address and Domain Restrictions, click Edit Feature Settings and change access to Deny for unspecified clients. Now add an Allow entry for 127.0.0.1. This will prevent all access to the Lucee/Railo Server Admin and Default Web Site other than locally.
- Block access to the Lucee/Railo Web Admin. Create an empty folder named "lucee" or "railo-context" under your "Intranet" folder. Click on your "Intranet" web site and select this folder in IIS. Choose IP Address and Domain Restrictions, click Edit Feature Settings and change access to Deny for unspecified clients. Now add an Allow entry for the IP of the machine (e.g. "192.168.1.61"). This will prevent all access to the Lucee/Railo Web Admin other than locally. This assumes your "Intranet" site has a binding for this local IP.
- Make sure you can login to your Lucee/Railo (or ColdFusion) admin screens locally but you cannot from any other machine.
- Now change the Lucee/Railo Server Admin password to something more secure. The default password is "connections" or whatever you selected when you installed ColdFusion. For your intranet site, you should also alter the Lucee/Railo Web Admin password to something other than the default of "connections".
Secure Lucee/Railo Administrator - Tomcat
You must also restrict web access to the Tomcat administrator screens if accessing directly using port 8888 which bypasses IIS.
- Edit the Tomcat server file: C:\lucee\tomcat\conf\server.xml or C:\railo\tomcat\conf\server.xml
- Comment out the section which starts with <Connector port="8888" ... />
Comments start with <!-- and end with -->
E. Prevent Internet Search Engine Indexing
Stop your intranet site from being indexed by Google, Bing, Yahoo, and other search engines by deploying a robots.txt file in the root.
- Download a sample robots.txt file (https://support.intranetconnections.com/attachments/token/wY0q0NcAyNe0zicnVSWPqDEBk/?name=robots.txt)
- Place this file in the "Intranet" folder (your intranet web site root)
F. Login Settings & IIS Authentication
Intranet Connections supports Windows Authentication and Form-based Authentication or a mixture of both. It also allows for anonymous access. You can configure the authentication mode in the product to "Windows" only. If you support Form-based logins, you should leverage some of the more advanced login settings offered in the product, such as strong passwords, password reset, session management and login CAPTCHA.
Steps to setup Windows Authentication only:
- Go to Admin > Security > Site Level Login and set this setting to "YES" to require end users to login
- Go to Admin > Security > Authentication Mode and set this setting to "Windows Authentication"
Steps to improve Form-based security:
- Go to Admin > Security and you will find many options
- Under Session Management you can control timeouts and session IP checking
- Under Password Options, you can enable lockout, password resets, strength checking and whichever options you like
- For added security you can require users to enter a CAPTCHA image when logging in
G. Install SSL Certificate
Contact your server administrator to see if you have a SSL certificate already. If you are using Form-based logins or allow Anonymous access to your site, it is highly recommended that you configure a certificate to encrypt communication with the server.
- In IIS > Server Certificates, click Create Certificate Request. Your selected vendor will give instructions on how to fill out the details required
- Pass the certificate request info to the vendor who will issue you a certificate
- In IIS > Server Certificates, click Complete Certificate Request
- Once installed, you can now add a new Binding to your Intranet site for "https", the IP you want, port 443, and select your certificate
- You can then use a redirect rule to direct all http traffic over https
- Go to Admin > Setup and click on update locations to change absolute URLs in your data to use the https address
- If you log in and get redirected to the old path, type in your base URL and add this text to go directly to the admin setup page: admin/sitesettings/site_settings.cfm?tabidx=1 Example: http://sqintranet.sqbox.com/admin/sitesettings/site_settings.cfm?tabidx=1
- You may need to add a certificate to the Railo/Lucee Server administration, to make sure that the scheduled task runs smoothly by following Step 2 in the 'Enable SSL' article.
- Finally, you may need to open port 443 in your firewall and allow traffic to your web server
H. Set up Restricted External User Access as Needed
Once you've externalized your intranet, if your intention is now to grant access to users who you do not want to see content that is globally visible (e.g. contractor, consultant, vendor), you should provision user accounts and make use of an additional feature in Intranet Connections.
On the user record you can enable a checkbox setting labelled Global permissions do not apply. If you turn this on, the user will only be able to view content you explicitly give them view permissions to at the site, application, or folder/category level.
I. Enable Generic Errors (Version 13.0.4 +)
To make detailed errors visible only in the error logs, go to Admin > Errors & Logging and check Display enable generic error message only.