External Access creation and configuration

Hi,
We use Windows authentication with SSO to identify users of our SBM application.
We want to open SBM to be used outside our domain (for our customers' use).
I noticed that in 'Configurator', under the 'Other Settings' tab, there is an 'External Access' section which contains a configuration for 'IIS application for external authentication'.

Q: Does someone have an example of such an external authentication application and how to configure it in IIS?
I'm not familiar with 'ISAPI' and 'ModSecurity IIS', which are mentioned in the documentation (sbms_installation_guide.pdf, page 79).
Fleet Admiral
google for custom IIS authentication "Membership provider"

Fleet Admiral
Sorry, can't help with the External Authentication, but I can share with you how we address the same situation. For security reasons we needed to restrict as much as possible traffic that could potentially enter our internal network from outside, so instead of exposing our internal SBM app server to the world, we set up a second app server outside our firewalls, then configured specific firewall rules to limit traffic from that server to the database and license server (including restricting the ports available). While it meant that we had to purchase a second server license, that cost is not that onerous and gives us a level of comfort in the security restrictions imposed. On the external server we have authentication set for internal SBM passwords, and internally we use SSO.
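
One way to confirm, from the external app server, that firewall rules like the ones described above really limit it to the database and license server. This is an added example, not part of the original post and not SBM's own tooling; every host name, port and the list of services that must stay blocked are placeholder assumptions.

```powershell
# Run on the external SBM app server. Every host name and port here is a
# placeholder assumption; substitute the values from your own firewall policy.
$allowed = @(
    @{ Name = 'Database';       Target = 'sbm-db.corp.example';  Port = 1433 }  # assumes SQL Server's default port
    @{ Name = 'License server'; Target = 'sbm-lic.corp.example'; Port = 27000 } # placeholder port
)
# Internal systems the external server has no business talking to (hypothetical names).
$internalHosts = 'sbm-app.corp.example', 'dc01.corp.example'
$deniedPorts   = 80, 443, 445, 3389, 389, 88   # HTTP(S), SMB, RDP, LDAP, Kerberos

function Test-Port {
    param([string]$Target, [int]$Port)
    # Quiet mode returns $true only when the TCP handshake completes.
    Test-NetConnection -ComputerName $Target -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

function New-Result {
    param([string]$Check, [string]$Target, [int]$Port, [bool]$ShouldBeOpen)
    $isOpen = Test-Port -Target $Target -Port $Port
    [pscustomobject]@{
        Check    = $Check
        Endpoint = "${Target}:$Port"
        Expected = if ($ShouldBeOpen) { 'open' } else { 'blocked' }
        Actual   = if ($isOpen) { 'open' } else { 'blocked' }
        Pass     = ($isOpen -eq $ShouldBeOpen)
    }
}

$results = @(
    foreach ($a in $allowed) {
        New-Result -Check $a.Name -Target $a.Target -Port $a.Port -ShouldBeOpen $true
    }
    foreach ($h in $internalHosts) {
        foreach ($p in $deniedPorts) {
            New-Result -Check 'Must be blocked' -Target $h -Port $p -ShouldBeOpen $false
        }
    }
)
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring job flag policy drift.
$failures = @($results | Where-Object { -not $_.Pass })
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) endpoint(s) do not match the intended firewall policy."
    exit 1
}
```

Blocked endpoints are only reported after the TCP connection attempt times out, so a full run can take a few minutes.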
Absent Member.
Hi David,
Thanks for your answer.
Just to be sure, you have 3 servers:
1. DB (internal)
2. App (internal)
3. App (external)

The external app server connects to the database server via the firewall.
The external app server is exposed to the WWW.

If that is so, and regular users don't have a password (because they authenticate by SSO (LDAP, Windows domain...)):
Q1: How do you avoid customers logging in to SBM with the username of the 'Regular users'?
Q2: How do you avoid regular users (not Occasional\External users) logging in to your system from outside?

(I tried to upload a server topology image, I hope I succeeded)
Fleet Admiral
Hi, yes, the topology image is just what we have in place. In regard to your 2 questions:

Q1: All users have unique logins, so unless a customer can guess an employee's username and password they can only log in as themselves.
Q2: We don't stop our employees logging in externally. However, to do that they need to set up an internal SBM password so that they can use that to log in via the external server. (Even though they set a password, they still use domain authentication when using the system internally.)

Absent Member.
Thanks again David,
Your answers help me to understand the puzzle.
But now I have more questions:
Q3: Is there a special SBM installation for such an external app server? What exactly should I install there? Should I install everything besides Database and Composer?
Fleet Admiral
Even though it isn't needed, our external server has a complete install. I know there are components that aren't needed, but wasn't exactly sure which ones. I think I had seen on the Knowledgebase an article on what components are required for a distributed installation, so if you can find that it might give you the correct answer.
Absent Member.
Hi Paul,
First, thanks for your comment.
As far as I know, a Membership provider is used to handle user accounts (creating\changing passwords...).
To use that I need to use Forms authentication.
Till now all is OK.

How can the authentication in one site affect the authentication in SBM's site?
In other words, if the authentication succeeded in the "external site", how are the credentials transferred to SBM's site?