We have a webserver (VM) hosting several sites.
One of the applications has a part intranet and a part public.
(archiving/docflow = intranet, customer invoices = public)
This webserver is currently hosted with IP (example IPs): 11.11.0.80/20
in our LAN.
Our gateway points to a MPLS router (11.11.0.33/20
), from there our internet traffic goes
to a colocation where we have central internet access.
Let me explain the colocation situation. We come in through a cisco device (MPLS provider), from this device one cable is connected to an HP Procurve switch to get access to the different VLANS that comes from MPLS (MPLS, Internet, DMZ). Ports configured for each VLAN are then connected to a Juniper SRX240 to create trust/untrust/dmz zones and do NAT.
DMZ network IP is 11.172.1.0/24
and configured on the Juniper SRX240 port where the cable from the switch comes from.
Now, my problem is how should I serve exclusive access to one part of the hosted sites to my network (11.11.0.0/20
, 80 443, 21) and the other part can have access from outside. (443, 21)?
My first thought was adding a second NIC to webserver VM and correctly setup NAT/Firewall on my SRX device and configure firewall per NIC on the webserver? Though this effectively creates a possible breach in DMZ.
I'm not an expert on these things but I have basic knowledge and in need of some experts advice.
Please ask if something is not clear. Thank you for your time!
Stanny
I suggest you use the IP Address restrictions feature in IIS. You need to install it as a Role Service to the Web Server Role. It's called "IP and Domain Restrictions"
After installing it, on the Website, you have an "IPv4 Address and Domain Restrictions" option You can allow and deny access from networks there.
Have a look here for a step by step tutorial.