Exposing the TeamSite URL to the public Internet - Pros/Cons?

We are considering exposing our TeamSite URL to the public internet. The primary reasons are:

- To possibly improve performance (we recently switched to using VPN for TeamSite access, which is significantly slower than our old LAN environment)
- To give the contributors more flexible access to TeamSite

We're already using SSL, so all traffic would be encrypted. The only serious drawback that I can think of is that a contributor could possibly use one of our "shared" logins anonymously from home to publish unwanted content. However, we can probably figure out a way to get rid of shared logins in this case.

My question is: Can anyone think of any compelling reasons NOT to expose the TeamSite URL to the public internet?

Thanks in advance,

Dan Pike
Senior Consultant
Strategic Solutions Northwest
dpike@ssnwllc.com

Find more posts tagged with

Comments

nipper

So this wiould be a publicly accessible server (not behind the firewall) ?

Normally webservers sit in the DMZ, between 2 firewalls.:

INTERNET ----|----- Webservers ---|---- corp LAN

where only port 80 is open between INTERNET and Webservers, while port 80, Oracle, OpenDeploy, other
ports are open in the webserver/LAN firewall

So if your TS server is truly out in the internet you are clear. However if it gets place into the DMZ then you
will need to open ports 80 and 81 (for virtualization) , I am not certain if any other ports will be required (proxy,
etc).

BTW, why do you think this will help ? I have used TS through VPN often without a large performance hit.

HTH

Andy

Migrateduser

Thanks for the reply, Andy.

Yes, I believe it'll be in between two firewalls (DMZ), but I'll have to double check that. If that's the case, then I'm sure we'll be able to open the appropriate ports.

We're not completely sure that making it publicly accessible will improve speed, but we'd like to try it with our test box. Our network folks think it'll be better because it's a 7Mb pipe (VPN) vs. a 600+ Mb pipe (Interenet). Of course, we have to factor in latency in too. I'm not quite sure what the difference is there.

Dan Pike
Senior Consultant
Strategic Solutions Northwest
dpike@ssnwllc.com

nipper

Be certain you know exactly what ports to open. Networking folks are not too happy to
do this sometimes, esp on the outside firewall.

But since you are already talking to the networking guys, should not be to hard to get a straight answer

Migrateduser

Definitely good advice. Thanks again, Andy.

Assuming we can open the appropriate ports to make TeamSite publicly available, I'd love to hear feedback from folks who have either done this before (or not done it for good reason).

Thanks,

Dan Pike
Senior Consultant
Strategic Solutions Northwest
dpike@ssnwllc.com

stefanmaier

Hi Dan,

consider about attaching a web application firewall (aka web shield) in front of your TS server.
Contrary to classic firewalls or intrusion detection systems a WAF scans all service layer communications.
They are capable of preventing attacks by blocking forbidden requests to your TS server.

Stefan

Migrateduser

Thanks, Stefan! This is good stuff. Here's an Open Source WAF for Apache called "modsecurity": http://www.modsecurity.org/ . Maybe we'll give it a try.

Dan Pike
Senior Consultant
Strategic Solutions Northwest
dpike@ssnwllc.com

Gregg Faus

We run TeamSite on a public URL since most of our customers aren't within our organization. We only have port 80 open for the CC web app and a few outbound IPs for port 21 specific traffic (used to deploy content to outside web hosting firms via OD adapter).

Error.JPG

We run MP and have it open to the Net as well. If you are concerned after you set it up and lock it down, run a snort server and monitor your traffic.