
I have a .NET web application running on IIS behind the firewall.
The application uses Windows authentication (NTLM) to authenticate users.
I need to make this application accessible from the Internet so that:

  • When a user tries to access the application, a login form is shown, generated by [Reverse Proxy].
  • The user enters a login and password and submits the form.
  • [Reverse Proxy] matches the external credentials to Windows credentials; we are OK with storing Windows domain logins and passwords in some DB.
  • [Reverse Proxy] provides access to the web application using the provided credentials.

To be clear, I do not want NTLM passthrough to the user; I need [Reverse Proxy] to speak to IIS on the user's behalf instead. The user may enter different credentials, or may use another authentication type (Google, FB etc.), and [Reverse Proxy] will match the external account to the internal one. E.g. employees will configure the external accounts they want to use to access the intranet portal.

What are my options?
Can I use Nginx or Squid to implement such a scenario with the help of a custom module / plugin?
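As an added example, not code from the question or from any of the answers below: the proxy-side logic that the four steps above require, written in Python with only the standard library. It verifies the external form login against a PBKDF2 hash, issues an HMAC-signed, expiring session cookie, maps a valid cookie back to the stored Windows account, and builds the credentials for the hop to IIS. The accounts, the CORP domain, the token lifetime and the login path are made up. The upstream hop is shown with HTTP Basic because the standard library has no NTLM client; real NTLM from the proxy would need a library such as requests_ntlm, which is an assumption and not something this page confirms. This is also the piece the third answer warns about: the mapping table holds domain passwords, so whatever host runs it is the path from the DMZ into the internal network.

```python
# Added example (not from the question or answers): credential mapping and
# session handling for a forms-login reverse proxy in front of an NTLM site.
# Accounts, domain name, token lifetime and paths are made up.
import base64
import hashlib
import hmac
import os
import secrets
import time

# Proxy-side key that signs session cookies. Generated per process here;
# a real gateway would load it from a secret store.
SESSION_KEY = secrets.token_bytes(32)
SESSION_TTL = 3600          # seconds a login stays valid
SIG_LEN = 32                # HMAC-SHA256 digest length


def hash_password(password, salt, rounds=200_000):
    """PBKDF2-HMAC-SHA256 for the *external* password the proxy verifies."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_record(external_pw, domain_user, domain_pw):
    """One row of the mapping table: external login -> Windows account.
    The domain password is kept as-is, as the question allows; everything
    stored here is what an attacker gets if the proxy host is compromised."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(external_pw, salt),
            "domain_user": domain_user, "domain_pw": domain_pw}


# Constructed stand-in for the credential-mapping DB (made-up account).
ACCOUNTS = {
    "alice@example.com": make_record("ext-s3cret", r"CORP\alice", "WinPass!1"),
}


def issue_token(external_user, now=None):
    """Signed, expiring session token: 'user|expiry' followed by its HMAC."""
    exp = int(now if now is not None else time.time()) + SESSION_TTL
    payload = f"{external_user}|{exp}".encode()
    sig = hmac.new(SESSION_KEY, payload, "sha256").digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def login(external_user, external_pw):
    """Step 2 of the flow: verify the form credentials; token or None."""
    rec = ACCOUNTS.get(external_user)
    if rec is None:
        hash_password(external_pw, b"\x00" * 16)   # same cost for unknown users
        return None
    if not hmac.compare_digest(hash_password(external_pw, rec["salt"]), rec["hash"]):
        return None
    return issue_token(external_user)


def resolve(token, now=None):
    """Step 3: map a valid session token back to the Windows credentials."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        user, exp = payload.decode().rsplit("|", 1)
        exp = int(exp)
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    expected = hmac.new(SESSION_KEY, payload, "sha256").digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if exp < (now if now is not None else time.time()):
        return None
    rec = ACCOUNTS.get(user)
    return None if rec is None else (rec["domain_user"], rec["domain_pw"])


def upstream_auth_header(domain_user, domain_pw):
    """Step 4: credentials for the proxy-to-IIS hop.
    Basic is used because it needs no extra library; that only makes sense
    over TLS with IIS configured for Basic on the internal side. For NTLM,
    replace this with a client library such as requests_ntlm's
    HttpNtlmAuth(domain_user, domain_pw) (assumed available, not stdlib)."""
    token = base64.b64encode(f"{domain_user}:{domain_pw}".encode()).decode()
    return {"Authorization": "Basic " + token}


def proxy_decision(cookie_token):
    """Per-request decision: send the user to the login form, or forward
    the request upstream with the mapped Windows credentials."""
    creds = resolve(cookie_token) if cookie_token else None
    if creds is None:
        return ("redirect", "/login")
    return ("forward", upstream_auth_header(*creds))
```

proxy_decision() is what a request handler would call for every incoming request; a real module would feed its result into the proxy's upstream request. Note that with this design the mapping DB and SESSION_KEY are the two secrets whose compromise hands an attacker every mapped domain account, which is the reason to keep the proxy host minimal and the DB reachable from nothing but it.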

3 Answers


It almost sounds like SAML or OAuth would be a good option for you. Have you looked down that path at all? Typically it's used for delegating another site's credentials, but it should work for internal sites as well. You'd probably have to build a custom front end in your DMZ though.


The fact that you want your reverse proxy to do this complicates it a bit. I do not know of any out-of-the-box proxy software that does this, but some of Juniper's VPN appliances offer a web interface that not only allows users to start a VPN connection, but can indeed also be used as such a proxy after the user has authenticated to the VPN appliance's web interface.

  • I can think of one: Microsoft Forefront TMG 2010 with forms-based authentication... sadly, they discontinued the product just before Christmas :\ Commented Apr 15, 2013 at 17:20
  • I would classify Forefront as 'similar to the above' and not as a proxy server, though. Commented Apr 15, 2013 at 17:24
  • Yes, @Mathias, we used to use ISA for a very similar task, but are now looking for a Linux-based solution, a more extendable one. We are also considering writing a module/plugin if needed. Commented Apr 15, 2013 at 20:38
  • What about Forefront Unified Application Gateway? Commented Apr 19, 2013 at 16:51

It's not a good idea to use a reverse proxy for this goal. Windows Authentication is meant to be used only in an intranet application. There are many reasons why you don't want this; some of them can be found here. The most important one is that you're opening a way from your DMZ to your internal network, which can be abused by hackers.

You should use a VPN to acquire the goal you're looking for. Here is a list of free VPN software. My personal favorite is OpenVPN.

Another possibility is to use Forms Authentication in the web application and use separate credentials for your users to log on to the web application.
