Matrix, Intranet, and DMZ ... oh my?

I was hoping not to have to deal with this just yet, but hey, we don't always get what we want, do we? :slight_smile:


I have heard that a few Squiz clients are running both intranet and internet sites out of the same Matrix install, and this is what we are now wanting to do.



So first off, is what I have heard accurate? Can internet and intranet sites both be run off the same install securely? If so, is there any recommended way of doing it?



At this point I am thinking of putting a Squid box on the DMZ, the Matrix box internal, and having a pinhole punched in the firewall between them. The Squid box would then only route externally available requests to the Matrix box; all requests for the internal content would have to come from inside the firewall.



I haven't talked to our sys admins about this idea yet, so if there is a better setup out there, or something major I have missed, then I would prefer to find out before I talk to them.



Thanks

Ryan

That's how we usually do it. Having them both on the same box is obviously not quite as secure as having them on separate physical hardware, but if you take good care to ensure that the Intranet content cannot be served to the Internet, you should be good.


Something you can do is use Apache's allow/deny to deny access to the intranet virtual host from the Squid box.
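As an added illustration of the allow/deny approach described in the reply above (this is example configuration, not config posted in the thread or shipped with Matrix): two name-based virtual hosts point at the same Matrix document root, and only the intranet one carries an address restriction. The Matrix path, the hostnames, the Squid box address 192.0.2.10 and the internal range 10.0.0.0/8 are all assumed for the example.

```apache
# Added example, not from the thread. Paths, hostnames and addresses are assumed.
# Matrix root:      /home/websites/mysource_matrix   (assumed)
# DMZ Squid box:    192.0.2.10                        (assumed)
# Internal LAN:     10.0.0.0/8                        (assumed)
NameVirtualHost *:80

# Public site. Apache answers requests whose Host header matches no ServerName
# with the FIRST vhost defined, so the public site (never the intranet) must come first.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /home/websites/mysource_matrix
    <Directory /home/websites/mysource_matrix>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# Intranet site: reachable only from internal addresses, with the DMZ Squid box
# denied explicitly so a misconfigured proxy rule cannot leak it outwards.
<VirtualHost *:80>
    ServerName intranet.example.com
    DocumentRoot /home/websites/mysource_matrix
    <Directory /home/websites/mysource_matrix>
        Order allow,deny
        Allow from 10.0.0.0/8
        Deny from 192.0.2.10
        # Apache 2.4 replaces allow/deny with mod_authz_core:
        #   <RequireAll>
        #       Require ip 10.0.0.0/8
        #       Require not ip 192.0.2.10
        #   </RequireAll>
    </Directory>
</VirtualHost>
```

The check worth running after deploying this is from the Squid box itself: a request to the Matrix server with `Host: intranet.example.com` should return 403, and one with a made-up Host header should land on the public site, not the intranet. On the Squid side, restricting what it will forward (for example an `acl` on `dstdomain www.example.com` with `http_access` allowing only that) keeps the proxy from relaying arbitrary Host headers in the first place, so the Apache deny becomes a second layer rather than the only one.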

So I am on the right track then. That is always good to know.


Thanks

[quote]So I am on the right track then. That is always good to know.


Thanks[/quote]



The only addition that we are using to this is that we use a Layer 7 (BIG-IP) switch to interrogate incoming requests before they reach any server. In this way we can manage where https traffic goes separately to http. Another advantage of the layer 7 switch is the use of iRules, which allow for the parsing and intelligent processing of the http request (and its uri component).



For example, our migration from static to CMS requires that our content is spread across both environments. Traffic flow is managed via the switch so the client never knows if their request is being served via the CMS or the old static site. Secure traffic is routed to our reverse proxy layer which in turn routes traffic to the CMS. In the CMS we have a separate site asset that manages our Intranet content. This seemed to be the best way to separate http and https content, for both management and for security…



Let us know how you go…our CMS Intranet is still very young and developing each day…(although we have an existing mature Portal Intranet/Application environment that is serviced by the PeopleSoft product).



A
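An added example of the kind of iRule the post above describes (this is illustrative code, not the poster's actual iRule or an F5-supplied one): attached to the Internet-facing HTTP virtual server, it refuses any request addressed to the intranet hostname and otherwise picks a pool by URI, so the client sees one site whether the page lives on the legacy static server or in the CMS. The pool names, the hostname and the `/legacy/` path prefix are assumed. The separate HTTPS virtual server needs no iRule for this scheme: its default pool is simply the reverse proxy layer.

```tcl
# Added example, not from the thread. Pool names, hostname and paths are assumed.
#   static_pool  - the old static web servers        (assumed)
#   cms_pool     - the Matrix box(es)                (assumed)
when HTTP_REQUEST {
    # Defence in depth: the intranet site must never be reachable through an
    # Internet-facing virtual server, whatever the back-end Apache config says.
    if { [string tolower [HTTP::host]] equals "intranet.example.com" } {
        HTTP::respond 403 content "Forbidden"
        return
    }

    # Content not yet migrated stays on the static servers; everything else
    # goes to the CMS. The URI is left untouched, so the split is invisible
    # to the client.
    if { [HTTP::uri] starts_with "/legacy/" } {
        pool static_pool
    } else {
        pool cms_pool
    }
}
```

Matching on `HTTP::host` rather than on the virtual server's address is what makes the intranet check hold even if someone later adds a DNS record or a wildcard certificate that points the intranet name at the public virtual server.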