Running internet and intranet on same install

Hi everyone,

I am moving our intranet onto our install of Matrix, which already has the internet as a site (as well as a couple of smaller public sites).

Just wondering what people would recommend in order to stop people outside the network seeing the intranet site. Should I just use Apache to turn them away or set something in Matrix…? Curious to know what other people are doing!

If you reject people with Apache (by IP address?) that can be a pain, as everyone will have to VPN in just to get on your intranet. I think you are using LDAP, so you could assign LDAP groups read permission and deny the public user.

That's what I thought I could do originally but since found out that all staff members would have to 'log on' to the intranet even if they have signed into Windows. :frowning:

Hi - having just read Daniel's Matrix Secrets Book (I'm in no way affiliated with matrixsecrets.com btw!), I think you should investigate running another instance of Matrix for your intranet. The number one issue seems to be file attachments - they are in a publicly accessible directory (data) that has no restrictions by default. In theory someone could access any file on your intranet (in practice they would need to know its Matrix asset id, but there's nothing stopping them adding a string to any of your sites (http://example.com/?a=1234)).

Don't shoot the messenger :slight_smile:

Bruce

Don't worry, I'm feeling too deflated to fire straight. -_-

Please note that only publicly accessible files are stored in a publicly accessible directory. Any files you have under standard intranet permissions restrictions (public read denied for example) will not ever be made public. Keep everything separated and you will be fine. Matrix is, after all, designed to work this way and you get the benefit of shared content if you need it.

Yes, but my question is how to separate it? If LDAP still requires individuals to log-in on the browser even when they are logged in to the machine then I'm going to have a hard time convincing staff to actually use it. :frowning:

Do all your other systems have no sign in? They log you in based on being logged into Windows on your internal network? You could change your session expiry settings so they log in once and it can remain valid for quite a while. If that's not OK, I suppose you either need a single sign-on solution or to split the intranet into a new install and restrict by IP (which I imagine will be problematic in itself; people will need VPN to be on the network).


If you go the LDAP route, all you'd need to do for the separation would be to create a new site asset with its own 'intranet' URL and assign permissions from there.

[quote]
Yes, but my question is how to separate it? If LDAP still requires individuals to log-in on the browser even when they are logged in to the machine then I'm going to have a hard time convincing staff to actually use it. :frowning:

[/quote]

If these credentials are shared it would require custom integration with a single sign-on solution. This is not something provided as standard with Matrix.

We are soon to implement single sign on for our other major systems so perhaps in an ideal world it will all just magically piggy-back off that! :rolleyes:

Thanks for the info folk; I am making an appointment with our project manager at Squiz so will make some plans for custom integration then.

We run our current intranet with an Apache LDAP config, so if staff are using a computer within an IP range then they are regarded as staff and they can access the site without prompts - if they are outside the IP range then they have to use their LDAP credentials to log in. Note, we don't currently have any personalised content though - if you want that then you will need to use LDAP for all (using the Matrix login screen). I guess it really depends on how secure your intranet needs to be - with 800-odd staff having full read access I have no illusion that files on our intranet are secure when anyone can save the file and email them out of the place.
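
The "inside the IP range: no prompt, outside: LDAP login" arrangement described in the post above, written out as an Apache 2.4 virtual host. This is an added example, not the poster's actual config or anything shipped by Squiz; the hostname, the 10.0.0.0/8 range, the LDAP server, base DN, bind account and group DN are all constructed placeholders. It relies on Apache 2.4's `RequireAny` container, where `Require ip` is evaluated before any authentication challenge is issued, so matching clients never see a password prompt.

```apache
# Added example (not from the thread): Apache 2.4 vhost in front of a Matrix
# intranet site. All hostnames, addresses and DNs are constructed placeholders.
<VirtualHost *:443>
    ServerName intranet.example.internal

    # Anchoring at "/" means the rule also covers whatever paths Matrix serves
    # attachments from, not just the site's pages.
    <Location />
        # Credentials, when asked for, are checked against LDAP over TLS.
        AuthType Basic
        AuthName "Intranet (staff LDAP login)"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.internal/ou=people,dc=example,dc=internal?uid?sub?(objectClass=person)" TLS
        AuthLDAPBindDN "cn=apache-reader,ou=service,dc=example,dc=internal"
        AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"
        # Group membership is resolved via the group's "member" attribute,
        # which holds full DNs (groupOfNames style).
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on

        <RequireAny>
            # Clients on the internal network are let through without a prompt.
            # If staff reach the server via a proxy, this would instead be the
            # proxy's egress address.
            Require ip 10.0.0.0/8
            # Everyone else must authenticate and be in the staff group.
            Require ldap-group cn=staff,ou=groups,dc=example,dc=internal
        </RequireAny>
    </Location>
</VirtualHost>
```

Two consequences worth knowing before relying on this: Basic authentication sends the password on every request, so the vhost must be TLS-only; and because the IP rule grants access without identifying the user, Apache passes no `REMOTE_USER` to Matrix for internal clients, which is exactly why the post notes that personalised content still needs the Matrix login.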

That's what I was thinking we could do… everyone is supposed to be going through the proxy so I thought maybe we could just limit it to that IP but then previous people started talking about needing VPN so I thought maybe that wasn't possible…

[quote]
We are soon to implement single sign on for our other major systems so perhaps in an ideal world it will all just magically piggy-back off that! :rolleyes:

Thanks for the info folk; I am making an appointment with our project manager at Squiz so will make some plans for custom integration then.
[/quote]

Just a little reminder on the single sign-on front. Our Sys Admin here in Canberra has a working Kerberos single sign-on implementation that doesn't require any development within the Matrix system. As explained to me it uses an Apache module and Matrix's ability to pass through HTTP authentication details. So it's possible - lots of work for the sys admins to set up, I believe.

(Oh yes, and an LDAP setup, of course.)
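
The Apache side of the Kerberos single sign-on the post above mentions, as an added example rather than the Canberra admin's configuration. It uses mod_auth_gssapi (the current successor to the older mod_auth_kerb); the hostname, realm, keytab path and session secret are constructed placeholders. The thread does not say how Matrix consumes the username Apache passes through, so that part is deliberately not shown.

```apache
# Added example (not from the thread or from Squiz): Kerberos/Negotiate SSO
# terminated in Apache with mod_auth_gssapi. Hostname, realm, keytab and
# secrets below are constructed placeholders.
<VirtualHost *:443>
    ServerName intranet.example.internal
    # Negotiate tokens identify the user; only ever offer it over TLS.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/intranet.example.internal.pem
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.internal.key

    <Location />
        AuthType GSSAPI
        AuthName "Intranet"
        # Keytab holding HTTP/intranet.example.internal@EXAMPLE.INTERNAL.
        # Domain-joined Windows clients present a ticket silently only for
        # hosts their browser trusts for Negotiate (e.g. the intranet zone).
        GssapiCredStore keytab:/etc/apache2/intranet.keytab
        GssapiAllowedMech krb5
        GssapiSSLonly On
        # Strip "@REALM" so REMOTE_USER is the plain username Matrix/LDAP know.
        GssapiLocalName On
        # Staff without a ticket (off-domain laptops) fall back to a password
        # prompt that is verified against the same Kerberos realm.
        GssapiBasicAuth On
        # Cache the result in an encrypted session cookie rather than
        # renegotiating on every request.
        GssapiUseSessions On
        Session On
        SessionCookieName gssapi_session path=/;httponly;secure;
        SessionCryptoPassphrase "REPLACE_WITH_LONG_RANDOM_SECRET"

        Require valid-user
    </Location>
</VirtualHost>
```

Compared with the IP-range approach, every request here carries an authenticated identity, so the downstream application can personalise content and audit access per user; the operational cost is the one the post alludes to, namely keytab and service-principal management plus browser trust configuration on the clients.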

Thanks, will bring that up on Friday. :slight_smile: