I want to allow everyone on the Internet to just be able to browse an IIS6.0 website (running on its own website not the Default Website), published behind ISA 2004 (very easy and I've accomplished this without any problems thousands of times). Now here's the part that' stumping me....And, at the same time, from the Internet, I want to allow users who have domain accounts in the domain that the webserver is a part, who are authenticated securely (read Basic Authentication encapsulated in HTTPS via SSL or otherwise) to be able to publish via FrontPage, SharePoint Designer, Expression Web or FTP (from the Internet not VPNing in). Summarily said: Allow Anonymous Users to browse only via HTTP, and securely authenticated users to be able to publish to the website via FrontPage, etc...both at the same time.
IIS6 running on W2K3 Server SP2 with FrontPage Extensions 2002 enabled on www.webiste.com (fake name of website that I'm trying to accomplish the objective on);
Root Certificate Authority (offline but has signed an Issuing Certificate Authority's certificate);
Issuing Certificate Authority online and has issued a certificate to www.website.com;
ISA Server 2004 at edge with two NICs (one INTRAnet facing and INTERnet facing) and has the Root CAs certificate in the Local Computer Trusted CAs certificate store and the www.website.com certificate in the Local Computer Personal store;
Two Active Directory domain controllers;
PKI Support Site published via ISA 2004;
Static IPs on external interface of ISA 2004;
FrontPage 2002 Server Extensions installed on IIS 6 www.website.com and Extended thereon;
Anonymous Access enabled in FrontPage 2002 Server Extensions Administration Site (from now forward called "Administration Site") for a role created therein called Web Browsers (who were only assigned to the Web Design right "Browse" only ). That group was assigned as the Anonymous Access user through the Administration site for the www.webiste.com site;
Administration Site role called Web Authors assigned to all the Web Design Rights (except "Set Source Control"), and this role was assigned to the domain group "domain\Web Publishers";
Domain\Web Publishers group assigned Modify rights to the directory and files therein where the www.website.com is located;
IIS 6 currently set to port 80 and/or 443 for www.website.com with Basic Authentication checked and www.webiste.com self-signed certificate installed with certificate chain to Root CA all showing perfectly - green check marks accross the board;
ISA Server 2004 publishing rule for both HTTP/HTTPS with Listener set to port 80 (I've also set it back and forth to 80 and/or 443 when trying to make this work but now its just on port 80) brigded to internal web server on port 80 (again, I've also set bridging back and forth to 80 and/or 443 when trying to make this work but now its just on port 80);
Listener currently set just to Basic Authentication and not requiring SSL Authentication (yes I know that's insecure and my objective as stated above is to make it work securly and at the same time allow Anonymous browsing;
I can either only seem to configure IIS and ISA to securely prompt for authentication via Basic Authentication going to https://www.website.com using SSL briding (which isn't the only thing I want as I want for everyone on the Internet to be able to browse anonymously) or only allow for Anonymous Access to http://www.webiste.com (which isn't the only thing that I want as I want persons in the Domain\Web Publishers group, from the Internet, to be able to publish and transfer files to the web server after they are securly authenticated by being prompted for username and password (securely - read Basic Authentication but encapsulated in an HTTPS stream via SSL).
Can anyone assist me with the configuration I need on the IIS/Administration Site side and the ISA Server Publishing rule/listener side to make this configuration work? Gift certificate for Ruths Chris Steak House ($100 value) to the person that helps me make it work! Or just let me know that its not possible.
Interesting problem. Does the client you want to authenticate need to connect to a specific directly to log on? Maybe you can create a rule that requires authentication in order to access that or those specific directory or directories.