Securing ITP/OnLine

Configuring an application to run in Secure Mode is not enough to ensure security. It is not safe to expose the entire ITP/OnLine ASP.NET web application to the Internet, unless:

• All custom applications on that server have been configured to run in Secure Mode, and have been deployed.
• The custom applications have been carefully written according the guidelines set out in the section Secure customizations, and do not contain any security vulnerabilities.
• The remainder of the server is shielded from the Internet by a firewall, or secured by some other means.
• Web URLs on the server that are outside the ITP/OnLine virtual directory are protected by the firewall, or secured by some other means.

If an ITP/OnLine installation contains Secure Mode as well as non-Secure Mode applications, it is still possible to expose the Secure Mode applications to the Internet. In this case, one must place a firewall between ITP/OnLine ASP.NET and the Internet which exposes only the URLs that belong to the Secure Mode applications, and no other URLs.

If the custom applications contain ASP.NET (aspx) pages that use ASP.NET web controls, it may be necessary to expose the web URL /itp/WebResource.axd through the firewall; where itp is the name of the virtual directory of ITP/OnLine. This URL is used by ASP.NET to expose certain dynamically generated content. The default content and sample applications delivered with ITP/OnLine ASP.NET do not use ASP.NET web controls and therefore do not require this URL to be exposed.