I don't know what the best thing to do is to secure my website over the internet and intranet. Some of my pages should be viewable via the internet, but all pages should keep running and be accessible via the intranet. In web.config I set the authentication mode to "WINDOWS". According to some articles, "WINDOWS authentication" is for intranets and it is not advisable to use it over the internet. Right now, I know the best thing to do is to set it to "FORMS authentication".
My problem is, how do I secure or restrict my other pages/files which are not supposed to be seen on the internet? I tried to set the IP/port, but the files can still be viewed (e.g. by typing the file directory).
You are correct that setting the authentication to "windows" is not going to work well for Internet users. Windows authentication is best for an intranet, for networks that run Windows operating systems.
If you are going to have one web application, secured by forms-based authentication, you'll force both your intranet and internet users to log in using a username and password. If there are certain pages you want to restrict access to and deny to internet users, you can do so by setting up a function that checks whether the source IP of the visitor is from within the local intranet or is a public IP from the Internet. If it's local, allow access to the page; if not, redirect the user to another page.
@JorgeM, thanks for the advice.
One more thing: if I did not modify the authentication from "windows", could I manage or control my website access using a proxy or domain host? Would it be possible to restrict which files are accessible on the internet and intranet? It's just an idea. Are these things possible?
Just about any network device that can do URL filtering would be able to take care of this... Firewalls, Forward Proxies, Reverse Proxies, to name a few. Consider... Check Point, Palo Alto, F5, NetScaler, etc. (very costly)
You can also do this in software (code), as I previously mentioned, by inspecting the source IP. You can leverage Server.Variables such as HTTP_X_FORWARDED_FOR and REMOTE_ADDR. (Free). If I were to do this in code, I would simply create a static function that takes in the IP address as a parameter, then have the function return true or false by examining the IP. In your code, you allow access to the page based on this return value.
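One way to write the static function described in the answer above, as an added C# example that is not part of the original thread. The class and method names and the proxy address 10.0.0.5 are assumptions; because HTTP_X_FORWARDED_FOR is a request header the client can set, the sketch honors it only when REMOTE_ADDR is your own reverse proxy, and it treats the IPv4 private ranges as "intranet".

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;

public static class IntranetCheck // hypothetical name, not from the thread
{
    // Assumption: address of your own reverse proxy; leave empty if none is deployed.
    static readonly IPAddress[] TrustedProxies = { IPAddress.Parse("10.0.0.5") };
    // RFC 1918 private ranges plus loopback, as (network, prefix length).
    static readonly Tuple<IPAddress, int>[] InternalRanges =
    {
        Tuple.Create(IPAddress.Parse("10.0.0.0"), 8),
        Tuple.Create(IPAddress.Parse("172.16.0.0"), 12),
        Tuple.Create(IPAddress.Parse("192.168.0.0"), 16),
        Tuple.Create(IPAddress.Parse("127.0.0.0"), 8),
    };

    // remoteAddr is REMOTE_ADDR; forwardedFor is HTTP_X_FORWARDED_FOR (may be null).
    public static bool IsIntranetClient(string remoteAddr, string forwardedFor)
    {
        IPAddress peer;
        if (!IPAddress.TryParse(remoteAddr, out peer)) return false;
        IPAddress client = peer;
        // The forwarded header is client-supplied, so it is read only when
        // the TCP peer is a proxy we operate; otherwise REMOTE_ADDR decides.
        if (TrustedProxies.Contains(peer))
        {
            if (string.IsNullOrWhiteSpace(forwardedFor)) return false; // fail closed
            // Use the right-most entry: the one our proxy appended.
            string last = forwardedFor.Split(',').Last().Trim();
            if (!IPAddress.TryParse(last, out client)) return false;
        }
        if (client.AddressFamily != AddressFamily.InterNetwork) return false; // IPv4 only
        return InternalRanges.Any(r => InRange(client, r.Item1, r.Item2));
    }

    static bool InRange(IPAddress addr, IPAddress network, int prefix)
    {
        uint mask = prefix == 0 ? 0u : uint.MaxValue << (32 - prefix);
        return (ToUInt32(addr) & mask) == (ToUInt32(network) & mask);
    }
    static uint ToUInt32(IPAddress ip)
    {
        byte[] b = ip.GetAddressBytes(); // network byte order
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }
}
```

In a page, pass `Request.ServerVariables["REMOTE_ADDR"]` and `Request.ServerVariables["HTTP_X_FORWARDED_FOR"]` and redirect when the result is false.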