We have a TabletPC application used by remote, roaming users who only have
Internet access. We would like to place the deployment site on our Internet
so they will be able to apply updates, however the issue of security for
ClickOnce seems not to have been considered by Microsoft for some odd reason
(considering that Microsoft has, in theory, become so security conscience
these days). For example, we would like the users to be authenticated prior
to applying updates. This can be somewhat dicey because we do not have AD
for our internal network users in the DMZ, even if it could be done at all
(which appears to not be the case).

Has anyone faced this issue and, if so, how did you go about solving it?

Nope, we use AD to enforce this stuff. That said,
if you open up the default.htm generated by
clickonce, you'll see it ain't doing a whole lot.

You could easily do away with default.htm
and replace it with a .asp or .aspx page
that incorporates your own authentication.

You'd have to tweak stuff to hide the folders and
files. But, it could definitely be done.

P.S. I think MS is really heavily on AD if
you want something like this locked down.

You could also make the site only accessible
from inside your network.

--
Robbe Morris - 2004-2006 Microsoft MVP C#
Earn money answering .NET questions
http://www.eggheadcafe.com/forums/merit.asp





"Thirsty Traveler" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We have a TabletPC application used by remote, roaming users who only have
> Internet access. We would like to place the deployment site on our
> Internet so they will be able to apply updates, however the issue of
> security for ClickOnce seems not to have been considered by Microsoft for
> some odd reason (considering that Microsoft has, in theory, become so
> security conscience these days). For example, we would like the users to
> be authenticated prior to applying updates. This can be somewhat dicey
> because we do not have AD for our internal network users in the DMZ, even
> if it could be done at all (which appears to not be the case).
>
> Has anyone faced this issue and, if so, how did you go about solving it?
>

I would prefer to limit it to the inside network, but unfortunetly our
TabletPC's are being used by remote staff throughout the country. For SOX
reasons, we are not allowed to give them VPN access to our internal network.

"Robbe Morris [C# MVP]" <(E-Mail Removed)> wrote in message
news:uP5u%(E-Mail Removed)...
> Nope, we use AD to enforce this stuff. That said,
> if you open up the default.htm generated by
> clickonce, you'll see it ain't doing a whole lot.
>
> You could easily do away with default.htm
> and replace it with a .asp or .aspx page
> that incorporates your own authentication.
>
> You'd have to tweak stuff to hide the folders and
> files. But, it could definitely be done.
>
> P.S. I think MS is really heavily on AD if
> you want something like this locked down.
>
> You could also make the site only accessible
> from inside your network.
>
> --
> Robbe Morris - 2004-2006 Microsoft MVP C#
> Earn money answering .NET questions
> http://www.eggheadcafe.com/forums/merit.asp
>
>
>
>
>
> "Thirsty Traveler" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> We have a TabletPC application used by remote, roaming users who only
>> have Internet access. We would like to place the deployment site on our
>> Internet so they will be able to apply updates, however the issue of
>> security for ClickOnce seems not to have been considered by Microsoft for
>> some odd reason (considering that Microsoft has, in theory, become so
>> security conscience these days). For example, we would like the users to
>> be authenticated prior to applying updates. This can be somewhat dicey
>> because we do not have AD for our internal network users in the DMZ, even
>> if it could be done at all (which appears to not be the case).
>>
>> Has anyone faced this issue and, if so, how did you go about solving it?
>>
>
>

Thirsty Traveler wrote:
> I would prefer to limit it to the inside network, but unfortunetly our
> TabletPC's are being used by remote staff throughout the country. For SOX
> reasons, we are not allowed to give them VPN access to our internal network.

I have to ask; what specifically in SOX disallows you from giving VPN
access to your internal network? It would seem rather odd that SOX
suddenly makes the use of VPN illegal...

It is not illegal, but VPN access is tightly controlled and much more
difficult to get approval.

"Andy" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thirsty Traveler wrote:
>> I would prefer to limit it to the inside network, but unfortunetly our
>> TabletPC's are being used by remote staff throughout the country. For SOX
>> reasons, we are not allowed to give them VPN access to our internal
>> network.
>
> I have to ask; what specifically in SOX disallows you from giving VPN
> access to your internal network? It would seem rather odd that SOX
> suddenly makes the use of VPN illegal...
>