Hi Portal Community, I need your collective help!
I have the following scenario:
- Single SAP NW Portal (7.31)
- Two sets of users "Internal" and "External"
- SAP Web Dispatcher as a reverse proxy/application gateway in a DMZ
- Two URLs http://portal.internal.com/irj/portal (internal) and http://portal.external.com/irj/portal (external) resolving to the same portal system
To start with, internal users should only be allowed to access the portal when they are on the corporate network - they should not be allowed to log on via the external URL (e.g. when they go home or are out of the office).
At some point in the future, internal users will be given limited access to certain content via the external URL (but not all the content they have when accessing via the internal URL). For example, they may be able to see corporate news and check their payment summary externally, but they won't be allowed access to change their bank details.
I spent some time thinking about this and did some searching for similar scenarios:
Portal Filter ID Tips and Tricks from Tobias Hofmann
I have come to the conclusion that in order to block access for internal users on the external URL I would need to write a custom login module (JAAS module) that would check the URL (or URL alias) and if using the external URL it would check that the user was assigned to a certain UME group (e.g. External Users Group). If the user wasn't in the group it would fail the log on attempt. The other option is a separate portal (but I would like to avoid that if possible).
Once internal users are given access via the external URL I thought about using the Filter ID feature of the portal to filter out any top level entry points that should not be shown to the user. The problem with this is that it only filters the entry point, it doesn't actually block access. If the user has for example saved a portal favourite to a filtered area they can still use that favourite to access it.
So I throw it open to you guys and gals... please make suggestions and help me brainstorm this.
Thanks in advance,
Simon
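
The login-module check described in the post, sketched with the standard JAAS interfaces only; this is an added example, not part of the original post and not SAP's API. `GroupLookup`, the option names and the use of a `TextInputCallback` to carry the request host are assumptions made for illustration; on the portal the group check would be backed by the UME and the host would have to come from a value the Web Dispatcher controls.

```java
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
/** Gate module: refuses logon on any non-internal host unless the user is in the external group. */
public class ExternalAccessLoginModule implements LoginModule {
    /** Hypothetical directory lookup (assumption); on the portal this would query the UME. */
    public interface GroupLookup { Set<String> groupsOf(String user); }
    private CallbackHandler handler;
    private String internalHost, externalGroup; // module options, e.g. portal.internal.com
    private GroupLookup lookup;                 // assumption: supplied through the options map

    @Override
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        handler = h;
        internalHost = (String) options.get("internalHost");
        externalGroup = (String) options.get("externalGroup");
        lookup = (GroupLookup) options.get("groupLookup");
    }
    @Override
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user");
        // Assumption: the handler answers this prompt with the host the request arrived on,
        // taken from a value the reverse proxy sets rather than from a client-supplied header.
        TextInputCallback host = new TextInputCallback("request-host");
        try {
            handler.handle(new Callback[] { name, host });
        } catch (Exception e) {
            throw new LoginException("cannot read logon context: " + e.getMessage());
        }
        if (name.getName() == null || host.getText() == null) {
            throw new FailedLoginException("missing user or host"); // fail closed
        }
        // Drop an optional ":port" suffix before comparing host names.
        String hostName = host.getText().trim().replaceFirst(":\\d+$", "");
        // Anything that is not exactly the internal host is treated as external.
        boolean internal = internalHost.equalsIgnoreCase(hostName);
        if (!internal && !lookup.groupsOf(name.getName()).contains(externalGroup)) {
            throw new FailedLoginException("external logon not permitted");
        }
        return true;
    }
    @Override public boolean commit() { return true; }
    @Override public boolean abort()  { return true; }
    @Override public boolean logout() { return true; }
}
```

The module only gates logon and is meant to sit after the module that verifies the credentials. It does not address the second concern in the post: content reached through a saved favourite still needs an authorization check at access time.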