Planning on deploying an Extranet on SharePoint? Before you open up your internal site to your partners, consider the security, confidentiality, authentication and licensing implications.
Deploying an Extranet on SharePoint
1. Deploying a SharePoint Extranet
By Alan Marshall
Twitter: pomealan
Linkedin: http://nz.linkedin.com/pub/alan-marshall/3/980/267
Acknowledgements: Chandan Banerjee and Wayne Ewington (Microsoft)
2. Session Agenda
— Extranet Definition
— Implementation Scenarios
— Design Considerations and Challenges
— Deployment topologies
— Which SharePoint version and licenses
— Hints and Tips
— Wrap up
3. What is an Extranet?
ex-tra-net [ek-struh-net]
— Noun
An intranet that is partially accessible to authorized persons outside of a company or organisation.
A network (as of a company) similar to an intranet that also allows access by certain others (such as customers or suppliers).
4. Implementation Scenarios
Remote Access
• Employees working remotely
• Teleworkers
• Student Portal
Share secure information
• Provide reports to suppliers
• Display order tracking
• Specialised content
Collaborate with Partners
• Design a solution
• Request support
Personalised Customer Portal
• View loyalty card transactions
• Reward schemes
5. Design Considerations and Challenges
— Authentication
— Single Sign-on
— Managing accounts
— Security
— Sensitivity of data
— Protect against resources being compromised
— SharePoint Platform
— How much do you trust external users
— Platform deployment requirements
— Features required
— Which version of SharePoint? Foundation, Server, Enterprise
— Integration
— License Costs
— Network infrastructure
6. Implementation Options
— Option 1 – Provide access to internal SharePoint Server
— Remote Employees
— Partners
— Option 2 – Publish content to an external environment
(read only)
— Share secure information
— Remote Employees
— Partners
— Option 3 – Provide an Extranet Farm dual authenticated
— Share secure information
— Partners
— Customer Portal
— Option 4 – Host in the cloud
— Partners
— Customer Portal
7. Option 1 – Perimeter Proxy
[Diagram: Internet (Remote Employees; Unknown User Device with Virus Scanner and Private Browsing) -> Perimeter Firewall -> DMZ (TMG Server) -> LAN Firewall -> Internal Network (SharePoint Farm, authentication against internal AD). HTTPS from the client to the perimeter and to TMG, HTTP from TMG to the farm; unauthenticated traffic reaches the DMZ.]
• Threat Management Gateway (TMG) acts as a reverse proxy translating external encrypted traffic to the internal SharePoint server.
• Firewall ports required: 443 externally and 80 on the internal LAN firewall.
• Authentication occurs on the SharePoint Web Front Ends with internal AD.
8. What’s TMG
— Threat Management Gateway
— Formerly ISA Server
— Forefront TMG server features
— URL filtering
— antimalware inspection
— intrusion prevention
— application- and network-layer firewall
— HTTP/HTTPS inspection in a single solution
— Reverse Proxy HTTP – HTTPS
— Authentication – including 2 phase
9. Option 1a – Perimeter Proxy with RODC
[Diagram: Internet (Remote Employees; Unknown User Device with Virus Scanner and Private Browsing) -> Perimeter Firewall -> DMZ (TMG Server, RODC Server) -> LAN Firewall -> Internal Network (SharePoint Farm, Active Directory). HTTPS to the perimeter and to TMG, HTTP from TMG to the farm; authentication at TMG against the RODC; secure account replication from internal Active Directory to the RODC.]
• TMG performs authentication and acts as a reverse proxy translating external encrypted traffic to the internal SharePoint server.
• Firewall ports required: 443 externally and 80 on the internal LAN firewall, plus ports for IPSec.
• Authentication occurs on the TMG Server with the Read Only Domain Controller (RODC).
• Accounts replicated to the DMZ:
• Subset of attributes
• Admin accounts excluded
• No updates permitted
• Windows 2008 feature
10. What’s an RODC
— Read Only Domain Controller
— Windows Server 2008
— Removes the need for a trust between domains
— Limits which accounts and attributes are replicated
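As an added check (not part of the deck) for the "admin accounts excluded" requirement on the DMZ RODC in Options 1a and 1b: this PowerShell audit, run from a domain-joined admin workstation with the ActiveDirectory RSAT module, lists privileged accounts whose secrets have actually been cached on the RODC rather than only inspecting the configured Allowed list. The RODC hostname and the group list are placeholders.

```powershell
# Added example, not from the deck: audit a DMZ RODC to confirm that no privileged
# account has had its password cached on it ("admin accounts excluded").
# Assumes the ActiveDirectory RSAT module; RODC name and group list are placeholders.
Import-Module ActiveDirectory

$rodc = 'DMZ-RODC01'                           # placeholder hostname of the DMZ RODC
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Build the set of SIDs that must never be cached on the RODC (nested membership included).
$privilegedSids = @{}
foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        ForEach-Object { $privilegedSids[$_.SID.Value] = $g }
}

# Accounts whose secrets are actually stored on the RODC, i.e. what is exposed if the
# DMZ host is compromised, as opposed to the configured Allowed list.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

$findings = foreach ($acct in $revealed) {
    if ($privilegedSids.ContainsKey($acct.SID.Value)) {
        [pscustomobject]@{
            Account       = $acct.SamAccountName
            PrivilegedVia = $privilegedSids[$acct.SID.Value]
        }
    }
}

if ($findings) {
    Write-Warning ("{0} privileged account(s) cached on {1}" -f @($findings).Count, $rodc)
    $findings | Format-Table -AutoSize
    # Remediation: add the principal to the RODC's Denied list and reset its password.
} else {
    Write-Host "OK: no privileged account secrets cached on $rodc"
}
```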
11. Option 1b – Perimeter Proxy with RODC and UAG
[Diagram: Internet (Remote Employees) -> Perimeter Firewall -> DMZ (UAG Server, RODC Server) -> LAN Firewall -> Internal Network (SharePoint Farm). HTTPS to the perimeter and to UAG, HTTP from UAG to the farm; authentication at UAG against the RODC; secure account replication from internal AD to the RODC.]
• Unified Access Gateway (UAG) replaces TMG: it performs authentication and user privilege throttling, and acts as a reverse proxy translating external encrypted traffic to the internal SharePoint server.
• Firewall ports required: 443 externally and 80 on the internal LAN firewall, plus ports for IPSec.
• Authentication occurs on the UAG Server with the Read Only Domain Controller (RODC).
• Accounts replicated to the DMZ:
• Subset of attributes
• Admin accounts excluded
• No updates permitted
12. UAG
— Unified Access Gateway
— Spin-off of ISA Server
— Remote Access to SharePoint and/or Exchange.
— granular application filtering capabilities
— deep endpoint health detection
— wizard driven configuration
— Comprehensive Remote Access (SSL VPN)
— DirectAccess
13. Option 2 – Publish content
[Diagram: Internet (External People) -> Perimeter Firewall -> DMZ (TMG Server; new SharePoint Server(s), SQL Server and DMZ AD in a separate domain) -> LAN Firewall -> Internal Network (SharePoint Farm, Active Directory). HTTPS from the client through TMG to the DMZ farm; content deployment from the internal farm to the DMZ farm; authentication against DMZ AD; integration options to back-end systems.]
• Threat Management Gateway (TMG): authentication and reverse proxy.
• Firewall ports required: central admin port outbound (for content deployment) and 443 externally.
• All or part of the intranet is content-deployed to the DMZ server.
• Limited integration with back-end systems.
• New SharePoint Farm: same version as internal; separate domain and SQL; no single sign-on for internal users.
14. Option 3 – Extranet Farm dual authenticated
[Diagram: Internet (External People) -> Perimeter Firewall -> DMZ (UAG Server; separate SharePoint Server(s); Extranet AD or AD LDS in the DMZ; SQL Server on its own network layer) -> LAN Firewall -> Internal Network (Internal Users, Active Directory). HTTPS from external users through UAG, HTTP inside the DMZ; external users authenticate by LDAP against the extranet directory, internal users against internal AD; accounts replicated from internal AD; shared SQL environment not supported.]
• Unified Access Gateway (UAG): authentication. Note that TMG does not support forms hand-off.
• Firewall ports required for IPSec AD replication.
• All content accessed by internal and external users is hosted in the DMZ.
• Data layer (SQL) is separated into another network layer.
• No content sharing (use workflow or a third-party tool).
• Give consideration to IA for usability.
• SharePoint 2010 configured for claims authentication.
15. Option 3a – Extranet Farm dual authenticated with ADFS
[Diagram: Internet (Corp A with its own ADFS 2.0 Server; External People) -> Perimeter Firewall -> DMZ (UAG Server; SharePoint Server(s); SQL Server; ADFS 2.0 Proxy Server; DMZ AD holding replicated service accounts) -> LAN Firewall -> Internal Network (Internal Users, ADFS 2.0 Server, Active Directory). HTTPS end to end; all user authentication passes through UAG and is handed off by ADFS.]
• Unified Access Gateway (UAG): all access and authentication.
• Firewall ports required for IPSec AD replication and ADFS port 443.
• All content accessed by internal and external users is hosted in the DMZ.
• Data layer (SQL) is separated into another network layer.
• ADFS server hands off authentication to internal AD or partner AD.
16. Option 4 – use the cloud
[Diagram: Internet (Remote Employees; SharePoint cloud service) -> Perimeter Firewall -> Internal Network (Internal Users, Internal AD). HTTPS to the cloud service; secure account replication from internal AD.]
— All content stored in SharePoint cloud service
— Internal users authenticated against replicated AD
— External users use Windows Live ID
— Content Sharing
- Use workflow or third party tool
- Content deployment not supported
17. Which SharePoint version
(Each entry: version; applicable to; deployment option; licences)
— SharePoint Foundation (or Search Server Express); collaboration solutions; Options 3 – 4; Windows External Connector, SQL CPU
— SharePoint Server 2010 Std; portals with WCM, profiles, intranet publishing; Options 3 – 4, Option 1 for read only; SharePoint Std CAL, SQL CPU or CAL
— SharePoint Server 2010 Ent; same as Std plus form services, BI and FAST; Option 3; SharePoint Std+Ent CAL, SQL CPU or CAL
— SharePoint Server 2010 FIS; anonymous or unknown user base; Options 3 – 4; SharePoint FIS, SQL CPU
18. Component Parts
— DMZ
— Unified Access Gateway
— Threat Management Gateway
— SharePoint Foundation
— SharePoint Server
— Standard
— Enterprise
— Active Directory
— Active Directory Lightweight Directory Services
— Active Directory Federated Services
— SQL Server
— IPSec
19. Hints and Tips
— When using an RODC with a SharePoint member server, direct access to a writable domain controller (RWDC) is required to:
— Find a user who does not yet exist in a SharePoint site using the People Picker
— Create a new farm by creating a new configuration database
— Run the PSConfig wizard to maintain/upgrade SharePoint
— Create site collections
— AD attribute filtering is not per RODC, so it affects the whole network, including branches that have an RODC
— The Profile service does not support LDAP import. See option 3
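An added PowerShell check (not from the deck) for the first hint: before creating a farm, running PSConfig or creating a site collection from a SharePoint member server that normally sits behind the DMZ RODC, confirm which DC the server is using and that a writable DC is reachable through the LAN firewall. The domain name is a placeholder and the port list is an assumed typical set of AD client ports, not one the deck specifies.

```powershell
# Added example: confirm a SharePoint member server behind an RODC can reach a writable
# DC (RWDC) before farm creation / PSConfig / site collection creation. Not from the deck.
# Assumes the ActiveDirectory RSAT module; domain name and port list are assumptions.
Import-Module ActiveDirectory

$domain    = 'corp.example.com'        # placeholder: domain the SharePoint server is joined to
$rwdcPorts = 88, 135, 389, 445, 636    # assumed typical AD client ports: Kerberos, RPC, LDAP, SMB, LDAPS

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # .NET TcpClient rather than Test-NetConnection so this also runs on Windows 2008 R2.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Which DC does the locator hand this server, and is it read-only?
$located = Get-ADDomainController -Discover -DomainName $domain
$current = Get-ADDomainController -Identity "$($located.HostName)"
Write-Host ("Locator DC: {0}  IsReadOnly: {1}" -f $current.HostName, $current.IsReadOnly)

# 2. Explicitly locate a writable DC; the operations listed in the hints must go there.
$rwdc     = Get-ADDomainController -Discover -DomainName $domain -Writable
$rwdcName = "$($rwdc.HostName)"
Write-Host "Writable DC: $rwdcName"

# 3. Check that the LAN firewall actually lets the member server reach it.
$blocked = foreach ($port in $rwdcPorts) {
    if (-not (Test-TcpPort -ComputerName $rwdcName -Port $port)) { $port }
}
if ($blocked) {
    Write-Warning ("{0}: ports blocked by firewall: {1}" -f $rwdcName, ($blocked -join ', '))
} else {
    Write-Host "OK: $rwdcName reachable on all checked ports; PSConfig/farm creation can proceed"
}
```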
20. Wrap up
— Decide what functionality you require
— Pick appropriate version of SharePoint
— Understand the limitations
— Design deployment of appropriate option
— Consider test environments in the same configuration as production; the security of components is usually the issue