Organizations planning for Extranet access to SharePoint 2010 or faced with providing access to an Intranet from multiple internal authentication platforms often find it challenging to properly architect SharePoint for extranets, to isolate content, and to manage identities across disparate systems. The complexity involved in understanding how to isolate content from a security perspective but still provide for a collaborative space for end users is complex, and if not done correctly can lead to security breaches and confusion. This session focuses on understanding the various extranet models for SharePoint 2010 and providing real world guidance on how to implement them. Covered are extranet content models and extranet authentication options, including advanced options using tools such as Microsoft's Forefront Identity Manager (FIM) 2010 to centralize identity management to SharePoint 2010 farms, allowing for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers.

1. Planning Extranet Environments with SharePoint 2010 Michael Noel Convergent Computing (CCO.com) @MichaelTNoel

2. Michael Noel Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007 Unleashed,” “SharePoint 2003 Unleashed”, “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed”, “ISA Server 2006 Unleashed”, and many other titles . Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco Bay Area based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security

3. What we’ll cover Why an Extranet? SharePoint 2010 Extranets Extranet Architecture Options Claims-based Authentication Forefront Unified Access Gateway (UAG) for extranets Forefront Identity Manager for Identity Management in an Extranet

4. Why an Extranet?

5. Why an Extranet? Security Isolation Isolation of Data Less Exposure, Perimeter Network Scenarios Partner Collaboration Share SP Content with External Partners Control Partner Accounts Anonymous Customer Scenarios are not really Extranets

6. SharePoint 2010 Extranets Claims-based Authentication Support Multiple Authentication Providers Better Scalability (Services Architecture) Goodbye SSP! Server Groups Services Applications Multiple Authentication Types per Web Application

7. Sample Extranet Architecture

8. Design around Security Requirements Less Secure More Secure Scenario 1: Extranet and Internal Users in Single Farm 1A: Single Web App / Single Site Collection 1B: Single Web App / Separate Site Collections 1C: Multiple Web Apps / Content DBs 1D: Separate App Pool / Service App Group Scenario 2: Extranet and Internal Users in Single Farm / Separate Trusted Forests Scenario 3: Extranet and Internal Users in Multiple Farms / One-Way Trust Scenario 4: Extranet an Internal Users in Separate Farms / Claims-based Authfor Internal Access to Extranet Scenario 5: Extranet an Internal Users in Separate Farms / No Access for Internal Accounts to Extranet Scenario 6: Separate Farms / AD FS Federation for Extranet Auth

9. Extranet Scenario 1:Extranet and Internal Users in Single Farm 1A: Single Web App / Single Site Collection 1B: Single Web App / Separate Site Collections 1C: Multiple Web Apps / Content DBs 1D: Separate App Pool / Service App Group

10. Extranet Scenario 2:Extranet and Internal Users in Single Farm / Separate Trusted Forests

11. Extranet Scenario 3:Extranet and Internal Users in Multiple Farms and Perimeter Network / One-Way Trust

12. Extranet Scenario 4:Extranet an Internal Users in Separate Farms / Claims-based Auth Provider for Internal Auth to Extranet

13. Extranet Scenario 5:Extranet an Internal Users in Separate Farms / No Access for Internal Accounts to Extranet

14. Extranet Scenario 6:Separate Farms / AD FS Federation for Extranet Auth

15. Extranet Notes

16. One-Way Trust Scenarios People Picker needs to be configured to crawl domain if it doesn’t trust the domain where the SharePoint farm is installed. Only with STSADM (Rare exception when you can’t use PowerShell) Example Syntax: stsadm.exe -o setapppassword -password AnyPassw0rd stsadm.exe -o setproperty -pnpeoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABCvc_sppplpick,Password1;domain:extranetabc.com" -url https://extranet.companyabc.com stsadm.exe -o setproperty -pnpeoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABCvc_sppplpick,Password1;domain:extranetabc.com" -url https://spcaext.companyabc.com Syntax is critical Run against all web apps

17. Design for Clientless Access to SharePoint Services Applications for Extranet Clients: Word Services Excel Services Visio Services Access Services InfoPath Forms Services Allows ‘Clientless’ access to SharePoint content, for Extranet partners without Office

18. Standard Requirements Apply to Extranets as well SharePoint-aware Antivirus i.e. Forefront Protection for SharePoint SharePoint-aware Backup and Restore i.e. System Center Data Protection Manager (DPM) 2010 Rights Management? Active Directory Rights Management Services (AD RMS)

19. Content Deployment with Extranets

20. Claims-based Authentication

21. Claims-Based Auth SharePoint doesn’t actually Authenticate Users, it relies on IIS or other providers SharePoint 2010 Allows for Classic and Claims-based AuthScenarios Classic Authentication is similar to SharePoint 2007 Claims based Auth adds the following key benefits: Allows for Multiple Authentication Types per Web Application Zone Removes SharePoint from the Authentication Provider Allows for federation between organizations (AD FS, etc.) scenarios Does not require Kerberos Delegation Remember the difference between Authentication and Authorization…

22. Classic vs. Claims-based Auth

23. Mixed-Mode vs. Multi-Authentication

24. Example: Partner Environment with Multiple Auth Types on single W.A.

25. Forefront Unified Access Gateway 2010

26. UAG Architecture Data Center / Corporate Network Exchange CRM SharePoint IIS based IBM, SAP, Oracle Mobile HTTPS / HTTP Home / Friend / Kiosk Terminal / Remote Desktop Services Layer3 VPN HTTPS (443) Internet DirectAccess Non web Business Partners / Sub-Contractors AD, ADFS, RADIUS, LDAP…. NPS, ILM Employees Managed Machines

28. What about ISA? (TMG)

29. What is Forefront Identity Manager?

30. Identity and Access Management Secure Messaging Secure Endpoint Secure Collaboration Information Protection Identity and Access Management Active Directory®Federation Services

31. Why FIM for SharePoint?

32. Manage SharePoint Identities Create Multiple Authentication Providers for SharePoint Farms AD DS Forests (Extranet forests) AD LDS Authentication Providers SQL Table (FBA) Authentication Sources LDAP Providers Etc… Keep those Authentication Providers Managed

34. Password Reset

35. New EntitlementsRetire Policy Management De-provision identities Revoke credentials De-provision resources Policy enforcement Approvals and notifications Audit trails Change Role changes Phone # or titlechange Password and PIN reset Resource requests

37. Built-in workflow for identity management

38. Automatically synchronize all user information to different directories across the enterprise

39. Automates the process of on-boarding usersActiveDirectory Extranet Forest Workflow User Enrollment Test Forest FIM FBA Table Approval HR System LOB App VPN Manager User provisioned on all allowed systems

41. Built-in workflow for identity management

42. Real-time de-provisioning from all systems to prevent unauthorized access and information leakageActiveDirectory Extranet Forest Workflow User de-provisioned Test Forest FIM FBA Table HR System LOB App VPN User de-provisioned or disabled on all systems

43. GivenName Samantha sn Dearing title Coordinator mail someone@example.com employeeID 007 telephone 555-0129 givenName sn title mail employeeID telephone Identity Synchronization and ConsistencyIdentity synchronization across multiple directories HR System FIM Samantha givenName Samantha sn Dearing Dearing title mail Attribute Ownership employeeID 007 007 telephone FirstName LastName EmployeeID Internal AD givenName Samara sn Darling title Coordinator Coordinator mail employeeID 007 telephone Identity Data Aggregation Title Extranet AD givenName Sam sn Dearing title Intern mail someone@example.com employeeID 007 telephone E-Mail someone@example.com LDAP givenName Sammy sn Dearling title mail employeeID 008 555-0129 telephone 555-0129 Telephone

44. Identity Synchronization and ConsistencyIdentity consistency across multiple directories FIM HR System givenName Samantha sn Dearing title mail Attribute Ownership employeeID 007 telephone givenName Bob Samantha Samantha Samantha sn Dearing Dearing Dearing FirstName LastName EmployeeID title Coordinator Coordinator Coordinator Coordinator Internal AD givenName Samara mail someone@example.com someone@example.com someone@example.com someone@example.com sn Darling employeeID 007 title Coordinator telephone 555-0129 555-0129 555-0129 555-0129 mail Incorrect or Missing Information employeeID 007 telephone Identity Data Brokering (Convergence) Title Extranet AD givenName Sam sn Dearing title Intern mail someone@example.com employeeID 007 telephone E-Mail LDAP givenName Sammy sn Dearling title mail employeeID 007 telephone 555-0129 Telephone

45. Customizable Identity Portal SharePoint-based Identity Portal for Management and Self Service How you extend it Add your own portal pages or web parts Build new custom solutions Expose new attributes to manage by extending FIM schema Choose SharePoint theme to customize look and feel

46. Customizable Identity Portal Can be used to allow Extranet Partners to Perform Self-Service Management Give control of Account Management to users/administrators of the extranet partner Secure access to portal through VPN/Reverse Proxy Portal in the DMZ Can be used for Self-Service Password Reset (via domain-joined computer)

48. Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)

49. Can be used to automate Certificate management for dual factor auth approaches to SharePoint loginsUser is validated using multi-factor authentication FIM policy triggers request for FIM CM to issue certificate or SmartCard Certificate is issued to user and written to either machine or smart card SmartCard End User End User FIM CM Active Directory Certificate Services (AD CS) FIM SmartCard User ID andPassword Multi-Factor Authentication FIM Certificate Management (CM) requests certificate creation from AD CS User Enrollment and Authentication request sent by HR System HR System

50. Real World FIM Usage Scenarios

51. FIM for Extranet Forest Mgmt Internal AD DS Forest DMZ Extranet AD DS Forest FIM Auto-provisions certain user accounts in Extranet forest and keeps Passwords in Sync to allow Internal users to access/collaborate with Partners FIM allows Self-Service Portal Access for Extranet user accounts in the partner forest Two-factor Auth scenarios, to automate provisioning of user accounts AND certificates to systems

52. FIM for Role Based Access Control FIM is central to RBAC Strategy Can auto-add users to Groups based on RBAC Criteria HR Defines a user’s access based on their role FIM auto-adds that user to specific Role Groups in AD DS, which are tied to SharePoint Groups that have the rights that that role group requires. SharePoint Group

53. Session Summary Understand the Extranet Design Options for 2010 Keep Extranet Accounts out of local AD Determine how Identities will be Managed Use FIM for Identity Management, Self-Service, and Provisioning/Deprovisioning of Extranet Accounts Use UAG to secure inbound access to extranets/intranets

54. Your Feedback is Important Please fill out a session evaluation form drop it off at the conference registration desk. Thank you!

55. Thanks for attending!Questions? Michael Noel Twitter: @MichaelTNoel www.cco.com