Page 1: Secure Collaboration: Install and Configure Remote Access for Microsoft SharePoint Server in an Hour

Uri Lichtenfeld, Security Specialist, Certified Security Solutions – Microsoft Partner

SESSION CODE: SIA312

Page 2: Business Ready Security

Help securely enable business by managing risk and empowering people.

(Diagram: the shift from Block, Cost and Siloed to Enable, Value and Seamless, built on a highly secure and interoperable platform with identity at its core, across on-premises and cloud.)

• Integrate and extend security across the enterprise
• Protect everywhere, access anywhere
• Simplify the security experience, manage compliance

Page 3: Business Ready Security Solutions

• Identity and Access Management
• Information Protection
• Secure Messaging
• Secure Endpoint
• Secure Collaboration

Page 4: Secure Collaboration

Enable more secure business collaboration from virtually anywhere and across devices, while preventing unauthorized use of confidential information.

PROTECT everywhere, ACCESS anywhere
• Secure, seamless access
• Protect sensitive information in documents
• Best-in-class anti-malware

SIMPLIFY security, MANAGE compliance
• Enterprise-wide visibility
• Easier partner management

INTEGRATE and EXTEND security
• Deep Microsoft SharePoint and Office integration
• Standards-based interoperability across organizations and cloud

Page 5: SharePoint Server 2010 Security Capabilities

• Active Directory Rights Management Services (AD RMS) integration is built into SharePoint as Information Rights Management (IRM) on document libraries and lists.
• With AD RMS configured, SharePoint converts a stored file to a rights-protected (encrypted) format each time a user downloads it. The file itself stays unprotected in the content database, so the protection is applied on the way out to the client rather than at rest; access to the content database still has to be controlled separately.
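The following is an added example, not code from the slide deck: it turns on the AD RMS integration described above in a SharePoint 2010 farm and protects one document library, using the server object model from the SharePoint 2010 Management Shell. The site URL and library name are assumptions for illustration.

```powershell
# Added example (not from the slide deck): enable AD RMS-backed IRM in a
# SharePoint 2010 farm and on one document library. Run in the SharePoint 2010
# Management Shell as a farm administrator. Site URL and library name are assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Farm level: point SharePoint at the AD RMS cluster. IrmRMSUseAD discovers the
#    cluster from the service connection point in Active Directory; set
#    IrmRMSCertServer to a URL instead if the SCP is not published.
$content = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$irm = $content.IrmSettings
$irm.IrmRMSEnabled = $true
$irm.IrmRMSUseAD   = $true
$content.Update()

# 2. Library level: from now on every download from this library is RMS-protected.
$web  = Get-SPWeb "http://hrportal"          # assumed site (the HR portal used later in the deck)
$list = $web.Lists["Shared Documents"]       # assumed library
$list.IrmEnabled = $true     # protect documents on download
$list.IrmExpire  = $false    # do not expire the issued use licences
$list.IrmReject  = $true     # refuse uploads of file types IRM cannot protect
$list.Update()

# 3. Check: which document libraries in this site still hand out unprotected files?
$web.Lists |
    Where-Object { $_.BaseType -eq "DocumentLibrary" -and -not $_.IrmEnabled } |
    Select-Object Title, IrmEnabled
$web.Dispose()
```

IrmReject matters for the claim on the slide: without it, a user can upload a file type that IRM cannot wrap (for example a plain text or PDF file in SharePoint 2010) and it is served back without any protection.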

Page 6: Protect Documents from Malware (Forefront Security for SharePoint)

Microsoft solution ("Defense in Depth") versus competitors' solutions:
• Multiple engines versus a single engine; eliminates a single point of failure
• Automatic engine updates
• 38 times faster response

"Forefront Security for SharePoint…gives us an extra layer of protection for our SharePoint environment in ways that no other product can match."
Tom Booth, Sr. Collaboration Engineer

Page 7: Active Directory Federation Services

(Diagram: Trey Research account forest, with AD DS and AD FS, holding the user account and credentials; Woodgrove Bank resource forest, with AD DS, AD FS, AD RMS, a SharePoint Server farm and Exchange 2010; a federation trust between the two. Flow: the partner user requests application access, is redirected to the Security Token Service (STS), authenticates against the account forest, receives a security token with claims, and posts the claims to the resource forest, where the claims-aware application accepts them.)

• Shared identity with partner organizations and cloud services
• Boost cross-organizational efficiency and communication with more secure access
  − Support the sharing of rights-protected messages between organizations
  − Improved support for Microsoft SharePoint Server as a claims-aware application
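The resource-forest side of the flow above, as an added example that is not part of the slide deck: registering the partner's AD FS 2.0 STS as a trusted identity provider for a claims-based SharePoint 2010 web application. The realm, the certificate path, the partner sign-in URL and the organization names are assumptions for illustration; the claim type URIs are the standard WS-Federation ones.

```powershell
# Added example (not from the slide deck): trust a partner AD FS 2.0 STS in
# SharePoint 2010. Realm, certificate path and sign-in URL are assumed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Trust the partner STS's token-signing certificate (export the public
#    certificate from AD FS; the private key never leaves the STS). SharePoint
#    validates the signature on every incoming token against this certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    "C:\certs\adfs-token-signing.cer")
New-SPTrustedRootAuthority -Name "Trey Research AD FS token signing" -Certificate $cert

# 2. Map incoming claims. The e-mail claim identifies the user; the role claim
#    is what SharePoint permissions are granted against.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Create the trusted identity token issuer. Realm must equal the relying-party
#    identifier configured on the AD FS side, and SignInUrl is the partner's
#    passive (browser) endpoint that the user is redirected to.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Trey Research" `
    -Description "Partner AD FS 2.0 (account forest)" `
    -Realm "urn:sharepoint:hrportal" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://sts.treyresearch.net/adfs/ls/" `
    -IdentifierClaim $emailMap.InputClaimType

# 4. Check: the issuer exists, uses the expected certificate and identifier claim.
Get-SPTrustedIdentityTokenIssuer "Trey Research" |
    Format-List Name, SigningCertificate, IdentityClaimTypeInformation
```

The issuer still has to be bound to the web application (Central Administration, Manage Web Applications, Authentication Providers, or `New-SPAuthenticationProvider -TrustedIdentityTokenIssuer` when creating the web application). Two things are easy to get wrong here: a realm that does not match the relying-party identifier on the AD FS side (the token is rejected with an audience error), and forgetting to replace the trusted certificate when the partner rolls its token-signing key.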

Page 8: Always-on Secure and Seamless Access (Protect everywhere, access anywhere)

(Diagram: clients on the Internet, including business partners, home/kiosk machines, employee-managed machines and mobile devices, reach Unified Access Gateway over HTTPS (443), a Layer 3 VPN or DirectAccess. Inside the data center/corporate network UAG fronts Exchange, CRM, SharePoint and other IIS-based applications, IBM/SAP/Oracle applications, Terminal Services/Remote Desktop Services and Citrix, and non-web applications over HTTPS/HTTP, and authenticates against AD, AD FS, RADIUS, LDAP and similar directories, with NPS and ILM alongside.)

• Integrated SSL VPN capabilities
• Simplified remote access by non-Windows, down-level, or non-trusted endpoints
• DirectAccess in Windows Server 2008 R2, along with Unified Access Gateway, enables secure, seamless, always-on access to messaging and applications from Windows 7 clients.

Page 9: Consolidated Network Access Portal

• Single point of entry to shared and published applications
• Can locate applications without tracking site addresses
• Offers the same user experience for remote users
• Supports strong two-factor authentication, which can help organizations keep their shared information safe

Remote users can access corporate applications and shared folders without direct access to internal resources.

Business partners have limited access to the corporate network; Unified Access Gateway allows access only to those applications for which users have permissions.

Page 10: Policy-based Granular Access and Security (Protect everywhere, access anywhere)

• Identity-centered, policy-based granular access and security for shared resources on collaborative portals
• Policy definitions to help provide controlled access to application areas and operations
• Can allow or block application functions, including:
  – Document download/upload
  – Document check out/check in
  – Edit document/properties
  – Delete

Page 11: UAG User Experience (DEMO)

Page 12: Simplified Management

Step 1: Choose the type of application you wish to publish.
Step 2: Provide the internal name of the SharePoint Server, and provide the external name.
Step 3: Configure the same external name on your SharePoint Server.
All done!

• Simplifies deployment and ongoing tasks through wizards and built-in policies
• Simplified user experience, reducing support costs
• Consolidates remote access infrastructure

Page 13: AAM Configuration

Alternate Access Mappings for the HR portal published through UAG as https://hrportal.woodgrovebank.com. The public URL of the Internet zone must be exactly the external name UAG publishes; an internal URL is the scheme and host name SharePoint actually receives on the request UAG forwards.

Configuration 1 (UAG forwards requests to the SharePoint server over HTTP, so the incoming http:// URL also needs a mapping to the public https:// URL):

Zone      Internal URL                          Public URL for Zone
Default   http://hrportal                       http://hrportal
Internet  http://hrportal.woodgrovebank.com     https://hrportal.woodgrovebank.com
Internet  https://hrportal.woodgrovebank.com    https://hrportal.woodgrovebank.com

Configuration 2 (UAG forwards requests to the SharePoint server over HTTPS):

Zone      Internal URL                          Public URL for Zone
Default   http://hrportal                       http://hrportal
Internet  https://hrportal.woodgrovebank.com    https://hrportal.woodgrovebank.com
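Step 3 of the publishing procedure and the two AAM tables above, as an added example that is not part of the slide deck: creating the mappings from the SharePoint 2010 Management Shell. The web application and external name are the ones on the slide; whether UAG connects to SharePoint over HTTP or HTTPS is a switch you set to match the UAG application definition.

```powershell
# Added example (not from the slide deck): configure SharePoint 2010 Alternate
# Access Mappings for a web application published through UAG. Names are the
# slide's; $backendHttp mirrors how the UAG application connects to the server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp      = "http://hrportal"                     # Default zone URL of the web application
$publicUrl   = "https://hrportal.woodgrovebank.com"  # external name in UAG; must match exactly
$backendHttp = $true   # $true: UAG sends HTTP to SharePoint; $false: UAG sends HTTPS

function Test-MappingExists([string]$WebApp, [string]$IncomingUrl) {
    # Idempotence check so the script can be re-run after a partial configuration.
    return [bool](Get-SPAlternateURL -WebApplication $WebApp |
        Where-Object { $_.IncomingUrl -eq $IncomingUrl })
}

# 1. Public URL for the Internet zone: what browsers use when coming through UAG
#    (configuration 2 on the slide is complete after this step).
if (-not (Test-MappingExists $webApp $publicUrl)) {
    New-SPAlternateURL -WebApplication $webApp -Url $publicUrl -Zone Internet
}

# 2. Configuration 1: UAG terminates SSL and forwards plain HTTP with the public
#    host name, so SharePoint sees http://hrportal.woodgrovebank.com and must map
#    it back to the https:// public URL when it generates links.
if ($backendHttp) {
    $internalHttp = $publicUrl -replace '^https:', 'http:'
    if (-not (Test-MappingExists $webApp $internalHttp)) {
        New-SPAlternateURL -WebApplication $webApp -Url $internalHttp -Zone Internet -Internal
    }
}

# 3. Verify the result against the table on the slide.
Get-SPAlternateURL -WebApplication $webApp | Format-Table Zone, IncomingUrl, PublicUrl -AutoSize
```

If the internal URL is missing, SharePoint answers the forwarded request but generates links with the wrong scheme or host, and the browser ends up requesting URLs UAG does not publish; that is the usual cause of "works through UAG until you click a link" reports.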

Page 14: Integrated Security

• Overlay granular access control to specific sites and/or features within sites
• Built-in endpoint security policies (integrated with NAP)
• Expanded authentication and authorization capabilities
• Session clean-up and information leakage prevention
• Integrated network security

Page 15: Granular Policies (DEMO)

Page 16: Anywhere Access… and simple, secure access optimized for Exchange

Publish all Exchange mail services as a single UAG application:
• Easier publishing experience
• Symmetrical topology for all front-end mail services

Publish each Exchange service as a separate application:
• Greater back-end topology

Page 17: Configuring SharePoint Access through UAG (DEMO)

Page 18: SharePoint Workspace Mobile

• Easier access to SharePoint libraries and lists
• Ability to synchronize Office documents edited and stored locally on the device
• UAG allows access to on-premises SharePoint Server 2010 via SSL

Access multiple sites and libraries; browse a site and view lists and libraries easily; access your documents offline.

Page 19: Anywhere Access. Forefront UAG: A key enabler of DirectAccess

VPNs connect the user to the network; DirectAccess extends the network to the computer and user.

Always On
• Simplified connectivity
• Improved productivity
• Not user initiated

Manage Out
• "Light up" remote clients
• Applies GPOs to remote computers
• Decreases patch miss rates

Access Policies
• Pre-logon health checks and remediation
• Replaces modal "connect-time" health checks
• Full NAP integration

Protected Transactions
• Supports authenticated transactions
• Supports encrypted transactions
• Authentication and encryption mitigate many attacks

UAG extends the benefits of Windows DirectAccess across your infrastructure, enhancing scalability and simplifying deployments and ongoing management.

Page 20: UAG and DirectAccess better together

(Diagram: managed, always-on Windows 7 clients reach the UAG DirectAccess server over IPv6 and from there Windows Server 2008 R2 servers on IPv6; UAG also carries that traffic to Windows Server 2003, legacy application servers and non-Windows servers that only speak IPv4. Unmanaged clients, including PDAs, Windows Vista/Windows XP and non-Windows machines, connect to the same UAG over SSL-VPN on IPv6 or IPv4.)

• Extends access to line-of-business servers with IPv4 support
• Access for down-level and non-Windows clients
• Enhances scalability and management
• Simplifies deployment and administration
• Hardened edge solution

UAG provides access for down-level and non-Windows clients; UAG improves adoption and extends access to existing infrastructure; UAG enhances scale and management with integrated load balancing and array capabilities; UAG uses wizards and tools to simplify deployments and ongoing management; UAG is a hardened edge appliance available in hardware and virtual options.


Page 22: From IAG to UAG

Application publishing:
• Granular application filtering
• Session cleanup and removal
• End point health detection

Integration:
• Integrated with NAP policies
• Remote Desktop and RemoteApp integration
• Extends and simplifies DirectAccess deployments

Scale and management:
• Built-in load balancing
• Array management capabilities
• Enhanced monitoring and management (SCOM)

(The slide compares IAG with UAG and marks six of these items as new in UAG and two as improved.)

Page 23: UAG Form Factors

• Server software install (MSI): installs on hardware or virtual servers on Hyper-V or an SVVP guest
• Hardware appliance from OEM partners

Page 24: How to Buy

Server license
• OEM Partners: Customers can buy Forefront UAG as a physical appliance. This includes the underlying Windows Server 2008 R2 license (Forefront UAG 2010 runs only on Windows Server 2008 R2).
• Microsoft Volume Licensing: Customers can run Forefront UAG as a virtual machine or as software. These options require provisioning the Windows license from a customer's existing agreement.

Client access and other licenses
• Microsoft Volume Licensing: Customers can buy Forefront UAG CALs, External Connectors, and SPLAs through Microsoft Volume Licensing. In addition to individual CALs, customers with large environments can purchase a 10,000 CAL pack.

Page 25: Deployment Tips

• Wildcard SSL certificate for UAG sites
• Configuring SharePoint AAM for UAG

UAG guide for SharePoint publishing: http://technet.microsoft.com/en-us/library/dd857356.aspx
UAG team blog: http://blogs.technet.com/edgeaccessblog/archive/2008/10/13/publishing-sharepoint-with-iag-2007-part-3-sharepoint-topologies.aspx
TechNet: Plan Alternate Access Mappings: http://technet.microsoft.com/en-us/library/cc288609.aspx
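A check to go with the wildcard-certificate tip, added here and not part of the slide deck: connect to the published name, read the certificate UAG presents, and test whether its DNS names cover that name under the usual wildcard rule (one label only, so `*.woodgrovebank.com` covers `hrportal.woodgrovebank.com` but neither `woodgrovebank.com` nor `a.b.woodgrovebank.com`). The host name is the one from the AAM slide; that it resolves to the UAG trunk is an assumption.

```powershell
# Added example (not from the slide deck): does the certificate on the UAG trunk
# cover the external name of the published SharePoint site? Host name from the
# AAM slide; the name is assumed to resolve to the UAG trunk.
function Test-HostnameMatch {
    # Wildcard matching as browsers apply it: "*." matches exactly one DNS label.
    param([string]$Pattern, [string]$Hostname)
    if ($Pattern.StartsWith("*.")) {
        $suffix = $Pattern.Substring(1)                    # ".woodgrovebank.com"
        if (-not $Hostname.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $Hostname.Substring(0, $Hostname.Length - $suffix.Length)
        return ($label.Length -gt 0 -and $label -notmatch '\.')
    }
    return [string]::Equals($Pattern, $Hostname, [StringComparison]::OrdinalIgnoreCase)
}

function Get-ServerCertificateNames {
    # Open a TLS session to $Target, send $Hostname as SNI, and return every DNS
    # name the returned certificate carries (subjectAltName entries, then the CN).
    param([string]$Hostname, [string]$Target = $Hostname, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        # Accept any certificate at this layer: the verdict is computed by the caller.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Hostname)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # subjectAltName
    if ($san) {
        # Format() renders e.g. "DNS Name=*.woodgrovebank.com, DNS Name=woodgrovebank.com"
        $names += @(($san.Format($false) -split ",\s*") | ForEach-Object {
            if ($_ -match "^DNS Name=(.+)$") { $Matches[1].Trim() } })
    }
    $names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    return $names | Where-Object { $_ } | Select-Object -Unique
}

$external = "hrportal.woodgrovebank.com"                  # UAG external name from the AAM slide
$names    = Get-ServerCertificateNames -Hostname $external
$covered  = @($names | Where-Object { Test-HostnameMatch $_ $external })
if ($covered.Count -gt 0) { "OK: '$external' is covered by '$($covered -join ', ')'" }
else                       { "FAIL: certificate names ($($names -join ', ')) do not cover '$external'" }
```

Run it against every external name you publish on the trunk, not just the trunk's own name: a wildcard certificate issued for `*.woodgrovebank.com` silently stops covering a site the moment someone publishes it one label deeper.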

Page 26: Resources

Sessions On-Demand & Community: www.microsoft.com/teched
Microsoft Certification & Training Resources: www.microsoft.com/learning
Resources for IT Professionals: http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn

Page 27: Related Content

• Breakout Sessions (session codes and titles)
• Interactive Sessions (session codes and titles)
• Hands-on Labs (session codes and titles)
• Product Demo Stations (demo station title and location)

Page 28: Complete an evaluation on CommNet and enter to win!

Page 29: Legal notice

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 30: Appendix

Page 31: Simplify security, manage compliance

Manage Compliance

• Enterprise policy enforcement to protect from unauthorized access
• Enhanced security with reduced risk of information leaks through persistent data protection
• Streamlined adoption and deployment with out-of-the-box integration with collaboration workflow, the Microsoft Office system, and Active Directory
• Prevents information leakage from within documents while they move to the external user
• Enterprise policy enforcement for external partners and vendors to protect from unauthorized access
• Dashboard and risk-centered prioritized view throughout the enterprise
• Centralized reporting and alerting with the Unified Access Gateway management console
• Access to SharePoint sites and the ability to edit documents from virtually anywhere: managed laptops, home computers, kiosks, and mobile devices
• Includes multiple scanning engines from industry-leading security partners integrated in a single solution to help businesses protect against a single point of failure
• Content filters to help keep users from posting or retrieving ethically questionable material and confidential company information
• Configurable file-filtering rules to help block file types known for carrying viruses or opening organizations to legal exposure

Page 32: Track Resources

Learn more about our solutions: http://www.microsoft.com/forefront
Try our products: http://www.microsoft.com/forefront/trial



Page 35: Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st

http://northamerica.msteched.com/registration

You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

Page 36: JUNE 7-10, 2010 | NEW ORLEANS, LA