Deploying a SharePoint Extranet. By Alan Marshall. Twitter: pomealan. LinkedIn: http://nz.linkedin.com/pub/alan-marshall/3/980/267. Acknowledgements: Chandan Banerjee and Wayne Ewington (Microsoft)
Planning on deploying an extranet on SharePoint? Before you open up your internal site to your partners, consider the security, confidentiality, authentication and licensing implications.
1. Deploying a SharePoint Extranet (title slide)
2. Session Agenda
Extranet definition
Implementation scenarios
Design considerations and challenges
Deployment topologies
Which SharePoint version and licenses
Hints and tips
Wrap up
3. What is an Extranet
ex-tra-net [ek-struh-net], noun.
An intranet that is partially accessible to authorized persons outside of a company or organisation.
A network (as of a company) similar to an intranet that also allows access by certain others (such as customers or suppliers).
4. Implementation Scenarios
Share secure information
Collaborate with partners
Personalised customer portal
Remote access
Examples on the slide: employees; provide reports to suppliers; design a solution; view loyalty card; working remotely; display order transactions and tracking; request support; teleworkers; reward schemes; student portal; specialised content.
5. Design Considerations and Challenges
Authentication: single sign-on; managing accounts.
Security: sensitivity of data; protect against resources being compromised; how much do you trust external users?
SharePoint platform: platform deployment requirements; features required; which version of SharePoint (Foundation, Server, Enterprise); integration; license costs.
Network infrastructure.
6. Implementation Options
Option 1: Provide access to the internal SharePoint server (remote employees, partners).
Option 2: Publish content to an external environment, read only (share secure information; remote employees, partners).
Option 3: Provide an extranet farm, dual authenticated (share secure information; partners, customer portal).
Option 4: Host in the cloud (partners, customer portal).
7. Option 1 - Perimeter Proxy
Zones: Internet, DMZ, internal network.
Threat Management Gateway (TMG) acts as a reverse proxy, translating external encrypted traffic to the internal SharePoint server: HTTPS from remote employees to the TMG server, HTTP from TMG to the SharePoint farm.
Firewall ports required: 443 on the perimeter firewall (external) and 80 on the internal LAN firewall.
Authentication occurs on the SharePoint web front ends with the internal AD, so the traffic that crosses the DMZ to the farm is unauthenticated.
Diagram labels: remote employees, unknown user device, virus scanner, private browsing, unauthenticated traffic.
8. What's TMG
Threat Management Gateway, formerly ISA Server.
Forefront TMG server features: URL filtering, antimalware inspection, intrusion prevention, application- and network-layer firewall, HTTP/HTTPS inspection in a single solution, reverse proxy (HTTP and HTTPS), authentication including two-phase.
9. Option 1a - Perimeter Proxy with RODC
Zones: Internet, DMZ, internal network.
TMG performs authentication and acts as a reverse proxy, translating external encrypted traffic to the internal SharePoint server: HTTPS from remote employees to the TMG server, HTTP from TMG to the SharePoint farm.
Firewall ports required: 443 on the perimeter firewall (external) and 80 on the internal LAN firewall, plus the ports for IPsec.
Authentication occurs on the TMG server with the Read Only Domain Controller (RODC) in the DMZ.
Secure account replication from the internal Active Directory to the RODC server: accounts replicated to the DMZ; subset of attributes; admin accounts excluded; no updates permitted; Windows 2008 feature.
Diagram labels: remote employees, unknown user device, virus scanner, private browsing.
10. What's an RODC
Read Only Domain Controller, Windows Server 2008.
Removes the need for a trust between domains.
Limits replication of accounts and attributes.
11. Option 1b - Perimeter Proxy with RODC and UAG
Zones: Internet, DMZ, internal network.
Unified Access Gateway (UAG) replaces TMG: it performs authentication and user privilege throttling, and acts as a reverse proxy translating external encrypted traffic to the internal SharePoint server (HTTPS from remote employees to the UAG server, HTTP from UAG to the SharePoint farm).
Firewall ports required: 443 on the perimeter firewall (external) and 80 on the internal LAN firewall, plus the ports for IPsec.
Authentication occurs on the UAG server with the Read Only Domain Controller (RODC).
Secure account replication to the RODC server: accounts replicated to the DMZ; subset of attributes; admin accounts excluded; no updates permitted.
12. UAG
Unified Access Gateway, a spin-off of ISA Server.
Remote access to SharePoint and/or Exchange.
Granular application filtering capabilities.
Deep endpoint health detection.
Wizard-driven configuration.
Comprehensive remote access (SSL VPN).
DirectAccess.
13. Option 2 - Publish Content
Zones: Internet, DMZ, internal network.
Threat Management Gateway (TMG): authentication and reverse proxy (HTTPS from external people to TMG, HTTPS from TMG to the DMZ SharePoint server).
Content deployment from the internal farm to the DMZ farm.
Firewall ports required: the Central Administration port outbound through the LAN firewall, and 443 externally on the perimeter firewall.
All or part of the intranet content is deployed to the DMZ server.
Integration options: limited integration with back-end systems.
New SharePoint farm in the DMZ (SharePoint server(s), SQL Server, DMZ AD): same version as internal; separate domain and SQL; no single sign-on for internal users.
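Option 2 depends on content deployment from the internal farm to the read-only DMZ farm over the Central Administration port and HTTPS. The PowerShell below is an added example, not the presenter's script and not Microsoft sample code: it configures the DMZ farm to accept incoming deployment jobs only over a secure connection, then creates a deployment path and an incremental job on the source farm with the standard SharePoint 2010 cmdlets. The site URLs, the DMZ Central Administration URL and the path account are hypothetical placeholders.

```powershell
# Added example (not from the deck). Requires the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Step 1: run on the DMZ (destination) farm -----------------------------
# Accept incoming content deployment jobs, but only over HTTPS, so the Central
# Administration port is never used in clear text (slide 13: 443 externally,
# Central Administration port outbound only).
$cfg = [Microsoft.SharePoint.Publishing.Administration.ContentDeploymentConfiguration]::GetInstance()
$cfg.AcceptIncomingJobs       = $true
$cfg.RequiresSecureConnection = $true   # reject plain HTTP from the source farm
$cfg.Update()

# --- Step 2: run on the INTERNAL (source) farm ----------------------------
# Placeholder values, not from the presentation; replace with your environment.
$SourceSite      = 'http://intranet.corp.example'          # hypothetical internal site collection
$DmzCentralAdmin = 'https://dmz-sp-ca.example.com:9999'    # hypothetical DMZ Central Administration URL (HTTPS)
$DestinationSite = 'https://extranet.example.com'          # hypothetical DMZ site collection

# Dedicated account from the separate DMZ domain (slide 13) with rights on the DMZ
# farm Central Administration; prompted for rather than stored in the script.
$PathAccount = Get-Credential -Message 'DMZ domain account used for content deployment'

# Ship content only: no ACLs and no internal user names leave the internal
# network, because DMZ accounts live in a separate directory anyway.
$path = New-SPContentDeploymentPath -Name 'Intranet to DMZ (read only)' `
    -SourceSPSite $SourceSite -SourceSPWeb '/' `
    -DestinationCentralAdministrationURL $DmzCentralAdmin `
    -DestinationSPSite $DestinationSite -DestinationSPWeb '/' `
    -Authentication WindowsAuthentication -PathAccount $PathAccount `
    -DeploySecurityInformation None -DeployUserNames $false

# Incremental nightly job; the schedule string uses the SPSchedule text format.
$job = New-SPContentDeploymentJob -Name 'Nightly extranet publish' `
    -SPContentDeploymentPath $path -Scope EntireSite `
    -IncrementalEnabled -Schedule 'daily at 02:00' -ScheduleEnabled

# Run once now to validate the path and the firewall rules before relying on the schedule.
Start-SPContentDeploymentJob -Identity $job
```

Step 1 must be applied on the DMZ farm before step 2 runs, otherwise the path creation fails when it contacts the destination Central Administration site; `RequiresSecureConnection` is what enforces the "443 externally" rule from the slide on the deployment channel itself.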
14. Option 3 - Extranet Farm, dual authenticated
Zones: Internet, DMZ, internal network.
Unified Access Gateway (UAG) performs authentication. Note: TMG does not support forms hand-off.
Traffic: HTTPS from external users to the UAG server, HTTPS from UAG to the DMZ SharePoint farm, HTTP from the farm to SQL.
Firewall ports required: IPsec for AD replication through the LAN firewall.
All content accessed by internal and external users is hosted in the DMZ.
The data layer (shared SQL environment) is separated into another network layer.
Separate SharePoint farm with no content sharing with the internal farm (use workflow or a third-party tool).
Internal users authenticate against accounts replicated from the internal Active Directory; external users authenticate via LDAP against an Extranet AD or AD LDS in the DMZ.
IA not supported for DMZ AD; consideration to usability.
SharePoint 2010 configured for claims authentication.
15. Option 3a - Extranet Farm, dual authenticated with ADFS
Zones: Internet, Corp A (partner network), DMZ, internal network.
Unified Access Gateway (UAG) handles all access and authentication (HTTPS end to end: external people to UAG, UAG to the DMZ SharePoint farm, and to the ADFS endpoints).
Firewall ports required: IPsec for AD replication through the LAN firewall, and the ADFS port 443.
All content accessed by internal and external users is hosted in the DMZ; the data layer (SQL Server) is separated into another network layer.
Service accounts are replicated to the DMZ.
All user authentication is via ADFS: the ADFS 2.0 proxy server in the DMZ hands off authentication to the ADFS 2.0 server on the internal AD or to the partner's (Corp A) ADFS 2.0 server and AD.
Diagram components: UAG server, SharePoint server(s), SQL Server, DMZ AD, ADFS 2.0 proxy server, ADFS 2.0 server, Active Directory, partner AD.
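For Option 3a the DMZ farm has to trust tokens issued by the ADFS 2.0 server (reached through the ADFS proxy in the DMZ) instead of authenticating users itself. The following PowerShell is an added example, not the presenter's configuration and not Microsoft sample code: it registers the ADFS token-signing certificate, maps the incoming e-mail and role claims, creates the trusted identity provider and binds it to a claims-enabled SharePoint 2010 web application. The certificate path, realm, sign-in URL, web application URL and managed account are hypothetical placeholders and must match what is registered on the ADFS side.

```powershell
# Added example (not from the deck). Run in the SharePoint 2010 Management Shell on the DMZ farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder values, not from the presentation.
$TokenSigningCertPath = 'C:\certs\adfs-token-signing.cer'   # public cert exported from the ADFS 2.0 server
$Realm                = 'urn:sharepoint:extranet'            # relying party identifier registered in ADFS
$SignInUrl            = 'https://sts.example.com/adfs/ls/'   # ADFS passive endpoint, published via the DMZ ADFS proxy
$WebAppUrl            = 'https://extranet.example.com'       # hypothetical extranet web application
$AppPoolAccount       = 'DMZ\sp-extranet-app'                # hypothetical managed account in the DMZ domain

# 1. Trust the ADFS token-signing certificate. Tokens not signed by this key are
#    rejected, so protect the private key on the ADFS server and update this entry
#    when ADFS rolls the certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($TokenSigningCertPath)
New-SPTrustedRootAuthority -Name 'ADFS 2.0 Token Signing' -Certificate $cert | Out-Null

# 2. Map only the claims SharePoint needs: e-mail identifies the user, the role
#    claim lets ADFS (internal AD or partner AD) carry group membership across.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

# 3. Create the trusted identity provider. SharePoint never sees passwords; it only
#    validates the signed token and the realm it was issued for.
$provider = New-SPTrustedIdentityTokenIssuer -Name 'ADFS 2.0' `
    -Description 'Extranet federation (internal AD and partner AD via ADFS)' `
    -Realm $Realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $SignInUrl -IdentifierClaim $emailMap.InputClaimType

# 4. Bind it to the extranet web application as the only provider (slide 15: all
#    user authentication through ADFS), so no NTLM/Kerberos endpoint is exposed in the DMZ.
New-SPWebApplication -Name 'Extranet' -Url $WebAppUrl -Port 443 -SecureSocketsLayer `
    -ApplicationPool 'ExtranetAppPool' `
    -ApplicationPoolAccount (Get-SPManagedAccount $AppPoolAccount) `
    -AuthenticationProvider $provider
```

The realm and sign-in URL must be the same values configured for the relying party trust on the ADFS 2.0 server; a mismatch shows up as a token that ADFS issues but SharePoint refuses, which is the intended fail-closed behaviour.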
16. Option 4 - Use the Cloud
Zones: Internet, internal network.
All content is stored in the SharePoint cloud service, accessed over HTTPS through the perimeter firewall.
Internal users and remote employees are authenticated against a replicated AD: secure account replication from the internal AD.
External users use Windows Live ID.
Content sharing: use workflow or a third-party tool; content deployment is not supported.
17. Which SharePoint Version
Columns: SharePoint version; applicable to; deployment option; licences.
SharePoint Foundation (or Search Server, SQL Express): collaboration solutions; Option 3-4; Windows External Connector, SQL CPU.
SharePoint Server 2010 Std: portals with WCM, profiles, intranet publishing; Option 3-4, Option 1 for read only; SharePoint Std CAL, SQL CPU or CAL.
SharePoint Server 2010 Ent: same as Std plus form services, BI and FAST; Option 3; SharePoint Std+Ent CAL, SQL CPU or CAL.
SharePoint Server 2010 FIS: anonymous or unknown user base; Option 3-4; SharePoint FIS, SQL CPU.
18. Component Parts
DMZ; Unified Access Gateway; Threat Management Gateway; SharePoint Foundation; SharePoint Server Standard or Enterprise; Active Directory; Active Directory Lightweight Directory Services; Active Directory Federation Services; SQL Server; IPsec.
19. Hints and Tips
When using an RODC with a SharePoint member server, direct access to a writable domain controller (RWDC) is required to:
try to find a user who does not yet exist in a SharePoint site using the people picker;
create a new farm by creating a new configuration database;
run the PSConfig wizard to maintain or upgrade SharePoint;
create site collections.
AD attribute filtering is not per RODC, so it affects the whole network, including branches that have an RODC.
The Profile service does not support LDAP import (see Option 3).
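Slides 9 to 11 place an RODC in the DMZ holding a subset of accounts with admin accounts excluded, and slide 19 lists the SharePoint operations that still need a writable DC. The PowerShell below is an added example, not from the presentation: it audits the RODC's password replication policy against the built-in privileged groups, lists which credentials the RODC has actually cached, and confirms that a writable DC can be located from the SharePoint member server before PSConfig is run or a farm is created. The RODC name is a placeholder; the cmdlets are from the ActiveDirectory module (RSAT).

```powershell
# Added example (not from the deck). Requires the ActiveDirectory module and an
# account allowed to read the RODC's password replication policy.
Import-Module ActiveDirectory

$Rodc = 'DMZ-RODC01'   # hypothetical name of the DMZ read-only domain controller

# Built-in groups whose members must never have secrets cached on a DMZ RODC
# (slide 9: "admin accounts excluded").
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Server Operators',
                    'Backup Operators', 'Print Operators'

function Test-RodcPasswordReplicationPolicy {
    param([string]$RodcName, [string[]]$Groups)

    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
    $deniedNames  = $denied  | ForEach-Object { $_.Name }
    $allowedNames = $allowed | ForEach-Object { $_.Name }

    Write-Host "Allowed list on ${RodcName}: $($allowedNames -join ', ')"

    # Every privileged group should appear explicitly in the Denied list; Denied
    # wins over Allowed, so this is what keeps admin secrets out of the DMZ.
    foreach ($g in $Groups) {
        if ($deniedNames -notcontains $g) {
            Write-Warning "$g is not in the Denied password replication list on $RodcName"
        }
    }

    # Members of the privileged groups (resolved recursively) as SAM account names.
    $privilegedSam = foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $_.SamAccountName }
    }

    # Accounts whose secrets are actually stored on the RODC right now. A privileged
    # account here means the policy was wrong at some point: the password must be reset.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts)
    foreach ($acct in $revealed) {
        if ($privilegedSam -contains $acct.SamAccountName) {
            Write-Warning "Privileged account $($acct.SamAccountName) has credentials cached on $RodcName"
        }
    }
    Write-Host "$($revealed.Count) account(s) currently cached on $RodcName"
}

function Test-WritableDcReachable {
    # Slide 19: people picker lookups of new users, new farms and configuration
    # databases, PSConfig and site collection creation all need a writable DC,
    # which the DMZ RODC cannot provide.
    try {
        $dc = Get-ADDomainController -Discover -Writable -ErrorAction Stop
        Write-Host "Writable DC located: $($dc.HostName)"
        return $true
    } catch {
        Write-Warning "No writable DC reachable from this server: $($_.Exception.Message)"
        return $false
    }
}

Test-RodcPasswordReplicationPolicy -RodcName $Rodc -Groups $PrivilegedGroups
Test-WritableDcReachable | Out-Null
```

Run it on the SharePoint member server itself so that the writable-DC discovery exercises the same firewall path PSConfig will use; the policy audit can run from any domain-joined host with the RSAT tools.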
20. Wrap Up
Decide what functionality you require.
Pick the appropriate version of SharePoint.
Understand the limitations.
Design the deployment for the appropriate option.
Consider test environments in the same configuration; security of components is usually the issue.