Deploying an Extranet on SharePoint
Download as PPTX, PDF8 likes16,276 views
The document outlines the deployment of a SharePoint extranet, discussing its definition, implementation scenarios, design considerations, and deployment options. Key topics include authentication methods, security challenges, and the integration of various SharePoint versions and licenses. It also provides various options for setting up access, including using a perimeter proxy or hosting in the cloud.
![What is an Extranet
ex-tra-net [ek-struh-net]
— Noun
An intranet that is partially accessile to authorized persons
outside of a company or organisation.
A network (as of a company) similar to an intranet that also
allows access by certain others (such as customer or
suppliers)](https://image.slidesharecdn.com/deployingasharepointextranet-120711152854-phpapp01/85/Deploying-an-Extranet-on-SharePoint-3-320.jpg)
More Related Content
Similar to Deploying an Extranet on SharePoint (20)
Deploying an Extranet on SharePoint
- 1. Deploying a SharePoint Extranet By Alan Marshall Twitter: pomealan Linkedin:http://nz.linkedin.com/pub/alan- marshall/3/980/267 Acknowledgements: Chandan Banerjee and Wayne Ewington (Microsoft)
- 2. Session Agenda — Extranet Definition — Implementation Scenarios — Design Considerations and Challenges — Deployment topologies — Which SharePoint version and licenses — Hints and Tips — Wrap up
- 3. What is an Extranet ex-tra-net [ek-struh-net] — Noun An intranet that is partially accessile to authorized persons outside of a company or organisation. A network (as of a company) similar to an intranet that also allows access by certain others (such as customer or suppliers)
- 4. Implementation Scenarios Share secure Collaborate with Personalised Remote Access information Partners Customer Portal •Employees •Provide reports •Design a •View loyalty working to suppliers solution card remotely •Display order •Request transactions •Teleworkers tracking support •Reward •Student Portal schemes •Specialised content
- 5. Design Considerations and Challenges — Authentication — Single Sign-on — Managing accounts — Security — Sensitivity of data — Protect against resources being compromised — SharePoint Platform — How much do you trust external users — Platform deployment requirements — Features required — Which version of SharePoint? Foundation, Server, Enterprise — Integration — License Costs — Network infrastructure
- 6. Implementation Options — Option 1 – Provide access to internal SharePoint Server — Remote Employees — Partners — Option 2 – Publish content to an external environment (read only) — Share secure information — Remote Employees — Partners — Option 3 – Provide an Extranet Farm dual authenticated — Share secure information — Partners — Customer Portal — Option 4 – Host in the cloud — Partners — Customer Portal
- 7. Option 1 – Perimeter Proxy Internet DMZ Internal Network • Threat Management Gateway (TMG) – acts as a reverse proxy SharePoint Farm translating external encrypted traffic to internal SharePoint server. HTTPS HTTPS HTTP • Firewall ports required for 443 Perimeter externally and 80 internal LAN Remote Employees Firewall TMG Server LAN Firewall firewall. • Authentication occurs on Authentication SharePoint Web Front ends with internal AD Unknown User Device • Virus Scanner • Private Browsing Unauthenticated traffic
- 8. What’s TMG — Threat Management Gateway — Formally ISA Server — Forefront TMG server features — URL filtering — antimalware inspection — intrusion prevention — application- and network-layer firewall — HTTP/HTTPS inspection in a single solution — Reverse Proxy HTTP – HTTPS — Authentication – including 2 phase
- 9. Option 1a – Perimeter Proxy with RODC Internet DMZ Internal Network • TMG – performs authentication and acts as a reverse proxy translating TMG Server SharePoint Farm external encrypted traffic to internal SharePoint server. HTTPS HTTPS HTTP • Firewall ports required for 443 Perimeter externally and 80 internal LAN Remote Employees Firewall LAN Firewall firewall, plus ports for IPSec Authentication • Authentication occurs on the TMG Server with the Read Only Domain Secure Controller (RODC). Account Replication RODC Active Server Directory Unknown User Device • Virus Scanner Accounts replicated to DMZ • Private Browsing • Subset of attributes • Admin accounts excluded • No updates permitted • Windows 2008 feature
- 10. What’s an RODC — Read Only Domain Controller — Windows Server 2008 — Removes the need for a trust between domains — Limit replication accounts and attributes
- 11. Option 1b – Perimeter Proxy with RODC and UAG Internet DMZ Internal Network • Unified Access Gateway (UAG) replaces TMG – performs UAG Server SharePoint Farm authentication, user privilege throttling, acts as a reverse proxy HTTPS HTTPS HTTP translating external encrypted Perimeter traffic to internal SharePoint server. Remote Employees Firewall LAN Firewall • Firewall ports required for 443 Authentication externally and 80 internal LAN firewall, plus ports for IPSec Secure • Authentication occurs on the UAG Account Server with the Read Only Domain Replication Controller (RODC) RODC Server Accounts replicated to DMZ • Subset of attributes • Admin accounts excluded • No updates permitted
- 12. UAG — Unified Access Gateway — Spin-off of ISA Server — Remote Access to SharePoint and/or Exchange. — granular application filtering capabilities — deep endpoint health detection — wizard driven configuration — Comprehensive Remote Access (SSL VPN) — DirectAccess
- 13. Option 2 – Publish content Internet DMZ Internal Network • Threat Management Gateway (TMG) – Authentication, Reverse SharePoint Farm Proxy. HTTPS HTTPS Content Deployment • Firewall ports required for central admin port outbound and External Perimeter Firewall TMG HTTPS LAN Firewall externally 443. People Server • All or part of intranet is content Authentication deployed to the DMZ server SharePoint Server(s) IntegrationActive options SQL Server • Limited integration with back- Directory DMZ AD end systems New SharePoint Farm • Same version as internal • Separate domain and SQL Separate domain • No single sign on for internal users
- 14. Option 3 - Extranet Farm dual authenticated Internet DMZ Internal Network Internal • Unified Access Gateway (UAG) – UAG Server Users Authentication. Note TMG does not LAN Firewall support Forms hand off. HTTPS HTTPS HTTP • Firewall ports required for IPSec AD replication External Perimeter Firewall • All content accessed by internal People and external users is hosted in Authenticate LDAP External SQL Server DMZ Users Internal Users • Data layer (SQL) is separated into Separate SharePoint Authenticate Replicate farm another network layer SharePoint • No content sharing Shared SQL Environment Accounts Active (use Server(s) Extranet AD or LDS workflow or third party)Authentication for Server Directory SQL • Consideration to IAnot supported for DMZ AD useability SharePoint 2010 configured CLAIMS authentication
- 15. Option 3a - Extranet Farm dual authenticated with ADFS Internet Corp A DMZ Internal Network Internal UAG Server Users • Unified Access Gateway (UAG) – All LAN Firewall access and authentication. HTTPS HTTPS HTTPS • Firewall ports required for IPSec AD replication and ADFS port 443 External Perimeter Firewall • All content accessed by internal People and external users is hosted in All user SQL Server DMZ Authentication SharePoint • Data layer (SQL) is separated into Service Accounts another network layer Replicate Accounts • ADFS server hands off SharePoint ADFS 2.0 Server(s) Active authentication to internal AD or ADFS 2.0 Directory Server Proxy Server partner AD DMZ AD ADFS 2.0 Server Authentication hand off
- 16. Option 4 – use the cloud — All content Internet Internal Network stored in SharePoint cloud service HTTPS Remote Perimeter Internal — Internal users Employees Firewall Users authenticated against replicated AD Secure Account Replication Internal AD — External users use Windows Live ID Content Sharing - Use workflow or third party tool - Content deployment not supported
- 17. Which SharePoint version Applicable to Deployment Licences option SharePoint Collaboration Option 3 - 4 Windows Foundation (or Solutions External Search server Connector SQL express) CPU SharePoint Portals with WCM, Option 3 – 4 SharePoint Std Server 2010 Profiles, Option 1 for read CAL Std Intranet publishing only SQL CPU or CAL SharePoint Same as Std+ Option 3 SharePoint Server 2010 form services, BI Std+Ent CAL Ent and FAST SQL CPU or CAL SharePoint Anonymous or Option 3 - 4 SharePoint FIS Server 2010 unknown user base SQL CPU FIS
- 18. Component Parts — DMZ — Unified Access Gateway — Threat Management Gateway — SharePoint Foundation — SharePoint Server — Standard — Enterprise — Active Directory — Active Directory Lightweight Directory Services — Active Directory Federated Services — SQL Server — IPSec
- 19. Hints and Tips — When using an RODC with SharePoint member server direct access to RWDC required to: — Try to find a user who is not currently existing in a SharePoint site using people picker — Create a new farm by creating a new configuration database. — Running the PSconfig wizard to maintain/upgrade SharePoint — Create Site collections — AD Attribute filtering not per RODC so affects all network including branches that have an RODC — Profile service does not support LDAP import. See option 3
- 20. Wrap up — Decide what functionality you require — Pick appropriate version of SharePoint — Understand the limitations — Design deployment of appropriate option — Consider Test environments in same configuration as security of components usually issue