How to create a secure efficient extranet user experience
Jeremy Thake, SharePoint MVP and AvePoint Enterprise Architect, will introduce why organizations leverage extranets, share the common issues found in customers’ extranet environments, and discuss the advantages and disadvantages with the available approaches for authentication and topologies. Jeremy will then illustrate the importance of instilling appropriate governance for extranets built upon SharePoint to ensure that the common issues identified are mitigated, including guidance on what processes can be put in place to ensure a better user experience.

  • Edge firewall. In the simplest example, a firewall such as Microsoft Forefront Unified Access Gateway is used to allow external users to access SharePoint that is hosted in the internal network. Internal users can access the SharePoint instance directly without going through the firewall.
    Pros:
      – Simplest solution: if you already have an existing SharePoint environment, you can just open up a few ports and get going.
      – Inside corporate network: for most organizations hosting this internally will not be seen as a negative thing, and having the content stored inside is more secure.
    Cons:
      – Security model complex: users will have to be provisioned inside Active Directory, as discussed in the last section.
      – One site for both internal/external: the information architecture can get hard because you need areas that aren’t seen by external users and areas that are seen by both. Often sub sites are used here.
      – Sensitive docs visible.
      – Single firewall separates corporate network from the internet.
  • Back-to-back perimeter. In this approach, the server farm is isolated in a separate perimeter network. Each layer can be isolated for more security via routers. Internal network requests can be directed through the internal-facing ISA server or routed through the public one.
    Pros:
      – Isolated to single farm.
      – External user access is isolated to the perimeter network.
    Cons:
      – Additional n/w gear req.
      – Single firewall separates corporate network from the internet.
  • Back-to-back perimeter with cross-farm services. The back-to-back perimeter network can be made more secure by moving the Services farm internally within the network for service applications such as User Profile, Search, Business Data Connectivity, and Managed Metadata. This in turn means that the Extranet can consume some of the same services that other workloads like the Intranet may be consuming on internal farms.
    Pros:
      – Isolation from corporate.
      – Network traffic isolation.
      – Prevents sensitive doc leaks.
      – Shared services managed corporate.
    Cons:
      – Additional SP farm req.
      – Additional n/w gear req.
      – Two-way trusts req. for some.
      – No mechanism to publish content internal to external.
  • Back-to-back perimeter with content publishing. The next typical thing we see from a security perspective is that a content staging farm is put in place. This means that all versioning of draft documents is created in the staging farm, and only once content has gone through the approval process is it pushed through to the Extranet farm. This also benefits from the ability for internal users to store documents that are related to the content being published to the extranet in the same place.
    Pros:
      – Isolation from corporate.
      – Network traffic isolation.
      – Prevents sensitive doc leaks.
      – Shared services managed corporate.
      – Ability to publish content from internal to external.
    Cons:
      – Additional SP farm req.
      – Additional n/w gear req.
      – Two-way trusts req. for some.
      – Content management complex.
      – No two-way content sync (read-only).
  • Split back-to-back (“stretched” farm). In this example, the web front ends and possibly application servers are moved into the perimeter network for performance reasons.
    Pros:
      – SQL stored in corporate n/w.
    Cons:
      – Domain trust required.
      – Complex architecture.
      – Interfarm comms in 2 n/w.
      – One site for both internal/external.
      – Sensitive docs visible.
  • Split back-to-back optimized for content publishing. Same as the last topology, but introducing content publishing.
    Pros:
      – SQL stored in corporate n/w.
      – Ability to publish content from internal to external.
    Cons:
      – Domain trust required.
      – Complex architecture.
      – Interfarm comms in 2 n/w.
      – Content management complex.
      – No two-way content sync (read-only).
  • Office 365 SharePoint Online. SharePoint Online keeps coming up as an option for this scenario because of the speed of deployment.
    Pros:
      – Quick to set up.
      – Provisioning users outside AD.
    Cons:
      – Additional costs of subscriber model.
      – Some features not available.
      – No supported OOTB content publishing.

Presentation Transcript

  • Governing your Extranet for a better user experience – Jeremy Thake, Enterprise Architect
  • Jeremy Thake
    • Enterprise Architect – AvePoint
    • SharePoint MVP since July ‘10
    • Founded SharePointDevWiki.com
    • Co-founder of NothingButSharePoint.com
    • Speaker at MS TechEd 2009/10, SPC 11
    jeremy.thake@avepoint.com | gplus.to/jthake | @jthake | www.linkedin.com/in/jeremythake
  • Agenda
    • What is an extranet?
    • Common issues with extranets
    • Authentication Sources
    • Extranet topologies
    • Enforcing processes
    © 2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
  • What is an Extranet?
  • What is an extranet?
    • Controlled access from external networks
    • Typically walled areas of content
    • Access by internal and external users via authentication
    • Mixture of
      – published read-only content for reference
      – shared collaboration content accessible internally/externally to the company
  • Examples
    • Software Partner extranet
      – manuals, software, blogs
      – discussion forums
    • Engineering Partner extranet
      – Collaborating on documents
      – Project plans, meeting minutes, agenda etc.
    • Software Customer extranet
      – Portal for various systems: helpdesk, sales
  • Common issues with Extranets
  • Onboarding
    • Creating new users
      – 1 to 1
      – Shared accounts
    • ECAL licensing
  • Managing users
    • Forgotten passwords
    • Access requests
    • Expiring accounts
    • Claims
  • Internal content
    • Content collaborated on and managed internally
    • Making published versions available securely
    • Internal users need an aggregated view
    • Data sensitivity issues
    • Auditing
  • Branding & Navigation
    • Purposely looks different from internal content
    • Cross site collection navigation
    • Internal users have to look in both Intranet & Extranet
  • Authentication sources
  • Active Directory
    • Existing AD, within the same OU as internal users
      – Most organizations won’t agree with this
    • Existing AD, but isolated in its own OU
      – Some organizations won’t like external users in the internal AD
    • External AD with a one-way trust
      – Some won’t like even the trust
    • Office 365 federated
  • Claims Based Auth
    • Forms Based Authentication (FBA)
    • Azure ACS (Live ID, Google, Facebook)
    • ADFS 2.0
    • Office 365 Microsoft Online ID
  • Extranet topologies
  • Edge firewall
  • Edge firewall
    Pros:
      – Simplest solution
      – Inside corporate network
    Cons:
      – Security model complex
      – One site for both internal/external
        – Sensitive docs visible
      – Single firewall separates corporate network from the internet
    http://technet.microsoft.com/en-us/library/cc263513.aspx
  • Back-to-back perimeter
  • Back-to-back perimeter
    Pros:
      – Isolated to single farm
      – External user access is isolated to perimeter network
    Cons:
      – Additional n/w gear req.
      – Single firewall separates corporate network from the internet
    http://technet.microsoft.com/en-us/library/cc263513.aspx
  • Back-to-back perimeter with cross-farm services
  • Back-to-back perimeter with cross-farm services
    Pros:
      – Isolation from corporate
      – Network traffic isolation
      – Prevents sensitive doc leaks
      – Shared services managed corporate
    Cons:
      – Additional SP farm req.
      – Additional n/w gear req.
      – Two-way trusts req. for some
      – No mechanism to publish content internal to external
    http://technet.microsoft.com/en-us/library/cc263513.aspx
  • Back-to-back perimeter with content publishing
  • Back-to-back perimeter with content publishing
    Pros:
      – Isolation from corporate
      – Network traffic isolation
      – Prevents sensitive doc leaks
      – Shared services managed corporate
      – Ability to publish content from internal to external
    Cons:
      – Additional SP farm req.
      – Additional n/w gear req.
      – Two-way trusts req. for some
      – Content management complex
      – No two-way content sync (read-only)
    http://technet.microsoft.com/en-us/library/cc263513.aspx
  • Split back-to-back
  • Split back-to-back or “stretched” farm
    Pros:
      – SQL stored in corporate n/w
    Cons:
      – Domain trust required
      – Complex architecture
      – Interfarm comms in 2 n/w
      – One site for both internal/external
        – Sensitive docs visible
    http://technet.microsoft.com/en-us/library/cc263513.aspx
  • Split back-to-back optimized for content publishing
  • Split back-to-back optimized for content publishing
    Pros:
      – SQL stored in corporate n/w
      – Ability to publish content from internal to external
    Cons:
      – Domain trust required
      – Complex architecture
      – Interfarm comms in 2 n/w
      – Content management complex
      – No two-way content sync (read-only)
    http://technet.microsoft.com/en-us/library/cc263513.aspx
  • Office 365 SharePoint Online
  • Office 365 SharePoint Online
    Pros:
      – Quick to set up
      – Provisioning users outside AD
    Cons:
      – Additional costs of subscriber model
      – Some features not available
      – No supported OOTB content publishing
  • Enforcing processes
  • New content area
    • Site collection or sub site provisioning
      – Site templates, service level agreements
    • Security model
      – Grant users direct permissions
      – Add users to preexisting SharePoint Groups
      – Add users to preexisting AD Groups
      – Grant a claim direct permissions
    • Chargeback
  • Provisioning New User
    • SharePoint requires you to create the User first
      – Active Directory requires IT to create the user
      – Open ID sources can be created by the user
    • Once created
      – Can authenticate
      – Request authorization
        • Turn on “Manage Access Request” in Site Permissions
    • Better approach
      – Request Form
        • “same as User x”
        • Tick what roles are required, or list projects working on
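The two slides above describe the security model choice (groups over direct permissions) and the access-request step of onboarding. The following PowerShell is an added example, not code from the presentation or from AvePoint: it turns on “Manage Access Request” for a SharePoint 2010 site through the server object model, and fulfils an approved request by placing the user in a pre-existing SharePoint group instead of granting direct permissions. It assumes the SharePoint 2010 Management Shell on a farm server; the site URL, approver mailbox, login name and group name are placeholders.

```powershell
# Added example (not from the deck): access-request enablement and
# group-based provisioning for an extranet site. Placeholders throughout.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Enable-ExtranetAccessRequests {
    param(
        [Parameter(Mandatory=$true)][string]$WebUrl,
        [Parameter(Mandatory=$true)][string]$ApproverEmail
    )
    $web = Get-SPWeb $WebUrl
    try {
        # Same switch as Site Permissions > Manage Access Requests in the UI;
        # requests are mailed to the approver instead of users being added ad hoc.
        $web.RequestAccessEnabled = $true
        $web.RequestAccessEmail   = $ApproverEmail
        $web.Update()
    } finally {
        $web.Dispose()
    }
}

function Grant-ExtranetAccess {
    param(
        [Parameter(Mandatory=$true)][string]$WebUrl,
        [Parameter(Mandatory=$true)][string]$LoginName,  # e.g. "EXTRANET\jdoe" or a claims login (placeholder)
        [Parameter(Mandatory=$true)][string]$GroupName   # must already exist on the site
    )
    $web = Get-SPWeb $WebUrl
    try {
        # Refuse to fall back to direct permissions: the group is the governance unit.
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $GroupName }
        if ($null -eq $group) {
            throw "SharePoint group '$GroupName' does not exist on $WebUrl. Create the group first; do not grant direct permissions."
        }
        # EnsureUser resolves the login against the web application's authentication provider
        # (AD or claims) and adds the user to the site's user information list if needed.
        $user = $web.EnsureUser($LoginName)
        $group.AddUser($user)
        Write-Output "Added $LoginName to '$GroupName' on $WebUrl"
    } finally {
        $web.Dispose()
    }
}

# Usage (placeholders):
# Enable-ExtranetAccessRequests -WebUrl "https://extranet.example.com/sites/partner" -ApproverEmail "extranet-owners@example.com"
# Grant-ExtranetAccess -WebUrl "https://extranet.example.com/sites/partner" -LoginName "EXTRANET\jdoe" -GroupName "Partner Members"
```

Because the group lookup fails loudly when the group is missing, a request form that says “same as User x” can be mapped to group names rather than copied permissions, which keeps the later security audit readable.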
  • Security audits
    • Viewed content
      – By user
      – By third-party organization
      – Transmittals
    • Accessible content
      – See what they “can” see
    • Out of the box audit data is pruned after 60 days
    • DocAve Auditor allows retention of audit data
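As an added example (not from the presentation or AvePoint’s product), the PowerShell below enables site-collection auditing of the events the “viewed content” reports need and exports the entries for a given window, optionally restricted to one external user, so that a copy exists outside the out-of-the-box retention window mentioned on the slide. It assumes SharePoint 2010 and its Management Shell; the site URL, login name, output path and the 30-day default are placeholders.

```powershell
# Added example (not from the deck): turn on auditing and export audit entries
# to CSV so they survive the built-in log trimming. Placeholders throughout.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Enable-ExtranetAuditing {
    param([Parameter(Mandatory=$true)][string]$SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        $mask = [Microsoft.SharePoint.SPAuditMaskType]
        # Who viewed/changed/moved what: the events a per-user or per-partner review reads.
        $site.Audit.AuditFlags = $mask::View -bor $mask::Update -bor $mask::Delete `
                                 -bor $mask::CheckOut -bor $mask::CheckIn -bor $mask::Copy -bor $mask::Move
        $site.Audit.Update()
    } finally {
        $site.Dispose()
    }
}

function Export-ExtranetAuditLog {
    param(
        [Parameter(Mandatory=$true)][string]$SiteUrl,
        [Parameter(Mandatory=$true)][string]$OutputCsv,
        [int]$Days = 30,              # assumed default; keep it shorter than the pruning interval
        [string]$LoginName            # optional: only one external user's activity
    )
    $site = Get-SPSite $SiteUrl
    try {
        $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
        $query.SetRangeStart((Get-Date).AddDays(-$Days))
        $query.SetRangeEnd((Get-Date))
        if ($LoginName) {
            $user = $site.RootWeb.EnsureUser($LoginName)
            $query.RestrictToUser($user.ID)
        }

        # Audit entries carry only the numeric user id; map it back to a login name.
        $loginById = @{}
        foreach ($u in $site.RootWeb.SiteUsers) { $loginById[$u.ID] = $u.LoginName }

        $rows = foreach ($e in $site.Audit.GetEntries($query)) {
            New-Object PSObject -Property @{
                Occurred    = $e.Occurred
                Login       = if ($loginById.ContainsKey($e.UserId)) { $loginById[$e.UserId] } else { "id:$($e.UserId)" }
                Event       = $e.Event
                ItemType    = $e.ItemType
                DocLocation = $e.DocLocation
            }
        }
        $rows | Sort-Object Occurred | Export-Csv -Path $OutputCsv -NoTypeInformation
        return $rows
    } finally {
        $site.Dispose()
    }
}

# Usage (placeholders):
# Enable-ExtranetAuditing -SiteUrl "https://extranet.example.com/sites/partner"
# Export-ExtranetAuditLog -SiteUrl "https://extranet.example.com/sites/partner" -OutputCsv "C:\audit\partner-2011-11.csv" -LoginName "EXTRANET\jdoe"
```

Scheduling the export more often than the trimming interval is what turns the slide’s “pruned after 60 days” from a gap into a bounded one; the CSV is also what a third-party organization can be asked to review for its own people.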
  • Publishing content to Extranet
    • Content Deployment one-way
      – Can be set on the published flag
      – Content Deployment APIs have a history of issues
    • AvePoint Replicator
      – Allows replication of content based on business rules
  • Decommissioning content area
    • Lifecycle of content areas
      – Project finish
      – Unused areas, based on activity on the site
    • Records Management compliance
    • DocAve Archiver can archive site collections
  • Decommissioning user
    • Audits on whether users are still at the company
      – Enforce that external companies notify you of people leaving
      – Enforce that a report is signed each month to confirm
    • Password expiry enforces an “is alive” check
      – Need an add-on to enable this
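The “Decommissioning user” slide relies on two controls: a monthly attestation by each external company and an “is alive” signal from account activity. As an added example (not from the presentation), the PowerShell below builds both for external accounts held in a dedicated AD OU, the “isolated in its own OU” option from the authentication section: it lists enabled accounts with no logon for a configurable period, writes one report per partner company for sign-off, and disables stale accounts with -WhatIf support. It assumes the ActiveDirectory module; the OU path, 90-day threshold and output folder are placeholders.

```powershell
# Added example (not from the deck): stale-account review for external users.
# Requires the ActiveDirectory module (RSAT). Placeholders throughout.
Import-Module ActiveDirectory

function Get-StaleExtranetAccounts {
    param(
        [Parameter(Mandatory=$true)][string]$SearchBase,   # e.g. "OU=ExtranetUsers,DC=corp,DC=example" (placeholder)
        [int]$InactiveDays = 90                             # assumed threshold
    )
    # Search-ADAccount evaluates lastLogonTimestamp, which replicates with a lag of
    # up to 14 days, so the threshold should leave that margin.
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly -SearchBase $SearchBase |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Properties Company, LastLogonDate, PasswordLastSet, PasswordExpired
        } |
        Select-Object SamAccountName, Company, LastLogonDate, PasswordLastSet, PasswordExpired
}

function New-ExtranetAttestationReport {
    param(
        [Parameter(Mandatory=$true)][string]$SearchBase,
        [Parameter(Mandatory=$true)][string]$OutputFolder,
        [int]$InactiveDays = 90
    )
    $stale = Get-StaleExtranetAccounts -SearchBase $SearchBase -InactiveDays $InactiveDays
    # One CSV per partner company: the document their contact signs each month.
    $stale | Group-Object Company | ForEach-Object {
        $company = if ($_.Name) { $_.Name } else { "Unknown" }
        $file = "{0}-{1:yyyy-MM}.csv" -f ($company -replace '[^\w-]', '_'), (Get-Date)
        $path = Join-Path $OutputFolder $file
        $_.Group | Export-Csv -Path $path -NoTypeInformation
        $path
    }
}

function Disable-StaleExtranetAccounts {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$SearchBase,
        [int]$InactiveDays = 90
    )
    foreach ($acct in Get-StaleExtranetAccounts -SearchBase $SearchBase -InactiveDays $InactiveDays) {
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, "Disable inactive extranet account")) {
            Disable-ADAccount -Identity $acct.SamAccountName
            # Leave the reason on the object so the next review can see why it was disabled.
            Set-ADUser -Identity $acct.SamAccountName `
                -Description ("Disabled {0:yyyy-MM-dd}: no logon for {1} days" -f (Get-Date), $InactiveDays)
        }
    }
}

# Usage (placeholders):
# New-ExtranetAttestationReport -SearchBase "OU=ExtranetUsers,DC=corp,DC=example" -OutputFolder "C:\reports"
# Disable-StaleExtranetAccounts -SearchBase "OU=ExtranetUsers,DC=corp,DC=example" -WhatIf
```

Disabling rather than deleting keeps the SharePoint permission entries and audit trail resolvable for the content-area decommissioning step, and the PasswordExpired column in the report is the cheapest version of the slide’s “is alive” check when no password-expiry add-on is in place on the SharePoint side.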
  • Q&A
    Jeremy Thake | www.NothingButSharePoint.com | jeremy.thake@avepoint.com | gplus.to/jthake | @jthake | www.linkedin.com/in/jeremythake
  • References
    • Extranet topologies
    • Planning an Extranet Environment for Office SharePoint Server
    • Michael Noel’s presentation (technical)
    • Dan Holme
      – SharePoint Governance, Part I: Architecting SharePoint for Scalability and Enforceable Governance
      – SharePoint Governance, Part II: Automating SharePoint Governance and Management