SharePoint 2010 anywhere access uag vs dmz

SharePoint 2010Anywhere Access
Kjell-Sverre Jerijærvi
Puzzlepart - June 2010
SharePoint 2010 Anywhere Access

Anywhere Access: UAG vs DMZ
Business drivers
Give employees secure anywhere access from mobile devices such as smart phones and laptops to applications while on the road or at home
Give partner and suppliers secure access to a controlled set of applications and web-sites for cross-organization collaboration
Forefront Unified Access Gateway
Secure application-by-application remote access to internal solutions
Also for controlled application access for partners and suppliers
Classic DMZ extranet or VPN
Access to web-sites in DMZ for employees, partners and suppliers
No access to internal solutions with DMZ extranet
Full access to internal solutions with VPN

UAG Pros & Cons
Secure remote access to specific applications
For remote employees with mobile devices
For partners and suppliers based on identity (IAM)
Rich Office client integration supported
No VPN connection required, uses IPsec tunneling
Client integrity check
Health check of client device using Network Access Protection (NAP)
Traditional DMZ and VPN is exposed to security risks through compromised client
Information leakage mitigation
Cleanup of the client endpoint, including cache, temporary files, and cookies
Single firewall disadvantage
This configuration results in a single firewall that separates the corporate internal network from the Internet

UAG Topology

DMZ Pros & Cons
Well-known infrastructure and operational policies
High level of solution and information isolation
Separated by design from internal solutions and information
Opens public HTTP/S access to entire SharePoint server
Must also open outer firewall for Office client integration
Requires an extra farm to host the DMZ extranet
Double the number of servers
Double the license costs
Double operations efforts
DMZ back-to-back perimeter effects
Database backups to internal storage more difficult
Integrations with internal systems more difficult
AD trusting or double all applicable user accounts
Split back-to-back perimeter possible
More complex infrastructure when split between DMZ and LAN
Must open inner firewall for access to internal app-servers, DB-servers

DMZ Back-to-Back Perimeter

IAM for Partners & Suppliers
Identity & Access Management (IAM)
Authenticate external users to establish their identity
Delegate user account management to partner / supplier
Based on STS & SAML standards for federated IAM and claims-based security
Active Directory Federation Services (ADFS)
Microsoft’s federated identity solution is ADFS 2.0
Forefront UAG integrates with ADFS
SharePoint 2010 integrates with ADFS
UAG must be used to control access to specific applications
Integrated with SharePoint 2010
Integrated with Office 2007 and 2010

Other Security Aspects
Anti-virus for SharePoint documents and content
Forefront for SharePoint 2010
Client security integrity checking
NAP is a Forefront UAG feature
Client cache cleanup
Forefront UAG feature
Two-factor authentication (2FA)
Supported by Forefront UAG

Forefront Secure Access Solutions

Office 2010 & Web Apps
Office Web Apps allows employees to view and edit document on mobile devices with no Office installed
Office Web Apps allows external users to view and edit documents, even if they don’t have Office
Office 2010 new file-transfer protocol provides faster open and save of documents, even on poor bandwidth networks
Office 2010 allows for co-authoring documents, across multiple locations and device types

SharePoint 2010 anywhere access uag vs dmz

by Kjell-Sverre Jerijærvi on Jun 07, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 21

Statistics

SharePoint 2010 anywhere access uag vs dmz — Presentation Transcript