SharePoint and Forefront Unified Access Gateway

In this session Solutions Architect, James Tramel of Planet Technologies delivers an understanding of various Networking concepts as it relates to the performance, authentication, and internal and external access of SharePoint.

Published in: Technology
Notes
  • Formerly
  • Lots of ways to create SharePoint, some of which require more secure setups
  • SharePoint resides in a…
  • If you don’t know, to understand network topology…
  • Concept we’ll return to a few times. Key components to network. Who’s in your inner circle?
  • Notice the wall
  • Notice the wall / the blockade
  • To understand what all this means, let’s go back to inside and outside for a moment
  • To understand what all this means, let’s go back to inside and outside for a moment
  • Bring this up, as this is common – you host SharePoint yourself – although you don’t have to
  • Question for SP - How do users get to your data and your farm
  • Add slide from mind to matter on topology, explain web application and zones
  • Lead to how do we do this
  • Create kerberos token for claims – follow Shannon and keep it simple. That’s great, but what if you want this stuff:
  • CU – great – but what’s wrong? Is it supported? How safe is it? What is the cost? What is the benefit?
  • To understand what all this means, let’s go back to inside and outside for a moment
  • http://go.microsoft.com/fwlink/?LinkId=187987
  • http://technet.microsoft.com/en-us/library/dd861393.aspx
  • http://en.wikipedia.org/wiki/Microsoft_Forefront_Unified_Access_Gateway – authentication vendors such as RSA Security, Vasco, GrIDsure, Swivel, ActivCard and Aladdin; numerous authentication systems and protocols such as Active Directory, RADIUS, LDAP, NTLM, Lotus Domino, PKI and TACACS+.
  • Secure Socket Tunneling Protocol
  • What we’re going to do / What I’ve done
  • Simple, right?
  • More Complicated
  • Where to put things. How to get from point A to B. VLANs. TMG does not play around.
  • Who can name all 5? Default, Intranet, Internet, Custom, Extranet. Demo.
  • Browse to Planet’s. Explain redirection. Show service.
  • http://technet.microsoft.com/en-us/virtuallabs/bb499665.aspx – configure portal trunk. Show http redirect. Show AAM. Show IIS. Show Portal. Show TMG. Show UAG.
  • References
  • SharePoint and Forefront Unified Access Gateway

Slide 1: SharePoint and Forefront Unified Access Gateway
  • James Tramel
  • Solutions Architect
  • Planet Technologies

Slide 2: About me
  • In other lives: Network Engineer, Network Admin, WAN admin, Cloud admin
  • Now: SharePoint experience and certification (custom and OOB / data and architect)
  • Forefront IM and UAG

Slide 3: SharePoint
  • As a portal
  • As an intranet
  • As an extranet

Slide 4: SharePoint and Network Infrastructure
  • How is your farm built?
  • Where does it reside?
  • Who accesses it, and how?
  • What does it look like in your network?
  • What does your network topology look like?

Slide 5: What is Network Topology
  • Network topology is the layout pattern of interconnections of the various elements (links, nodes, etc.) of a computer network.
  • Physical topology refers to the physical design of a network, including the devices, location and cable installation.
  • Logical topology refers to how data is actually transferred in a network, as opposed to its physical design.

Slide 6: Inside / Outside
  • What is a LAN?

Slide 7: LAN
  • A local area network (LAN) is a computer network that connects computers and devices in a limited geographical area such as a home, school, computer laboratory or office building. The defining characteristics of LANs include their usually high data-transfer rates, smaller geographic area, and lack of a need for leased telecommunication lines.

Slide 8: LAN: Local Area Network - Basic

Slide 9: LAN: Typical

Slide 10: Inside / Outside
  • What is a LAN?
  • What is a WAN?

Slide 11: WAN
  • A wide area network (WAN) is a telecommunication network that covers a broad area (i.e., any network that links across metropolitan, regional, or national boundaries). Business and government entities utilize WANs to relay data among employees, clients, buyers, and suppliers from various geographical locations. In essence, this mode of telecommunication allows a business to effectively carry out its daily function regardless of location.

Slide 12: WAN: Frame

Slide 13: WAN: VPN

Slide 14: Inside / Outside
  • What is a LAN?
  • What is a WAN?
  • What is a Host?

Slide 15: Host
  • A network host is a computer connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network.
  • A web hosting service is a type of Internet hosting service that allows individuals and organizations to make their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own or lease for use by their clients, as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center.

Slide 16: How to use SharePoint from Outside
  • Inside network protocols
  • Outside network protocols
  • How can SP be set up for outside?

Slide 17: SharePoint Topology

Slide 18: Common Outside Methods
  • Anonymous Access
  • SSL
  • Authentication methods: Windows based, Token based, Claims based, Forms based

Slide 19: Authentication Demo

Slide 20: Authentication Example
  • AD is not the authoritative directory
  • SAML tokens are not allowed to be consumed
  • No guarantee of Internet Explorer
  • High security / sensitive data

Slide 21: Inside / Outside
  • What is a LAN?
  • What is a WAN?
  • What is a Host?
  • What is a DMZ?

Slide 22: DMZ
  • A DMZ, or Demilitarized Zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. It is sometimes referred to as a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.

Slide 23: DMZ: 1 firewall

Slide 24: DMZ: 2 Firewalls

Slide 25: Building a SharePoint Extranet
  • Access Scenarios: Remote employee; External partner or customer; Branded Internet sites; Web hosting; Mobile phone access

Slide 26: SharePoint and UAG

Slide 27: What is UAG?
  • Part of the Forefront Suite
  • Reverse Proxy, DirectAccess, Remote Desktop Services and VPN solution
  • Built with/on TMG (firewall, endpoint security)
  • Great for LOB apps
  • Highly customizable, integrates with a lot

Slide 28: Follow the Program

Slide 29: UAG and TMG
  • TMG is installed before you install UAG
  • TMG can act as a router, an Internet gateway, a virtual private network (VPN) server, a network address translation (NAT) server and a proxy server.
  • TMG is a firewall that offers application layer protection, stateful filtering, content filtering and anti-malware protection.
  • TMG can compress web traffic and offers web caching

Slide 30: UAG Setup in General
  • Publishing Microsoft Exchange Server Applications
  • Publishing Remote Desktop Services
  • Remote Network Access Using SSTP
  • Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
  • Endpoint Policies and Network Access Protection
  • UAG Arrays
  • DirectAccess

Slide 31: UAG DirectAccess and SharePoint
  • UAG DirectAccess
  • Single server endpoint outside of the perimeter
  • Everything on VMs
  • Multiple SP applications
  • Multiple forests

Slide 32: UAG – SP Extranets
  • Edge firewall

Slide 33: UAG – SP Extranets
  • Split back-to-back, optimized for content publishing

Slide 34: UAG – SP Extranets
  • Back-to-back perimeter with content publishing (and optional TMG caching)

Slide 35: Things to note for installing UAG
  • Know the network topology
  • Know how to get around the network topology
  • VMs and VM topology
  • Static routes
  • Make sure you have access to the local (console) session; you will likely lose IP connectivity your first time

Slide 36: Understanding VMs
  • Virtual network types: Private Virtual Network, Internal Virtual Network, External Virtual Network
  • Virtual NICs
  • Physical NICs
  • Static routes

Slide 37: Addressing UAG

Slide 38: Addressing UAG
  • Name your network adapters
  • Configure the external NIC
  • Get rid of properties you don’t need
  • Default gateway
  • Uncheck "register the connection in DNS"
  • Disable NetBIOS

Slide 39: Addressing UAG
  • Configure the internal NIC
  • No gateway
  • Register the connection in DNS
  • Check your static route to the internal NIC
  • Change the binding order
  • Check routes

Slide 40: Addressing SharePoint: AAM – Alternate Access Mappings
  • You can associate a Web application with a collection of mappings between internal and public URLs.
  • Alternate access mappings enable a Web application that receives a request for an internal URL, in one of the five authentication zones, to return pages that contain links to the public URL for the zone.
  • The UAG server responds with identical content, even though external users submit a different protocol (HTTPS) and a different host header than internal users.
  • Alternate access mappings allow the SharePoint server to perform URL changes on its own. This ensures that reverse proxies, such as UAG, do not have to change the content of the pages they serve to external sources.
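As an added example (not code from the deck, from SharePoint or from UAG), the AAM behaviour described above modelled in Python: the zone is resolved from the request's scheme and host header, and absolute links in the page body are rewritten from that zone's internal URL to its public URL, so the reverse proxy never has to touch the content. The five zone names are SharePoint's; the host names, the AAM table and the sample page are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed AAM table: zone -> (internal URL, public URL). SharePoint's five
# zones are Default, Intranet, Internet, Custom and Extranet; only three are
# filled in here, and the host names are assumptions, not from the slides.
AAM = {
    "Default":  ("http://sp-wfe01",          "http://sp-wfe01"),
    "Intranet": ("http://portal.corp.local", "http://portal.corp.local"),
    "Extranet": ("http://sp-wfe01:8080",     "https://partners.example.com"),
}

# Constructed sample page as the WFE renders it with internal (Extranet-zone) links.
SAMPLE_PAGE = ('<a href="http://sp-wfe01:8080/sites/proj">Project</a> '
               '<img src="http://sp-wfe01:8080/_layouts/logo.png">')


def _origin(url):
    """(scheme, host[:port]) of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def zone_for_request(scheme, host_header):
    """Return the zone whose internal or public URL matches the request.
    External requests arrive through UAG with the public host name (HTTPS);
    internal ones carry the internal host name, so either side may match."""
    wanted = (scheme.lower(), host_header.lower())
    for zone, (internal, public) in AAM.items():
        if wanted in (_origin(internal), _origin(public)):
            return zone
    return None


def public_links(html, zone):
    """Rewrite absolute links from the zone's internal URL to its public URL.
    The lookahead stops 'http://sp-wfe01' from also matching 'http://sp-wfe01:8080'."""
    internal, public = AAM[zone]
    pattern = re.escape(internal) + r"(?=[/\"'\s]|$)"
    return re.sub(pattern, public, html, flags=re.IGNORECASE)


def render_for_request(scheme, host_header, html):
    """What the farm should hand back for a request: links for the matching zone.
    A host header that maps to no zone is an AAM gap; refusing it is safer than
    serving a page whose links leak the internal URL to an external client."""
    zone = zone_for_request(scheme, host_header)
    if zone is None:
        raise LookupError("no AAM zone for %s://%s" % (scheme, host_header))
    return public_links(html, zone)
```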
Slide 41: UAG Portals and Trunks
  • The UAG portal is an ASP.NET-based Web application using AJAX, and is the front-end Web application for UAG.
  • A UAG portal trunk is a transfer channel that allows endpoints to connect to the trunk’s portal home page over HTTP or HTTPS. You can also create a redirect trunk that redirects HTTP endpoint requests to an HTTPS trunk.
  • Each trunk has a portal home page to which remote endpoints connect to interact with the trunk and access published applications.
  • For each trunk, UAG adds the Portal application to the trunk in order to provide a default home page. Alternatively, you can define a customized home page.

Slide 42: Addressing SharePoint: Public Host Names
  • Each Web app is associated with a unique public-facing host name, which is used to access the application remotely.
  • A Web app that is published through the Forefront UAG trunk shares the trunk's definitions in addition to some of the trunk's functionality, such as the logon and logoff pages.
  • This means that the application's public host name must reside under the same parent domain as the trunk's public host name; that is, the application and the trunk are subdomains of the same parent domain.

Slide 43: Addressing SharePoint: Public Host Names

Slide 44: Addressing SharePoint and UAG: Server certificates
  • All the public host names that are used in the trunk should be covered by this certificate, including the trunk's public host name and the public host names of all the applications that are accessed via the trunk.
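An added pre-deployment check, in Python, for the two rules on slides 42 and 44 (it is not from the deck or from UAG): every application's public host name must share the trunk's parent domain, and every public host name, the trunk's included, must be matched by a subject alternative name on the trunk certificate. The trunk host, application hosts and SAN list below are constructed, and the wildcard rule assumed is the usual one: a `*.` SAN covers exactly one left-most label.

```python
# Constructed trunk plan; none of these host names come from the slides.
TRUNK_HOST = "portal.example.com"
APP_HOSTS = ["sp.example.com", "docs.example.com", "team.sharepoint-partner.net"]
CERT_SANS = ["portal.example.com", "*.example.com"]   # SANs on the trunk certificate


def parent_domain(host):
    """Everything after the left-most label ('sp.example.com' -> 'example.com')."""
    parts = host.lower().split(".", 1)
    return parts[1] if len(parts) == 2 else ""


def san_matches(san, host):
    """True if a certificate SAN covers the host. A wildcard SAN matches one
    label only, so '*.example.com' covers 'sp.example.com' but not
    'a.b.example.com' or the bare 'example.com' (assumed RFC 6125 behaviour)."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return san == host


def check_trunk(trunk_host, app_hosts, cert_sans):
    """Return a list of problems (empty when the plan satisfies both rules)."""
    problems = []
    parent = parent_domain(trunk_host)
    for host in [trunk_host] + list(app_hosts):
        # Rule 1 (slide 42): published apps live under the trunk's parent domain.
        if host != trunk_host and parent_domain(host) != parent:
            problems.append("%s: not a subdomain of %s" % (host, parent))
        # Rule 2 (slide 44): the trunk certificate must cover every public host name.
        if not any(san_matches(san, host) for san in cert_sans):
            problems.append("%s: not covered by certificate SANs" % host)
    return problems


if __name__ == "__main__":
    for problem in check_trunk(TRUNK_HOST, APP_HOSTS, CERT_SANS) or ["plan OK"]:
        print(problem)
```

With the constructed plan the partner host fails both rules; moving it under the trunk's parent domain (or giving it its own trunk) clears the report.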
Slide 45: Demo / Tour

Slide 46: Conclusion
  • UAG is a way to go for extranets in a highly secure deployment
  • Big ROI for its other uses, as well as SP
  • Know your network infrastructure
  • Plan your SP install
  • Access to the local UAG server
  • Know your risks

Slide 47: Q and A

Slide 48: References
  • MSDN
  • Technet
  • Microsoft Press
  • Wikipedia
  • http://mikecrowley.files.wordpress.com/2010/11/
  • http://www.windowsnetworking.com/articles_tutorials/Understanding-Virtual-Networking-Microsoft-Hyper-V.html
  • http://mrshannon.wordpress.com/2010/04/30/setting-ip-addresses-on-a-uag-directaccess-server/
  • http://blog.concurrency.com/infrastructure/uag-directaccess-ip-addressing-the-server/
  • http://www.bibble-it.com/2010/02/21/forefront-uag-in-10-minutes