Internet Sites in Microsoft Azure using SharePoint Server 2013
Public-facing Internet sites benefit from cloud elasticity ...
Internet Sites in Microsoft Azure Using SharePoint 2013 - Solution Model
Internet Sites in Microsoft Azure using SharePoint Server 2013
Public-facing Internet sites benefit from cloud elasticity and Microsoft Azure AD for customer accounts.

1. Design and size the farm topology

Use the topology, capacity, and performance guidance for SharePoint Server 2013 on TechNet to design the farm topology. See the following technical diagram: Internet Sites Search Architectures for SharePoint Server 2013. Ensure the farm you design meets the objectives for capacity and performance.

Example: Medium Internet Sites farm (~85 page views per second). This farm is intended to provide a fault-tolerant SharePoint Server 2013 search farm topology that is optimized for a corpus that contains 3,400,000 items. The example farm processes 100-200 documents per second, depending on the language, and it accommodates 85 page views per second and 100 queries per second.

[Diagram: example farm topology]
· Web servers (paired hosts for fault tolerance): Host A, Host B, and Host C, each running Web Server, Query processing, and Managed metadata. To scale out: add an additional web server to allow for an additional 28 page views per second.
· Application servers: Host D (Analytics, Content processing, Crawl, Admin), Host E (Content processing, Crawl, Admin), and Host F (Content processing, Crawl). To scale out: add one application server with a crawl component and a content processing component to process an additional 40 documents per second.
· Database servers: Host G and Host H, each holding all SharePoint databases (Crawl DB, Analytics DB, Search admin DB, Link DB, and all other SharePoint databases). Redundant copies of all databases using SQL clustering, mirroring, or SQL Server 2012 AlwaysOn.
· The diagram also shows Index Partition 0 with its replicas, the Distributed cache components, and the User Profile components.

2. Fine-tune for Microsoft Azure

The SharePoint farm might need to be fine-tuned for availability sets in the Microsoft Azure platform. To ensure high availability of all components, ensure that the server roles are all configured identically. In the example topology above:
§ The web servers and the database servers are configured identically.
§ The three application servers are not configured identically. These server roles require fine tuning for availability sets in Microsoft Azure.

[Diagram: application servers before and after fine-tuning]
Before: Host D (Analytics, Content processing, Crawl, Admin), Host E (Content processing, Crawl, Admin), Host F (Content processing, Crawl).
After: Host D, Host E, and Host F each run Analytics, Content processing, Crawl, and Admin.

The number of components is determined by the performance and capacity targets for the farm. To adapt this architecture for Microsoft Azure, we'll replicate the four components across all three servers. This increases the number of components beyond what is necessary for performance and capacity. The tradeoff is that this design ensures high availability of all four components in the Microsoft Azure platform when these three virtual machines are assigned to an availability set.

3. Choose the Active Directory model

All SharePoint solutions require Windows Active Directory Domain Services. At this time, there are two options for SharePoint solutions in Microsoft Azure.

Option: Dedicated domain
Description: You can deploy a dedicated and isolated domain to Windows Azure to support a SharePoint farm. This is a good choice for public-facing Internet sites.

Option: Extend the on-premises domain through a site-to-site VPN connection
Description: When you extend the on-premises domain through a site-to-site VPN connection, users access the SharePoint farm as if it were hosted on-premises. You can take advantage of your existing Active Directory and DNS implementation.

4. Design for identity management, zones, and authentication

Accounts and authentication. Determine how accounts will be managed and which type of authentication will be used.

Accounts for site developers and authors:
· Add accounts to the domain in Microsoft Azure.
· Use ADFS on premises to federate the internal accounts to the domain in Microsoft Azure.
· If the design includes a site-to-site VPN connection, use the internal accounts.

Accounts for customers:
· Use Microsoft Azure Active Directory.
· Use a different SAML-based provider.

Zones. At this time, a two-zone design in which all authenticated users are configured to use the default zone is not recommended.

Three-zone design: separation of internal and customer accounts. In SharePoint 2013, identity management is factored into the configuration of zones and authentication. This design provides clear separation of customer accounts from all other accounts.
· Use this design if you want customer accounts to be treated entirely differently from the internal accounts for authors and site developers.
· This design allows you to use zone policies to limit customer actions within a web application.
· This design results in different URLs for customer accounts and internal accounts.

In this example:
· Configure the default zone for internal accounts.
· Configure the Extranet zone for customer authenticated access. Use Microsoft Azure Active Directory for customer accounts, or use a different SAML-based provider.
· Configure the Internet zone for anonymous access.

[Diagram: three-zone design]
· Default zone: Windows Authentication (NTLM), used by site developers and authors. Web application http://internal:8000, with http://internal:8000 as the root site, in its own Application Pool; a separate Search Application Pool provides crawl and query services.
· Extranet zone: authenticated access for visitors and customers.
· Internet zone: anonymous access.
· The SharePoint 2013 farm and Active Directory run in the Azure Virtual Network; an optional VPN tunnel connects to the on-premises Active Directory and ADFS.
· Token flow: SharePoint and the ACS tenant exchange SAML 1.1 (WS-Fed) tokens; the ACS tenant and the Microsoft Azure Active Directory tenant exchange SAML 2.0 (WS-Fed) tokens.

Connecting to Microsoft Azure Active Directory. Microsoft Azure AD provides identity management and access control capabilities for cloud services. Capabilities include a cloud-based store for directory data and a core set of identity services, including user logon processes, authentication services, and Federation Services. The identity services that are included with Microsoft Azure AD easily integrate with your on-premises Active Directory deployments and fully support third-party identity providers.

When integrating SharePoint 2013 with Microsoft Azure Active Directory, a Microsoft Azure Access Control Service (ACS) serves two purposes:
§ AAD uses SAML 2.0, and SharePoint only works with SAML 1.1. ACS understands both formats and serves as the intermediary to transform the token formats between SharePoint and AAD.
§ ACS replaces the need for the identity provider security token service (IP-STS) for this SAML scenario.
See Configure Microsoft Azure Active Directory with SharePoint 2013 in the TechNet library.

5. Design sites and URLs for cross-site publishing

[Diagram: one web application containing a path-based root site collection and several host-named site collections]

A one web-application design is recommended for publishing scenarios.
§ Both authoring and publishing sites are in the same web application.
§ Cross-site publishing is used to publish assets.

Use path-based and host-named site collections.
§ A root site collection is a requirement. Create this site as a path-based site.
§ Create all other site collections as host-named site collections.

Web application and root site URLs:
· Use an internal name for the web application URL. SharePoint uses the local machine name as the default name unless a different name is specified. You can use a domain name that is reserved for the internal network environment.
· SharePoint assigns a non-standard port number when the web application is created. Use this port number instead of port 80 or port 443. Or use a different but non-standard port number.
· Use the same name and port number for the root site collection, which is a path-based site collection.

6. Design the Microsoft Azure environment

This example architecture includes the following elements:
§ A site-to-site VPN connection is optional and extends the on-premises Windows AD DS and DNS environment to the virtual network in Microsoft Azure.
§ Optionally, a dedicated domain can be used in Microsoft Azure to support the SharePoint farm.
§ Servers are split across Microsoft Azure cloud services based on role.
§ Availability sets ensure high availability of identically configured server roles.
For more information, see the following article on TechNet: Microsoft Azure Architectures for SharePoint Solutions.
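The three-zone web application from section 4, with the internal name, non-standard port and path-based root site from section 5, as an added example built with the SharePoint 2013 Management Shell cmdlets (this is not code from the Microsoft diagram). Account names, host names, the ACS namespace, realm and signing-certificate path are placeholders to replace with your own values.

```powershell
# Added example, not part of the original Microsoft diagram. All names below are
# placeholders: the ACS sign-in URL, realm and signing certificate come from your
# own ACS tenant, and the accounts and host names from your own domain.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$poolAccount = Get-SPManagedAccount "CONTOSO\sp_apppool"    # placeholder account

# Default zone: internal name plus the non-standard port, Windows (NTLM) claims auth.
# Only authors and site developers use http://internal:8000; it is never published.
$winAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$wa = New-SPWebApplication -Name "Internet Sites" -HostHeader "internal" -Port 8000 `
    -ApplicationPool "InternetSitesPool" -ApplicationPoolAccount $poolAccount `
    -AuthenticationProvider $winAuth -DatabaseName "WSS_Content_InternetSites"

# The required root site collection is path-based and reuses the web application's
# own name and port.
New-SPSite -Url "http://internal:8000" -OwnerAlias "CONTOSO\sp_admin" `
    -Name "Root" -Template "BLANKINTERNET#0"

# Extranet zone: customer accounts from Azure AD, brokered by ACS. ACS issues the
# SAML 1.1 tokens SharePoint consumes, so SharePoint must trust the ACS signing cert.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList "C:\certs\acs-signing.cer"                 # placeholder path
New-SPTrustedRootAuthority -Name "ACS token signing" -Certificate $signingCert
$emailClaim = New-SPClaimTypeMapping -SameAsIncoming -IncomingClaimTypeDisplayName "Email" `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$acs = New-SPTrustedIdentityTokenIssuer -Name "Azure AD via ACS" -Description "Customers" `
    -Realm "urn:sharepoint:customers" `
    -SignInUrl "https://ACS-NAMESPACE.accesscontrol.windows.net/v2/wsfederation" `
    -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailClaim -IdentifierClaim $emailClaim.InputClaimType
$samlAuth = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $acs
New-SPWebApplicationExtension -Identity $wa -Name "Internet Sites - Extranet" `
    -Zone Extranet -Url "https://customers.contoso.com" -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $samlAuth

# Internet zone: anonymous visitors only. Neither the Windows provider nor the ACS
# provider is offered on this URL; each provider exists only on its own zone, which
# is what lets zone policies limit what customer accounts can do.
New-SPWebApplicationExtension -Identity $wa -Name "Internet Sites - Internet" `
    -Zone Internet -Url "http://www.contoso.com" -Port 80 -AllowAnonymousAccess
```

The published sites are then created as host-named site collections in this same web application (New-SPSite with -HostHeaderWebApplication), leaving the root site above as the one path-based site collection the design requires; anonymous access on the Internet zone still has to be granted per site collection.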
[Diagram: Microsoft Azure environment]
· Virtual Network containing one Cloud Service with an Availability Set for Active Directory & DNS, one Cloud Service with an Availability Set for the Front End, and one Cloud Service with Availability Sets for the App server and Database roles.
· Microsoft Azure VPN Gateway on a Gateway subnet, connected by an active VPN to the on-premises environment (Active Directory, Windows Server 2012 RRAS). The on-premises connection is optional.

© 2014 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at