
Deploying an Extranet on SharePoint

Planning on deploying an Extranet on SharePoint? Before you open up your internal site for the your partners, consider the security, confidentiality, authentication and licencing implications


  1. Deploying a SharePoint Extranet
     By Alan Marshall
     Twitter: pomealan
     LinkedIn: http://nz.linkedin.com/pub/alan-marshall/3/980/267
     Acknowledgements: Chandan Banerjee and Wayne Ewington (Microsoft)
  2. Session Agenda
     - Extranet Definition
     - Implementation Scenarios
     - Design Considerations and Challenges
     - Deployment topologies
     - Which SharePoint version and licenses
     - Hints and Tips
     - Wrap up
  3. What is an Extranet
     ex-tra-net [ek-struh-net], noun
     An intranet that is partially accessible to authorized persons outside of a company or organisation.
     A network (as of a company) similar to an intranet that also allows access by certain others (such as customers or suppliers).
  4. Implementation Scenarios
     - Remote Access
       - Employees working remotely
       - Teleworkers
     - Share secure information
       - Provide reports to suppliers
       - Display order tracking
     - Collaborate with Partners
       - Design a solution
       - Request support
       - Student Portal
     - Personalised Customer Portal
       - View loyalty card transactions
       - Reward schemes
       - Specialised content
  5. Design Considerations and Challenges
     - Authentication
       - Single Sign-on
       - Managing accounts
     - Security
       - Sensitivity of data
       - Protect against resources being compromised
       - SharePoint Platform
       - How much do you trust external users
     - Platform deployment requirements
     - Features required
       - Which version of SharePoint? Foundation, Server, Enterprise
       - Integration
     - License Costs
     - Network infrastructure
  6. Implementation Options
     - Option 1 – Provide access to internal SharePoint Server
       - Remote Employees
       - Partners
     - Option 2 – Publish content to an external environment (read only)
       - Share secure information
       - Remote Employees
       - Partners
     - Option 3 – Provide an Extranet Farm, dual authenticated
       - Share secure information
       - Partners
       - Customer Portal
     - Option 4 – Host in the cloud
       - Partners
       - Customer Portal
  7. Option 1 – Perimeter Proxy
     Diagram: Internet (Remote Employees on an unknown user device with virus scanner and private browsing) -> Perimeter Firewall -> DMZ (TMG Server) -> LAN Firewall -> Internal Network (SharePoint Farm). HTTPS from the client through the perimeter firewall to TMG, HTTP from TMG to SharePoint; unauthenticated traffic crosses the DMZ; authentication happens against internal AD.
     - Threat Management Gateway (TMG) acts as a reverse proxy, translating external encrypted traffic to the internal SharePoint server.
     - Firewall ports required: 443 on the perimeter firewall externally and 80 on the internal LAN firewall.
     - Authentication occurs on the SharePoint Web Front Ends with internal AD.
  8. What's TMG
     - Threat Management Gateway
       - Formerly ISA Server
     - Forefront TMG server features
       - URL filtering
       - Antimalware inspection
       - Intrusion prevention
       - Application- and network-layer firewall
       - HTTP/HTTPS inspection in a single solution
       - Reverse proxy HTTP – HTTPS
       - Authentication, including 2 phase
  9. Option 1a – Perimeter Proxy with RODC
     Diagram: Internet (Remote Employees on an unknown user device with virus scanner and private browsing) -> Perimeter Firewall -> DMZ (TMG Server, RODC Server) -> LAN Firewall -> Internal Network (SharePoint Farm, Active Directory Server). HTTPS from the client to TMG, HTTP from TMG to SharePoint; authentication at TMG against the RODC; secure account replication from the internal Active Directory to the RODC.
     - TMG performs authentication and acts as a reverse proxy, translating external encrypted traffic to the internal SharePoint server.
     - Firewall ports required: 443 on the perimeter firewall externally and 80 on the internal LAN firewall, plus ports for IPSec.
     - Authentication occurs on the TMG Server with the Read Only Domain Controller (RODC).
     - Accounts replicated to the DMZ
       - Subset of attributes
       - Admin accounts excluded
       - No updates permitted
       - Windows 2008 feature
  10. What's an RODC
      - Read Only Domain Controller
      - Windows Server 2008
      - Removes the need for a trust between domains
      - Limits replication of accounts and attributes
  11. Option 1b – Perimeter Proxy with RODC and UAG
      Diagram: Internet (Remote Employees) -> Perimeter Firewall -> DMZ (UAG Server, RODC Server) -> LAN Firewall -> Internal Network (SharePoint Farm). HTTPS from the client to UAG, HTTP from UAG to SharePoint; authentication at UAG against the RODC; secure account replication from the internal domain to the RODC.
      - Unified Access Gateway (UAG) replaces TMG: it performs authentication and user privilege throttling and acts as a reverse proxy, translating external encrypted traffic to the internal SharePoint server.
      - Firewall ports required: 443 on the perimeter firewall externally and 80 on the internal LAN firewall, plus ports for IPSec.
      - Authentication occurs on the UAG Server with the Read Only Domain Controller (RODC).
      - Accounts replicated to the DMZ
        - Subset of attributes
        - Admin accounts excluded
        - No updates permitted
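The RODC options on slides 9 to 11 rest on two properties of the DMZ domain controller: only a subset of accounts is replicated, and admin accounts are excluded. The following PowerShell audit is an added example, not part of the deck, that checks both properties against a live RODC. It assumes the RSAT ActiveDirectory module, a read-only account in the internal domain, and a placeholder RODC name (`DMZ-RODC01`); the function name `Test-RodcPrivilegedCache` is the example's own.

```powershell
# Added audit example (not from the slide deck). Assumes the ActiveDirectory
# module is installed and the caller can read the domain; $Rodc is a placeholder.
Import-Module ActiveDirectory

function Test-RodcPrivilegedCache {
    param(
        [Parameter(Mandatory)] [string] $Rodc,
        # Groups whose members must never have secrets cached in the DMZ.
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                         'Schema Admins', 'Administrators',
                                         'Account Operators')
    )
    $findings = @()

    # Resolve every direct or nested member of the privileged groups.
    # -Recursive returns leaf objects (users/computers), not nested groups.
    $privilegedMembers = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty SamAccountName
    }

    # Check 1: accounts whose password is already cached on the RODC.
    # Any of them in a privileged group violates "admin accounts excluded".
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    foreach ($acct in $revealed) {
        if ($privilegedMembers -contains $acct.SamAccountName) {
            $findings += "Privileged account '$($acct.SamAccountName)' has a password cached on $Rodc"
        }
    }

    # Check 2: the Allowed list of the Password Replication Policy should not
    # name a privileged group or user explicitly (Denied wins over Allowed,
    # but an explicit allow is a configuration error worth surfacing).
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    foreach ($p in $allowed) {
        if (($PrivilegedGroups -contains $p.Name) -or ($privilegedMembers -contains $p.SamAccountName)) {
            $findings += "Allowed PRP list on $Rodc explicitly includes privileged principal '$($p.Name)'"
        }
    }

    # Informational: the Denied list and the cached user set, for review against
    # the expected population of remote employees ("subset of accounts").
    $denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
              Select-Object -ExpandProperty Name
    $cachedUsers = $revealed | Where-Object { $_.ObjectClass -eq 'user' } |
                   Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        Rodc        = $Rodc
        DeniedList  = $denied
        CachedUsers = $cachedUsers
        Findings    = $findings
    }
}

# Usage: replace the placeholder with the DMZ RODC's hostname.
$result = Test-RodcPrivilegedCache -Rodc 'DMZ-RODC01'
$result.Findings
$result.CachedUsers.Count
```

The cached-account check is the one that matters operationally: the Denied list by default holds the built-in "Denied RODC Password Replication Group" rather than each admin group by name, so comparing group names against the Denied list alone would produce false alarms. Reviewing `CachedUsers` against the list of remote employees covers the "subset of accounts" requirement from the same slides.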
  12. UAG
      - Unified Access Gateway
        - Spin-off of ISA Server
      - Remote access to SharePoint and/or Exchange
        - Granular application filtering capabilities
        - Deep endpoint health detection
        - Wizard driven configuration
      - Comprehensive remote access (SSL VPN)
      - DirectAccess
  13. Option 2 – Publish content
      Diagram: Internet (External People) -> Perimeter Firewall -> DMZ (TMG Server; new SharePoint Server(s), SQL Server and DMZ AD in a separate domain) -> LAN Firewall -> Internal Network (SharePoint Farm, Active Directory). HTTPS from the client to TMG; content deployment over HTTPS from the internal farm to the DMZ farm; authentication against DMZ AD; integration options to back-end systems.
      - Threat Management Gateway (TMG) provides authentication and reverse proxy.
      - Firewall ports required: the central admin port outbound and 443 externally.
      - All or part of the intranet is content deployed to the DMZ server.
      - Limited integration with back-end systems.
      - New SharePoint farm
        - Same version as internal
        - Separate domain and SQL
        - No single sign on for internal users
  14. Option 3 – Extranet Farm dual authenticated
      Diagram: Internet (External People) -> Perimeter Firewall -> DMZ (UAG Server, separate SharePoint farm, Extranet AD or LDS, LDAP authentication for SharePoint Server(s)) with the SQL Server in a further network layer; Internal Users reach the DMZ farm through the LAN Firewall and authenticate against internal Active Directory, whose accounts are replicated to the DMZ AD. HTTPS from external and internal users to UAG, HTTP from UAG to SharePoint. Shared SQL environment.
      - Unified Access Gateway (UAG) provides authentication. Note TMG does not support Forms hand off.
      - Firewall ports required for IPSec AD replication.
      - All content accessed by internal and external users is hosted in the DMZ.
      - Data layer (SQL) is separated into another network layer.
      - No content sharing (use workflow or third party).
      - Consideration to useability.
      - IA not supported for SharePoint 2010 configured with CLAIMS authentication.
  15. Option 3a – Extranet Farm dual authenticated with ADFS
      Diagram: Internet (External People, partner Corp A with its own ADFS 2.0 Server) -> Perimeter Firewall -> DMZ (UAG Server, ADFS 2.0 Proxy Server, SharePoint Server(s), DMZ AD holding service accounts) with the SQL Server in a further network layer; Internal Users reach the DMZ through the LAN Firewall; internal ADFS 2.0 Server and Active Directory on the internal network, accounts replicated to the DMZ AD. HTTPS on every hop; all user authentication is handed off by ADFS.
      - Unified Access Gateway (UAG) handles all access and authentication.
      - Firewall ports required for IPSec AD replication and ADFS port 443.
      - All content accessed by internal and external users is hosted in the DMZ.
      - Data layer (SQL) is separated into another network layer.
      - The ADFS server hands off authentication to the internal AD or to the partner AD.
  16. Option 4 – use the cloud
      Diagram: Internet (Remote Employees, SharePoint cloud service) -> Perimeter Firewall -> Internal Network (Internal Users, Internal AD); HTTPS to the cloud service; secure account replication from the internal AD.
      - All content stored in the SharePoint cloud service.
      - Internal users authenticated against replicated AD.
      - External users use Windows Live ID.
      - Content sharing: use workflow or a third party tool; content deployment is not supported.
  17. Which SharePoint version

      Version                                              | Applicable to                                   | Deployment option                      | Licences
      -----------------------------------------------------|-------------------------------------------------|----------------------------------------|-----------------------------------------
      SharePoint Foundation (or Search Server, SQL Express) | Collaboration solutions                        | Option 3 - 4                           | Windows External Connector; SQL CPU
      SharePoint Server 2010 Std                           | Portals with WCM, Profiles, Intranet publishing | Option 3 – 4; Option 1 for read only   | SharePoint Std CAL; SQL CPU or CAL
      SharePoint Server 2010 Ent                           | Same as Std + form services, BI and FAST        | Option 3                               | SharePoint Std + Ent CAL; SQL CPU or CAL
      SharePoint Server 2010 FIS                           | Anonymous or unknown user base                  | Option 3 - 4                           | SharePoint FIS; SQL CPU
  18. Component Parts
      - DMZ
      - Unified Access Gateway
      - Threat Management Gateway
      - SharePoint Foundation
      - SharePoint Server
        - Standard
        - Enterprise
      - Active Directory
      - Active Directory Lightweight Directory Services
      - Active Directory Federated Services
      - SQL Server
      - IPSec
  19. Hints and Tips
      - When using an RODC with a SharePoint member server, direct access to a read/write domain controller (RWDC) is required to:
        - Find a user who does not yet exist in a SharePoint site using the people picker
        - Create a new farm by creating a new configuration database
        - Run the PSconfig wizard to maintain/upgrade SharePoint
        - Create site collections
      - AD attribute filtering is not per RODC, so it affects the whole network, including branches that have an RODC.
      - The Profile service does not support LDAP import. See option 3.
  20. Wrap up
      - Decide what functionality you require
      - Pick the appropriate version of SharePoint
      - Understand the limitations
      - Design the deployment of the appropriate option
      - Consider test environments in the same configuration as production, as the security of the components is usually the issue