Secure Collaboration: Install and Configure Remote Access for Microsoft SharePoint Server in an Hour
Uri Lichtenfeld, Security Specialist, Certified Security Solutions – Microsoft Partner
SESSION CODE: SIA312
Business Ready Security, across on-premises & cloud: help securely enable business by managing risk and empowering people
Integrate and extend security across the enterprise
(Slide graphic: from Block, Cost, Siloed to Enable, Value, Seamless)
Simplify the security experience, manage compliance
Protect everywhere, access anywhere
Highly Secure & Interoperable Platform
Identity
Business Ready Security Solutions
Information Protection
Identity and Access Management
Secure Messaging, Secure Endpoint, Secure Collaboration
PROTECT everywhere, ACCESS anywhere
SIMPLIFY security, MANAGE compliance
Enable more secure business collaboration from virtually anywhere and across devices, while preventing unauthorized use of confidential information
INTEGRATE and EXTEND security
Secure Collaboration
• Secure, seamless access
• Protect sensitive information in documents
• Best-in-class anti-malware
• Enterprise-wide visibility
• Easier partner management
• Deep Microsoft SharePoint and Office integration
• Standards-based interoperability across organizations and cloud
SharePoint Server 2010 Security Capabilities
• Active Directory Rights Management Services (AD RMS) template is built in with SharePoint.
• Windows SharePoint with AD RMS can be used to convert the stored file to an encrypted format each time a user downloads the file.
Protect Documents from Malware
(Slide comparison: Microsoft solution “Defense in Depth” vs. competitors’ solutions: automatic engine updates, multiple engines vs. a single engine, 38 times faster response, eliminates single point of failure)
“Forefront Security for SharePoint…gives us an extra layer of protection for our SharePoint environment in ways that no other product can match.” – Tom Booth, Sr. Collaboration Engineer
(Slide diagram: claims-based access across a federation trust)
Trey Research account forest: AD DS, AD FS; user account/credentials
Woodgrove Bank resource forest: AD DS, AD FS, AD RMS, SharePoint Server farm, Exchange 2010; business partners
Flow: 1. application access; 2. redirect to Security Token Service (STS); 3. authentication; 4. token and claims (security token); 5. post claims
• Shared identity with partner organizations and cloud services
• Boost cross-organizational efficiency and communication with more secure access
− Support the sharing of rights-protected messages between organizations
− Improved support for Microsoft SharePoint Server as a claims-aware application
Active Directory Federation Services
(Slide diagram: UAG as the single point of entry)
Clients, via the Internet: Home/Kiosk, employee-managed machines, mobile, business partners
Access methods: DirectAccess, HTTPS (443), Layer 3 VPN
Data center/corporate network: Exchange, CRM, SharePoint, IIS-based applications, IBM, SAP, Oracle, TS/RDS, Citrix, non-web applications (HTTPS / HTTP)
Directory and policy: AD, ADFS, RADIUS, LDAP…, NPS, ILM
Always-on Secure and Seamless Access (Protect everywhere, access anywhere)
• Integrated SSL VPN capabilities
• Simplified remote access by non-Windows, down-level, or non-trusted endpoints
• DirectAccess in Windows Server 2008 R2, along with Unified Access Gateway, enables secure, seamless, always-on access to messaging and applications from Windows 7 clients.
Consolidated Network Access Portal
• Single point of entry to shared and published applications
• Can locate applications without tracking site addresses
• Offers same user experience for remote users
• Supports strong two-factor authentication, which can help organizations to keep their shared information safe
Remote user can have access to corporate applications and shared folders without direct access to internal resources.
Business partner has limited access to corporate network; Unified Access Gateway allows access only to those applications for which users have permissions.
Policy-based Granular Access and Security (Protect everywhere, access anywhere)
• Identity-centered, policy-based granular access and security for shared resources on collaborative portals
• Policy definitions to help provide controlled access to application areas and operations
• Can allow or block application functions, including:
  – Document download/upload
  – Document check out/check in
  – Edit document/properties
  – Delete
UAG User Experience
DEMO
Simplified Management
Step 1: Choose the type of application you wish to publish.
Step 2: Provide the internal name of the SharePoint Server and the external name.
Step 3: Configure the same external name on your SharePoint Server.
All done!
• Simplifies deployment and ongoing tasks through wizards and built-in policies
• Simplified user experience, reducing support costs
• Consolidates remote access infrastructure
AAM Configuration

Zone      Internal URL                          Public URL for Zone
Default   http://hrportal                       http://hrportal
Internet  http://hrportal.woodgrovebank.com     https://hrportal.woodgrovebank.com
Internet  https://hrportal.woodgrovebank.com    https://hrportal.woodgrovebank.com

Zone      Internal URL                          Public URL for Zone
Default   http://hrportal                       http://hrportal
Internet  https://hrportal.woodgrovebank.com    https://hrportal.woodgrovebank.com
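As an added example that is not part of the deck, the same mapping expressed in the SharePoint 2010 Management Shell: the Internet zone's public URL is set to the external name published on UAG (Step 3 of the wizard) and a small check confirms the two agree. It assumes the deck's sample hostnames and a hypothetical helper, Test-UagAamMatch, written here for the check.

```powershell
# Added example, not from the deck: create the Internet-zone Alternate Access
# Mappings that make SharePoint answer under the external name published on UAG,
# then verify that the public URL really matches. Assumes the SharePoint 2010
# Management Shell on a farm server and the deck's sample hostnames.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebApp      = "http://hrportal"                       # Default-zone URL of the web application
$UagExternal = "https://hrportal.woodgrovebank.com"    # external name entered in the UAG wizard
$UagInternal = "http://hrportal.woodgrovebank.com"     # host header UAG sends when it talks HTTP to the farm

# Public URL for the Internet zone: the name remote users see in every link SharePoint writes.
# Fails if the zone already has a public URL; use Set-SPAlternateURL to change an existing one.
New-SPAlternateURL -Url $UagExternal -WebApplication $WebApp -Zone Internet

# Internal URL in the same zone: requests arriving from UAG under this name are mapped onto
# the public URL above, so SharePoint never emits the internal name to the outside.
New-SPAlternateURL -Url $UagInternal -WebApplication $WebApp -Zone Internet -Internal

# Hypothetical helper: confirm the Internet zone's public URL equals the UAG external name.
# A mismatch makes SharePoint write absolute links to a host the remote user did not reach
# through UAG, so pages break or requests try to bypass the gateway.
function Test-UagAamMatch {
    param([string]$WebApplication, [string]$ExternalName)
    $entry = Get-SPAlternateURL -WebApplication $WebApplication -Zone Internet |
             Select-Object -First 1
    if ($null -eq $entry) { throw "No Alternate Access Mapping exists for the Internet zone" }
    $match = $entry.PublicUrl.TrimEnd('/') -ieq $ExternalName.TrimEnd('/')
    [pscustomobject]@{
        Zone      = 'Internet'
        PublicUrl = $entry.PublicUrl
        Expected  = $ExternalName
        Match     = $match
    }
}

Test-UagAamMatch -WebApplication $WebApp -ExternalName $UagExternal
```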
Integrated Security, Granular Policies
• Overlay granular access control to specific sites and/or features within sites
• Built-in endpoint security policies (integrated with NAP)
• Expanded authentication and authorization capabilities
• Session clean-up and information leakage prevention
• Integrated network security
DEMO
Publish all Exchange mail services as a single UAG application:
• Easier publishing experience
• Symmetrical topology for all front-end mail services
Publish each Exchange service as a separate application:
• Greater back-end topology
Anywhere Access… and simple, secure access optimized for Exchange
Configuring SharePoint Access through UAG
DEMO
SharePoint Workspace Mobile
• Easier access to SharePoint libraries and lists
• Ability to synchronize Office docs edited and stored locally on the device
• UAG allows access for on-premises SharePoint Server 2010 via SSL
• Access multiple sites and libraries
• Browse a site and view lists & libraries easily
• Access your documents offline
Anywhere Access: Forefront UAG, a key enabler of DirectAccess
• Simplified connectivity
• Applies GPOs to remote computers
• Full NAP integration
• Authentication and encryption mitigate many attacks
VPNs connect the user to the network; DirectAccess extends the network to the computer and user.
Always On: improved productivity; not user initiated
Manage Out: "light up" remote clients; decreases patch miss rates
Access Policies: pre-logon health checks and remediation; replaces modal "connect-time" health checks
Protected Transactions: supports authenticated transactions; supports encrypted transactions
UAG extends the benefits of Windows DirectAccess across your infrastructure, enhancing scalability and simplifying deployments and ongoing management
(Slide diagram: UAG as SSL-VPN and DirectAccess server)
Managed Windows 7 clients (always on, IPv6) connect over DirectAccess to Windows Server 2008 R2 application servers (IPv6).
Unmanaged clients (PDA, Windows Vista/Windows XP, non-Windows; IPv6 or IPv4) connect over SSL-VPN.
UAG also reaches IPv4-only servers: Windows Server 2003, legacy application servers, non-Windows servers.
UAG and DirectAccess better together:
• Extends access to line-of-business servers with IPv4 support
• Access for down-level and non-Windows clients
• Enhances scalability and management
• Simplifies deployment and administration
• Hardened edge solution
UAG provides access for down-level and non-Windows clients. UAG improves adoption and extends access to existing infrastructure. UAG enhances scale and management with integrated LB and array capabilities. UAG uses wizards and tools to simplify deployments and ongoing management. UAG is a hardened edge appliance available in HW and virtual options.
From IAG to UAG (slide table: each capability marked New or Improved in UAG relative to IAG)
APPLICATION PUBLISHING
• Granular application filtering
• Session cleanup and removal
• End point health detection
INTEGRATION
• Integrated with NAP policies
• Remote Desktop and RemoteApp integration
• Extends and simplifies DirectAccess deployments
SCALE AND MANAGEMENT
• Built-in load balancing
• Array management capabilities
• Enhanced monitoring and management (SCOM)
UAG Form Factors
• Server software install (MSI): installs on hardware or virtual servers on Hyper-V or SVVP guest
• Hardware appliance from OEM partners
How to Buy
Server License
• OEM Partners: Customers can buy Forefront UAG as a physical appliance. This includes the underlying Windows Server 2003 R2 license.
• Microsoft Volume Licensing: Customers can run Forefront UAG as a virtual machine or as software. These options require provisioning the Windows license from a customer’s existing agreement.
Client Access and Other Licenses
• Microsoft Volume Licensing: Customers can buy Forefront UAG CALs, External Connectors, and SPLAs through Microsoft Volume Licensing. In addition to individual CALs, customers with large environments can purchase a 10,000 CAL pack.
Deployment Tips
• Wildcard SSL certificate for UAG sites
• Configuring SharePoint AAM for UAG
• UAG guide for SharePoint publishing: http://technet.microsoft.com/en-us/library/dd857356.aspx
• UAG team blog: http://blogs.technet.com/edgeaccessblog/archive/2008/10/13/publishing-sharepoint-with-iag-2007-part-3-sharepoint-topologies.aspx
• TechNet: Plan Alternate Access Mappings: http://technet.microsoft.com/en-us/library/cc288609.aspx
Resources
• Sessions on-demand & community: www.microsoft.com/teched
• Microsoft certification & training resources: www.microsoft.com/learning
• Resources for IT professionals: http://microsoft.com/technet
• Resources for developers: http://microsoft.com/msdn
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Appendix
Simplify security, manage compliance
Manage Compliance
• Enterprise policy enforcement to protect from unauthorized access
• Enhanced security with reduced risk of information leaks through persistent data protection
• Streamlined adoption and deployment with out-of-the-box integration with collaboration workflow, the Microsoft Office system, and Active Directory
• Prevents information leakage from within the documents while moving to the external user
• Enterprise policy enforcement for external partners and vendors to protect from unauthorized access
• Dashboard and risk-centered prioritized view throughout the enterprise
• Centralized reporting and alerting with Unified Access Gateway management console
• Access to SharePoint sites and ability to edit documents from virtually anywhere: managed laptops, home computers, kiosks, and mobile devices
• Includes multiple scanning engines from industry-leading security partners integrated in a single solution to help businesses protect against single point of failure
• Content filters to help keep users from posting or retrieving ethically questionable material and confidential company information
• Configurable file-filtering rules to help block file types known for carrying viruses or opening organizations to legal exposure
Track Resources
Learn more about our solutions:
http://www.microsoft.com/forefront
Try our products: http://www.microsoft.com/forefront/trial
JUNE 7-10, 2010 | NEW ORLEANS, LA