Philadelphia Area SharePoint User Group Building Customer/Partner Extranets Designing a Secure Extranet with Sharepoint 2007 Russ Basiura RJB Technical Consulting www.rjbtech.com [email protected]


Page 1

Philadelphia Area SharePoint User Group

Building Customer/Partner Extranets

Designing a Secure Extranet with Sharepoint 2007

Russ Basiura
RJB Technical Consulting
www.rjbtech.com
[email protected]

Page 2


Agenda

1. Intro SharePoint Extranets and FBA
2. Scenarios
3. Scenarios
4. Challenges
5. Demonstration

Page 3


WHAT IS AN EXTRANET??

Page 4


EXTRANETS POSE UNIQUE CHALLENGES FOR SHAREPOINT ADMINISTRATORS

How can I provide SharePoint sites for our employees to use to collaborate with our customers, suppliers, partners and maintain proper security?

How can I keep user accounts & passwords for non-employees in a separate database?

How can I delegate management of extranet users to trusted individuals and still maintain proper security control?

How can extranet users perform their own password changes?

How can I define and gather custom user profile data from my extranet site's users?

How can I automate user site requests and site creation?

Page 5


What is the purpose of FBA?

• Forms authentication uses an authentication ticket created when a user logs on to a site
• Validated against a user store, such as a SQL Server database
• User is redirected to a configured logon page
• Once authenticated, the user is redirected to the originally requested page
• Ticket is usually contained inside a cookie
• Cookie tracks the user throughout the site
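The ticket flow described on this slide, written out as a stand-alone Python sketch. This is an added example, not code from the deck or from ASP.NET/SharePoint itself: the user store is a constructed in-memory dict standing in for the SQL Server membership database, the signing key, user names and passwords are made up, and the cookie name .ASPXAUTH and the /_layouts/login.aspx path are ASP.NET and SharePoint 2007 defaults used here only as labels. It shows what the ticket has to protect: the user name and expiry are signed so the cookie cannot be edited, expiry is enforced on the server, comparisons are constant-time, and the ReturnUrl is restricted to a relative path before the post-login redirect.

```python
"""Minimal forms-based authentication (FBA) flow: logon page, ticket, cookie.

All names and values here are hypothetical; the store is a constructed stand-in
for the SQL Server user database the slide refers to.
"""
import hashlib
import hmac
import os
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed signing key. In a real farm every web front end shares the same
# key (the ASP.NET machineKey); a per-server key would reject other servers' tickets.
SIGNING_KEY = b"example-signing-key-not-for-production"
TICKET_LIFETIME_SECONDS = 30 * 60
LOGIN_PAGE = "/_layouts/login.aspx"   # SharePoint 2007 FBA logon page (default path)
COOKIE_NAME = ".ASPXAUTH"              # ASP.NET forms-auth cookie (default name)


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(users: dict) -> dict:
    """Constructed stand-in for the SQL user store: name -> (salt, hash)."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(password, salt))
    return store


def validate_credentials(store: dict, username: str, password: str) -> bool:
    """'Validated against a user store': constant-time hash comparison."""
    entry = store.get(username)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)


def create_ticket(username: str, now: Optional[float] = None) -> str:
    """Ticket = 'user|expiry|tag', tag = HMAC-SHA256 over 'user|expiry'."""
    now = time.time() if now is None else now
    expiry = int(now + TICKET_LIFETIME_SECONDS)
    payload = f"{username}|{expiry}"
    tag = hmac.new(SIGNING_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}|{tag}"


def validate_ticket(ticket: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the ticket is intact and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        username, expiry_s, tag = ticket.split("|")
        expiry = int(expiry_s)
    except ValueError:          # malformed or missing cookie
        return None
    expected = hmac.new(SIGNING_KEY, f"{username}|{expiry_s}".encode(),
                        "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):   # tampered payload
        return None
    if now >= expiry:                            # lifetime enforced server-side
        return None
    return username


def handle_request(path: str, cookies: dict, now: Optional[float] = None) -> dict:
    """Protected page: no valid ticket -> redirect to logon page with ReturnUrl."""
    user = validate_ticket(cookies.get(COOKIE_NAME, ""), now)
    if user is None:
        return {"status": 302,
                "location": f"{LOGIN_PAGE}?{urlencode({'ReturnUrl': path})}"}
    return {"status": 200, "user": user}


def handle_login(store: dict, username: str, password: str,
                 return_url: str, now: Optional[float] = None) -> dict:
    """Logon page: check credentials, issue cookie, redirect to original page."""
    if not validate_credentials(store, username, password):
        return {"status": 401}
    # Only a site-relative ReturnUrl is honoured, so the logon page cannot be
    # used to bounce users to another host.
    if not return_url.startswith("/") or return_url.startswith("//"):
        return_url = "/"
    return {"status": 302, "location": return_url,
            "set_cookie": {COOKIE_NAME: create_ticket(username, now),
                           "Secure": True, "HttpOnly": True}}


if __name__ == "__main__":
    store = make_user_store({"partner.user": "correct horse battery"})
    first = handle_request("/sites/partner/default.aspx", {})
    login = handle_login(store, "partner.user", "correct horse battery",
                         "/sites/partner/default.aspx")
    second = handle_request("/sites/partner/default.aspx",
                            {COOKIE_NAME: login["set_cookie"][COOKIE_NAME]})
    print(first, login["location"], second, sep="\n")
```

The two things the slide leaves implicit and that matter on an extranet are visible in the code: the ticket's integrity rests entirely on the signing key, so it must be identical on every web front end and kept out of source control, and the cookie must carry Secure and HttpOnly since it is the only thing tracking the user after logon (which is also why the scenarios later in the deck put the extranet on HTTPS only).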

Page 6


For what scenarios is FBA useful?

• Storing users in Active Directory is not desirable
• Storing users in Active Directory is not feasible
• Need customized or proprietary logon page

Page 7


What are the issues and limitations with the out-of-the-box features?

• User self-service features including ‘reset my password’ and profile management
• Granular governance of site creation process
• Invitations with definable meta fields
• User self-registration
• Management interface to user store
• Profile field mismatches

Page 8


Simple Extranet Scenario

Page 9


Scenario

• Active Directory in the DMZ
  – No Trusts
• Single Server or small farm
  – All servers in the DMZ
• All Services in the DMZ
  – Mail
  – IM
• Basic Authentication over HTTPS
• Digest Authentication (Not Supported)

Page 10


Scenario

• All Users must logon
• Management via Remote Desktop
• All content stored in portal
• Ports
  – TCP 3389 open to intranet for RDP
  – TCP 80 open to intranet for HTTP
  – TCP 443 open to extranet for HTTPS

Page 11


MEDIUM EXTRANET SCENARIO

Page 12


HIGH COMPLEXITY SCENARIO

Page 13


User Challenges

• Authentication
  – Users don’t like being asked for identity
  – Use SSO to access other resources
• URLs
  – Store content on the portal
  – Put content links on the portal

Page 14


Technical Challenges

• Authentication
• SSL
• Account Creation and Maintenance
• Site Creation Process

Page 15


Common Challenges

• Where should I locate my servers?
• How is my firewall affected?
• What other solutions should be considered?
• Authentication Security
• High Availability
• How does this affect my SharePoint architecture?
• Do I really need another SharePoint Farm?

Page 16


Authentication

• Basic over https
• Integrated
  – NTLM
  – Kerberos
• Digest
  – Single web server or web farm with affinity
  – Not Supported
• Custom
  – ISAPI Filter with persistent cookie
  – Not Supported

Page 17


Custom Authentication

• Must create a valid Windows Principal
• Must attach context to thread before entering .Net pipeline
  – Ows.dll is an ISAPI extension
  – ISAPI extensions cannot be chained
• Build an ISAPI filter
  – Create and manage Windows Principal
  – Embed basic authentication headers in request

Page 18


Extranet Governance

• Service Level Agreements
• End User training
• Information lifecycle controls
• Communicating with external users
• Acceptable Use Policies

Page 19


Questions and Discussion