Deploying a SharePoint Extranet. By Alan Marshall. Twitter: pomealan. LinkedIn: http://nz.linkedin.com/pub/alan-marshall/3/980/267. Acknowledgements: Chandan Banerjee and Wayne Ewington (Microsoft)

Deploying an Extranet on SharePoint


DESCRIPTION

Planning on deploying an extranet on SharePoint? Before you open up your internal site to your partners, consider the security, confidentiality, authentication and licensing implications.


  • 1. Deploying a SharePoint Extranet (title slide: author and acknowledgements as above)
  • 2. Session Agenda
    - Extranet Definition
    - Implementation Scenarios
    - Design Considerations and Challenges
    - Deployment Topologies
    - Which SharePoint Version and Licences
    - Hints and Tips
    - Wrap Up
  • 3. What is an Extranet
    ex-tra-net [ek-struh-net], noun
    - An intranet that is partially accessible to authorized persons outside of a company or organisation.
    - A network (as of a company) similar to an intranet that also allows access by certain others (such as customers or suppliers).
  • 4. Implementation Scenarios
    - Remote Access: employees working remotely; teleworkers
    - Share secure information: provide reports to suppliers; display order tracking
    - Collaborate with Partners: design a solution; request support
    - Personalised Customer Portal: view loyalty card; transactions; reward schemes; student portal; specialised content
  • 5. Design Considerations and Challenges
    - Authentication: single sign-on; managing accounts
    - Security: sensitivity of data; protect against resources being compromised; how much do you trust external users?
    - SharePoint Platform: platform deployment requirements; features required; which version of SharePoint (Foundation, Server, Enterprise); integration
    - Licence costs
    - Network infrastructure
  • 6. Implementation Options
    - Option 1: provide access to the internal SharePoint server (remote employees, partners)
    - Option 2: publish content to an external environment, read only (share secure information; remote employees, partners)
    - Option 3: provide an extranet farm, dual authenticated (share secure information; partners, customer portal)
    - Option 4: host in the cloud (partners, customer portal)
  • 7. Option 1: Perimeter Proxy
    [Diagram: Internet (remote employees on an unknown user device; virus scanner, private browsing) -> HTTPS -> perimeter firewall -> TMG server in the DMZ -> HTTP -> LAN firewall -> SharePoint farm and internal AD on the internal network]
    - Threat Management Gateway (TMG) acts as a reverse proxy, translating the external encrypted traffic to HTTP for the internal SharePoint server.
    - Firewall ports required: 443 on the perimeter firewall externally, 80 on the internal LAN firewall.
    - Authentication occurs on the SharePoint web front ends against the internal AD, so unauthenticated traffic passes through the DMZ to the internal farm.
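    The HTTPS-to-HTTP bridge in Option 1 only behaves if SharePoint knows the public HTTPS name that TMG terminates; otherwise links and redirects are rendered with the internal HTTP URL, and a zone left open to anonymous access lets the unauthenticated traffic described above straight into the farm. The SharePoint 2010 Management Shell script below is an added example, not part of the deck: the web application URL http://sp-intranet, the public name extranet.example.co.nz and the zone name are assumptions.

```powershell
# Added example (not from the deck): alternate access mappings for the TMG HTTPS-to-HTTP
# bridge in Option 1. Assumed names: internal web application http://sp-intranet,
# public host name extranet.example.co.nz.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp    = Get-SPWebApplication "http://sp-intranet"
$publicUrl = "https://extranet.example.co.nz"   # what remote employees type; TLS terminates on TMG
$bridgeUrl = "http://extranet.example.co.nz"    # what TMG forwards to the WFE on port 80

# Extend the web application into the Extranet zone: IIS listens on HTTP/80 for the bridged
# traffic while the public URL is the HTTPS name. Default auth is NTLM, i.e. the WFE
# authenticates against the internal AD, as the slide describes.
New-SPWebApplicationExtension -Identity $webApp -Name "SharePoint - Extranet" -Zone Extranet `
    -Url $publicUrl -Port 80 -HostHeader "extranet.example.co.nz"
$webApp = Get-SPWebApplication "http://sp-intranet"   # refresh after the extension

# Make sure the HTTP form of the name is an internal URL of the same zone, so a request
# arriving as http://extranet... is answered with https://extranet... links.
$incoming = Get-SPAlternateURL -WebApplication $webApp -Zone Extranet |
    Select-Object -ExpandProperty IncomingUrl
if ($incoming -notcontains $bridgeUrl) {
    New-SPAlternateURL -Url $bridgeUrl -Zone Extranet -WebApplication $webApp -Internal
}

# Check 1: the mappings for the zone (expect the HTTP name as IncomingUrl, HTTPS as PublicUrl)
Get-SPAlternateURL -WebApplication $webApp -Zone Extranet |
    Format-Table IncomingUrl, UrlZone, PublicUrl -AutoSize

# Check 2: the zone facing TMG must not allow anonymous access. In Option 1 nothing in the
# DMZ authenticates, so anonymous on this zone means unauthenticated users reach the farm.
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet
if ($webApp.IisSettings[$zone].AllowAnonymous) {
    Write-Warning "Extranet zone allows anonymous access; unauthenticated users reach the internal farm"
}
```

    The TMG web publishing rule must forward the original host header (so the WFE sees extranet.example.co.nz on port 80) for the internal URL above to match; the listener on 443 and the forward on 80 are exactly the two firewall openings the slide lists.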
  • 8. What's TMG
    - Threat Management Gateway, formerly ISA Server
    - Forefront TMG server features: URL filtering, anti-malware inspection, intrusion prevention, application- and network-layer firewall, HTTP/HTTPS inspection, in a single solution
    - Reverse proxy for HTTP and HTTPS
    - Authentication, including two-phase authentication
  • 9. Option 1a: Perimeter Proxy with RODC
    [Diagram: remote employees (unknown user device; virus scanner, private browsing) -> HTTPS -> perimeter firewall -> TMG server and RODC server in the DMZ -> HTTP -> LAN firewall -> SharePoint farm and Active Directory on the internal network; secure account replication from the internal AD to the RODC]
    - TMG performs authentication and acts as a reverse proxy, translating the external encrypted traffic to HTTP for the internal SharePoint server.
    - Firewall ports required: 443 externally, 80 on the internal LAN firewall, plus the ports for IPsec (the replication channel).
    - Authentication occurs on the TMG server against the Read Only Domain Controller (RODC) in the DMZ.
    - Accounts replicated to the DMZ: a subset of attributes, admin accounts excluded, no updates permitted (Windows Server 2008 feature).
  • 10. What's an RODC
    - Read Only Domain Controller, Windows Server 2008
    - Removes the need for a trust between domains
    - Limits replication of accounts and attributes
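    The "admin accounts excluded" property of Option 1a is enforced by the RODC's Password Replication Policy, which decides whose secrets the DMZ controller may cache (writes are always referred to a writable DC, which is the "no updates permitted" part); the "subset of attributes" is the schema-wide filtered attribute set, which slide 19 notes is not per RODC. The script below, an added example rather than part of the deck, configures and audits that policy with the Active Directory module (Windows Server 2008 R2 RSAT); the RODC name DMZ-RODC01 and the group names are assumptions.

```powershell
# Added example (not from the deck): Password Replication Policy for the DMZ RODC in Option 1a.
# Assumed names: RODC DMZ-RODC01, extranet user group "Extranet Users",
# SharePoint administrators group "SharePoint Farm Admins".
Import-Module ActiveDirectory

$rodc = "DMZ-RODC01"

# Only the extranet users may have their passwords cached on the DMZ controller
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList "Extranet Users"

# Explicitly deny privileged and farm accounts. The default "Denied RODC Password Replication
# Group" already covers the built-in admin groups; the farm admins are the site-specific addition.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -DeniedList "Domain Admins", "Enterprise Admins", "Schema Admins", "SharePoint Farm Admins"

# Review the resulting policy
"Allowed:"; Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object -ExpandProperty Name
"Denied:";  Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object -ExpandProperty Name

# Audit: which accounts have actually had secrets revealed to the RODC, and do any of them
# belong to a privileged group? A hit means a DMZ compromise would expose that credential.
$privileged = "Domain Admins", "Enterprise Admins", "Schema Admins", "SharePoint Farm Admins" |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty DistinguishedName -Unique

$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$leaked   = $revealed | Where-Object { $privileged -contains $_.DistinguishedName }

if ($leaked) {
    $names = ($leaked | ForEach-Object { $_.Name }) -join ", "
    Write-Warning ("Privileged secrets cached on {0}: {1}" -f $rodc, $names)
} else {
    "No privileged account secrets cached on $rodc"
}
```

    Run the audit part periodically: the policy only controls future caching, and an account that was allowed before a group change keeps its cached secret until it is reset or the account is removed from the revealed list.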
  • 11. Option 1b: Perimeter Proxy with RODC and UAG
    [Diagram: as Option 1a, with a UAG server in the DMZ in place of TMG]
    - Unified Access Gateway (UAG) replaces TMG: it performs authentication and user privilege throttling, and acts as a reverse proxy translating the external encrypted traffic to HTTP for the internal SharePoint server.
    - Firewall ports required: 443 externally, 80 on the internal LAN firewall, plus the ports for IPsec.
    - Authentication occurs on the UAG server against the Read Only Domain Controller (RODC).
    - Accounts replicated to the DMZ: a subset of attributes, admin accounts excluded, no updates permitted.
  • 12. UAG
    - Unified Access Gateway, a spin-off of ISA Server
    - Remote access to SharePoint and/or Exchange
    - Granular application filtering capabilities
    - Deep endpoint health detection
    - Wizard-driven configuration
    - Comprehensive remote access (SSL VPN)
    - DirectAccess
  • 13. Option 2: Publish Content
    [Diagram: external people -> HTTPS -> perimeter firewall -> TMG server -> HTTPS -> SharePoint server(s), SQL Server and DMZ AD in the DMZ; content deployment over HTTPS from the internal SharePoint farm through the LAN firewall; internal Active Directory on the internal network]
    - Threat Management Gateway (TMG) provides authentication and reverse proxy.
    - All or part of the intranet is content deployed to the DMZ server.
    - Firewall ports required: the DMZ farm's central administration port outbound (for content deployment) and 443 externally.
    - Integration options: limited integration with back-end systems.
    - New SharePoint farm in the DMZ: same version as internal, separate domain and SQL.
    - Separate domain: no single sign-on for internal users.
  • 14. Option 3: Extranet Farm, dual authenticated
    [Diagram: external people -> HTTPS -> perimeter firewall -> UAG server -> HTTPS -> SharePoint server(s) and extranet AD in the DMZ; data layer (SQL Server) in a further network layer; internal users -> HTTP -> LAN firewall -> the same DMZ farm; internal Active Directory replicates accounts to the DMZ over IPsec]
    - Unified Access Gateway (UAG) performs authentication. Note that TMG does not support forms hand-off.
    - Firewall ports required for IPsec AD replication.
    - All content accessed by internal and external users is hosted in the DMZ.
    - The data layer (SQL) is separated into another network layer.
    - Separate SharePoint farm: no content sharing with the internal farm (use workflow or a third party tool).
    - External users authenticate via LDAP against the extranet AD or AD LDS; internal users authenticate against the accounts replicated from the internal AD.
    - SharePoint 2010 configured for claims authentication.
    - Authentication for SQL: IA not supported.
    - Consideration to usability.
  • 15. Option 3a: Extranet Farm, dual authenticated with ADFS
    [Diagram: external people (Corp A, the partner's AD and ADFS 2.0 server) and internal users -> HTTPS -> UAG server; SharePoint server(s), SQL Server, DMZ AD and an ADFS 2.0 proxy server in the DMZ; ADFS 2.0 server and Active Directory on the internal network; authentication hand-off from the ADFS proxy to the internal or partner ADFS 2.0 server]
    - Unified Access Gateway (UAG) handles all access and authentication.
    - Firewall ports required for IPsec AD replication and ADFS (port 443).
    - All content accessed by internal and external users is hosted in the DMZ.
    - The data layer (SQL) is separated into another network layer.
    - All user authentication: the ADFS server hands off authentication to the internal AD or to the partner's AD.
    - SharePoint service accounts are replicated to the DMZ AD.
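    Options 3 and 3a both rest on the SharePoint 2010 claims configuration mentioned on slide 14: one web application in the DMZ farm that takes internal Windows accounts and external users from a second source, LDAP/forms in Option 3 or an ADFS 2.0 trust in Option 3a. The script below is an added example, not from the deck, written for the SharePoint 2010 Management Shell. The URLs, managed account, provider names, realm and certificate path are assumptions, and the LDAP membership and role providers it names must already be registered under those names in the web.config of the web application, Central Administration and the security token service.

```powershell
# Added example (not from the deck): claims web application for the extranet farm (Option 3)
# and the ADFS 2.0 trust added for Option 3a. Names, URLs, realm and certificate path are assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Option 3: Windows (internal users) plus forms/LDAP (external users) on one claims web app.
# Passing -AuthenticationProvider makes New-SPWebApplication create a claims-mode application.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$ldapFba = New-SPAuthenticationProvider -ASPNETMembershipProvider "ExtranetLdapMembers" `
                                        -ASPNETRoleProviderName "ExtranetLdapRoles"

$pool = Get-SPManagedAccount "DMZ\sp_extranet"
$extranetApp = New-SPWebApplication -Name "SharePoint - Extranet" `
    -Url "https://extranet.example.co.nz" -Port 443 -SecureSocketsLayer `
    -HostHeader "extranet.example.co.nz" `
    -ApplicationPool "ExtranetAppPool" -ApplicationPoolAccount $pool `
    -AuthenticationProvider $windows, $ldapFba

# --- Option 3a: trust the ADFS 2.0 server (reached through its DMZ proxy) as the identity provider.
# The token-signing certificate is exported from ADFS; SharePoint validates the SAML tokens with it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-token-signing.cer")
New-SPTrustedRootAuthority -Name "ADFS 2.0 token signing" -Certificate $cert

$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$adfs = New-SPTrustedIdentityTokenIssuer -Name "ADFS 2.0" `
    -Description "Internal and partner users via ADFS 2.0" `
    -Realm "urn:sharepoint:extranet" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://adfs.example.co.nz/adfs/ls" `
    -IdentifierClaim $emailMap.InputClaimType

# Slide 15 has all user authentication handed off to ADFS, so the zone gets the SAML provider
# alone; add $windows back to the list if farm administrators still need Windows sign-in.
$saml = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $adfs
Set-SPWebApplication -Identity $extranetApp -Zone Default -AuthenticationProvider $saml

# Check: claims mode is on and the expected provider is attached to the zone
$check = Get-SPWebApplication "https://extranet.example.co.nz"
"Claims authentication: " + $check.UseClaimsAuthentication
Get-SPAuthenticationProvider -WebApplication $check -Zone Default | Select-Object DisplayName
```

    On the ADFS side a relying party trust with the identifier urn:sharepoint:extranet and the WS-Federation endpoint https://extranet.example.co.nz/_trust/ has to exist, issuing at least the e-mail and role claims mapped above; the partner's ADFS is added to that server as a claims provider trust, which is the "hand-off to partner AD" on the slide.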
  • 16. Option 4: Use the Cloud
    [Diagram: remote employees -> HTTPS -> SharePoint cloud service; internal users -> perimeter firewall -> cloud service; secure account replication from the internal AD]
    - All content stored in the SharePoint cloud service.
    - Internal users authenticated against a replicated AD.
    - External users use Windows Live ID.
    - Content sharing: use workflow or a third party tool; content deployment is not supported.
  • 17. Which SharePoint Version
    | SharePoint version | Applicable to | Deployment option | Licences |
    | SharePoint Foundation (or Search Server Express) | Collaboration solutions | Options 3 and 4 | Windows External Connector; SQL CPU |
    | SharePoint Server 2010 Std | Portals with WCM, profiles, intranet publishing | Options 3 and 4; Option 1 for read only | SharePoint Std CAL; SQL CPU or CAL |
    | SharePoint Server 2010 Ent | Same as Std plus form services, BI and FAST | Option 3 | SharePoint Std + Ent CAL; SQL CPU or CAL |
    | SharePoint Server 2010 FIS | Anonymous or unknown user base | Options 3 and 4 | SharePoint FIS; SQL CPU |
  • 18. Component Parts
    - DMZ: Unified Access Gateway; Threat Management Gateway
    - SharePoint Foundation; SharePoint Server Standard or Enterprise
    - Active Directory; Active Directory Lightweight Directory Services; Active Directory Federation Services
    - SQL Server
    - IPsec
  • 19. Hints and Tips
    - When using an RODC, the SharePoint member server requires direct access to a writable DC (RWDC) to:
      - find a user who does not yet exist in a SharePoint site using the people picker
      - create a new farm by creating a new configuration database
      - run the PSConfig wizard to maintain or upgrade SharePoint
      - create site collections
    - AD attribute filtering is not per RODC, so it affects the whole network, including branches that have an RODC.
    - The profile service does not support LDAP import (see Option 3).
  • 20. Wrap Up
    - Decide what functionality you require
    - Pick the appropriate version of SharePoint
    - Understand the limitations
    - Design the deployment for the appropriate option
    - Consider the security of the components
    - Test environments in the same configuration: usually an issue