planning and configuring extranets in sharepoint 2010 by geoff varosky - sptechcon
Post on 08-Jun-2015
Planning and Configuring Extranets in SharePoint 2010
Geoff Varosky
March 4, 2013
ABOUT ME
geoff@varosky.com | @gvaro | www.sharepointyankee.com | www.jornata.com | @JornataLLC
Geoff Varosky, Jornata
Managing Consultant, Senior Architect, Senior Developer, Director of Evangelism
President & Co-Founder, Boston Area SharePoint Users Group; Co-Organizer, SharePoint Saturday Boston
Recent Awards: Top 25 2012 Harmon.ie Online Community Influencer; Top 50 2012 KnowledgeLake Community Influencer
Blog – www.SharePointYankee.com | Email – geoff@varosky.com | Twitter – @gvaro
AGENDA
gvarosky@jornata.com | @gvaro | www.sharepointyankee.com | www.jornata.com | @JornataLLC
Thinking
- What is an Extranet?
- Design: Topology, Authentication Mechanism, User Identity Storage Location
- Evaluating Your Requirements
- SharePoint 2010 Considerations
Doing
- Configuration
- User and Role Management
WHAT IS AN EXTRANET?
Controlled access from external networks.
DESIGN CONSIDERATIONS
- Topology
- Authentication Methods
- User Identity Storage Location
TOPOLOGY

VERY SIMPLE EXTRANET

EDGE FIREWALL
(Diagram: External Users on the Internets, a/k/a where you access Facebook from every morning, reach the Server Farm through a single Firewall/UAG; the Perimeter network and Corporate network are labeled.)
BACK TO BACK PERIMETER
(Diagram: Internets -> Firewall/UAG -> Perimeter network holding Layer 1: Web Servers and Layer 2: APP & SQL Servers, separated by Router A and Router B -> Firewall/UAG -> Corporate network holding Layer 3: DNS, Active Directory, LOB Systems.)
BACK-TO-BACK PERIMETER WITH CROSS-FARM SERVICES
(Diagram: External Users on the Internets -> Firewall/UAG -> Consuming Farm in the Perimeter network -> Firewall/UAG -> Services Farm in the Corporate network.)
SPLIT BACK-TO-BACK
(Diagram: External Users on the Internets -> Firewall/UAG -> Perimeter network: Web Servers, Application Servers, DNS, Active Directory -> Firewall/UAG -> Corporate network: SQL Servers, Application Servers, DNS, Active Directory.)
AUTHENTICATION

AUTHENTICATION METHODS
- Windows: NTLM, Kerberos, Basic
- Forms Based Authentication (FBA)* (*claims-based authentication must be enabled on the web application for FBA)
- Claims Based Authentication: SAML tokens
USER IDENTITY STORAGE
- Active Directory
- LDAP
- SQL Server
- Other (Facebooks, Twitters)
YOUR REQUIREMENTS
What do you really need?
- Who needs access?
- How sensitive is the data?
- How sensitive is the network?
- Budget?**
YOUR REQUIREMENTS: Who needs access?
- Internal employees only: Active Directory
- Internal employees and external users: Active Directory; an additional domain with restricted access; Active Directory & Forms Based Authentication; Claims Authentication
- External only (rare)
- Clients, partners, consultants: Active Directory or LDAP or SQL? Forms Based Authentication or Windows auth? Separate or together?
- Hosting
- Mobile Clients
YOUR REQUIREMENTS: How sensitive is the data & internal network?
Network & SharePoint: Separate site? Separate site collection? Separate web application? Multiple farms with cross-farm services & publishing? Separate farm? DMZ?
YOUR REQUIREMENTS: How sensitive is the data & internal network?
Security
- Secure Certificates (SSL)
- Encryption
- Firewall: both hardware and software? Content Filtering, ACLs
- Virtual Private Network
- Anti-Virus and Anti-Malware
- Client-based certificates
- One-time passwords (RSA tokens)
- Phone verification
- Biometrics: retina, fingerprint, facial structure, hair and blood samples
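The Security slide lists SSL among the controls, and the resource list at the end of the deck points at disabling SSL 2.0 and PCT 1.0 in IIS 7. The PowerShell below is an added example written for this page, not part of the deck: it forces SSL on the extranet IIS site and disables the legacy protocols and export-grade ciphers at the SCHANNEL level. The IIS site name "SharePoint - extranet" is an assumption; run it elevated on every web front end, and reboot before expecting the SCHANNEL changes to take effect.

```powershell
# Added example, not from the deck. Run elevated on each SharePoint 2010 web front end
# (Windows Server 2008 R2 / IIS 7.5). Assumed IIS site name: "SharePoint - extranet".
Import-Module WebAdministration

# 1. Require SSL on the extranet site so FBA credentials and session cookies never
#    travel in the clear. Plain-http requests now get HTTP 403.4 instead of a login page.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\SharePoint - extranet" `
    -Filter "system.webServer/security/access" -Name "sslFlags" -Value "Ssl"

# 2. Disable the legacy protocols the resource list calls out (SSL 2.0, PCT 1.0), plus
#    SSL 3.0, host-wide in SCHANNEL. The .NET registry API is used because several
#    SCHANNEL key names contain "/", which the PowerShell registry provider would
#    treat as a path separator and split into nested keys.
$schannel = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
$hklm = [Microsoft.Win32.Registry]::LocalMachine

foreach ($proto in "PCT 1.0", "SSL 2.0", "SSL 3.0") {
    $key = $hklm.CreateSubKey("$schannel\Protocols\$proto\Server")
    $key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.SetValue("DisabledByDefault", 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# 3. Turn off NULL, DES and export-grade (40/56-bit) ciphers.
foreach ($cipher in "NULL", "DES 56/56", "RC2 40/128", "RC2 56/128", "RC4 40/128", "RC4 56/128") {
    $key = $hklm.CreateSubKey("$schannel\Ciphers\$cipher")
    $key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# 4. Show what is now explicitly disabled. A reboot is required before SCHANNEL honours it,
#    so verify afterwards from the outside as well (a TLS scanner or openssl s_client).
foreach ($proto in "PCT 1.0", "SSL 2.0", "SSL 3.0") {
    $key = $hklm.OpenSubKey("$schannel\Protocols\$proto\Server")
    "{0,-8} Enabled={1} DisabledByDefault={2}" -f $proto, $key.GetValue("Enabled"), $key.GetValue("DisabledByDefault")
    $key.Close()
}
```

Requiring SSL at the IIS level complements, but does not replace, creating the web application with -SecureSocketsLayer and an https public URL in Alternate Access Mappings; without the IIS setting a client that types http:// would still be served a login form over clear text.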
YOUR REQUIREMENTS: Budget**

YOUR REQUIREMENTS: REMEMBER THIS…
You are giving a key to access your company's data in some form or another.
SHAREPOINT 2010
Supported versions: all, Foundation up through Enterprise.
Office 365 can be used as an extranet (since that is basically what it is!).
SUPER HAPPY DEMO TIME!!
Assumptions: any topology; multi-mode (Windows & FBA authentication); SQL user database.
1. Create ASP.NET Membership Database
2. Configure SharePoint
3. Configure IIS
4. Create and Manage Users
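The four demo steps as one script. This is an added example written for this page, not the deck's own demo and not the FBA Pack; run it in the SharePoint 2010 Management Shell as a farm administrator. Every name in it is an assumption: SQL server SQL01, membership database FBA_Users, provider names FBAMembership and FBARoles, web application https://extranet.contoso.com, managed account CONTOSO\sp_extranet, and a forms user alice.partner that already exists in the membership database (created with the user-management tooling the following slides cover).

```powershell
# Added example, not the deck's demo. Run in the SharePoint 2010 Management Shell as a farm admin.
# Assumed: SQL server SQL01, membership DB FBA_Users, providers FBAMembership/FBARoles,
# web app https://extranet.contoso.com, managed account CONTOSO\sp_extranet.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Create the ASP.NET membership and role schema. -A mr = membership + roles only;
#    -E = Windows authentication to SQL, so no SQL password lands in the command line or history.
& "$env:windir\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe" -S SQL01 -E -d FBA_Users -A mr
# Least privilege in SQL (done in SSMS as sysadmin, not shown here): grant the web app pool
# account and the SecurityTokenServiceApplicationPool account aspnet_Membership_BasicAccess and
# aspnet_Roles_BasicAccess only; the separate user-management web app is the one that needs
# aspnet_Membership_FullAccess / aspnet_Roles_FullAccess.

# 2. Configure SharePoint: a CLAIMS web application that accepts both Windows (NTLM) and FBA
#    identities. FBA is only available on claims web applications in SharePoint 2010.
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider "FBAMembership" `
                                    -ASPNETRoleProviderName "FBARoles"
$wa = New-SPWebApplication -Name "SharePoint - extranet" `
        -Url "https://extranet.contoso.com" -Port 443 -SecureSocketsLayer `
        -ApplicationPool "ExtranetAppPool" `
        -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\sp_extranet") `
        -DatabaseName "WSS_Content_Extranet" `
        -AuthenticationProvider $win, $fba

# 3. Configure IIS: register the SQL providers in THREE web.config files: the new web
#    application, Central Administration (so People Picker can resolve FBA users) and
#    SecurityTokenServiceApplication (which actually validates the FBA logon). Merge this
#    fragment into the existing <providers> elements. In the web app's web.config leave
#    defaultProvider="i" / "c" alone: those are SharePoint's claims providers, and swapping
#    them for the SQL providers is the "BAD" path the Managing Users slide warns about.
$providerXml = @"
<connectionStrings>
  <add name="FBAConnection" connectionString="Server=SQL01;Database=FBA_Users;Integrated Security=True" />
</connectionStrings>
<membership>
  <providers>
    <add name="FBAMembership"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="FBAConnection" applicationName="/"
         passwordFormat="Hashed" enablePasswordRetrieval="false"
         minRequiredPasswordLength="12" minRequiredNonalphanumericCharacters="1"
         maxInvalidPasswordAttempts="5" passwordAttemptWindow="15"
         requiresUniqueEmail="true" requiresQuestionAndAnswer="false" />
  </providers>
</membership>
<roleManager enabled="true">
  <providers>
    <add name="FBARoles"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="FBAConnection" applicationName="/" />
  </providers>
</roleManager>
"@
$providerXml | Set-Content -Path "$env:TEMP\fba-providers.xml"   # saved copy to merge from

# 4. Create and manage users: the account itself is created in FBA_Users with the separate
#    user-management web application or the FBA Pack (next slides). Here an existing
#    membership user is mapped into SharePoint with read-only rights. For -IdentityType
#    FormsUser the identity takes the form "MembershipProviderName:UserName".
$web   = Get-SPWeb "https://extranet.contoso.com"
$claim = New-SPClaimsPrincipal -Identity "FBAMembership:alice.partner" -IdentityType FormsUser
$claim.ToEncodedString()           # i:0#.f|fbamembership|alice.partner
New-SPUser -UserAlias $claim.ToEncodedString() -Web $web `
           -Email "alice@partner.example" -PermissionLevel "Read"
$web.Dispose()
```

The encoded claim string shows why the provider name in web.config must match the one passed to New-SPAuthenticationProvider exactly: the membership provider name becomes part of every FBA user's identity, and renaming the provider later orphans every permission already granted.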
MANAGING USERS
IIS
- Using your SharePoint site = BAD. You must first change the default role manager, and then the membership provider, from the claims providers to your SQL providers each time, and change them back when done. No one can log into SharePoint during this time, and each change recycles the application pool.
- Instead, create a separate IIS virtual web application pointed at the same membership database and manage users from there.
BCS
- Great way to search for and manage users (passwords, email, etc.).
- No way to create users without additional logic.
MANAGING USERS
- CodePlex (www.codeplex.com): SharePoint 2010 FBA Pack, http://sharepoint2010fba.codeplex.com
- Third Party Solutions
REMEMBER THIS.
- Test your configuration
- Review security regularly
- Be wary of cats
RESOURCES
My Blog Series
- Part 1: http://go.gvaro.net/ExtranetsP1
- Part 2: http://go.gvaro.net/ExtranetsP2
- Part 3: http://go.gvaro.net/ExtranetsP3
- Phone Factor – Phone Verification: http://www.phonefactor.com
- Plan Security Hardening (TechNet): http://go.gvaro.net/uSyY1Z
- SharePoint 2007 & 2010 Farm Ports (Firewall Config): http://go.gvaro.net/uWQZzU
- Disabling SSL v2.0, PCT 1.0 + more in IIS7: http://go.gvaro.net/N5GgEa
- SharePoint Ports, Proxies, and Protocols (Firewall Config): http://go.gvaro.net/tblxCn
- Harden SQL Server for SharePoint: http://go.gvaro.net/viVQuN
- Visual FBA configuration by Donal Conlon: http://go.gvaro.net/oPnAYx
- Extranet tested topologies for SP 2010 Model: http://go.gvaro.net/SP2010ExtTopMod
- ASP.NET 2.0 Membership Database Reference (Create, Add Users, etc.): http://go.gvaro.net/AN2Mbr
FBA Configuration in SharePoint 2010
- LDAP: http://go.gvaro.net/FBALDAP
- ASP.NET Membership DB: http://go.gvaro.net/FBAANMDB
- PeoplePicker Wildcard Search: http://go.gvaro.net/FBAWildCard
- Helpful Resources for Troubleshooting Membership Providers: http://go.gvaro.net/TSMemProv
- "Sign me in automatically" in FBA: http://go.gvaro.net/pAkDQP
- Configuring SSL in a Development Environment: http://go.gvaro.net/uOTTlJ
QUESTIONS?

BOSTON AREA SHAREPOINT UG
Meets 2nd Wednesday/month, 6-8PM, Microsoft N.E.R.D. (Cambridge)
BostonSharePointUG.org | Twitter: @BASPUG / #BASPUG
SPTechCon Hosted Meeting in August!