Forefront UAG

SHAREPOINT AND FOREFRONT UNIFIED ACCESS GATEWAY
James Tramel, Solutions Architect, Planet Technologies

Description

Pairing Forefront 2010 Unified Access Gateway with SharePoint 2010 takes considerable planning, and the considerations depend on your topology. Here are a few things to note about it, and at least one way to do it. Specifically, we’ll look at some of the gotchas of putting the two products together in a basic remote/direct access, single sign-on methodology.

Transcript of Forefront UAG

Page 1: Forefront UAG

SHAREPOINT AND FOREFRONT UNIFIED ACCESS GATEWAY

James Tramel
Solutions Architect
Planet Technologies

Page 2: Forefront UAG

• In other lives:
– Network Engineer
– Network Admin
– WAN admin
– Cloud admin

• Now
– SharePoint experience and certification (custom and oob / data and architect)
– Forefront IM and UAG

ABOUT ME

Page 3: Forefront UAG

• As a portal
• As an intranet
• As an extranet

SHAREPOINT

Page 4: Forefront UAG

• How is your farm built?
• Where does it reside?
• Who accesses it and how?
• What does it look like in your network?
• What does your network topology look like?

SHAREPOINT AND NETWORK INFRASTRUCTURE

Page 5: Forefront UAG

• Network topology is the layout pattern of interconnections of the various elements (links, nodes, etc.) of a computer network

• Physical topology refers to the physical design of a network including the devices, location and cable installation.

• Logical topology refers to how data is actually transferred in a network as opposed to its physical design

WHAT IS NETWORK TOPOLOGY

Page 6: Forefront UAG

• What is a LAN?

INSIDE / OUTSIDE

Page 7: Forefront UAG

• A local area network (LAN) is a computer network that connects computers and devices in a limited geographical area such as a home, school, computer laboratory or office building. The defining characteristics of LANs include their usually high data-transfer rates, smaller geographic area, and lack of a need for leased telecommunication lines

LAN

Page 8: Forefront UAG

LAN: LOCAL AREA NETWORK - BASIC

Page 9: Forefront UAG

LAN: TYPICAL

Page 10: Forefront UAG

• What is a LAN?
• What is a WAN?

INSIDE / OUTSIDE

Page 11: Forefront UAG

• A wide area network (WAN) is a telecommunication network that covers a broad area (i.e., any network that links across metropolitan, regional, or national boundaries). Business and government entities utilize WANs to relay data among employees, clients, buyers, and suppliers from various geographical locations. In essence, this mode of telecommunication allows a business to effectively carry out its daily functions regardless of location.

WAN

Page 12: Forefront UAG

WAN: FRAME

Page 13: Forefront UAG

WAN: VPN

Page 14: Forefront UAG

• What is a LAN?
• What is a WAN?
• What is a Host?

INSIDE / OUTSIDE

Page 15: Forefront UAG

• A network host is a computer connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network

• A web hosting service is a type of Internet hosting service that allows individuals and organizations to make their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own or lease for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center

HOST

Page 16: Forefront UAG

• Inside network protocols
• Outside network protocols
• How can SP be set up for outside?

HOW TO USE SHAREPOINT FROM OUTSIDE

Page 17: Forefront UAG

SHAREPOINT TOPOLOGY

Page 18: Forefront UAG

• Anonymous Access
• SSL
• Authentication methods
– Windows Based
– Token based
– Claims based
– Forms Based

COMMON OUTSIDE METHODS

Page 19: Forefront UAG

AUTHENTICATION DEMO

Page 20: Forefront UAG

• AD is not the authoritative directory
• SAML tokens are not allowed to be consumed
• No guarantee of Internet Explorer
• High security / sensitive data

AUTHENTICATION EXAMPLE

Page 21: Forefront UAG

• What is a LAN?
• What is a WAN?
• What is a Host?
• What is a DMZ?

INSIDE / OUTSIDE

Page 22: Forefront UAG

• A DMZ, or De Militarized Zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. It is sometimes referred to as a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.

DMZ

Page 23: Forefront UAG

DMZ: 1 FIREWALL

Page 24: Forefront UAG

DMZ: 2 FIREWALLS

Page 25: Forefront UAG

• Access Scenarios
– Remote employee
– External partner or customer
– Branded Internet sites
– Web hosting
– Mobile phone access

BUILDING A SHAREPOINT EXTRANET

Page 26: Forefront UAG

SHAREPOINT AND UAG

• Anywhere access

• Information leakage prevention

• Endpoint health-based authorization

• Web farm load balancing

• Advanced authentication schemes

• Enabling access to SharePoint sites from Microsoft Office Outlook Web Access

• Unified Portal

• Automatic timeouts

• Internet-ready appliances

• Secure Sockets Layer (SSL) termination

• Application protection

• Policy-based access

• Single sign on

Page 27: Forefront UAG

• Part of the Forefront Suite
• Reverse Proxy, Direct Access, Remote Desktop Services and VPN solution

• Built with/on TMG (firewall, endpoint security)

• Great for LOB apps
• Highly customizable, integrates with a lot

WHAT IS UAG?

Page 28: Forefront UAG

FOLLOW THE PROGRAM

Page 29: Forefront UAG

• TMG is installed before you install UAG

• TMG can act as a router, an Internet gateway, a virtual private network (VPN) server, a network address translation (NAT) server and a proxy server.

• TMG is a firewall that offers application layer protection, stateful filtering, content filtering and anti-malware protection.

• TMG can compress web traffic and offers web caching

UAG AND TMG

Page 30: Forefront UAG

• Publishing Microsoft Exchange Server Applications

• Publishing Remote Desktop Services

• Remote Network Access Using SSTP

• Intra-Site Automatic Tunnel Addressing Protocol

• Endpoint Policies and Network Access Protection

• UAG Arrays
• Direct Access

UAG SETUP IN GENERAL

Page 31: Forefront UAG

• UAG direct access
• Single server endpoint outside of perimeter
• Everything on VM’s
• Multiple SP Applications
• Multiple Forests

UAG DIRECT ACCESS AND SHAREPOINT

Page 32: Forefront UAG

• Edge firewall

UAG – SP EXTRANETS

Page 33: Forefront UAG

UAG – SP EXTRANETS

Split back-to-back optimized for content publishing

Page 34: Forefront UAG

Back-to-back perimeter with content publishing (and optional TMG caching)

UAG – SP EXTRANETS

Page 35: Forefront UAG

• Know the network topology
• Know how to get around the network topology
• VM’s and VM topology
• Static Routes
• Make sure you have access to the local session – you will likely lose IP connectivity to the server your first time

THINGS TO NOTE FOR INSTALLING UAG

Page 36: Forefront UAG

• Virtual Network Types
– Private Virtual Network
– Internal Virtual Network
– External Virtual Network

• Virtual NIC’s
• Physical NIC’s
• Static Routes

UNDERSTANDING VM’S

Page 37: Forefront UAG

ADDRESSING UAG

Page 38: Forefront UAG

• Name your Network Adapters
• Configure the External NIC
– Get rid of properties you don’t need
– Default Gateway
– Uncheck "Register this connection in DNS"
– Disable NetBIOS

ADDRESSING UAG

Page 39: Forefront UAG

• Configure the Internal NIC
– No Gateway
– Register the connection in DNS
• Check your static route to the internal NIC
• Change the binding order
• Check routes

ADDRESSING UAG
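The addressing steps from the two slides above as one netsh script, added here as an example that is not part of the deck. The adapter names External and Internal, the addresses, the DNS server and the 10.0.0.0/8 internal range are assumed values; run it from the local console session, since changing the external adapter can drop a remote session.

```powershell
# Added example (not from the deck): UAG NIC addressing from the two
# "Addressing UAG" slides as netsh commands. Adapter names, addresses,
# DNS server and the internal range are assumed; replace them with yours.
$ext = "External"   # NIC facing the edge firewall / Internet
$int = "Internal"   # NIC facing the LAN and the SharePoint farm

# External NIC: static address and the only default gateway on the box,
# no DNS servers and no DNS registration (register=none).
netsh interface ipv4 set address "name=$ext" source=static address=203.0.113.10 mask=255.255.255.0 gateway=203.0.113.1 gwmetric=1
netsh interface ipv4 set dnsservers "name=$ext" source=static address=none register=none

# Internal NIC: static address and no gateway; this is the adapter that
# registers the server's name in internal DNS.
netsh interface ipv4 set address "name=$int" source=static address=10.0.1.10 mask=255.255.255.0
netsh interface ipv4 set dnsservers "name=$int" source=static address=10.0.1.5 register=primary

# Persistent static route: internal subnets leave through the internal NIC,
# everything else follows the external default gateway.
netsh interface ipv4 add route prefix=10.0.0.0/8 "interface=$int" nexthop=10.0.1.1 store=persistent

# Disable NetBIOS over TCP/IP on the external NIC (2 = disabled),
# found by the address we just assigned to it.
$extCfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
          Where-Object { $_.IPAddress -contains "203.0.113.10" }
$extCfg.SetTcpipNetbios(2) | Out-Null

# Unbinding unneeded adapter properties and moving the internal NIC to the
# top of the binding order are done in the Network Connections GUI.

# Check routes: expect a single 0.0.0.0/0 entry via 203.0.113.1 on the
# external NIC and 10.0.0.0/8 via 10.0.1.1 on the internal NIC.
netsh interface ipv4 show route
```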

Page 40: Forefront UAG

• You can associate a Web application with a collection of mappings between internal and public URLs.

• Alternate access mappings enable a Web application that receives a request for an internal URL, in one of the five authentication zones, to return pages that contain links to the public URL for the zone.

• The UAG server responds with identical content, even though external users submit a different protocol (HTTPS) and a different host header than internal users.

• Alternate access mappings allow the SharePoint server to perform URL changes on its own. This ensures that reverse proxies, such as UAG, do not have to change the content of the pages they serve to external sources.

ADDRESSING SHAREPOINT: AAM – ALTERNATE ACCESS MAPPINGS
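One way to set the alternate access mappings for a web application published through UAG with SharePoint 2010 PowerShell, added here as an example and not the deck's own configuration. The web application URL, the public host name, and the assumption that UAG terminates SSL and forwards plain HTTP with the original host header are mine.

```powershell
# Added example (not from the deck): alternate access mappings for a
# SharePoint 2010 web application published through UAG. The web
# application URL and the public host name are assumed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = "http://sp-intranet"                   # Default zone, used inside
$public = "https://hrportal.woodgrovebank.com"   # what external users type

# Public URL for the Internet zone: SharePoint itself rewrites the links in
# pages returned for this zone to this host and to HTTPS, so UAG can pass
# the content through unchanged.
New-SPAlternateURL -Url $public -WebApplication $webApp -Zone Internet

# Internal (incoming) URL for the same zone, for the case where UAG
# terminates SSL and forwards HTTP with the original host header.
# Skip this if UAG forwards HTTPS to the farm.
New-SPAlternateURL -Url "http://hrportal.woodgrovebank.com" -WebApplication $webApp -Zone Internet -Internal

# The IIS site behind the zone must also accept the hrportal host header;
# extending the web application to the Internet zone
# (New-SPWebApplicationExtension) creates that site and its AAM entries together.

# Verify: the Internet zone's incoming URL matches what UAG sends and its
# public URL is the HTTPS name users see.
Get-SPAlternateURL -WebApplication $webApp |
    Select-Object Zone, IncomingUrl, PublicUrl | Format-Table -AutoSize
```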

Page 41: Forefront UAG

• The UAG portal is an ASP.Net-based Web application using AJAX, and is the front-end Web application for UAG

• A UAG portal trunk is a transfer channel that allows endpoints to connect to the trunk’s portal home page over HTTP or HTTPS. You can also create a redirect trunk that redirects HTTP endpoint requests to an HTTPS trunk.

• Each trunk has a portal home page to which remote endpoints connect to interact with the trunk, and access published applications.

• For each trunk UAG adds the Portal application to the trunk in order to provide a default home page. Alternatively, you can define a customized home page.

UAG PORTALS AND TRUNKS

Page 42: Forefront UAG

• Each Web app is associated with a unique public-facing host name, which is used to access the application remotely.

• A Web app that is published through the Forefront UAG trunk shares the trunk's definitions in addition to some of the trunk's functionality, such as the logon and logoff pages.

• This means that the application's public host name must reside under the same parent domain as the trunk's public host name; that is, the application and the trunk are subdomains of the same parent domain.

ADDRESSING SHAREPOINT: PUBLIC HOST NAMES

Page 43: Forefront UAG

Forefront UAG trunk’s public host name: uag.woodgrovebank.com
Trunk’s parent domain: woodgrovebank.com
Examples of valid public host names for Web app: hrportal.woodgrovebank.com, hrportal.a.b.woodgrovebank.com, hrportal.uag.woodgrovebank.com
Examples of non-valid public host names for Web app: hrportal.com

Forefront UAG trunk’s public host name: uag.ext.example.com
Trunk’s parent domain: ext.example.com
Examples of valid public host names for Web app: hrportal.ext.example.com, hrportal.a.b.ext.example.com, hrportal.uag.ext.example.com
Examples of non-valid public host names for Web app: hrportal.com, hrportal.example.com

ADDRESSING SHAREPOINT: PUBLIC HOST NAMES

Page 44: Forefront UAG

• All the public host names that are used in the trunk should be covered by this certificate, including the trunk's public host name and the public host names of all the applications that are accessed via the trunk.

ADDRESSING SHAREPOINT AND UAG: SERVER CERTIFICATES
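A small checker for the two rules on this slide and the public host names slides (an application's public host name must be a subdomain of the trunk's parent domain, and every public host name must be covered by the trunk certificate), added here as an example that is not part of the deck. The host names are the deck's own; the certificate names are assumed, and the wildcard case shows why a wildcard certificate does not cover every name the parent-domain rule allows.

```powershell
# Added example (not from the deck): check UAG public host names against the
# trunk's parent-domain rule and against the names on the trunk certificate.
function Get-TrunkParentDomain([string]$TrunkHost) {
    # Parent domain = the trunk host name with its first label removed.
    return ($TrunkHost.ToLower() -split '\.', 2)[1]
}

function Test-UagAppHostName([string]$TrunkHost, [string]$AppHost) {
    # Valid when the app host is a subdomain (at any depth) of the parent domain.
    $parent = Get-TrunkParentDomain $TrunkHost
    return $AppHost.ToLower().EndsWith(".$parent")
}

function Test-CertCoversName([string[]]$CertNames, [string]$HostName) {
    $h = $HostName.ToLower()
    foreach ($n in $CertNames) {
        $n = $n.ToLower()
        if ($n -eq $h) { return $true }
        # A wildcard matches exactly one label: *.woodgrovebank.com covers
        # hrportal.woodgrovebank.com but not hrportal.a.b.woodgrovebank.com.
        if ($n.StartsWith('*.') -and $h.EndsWith($n.Substring(1)) -and
            -not $h.Substring(0, $h.Length - $n.Length + 1).Contains('.')) { return $true }
    }
    return $false
}

$trunk     = 'uag.woodgrovebank.com'
$certNames = @('uag.woodgrovebank.com', '*.woodgrovebank.com')   # assumed SANs
$apps      = 'hrportal.woodgrovebank.com', 'hrportal.a.b.woodgrovebank.com',
             'hrportal.uag.woodgrovebank.com', 'hrportal.com'

# Expected: hrportal.com fails the trunk rule; the two deeper names pass the
# trunk rule but are not covered by the single-label wildcard.
$apps | ForEach-Object {
    [pscustomobject]@{
        HostName         = $_
        UnderTrunkDomain = Test-UagAppHostName $trunk $_
        CoveredByCert    = Test-CertCoversName $certNames $_
    }
} | Format-Table -AutoSize
```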

Page 45: Forefront UAG

DEMO / TOUR

Page 46: Forefront UAG

• UAG is a way to go for extranets for a highly secure deployment

• Big ROI for its other uses, as well as SP

• Know your network infrastructure

• Plan your SP install
• Access to the local UAG server
• Know your risks

CONCLUSION

Page 47: Forefront UAG

Q AND A

Page 48: Forefront UAG

1. MSDN
2. TechNet
3. Microsoft Press
4. Wikipedia
5. http://mikecrowley.files.wordpress.com/2010/11/
6. http://www.windowsnetworking.com/articles_tutorials/Understanding-Virtual-Networking-Microsoft-Hyper-V.html
7. http://mrshannon.wordpress.com/2010/04/30/setting-ip-addresses-on-a-uag-directaccess-server/
8. http://blog.concurrency.com/infrastructure/uag-directaccess-ip-addressing-the-server/
9. http://www.bibble-it.com/2010/02/21/forefront-uag-in-10-minutes

REFERENCES