Planning and Configuring Extranets in SharePoint 2010 by Geoff Varosky - SPTechCon
Planning and Configuring Extranets in SharePoint 2010
Geoff Varosky
March 4, 2013
ABOUT ME
[email protected] | @gvaro | www.sharepointyankee.com | www.jornata.com | @JornataLLC
Geoff Varosky, Jornata
Managing Consultant, Senior Architect, Senior Developer, Director of Evangelism
President & Co-Founder, Boston Area SharePoint Users Group
Co-Organizer, SharePoint Saturday Boston
Recent Awards
  Top 25 2012 Harmon.ie Online Community Influencer
  Top 50 2012 KnowledgeLake Community Influencer
Blog – www.SharePointYankee.com
Email – [email protected]
Twitter – @gvaro
AGENDA
Thinking
  What is an Extranet?
  Design
    Topology
    Authentication Mechanism
    User Identity Storage Location
  Evaluating Your Requirements
  SharePoint 2010 Considerations
Doing
  Configuration
  User and Role Management
WHAT IS AN EXTRANET?
Controlled access from external networks
DESIGN CONSIDERATIONS
Topology
Authentication Methods
User Identity Storage Location
TOPOLOGY
VERY SIMPLE EXTRANET
EDGE FIREWALL
Diagram labels: Perimeter network; Corporate network; External Users; Firewall/UAG; Server Farm; Internets (a/k/a where you access Facebook from every morning)
BACK TO BACK PERIMETER
Diagram labels: Perimeter network; Corporate network; Firewall/UAG; Layer 1: Web Servers; Layer 2: App & SQL Servers; Router A, Router B; Layer 3: DNS, Active Directory, LOB Systems; Firewall/UAG; Internets
BACK-TO-BACK PERIMETER WITH CROSS-FARM SERVICES
Diagram labels: Perimeter network; Corporate network; External Users; Firewall/UAG; Consuming Farm; Firewall/UAG; Services Farm; Internets
SPLIT BACK-TO-BACK
Diagram labels: Perimeter network; Corporate network; External Users; Firewall/UAG; Web Servers, Application Servers, DNS, Active Directory; Firewall/UAG; SQL Servers, Application Servers, DNS, Active Directory; Internets (YAY! FACEBOOKS! LOLS!)
AUTHENTICATION
AUTHENTICATION METHODS
Windows
  NTLM
  Kerberos
  Basic
Forms Based Authentication (FBA)*
Claims Based Authentication
  SAML tokens
* Claims needs to be enabled for FBA
USER IDENTITY STORAGE
Active Directory
LDAP
SQL Server
Other
  Facebooks
  Twitters
YOUR REQUIREMENTS
What do you really need?
  Who needs access?
  How sensitive is the data?
  How sensitive is the network?
  Budget?**
Who needs access?
  Internal employees only – Active Directory
  Internal employees and external users – Active Directory
    Additional domain with restricted access – Active Directory & Forms Based Authentication
    Claims Authentication
  External only (rare)
  Clients, partners, consultants – Active Directory or LDAP or SQL? Forms Based Authentication or Windows auth? Separate or together?
  Hosting
  Mobile Clients
How sensitive is the data & internal network?
  Network & SharePoint
    Separate site?
    Separate site collection?
    Separate web application?
    Multiple farms with cross-farm services & publishing?
    Separate farm?
    DMZ?
How sensitive is the data & internal network?
  Security
    Secure Certificates (SSL)
    Encryption
    Firewall
      Both hardware and software?
      Content Filtering
      ACLs
    Virtual Private Network
    Anti-Virus and Anti-Malware
    Client-based certificates
    One-time passwords (RSA tokens)
    Phone verification
    Biometrics
      Retina, fingerprint, facial structure, hair and blood samples
Budget**
REMEMBER THIS…
You are giving a key to access your company’s data in some form or another.
SHAREPOINT 2010
Supported versions
  All – Foundation up through Enterprise
  Office 365
    Can be used as an extranet (since that is basically what it is!)
SUPER HAPPY DEMO TIME!!
Assumptions
  Any Topology
  Multi-Mode (Windows & FBA Authentication)
  SQL User Database
1. Create ASP.NET Membership Database
2. Configure SharePoint
3. Configure IIS
4. Create and Manage Users
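Steps 1 and 2 of the demo as an added PowerShell example; this is not code from the deck, and the SQL instance, database, provider, URL and account names are assumptions that have to match the provider registration you put in web.config.

```powershell
# Added example (not from the slides): create the ASP.NET membership database and a
# claims web application in multi-mode (Windows + FBA against SQL). All names below are
# assumed placeholders; the provider names must match web.config on every server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SqlInstance        = 'SQL01'                     # assumed SQL Server instance
$MembershipDb       = 'FBADB'                     # assumed membership database name
$MembershipProvider = 'FBAMembers'                # <membership><providers><add name=...>
$RoleProvider       = 'FBARoles'                  # <roleManager><providers><add name=...>
$ExtranetUrl        = 'https://extranet.contoso.com'
$PoolAccount        = 'CONTOSO\spAppPool'         # assumed managed account

# Step 1: create the ASP.NET membership database. -E uses the current Windows identity,
# -A mr installs only the membership and role-manager schema (no profiles/personalization).
# The app pool account later needs a SQL login with access to this database.
$regsql = "$env:windir\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
& $regsql -S $SqlInstance -E -d $MembershipDb -A mr
if ($LASTEXITCODE -ne 0) { throw "aspnet_regsql failed with exit code $LASTEXITCODE" }

# Step 2: claims web application with two providers on one URL. FBA only works in
# claims mode, which is why the Windows provider is created as a claims provider too.
$windowsAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos  # NTLM
$formsAuth   = New-SPAuthenticationProvider -ASPNETMembershipProvider $MembershipProvider `
                                            -ASPNETRoleProviderName $RoleProvider

$webApp = New-SPWebApplication -Name 'Extranet' `
    -ApplicationPool 'ExtranetAppPool' `
    -ApplicationPoolAccount (Get-SPManagedAccount $PoolAccount) `
    -Url $ExtranetUrl -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $windowsAuth, $formsAuth `
    -DatabaseName 'WSS_Content_Extranet'

$webApp | Select-Object DisplayName, Url, UseClaimsAuthentication

# Step 3 still has to be done by hand: register the SqlMembershipProvider/SqlRoleProvider
# and the connection string in the web.config of Central Administration, the Security
# Token Service application and this web application, then bind the SSL certificate in IIS.
# Step 4 (creating users) belongs in a separate IIS web application or the FBA Pack, not in
# the SharePoint site: swapping default providers there recycles the app pool and locks
# every user out while the change is in place.
```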
MANAGING USERS
IIS
  Using your SharePoint Site = BAD
    Must first change the default role manager, and then the membership provider, each time from claims to your SQL providers
    No one can log into SharePoint during this time
    And then change them back when done
    Each change recycles the application pool.
  Create a separate IIS Virtual Web Application and manage from there
BCS
  Great way to search for and manage users (passwords, email, etc.)
  No way to create users without additional logic
CodePlex (www.codeplex.com)
  SharePoint 2010 FBA Pack – http://sharepoint2010fba.codeplex.com
Third Party Solutions
REMEMBER THIS.
  Test your configuration
  Review security regularly
  Be wary of cats
RESOURCES
My Blog Series
  Part 1: http://go.gvaro.net/ExtranetsP1
  Part 2: http://go.gvaro.net/ExtranetsP2
  Part 3: http://go.gvaro.net/ExtranetsP3
Phone Factor – Phone Verification: http://www.phonefactor.com
Plan Security Hardening (TechNet): http://go.gvaro.net/uSyY1Z
SharePoint 2007 & 2010 Farm Ports (Firewall Config): http://go.gvaro.net/uWQZzU
Disabling SSL v2.0, PCT 1.0 + more in IIS7: http://go.gvaro.net/N5GgEa
SharePoint Ports, Proxies, and Protocols (Firewall Config): http://go.gvaro.net/tblxCn
Harden SQL Server for SharePoint: http://go.gvaro.net/viVQuN
Visual FBA configuration by Donal Conlon: http://go.gvaro.net/oPnAYx
Extranet tested topologies for SP 2010 Model: http://go.gvaro.net/SP2010ExtTopMod
ASP.NET 2.0 Membership Database Reference (Create, Add Users, etc.): http://go.gvaro.net/AN2Mbr
FBA Configuration in SharePoint 2010
  LDAP: http://go.gvaro.net/FBALDAP
  ASP.NET Membership DB: http://go.gvaro.net/FBAANMDB
  PeoplePicker Wildcard Search: http://go.gvaro.net/FBAWildCard
Helpful Resources for Troubleshooting Membership Providers: http://go.gvaro.net/TSMemProv
“Sign me in automatically” in FBA: http://go.gvaro.net/pAkDQP
Configuring SSL in a Development Environment: http://go.gvaro.net/uOTTlJ
QUESTIONS?
BOSTON AREA SHAREPOINT UG
  Meets 2nd Wednesday/month, 6-8PM
  Microsoft N.E.R.D. (Cambridge)
  BostonSharePointUG.org
  Twitter: @BASPUG / #BASPUG
  SPTechCon Hosted Meeting in August!