Jeremy Thake, SharePoint MVP and AvePoint Enterprise Architect, will introduce why organizations leverage extranets, share the common issues found in customers’ extranet environments, and discuss the advantages and disadvantages of the available approaches to authentication and topologies. Jeremy will then illustrate the importance of instilling appropriate governance for extranets built upon SharePoint to ensure that the common issues identified are mitigated, including guidance on what processes can be put in place to ensure a better user experience.
Jeremy Thake
• Enterprise Architect – AvePoint
• SharePoint MVP since July ‘10
• Founded SharePointDevWiki.com
• Co-founder of NothingButSharePoint.com
• Speaker at MS TechEd 2009/10, SPC 11
jeremy.thake@avepoint.com
gplus.to/jthake
@jthake
www.linkedin.com/in/jeremythake
In the simplest example, a firewall such as Microsoft Forefront Unified Access Gateway is used to allow external users to access SharePoint that is hosted in the internal network. Internal users can access the SharePoint instance directly without going through the firewall.
Pros
• Simplest solution – if you already have an existing SharePoint environment, you can just open up a few ports and get going.
• Inside corporate network – for most organizations, hosting this internally will not be seen as a negative thing, and having the content stored inside is more secure.
Cons
• Security model complex – users will have to be provisioned inside Active Directory, as discussed in the last section.
• One site for both internal/external – the IA (information architecture) can get hard because you need areas that aren’t seen by external users and areas that are seen by both. Often sub sites are used here.
• Sensitive docs visible
• Single firewall separates corporate network from the internet
In this approach, the server farm is isolated in a separate perimeter network. Each layer can be isolated for more security via routers. Internal network requests can be directed through the internal-facing ISA server or routed through the public one.
Pros
• Isolated to single farm
• External user access is isolated to perimeter network
Cons
• Additional network gear required
• Single firewall separates corporate network from the internet
The back-to-back perimeter network can be made more secure by moving the Services farm internally within the network for service applications such as User Profile, Search, Business Data Connectivity, and Managed Metadata. This in turn means that the Extranet can consume some of the same services that other workloads like the Intranet may be consuming on internal farms.
Pros
• Isolation from corporate
• Network traffic isolation
• Prevents sensitive doc leaks
• Shared services managed corporate
Cons
• Additional SP farm required
• Additional network gear required
• Two-way trusts required for some
• No mechanism to publish content internal to external
The next typical thing we see from a security perspective is that a content staging farm is put in place. This means that all versioning of draft documents is done in the staging farm, and only once content has gone through the approval process is it pushed through to the Extranet farm. This also benefits from the ability for internal users to store documents related to the content being published to the extranet in the same place.
Pros
• Isolation from corporate
• Network traffic isolation
• Prevents sensitive doc leaks
• Shared services managed corporate
• Ability to publish content from internal to external
Cons
• Additional SP farm required
• Additional network gear required
• Two-way trusts required for some
• Content management complex
• No two-way content sync (read-only)
In this example, the web front ends and possibly application servers are moved into the perimeter network for performance reasons.
Pros
• SQL stored in corporate network
Cons
• Domain trust required
• Complex architecture
• Inter-farm comms in 2 networks
• One site for both internal/external
• Sensitive docs visible
Same as the last, but introducing content publishing.
Pros
• SQL stored in corporate network
• Ability to publish content from internal to external
Cons
• Domain trust required
• Complex architecture
• Inter-farm comms in 2 networks
• Content management complex
• No two-way content sync (read-only)
SharePoint Online keeps coming up in this scenario due to the speed of deployment.
Pros
• Quick to set up
• Provisioning users outside AD
Cons
• Additional costs of subscriber model
• Some features not available
• No supported OOTB content publishing