James Tramel discussed how SharePoint can be accessed from outside a network using Forefront Unified Access Gateway (UAG). UAG acts as a reverse proxy and VPN solution to securely publish SharePoint and other line of business applications externally. It is important to understand the network topology and infrastructure in order to properly configure UAG, SharePoint alternate access mappings, and server certificates. A demonstration of a sample UAG and SharePoint extranet configuration was provided.

1. SharePoint and Forefront Unified Access Gateway James Tramel Solutions Architect Planet Technologies

2. In other lives: Network Engineer Network Admin WAN admin Cloud admin Now SharePoint experience and certification (custom and oob/ data and architect) Forefront IM and UAG About me

3. As a portal As an intranet As an extranet SharePoint

4. How is your farm built? Where does it reside? Who accesses it and How? What does it look like in your network? What does your network topology look like? SharePoint and Network Infrastructure

5. Network topology is the layout pattern of interconnections of the various elements (links, nodes, etc.) of a computer or network Physical topology refers to the physical design of a network including the devices, location and cable installation. Logical topology refers to how data is actually transferred in a network as opposed to its physical design What is Network Topology

6. What is a LAN? Inside / Outside

7. A local area network (LAN) is a computer network that connects computers and devices in a limited geographical area such as home, school, computer laboratory or office building. The defining characteristics of LANs includes their usually high data-transfer rates, smaller geographic area, and lack of a need for leased telecommunication lines LAN

8. LAN: Local Area Network - Basic

9. LAN: Typical

10. What is a LAN? What is a WAN? Inside / Outside

11. A wide area network(WAN) is a telecommunication network that covers a broad area (i.e., any network that links across metropolitan, regional, or national boundaries). Business and government entities utilize WAN to relay data among employees, clients, buyers, and suppliers from various geographical locations. In essence this mode of telecommunication allows a business to effectively carry out its daily function regardless of location. WAN

12. WAN: Frame

13. WAN: VPN

14. What is a LAN? What is a WAN? What is a Host? Inside / Outside

15. A network host is a computer connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network A web hosting service is a type of Internet hosting service that allows individuals and organizations to make their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own or lease for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center Host

16. Inside network protocols Outside network protocols How can SP be setup for outside? How to use SharePoint from Outside

17. SharePoint Topology

18. Anonymous Access SSL Authentication methods Windows Based Token based Claims based Forms Based Common Outside Methods

19. Authentication Demo

20. AD is not authoritative directory SAML tokens are not allowed to be consumed No guarantee of Internet Explorer High security / sensitive data Authentication Example

21. What is a LAN? What is a WAN? What is a Host? What is a DMZ? Inside / Outside

22. A DMZ, or De Militarized Zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. It is sometimes referred to as a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network. DMZ

23. DMZ: 1 firewall

24. DMZ: 2 Firewalls

25. Access Scenarios Remote employee External partner or customer Branded Internet sites Web hosting Mobile phone access Building a SharePoint Extranet

26. SharePoint and UAG

27. Part of ForeFront Suite Reverse Proxy, Direct Access, Remote Desktop Services and VPN solution Built with/on TMG (firewall, endpoint security) Great for LOB apps Highly customizable, integrates with a lot What is UAG?

28. Follow the Program

29. TMG is installed before you install UAG TMG can act as a router, an Internet gateway, a virtual private network (VPN) server, a network address translation (NAT) server and a proxy server. TMG is a firewall that offers application layer protection, stateful filtering, content filtering and anti-malware protection. TMG can compress web traffic and offers web caching UAG and TMG

30. Publishing Microsoft Exchange Server Applications Publishing Remote Desktop Services Remote Network Access Using SSTP Intra-Site Automatic Tunnel Addressing Protocol Endpoint Policies and Network Access Protection UAG Arrays Direct Access UAG Setup in General

31. UAG direct access Single server endpoint outside of perimeter Everything on VM’s Multiple SP Applications Multiple Forests UAG Direct Access and SharePoint

32. Edge firewall UAG – SP Extranets

33. UAG – SP Extranets Split back-to-back optimized for content publishing

34. UAG – SP Extranets Back-to-back perimeter with content publishing (and optional TMG caching)

35. Know the network topology Know how to get around the network topology VM’s and VM topology Static Routes Make sure you have access to local session – you will likely lose ip your first time Things to note for installing UAG

36. Virtual Network Types Private Virtual Network Internal Virtual Network External Virtual Network Virtual NIC’s Physical NIC’s Static Routes Understanding VM’s

37. Addressing UAG

38. Name your Network Adapters Configure the External NIC Get rid of properties you don’t need Default Gateway Un check register the connection in DNS Disable NetBIOS Addressing UAG

39. Configure the Internal NIC No Gateway Register the connection in DNS Check your static route to internal nic Change the binding order Check routes Addressing UAG

40. You can associate a Web application with a collection of mappings between internal and public URLs. Alternate access mappings enable a Web application that receives a request for an internal URL, in one of the five authentication zones, to return pages that contain links to the public URL for the zone. The UAG server responds with identical content, even though external users submit a different protocol (HTTPS) and a different host header than internal users. Alternate access mappings to allow the SharePoint server to perform URL changes on its own. This ensures that reverse proxies, such as UAG, do not have to change the content of the pages they serve to external sources. Addressing SharePoint:AAM – Alternate Access Mappings

41. The UAG portal is an ASP.Net-based Web application using AJAX, and is the front-end Web application for UAG A UAG portal trunk is a transfer channel that allows endpoints to connect to the trunk’s portal home page over HTTP or HTTPS. You can also create a redirect trunk that redirects HTTP endpoint requests to an HTTPS trunk. Each trunk has a portal home page to which remote endpoints connect to interact with the trunk, and access published applications. For each trunk UAG adds the Portal application to the trunk in order to provide a default home page. Alternatively, you can define a customized home page. UAG Portals and Trunks

42. Each Web app is associated with a unique public-facing host name, which is used to access the application remotely. A Web app that is published through the Forefront UAG trunk shares the trunk's definitions in addition to some of the trunk's functionality, such as the logon and logoff pages. This means that the application's public host name must reside under the same parent domain as the trunk's public host name; that is, the application and the trunk are subdomains of the same parent domain. Addressing SharePoint:Public Host Names

43. Addressing SharePoint:Public Host Names

44. All the public host names that are used in the trunk should be covered by this certificate, including the trunk's public host name and the public host names of all the applications that are accessed via the trunk. Addressing SharePoint and UAG:Server certificates

45. Demo / Tour

46. UAG is away to go for extranets for a highly secure deployment Big ROI for its other uses, as well as SP Know your network infrastructure Plan your SP install Access to the local UAG server Know your risks Conclusion

47. Q and A

48. MSDN Technet Microsoft Press Wikipedia http://mikecrowley.files.wordpress.com/2010/11/ http://www.windowsnetworking.com/articles_tutorials/Understanding-Virtual-Networking-Microsoft-Hyper-V.html> http://mrshannon.wordpress.com/2010/04/30/setting-ip-addresses-on-a-uag-directaccess-server/> http://blog.concurrency.com/infrastructure/uag-directaccess-ip-addressing-the-server/> http://www.bibble-it.com/2010/02/21/forefront-uag-in-10-minutes References