James Tramel discussed how SharePoint can be accessed from outside a network using Forefront Unified Access Gateway (UAG). UAG acts as a reverse proxy and VPN solution to securely publish SharePoint and other line of business applications externally. It is important to understand the network topology and infrastructure in order to properly configure UAG, SharePoint alternate access mappings, and server certificates. A demonstration of a sample UAG and SharePoint extranet configuration was provided.
SharePoint and Forefront Unified Access Gateway
1. SharePoint and Forefront Unified Access Gateway
   James Tramel, Solutions Architect, Planet Technologies
2. About me
   - In other lives: Network Engineer, Network Admin, WAN admin, Cloud admin
   - Now: SharePoint experience and certification (custom and OOB / data and architect); Forefront IM and UAG
3. SharePoint
   - As a portal
   - As an intranet
   - As an extranet
4. SharePoint and Network Infrastructure
   - How is your farm built?
   - Where does it reside?
   - Who accesses it, and how?
   - What does it look like in your network?
   - What does your network topology look like?
5. What is Network Topology?
   - Network topology is the layout pattern of interconnections of the various elements (links, nodes, etc.) of a computer network.
   - Physical topology refers to the physical design of a network, including the devices, their location and the cable installation.
   - Logical topology refers to how data is actually transferred in a network, as opposed to its physical design.
7. LAN
   - A local area network (LAN) is a computer network that connects computers and devices in a limited geographical area such as a home, school, computer laboratory or office building.
   - The defining characteristics of LANs include their usually high data-transfer rates, smaller geographic area, and lack of need for leased telecommunication lines.
10. Inside / Outside
   - What is a LAN?
   - What is a WAN?
11. WAN
   - A wide area network (WAN) is a telecommunication network that covers a broad area (i.e., any network that links across metropolitan, regional, or national boundaries).
   - Business and government entities utilize WANs to relay data among employees, clients, buyers, and suppliers in various geographical locations.
   - In essence, this mode of telecommunication allows a business to carry out its daily functions effectively regardless of location.
14. Inside / Outside
   - What is a LAN?
   - What is a WAN?
   - What is a Host?
15. Host
   - A network host is a computer connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network.
   - A web hosting service is a type of Internet hosting service that allows individuals and organizations to make their own website accessible via the World Wide Web.
   - Web hosts are companies that provide space on a server they own or lease for use by their clients, as well as Internet connectivity, typically in a data center. Web hosts can also provide data center space and Internet connectivity for servers they do not own to be located in their data center.
16. How to use SharePoint from Outside
   - Inside network protocols
   - Outside network protocols
   - How can SP be set up for outside?
20. Authentication Example
   - AD is not the authoritative directory
   - SAML tokens are not allowed to be consumed
   - No guarantee of Internet Explorer
   - High security / sensitive data
21. Inside / Outside
   - What is a LAN?
   - What is a WAN?
   - What is a Host?
   - What is a DMZ?
22. DMZ
   - A DMZ, or Demilitarized Zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. It is sometimes referred to as a perimeter network.
   - The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external attacker only has access to equipment in the DMZ, rather than to any other part of the network.
25. Building a SharePoint Extranet
   - Access scenarios: remote employee; external partner or customer; branded Internet sites; web hosting; mobile phone access
27. What is UAG?
   - Part of the Forefront suite
   - Reverse proxy, DirectAccess, Remote Desktop Services and VPN solution
   - Built with/on TMG (firewall, endpoint security)
   - Great for LOB apps
   - Highly customizable, integrates with a lot
29. UAG and TMG
   - TMG is installed before you install UAG
   - TMG can act as a router, an Internet gateway, a virtual private network (VPN) server, a network address translation (NAT) server and a proxy server.
   - TMG is a firewall that offers application layer protection, stateful filtering, content filtering and anti-malware protection.
   - TMG can compress web traffic and offers web caching.
30. UAG Setup in General
   - Publishing Microsoft Exchange Server applications
   - Publishing Remote Desktop Services
   - Remote network access using SSTP
   - Intra-Site Automatic Tunnel Addressing Protocol
   - Endpoint policies and Network Access Protection
   - UAG arrays
   - DirectAccess
31. UAG DirectAccess and SharePoint
   - UAG DirectAccess
   - Single server endpoint outside of the perimeter
   - Everything on VMs
   - Multiple SP applications
   - Multiple forests
35. Things to note for installing UAG
   - Know the network topology
   - Know how to get around the network topology
   - VMs and VM topology
   - Static routes
   - Make sure you have access to the local session: you will likely lose IP connectivity your first time
38. Addressing UAG
   - Name your network adapters
   - Configure the external NIC:
     - Get rid of properties you don't need
     - Default gateway
     - Uncheck "register the connection in DNS"
     - Disable NetBIOS
39. Addressing UAG
   - Configure the internal NIC:
     - No gateway
     - Register the connection in DNS
     - Check your static route to the internal NIC
   - Change the binding order
   - Check routes
40. Addressing SharePoint: AAM (Alternate Access Mappings)
   - You can associate a Web application with a collection of mappings between internal and public URLs. Alternate access mappings enable a Web application that receives a request for an internal URL, in one of the five authentication zones, to return pages that contain links to the public URL for the zone.
   - The UAG server responds with identical content, even though external users submit a different protocol (HTTPS) and a different host header than internal users.
   - Alternate access mappings allow the SharePoint server to perform URL changes on its own. This ensures that reverse proxies, such as UAG, do not have to change the content of the pages they serve to external sources.
41. UAG Portals and Trunks
   - The UAG portal is an ASP.NET-based Web application using AJAX, and is the front-end Web application for UAG.
   - A UAG portal trunk is a transfer channel that allows endpoints to connect to the trunk's portal home page over HTTP or HTTPS. You can also create a redirect trunk that redirects HTTP endpoint requests to an HTTPS trunk.
   - Each trunk has a portal home page to which remote endpoints connect to interact with the trunk and access published applications. For each trunk, UAG adds the Portal application to the trunk in order to provide a default home page. Alternatively, you can define a customized home page.
42. Addressing SharePoint: Public Host Names
   - Each Web app is associated with a unique public-facing host name, which is used to access the application remotely.
   - A Web app that is published through the Forefront UAG trunk shares the trunk's definitions in addition to some of the trunk's functionality, such as the logon and logoff pages. This means that the application's public host name must reside under the same parent domain as the trunk's public host name; that is, the application and the trunk are subdomains of the same parent domain.
44. Addressing SharePoint and UAG: Server certificates
   - All the public host names that are used in the trunk should be covered by the trunk's server certificate, including the trunk's public host name and the public host names of all the applications that are accessed via the trunk.
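Added here as an example (not from the presentation): a PowerShell pre-flight check, saved as a .ps1, for the two rules on slides 42 and 44, namely that every published application host name sits under the trunk's parent domain and that the trunk certificate covers every public host name, wildcards included. The host names, the PFX path and the Windows-specific "DNS Name=" rendering of the SAN extension are assumptions.

```powershell
# Added example, not from the original presentation: checks the UAG naming and
# certificate rules from slides 42 and 44. Host names and the PFX path are placeholders.
param(
    [string]   $TrunkHost = 'portal.contoso.example',
    [string[]] $AppHosts  = @('sp.contoso.example', 'teams.contoso.example'),
    [string]   $PfxPath   = 'C:\certs\uag-trunk.pfx'
)

# Parent domain = host name minus its first label (sp.contoso.example -> contoso.example).
function Get-ParentDomain([string] $HostName) { return ($HostName -split '\.', 2)[1] }

# DNS names from the Subject Alternative Name extension (OID 2.5.29.17); on Windows
# Format($false) renders "DNS Name=a.example, DNS Name=b.example". Falls back to the CN.
function Get-CertDnsNames([string] $Path) {
    $cert = Get-PfxCertificate -FilePath $Path
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        return [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    return @($cert.GetNameInfo('SimpleName', $false))
}

# A certificate name covers a host when it matches exactly, or when it is a wildcard
# (*.parent) and exactly one label stands in place of the '*'.
function Test-NameCovered([string] $HostName, [string[]] $CertNames) {
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                                  # ".contoso.example"
            $cut    = $HostName.Length - $suffix.Length
            if ($cut -gt 0 -and $HostName.EndsWith($suffix, 'OrdinalIgnoreCase') -and
                $HostName.Substring(0, $cut) -notmatch '\.') { return $true }
        }
    }
    return $false
}

$parent    = Get-ParentDomain $TrunkHost
$certNames = Get-CertDnsNames $PfxPath
$problems  = @()
foreach ($h in @($TrunkHost) + $AppHosts) {
    if ((Get-ParentDomain $h) -ne $parent)     { $problems += "$h is not under the trunk's parent domain '$parent'" }
    if (-not (Test-NameCovered $h $certNames)) { $problems += "$h is not covered by the trunk certificate" }
}
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All public host names are under '$parent' and covered by the trunk certificate."
}
```

Run it against the exported trunk certificate before assigning it to the HTTPS trunk; any warning means the publishing rule on slide 42 or the certificate rule on slide 44 will fail for that host name.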
46. Conclusion
   - UAG is a way to go for extranets in a highly secure deployment
   - Big ROI for its other uses, as well as SP
   - Know your network infrastructure
   - Plan your SP install
   - Access to the local UAG server
   - Know your risks
Notes:
- http://en.wikipedia.org/wiki/Microsoft_Forefront_Unified_Access_Gateway
- Authentication vendors such as RSA Security, Vasco, GrIDsure, Swivel, ActivCard and Aladdin; numerous authentication systems and protocols such as Active Directory, RADIUS, LDAP, NTLM, Lotus Domino, PKI and TACACS+.
- SSTP: Secure Socket Tunneling Protocol
- What we're going to do / What I've done
- Simple, right?
- More complicated
- Where to put things; how to get from point A to B; VLANs; TMG does not play around
- Who can name all 5? Default, Intranet, Internet, Custom, Extranet. Demo