Empower employees with external access to SharePoint and other intranet resources Microsoft SharePoint authorizes user access based on a Microsoft domain session using Kerberos or similar technologies. An external user without a direct domain session cannot access SharePoint directly using common Single Sign-On (SSO) solutions deployed at the perimeter of the enterprise. Requiring VPN access to the enterprise for accessing SharePoint and other intranet resources is not practical and widens the attack surface of the enterprise. Layer 7 delivers a simple solution for brokering access to Microsoft-based Web applications and APIs. By deploying Layer 7’s SecureSpan Gateway in the DMZ, the enterprise can enable and control access to Microsoft SharePoint without the need for VPN connections. The enterprise can leverage the same SecureSpan Gateway to control access to any Web applications and APIs that need to be consumed by mobile applications.

1. Enable Secure Mobile & Web
Access to Microsoft SharePoint
Empower Mobile Employees by Providing Secure Access to Microsoft SharePoint & Other
Intranet Resources from Beyond the Enterprise Perimeter
Remote SharePoint Access:
1. Remote user launches browser or
native mobile app to access Microsoft
SharePoint or other intranet resource.
2. SecureSpan Gateway challenges user
for credentials and authenticates using
Microsoft Active Directory.
3. SSO session is created. A cookie or
OAuth access token is issued and
returned to the mobile application.
4. Mobile application consumes
SharePoint Web application or API on
Gateway using the cookie or token.
5. Gateway reverse‐proxies Web
application or intranet API, maps
external cookie/token with Kerberos
ticket for internal authorization.
Learn More About Layer 7’s The Problem: Accessing SharePoint Beyond the Enterprise Perimeter
Mobile Access Solutions Microsoft SharePoint authorizes user access based on a Microsoft domain session using
 Phone Kerberos or similar technologies. An external user without a direct domain session
+1‐800‐681‐9377 cannot access SharePoint directly using common Single Sign‐On (SSO) solutions
(toll free within North America) deployed at the perimeter of the enterprise. Requiring VPN access to the enterprise for
or +1‐604‐681‐9377 accessing SharePoint and other intranet resources is not practical and widens the attack
 Email surface of the enterprise.
info@layer7.com
 Web The Solution: Layer 7 SecureSpan Gateway
www.layer7.com
Layer 7 delivers a simple solution for brokering access to Microsoft‐based Web
 Facebook
applications and APIs. By deploying Layer 7’s SecureSpan Gateway in the DMZ, the
www.facebook.com/layer7
enterprise can enable and control access to Microsoft SharePoint without the need for
 Twitter
VPN connections. This solution integrates into the existing environment, including the
@layer7
SSO solution. Once this infrastructure is in place, the enterprise can leverage the same
SecureSpan Gateway to control access to any Web applications and APIs that need to
be consumed by mobile applications.
Layer 7’s comprehensive suite of Mobile Access technologies includes:
• SecureSpan Mobile Access Gateway
Provides Mobile Access to APIs and Web applications and enforces policies for
controlling this access
• Identity Broker
Integrates with backend and externally‐facing identity and access management
(IAM) solutions and brokers between them at runtime
• Layer 7 OAuth Toolkit
Provides a complete OAuth implementation for issuing tokens to mobile
applications consuming APIs plus flexible token/session lifecycle management
Copyright © 2013 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.

2.
Key Features
Mediation & Security for External Access
 Ability to reverse‐proxy Web and API traffic
Reverse‐Proxying
 Support for a wide range of protocols including HTTP(S), WebSocket, (S)FTP(S) and XMPP
 Filter, redact and encrypt content to help identify and suppress leakage of sensitive
information (credit card numbers etc.)
 Configure and deploy the SecureSpan Gateway as part of a PCI‐compliant process using Layer
7’s PCI‐DSS installation and configuration guide
Security & Compliance
 Institute threat protection against SQL injection, denial‐of‐service (DoS) and cross‐site
scripting (XSS) attacks
 Validate HTTP parameters, REST query/POST parameters, JSON data structures, XML
schemas etc.
Auditing/Logging  Record all instances of access to Web applications and APIs
 Policy enforcement
Access Control  Integration with existing IAM and SSO solutions
 Attribute‐based authorization
Identity Brokering
 Authenticate users via form‐based authentication, HTTP Basic, NTLM, mutual authentication
Direct/Indirect or multi‐factor authentication
Authentication  Create and manage sessions directly
 Federate authentication to external SSO systems by redirecting
 Integrate with IAM and SSO solutions including Microsoft Active Directory, CA SiteMinder,
IAM Integration Oracle Access Manager, OpenSSO/OpenAM, Tivoli and custom auth APIs
 Map between external cookie/token and internal cookie/token
OAuth
 Support for OAuth 1.0, 1.0a and 2.0
 Sample applications for each core grant type (authorization code, implicit, password, client
Specification creds) and relevant extension grant types (SAML bearer, JWT), as well as two‐ and three‐
legged scenarios
 Bearer token or MAC token types
 Policy‐based implementation for easy integration with existing APIs and IAM systems
 Out‐of‐the‐box authorization server endpoints and resource server actions
Implementation
 Token lifecycle management through APIs
 Easy token revocation
Supported Standards
HTTP(S), TLS 1.0 to 1.2, WebSocket, XMPP, AMQP, MQ Series, Tibco EMS, (S)FTP(S), WCF, Kerberos, Kerberos Delegation,
Kerberos Constrained Delegation, NTLM, OAuth 2.0, OAuth 1.0, OpenID Connect, SAML 1.1, SAML 2.0, Active Directory, LDAP,
XACML, PKCS, FIPS 140‐2, X.509 Certificates, Apple Push Notifications, Android Notifications, WS‐Security, WS‐Trust,
WS‐Federation, WS‐Addressing, WSSecureConversation, WS‐I BSP, WS‐ MetadataExchange, WS‐Policy, WS‐SecurityPolicy,
WS‐PolicyAttachment, WS‐SecureExchange, WS‐I, WSIL, UDDI, WSRR, MTOM, XML Signature, XML Encryption, XML, SOAP,
REST, XPath, XSLT, WSDL, XML Schema, JSON, JSON Path, JSON Schema
To learn more about Layer 7, call us today at +1‐800‐681‐9377 (toll free within North America) or +1‐604‐681‐9377. You can also: email
us at info@layer7.com; friend us on Facebook at facebook.com/layer7; visit us at layer7.com; follow us on Twitter (@layer7).
Copyright © 2013 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.