Thursday, May 08, 2008

SharePoint Extranet Topology

A challenge that a lot of companies face is how to design a SharePoint architecture where internal as well as external people can collaborate around documents.

Most common constraints:

  • Internal people from your company should have a seamless experience where they don't need to log on separately to the SharePoint environment.
  • Data and documents should only reside in one place.
  • Provide a secure solution.

When you encounter something like this, there are a number of decisions to be made:

  • Which topology?
  • Authentication: how will external users authenticate?
  • Account management
  • Isolation of external accounts

Discussion about topology

The most common options are described in the article Design Extranet topology.

1. Perimeter proxy/edge firewall topology - intranet.

2. Back to back perimeter topology.

3. Back to back perimeter topology with content publishing (Not relevant in current scenario)

4. Back to back perimeter topology optimized for hosting static content (Not relevant in current scenario)

5. Split back to back topology

If you have a pure collaboration scenario (no publishing), only options 1, 2 and 5 are relevant.

Perimeter proxy/edge firewall topology

This is the simplest solution, where a reverse proxy server sits on the border between the Internet and the corporate network to intercept and then forward requests to the appropriate Web server located in the corporate network. The disadvantage is that there is only one boundary between the Internet and your corporate network.

Back to back perimeter topology

A separate farm is set up in the perimeter/DMZ. You can create a separate Active Directory in your perimeter to manage external accounts.

Split back to back topology

The database servers reside within the corporate network; the other servers reside within the perimeter.

Another interesting post which you might want to take a look at is Plan security hardening for extranet environments. And if you are not that familiar with ISA firewalls, these are definitely must-reads:

In a later post I will talk about authentication and management of external accounts.


Anonymous said...

damn interesting! thanks

Serge Luca

Anonymous said...

Thanks for this information. By the way, have you posted the follow-up on authentication yet?

sharepoint @ decatec said...

Excellent intranet info ...