A challenge that a lot of companies face is how to design a SharePoint architecture where internal as well as external people can collaborate around documents.
Most common constraints:
- Internal people from your company should have a seamless experience where they don't need to log on separately to the SharePoint environment.
- Data and documents should only reside in one place
- Provide a secure solution.
When you encounter something like this, there are a number of decisions to be made:
- Which topology?
- Authentication: how will external users authenticate?
- Account management
- Isolation of external accounts
Discussion about topology
The most common options are described within this article - Design Extranet topology - http://technet.microsoft.com/en-us/library/cc263513.aspx.
1. Perimeter proxy/edge firewall topology - intranet.
2. Back to back perimeter topology.
3. Back to back perimeter topology with content publishing (Not relevant in current scenario)
4. Back to back perimeter topology optimized for hosting static content (Not relevant in current scenario)
5. Split back to back topology
If you have a pure collaboration scenario (no publishing), only options 1, 2 and 5 are relevant.
Perimeter proxy/edge firewall topology
This is the simplest solution: a reverse proxy server sits on the border between the Internet and the corporate network to intercept requests and then forward them to the appropriate Web server located in the corporate network. The disadvantage is that there is only one boundary between the Internet and your corporate network.
Back to back perimeter topology
A separate farm is set up in the perimeter/DMZ. You can create a separate Active Directory in your perimeter to manage external accounts.
Split back to back topology
Database servers reside within the corporate network; the other servers reside within the perimeter.
Another interesting post which you might want to take a look at is Plan security hardening for extranet environments - http://technet2.microsoft.com/windowsserver/WSS/en/library/5b000a77-471a-400d-b446-aa68a9526f3e1033.mspx?mfr=true - and if you are not that familiar with ISA firewalls, these are definitely must-reads:
- http://www.isaserver.org/tutorials/Teaching-Boss-Network-ISA-Firewall-Part1.html
- http://www.isaserver.org/tutorials/Teaching-Boss-Network-ISA-Firewall-Part2.html
- http://www.isaserver.org/tutorials/Teaching-Boss-Network-ISA-Firewall-Part3.html
In a future post I will talk about authentication and management of external accounts.
Damn interesting! Thanks.
Serge Luca
Thanks for this information. By the way, have you posted the follow-up on authentication yet?
Excellent intranet info ...