Building Extranets with SharePoint

Welcome to the
Minnesota SharePoint
User Group
September 9th, 2009
Building Extranets with SharePoint
Brian Caauwe
http://www.sharepointmn.com
Meeting # 58
Agenda
• Introductions
• Features Alignment
• Break
• Technical Challenges
• Wrap up and Drawing
User Group Goal / Objectives
Develop and support a local community focused on Microsoft SharePoint Technologies
• Educate user group members about SharePoint Technologies
• Transfer knowledge within the community
• Communicate best practices
• Introduce new products / solutions
Introductions – MNSPUG Sponsors
Inetium (www.inetium.com)
• Technology consulting company
• Microsoft Gold Certified Partner
• Practice area focused on SharePoint
New Horizons – Minnesota (www.newhorizonsmn.com)
• Microsoft Gold Certified Partner
• Training on many technologies
Microsoft (www.microsoft.com)
www.sharepointmn.com
• Website for user group
• SharePoint resource documents
• SharePoint resource links
• RSS Feeds
• Meeting Schedule
• Past User Group Presentations
Upcoming Schedule
• Next Meeting
  – October 14th 9:00 AM to 11:30 AM
  – Microsoft’s Bloomington Office
  – Topic: Panel Discussion
  Check www.sharepointmn.com for updates!
• Ongoing Schedule
  – 2nd Wednesday of every month
  – 9:00 to 11:30 am
  – Microsoft’s Bloomington Office
Conferences
SharePoint Conference 2009 – October 19-22, 2009
http://www.mssharepointconference.com
Las Vegas, NV
Local Events
Twin Cities SharePoint Camp – September 19, 2009
http://www.twincitiessharepointcamp.com
Edina, MN
Minneapolis Office Developer Interest Group – October
http://www.sharepointmn.com/MODIG
Topic: SharePoint and Office 2010 stuff…
Announcements
• Microsoft Virtualization: Best Choice for SharePoint
  – http://blogs.msdn.com/sharepoint/archive/2009/09/02/microsoft-virtualization-best-choice-for-sharepoint.aspx
• SharePoint Administration Toolkit v4
  – http://blogs.msdn.com/sharepoint/archive/2009/08/27/announcing-the-fourth-release-of-the-microsoft-sharepoint-administration-toolkit.aspx
• SharePoint in Plain English Video
  – http://www.microsoft.com/video/en/us/details/76e8d3af-c2bd-42a6-bb12-befcbd041bf1
Presentation
Extranet Definition – (ěk'strə-nět‘)
• Merriam Webster: A network (as of a company) similar to an intranet that also allows access by certain others (as customers or suppliers)
• Microsoft - TechNet: An extranet environment is a private network that is securely extended to share part of an organization’s information or processes with remote employees, external partners, or customers.
Scenarios
• Customers
• Partners
• Employees
(Diagram labels: Internet; Extranet with Client / Project Sites and Collaboration; Intranet; Internal Systems)
Collaboration
• Starting point to collaborate with outside sources
• More than just document libraries
  – Project Timelines
  – Tasks Assignment
  – Alerts / Notifications
  – Contact Information
• Be creative with use of lists
  – Surveys
  – Discussion Boards
Portal
• Employee Profile Information
  – MySite public profile
  – Summary Links web part
• Audience Targeting Content
  – Highlight new products / initiatives
  – Push content to internal users
• Site Directory / Navigation
  – Require categories
  – Publishing vs. Collaboration navigation options
• Branding / Consistency
  – Alternate CSS
  – Theme
Search
• Internal People Search
  – Modify People scope for internal only
• Best Bets / Keywords
  – Drive traffic
  – Product name changes
• Scopes and Tabs
  – Think from an internal AND external perspective
• Auditing / Usage analysis
  – Review how people are utilizing search
• Customizing search results
  – Search results are security trimmed
Content Management
• Consistency
  – Page Layouts
  – Master Pages
• Content Types
  – Site Columns
  – Templates
• Versioning
  – Major / Minor
• Pages vs. Lists
• Permissions Management
Business Process
• Out of the box Workflows
  – WSS
  – MOSS
• SharePoint Designer Workflows
  – Out of the box options
  – Custom activities: http://www.codeplex.com/SPDActivities
• InfoPath
  – Forms Services
  – Publishing with multiple URLs
• Custom List Forms
  – New
  – Edit
  – Display
Business Intelligence
• Dashboards
  – Key Performance Indicators
  – Connected web parts
• Excel Services
  – Provide read only system data
  – Build charts, graphs
• Business Data Catalog
  – Tag items with business data
  – Search business data
Challenges
• Information Accessibility
• Authenticating Users
• Ensuring a secure environment
• Maintaining a corporate image
• How is an extranet licensed
• Extranet Governance
Break
Challenges : Information Accessibility
• Where are my servers located?
• How is my firewall affected?
• What other related products do I need to consider?
• Does this require high availability?
• How do I ensure authentication is secured?
• How does this affect my SharePoint architecture?
Architecture
• Server Locations
  – Inside network
  – Perimeter network
  – Colocation environment
• Combine hardware
  – Intranet
  – Extranet
  – Internet
• Firewall Configuration
• ISA Server / TMG Server / IAG
• Load balancing for high availability
Architecture (cont’d)
• Authentication
  – Domain Trusts
  – LDAP / SQL
  – Federation
• SSL for authentication
• SharePoint Architecture
  – Web Applications / SSP alignment
  – Sites / Site Collections (security inheritance … good & bad)
Challenges : Authenticating Users
• How do users log in?
• Where are their credentials stored?
• What is the user experience?
• How is client integration affected?
Authentication
• Windows Authentication
  – NTLM
  – Kerberos
• Web Single Sign-On (Federation / ADFS)
• URL Challenge for multiple authentication types
Authentication (cont’d)
• Forms Based Authentication
  – Windows Live: http://spwla.codeplex.com
  – SQL: http://fba.codeplex.com
  – ADAM: http://www.microsoft.com/downloads/details.aspx?FamilyId=D9AF2C25-989C-45C4-8008-1F15722190ED&displaylang=en
• Managing Users
  – IIS 7.0 Management Utilities
  – ASP.NET Membership Provider (Development)
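The SQL option above is wired up through the web application's web.config, and that file is where most extranet FBA mistakes live. The block below is an added example, not code from the deck or from the fba.codeplex.com project: it parses a constructed web.config fragment, flags the SqlMembershipProvider and forms-cookie settings that weaken an extranet login (clear-text password storage, password retrieval, no lockout, cookie allowed over HTTP) and emits the corrected fragment. The provider name `FbaMembers`, the connection string name and the thresholds are this example's own choices; the attribute names are the standard ASP.NET membership and forms-authentication attributes.

```python
"""Audit and harden the forms-based authentication (FBA) settings of a
MOSS 2007 web application's web.config.
Added example; the web.config fragment below is constructed."""
import xml.etree.ElementTree as ET

# Constructed fragment: a SqlMembershipProvider left at weak settings.
# Provider/connection names are this example's own; attribute names are the
# standard ASP.NET membership and forms-authentication attributes.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" requireSSL="false" timeout="600" />
    </authentication>
    <membership defaultProvider="FbaMembers">
      <providers>
        <add name="FbaMembers" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="FbaDb" applicationName="/"
             passwordFormat="Clear" enablePasswordRetrieval="true"
             minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
             maxInvalidPasswordAttempts="100" passwordAttemptWindow="1" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Target values applied by harden_fba (thresholds chosen for this example).
HARDENED = {
    "passwordFormat": "Hashed",          # no clear-text or reversible storage
    "enablePasswordRetrieval": "false",  # mandatory once Hashed is used
    "minRequiredPasswordLength": "8",
    "minRequiredNonalphanumericCharacters": "1",
    "maxInvalidPasswordAttempts": "5",   # lock out after 5 failures ...
    "passwordAttemptWindow": "10",       # ... within a 10 minute window
}

def _system_web(root):
    return next(e for e in root if e.tag == "system.web")

def _provider(system_web):
    """The membership <add> element named by defaultProvider."""
    membership = system_web.find("membership")
    name = membership.get("defaultProvider")
    for add in membership.findall("providers/add"):
        if add.get("name") == name:
            return add
    raise ValueError("membership provider %r not found" % name)

def audit_fba(config_xml):
    """Return one finding per weak setting; an empty list means clean."""
    sw = _system_web(ET.fromstring(config_xml))
    findings = []
    auth = sw.find("authentication")
    forms = sw.find("authentication/forms")
    if auth is None or auth.get("mode") != "Forms":
        findings.append("authentication mode is not Forms")
    elif forms is None or forms.get("requireSSL", "false").lower() != "true":
        findings.append("forms cookie lacks requireSSL=true: credentials and the auth cookie can travel over HTTP")
    p = _provider(sw)
    if p.get("passwordFormat", "Hashed") != "Hashed":
        findings.append("passwordFormat=%s: use Hashed" % p.get("passwordFormat"))
    if p.get("enablePasswordRetrieval", "false").lower() == "true":
        findings.append("enablePasswordRetrieval=true: stored passwords are recoverable")
    if int(p.get("minRequiredPasswordLength", "7")) < 8:
        findings.append("minRequiredPasswordLength below 8")
    if int(p.get("minRequiredNonalphanumericCharacters", "1")) < 1:
        findings.append("no non-alphanumeric character required")
    if int(p.get("maxInvalidPasswordAttempts", "5")) > 5:
        findings.append("maxInvalidPasswordAttempts above 5: lockout is ineffective")
    if int(p.get("passwordAttemptWindow", "10")) < 10:
        findings.append("passwordAttemptWindow under 10 minutes")
    return findings

def harden_fba(config_xml):
    """Return the same config with the forms cookie and provider set to HARDENED."""
    root = ET.fromstring(config_xml)
    sw = _system_web(root)
    sw.find("authentication/forms").set("requireSSL", "true")
    provider = _provider(sw)
    for key, value in HARDENED.items():
        provider.set(key, value)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for finding in audit_fba(WEAK_WEB_CONFIG):
        print("WEAK:", finding)
    print("after hardening:", audit_fba(harden_fba(WEAK_WEB_CONFIG)))
```

Two caveats worth keeping in mind when applying this: the ASP.NET provider refuses `enablePasswordRetrieval="true"` together with `passwordFormat="Hashed"`, so both settings have to change together, and the same membership provider block has to exist in the Central Administration web.config or the People Picker will not resolve FBA users when you assign permissions.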
Challenges : Ensuring a secure environment
• What tools are available?
• How can I secure my farm?
• How do I ensure site privacy?
• Do I need additional anti-virus protection?
Security: Hardening
• Extranet Hardening Tool
• Security Compliance Management Toolkit (Group Policy Accelerator)
  – Server 2003: http://technet.microsoft.com/en-us/library/cc163140.aspx
  – Server 2008: http://technet.microsoft.com/en-us/library/cc514539.aspx
• Server Permission modification
• Non-standard ports (proxy)
• Forefront
Security: Hardening (cont’d)
• Extranet Hardening Tool: Back-to-back perimeter
  – Visio Template: http://go.microsoft.com/fwlink/?LinkId=85531&clcid=0x409
Extranet hardening planning tool: Back-to-back perimeter
Use this planning tool with the following article: Plan security hardening for extranet environments (http://go.microsoft.com/fwlink/?LinkId=85531&clcid=0x409)

Topology (diagram summarized): Users on the Internet reach Router/Firewall A and ISA Server A, then the Perimeter Network. Router/Firewall B and ISA Server B separate the perimeter from the Corporate Network (Router B, Administrator Workstation, Content staging farm, corporate Active Directory Domain Controller). Content publishing from the staging farm into the perimeter farm is a one-way data stream. The routers illustrated can be exchanged for firewalls.
• Layer 1, Web Servers: Web Server; Web Server & Query Server
• Layer 2, Application Servers and Database Servers: Central Administration, Index Server, Query Server, Excel Calculation Services, SQL Server
• Layer 3, DNS and Domain Controller: Active Directory Domain Controller, DNS

Ports and protocol requirements
• Client access (Users, Router/Firewall A, ISA Server A to Layer 1 Web servers) — one or more of the following:
  – TCP 80
  – TCP 443 (SSL)
  – Custom ports (additional ports to access additional Web applications)
• Web servers and application/database servers (Layer 1 and Layer 2):
  – File and printer sharing service — either TCP/UDP 445 (SMB, recommended) or TCP/UDP 137, 138, 139 (NetBIOS over TCP/IP; disable if not used)
  – Office Server Web Services — TCP 56737, TCP 56738 (SSL)
  – Database communication — TCP/SSL 1433 (default instance); TCP/SSL random ports for a named instance, customizable
  – Search crawling — depending on how authentication is configured: TCP 80, TCP 443 (SSL) or custom ports
  – Single Sign-on Service — TCP 135 and either static RPC on restricted high ports (recommended) or dynamic RPC on random high ports in the range TCP 1024-65535
  – TCP/UDP 135 (RPC) * The diagram marks this port as required only if the query role is deployed to Layer 2 (application-server option) or only if the query role is deployed to Web servers in Layer 1 (web-server option)
• Domain controller and DNS (Layers 1 and 2 to Layer 3; Layer 3 to the corporate domain controller):
  – TCP/UDP 389 by default, customizable (LDAP)
  – TCP 636 by default, customizable (LDAP SSL)
  – TCP 3268 (LDAP GC)
  – TCP 3269 (LDAP GC SSL)
  – TCP/UDP 53 (DNS)
  – TCP/UDP 88 (Kerberos)
  – TCP/UDP 445 (Directory Services)
  – TCP/UDP 749 (Kerberos-Adm) *
  – TCP 750 (Kerberos-IV) *
  * Only required to maintain a domain trust relationship between the perimeter domain and the corporate domain.
• Outgoing e-mail (optional) — TCP 25 (SMTP): route outgoing e-mail through either SMTP or a dedicated e-mail server
• Content publishing (Content staging farm to the perimeter farm, one-way):
  – Port number of the Central Administration site on the destination server farm
  – TCP 80 or TCP 443 (SSL) — for SOAP and HTTP Post

This back-to-back perimeter network topology diagram illustrates the server and client roles across an extranet environment. The purpose of the diagram is to articulate each of the possible roles and their relationship to the overall environment. Consequently, the query role appears twice. In an actual implementation, the query role is deployed either on Web servers or as an application server, but not both. Moreover, if the query role is deployed to the Web servers, it is deployed to all Web servers in a farm. For the purpose of communicating hardening requirements, the diagram illustrates all options.
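The port table is only as good as the firewall rule set that implements it, and rule sets drift. The block below is an added example, not part of the planning tool: it encodes the documented flows for one topology choice (query role on the web servers, SQL default instance, SMB on TCP 445) and reviews a constructed rule set against them, flagging rules with no documented flow, rules that reverse the one-way publishing path, and wildcard-port rules. The zone names and the proposed rules are this example's assumptions.

```python
"""Review a proposed firewall rule set for a back-to-back SharePoint
perimeter against the flows in the hardening planning tool.
Added example; zone names and the rule set under review are constructed."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port")

# Zones of the back-to-back perimeter (names are this example's own).
INTERNET, L1, L2, L3, CORP = "internet", "layer1-web", "layer2-app-db", "layer3-dc", "corporate"

# Directory/DNS ports every perimeter server needs towards Layer 3.
DC_PORTS = [("tcp", 389), ("udp", 389), ("tcp", 636), ("tcp", 3268), ("tcp", 3269),
            ("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("tcp", 445), ("udp", 445)]
# Only needed when the perimeter domain trusts the corporate domain.
TRUST_PORTS = [("tcp", 749), ("udp", 749), ("tcp", 750)]

def documented_flows(query_on_web_servers=True, domain_trust=False):
    """Flows the planning tool lists for the chosen topology options."""
    flows = {
        Flow(INTERNET, L1, "tcp", 80), Flow(INTERNET, L1, "tcp", 443),  # client access
        Flow(L1, L2, "tcp", 1433),                                       # SQL default instance
        Flow(L1, L2, "tcp", 56737), Flow(L1, L2, "tcp", 56738),          # Office Server Web Services
        Flow(L2, L1, "tcp", 80), Flow(L2, L1, "tcp", 443),               # search crawling
        Flow(L1, L2, "tcp", 445), Flow(L2, L1, "tcp", 445),              # SMB file sharing
        Flow(CORP, L2, "tcp", 443),                                      # content publishing, one way
    }
    if query_on_web_servers:
        flows |= {Flow(L2, L1, "tcp", 135), Flow(L2, L1, "udp", 135)}    # RPC to query on web tier
    for zone in (L1, L2):
        flows |= {Flow(zone, L3, p, n) for p, n in DC_PORTS}
    if domain_trust:
        flows |= {Flow(L3, CORP, p, n) for p, n in DC_PORTS + TRUST_PORTS}
    return flows

def review_rules(rules, allowed):
    """Return one finding per rule that is not backed by a documented flow.
    A rule's port is an int or 'any'; 'any' is always a finding because the
    planning tool enumerates specific ports."""
    findings = []
    for r in rules:
        if r.port == "any":
            findings.append("%s -> %s %s/any: wildcard port, enumerate the required ports"
                            % (r.src, r.dst, r.proto))
        elif r not in allowed:
            reverse = Flow(r.dst, r.src, r.proto, r.port)
            why = "reverse of a one-way flow" if reverse in allowed else "not in the planning tool"
            findings.append("%s -> %s %s/%s: %s" % (r.src, r.dst, r.proto, r.port, why))
    return findings

# Constructed rule set under review: four legitimate rules and three that should not ship.
PROPOSED_RULES = [
    Flow(INTERNET, L1, "tcp", 443),
    Flow(L1, L2, "tcp", 1433),
    Flow(L1, L3, "tcp", 389),
    Flow(CORP, L2, "tcp", 443),
    Flow(INTERNET, L2, "tcp", 1433),   # SQL exposed to the Internet
    Flow(L2, CORP, "tcp", 443),        # perimeter initiating into corporate: breaks one-way publishing
    Flow(L1, L2, "tcp", "any"),        # "web tier to app tier, everything"
]

if __name__ == "__main__":
    for line in review_rules(PROPOSED_RULES, documented_flows()):
        print(line)
```

Named SQL instances, custom web application ports and the NetBIOS fallback are deliberately left out of `documented_flows`; add them as explicit `Flow` entries rather than widening a rule to `"any"`, which is exactly the drift the review is meant to catch.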
Security: SharePoint Permissions
• Active Directory Groups
• SharePoint Groups
• Forms Based Authentication Users and Roles
• People Picker
  – FBA considerations
  – Additional domains
• SharePoint Admin Toolkit – Permissions Reporting Tool
  – http://blogs.msdn.com/sharepoint/archive/2009/08/27/announcing-the-fourth-release-of-the-microsoft-sharepoint-administration-toolkit.aspx
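The "security inheritance … good & bad" point from the Architecture slide and the "search results are security trimmed" point from the Search slide come down to the same question: at each site, list and item, which principals end up with a role? The block below is an added example with constructed data, not the Permissions Reporting Tool or any SharePoint API: it models inherited versus unique permissions on a small extranet site collection, reports what an FBA partner role can reach, and shows both failure modes (a root-level grant flowing into an internal subsite, and a subsite with unique permissions keeping a grant after it is revoked at the root). URLs and principal names are this example's own.

```python
"""Model SharePoint permission inheritance (site collection -> site -> list)
and report which securable objects an external principal can reach.
Added example with constructed data; not the Permissions Reporting Tool."""

class SecurableObject:
    """A site, list or item. Role assignments are either inherited from the
    parent or unique (after inheritance is broken the node keeps its own copy)."""

    def __init__(self, url, parent=None, unique=None):
        self.url, self.parent, self.children = url, parent, []
        self.unique = dict(unique) if unique is not None else None
        if parent is not None:
            parent.children.append(self)

    def role_assignments(self):
        """Effective {principal: role}: the nearest ancestor with unique permissions."""
        node = self
        while node.unique is None:
            node = node.parent
        return node.unique

    def break_inheritance(self):
        """Like 'Edit Permissions' in the UI: snapshot the inherited assignments,
        then stop following the parent. Later changes at the parent no longer apply."""
        if self.unique is None:
            self.unique = dict(self.role_assignments())

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()

def reachable_by(root, principals):
    """URLs where any of the principals holds a role. This is also what a
    security-trimmed search result set for those principals would contain."""
    return [n.url for n in root.walk() if set(n.role_assignments()) & set(principals)]

EXTERNAL = {"fba:partners"}            # FBA role used for partner accounts (constructed)

def build_site():
    """Constructed extranet site collection: partners granted Read at the root."""
    root = SecurableObject("/sites/extranet",
                           unique={"ad:employees": "Full Control", "fba:partners": "Read"})
    SecurableObject("/sites/extranet/acme", root)                   # partner project, inherits
    pricing = SecurableObject("/sites/extranet/pricing", root)      # internal, but inherits too
    SecurableObject("/sites/extranet/pricing/Lists/Rates", pricing)
    return root

def find(root, url):
    return next(n for n in root.walk() if n.url == url)

def visible_before_fix():
    """The 'bad' side of inheritance: a root-level grant flows into every
    subsite and list that never broke inheritance, including internal ones."""
    return reachable_by(build_site(), EXTERNAL)

def visible_after_fix():
    """Break inheritance on the internal subsite and drop the partner grant there."""
    root = build_site()
    pricing = find(root, "/sites/extranet/pricing")
    pricing.break_inheritance()
    del pricing.unique["fba:partners"]
    return reachable_by(root, EXTERNAL)

def stale_after_root_revoke():
    """The other edge: a subsite with unique permissions keeps the partner grant
    even after it is revoked at the root, so revocation must be checked per node."""
    root = build_site()
    acme = find(root, "/sites/extranet/acme")
    acme.break_inheritance()            # snapshot taken while partners had Read
    del root.unique["fba:partners"]     # revoke at the site collection root
    return reachable_by(root, EXTERNAL)

if __name__ == "__main__":
    print("before:", visible_before_fix())
    print("after fix:", visible_after_fix())
    print("stale grant:", stale_after_root_revoke())
```

The practical rule this illustrates: grant external principals as low in the tree as possible, and when offboarding a partner, enumerate every object with unique permissions rather than trusting a change at the root.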
Challenges : Maintaining a corporate image
• How is branding an extranet different than an intranet or public internet site?
• How do I retain a similar look and feel?
• How do I ensure appropriate content is viewable?
• How do I integrate external company logos?
Branding / Content Management
• Scenarios
  – Intranet
  – Extranet
  – Public Internet
• Consistency
  – Page layouts
  – Master pages
• Approval
  – Approval Workflow
  – Moderators
• Co-branding
  – Combined user experience
Challenges : How is an extranet licensed
• Do I need an External Connector?
• What do I need for CALs?
• How do I license SQL?
• Does it matter what approach is used for authentication?
Licensing : Company A
• Employee Portal
  – Authenticated Employees must have CALs
• Partner / Customer Extranet
  – Authenticated Employees must have CALs
  – Authenticated Non-Employee users can have CALs or an External Connector
  – SQL External Connector required for non-employees
  – Employees authenticate using Active Directory
  – Non-Employees authenticate using SQL FBA
Licensing : Company B
• Partner / Customer Extranet
  – Authenticated Employees must have CALs
  – Authenticated Non-Employee users can have CALs or an External Connector
  – SQL External Connector required for non-employees
  – Employees authenticate using Active Directory
  – Non-Employees authenticate using Windows Live FBA
• Anonymous Access Portal
  – Authenticated Employees must have CALs for content management
  – Anonymous access requires an External Connector
  – SQL External Connector required for non-employees
  – Employees authenticate using Active Directory
Licensing
• Contact your licensing representative
• MOSS 2007 FAQ – Licensing
  – http://office.microsoft.com/en-us/sharepointserver/HA101655351033.aspx#2
Challenges : Extranet Governance
• What are the expected Service Level Agreements?
• How are end users trained?
• What is the expected lifecycle of information?
• Do I need to manage quotas for storage?
• Do I need to manage multi-lingual sites?
• How is extranet information communicated to external users?
• What is acceptable use of the extranet?
Extranet Governance
• Service Level Agreements
  – Patch Management
  – Backup / Recovery
• Training
  – Frequently Asked Questions
  – SharePoint Training Kit: http://www.microsoft.com/downloads/details.aspx?familyid=673DC932-626A-4E59-9DCA-16D685600A51&displaylang=en
• Information Lifecycle
  – Site lifecycle
  – Content lifecycle
• Storage
  – Site Collection Quota
  – Content Database footprint
Extranet Governance (cont’d)
• Multi-Lingual
  – Language Packs
  – Variations
• Communication
  – Internal Communication
  – External Communication
• Acceptable Use
  – Publishing Content
  – Collaboration Content
Q&A
References
• Microsoft
  – Extranet Collaboration Toolkit: http://www.microsoft.com/downloads/details.aspx?FamilyId=D9AF2C25-989C-45C4-8008-1F15722190ED&displaylang=en
  – Extranet Hardening Tool: http://go.microsoft.com/fwlink/?LinkId=85531&clcid=0x409
  – MOSS 2007 FAQ: http://office.microsoft.com/en-us/sharepointserver/HA101655351033.aspx#2
  – Security Compliance Management Toolkit (Group Policy Accelerator)
    • Server 2003: http://technet.microsoft.com/en-us/library/cc163140.aspx
    • Server 2008: http://technet.microsoft.com/en-us/library/cc514539.aspx
  – SharePoint Admin Toolkit: http://blogs.msdn.com/sharepoint/archive/2009/08/27/announcing-the-fourth-release-of-the-microsoft-sharepoint-administration-toolkit.aspx
  – SharePoint Training Kit: http://www.microsoft.com/downloads/details.aspx?familyid=673DC932-626A-4E59-9DCA-16D685600A51&displaylang=en
References (cont’d)
• Codeplex
  – Custom activities: http://www.codeplex.com/SPDActivities
  – FBA SQL Management: http://fba.codeplex.com
  – Windows Live: http://spwla.codeplex.com