sharepoint.microsoft.com

IT13 - Extranets and Internet Facing Environments in the Real World Deployment and Management European Microsoft SharePoint Conference 2007 February 12th to 14th, 2007 Convention Center Hotel Estrel, Berlin, Germany

Transcript of sharepoint.microsoft.com

Page 1: sharepoint.microsoft.com

IT13 - Extranets and Internet Facing Environments in the Real World: Deployment and Management

European Microsoft SharePoint Conference 2007
February 12th to 14th, 2007
Convention Center Hotel Estrel, Berlin, Germany

Page 2: sharepoint.microsoft.com

Important

If you’re looking for the “Building Internet Facing SharePoint Sites” session, it’s tomorrow (Wednesday) at 11:45 AM. This session is about how MS IT implemented SharePoint extranets and Internet-accessible internal applications.

Page 3: sharepoint.microsoft.com

Agenda

Three extranet/Internet facing case studies
  Key features
  Challenges
  Today’s workarounds
  2007 enhancements

Secure, flexible, scalable topologies

Demo
  ISA 2006 web publishing
  Exchange 2007 offline SharePoint files

Page 4: sharepoint.microsoft.com

Three Scenarios

MS IT hosted collaboration extranet
  For collaboration with business partners

MCS Intellectual Capital Exchange
  For MS consultants on site with customers

Enterprise intranet web presence
  For employees working away from work

Page 5: sharepoint.microsoft.com

Terms

Authentication – who you are
Authorization – what can you do
Alternate domain (namespace) – “Zones”
  Domains used to access a single set of content, e.g.
  http://customer
  https://customer.domain.com

Web Application = IIS Virtual Server = IIS Web Site

Page 6: sharepoint.microsoft.com

Three Scenarios

MS IT hosted collaboration extranet
  For collaboration with business partners

MCS Intellectual Capital Exchange
  For MS consultants on site with customers

Enterprise intranet web presence
  For employees working away from work

Page 7: sharepoint.microsoft.com

Key Features

Feature matrix with one column per scenario (Partner Collaboration, ICE, SPSites) and one row per feature:
  WSS Hosting
  My Site Hosting
  Site Directory
  Search
  Areas
  AD Accounts
  Partner Account Access

Page 8: sharepoint.microsoft.com

Microsoft Partner Collaboration

Three regional farms, each with its own wildcard extranet namespace:
  Redmond (Americas Team): https://*.team.extranet.microsoft.com
  Dublin (Europe ETeam): https://*.eteam.extranet.microsoft.com
  Singapore (Asia/South Pacific SPTeam): https://*.spteam.extranet.microsoft.com

Page 9: sharepoint.microsoft.com

Issues

Authentication
  Two factor?

Account management
  AD Account Creation Mode?

Isolation of partner accounts
  Separate AD forest?

Page 10: sharepoint.microsoft.com

Workarounds for SharePoint 2003

Authentication
  Basic over SSL with logout button
  Auth delegation with ISA 2006 support for forms and cookies

Account management
  Managed partner forest
  Custom web account provisioning

Isolation of partner access
  Separate farm in DMZ

Page 11: sharepoint.microsoft.com

Enhancements in SharePoint 2007

Authentication
  Pluggable authentication (ASP.NET 2.0)
  Forms based authentication (FBA) with cookies
  ADFS federation with Passport/LiveID, others

Account management
  LDAP directories
  Users database (SQL Server, etc.)

Isolation of partner access
  Application isolation with Web application
  Multiple authentication providers

Page 12: sharepoint.microsoft.com

ASP.NET 2.0 Authentication

Pluggable authentication provider framework
  User identity is independent from Windows or Active Directory identity
  Custom code to handle authentication
  Two related providers
    Membership – user identities
    Role – roles/groups/attributes for a user

Out of the box providers
  LDAP v3 (provided by MOSS 2007)
  SQL Server (ASP.NET 2.0)
  AD – single domain only (ASP.NET 2.0)

Page 13: sharepoint.microsoft.com

ASP.NET Authentication Limitations

Browser clients only
  Search crawler must use Windows account
  Office client interaction degraded due to lack of FBA support

One authentication type per web application

Forms over Windows accounts
  Forms user not the same as Windows user

Page 14: sharepoint.microsoft.com

Three Scenarios

MS IT hosted collaboration extranet
  For collaboration with business partners

MCS Intellectual Capital Exchange
  For MS Consultants on site with customers

Enterprise intranet web presence
  For employees working away from work

Page 15: sharepoint.microsoft.com

Key Features

Feature matrix with one column per scenario (Partner Collaboration, Consultant Portal, SPSites) and one row per feature:
  WSS Hosting
  My Site Hosting
  Site Directory
  Search
  Areas
  AD Accounts
  Partner Account Access

Page 16: sharepoint.microsoft.com

ICE Topology

ICE portal, reached through two zones:
  http://ice
  https://ice.partners.extranet.microsoft.com

Structure:
  Topics and Areas
  Sub Areas
  My ICE

Page 17: sharepoint.microsoft.com

Challenges

Granular security
Cross Browser Compatibility
Reverse publishing/zones

Page 18: sharepoint.microsoft.com

Workarounds for SharePoint 2003

Granular security
  IRM’d documents

Cross Browser Compatibility
  End user education re: deprecated functionality

Reverse publishing/zones
  Use ISA web publishing for reverse proxying
  Zones in WSS 2.0 SP2

Page 19: sharepoint.microsoft.com

Enhancements in SharePoint 2007

Granular security
  Item level security
  Server side IRM policy enforcement

Cross Browser Compatibility
  Improved cross browser support

Reverse publishing/zones
  No absolute URLs
  Support for reverse proxy
  Zone based policy support

Page 20: sharepoint.microsoft.com

Three Scenarios

MS IT hosted collaboration extranet
  For collaboration with business partners

MCS Intellectual Capital Exchange
  For consultants on site with customers

Enterprise intranet web presence
  For employees working away from work

Page 21: sharepoint.microsoft.com

Key Features

Feature matrix with one column per scenario (Partner Collaboration, Consultant Portal, Employee Portal) and one row per feature:
  WSS Hosting
  My Site Hosting
  Site Directory
  Search
  Areas
  AD Accounts
  Partner Account Access

Page 22: sharepoint.microsoft.com

SpSites Topology

https://spsites.microsoft.com
  10,000’s of WSS Sites
  10,000’s of My Sites
  Site Directory
  Profiles

Page 23: sharepoint.microsoft.com

Challenges

Cross forest add user (people picker)
Delegation of Shared Services (Search)
Multilingual MySites
Authentication token timeout

Page 24: sharepoint.microsoft.com

Workarounds for SharePoint 2003

Cross forest add user (people picker)
  Custom developed UI using profiles

Delegation of Shared Services (Search)
  Build custom UI with delegation

Multilingual MySites
  Content editor web parts (not full solution)

Authentication token timeout
  Custom “logout” button

Page 25: sharepoint.microsoft.com

Enhancements in SharePoint 2007

Cross forest add user (people picker)
  Cross forest support – stsadm command

Delegation of Shared Services (Search)
  Delegation with security trimmed UI

Multilingual MySites
  User chooses site language during provisioning

Authentication token timeout
  Forms authorization and expiring cookie support
  “Logout” button built-in
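The two authentication items above, the pluggable Membership/Role provider model from the ASP.NET 2.0 Authentication slide (Page 12) and the expiring forms cookie that addresses the authentication token timeout on this slide, both land in the web.config of the SharePoint 2007 web application zone that faces the partners. The fragment below is an added example, not taken from the deck or from MS IT's deployment: it switches one zone to forms-based authentication with a fixed (non-sliding) ticket lifetime, registers the LDAP v3 membership and role providers that ship with MOSS 2007, and shows the ASP.NET 2.0 SQL Server membership provider as the alternative user store. The LDAP host, container DNs, provider names, cookie name and connection string name are placeholders.

```xml
<!-- Added example (not from the deck): web.config excerpt for the extranet zone of a
     SharePoint 2007 web application. Host names, DNs, provider and cookie names are
     placeholders; the provider type names and public key tokens are the shipped ones. -->
<configuration>
  <connectionStrings>
    <!-- Only needed if the SQL Server membership provider below is used -->
    <add name="ExtranetUsers"
         connectionString="Data Source=SQLHOST;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>

  <system.web>
    <!-- Forms authentication for this zone only; other zones of the same web application
         can keep Windows authentication, so employees and the crawler still use AD.
         timeout is in minutes. slidingExpiration="false" makes the ticket expire at a fixed
         time instead of being renewed on every request, so an abandoned browser on a
         customer site cannot keep a session alive indefinitely. requireSSL keeps the
         cookie off plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx"
             name=".EXTRANETAUTH"
             timeout="30"
             slidingExpiration="false"
             requireSSL="true"
             protection="All" />
    </authentication>

    <!-- Membership provider: where user identities live. Partner accounts stay in a
         separate LDAP directory, never in the corporate forest. LDAPS on 636 keeps
         credentials off the wire between the WFE and the directory. -->
    <membership defaultProvider="ExtranetLdapMembership">
      <providers>
        <add name="ExtranetLdapMembership"
             type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="ldap.partners.example"
             port="636"
             useSSL="true"
             userDNAttribute="distinguishedName"
             userNameAttribute="sAMAccountName"
             userContainer="OU=Partners,DC=partners,DC=example"
             userObjectClass="person"
             userFilter="(ObjectClass=person)"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />

        <!-- Alternative user store: the ASP.NET 2.0 SQL Server provider against aspnetdb.
             Hashed passwords and a minimum length are set explicitly rather than inherited. -->
        <add name="ExtranetSqlMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ExtranetUsers"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>

    <!-- Role provider: groups/attributes for a user, used when granting permissions
         to a group of partner accounts instead of to individuals. -->
    <roleManager enabled="true" defaultProvider="ExtranetLdapRoles">
      <providers>
        <add name="ExtranetLdapRoles"
             type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="ldap.partners.example"
             port="636"
             useSSL="true"
             groupContainer="OU=PartnerGroups,DC=partners,DC=example"
             groupNameAttribute="cn"
             groupMemberAttribute="member"
             userNameAttribute="sAMAccountName"
             dnAttribute="distinguishedName"
             groupFilter="(ObjectClass=group)"
             scope="Subtree" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The same membership and role providers also have to be registered in the Central Administration web.config, otherwise the people picker in Central Administration cannot resolve partner accounts when site collection administrators are assigned, and the zone's authentication provider must be switched to Forms in Central Administration for the configuration to take effect. The limitation on Page 13 still applies: the search crawler and Office client integration continue to use the Windows-authenticated zone.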

Page 26: sharepoint.microsoft.com

Secure, Scalable, Flexible Topologies

Page 27: sharepoint.microsoft.com
Page 28: sharepoint.microsoft.com

Perimeter Proxy (Reverse Proxy/Web Publishing)

Internet | Perimeter Network | Corporate Network
  Perimeter Network: ISA Server (web publishing)
  Corporate Network: Network Load Balanced Web Front-End Servers, Application Servers, SQL Server

Page 29: sharepoint.microsoft.com

Back To Back Perimeter

Internet | Perimeter Network | Corporate Network
  Internet edge: ISA Server
  Perimeter Network: Network Load Balanced Web Front-End Servers, Application Servers, SQL Server
  Corporate edge: ISA Server

Page 30: sharepoint.microsoft.com

Back To Back Perimeter With Publishing

Internet | Perimeter Network | Corporate Network
  Internet edge: ISA Server
  Perimeter Network: Network Load Balanced Web Front-End Servers, Application Servers, SQL Server
  Corporate edge: ISA Server
  Corporate Network: authoring farm with Network Load Balanced Web Front-End Servers, Application Servers, SQL Server; Authors work here
  Content flow: PUBLISH from the corporate farm to the perimeter farm

Page 31: sharepoint.microsoft.com

Back To Back Perimeter With Publishing And Content Caching

Internet | Perimeter Network | Corporate Network
  Internet edge: Cached Array of ISA Servers
  Perimeter Network: Network Load Balanced Web Front-End Servers, Application Servers, SQL Server
  Corporate edge: ISA Server
  Corporate Network: authoring farm with Network Load Balanced Web Front-End Servers, Application Servers, SQL Server; Authors work here
  Content flow: PUBLISH from the corporate farm to the perimeter farm

Page 32: sharepoint.microsoft.com
Page 33: sharepoint.microsoft.com

4-Factor Authentication with ISA 2006

Page 34: sharepoint.microsoft.com

1st Factor: Smart Card

https://portal.public.microsoft.com

Page 35: sharepoint.microsoft.com

2nd Factor: Smart Card

Page 36: sharepoint.microsoft.com

3rd Factor: Smart Card PIN

Page 37: sharepoint.microsoft.com

4th Factor: Forms Based Authentication

Page 38: sharepoint.microsoft.com

“SharePoint Web Access”

Page 39: sharepoint.microsoft.com

No Smart Card, No VPN Required

https://spsites.microsoft.com

Page 40: sharepoint.microsoft.com

Key Take Aways

Flexible scalable topologies
  Consolidation with isolation
  Internal URL, external URL, partner URL
  Isolate Partner accounts from Intranet
  Employees use same account in intranet & extranet
  Internet ready/Publishing
  Cross forest support

Extensible authentication
  ASP.NET 2.0 pluggable auth/multi auth
  Zone policies
  Forms/cookies/logout

Page 41: sharepoint.microsoft.com

Key Take Aways

Test! Test! Test!
  Network latency and bandwidth
    Locally: 50-80 ms
    Globally: 180-250 ms (as much as 450 ms)
  Understand the data sizes
    Engineering & Manufacturing documents (large)
  Understand usage scenarios
  Understand the collaboration policy in the organization
    Authorization, roles, retention policies.

Page 42: sharepoint.microsoft.com

Resources

Planning, Designing & Securing an Extranet and Internet Facing WSSv3 and SharePoint Server 2007 Environments
http://blogs.msdn.com/sharepoint/archive/2006/08/08/planning-designing-amp-securing-an-extranet-and-internet-facing-wssv3-and-sharepoint-server-2007-environments.aspx

SharePoint Community Search
http://search.live.com/macros/lliu/spsearch

SharePoint Community Portal
http://sharepoint.microsoft.com/sharepoint

Page 43: sharepoint.microsoft.com

Sweepstake

Complete your Feedback form and have a chance to win a Zune!*

* English US version