Philadelphia Area SharePoint User Group
Building Customer/Partner Extranets
Designing a Secure Extranet with Sharepoint 2007
Russ Basiura, RJB Technical, [email protected]
Agenda
1. Intro: SharePoint Extranets and FBA
2. Scenarios
3. Scenarios
4. Challenges
5. Demonstration
WHAT IS AN EXTRANET?
EXTRANETS POSE UNIQUE CHALLENGES FOR SHAREPOINT ADMINISTRATORS
How can I provide SharePoint sites for our employees to use to collaborate with our customers, suppliers, partners and maintain proper security?
How can I keep user accounts & passwords for non-employees in a separate database?
How can I delegate management of extranet users to trusted individuals and still maintain proper security control?
How can extranet users perform their own password changes?
How can I define and gather custom user profile data from my extranet site's users?
How can I automate user site requests and site creation?
What is the purpose of FBA?
• Forms authentication uses an authentication ticket created when a user logs on to a site
• Validated against a user store, such as a SQL Server database
• User is redirected to a configured logon page
• Once authenticated, the user is redirected to the originally requested page
• Ticket is usually contained inside a cookie
• Cookie tracks the user throughout the site
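The pieces listed above map onto ASP.NET 2.0 settings in the web.config of the SharePoint 2007 extranet web application. The fragment below is an added example, not from the talk; the connection string, provider names and application name are placeholders, and the settings chosen reflect the HTTPS-only, separate-user-store extranet the slides describe.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder: the separate SQL Server user store for non-employee accounts -->
    <add name="ExtranetUserStore"
         connectionString="Server=SQLSERVER_PLACEHOLDER;Database=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <!-- The authentication ticket: issued at logon, carried in a cookie,
         unauthenticated requests are redirected to loginUrl and back afterwards -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="/_layouts/login.aspx"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="30"
             cookieless="UseCookies" />
    </authentication>
    <!-- Membership: credentials are validated against SQL Server, not Active Directory.
         Hashed storage, lockout and self-service reset address the challenges listed earlier. -->
    <membership defaultProvider="ExtranetMembership">
      <providers>
        <add name="ExtranetMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ExtranetUserStore"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Roles for extranet users live in the same store, so SharePoint groups can contain them -->
    <roleManager enabled="true" defaultProvider="ExtranetRoles">
      <providers>
        <add name="ExtranetRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ExtranetUserStore"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The provider names (ExtranetMembership, ExtranetRoles) are what Central Administration expects when the web application's authentication provider is switched to Forms; the same membership and role provider entries also need to be present in the Central Administration web.config so the people picker can resolve extranet accounts.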
For what scenarios is FBA useful?
• Storing users in Active Directory is not desirable
• Storing users in Active Directory is not feasible
• Need customized or proprietary logon page
What are the issues and limitations with the out-of-the-box features?
• User self-service features including ‘reset my password’ and profile management
• Granular governance of site creation process
• Invitations with definable meta fields
• User self-registration
• Management interface to user store
• Profile field mismatches
Simple Extranet Scenario
Scenario
• Active Directory in the DMZ
  – No Trusts
• Single Server or small farm
  – All servers in the DMZ
• All Services in the DMZ
  – Mail
  – IM
• Basic Authentication over HTTPS
• Digest Authentication (Not Supported)
Scenario
• All Users must logon
• Management via Remote Desktop
• All content stored in portal
• Ports
  – TCP 3389 open to intranet for RDP
  – TCP 80 open to intranet for HTTP
  – TCP 443 open to extranet for HTTPS
MEDIUM EXTRANET SCENARIO
HIGH COMPLEXITY SCENARIO
User Challenges
• Authentication
  – Users don’t like being asked for identity
  – Use SSO to access other resources
• URLs
  – Store content on the portal
  – Put content links on the portal
Technical Challenges
• Authentication
• SSL
• Account Creation and Maintenance
• Site Creation Process
Common Challenges
• Where should I locate my servers?
• How is my firewall affected?
• What other solutions should be considered?
• Authentication Security
• High Availability
• How does this affect my SharePoint architecture?
• Do I really need another SharePoint Farm?
Authentication
• Basic over HTTPS
• Integrated
  – NTLM
  – Kerberos
• Digest
  – Single web server or web farm with affinity
  – Not Supported
• Custom
  – ISAPI Filter with persistent cookie
  – Not Supported
Custom Authentication
• Must create a valid Windows Principal
• Must attach context to thread before entering .NET pipeline
  – Ows.dll is an ISAPI extension
  – ISAPI extensions cannot be chained
• Build an ISAPI filter
  – Create and manage Windows Principal
  – Embed basic authentication headers in request
Extranet Governance
• Service Level Agreements
• End User training
• Information lifecycle controls
• Communicating with external users
• Acceptable Use Policies
Questions and Discussion