
Arizona SharePoint Professionals Group

April 23rd 2009 meeting




Community News – Just Released!

  • SharePoint 2010 Announced

    • Key Things to Know

  • SP2 will release April 28th

  • Configuring and Deploying Anonymous Publishing Site


Community News – Web Site Updated!

  • New Resources Section – Contribute and Win!!!

    • Over 75+ resources already available and categorized

  • New Sign-up Tool

  • New Member Blog for staying informed throughout the month!

  • New Sponsor program announced

  • New RSS Feeds for Events, Resources & Blog

  • Secure access coming in May!


Community News - Events

SharePoint Conference 2009 will be the conference to learn about SharePoint “14”

Tech-Ed 2009 – LA May 11-15

Developing Publishing Sites with MOSS – Andrew Connell – LV April 20-24


SP2 Overview

An STSADM command line that scans your server farm to establish whether it is ready for upgrade to the next version of SharePoint and provides feedback and best practice recommendations on your current environment.

SP2 offers support for a broader range of Web browsers.

Windows Server 2008 SP2 and Windows Server 2008 R2 will be supported on their release.

The performance and stability of the content deployment and variations features have been improved.

A new tool has been added to the STSADM command-line utility that enables a SharePoint administrator to scan sites that use the variations feature for errors.

SP2 makes it easier to configure Excel Web Access Web Parts on new sites.

Several rendering, calculation, and security issues have been resolved.

Some display issues have been addressed.

Improved compatibility with Mozilla Firefox browsers.

Much, much more…


Next Meeting – May 28th, 2009

  • Chris Gerchak from Statera will be discussing operational tools like USPM & DocAve as well as giving us some insight into “Budget DR”

  • Metalogix will be discussing their Migration Manager toolset that can be used to reduce costs by eliminating other technologies and reducing file shares

  • K2 will be in town to discuss BlackPearl


June 25th 2009 Meeting

Using Records Management to improve compliance and reduce costs, drawn from a real-world implementation.

KnowledgeLake will be showcasing how their tools streamline records management and reduce paper based processes.




What We’ll Talk About

  • Terminology

  • Network Topologies

  • Planning for security

  • Planning the implementation

  • Best Practices for Extranet

  • Chalk Talk – White Board Session


Extranet - What is it?

  • Intranet - content is available to known internal users behind a firewall ONLY

  • Internet - content is available to unknown* users outside a firewall

  • Extranet - content is available to known external users behind a firewall*


Definitions - General

  • Extranet

  • DMZ

  • Perimeter Networks

  • Firewalls

  • Proxy Server

  • Reverse Proxy

  • Domain

  • Trust

    • One way / two way

    • Transitive / Nontransitive


Definitions - SharePoint

  • Farm

  • Shared Services

  • Web Application

  • Virtual Server (IIS Web Site)

  • Zone

  • Alternate Access Mapping

  • Authentication Provider

  • Web Application Policy


Alternate Access Mappings

  • Alternate Access Mappings - “Zones”

    • Namespaces used to access a single set of content, e.g.

      • http://office

    • Default Zone for Alerts URLs and Search results


Don’t Zone the Zones!

  • In an extranet environment, the design of zones is critical for the following two reasons:

    • User requests can be initiated from several different networks.

    • Users can consume content across multiple Web applications. Internal and remote employees can potentially contribute to and administer content across all of the Web applications: Intranet, Partner Web, and the corporate Internet site.


Network topologies

  • Perimeter Network Topologies

    • Edge Firewall/Single firewall

    • Dual firewall

    • Back to back perimeter

    • Split back-to-back perimeter


Edge Firewall / Single



Front – to – Back



Back-to-Back Perimeter


Split back-to-back



What is Right For Me?

  • It depends!

    • Business & IT Strategy

      • Functional requirements

      • Compliance/security requirements

      • Cost

      • Existing Infrastructure

      • Nature / type of applications


Internet Security and Acceleration Server (ISA / TMG)

  • ISA Roles:

    • Authentication Server

    • Reverse proxy

    • Firewall

  • ISA benefits:

    • Application Filtering

    • Farm Balancing

    • Multiple Authentication Approaches

    • Performance Opportunities

    • Simplified Application Publishing


Intelligent Application Gateway (IAG)

  • IAG Role:

    • SSL VPN gateway

  • IAG Benefits:

    • Encapsulates all Web and non-Web applications in a single SSL session

    • Supports multiple authentication methods, including AD, LDAP and RADIUS.

    • Provides granular endpoint security compliance checks

    • Client-side cache clean-up and Attachment Wiper™




Planning for security

  • Where are my users?

  • Identity stores

  • Authentication methods

  • Authentication patterns

  • Federated authentication

  • Authorization

  • Communication Ports


Where are my users?

  • Are they at home?

  • Are they at a kiosk?

  • Are they in a partner intranet?


Identity Stores

  • Both MOSS 2007 and WSS build on ASP.NET 2.0’s pluggable authentication provider model, so you can now support users in all of these stores

  • WSS V3 does not ship with any Membership providers; Microsoft Office SharePoint Server (MOSS) 2007 includes an LDAP V3 Membership provider, and ASP.NET 2.0 includes a SQL Server provider


Authentication Methods


Authentication Patterns

  • Separate AD Domains

    • Corporate users in internal domain

    • Partners in DMZ domain

    • DMZ trusts corporate AD domain to authenticate corporate users (one-way trust)

  • Self-contained DMZ

    • Shadow copies of corporate users in DMZ domain (AD or ADAM aka AD LDS)

    • AD to ADAM synchronizer or ILM

  • Public key infrastructure (PKI)

    • Supports SSL, client certificate authentication


Federated Authentication

  • Active Directory® Federation Services (ADFS) is for organizations that need to participate in standards-based identity federation

  • A federated identity management solution that extends an organization’s existing Active Directory deployment

  • An ADFS server acts as either an:

    • Account partner: configured to interact with an account store (either ADAM or Active Directory) to authenticate users

    • Resource partner: configured to support ADFS-aware applications


Authorization

  • AD Groups / Custom Roles

  • SharePoint Groups

  • Do not add users individually to a web site; use SharePoint groups / AD groups instead (except maybe the admins/site owners)

  • For search reasons, add "authenticated users" on content that is outward facing / open to make it discoverable

  • Stick with the out-of-the-box SharePoint groups / permission levels. Remember, SharePoint groups are defined at the site collection level.

  • Nested Windows security groups, while possible, may be problematic

  • Users per SharePoint ACL: query results must not exceed 64k, or ~2000 users per ACL

  • Adding users to a SharePoint group causes a full crawl.

  • When you create custom permission levels and assign permissions using the object model, the dependencies are not included. Make sure to double-check the dependency matrix.

  • If getting users added to / removed from AD groups is a bottleneck, use SharePoint groups, as you can delegate control of SharePoint groups to site administrators
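The authorization guidance above (groups rather than individual users, caution with nested Windows groups, the ~2000-users-per-ACL guideline) can be turned into an audit over an exported permissions list. The following is an added example, not code from the deck or from SharePoint: the export row format, the sample rows and the `audit_role_assignments` function are all constructed for it, and a real export would have to come from the site collection's object model or a permissions report.

```python
"""Audit exported SharePoint role assignments against the slide's
authorization guidance. Sample data below is constructed, not from a real farm."""

# Constructed export: one row per role assignment on a securable object.
# principal_type: "user", "sp_group" (SharePoint group) or "ad_group".
# members: number of users the principal resolves to (1 for a single user).
# nested: True when an AD group contains other groups.
ROLE_ASSIGNMENTS = [
    {"object": "/sites/partners", "principal": "Partner Members",
     "principal_type": "sp_group", "level": "Contribute", "members": 120, "nested": False},
    {"object": "/sites/partners", "principal": "CORP\\extranet-owners",
     "principal_type": "ad_group", "level": "Full Control", "members": 5, "nested": False},
    {"object": "/sites/partners/docs", "principal": "CORP\\jdoe",
     "principal_type": "user", "level": "Contribute", "members": 1, "nested": False},
    {"object": "/sites/partners/docs", "principal": "CORP\\all-partners",
     "principal_type": "ad_group", "level": "Read", "members": 2500, "nested": True},
    {"object": "/sites/partners", "principal": "CORP\\admin1",
     "principal_type": "user", "level": "Full Control", "members": 1, "nested": False},
]

MAX_USERS_PER_ACL = 2000        # ~2000 users per ACL, from the slide's 64k query limit
OWNER_LEVELS = {"Full Control"}  # site owners/admins may still be added individually


def audit_role_assignments(rows):
    """Return a list of (object, principal, message) findings."""
    findings = []
    users_per_object = {}
    for r in rows:
        obj = r["object"]
        # Accumulate how many users each object's ACL resolves to.
        users_per_object[obj] = users_per_object.get(obj, 0) + r["members"]
        # Rule: users go through groups, except owners/admins.
        if r["principal_type"] == "user" and r["level"] not in OWNER_LEVELS:
            findings.append((obj, r["principal"],
                             "user added directly; use a SharePoint or AD group instead"))
        # Rule: nested Windows security groups are possible but problematic.
        if r["principal_type"] == "ad_group" and r["nested"]:
            findings.append((obj, r["principal"],
                             "nested Windows security group; membership resolution may be problematic"))
    # Rule: keep each ACL under the ~2000-user guideline.
    for obj, count in users_per_object.items():
        if count > MAX_USERS_PER_ACL:
            findings.append((obj, "*",
                             f"ACL resolves to ~{count} users, above the ~{MAX_USERS_PER_ACL} guideline"))
    return findings


if __name__ == "__main__":
    for obj, principal, message in audit_role_assignments(ROLE_ASSIGNMENTS):
        print(f"{obj}\t{principal}\t{message}")
```

Running it against the constructed rows reports the directly assigned contributor, the nested partner group, and the document library whose ACL resolves to roughly 2500 users; the individually added Full Control account is left alone, matching the slide's owner/admin exception.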


Firewall Ports


Planning the extranet implementation

  • Physical / Logical Architecture

  • Content Publishing

  • Shared Services (horizontal services)


Planning the extranet implementation

  • Should your extranet be its own:

    • Farm?

    • Web application?

    • Site collection?


Content Publishing

  • Things to think about:

    • Where does the content get created?

      • Internally / Externally / both?

  • Content sync?

    • One way / two way?

  • Where should the content be?

    • Copy to multiple locations / links to the original document?

  • Which is the authoritative source of the content?

    • Internal / external? What should people see when they search?

  • Geo replication?

    • OOB / 3rd party tools?

Content Publishing (2)

  • Things to think about:

    • Content Owner

      • Should an employee always be the owner?

    • Compliance

      • When does the content expire? What happens then? What audit policies should we have?

    • Security

      • Whose IP is it anyway?

      • Do we need rights protection? Across the enterprise?

      • If there is sensitive data, how do we plan SharePoint groups and permission levels?


Horizontal Services

  • How should horizontal services like search be configured?

    • Separate farm?

    • Separate SSP?

    • Separate content source indexed by an existing SSP?

  • Do My Sites make sense?

  • Are there personalization needs?

  • Do you need to surface LOB data (e.g. CRM / ERP data)?


Best Practices

  • Plan for defense in depth

  • Plan your firewall strategy

  • Plan trust relationships if using AD / ADFS

  • Evaluate the risks of server failures to plan for server role redundancy

  • Increase the performance of a server farm by optimizing the farm for applications with similar performance profiles (static content vs. collaboration sites)

  • Think about your caching options


Best Practices

  • Use AD Groups for authorization

  • Plan governance for your farm, web app, and site collection before the site goes live!

  • Use SharePoint zones to have multiple authentication channels to the same content

  • Look at your licensing structure

  • Understand your scalability / availability requirements to do the farm sizing. Tools like the SharePoint capacity planner help

  • Use the Extranet security hardening tool


Best Practices

  • Functionality

    • Search

    • Office Integration – use Basic Authentication

  • Security

    • SSL – must be bound to all MOSS servers

  • Ease of use

    • http to https redirection


Best Practices

  • In an extranet environment, ensure that the following design principles are followed:

    • Configure zones across multiple Web applications to mirror each other. The configuration of authentication and the intended users should be the same. However, the policies associated with zones can differ across Web applications. For example, ensure that the intranet zone is used for the same employees across all Web applications. In other words, do not configure the Intranet zone for internal employees in one Web application and remote employees in another.

    • Configure alternate access mappings appropriately and accurately for each zone and each resource.


Best Practices

  • SSP

    • Use a separate SSP for the Extranet, or secure your content so that sensitive information cannot be searched on


Best Practices Gotchas

  • Basic Authentication

    • Search has issues during crawl in the Default Zone

      • Create another Zone just for Search (e.g. Intranet)

      • Content Sources should be configured to use port 80, not 443

  • HTTP redirection in Windows 2008

    • Must extend the web application to port 80 and put it in a different zone (e.g. Custom)

    • Must install IIS Redirect as a Role Service

  • You will get prompted twice

    • Set the Custom Zone to Allow Anonymous and then clear Basic authentication

    • Clear Integrated Windows Authentication
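The zone rules scattered across this deck (the "Don't Zone the Zones!" slide, the "mirror each other" and "alternate access mapping per zone" design principles, and the gotcha that Basic authentication on the Default zone needs a separate Windows-authenticated zone for the crawler) can all be checked against a written zone plan before a farm is built. The following is an added example, not code from the deck or from SharePoint: the five zone names are MOSS 2007's real ones, but the `FARM_PLAN` dictionary, the Web application names and URLs, and the `check_zone_plan` function are constructed for this example, and the "partnerweb" Extranet zone is deliberately misconfigured so the checker has something to report.

```python
"""Check a planned MOSS 2007 extranet zone layout against the deck's design
rules. The plan below is constructed sample data, not a real farm."""

from collections import defaultdict

# The five zones a MOSS 2007 Web application can expose.
ZONES = ("Default", "Intranet", "Internet", "Custom", "Extranet")

# Constructed plan: web application -> zone -> {url, auth, audience}.
FARM_PLAN = {
    "intranet": {
        "Default": {"url": "http://intranet", "auth": "Basic", "audience": "employees"},
        "Intranet": {"url": "http://intranet-crawl", "auth": "NTLM", "audience": "employees"},
        "Extranet": {"url": "https://extranet.example.com", "auth": "Forms", "audience": "partners"},
    },
    "partnerweb": {
        "Default": {"url": "http://partnerweb", "auth": "Basic", "audience": "employees"},
        # Deliberately wrong: no AAM URL, and the Extranet zone is aimed at employees here
        # while it is aimed at partners in the "intranet" Web application.
        "Extranet": {"url": "", "auth": "Forms", "audience": "employees"},
    },
}


def check_zone_plan(plan):
    """Return a list of (severity, web_app(s), zone, message) findings."""
    findings = []
    for app, zones in plan.items():
        # Rule 1: alert e-mails and search results use the Default zone's URL.
        if "Default" not in zones:
            findings.append(("error", app, "Default",
                             "no Default zone; alert and search result URLs will be wrong"))
        # Rule 2: every zone in use needs an alternate access mapping.
        for zone, cfg in zones.items():
            if zone not in ZONES:
                findings.append(("error", app, zone, "unknown zone name"))
            if not cfg.get("url"):
                findings.append(("error", app, zone, "zone has no alternate access mapping URL"))
    # Rule 3: "don't zone the zones" - a zone must mean the same authentication
    # and the same user population in every Web application.
    by_zone = defaultdict(list)
    for app, zones in plan.items():
        for zone, cfg in zones.items():
            by_zone[zone].append((app, cfg.get("auth"), cfg.get("audience")))
    for zone, uses in by_zone.items():
        apps = ", ".join(app for app, _, _ in uses)
        auths = {auth for _, auth, _ in uses}
        audiences = {aud for _, _, aud in uses}
        if len(auths) > 1:
            findings.append(("error", apps, zone,
                             f"authentication differs across Web applications: {sorted(auths)}"))
        if len(audiences) > 1:
            findings.append(("error", apps, zone,
                             f"intended users differ across Web applications: {sorted(audiences)}"))
    # Rule 4 (gotcha slide): Basic auth on the Default zone breaks the crawl, so a
    # second zone with Windows authentication is needed for search, on port 80.
    for app, zones in plan.items():
        if zones.get("Default", {}).get("auth") == "Basic":
            crawl_zones = [z for z, c in zones.items()
                           if z != "Default" and c.get("auth") in ("NTLM", "Kerberos")]
            if not crawl_zones:
                findings.append(("warning", app, "Default",
                                 "Basic auth on Default zone and no Windows-auth zone for the crawler"))
            for z in crawl_zones:
                if zones[z].get("url", "").startswith("https://"):
                    findings.append(("warning", app, z,
                                     "crawl zone content source should use port 80, not 443"))
    return findings


if __name__ == "__main__":
    for severity, app, zone, message in check_zone_plan(FARM_PLAN):
        print(f"{severity}\t{app}\t{zone}\t{message}")
```

For the constructed plan the checker reports the missing alternate access mapping on "partnerweb", the Extranet zone whose intended users differ between the two Web applications, and the fact that "partnerweb" has Basic authentication on its Default zone with no Windows-authenticated zone for the crawler; the "intranet" Web application, which has a separate NTLM zone on port 80, passes that last rule.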
