
Arizona SharePoint Professionals Group – April 23rd 2009 meeting


Presentation Transcript


  1. Arizona SharePoint Professionals Group April 23rd 2009 meeting

  2. Agenda

  3. Community News – Just Released! • SharePoint 2010 Announced • Key Things to Know • SP2 will release April 28th • Configuring and Deploying Anonymous Publishing Site

  4. Community News – Web Site Updated! • New Resources Section – Contribute and Win!!! • Over 75+ resources already available and categorized • New Sign-up Tool • New Member Blog for staying informed throughout the month! • New Sponsor program announced • New RSS Feeds for Events, Resources & Blog • Secure access coming in May!

  5. Community News - Events • SharePoint Conference 2009 will be the conference to learn about SharePoint “14” • Tech-Ed 2009 – LA, May 11-15 • Developing Publishing Sites with MOSS – Andrew Connell – LV, April 20-24

  6. SP2 Overview • A new STSADM operation (stsadm -o preupgradecheck) scans your server farm to establish whether it is ready for upgrade to the next version of SharePoint and reports findings and best-practice recommendations on your current environment • Support for a broader range of Web browsers, including improved compatibility with Mozilla Firefox • Windows Server 2008 SP2 and Windows Server 2008 R2 will be supported on their release • Improved performance and stability of content deployment and of the variations feature • A new STSADM operation (stsadm -o variationsfixuptool) lets a SharePoint administrator scan sites that use variations for errors • Easier configuration of Excel Web Access Web Parts on new sites • Several rendering, calculation, and security issues resolved; some display issues addressed • Much, much more…

  7. Next Meeting – May 28th, 2009 • Chris Gerchak from Statera will be discussing operational tools like USPM & DocAve as well as giving us some insight into “Budget DR” • Metalogix will be discussing their Migration Manager toolset that can be used to reduce costs by eliminating other technologies and reducing file shares • K2 will be in town to discuss BlackPearl

  8. June 25th 2009 Meeting Using Records Management to improve compliance and reduce costs from a real-world implementation. KnowledgeLake will be showcasing how their tools streamline records management and reduce paper based processes.

  9. Extranets

  10. What We’ll Talk About • Terminology • Network Topologies • Planning for security • Planning the implementation • Best Practices for Extranet • Chalk Talk – White Board Session

  11. Extranet - What is it? • Intranet - content is available ONLY to known internal users, inside the firewall • Internet - content is available to unknown (anonymous) users outside the firewall • Extranet - content is available to known external users (partners, customers, remote employees) who reach it through the firewall, normally via a perimeter network

  12. Definitions - General • Extranet • DMZ • Perimeter Networks • Firewalls • Proxy Server • Reverse Proxy • Domain • Trust • One way / two way • Transitive / Nontransitive

  13. Definitions - SharePoint • Farm • Shared Services • Web Application • Virtual Server (IIS Web Site) • Zone • Alternate Access Mapping • Authentication Provider • Web Application Policy

  14. Alternate Access Mappings • Alternate Access Mappings define the “Zones” • Each zone is a namespace (public URL) used to reach one and the same set of content, e.g. • http://office • https://office.microsoft.com • The Default zone’s URL is the one placed in alert e-mails and in search result links, so it must be reachable by the users who receive them

  15. Don’t Zone the Zones! • In an extranet environment, the design of zones is critical for the following two reasons: • User requests can be initiated from several different networks. • Users can consume content across multiple Web applications. Internal and remote employees can potentially contribute to and administer content across all of the Web applications: Intranet, Partner Web, and the corporate Internet site.

  16. Network topologies • Perimeter Network Topologies • Edge Firewall/Single firewall • Dual firewall • Back to back perimeter • Split back-to-back perimeter

  17. Edge Firewall / Single Firewall

  18. Front – to – Back Firewalls

  19. Back-to-Back Perimeter

  20. Split back-to-back Perimeter

  21. What is Right For Me • It depends! • Business & IT strategy • Functional requirements • Compliance/security requirements • Cost • Existing infrastructure • Nature/type of applications

  22. Internet Security and Acceleration Server (ISA / TMG) • ISA Roles: • Authentication Server • Reverse proxy • Firewall • ISA benefits: • Application Filtering • Farm Balancing • Multiple Authentication Approaches • Performance Opportunities • Simplified Application Publishing

  23. Intelligent Application Gateway (IAG) • IAG Role: • SSL VPN gateway • IAG Benefits: • Encapsulates all Web and non-Web applications in a single SSL session • Supports multiple authentication methods, including AD, LDAP and RADIUS. • Provides granular endpoint security compliance checks • Client-side cache clean-up and Attachment Wiper™

  24. Comparisons

  25. Planning for security • Where are my users? • Identity stores • Authentication methods • Authentication patterns • Federated authentication • Authorization • Communication Ports

  26. Where are my users? • Are they at home? • Are they at a kiosk? • Are they in a partner intranet?

  27. Identity Stores • Both MOSS 2007 and WSS 3.0 build on ASP.NET 2.0’s pluggable authentication provider model, so you can support users in any of these stores • WSS 3.0 does not ship with any membership providers; Microsoft Office SharePoint Server (MOSS) 2007 includes an LDAP v3 membership provider, and ASP.NET 2.0 includes a SQL Server provider

  28. Authentication Methods

  29. Authentication Patterns • Separate AD Domains • Corporate users in internal domain • Partners in DMZ domain • DMZ trusts corporate AD domain to authenticate corporate users (one-way trust) • Self-contained DMZ • Shadow copies of corporate users in DMZ domain (AD or ADAM aka AD LDS) • AD to ADAM synchronizer or ILM • Public key infrastructure (PKI) • Supports SSL, client certificate authentication
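The one-way trust in the “Separate AD domains” pattern is easy to create in the wrong direction. The following is an added example, not part of the deck: it assumes the domain names dmz.contoso.com and corp.contoso.com, a DMZ domain controller to run it on, and the two administrative account names shown.

```powershell
# Added example (not from the slide deck). Creates the one-way trust of the
# "Separate AD domains" pattern: the DMZ domain TRUSTS the corporate domain, so
# corporate accounts can be granted rights on extranet content, while the
# corporate domain grants nothing to DMZ accounts. Domain and account names
# are assumptions; run this on a DMZ domain controller.
$dmzDomain  = "dmz.contoso.com"    # trusting domain (where the SharePoint farm lives)
$corpDomain = "corp.contoso.com"   # trusted domain (where the employees' accounts live)

# netdom syntax: first argument = TRUSTING domain, /d: = TRUSTED domain.
# Swapping them makes corp trust the DMZ, the opposite of the design.
# /UserD,/PasswordD are credentials in the trusted (corp) domain,
# /UserO,/PasswordO in the trusting (DMZ) domain; "*" prompts for the password.
netdom trust $dmzDomain "/d:$corpDomain" /add `
    "/UserD:$corpDomain\trustadmin" /PasswordD:* `
    "/UserO:$dmzDomain\Administrator" /PasswordO:*

# Verify the trust, then list trusts with their direction flags
netdom trust $dmzDomain "/d:$corpDomain" /verify
nltest /domain_trusts /v
```

The trust only works if the DMZ and corporate domain controllers can reach each other over the directory protocols (LDAP, Kerberos, RPC), which is what the firewall-ports slide later in this deck has to cover; a trust that verifies from the DMZ side but fails at logon time is almost always a blocked port, not a directory problem.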

  30. Federated Authentication • Active Directory® Federation Services (ADFS) is for organizations that need to participate in standards-based identity federation • It is a federated identity management solution that extends an organization’s existing Active Directory deployment • An ADFS server acts as either: • Account partner – configured to interact with an account store (either ADAM or Active Directory) to authenticate users • Resource partner – configured to support ADFS-aware applications

  31. Authorization • AD Groups / Custom Roles • SharePoint Groups Rules: • Do not add users individually to a web site; use SharePoint groups / AD groups instead (except maybe the admins/site owners) • For search reasons, add "authenticated users" on content that is outward facing / open to make it discoverable • Stick with the out-of-the-box SharePoint groups / permission levels. Remember, SharePoint groups are defined at the site collection level. • Nested Windows security groups, while possible, may be problematic • Users per SharePoint ACL: query results must not exceed 64k, or ~2000 users per ACL • Adding users to a SharePoint group causes a full crawl. • When you create custom permission levels and assign permissions using the object model, the dependencies are not included. Make sure to double check the dependency matrix. • If getting users added to / removed from AD groups is a bottleneck, use SharePoint groups, as you can delegate control of SharePoint groups to the site administrator
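A check a practitioner would want after reading these rules is a script that finds the places where they were already broken. The following is an added example, not code from the deck: it walks one site collection with the MOSS 2007 / WSS 3.0 object model and reports individually assigned users and oversized ACLs. The site URL, the threshold values and the function name are assumptions.

```powershell
# Added example, not from the slide deck: audits one site collection for the
# authorization rules on this slide (no individually assigned users, ACLs well
# under the ~2000-principal guideline, SharePoint groups built from AD groups).
# Runs on a MOSS 2007 / WSS 3.0 server as an account that can read the content
# database; the URL and thresholds are assumptions.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl       = "https://extranet.contoso.com"   # assumed extranet site collection
$maxPrincipals = 2000    # the slide's ~2000 principals per ACL guideline
$maxGroupUsers = 50      # assumed reporting threshold for a SharePoint group

function Audit-Scope($scope, $label) {
    # $scope is an SPWeb or SPList that has unique (non-inherited) permissions
    $direct = @()
    $count  = 0
    foreach ($ra in $scope.RoleAssignments) {
        $count++
        $m = $ra.Member
        # A person granted rights directly is an SPUser with IsDomainGroup = $false;
        # an AD group is also an SPUser, but with IsDomainGroup = $true.
        if (($m -is [Microsoft.SharePoint.SPUser]) -and (-not $m.IsDomainGroup)) {
            $direct += $m.LoginName
        }
    }
    if ($direct.Count -gt 0) {
        Write-Host ("{0}: {1} user(s) assigned directly: {2}" -f $label, $direct.Count, [string]::Join(", ", [string[]]$direct))
    }
    if ($count -gt $maxPrincipals) {
        Write-Host ("{0}: {1} principals in the ACL, over the {2} guideline" -f $label, $count, $maxPrincipals)
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
foreach ($web in $site.AllWebs) {
    if ($web.HasUniqueRoleAssignments) { Audit-Scope $web $web.Url }
    foreach ($list in $web.Lists) {
        # lists and libraries that break inheritance are where ACLs usually sprawl
        if ($list.HasUniqueRoleAssignments) { Audit-Scope $list ($web.Url + "/" + $list.Title) }
    }
    $web.Dispose()
}

# SharePoint groups are site-collection scoped, so one pass over the root web
# covers them; a group full of individuals is where an AD group belongs instead.
foreach ($grp in $site.RootWeb.Groups) {
    $people = @($grp.Users | Where-Object { -not $_.IsDomainGroup })
    if ($people.Count -gt $maxGroupUsers) {
        Write-Host ("Group '{0}' has {1} individual members; consider nesting an AD group" -f $grp.Name, $people.Count)
    }
}
$site.Dispose()
```

The script deliberately counts principals rather than expanded members: the guideline on the slide is about entries in the ACL, and an AD group is one entry no matter how many people it contains, which is exactly why the slide prefers groups over individual assignments.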

  32. Firewall Ports

  33. Planning the extranet implementation • Physical / Logical Architecture • Content Publishing • Shared Services (horizontal services)

  34. Planning the extranet implementation • Should your extranet be its own: • Farm ? • Web application ? • Site collection ?

  35. Content Publishing • Things to think about: • Where does the content get created ? • Internally / Externally / both? • Content sync? • One way/ two way? • Where should the content be? • Copy to multiple locations / links to the original document? • Which is the authoritative source of the content? • Internal / external? What should people see when they search? • Geo replication? • OOB / 3rd party tools ?

  36. Content Publishing (2) • Things to think about: • Content Owner • Should an employee always be the owner? • Compliance • When does the content expire? What happens then? What audit policies should we have? • Security • Whose IP is it anyway? • Do we need rights protection? Across the enterprise? • If there is sensitive data, how do we plan SharePoint groups and permission levels?

  37. Horizontal Services • How should horizontal services like search be configured? • Separate farm? • Separate SSP? • Separate content source indexed by an existing SSP ? • Does Mysites make sense? • Are there personalization needs? • Do you need to surface LOB data(e.g. CRM/ ERP data)?

  38. Best Practices • Plan for defense in depth • Plan your firewall strategy • Plan trust relationships if using AD / ADFS • Evaluate the risks of server failures to plan for server role redundancy • Increase the performance of a server farm by optimizing the farm for applications with similar performance profiles (static content vs collaboration sites) • Think about your caching options

  39. Best Practices • Use AD groups for authorization • Plan governance for your farm, web app and site collection before the site goes live! • Use SharePoint zones to have multiple authentication channels to the same content • Look at your licensing structure • Understand your scalability / availability requirements to do the farm sizing. Tools like the SharePoint capacity planner help • Use the Extranet security hardening tool

  40. Best Practices • Functionality • Search • Office integration – use Basic authentication (only on the SSL zone: Basic sends the password in clear) • Security • SSL – must be bound to all MOSS servers • Ease of use • http to https redirection

  41. Best Practices • In an extranet environment, ensure that the following design principles are followed: • Configure zones across multiple Web applications to mirror each other. The configuration of authentication and the intended users should be the same. However, the policies associated with zones can differ across Web applications. For example, ensure that the intranet zone is used for the same employees across all Web applications. In other words, do not configure the Intranet zone for internal employees in one Web application and remote employees in another. • Configure alternate access mappings appropriately and accurately for each zone and each resource.

  42. Best Practices • SSP • Use a separate SSP for Extranet or secure your content so that sensitive information cannot be searched on

  43. Best Practices Gotchas • Basic Authentication: search has issues during the crawl in the Default zone, so create another zone just for search (e.g. Intranet) and configure content sources to use port 80, not 443 • HTTP redirection in Windows 2008: extend the web application to port 80 in a different zone (e.g. Custom) and install HTTP Redirection (IIS Redirect) as a role service; otherwise users get prompted twice, so set the Custom zone to allow anonymous access, then clear Basic authentication and clear Integrated Windows Authentication on it
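The zone layout from slide 14 and the gotchas on this slide come together in one configuration. The following is an added example, not a script from the deck or from Microsoft: it assumes the web application was already extended in Central Administration (Application Management > Create or extend Web application > Extend an existing Web application, since STSADM has no operation for that) to an Intranet zone for the crawler and a Custom zone on port 80, and that the host names and the IIS site name below are the ones chosen then.

```powershell
# Added example, not from the slide deck: completes the three-zone extranet
# layout on MOSS 2007 / Windows Server 2008. Host names, the IIS site name and
# the tool paths are assumptions; the STSADM and appcmd operations are the
# product's own. Run as a farm administrator on a Web front end.
$stsadm = "$env:CommonProgramFiles\Microsoft Shared\web server extensions\12\BIN\stsadm.exe"
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"

$publicUrl = "https://extranet.contoso.com"        # Default zone: partners, SSL + Basic for Office clients
$crawlUrl  = "http://extranet-crawl.contoso.com"   # Intranet zone: search crawler only, port 80, NTLM
$httpUrl   = "http://extranet.contoso.com"         # Custom zone: anonymous port-80 site that only redirects
$httpSite  = "SharePoint - extranet.contoso.com80" # IIS site name given to the Custom zone (assumed)

# 1. Alternate access mappings: one public URL per zone. -url is any existing
#    URL of the web application; the Default zone keeps $publicUrl, which is the
#    URL that alert e-mails and search results will carry.
& $stsadm -o addzoneurl -url $publicUrl -urlzone Intranet -zonemappedurl $crawlUrl
& $stsadm -o addzoneurl -url $publicUrl -urlzone Custom   -zonemappedurl $httpUrl
& $stsadm -o enumalternatedomains -url $publicUrl

# 2. Authentication per zone. Basic only on the SSL zone (it sends the password
#    in clear); NTLM on the crawl zone so the crawler avoids the Basic/Default
#    zone problem; anonymous only on the redirect zone, because any challenge on
#    port 80 is what produces the double prompt.
& $stsadm -o authentication -url $publicUrl -type windows -usebasic
& $stsadm -o authentication -url $crawlUrl  -type windows -usewindowsintegrated -exclusivelyusentlm
& $stsadm -o authentication -url $httpUrl   -type windows -allowanonymous
# Clear Basic and Integrated Windows authentication on the port-80 site in IIS
& $appcmd set config $httpSite /section:basicAuthentication     /enabled:false /commit:apphost
& $appcmd set config $httpSite /section:windowsAuthentication   /enabled:false /commit:apphost
& $appcmd set config $httpSite /section:anonymousAuthentication /enabled:true  /commit:apphost

# 3. HTTP to HTTPS redirection. The HTTP Redirection role service is not
#    installed by default on Windows Server 2008.
ServerManagerCmd.exe -install Web-Http-Redirect
& $appcmd set config $httpSite /section:httpRedirect /enabled:true "/destination:$publicUrl" `
    /exactDestination:false /childOnly:false /httpResponseStatus:Permanent /commit:apphost
```

After this, the search content source in the SSP is pointed at $crawlUrl (port 80), as the slide says, and a browser request to http://extranet.contoso.com/sites/partner gets a 301 to the same path on the SSL zone without ever seeing an authentication challenge on port 80; the single remaining prompt is the Basic challenge on the SSL zone that Office clients need.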
