SHAREPOINT AND FOREFRONT UNIFIED ACCESS GATEWAY
James Tramel, Solutions Architect, Planet Technologies


DESCRIPTION

In this session, Solutions Architect James Tramel of Planet Technologies explains the networking concepts that bear on the performance, authentication, and internal and external access of SharePoint.


Page 1: SHAREPOINT AND FOREFRONT UNIFIED ACCESS GATEWAY

James Tramel, Solutions Architect, Planet Technologies

Page 2: ABOUT ME

• In other lives:
  – Network engineer
  – Network admin
  – WAN admin
  – Cloud admin
• Now:
  – SharePoint experience and certification (custom and OOB / data and architect)
  – Forefront Identity Manager (FIM) and UAG

Page 3: SHAREPOINT

• As a portal
• As an intranet
• As an extranet

Page 4: SHAREPOINT AND NETWORK INFRASTRUCTURE

• How is your farm built?
• Where does it reside?
• Who accesses it, and how?
• What does it look like in your network?
• What does your network topology look like?

Page 5: WHAT IS NETWORK TOPOLOGY

• Network topology is the layout pattern of the interconnections between the elements (links, nodes, etc.) of a computer network.
• Physical topology refers to the physical design of a network: the devices, their location and the cable installation.
• Logical topology refers to how data actually moves through the network, as opposed to its physical design.

Page 6: INSIDE / OUTSIDE

• What is a LAN?

Page 7: LAN

• A local area network (LAN) is a computer network that connects computers and devices in a limited geographical area such as a home, school, computer laboratory or office building. The defining characteristics of LANs include their usually high data-transfer rates, small geographic area, and lack of a need for leased telecommunication lines.

Page 8: LAN: LOCAL AREA NETWORK - BASIC

[diagram]

Page 9: LAN: TYPICAL

[diagram]

Page 10: INSIDE / OUTSIDE

• What is a LAN?
• What is a WAN?

Page 11: WAN

• A wide area network (WAN) is a telecommunication network that covers a broad area, that is, any network that links across metropolitan, regional, or national boundaries. Business and government entities use WANs to relay data among employees, clients, buyers, and suppliers in different geographical locations. In essence, this mode of telecommunication allows a business to carry out its daily functions regardless of location.

Page 12: WAN: FRAME

[diagram]

Page 13: WAN: VPN

[diagram]

Page 14: INSIDE / OUTSIDE

• What is a LAN?
• What is a WAN?
• What is a host?

Page 15: HOST

• A network host is a computer connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network.
• A web hosting service is a type of Internet hosting service that allows individuals and organizations to make their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own or lease for use by their clients, as well as Internet connectivity, typically in a data center. Web hosts can also provide data center space and Internet connectivity for servers they do not own, located in their data center.

Page 16: HOW TO USE SHAREPOINT FROM OUTSIDE

• Inside network protocols
• Outside network protocols
• How can SharePoint be set up for outside access?

Page 17: SHAREPOINT TOPOLOGY

[diagram]

Page 18: COMMON OUTSIDE METHODS

• Anonymous access
• SSL
• Authentication methods
  – Windows based
  – Token based
  – Claims based
  – Forms based

Page 19: AUTHENTICATION DEMO

Page 20: AUTHENTICATION EXAMPLE

Constraints in the example scenario:

• AD is not the authoritative directory
• SAML tokens may not be consumed
• No guarantee that the client is Internet Explorer
• High security / sensitive data

Page 21: INSIDE / OUTSIDE

• What is a LAN?
• What is a WAN?
• What is a host?
• What is a DMZ?

Page 22: DMZ

• A DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. It is sometimes referred to as a perimeter network. The purpose of a DMZ is to add a layer of security to the organization's local area network (LAN): an external attacker has direct access only to the hosts in the DMZ, not to the rest of the network, and has to compromise one of those hosts before pivoting inward. That is why a DMZ host such as UAG should hold no more trust toward the internal network than its function requires.

Page 23: DMZ: 1 FIREWALL

[diagram]

Page 24: DMZ: 2 FIREWALLS

[diagram]

Page 25: BUILDING A SHAREPOINT EXTRANET

• Access scenarios
  – Remote employee
  – External partner or customer
  – Branded Internet sites
  – Web hosting
  – Mobile phone access

Page 26: SHAREPOINT AND UAG

• Anywhere access
• Information leakage prevention
• Endpoint health-based authorization
• Web farm load balancing
• Advanced authentication schemes
• Enabling access to SharePoint sites from Microsoft Office Outlook Web Access
• Unified portal
• Automatic timeouts
• Internet-ready appliances
• Secure Sockets Layer (SSL) termination
• Application protection
• Policy-based access
• Single sign-on

Page 27: WHAT IS UAG?

• Part of the Forefront suite
• Reverse proxy, DirectAccess, Remote Desktop Services and VPN solution
• Built on TMG (firewall, endpoint security)
• Great for LOB apps
• Highly customizable; integrates with a lot

Page 28: FOLLOW THE PROGRAM

[diagram]

Page 29: UAG AND TMG

• TMG is installed before UAG (UAG Setup installs it as a prerequisite)
• TMG can act as a router, an Internet gateway, a virtual private network (VPN) server, a network address translation (NAT) server and a proxy server
• TMG is a firewall that offers application-layer protection, stateful filtering, content filtering and anti-malware protection
• TMG can compress web traffic and offers web caching
• On a UAG server, TMG's job is to protect the UAG host itself; configure it through UAG rather than as a general-purpose firewall

Page 30: UAG SETUP IN GENERAL

• Publishing Microsoft Exchange Server applications
• Publishing Remote Desktop Services
• Remote network access using SSTP
• Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
• Endpoint policies and Network Access Protection
• UAG arrays
• DirectAccess

Page 31: UAG DIRECTACCESS AND SHAREPOINT

• UAG DirectAccess
• Single server endpoint outside of the perimeter
• Everything on VMs
• Multiple SharePoint applications
• Multiple forests

Page 32: UAG – SP EXTRANETS

• Edge firewall [diagram]

Page 33: UAG – SP EXTRANETS

Split back-to-back, optimized for content publishing [diagram]

Page 34: UAG – SP EXTRANETS

Back-to-back perimeter with content publishing (and optional TMG caching) [diagram]

Page 35: THINGS TO NOTE FOR INSTALLING UAG

• Know the network topology
• Know how to get around the network topology
• VMs and VM topology
• Static routes
• Make sure you have access to the local console session: you will very likely lose IP connectivity to the server the first time you configure it

Page 36: UNDERSTANDING VMS

• Virtual network types (Hyper-V terms)
  – Private virtual network
  – Internal virtual network
  – External virtual network
• Virtual NICs
• Physical NICs
• Static routes

Page 37: ADDRESSING UAG

[diagram]

Page 38: ADDRESSING UAG

• Name your network adapters
• Configure the external NIC
  – Remove the properties and protocols you don't need
  – The default gateway goes here (and only here)
  – Uncheck "Register this connection's addresses in DNS"
  – Disable NetBIOS over TCP/IP

Page 39: ADDRESSING UAG

• Configure the internal NIC
  – No gateway
  – Register the connection in DNS
• Check your static routes to the internal networks via the internal NIC
• Change the binding order (internal NIC first)
• Check the routes
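The two-NIC procedure on pages 38 and 39, carried through as one PowerShell script. This is an added example, not code from the deck or from Microsoft; it uses netsh and WMI because UAG runs on Windows Server 2008 R2, which predates the Set-Net* cmdlets. The adapter names, addresses, gateway, DNS server, internal router and internal prefixes are assumptions; replace them with your own.

```powershell
# Added example (not from the deck): address a two-NIC Forefront UAG server the way
# pages 38-39 describe. Run elevated from the local console: changing the gateway
# and the adapter addresses will drop any remote session.
#
# Assumed values (replace with your own):
$ExternalOldName = 'Local Area Connection'      # adapter facing the edge firewall / Internet
$InternalOldName = 'Local Area Connection 2'    # adapter facing the LAN / SharePoint farm
$ExternalIP = '203.0.113.10'; $ExternalMask = '255.255.255.0'; $ExternalGateway = '203.0.113.1'
$InternalIP = '10.10.0.10';   $InternalMask = '255.255.255.0'; $InternalDns = '10.10.0.5'
$InternalRouter   = '10.10.0.1'                 # next hop for every other internal subnet
$InternalPrefixes = @('10.0.0.0/8', '172.16.0.0/12')

function Rename-Adapter([string]$OldName, [string]$NewName) {
    # Rename through WMI instead of netsh so names containing spaces need no shell quoting.
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$OldName'"
    if (-not $adapter) { throw "No adapter named '$OldName'" }
    $adapter.NetConnectionID = $NewName
    $adapter.Put() | Out-Null
}

function Get-AdapterConfig([string]$Name) {
    # TCP/IP configuration object (Win32_NetworkAdapterConfiguration) for a connection name
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$Name'"
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.DeviceID)"
}

# 1. Name the adapters: every later command, and the UAG wizard, refers to them by name.
Rename-Adapter $ExternalOldName 'External'
Rename-Adapter $InternalOldName 'Internal'

# 2. External NIC: static address and the ONLY default gateway on the box; no DNS servers,
#    no DNS registration (its address must not land in internal DNS), no NetBIOS.
netsh interface ipv4 set address name=External source=static address=$ExternalIP mask=$ExternalMask gateway=$ExternalGateway gwmetric=1
netsh interface ipv4 set dnsservers name=External source=static address=none register=none
(Get-AdapterConfig 'External').SetTcpipNetbios(2) | Out-Null   # 2 = disable NetBIOS over TCP/IP

# 3. Internal NIC: static address, internal DNS, registers in DNS, and NO gateway
#    (omitting gateway= on a static address clears any existing one).
netsh interface ipv4 set address name=Internal source=static address=$InternalIP mask=$InternalMask
netsh interface ipv4 set dnsservers name=Internal source=static address=$InternalDns register=primary

# 4. Persistent static routes so internal subnets leave via the internal NIC. Without them that
#    traffic follows the default route out the external NIC and dies at the edge firewall.
foreach ($prefix in $InternalPrefixes) {
    netsh interface ipv4 add route prefix=$prefix interface=Internal nexthop=$InternalRouter store=persistent
}

# 5. Binding order (Internal first, External second) is set in Network Connections >
#    Advanced > Advanced Settings; it lives under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage\Bind
#    and has no supported command-line switch on 2008 R2, so do that step by hand.

# 6. Check the routes: exactly one default route, and it must point at the external gateway.
$defaults = @(Get-WmiObject Win32_IP4RouteTable -Filter "Destination='0.0.0.0'")
if ($defaults.Count -ne 1 -or $defaults[0].NextHop -ne $ExternalGateway) {
    $hops = ($defaults | ForEach-Object { $_.NextHop }) -join ', '
    Write-Warning "Expected one default route via $ExternalGateway; found: $hops"
}
route print -4
```

The check in step 6 is the one worth keeping around: a second default route, typically left behind by DHCP on the internal adapter, is the usual reason a freshly addressed UAG server answers on the LAN but never reaches the Internet, or the reverse.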

Page 40: ADDRESSING SHAREPOINT: AAM – ALTERNATE ACCESS MAPPINGS

• You can associate a web application with a collection of mappings between internal and public URLs.
• Alternate access mappings enable a web application that receives a request for an internal URL, in one of the five zones (Default, Intranet, Internet, Custom, Extranet), to return pages whose links point to the public URL for that zone.
• External users reach UAG with a different protocol (HTTPS) and a different host header than internal users use, yet receive identical content.
• Alternate access mappings let the SharePoint server rewrite URLs itself, so reverse proxies such as UAG do not have to rewrite the content of the pages they serve to external users.
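The AAM setup described above, as an added PowerShell example; this is not code from the deck or from Microsoft. It assumes a SharePoint 2010 farm with a web application at http://sp-intranet, the public name hrportal.woodgrovebank.com (the deck's page 43 example) published in the Extranet zone, and that UAG terminates SSL and forwards plain HTTP on port 80 to the web front end with the public host header.

```powershell
# Added example (not from the deck): publish a SharePoint 2010 web application through UAG
# with Alternate Access Mappings so SharePoint rewrites its own links and UAG does not have to.
# Assumptions: web application http://sp-intranet; public name hrportal.woodgrovebank.com in the
# Extranet zone; UAG terminates SSL and forwards HTTP/80 with the public host header.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp      = Get-SPWebApplication 'http://sp-intranet'
$publicHost  = 'hrportal.woodgrovebank.com'
$publicUrl   = "https://$publicHost"      # what external users (and UAG) see
$internalUrl = "http://$publicHost"       # what the WFE actually receives from UAG

# 1. Extend the web application into the Extranet zone. This creates the IIS site that answers
#    for the public host header on port 80, and records the zone's public URL as HTTPS even
#    though IIS itself listens on plain HTTP (SSL ends at UAG).
if (-not (Get-SPAlternateURL -WebApplication $webApp -Zone Extranet)) {
    New-SPWebApplicationExtension -Identity $webApp -Name "SharePoint - $publicHost (Extranet)" `
        -Zone Extranet -Url $publicUrl -HostHeader $publicHost -Port 80 | Out-Null
}

# 2. Add the HTTP form of the same host as an *internal* URL of the Extranet zone, so a request
#    arriving as http://hrportal... is recognised and answered with https://hrportal... links.
$existing = Get-SPAlternateURL -WebApplication $webApp -Zone Extranet |
            Where-Object { $_.IncomingUrl -eq $internalUrl }
if (-not $existing) {
    New-SPAlternateURL -WebApplication $webApp -Url $internalUrl -Zone Extranet -Internal | Out-Null
}

# 3. Verify: every incoming URL in the zone must map to the single HTTPS public URL. A mapping
#    whose PublicUrl is still http:// produces mixed-content links and redirect loops behind UAG.
$zoneMappings = Get-SPAlternateURL -WebApplication $webApp -Zone Extranet
$bad = $zoneMappings | Where-Object { $_.PublicUrl -ne $publicUrl }
if ($bad) {
    $list = ($bad | ForEach-Object { $_.IncomingUrl }) -join ', '
    Write-Warning "Extranet zone mappings not pointing at ${publicUrl}: $list"
}
Get-SPAlternateURL -WebApplication $webApp | Sort-Object Zone |
    Format-Table Zone, IncomingUrl, PublicUrl -AutoSize
```

The public URL here must match, character for character, the public host name you later give the SharePoint application in the UAG trunk; if they differ, SharePoint emits links for a host UAG is not publishing, which is the symptom the fourth bullet above is meant to prevent.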

Page 41: UAG PORTALS AND TRUNKS

• The UAG portal is an ASP.NET-based web application using AJAX, and is the front-end web application for UAG.
• A UAG portal trunk is a transfer channel that allows client endpoints to connect to the trunk's portal home page over HTTP or HTTPS. You can also create a redirect trunk that redirects HTTP endpoint requests to an HTTPS trunk.
• Each trunk has a portal home page to which remote endpoints connect to interact with the trunk and access published applications.
• For each trunk, UAG adds the Portal application to the trunk in order to provide a default home page. Alternatively, you can define a customized home page.

Page 42: ADDRESSING SHAREPOINT: PUBLIC HOST NAMES

• Each web app is associated with a unique public-facing host name, which is used to access the application remotely.
• A web app that is published through the Forefront UAG trunk shares the trunk's definitions, in addition to some of the trunk's functionality such as the logon and logoff pages.
• This means that the application's public host name must reside under the same parent domain as the trunk's public host name; that is, the application and the trunk are subdomains of the same parent domain.

Page 43: ADDRESSING SHAREPOINT: PUBLIC HOST NAMES

Trunk public host name  | Trunk's parent domain | Valid public host names for a web app | Non-valid public host names for a web app
------------------------+-----------------------+---------------------------------------+------------------------------------------
uag.woodgrovebank.com   | woodgrovebank.com     | hrportal.woodgrovebank.com            | hrportal.com
                        |                       | hrportal.a.b.woodgrovebank.com        |
                        |                       | hrportal.uag.woodgrovebank.com        |
uag.ext.example.com     | ext.example.com       | hrportal.ext.example.com              | hrportal.com
                        |                       | hrportal.a.b.ext.example.com          | hrportal.example.com
                        |                       | hrportal.uag.ext.example.com          |

Page 44: ADDRESSING SHAREPOINT AND UAG: SERVER CERTIFICATES

• The trunk's server certificate must cover all the public host names used in the trunk: the trunk's own public host name and the public host names of every application accessed via the trunk. In practice that means a certificate with a Subject Alternative Name entry per name, or a wildcard for the parent domain; note that a wildcard matches only one label, so it does not cover names nested deeper under the parent domain.
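The host-name rule on pages 42 and 43 and the certificate requirement on page 44, as an added PowerShell check; this is not code from the deck or from the UAG product. The host names are the deck's own; the certificate DNS-name list is a constructed sample, and the thumbprint lookup at the end is an assumption about where your trunk certificate lives.

```powershell
# Added example (not from the deck): check that every public host name you intend to publish
# through a UAG trunk is a subdomain of the trunk's parent domain (pages 42-43), and that the
# trunk certificate actually covers it (page 44). Host names are the deck's examples; the
# certificate name list below is a constructed sample.

function Get-ParentDomain([string]$TrunkHostName) {
    # uag.woodgrovebank.com -> woodgrovebank.com ; uag.ext.example.com -> ext.example.com
    $labels = $TrunkHostName.ToLower().TrimEnd('.').Split('.')
    if ($labels.Count -lt 3) { throw "Trunk host name '$TrunkHostName' has no parent domain to share" }
    return ($labels[1..($labels.Count - 1)] -join '.')
}

function Test-UagPublicHostName([string]$TrunkHostName, [string]$AppHostName) {
    # Valid when the app name ends with ".<parent domain>"; extra labels in between are fine,
    # which is why hrportal.a.b.woodgrovebank.com passes and hrportal.com does not.
    $parent = Get-ParentDomain $TrunkHostName
    return $AppHostName.ToLower().TrimEnd('.').EndsWith(".$parent")
}

function Test-CertificateCovers([string[]]$CertDnsNames, [string]$HostName) {
    # Exact match, or a wildcard that matches exactly one leftmost label (RFC 6125 rule):
    # *.woodgrovebank.com covers hrportal.woodgrovebank.com but NOT hrportal.uag.woodgrovebank.com.
    $h = $HostName.ToLower().TrimEnd('.')
    foreach ($name in $CertDnsNames) {
        $n = $name.ToLower()
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                          # ".woodgrovebank.com"
            if ($h.EndsWith($suffix)) {
                $leftmost = $h.Substring(0, $h.Length - $suffix.Length)
                if ($leftmost.Length -gt 0 -and -not $leftmost.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-CertificateDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17), plus the CN as fallback.
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($true) -split "`r?`n") | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
        }
    }
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    return $names | Select-Object -Unique
}

# --- Worked check with the deck's names and a constructed single-wildcard certificate ---
$trunk     = 'uag.woodgrovebank.com'
$apps      = 'hrportal.woodgrovebank.com', 'hrportal.a.b.woodgrovebank.com',
             'hrportal.uag.woodgrovebank.com', 'hrportal.com'
$certNames = 'uag.woodgrovebank.com', '*.woodgrovebank.com'   # constructed sample SAN list

foreach ($app in $apps) {
    $okName = Test-UagPublicHostName $trunk $app
    $okCert = Test-CertificateCovers $certNames $app
    '{0,-32} trunk rule: {1,-5} certificate: {2}' -f $app, $okName, $okCert
}

# Against the real trunk certificate in the machine store (thumbprint is an assumption):
# $cert = Get-Item Cert:\LocalMachine\My\<thumbprint>
# $names = Get-CertificateDnsNames $cert
# foreach ($app in ($apps + $trunk)) { Test-CertificateCovers $names $app }
```

With the single wildcard in the sample, the two deeper names the page 43 table accepts (hrportal.a.b.woodgrovebank.com and hrportal.uag.woodgrovebank.com) pass the trunk rule but fail the certificate check, because a wildcard matches exactly one label. Either add those names as SAN entries on the trunk certificate or keep application host names directly under the parent domain; browsers will otherwise refuse the trunk with a name-mismatch error after UAG has accepted the configuration.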

Page 45: DEMO / TOUR

Page 46: CONCLUSION

• UAG is a way to go for extranets that need a highly secure deployment
• Big ROI for its other uses as well as SharePoint
• Know your network infrastructure
• Plan your SharePoint install
• Keep access to the local UAG server
• Know your risks

Page 47: Q AND A

Page 48: REFERENCES

• MSDN
• TechNet
• Microsoft Press
• Wikipedia
• http://mikecrowley.files.wordpress.com/2010/11/
• http://www.windowsnetworking.com/articles_tutorials/Understanding-Virtual-Networking-Microsoft-Hyper-V.html
• http://mrshannon.wordpress.com/2010/04/30/setting-ip-addresses-on-a-uag-directaccess-server/
• http://blog.concurrency.com/infrastructure/uag-directaccess-ip-addressing-the-server/
• http://www.bibble-it.com/2010/02/21/forefront-uag-in-10-minutes