An important aspect of deploying
extranet solutions and sites is to choose the proper network topology
for the extranet environment. Different requirements may impact existing
infrastructure and topologies, and may require additional hardware and
configuration. Implementing different topologies can provide additional
benefits, but may require more maintenance and increase the complexity
of the enterprise infrastructure.
Outlining Business Requirements and Extranet Considerations
The business should understand its requirements and goals clearly in the early planning stages, before deploying an extranet solution and environment. The business requirements help identify the design considerations for the extranet. These are some of the most common design considerations for extranets:
Network topology and accessibility— Different topologies serve different needs and requirements and can greatly affect the infrastructure used to provide access. The topology can also affect the types of access requirements used to reach shared network resources.
Identity management (IDM) systems— Used to identify a specific user and to store additional information related to that user. Different identity management systems affect how accounts are managed and how other systems can interface with the platform.
Content security and isolation— In common extranet scenarios, content often has to be isolated from other external users.
Antivirus solutions— Ensuring that external users can access secure and virus-free content and data.
Rich client experience (Office client integration)— SharePoint offers a rich client experience through Office client integration, where users can edit Microsoft Word documents directly from a SharePoint site using different authentication providers while avoiding multiple authentication prompts.
Understanding Common Partner, Vendor, and Client Extranet Scenarios
When designing an extranet solution, understanding the types of users, the collaboration requirements, and the security requirements is important for choosing the type of topology to implement. These factors also change the complexity of implementing and maintaining the extranet solution. Table 1 describes several of the benefits for each type of external user.
Table 1. Types of Extranet Users and Scenarios

| Type of User | Description |
|---|---|
| Remote employees | Access corporate information, line-of-business applications, collaboration sites, and other shared resources remotely from any location. The types of remote employees include employees working from home or customer sites, sales teams, and other geographically dispersed virtual teams. Remote employees are generally managed as part of the primary identity management system of the organization. |
| Partners | Participate in business processes and collaborate via the extranet with employees of the organization. The types of partners include organizations working together in joint ventures, shared projects, and other collaborative scenarios. Partners are usually managed via an identity management system separate from the organization’s own. Some of the challenges in working with partners include managing security, isolating partner data from internal data, and isolating partner data from other partners. |
| Vendors and clients | Access branded and targeted information and content based on product lines or customer profiles. Generally, content is segmented by implementing separate site collections within a farm. Audiences are used to limit content access and reduce the corpus of search results. Vendors and clients accessing branded and targeted information generally require only an identity management system for the external users, because internal resources aren’t shared directly. |
Examining Common Deployment Topologies
Before choosing a
specific topology, it is beneficial to understand several deployment
topologies commonly used for extranet solutions. A topology provides a
detailed view of all the servers, devices, links, and ports in your
network, both physical and logical. Understanding and planning an
appropriate deployment topology will help you avoid inconsistencies or
misconfigurations in your physical and logical network and extranet
solution.
Edge Firewall Topology
This topology, illustrated in Figure 1, uses an edge firewall solution such as Microsoft Forefront UAG, Forefront TMG, or a third-party firewall as a gateway between the intranet and the Internet. This configuration uses the firewall as a reverse proxy server that intercepts requests from the Internet and forwards each request to the appropriate web server located on the intranet. Using a set of configurable rules, the proxy server verifies the requested URL and translates it into the internal URL. This topology has the following advantages and disadvantages:
Advantages
Most economical and simplest solution; it requires the least amount of hardware and configuration.
The entire SharePoint farm resides within the corporate network.
Simplified server management.
Disadvantages
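The URL verification and translation step in the edge firewall description above, as an added example that is not from the original text or from any Forefront product: a small Python model of reverse-proxy publishing rules that refuses anything not explicitly published, assuming a hypothetical partner host name and internal web front end.

```python
"""Added example: a model of edge-firewall publishing rules. Host names,
paths, and the rule format are hypothetical and not from the original text."""
from urllib.parse import urlsplit, urlunsplit
import posixpath

# Hypothetical publishing rules: (external host, path prefix) -> internal base URL.
# A request that matches no rule is refused rather than forwarded to the intranet.
PUBLISHING_RULES = {
    ("partners.contoso.example", "/sites/partners"): "http://spweb01.corp.local/sites/partners",
    ("partners.contoso.example", "/_layouts"): "http://spweb01.corp.local/_layouts",
}


def translate_request(external_url):
    """Return the internal URL for a published request, or None to refuse it."""
    parts = urlsplit(external_url)
    try:
        port = parts.port
    except ValueError:
        return None  # malformed port
    # Only HTTPS on the published port; refuse userinfo in the URL outright.
    if parts.scheme != "https" or parts.username or port not in (None, 443):
        return None
    host = (parts.hostname or "").lower()
    raw_path = parts.path or "/"
    # Refuse backslashes and encoded dots so traversal can't hide from the prefix check.
    if "\\" in raw_path or "%2e" in raw_path.lower():
        return None
    # Normalize "/sites/partners/../../_catalogs" to "/_catalogs" before matching,
    # so the rule prefix is compared against the path the web server would see.
    path = posixpath.normpath(raw_path)
    if raw_path.endswith("/") and path != "/":
        path += "/"
    for (rule_host, prefix), internal_base in PUBLISHING_RULES.items():
        if host == rule_host and (path == prefix or path.startswith(prefix + "/")):
            rest = path[len(prefix):]
            internal = urlsplit(internal_base)
            # Preserve the query string; drop any fragment (never sent by browsers).
            return urlunsplit((internal.scheme, internal.netloc,
                               internal.path + rest, parts.query, ""))
    return None
```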
Back-to-Back Firewall Topology
The back-to-back extranet topology, represented in Figure 2, is the recommended network topology for most organizations. In this topology, all the hardware and data reside in the perimeter network. Optionally, the server farm roles and network infrastructure servers such as Active Directory and Exchange Server can be separated across multiple layers with additional routers or firewalls. This is a flexible topology that allows for additional network layers for greater security. External users access the perimeter network through the external proxy server or firewall, and internal users access the perimeter network through an internal proxy server or firewall. This topology has the following advantages and disadvantages:
Advantages
The corporate network is more secure. If an external user is compromised, only the perimeter network is vulnerable.
The entire SharePoint farm resides within the perimeter network.
External user access is isolated to the perimeter network.
Management of external user accounts is simplified and isolated from the internal identity management system.
Disadvantages
Additional hardware and resources are required for this configuration.
The content databases are vulnerable if the perimeter network is compromised.
Additional overhead is required for managing additional identity management systems.
Split Back-to-Back Firewall Topology
The split back-to-back network topology, shown in Figure 3, is similar to the back-to-back topology and
further splits the SharePoint farm between the perimeter and corporate
networks. The SharePoint web front ends, some application servers, and
some infrastructure servers, such as the external identity management
system and other resources, reside within the perimeter network. The
remaining SharePoint servers and resources, such as the SQL Server
databases and other infrastructure servers, reside within the corporate
network. This topology has the following advantages and disadvantages:
Advantages
The corporate network is even more secure. If an external user is compromised, only the perimeter network is vulnerable, and fewer resources are exposed there.
The content databases are protected even if the perimeter network is compromised.
External user access is isolated to the perimeter network.
Management of external user accounts is simplified and isolated from the internal identity management system.
Disadvantages
The complexity of the solution is greatly increased.
Additional hardware and resources are required for this configuration.
The farm is vulnerable if the perimeter network is compromised and the intruders gain access to the farm accounts.
SharePoint interfarm communication is split between two domains.