SharePoint User Group UK

Hi,

One of our departments has a requirement for external access to their site which is set up in Sites and Workspaces under a higher-level site. (It doesn't matter if they have to access the top level site and then browse to the sub-site.) First of all, does it sound like I'm creating this site in the right place? We're still only getting started, so it's easy to change anything at this stage.

I've been reading about external access, and a lot of what I'm coming across is about security. Our installation is on a single server - everything on one server, but different drives, ie. sharepoint is installed on the C drive, but the databases are on the E drive. Security is very much not my thing, so I need to talk to someone else about this, but I'd like to have some knowledge of what I'm talking about!

Some of what I've found says things like "Protect back-end servers by placing at least one firewall between front-end Web servers and the application and database servers." How does this work if it's all on one server?

Also "Plan a dedicated front-end Web server for crawling content. Do not include this front-end Web server in the end-user front-end Web rotation." Again, with one server how can we have a 'dedicated front-end Web server'? And what's the 'end-user front-end Web rotation'??

Many thanks for any input,
J.

There are going to be many different ways you can solve this little problem. I guess it all comes down to exactly what your business needs are (is this a publishing portal, document management system, team collaboration area, will you be need Office Integration etc) and what’s the size of your wallet. What side of the firewall do you want this box to be on? It sounds like your questioning your architecture so are you looking to split it onto separate boxes, not a bad idea if your looking for performance increases and redundancy, but again depends on what you want to use it for. 

You are very correct in stating security is going to be a big concern, glad to hear your facing up to it :-). Based on what you've said, single server implementation (I assume its behind your firewall right now on the corporate network). There are many different ways you can solve this issue and if you want to keep that box in the right side of your firewall the 2 that instantly spring to mind are a) by using some sort of remote access gateway which will do most of the hard work for you (as long as its setup correctly) something like a Juniper box:http://www.networkworld.com/news/2004/062804juniper.html or b) by using a reverse proxy to send traffic through your firewall and onto your SharePoint server, either way remember SSL is your friend.

We have both mechanisms setup here and both have their advantages and disadvantages, mostly around costs and functionality. I'll be honest we haven’t done much remote access gateway testing so I cant say for sure which one is best. With regards to the reverse proxy idea we have implemented this but this method requires us to use Forms Based Authentication which presents a whole new challenge and understanding. Either way your going to face possible reduced functionality certainly with things like Office integration.

That’s our experience, sorry to say based on what we've done so far its not going to be an easy one, unless someone else has the perfect/better solution (which I would be very interested in myself) I hope you'll find something useful in this post.

Not sure we are a good fit but below is some info...

We answer the question..."How can I securely manage extranet users on SharePoint 2007 while effectively addressing audit, compliance and security requirements?"

From advanced audit reporting, integrated compliance features (watermarking, expiration dates, legal disclosures), site & access discovery tool, Epok Edition for SharePoint leverages internal business users and trusted partners to manage external users reducing IT workload.

We have a 2 minute flash presentation @ http://www.epok.net/flash/demo/epokEdition/epok_edition_preso.html

www.Epok.net

 

Hi Graham,

Thanks for your reply. I'm not looking at splitting onto separate boxes - just wondering how to implement what's being recommended when it's all on one box.

It is behind the firewall at the moment. I really don't know anything about remote access gateways or reverse proxies so I'll mention what you've said to the n/w administrator and see what he thinks.

Rgds,
Jennie.