seaspc 2011 - collaborating with extranet partners on sharepoint 2010
Post on 17-May-2015
PLANNING EXTRANETS WITH SHAREPOINT 2010
Michael Noel
MICHAEL NOEL
• Author of SAMS Publishing titles “SharePoint 2007 Unleashed,” the upcoming “SharePoint 2010 Unleashed,” “SharePoint 2003 Unleashed,” “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed,” “ISA Server 2006 Unleashed,” and many other titles.
• Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco, U.S.A.-based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security
WHAT WE’LL COVER
• Why an Extranet?
• SharePoint 2010 Extranets
• Extranet Architecture Options
• Claims-based Authentication
• Forefront Unified Access Gateway (UAG) for extranets
• Forefront Identity Manager for Identity Management in an Extranet
WHY AN EXTRANET?
WHY AN EXTRANET?
• Security Isolation
  • Isolation of Data
  • Less Exposure, Perimeter Network Scenarios
• Partner Collaboration
  • Share SP Content with External Partners
  • Control Partner Accounts
Anonymous Customer Scenarios are not really Extranets
SHAREPOINT 2010 EXTRANETS
• Claims-based Authentication Support
• Multiple Authentication Providers
• Better Scalability (Services Architecture)
  • Goodbye SSP!
  • Server Groups
  • Services Applications
• Multiple Authentication Types per Web Application
SAMPLE EXTRANET ARCHITECTURE
DESIGN AROUND SECURITY REQUIREMENTS
• Scenario 1: Extranet and Internal Users in Single Farm
  • 1A: Single Web App / Single Site Collection
  • 1B: Single Web App / Separate Site Collections
  • 1C: Multiple Web Apps / Content DBs
  • 1D: Separate App Pool / Service App Group
• Scenario 2: Extranet and Internal Users in Single Farm / Separate Trusted Forests
• Scenario 3: Extranet and Internal Users in Multiple Farms / One-Way Trust
• Scenario 4: Extranet and Internal Users in Separate Farms / Claims-based Auth for Internal Access to Extranet
• Scenario 5: Extranet and Internal Users in Separate Farms / No Access for Internal Accounts to Extranet
• Scenario 6: Separate Farms / AD FS Federation for Extranet Auth
(Scenarios range from Less Secure to More Secure)
EXTRANET SCENARIO 1: EXTRANET AND INTERNAL USERS IN SINGLE FARM
• 1A: Single Web App / Single Site Collection
• 1B: Single Web App / Separate Site Collections
• 1C: Multiple Web Apps / Content DBs
• 1D: Separate App Pool / Service App Group
EXTRANET SCENARIO 2: EXTRANET AND INTERNAL USERS IN SINGLE FARM / SEPARATE TRUSTED FORESTS
EXTRANET SCENARIO 3: EXTRANET AND INTERNAL USERS IN MULTIPLE FARMS AND PERIMETER NETWORK / ONE-WAY TRUST
EXTRANET SCENARIO 4: EXTRANET AND INTERNAL USERS IN SEPARATE FARMS / CLAIMS-BASED AUTH PROVIDER FOR INTERNAL AUTH TO EXTRANET
EXTRANET SCENARIO 5: EXTRANET AND INTERNAL USERS IN SEPARATE FARMS / NO ACCESS FOR INTERNAL ACCOUNTS TO EXTRANET
EXTRANET SCENARIO 6: SEPARATE FARMS / AD FS FEDERATION FOR EXTRANET AUTH
EXTRANET NOTES
ONE-WAY TRUST SCENARIOS
• People Picker needs to be configured to crawl the domain if it doesn’t trust the domain where the SharePoint farm is installed.
• Only with STSADM (rare exception where you can’t use PowerShell)
• Example Syntax:
  stsadm.exe -o setapppassword -password AnyPassw0rd
  stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABC\svc_sppplpick,Password1;domain:extranetabc.com" -url https://extranet.companyabc.com
  stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABC\svc_sppplpick,Password1;domain:extranetabc.com" -url https://spcaext.companyabc.com
• Syntax is critical
• Run against all web apps
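The deck shows the stsadm command typed once per web application with the service account password inline. As an added example (not from the original deck), the PowerShell below wraps the same stsadm operations so they are applied to every content web application in the farm and each stored value is read back, which is where a syntax slip in the forest list shows up. It assumes a SharePoint 2010 farm (14 hive) and a farm administrator session on a web front end; the forest names and service account are the deck's placeholders.

```powershell
# Added example, not from the original deck: apply the one-way-trust People Picker
# setting to every web application in the farm, as the slide recommends.
# Assumptions (placeholders): SharePoint 2010 (hive 14), run as farm admin on a WFE.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe'
if (-not (Test-Path $stsadm)) { throw "stsadm.exe not found at $stsadm" }

# Forests from the deck's example: the internal forest does not trust the extranet
# forest, so the People Picker must query it with an explicit service account; the
# extranet forest the farm lives in needs no credentials.
$internalForest = 'companyabc.com'
$extranetForest = 'extranetabc.com'

# Prompt for the People Picker service account rather than leaving its password in
# the shell history. stsadm still receives it in plain text on its own command line.
$cred = Get-Credential 'COMPANYABC\svc_sppplpick'
$pv   = 'domain:{0},{1},{2};domain:{3}' -f $internalForest, $cred.UserName,
            $cred.GetNetworkCredential().Password, $extranetForest

# setapppassword sets the key that encrypts the stored lookup credentials. It must be
# run once on every web front end with the same value, so it is prompted for as well.
$appKey = (Get-Credential 'setapppassword').GetNetworkCredential().Password
& $stsadm -o setapppassword -password $appKey
if ($LASTEXITCODE -ne 0) { throw 'setapppassword failed' }

# Apply the forest list to every content web application (Central Administration is
# excluded by default) and read each value back so a malformed -pv is caught at once.
foreach ($wa in Get-SPWebApplication) {
    & $stsadm -o setproperty -pn peoplepicker-searchadforests -pv $pv -url $wa.Url
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("setproperty failed for {0}" -f $wa.Url)
        continue
    }
    # getproperty echoes what SharePoint stored for this web application.
    & $stsadm -o getproperty -pn peoplepicker-searchadforests -url $wa.Url
}
```

If the value is accepted but the People Picker still returns nothing for internal accounts, the usual causes are a forest name that does not resolve from the perimeter network or a service account that lacks read access to the internal directory; both surface as empty search results rather than as a stsadm error.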
DESIGN FOR CLIENTLESS ACCESS TO SHAREPOINT
• Services Applications for Extranet Clients:
  • Word Services
  • Excel Services
  • Visio Services
  • Access Services
  • InfoPath Forms Services
• Allows ‘Clientless’ access to SharePoint content, for Extranet partners without Office
STANDARD REQUIREMENTS APPLY TO EXTRANETS AS WELL
• SharePoint-aware Antivirus
  • i.e. Forefront Protection for SharePoint
• SharePoint-aware Backup and Restore
  • i.e. System Center Data Protection Manager (DPM) 2010
• Rights Management?
  • Active Directory Rights Management Services (AD RMS)
CONTENT DEPLOYMENT WITH EXTRANETS
CLAIMS-BASED AUTHENTICATION
CLAIMS-BASED AUTH
• SharePoint doesn’t actually Authenticate Users, it relies on IIS or other providers
• SharePoint 2010 Allows for Classic and Claims-based Auth Scenarios
• Classic Authentication is similar to SharePoint 2007
• Claims-based Auth adds the following key benefits:
  • Allows for Multiple Authentication Types per Web Application Zone
  • Removes SharePoint from the Authentication Provider
  • Allows for federation between organizations (AD FS, etc.) scenarios
  • Does not require Kerberos Delegation
• Remember the difference between Authentication and Authorization…
CLASSIC VS. CLAIMS-BASED AUTH
Type                                                                                                     | Classic-mode authentication | Claims-based authentication
Windows: NTLM, Kerberos, Anonymous, Basic, Digest                                                        | Yes                         | Yes
Forms-based authentication: LDAP, SQL database or other database, custom or third-party membership and role providers | No             | Yes
SAML token-based authentication: AD FS 2.0, third-party identity provider, LDAP                          | No                          | Yes
MIXED-MODE VS. MULTI-AUTHENTICATION
EXAMPLE: PARTNER ENVIRONMENT WITH MULTIPLE AUTH TYPES ON SINGLE W.A.
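The slide above is a diagram in the original deck. As an added example (not from the deck, and not Microsoft sample code), the PowerShell below builds the configuration it depicts: one claims-based web application whose default zone accepts Windows logins for internal users and SAML tokens from a trusted AD FS 2.0 issuer for partner users. The host names, realm, managed account, database name and certificate path are placeholders.

```powershell
# Added example, not from the original deck: a claims web application with two
# authentication providers on the same zone (Windows + SAML/AD FS 2.0).
# All names, URLs and paths below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Trust the partner-facing AD FS token-signing certificate (exported from AD FS).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            'C:\certs\adfs-token-signing.cer'   # placeholder path
New-SPTrustedRootAuthority -Name 'Partner AD FS token signing' -Certificate $cert | Out-Null

# 2. Declare which incoming claims SharePoint will accept. E-mail is the identifier
#    claim; the role claim lets partner groups be mapped to SharePoint permissions.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name 'Partner AD FS' `
    -Description 'AD FS 2.0 federation for extranet partners' `
    -Realm 'urn:sharepoint:extranet' `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap,$roleMap `
    -SignInUrl 'https://adfs.companyabc.com/adfs/ls/' `
    -IdentifierClaim $emailMap.InputClaimType

# 3. Two providers for one zone. NTLM is chosen for the Windows provider so no SPN
#    or delegation setup is needed, matching the deck's point about claims and Kerberos.
$winProvider  = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
$samlProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer

# 4. Create the claims web application with both providers on its default zone.
$wa = New-SPWebApplication -Name 'Extranet Collaboration' `
    -Url 'https://extranet.companyabc.com' -Port 443 -SecureSocketsLayer `
    -HostHeader 'extranet.companyabc.com' `
    -ApplicationPool 'ExtranetAppPool' `
    -ApplicationPoolAccount (Get-SPManagedAccount 'COMPANYABC\svc_spextranet') `
    -DatabaseName 'WSS_Content_Extranet' `
    -AuthenticationProvider $winProvider,$samlProvider

# 5. Verify: claims mode is on and both providers are offered on the default zone.
$wa.UseClaimsAuthentication
Get-SPAuthenticationProvider -WebApplication $wa -Zone Default | Select-Object DisplayName
```

With two providers on one zone, users are shown a sign-in selection page and choose Windows or the partner AD FS; that is the multi-authentication arrangement the deck contrasts with mixed mode, where each provider sits on its own zone and URL. Because the SAML identity is the e-mail claim, permissions for partners should be granted to the role claim or to the e-mail identity, never to a Windows account name.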
FOREFRONT UNIFIED ACCESS GATEWAY 2010
UAG ARCHITECTURE
[Diagram: client populations on the Internet (Business Partners / Sub-Contractors, Home / Friend / Kiosk, Employees’ Managed Machines, Mobile) reach UAG over DirectAccess, HTTPS (443) or Layer 3 VPN; UAG authenticates against AD, ADFS, RADIUS, LDAP, NPS or ILM and publishes applications in the Data Center / Corporate Network: Exchange, CRM, SharePoint, IIS-based applications, IBM / SAP / Oracle, Terminal / Remote Desktop Services, and non-web applications over HTTPS / HTTP.]
WHAT ABOUT TMG? (NEW ISA)
Capability                                                                    | TMG 2010 | UAG 2010
Publish Web applications using HTTPS                                          | X        | X
Publish internal mobile applications to roaming mobile devices                | X        | X
Layer 3 firewall                                                              | X        | X*
Outbound scenarios support                                                    | X        | X*
Array support                                                                 | X (single X in source; column not recoverable)
Globalization and administration console localization                         | X (single X in source; column not recoverable)
Wizards and predefined settings to publish SharePoint sites and Exchange      | X        | X
Wizards and predefined settings to publish various applications               |          | X
Active Directory Federation Services (ADFS) support                           |          | X
Rich authentication (for example, one-time password, forms-based, smart card) | X        | X
Application protection (Web application firewall)                             | Basic    | Full
Endpoint health detection                                                     |          | X
Information leakage prevention                                                |          | X
Granular access policy                                                        |          | X
Unified Portal                                                                |          | X
WHAT IS FOREFRONT IDENTITY MANAGER?
[Diagram: Forefront product family, with Identity and Access Management alongside Secure Messaging, Secure Endpoint, Secure Collaboration, Active Directory® Federation Services and Information Protection.]
WHY FIM FOR SHAREPOINT?
MANAGE SHAREPOINT IDENTITIES
• Create Multiple Authentication Providers for SharePoint Farms
  • AD DS Forests (Extranet forests)
  • AD LDS Authentication Providers
  • SQL Table (FBA) Authentication Sources
  • LDAP Providers
  • Etc…
• Keep those Authentication Providers Managed
IDENTITY MANAGEMENT: USER PROVISIONING FOR SHAREPOINT AND OTHER APPLICATIONS
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automates the process of on-boarding users
[Diagram: the HR System feeds FIM, whose Workflow routes User Enrollment to a Manager for Approval; once approved, the user is provisioned on all allowed systems: Active Directory, Extranet Forest, Test Forest, FBA Table, LOB App.]
IDENTITY MANAGEMENT: USER DE-PROVISIONING
• Automated user de-provisioning
• Built-in workflow for identity management
• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
[Diagram: the HR System marks the user de-provisioned; the FIM Workflow de-provisions or disables the user on all systems: Active Directory, Extranet Forest, Test Forest, FBA Table, LOB App, VPN.]
IDENTITY SYNCHRONIZATION AND CONSISTENCY: IDENTITY SYNCHRONIZATION ACROSS MULTIPLE DIRECTORIES
[Diagram: FIM performs Identity Data Aggregation across LDAP, Extranet AD, Internal AD and the HR System. Each source holds the attributes givenName, sn, title, mail, employeeID and telephone for the same person in inconsistent form (Sammy Dearling with employeeID 008; Samara Darling, 007; Sam Dearing, title Intern, 007; Samantha Dearing, Coordinator, 007, someone@example.com, 555-0129). The aggregated record is Samantha Dearing, employeeID 007, Coordinator, someone@example.com, 555-0129.]
IDENTITY SYNCHRONIZATION AND CONSISTENCY: IDENTITY CONSISTENCY ACROSS MULTIPLE DIRECTORIES
[Diagram: Attribute Ownership is assigned per source system for First Name / Last Name, Employee ID, Title and Telephone. FIM performs Identity Data Brokering (Convergence) between the HR System, LDAP, Extranet AD and Internal AD, replacing the conflicting records (Sammy Dearling, Samara Darling, Sam Dearing, Bob Dearing) in every directory with the authoritative values: Samantha Dearing, employeeID 007, Coordinator, someone@example.com, 555-0129.]
CUSTOMIZABLE IDENTITY PORTAL
SharePoint-based Identity Portal for Management and Self Service
How you extend it:
• Add your own portal pages or web parts
• Build new custom solutions
• Expose new attributes to manage by extending the FIM schema
• Choose a SharePoint theme to customize look and feel
CUSTOMIZABLE IDENTITY PORTAL
• Can be used to allow Extranet Partners to perform Self-Service Management
  • Give control of Account Management to users/administrators of the extranet partner
  • Secure access to the portal through VPN/Reverse Proxy
  • Portal in the DMZ
• Can be used for Self-Service Password Reset (via domain-joined computer)
• Streamline deployment by enrolling user and computer certificates without user intervention
• Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
• Can be used to automate Certificate management for dual factor auth approaches to SharePoint logins
STRONG AUTHENTICATION—CERTIFICATE AUTHORITY
[Diagram: HR System, FIM, FIM CM, Active Directory Certificate Services (AD CS) and the End User with a User ID and Password and a SmartCard. Flow:
• User Enrollment and Authentication request sent by HR System
• FIM policy triggers request for FIM CM to issue certificate or SmartCard
• User is validated using multi-factor authentication
• FIM Certificate Management (CM) requests certificate creation from AD CS
• Certificate is issued to user and written to either machine or smart card]
REAL WORLD FIM USAGE SCENARIOS
FIM FOR EXTRANET FOREST MGMT
• Internal AD DS Forest
• DMZ Extranet AD DS Forest
• FIM Auto-provisions certain user accounts in Extranet forest and keeps Passwords in Sync to allow Internal users to access/collaborate with Partners
• FIM allows Self-Service Portal Access for Extranet user accounts in the partner forest
• Two-factor Auth scenarios, to automate provisioning of user accounts AND certificates to systems
FIM FOR ROLE BASED ACCESS CONTROL
• FIM is central to RBAC Strategy
• Can auto-add users to Groups based on RBAC Criteria
• HR Defines a user’s access based on their role
• FIM auto-adds that user to specific Role Groups in AD DS, which are tied to SharePoint Groups that have the rights that role requires.
[Diagram: User1 and User2 are members of a Role Group in AD DS, which is in turn a member of a SharePoint Group.]
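The slide leaves the SharePoint side of the binding implicit. As an added example (not from the original deck), the PowerShell below wires AD DS role groups, whose membership FIM maintains, into SharePoint groups on an extranet site collection, so that a role change in HR flows through FIM to the AD group and from there to SharePoint permissions without anyone editing SharePoint. The site URL, group names and permission levels are placeholders.

```powershell
# Added example, not from the original deck: bind FIM-managed AD DS role groups to
# SharePoint groups so SharePoint permissions follow the role, not the person.
# The site URL, domain, group names and permission levels are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = 'https://extranet.companyabc.com/sites/partnerproject'

# One row per RBAC role: AD role group -> SharePoint group -> single permission level.
$roleBindings = @(
    @{ RoleGroup = 'COMPANYABC\Role-PartnerContributor'; SPGroup = 'Partner Contributors'; Permission = 'Contribute' },
    @{ RoleGroup = 'COMPANYABC\Role-PartnerReviewer';    SPGroup = 'Partner Reviewers';    Permission = 'Read' }
)

$web = Get-SPWeb $siteUrl
try {
    foreach ($b in $roleBindings) {
        $group = $web.SiteGroups[$b.SPGroup]
        if ($group -eq $null) {
            # Create the SharePoint group and grant it exactly one permission level.
            $web.SiteGroups.Add($b.SPGroup, $web.Site.Owner, $null, "RBAC role: $($b.RoleGroup)")
            $group = $web.SiteGroups[$b.SPGroup]
            $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
            $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$b.Permission])
            $web.RoleAssignments.Add($assignment)
        }
        # The AD role group is the only member; who belongs to it is FIM's job, not
        # SharePoint's. On a claims web application SharePoint resolves the DOMAIN\group
        # alias to its claims-encoded login when it adds the member.
        New-SPUser -UserAlias $b.RoleGroup -Web $web -Group $b.SPGroup | Out-Null
    }

    # Verify: each SharePoint group should contain the role group and nothing else.
    foreach ($b in $roleBindings) {
        $members = Get-SPUser -Web $web -Group $b.SPGroup | Select-Object -ExpandProperty UserLogin
        '{0} -> {1}' -f $b.SPGroup, ($members -join ', ')
    }
}
finally {
    $web.Dispose()
}
```

Keeping individual accounts out of the SharePoint groups is what makes the de-provisioning slide work end to end: when FIM removes a user from the role group, their SharePoint access ends with it, and an audit of the SharePoint groups reduces to checking that each still contains only its role group.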
SESSION SUMMARY
• Understand the Extranet Design Options for 2010
• Keep Extranet Accounts out of local AD
• Determine how Identities will be Managed
• Use FIM for Identity Management, Self-Service, and Provisioning/Deprovisioning of Extranet Accounts
• Use UAG to secure inbound access to extranets/intranets
Thank you to our Sponsors
Gold Sponsors
Silver Sponsors
Bronze Sponsors
THANKS FOR ATTENDING! QUESTIONS?
Michael Noel
Twitter: @MichaelTNoel
www.cco.com
Slides: slideshare.net/michaeltnoel