SharePoint in the SharePoint in the ExtranetExtranet

Joel Oleson & Charles OforiJoel Oleson & Charles OforiMicrosoft CorporationMicrosoft Corporation

AgendaAgenda

Side by Side Comparison of 3 Side by Side Comparison of 3 SharePoint Extranet DeploymentsSharePoint Extranet Deployments

IT Windows SharePoint Services (WSS) IT Windows SharePoint Services (WSS) Extranet DeploymentExtranet DeploymentIntellectual Capital Exchange (ICE)Intellectual Capital Exchange (ICE)Microsoft Managed Solutions (MMS) – Microsoft Managed Solutions (MMS) – Spsites.microsoft.comSpsites.microsoft.com

Issues & ChallengesIssues & ChallengesWindows R2 Extranet Enhancements Windows R2 Extranet Enhancements & ADFS - Discussion& ADFS - DiscussionResourcesResourcesQ/AQ/A

Side by Side Comparison Side by Side Comparison Microsoft’s SharePoint Microsoft’s SharePoint Extranet DeploymentsExtranet Deployments

Service ComparisonService ComparisonIT WSS IT WSS ExtranetExtranet ICEICE MMS MMS

SPSitesSPSitesWSS HostingWSS Hosting

My Site HostingMy Site Hosting

Portal HostingPortal Hosting

Site DirectorySite Directory

SPS SearchSPS Search

Topics & AreasTopics & Areas

Existing AD AccountsExisting AD Accounts

Custom Web ServicesCustom Web Services

ADFSADFS

Partner Account AccessPartner Account Access

AD Account Creation ModeAD Account Creation Mode

MMS TopologyMMS Topology

MMS ServicesMMS Serviceshttps://https://

spsites.microsoft.comspsites.microsoft.com

10,000’s10,000’sWSS SitesWSS Sites

10,000’s10,000’sMy SitesMy Sites

Site DirectorySite Directory

ICE TopologyICE Topology

ICEICEhttp://icehttp://ice

https://ice.partners.extranet.microsoft.comhttps://ice.partners.extranet.microsoft.com

Topics & AreasTopics & Areas

My ICEMy ICE

Sub AreasSub Areas

CustomWeCustomWeb Serviceb Service

Dublin

Singapore

Redmond

AmericasAmericasTeamTeam

https://*.team.partners.extranet.microsoft.comhttps://*.team.partners.extranet.microsoft.comhttps://https://

*.eteam.partners.extranet.microsoft.com*.eteam.partners.extranet.microsoft.comhttps://https://

*.spteam.partners.extranet.microsoft.com*.spteam.partners.extranet.microsoft.com

Asia/SouthPacificAsia/SouthPacificSPTeamSPTeam

EuropeEuropeETeamETeam

IT WSS Extranet TopologyIT WSS Extranet Topology

HardwareHardware

3 Web

2 Search

1 Index/Job

2 WSS Web

(A/P)SQL

Cluster

2 Web/Search

1 Index/Job

SQL(A/P)SQL

Cluster

ISA 2004/Web Publishing BigIPBigIP

IT WSS ExtranetMMS SPSitesICE

3 Extranet Deployments3 Extranet Deployments

Business & IT RequirementsBusiness & IT RequirementsInfrastructure/Architecture SolutionInfrastructure/Architecture SolutionAdd-onsAdd-onsWorkaroundsWorkaroundsHow’s it going???How’s it going???

IT WSS Extranet IT WSS Extranet DeploymentDeployment

IT WSS Extranet – IT WSS Extranet – RequirementsRequirementsScalable Hosting WSSScalable Hosting WSS

BusinessBusinessEasy to Collaborate with PartnersEasy to Collaborate with PartnersUse Existing Internal AccountsUse Existing Internal AccountsScalable & Highly AvailableScalable & Highly AvailableAccounts for partner collaborationAccounts for partner collaboration

IT & SecurityIT & SecuritySecure Collaboration - 2 Factor AuthSecure Collaboration - 2 Factor Auth

Grandfathered w/ 2000 OWA Model (Basic over SSL)Grandfathered w/ 2000 OWA Model (Basic over SSL)Client certs too much overhead didn’t meet #1Client certs too much overhead didn’t meet #1

No Anonymous AccessNo Anonymous AccessWeb Servers: IP masked, no ICMPWeb Servers: IP masked, no ICMPOnly SSL port allowed (Admin port blocked)Only SSL port allowed (Admin port blocked)No Corp ResourcesNo Corp Resources

IT Extranet WSS SolutionIT Extranet WSS Solution

Auth: Basic over SSLAuth: Basic over SSLAccounts: One way NTLM trust Accounts: One way NTLM trust between partner domain and corp between partner domain and corp child domains (requires AD ports open child domains (requires AD ports open to internal DCs for auth)to internal DCs for auth)Partner account provisioning & Partner account provisioning & management system: Use Existing management system: Use Existing (https://www.partners.extranet.microsoft.co(https://www.partners.extranet.microsoft.com)m)Leverage Existing Extranet Onboarding Leverage Existing Extranet Onboarding processprocessHardware: Stand Alone Deployment in DMZHardware: Stand Alone Deployment in DMZ

Extranet ProvisioningExtranet Provisioning

ICE DeploymentICE Deployment

ICE RequirementsICE Requirements

BusinessBusinessTransparent LoginTransparent Login

Web Single Sign On (not SPS SSO)Web Single Sign On (not SPS SSO)Use existing NT accountsUse existing NT accountsHosted SharePoint like it is on Corp @ Hosted SharePoint like it is on Corp @ Home and on the GoHome and on the Go

IT & SecurityIT & SecurityFirewalled (DMZ)Firewalled (DMZ)Intrusion DetectionIntrusion DetectionIPSec between Corp Clients & Managed IPSec between Corp Clients & Managed ServersServers128 bit SSL128 bit SSLNo Corp Connectivity, no Internet No Corp Connectivity, no Internet ConnectivityConnectivitySeparate Forest from Corp and Other Separate Forest from Corp and Other CustomersCustomers

MMS Spsites DeploymentMMS Spsites Deployment

MMS RequirementsMMS Requirements

BusinessBusinessTransparent LoginTransparent Login

Web Single Sign On (not SPS SSO)Web Single Sign On (not SPS SSO)Use existing NT accountsUse existing NT accountsHosted SharePoint like it is on Corp @ Hosted SharePoint like it is on Corp @ Home and on the GoHome and on the Go

IT & SecurityIT & SecurityFirewalled (DMZ)Firewalled (DMZ)Intrusion DetectionIntrusion DetectionIPSec between Corp Clients & Managed IPSec between Corp Clients & Managed ServersServers128 bit SSL128 bit SSLNo Corp Connectivity, no Internet No Corp Connectivity, no Internet ConnectivityConnectivitySeparate Forest from Corp and Other Separate Forest from Corp and Other CustomersCustomers

Issues and ChallengesIssues and Challenges

Key Issues for MS Key Issues for MS Extranet or Extranet or Internet Enabled DInternet Enabled Deploymentseployments

This is on top of general issues of This is on top of general issues of scaling, high-availability, scaling, high-availability, manageability, etc.manageability, etc.

Four Primary ChallengesFour Primary ChallengesSecuritySecurityCross Forest IssuesCross Forest IssuesAccount ManagementAccount Management Client Facing IssuesClient Facing Issues

SecuritySecurity

Security team wants 2 factor Security team wants 2 factor authenticationauthenticationSecurity wanted Digest authenticationSecurity wanted Digest authenticationSecurity wanted Forms authenticationSecurity wanted Forms authenticationBasic over SSL is not good enough…Basic over SSL is not good enough…Pre-existing security standardsPre-existing security standardsServices/App Pools need to run with Services/App Pools need to run with account in the same domain (MMS)account in the same domain (MMS)Password service account restrictions Password service account restrictions make maintenance painfulmake maintenance painful

Cross Forest Issues (MMS)Cross Forest Issues (MMS)

Manage Users Address book fails to work Manage Users Address book fails to work when email address & NT user name do not when email address & NT user name do not matchmatchLookups fail when User domain does not Lookups fail when User domain does not trust resource domain and Trust is at the trust resource domain and Trust is at the forest level (works with domain (NTLM) forest level (works with domain (NTLM) trust)trust)

Display Name and Email address will not be Display Name and Email address will not be populatedpopulatedRequires user to know NT account or NT Security Requires user to know NT account or NT Security GroupGroup

Document Workspace/Meeting Workspace Document Workspace/Meeting Workspace creation from Outlook/Office doesn’t creation from Outlook/Office doesn’t permission other users (lookup failure)permission other users (lookup failure)Sybari Antigen for SharePoint fails to Sybari Antigen for SharePoint fails to install/function with account in different install/function with account in different forestforest

Account Management Account Management (IT WSS/ICE)(IT WSS/ICE)

AD is the account repository (live or AD is the account repository (live or die by it)die by it)Painful Process for managing partner Painful Process for managing partner accounts – account creation and accounts – account creation and password management (listen to our password management (listen to our story)story)Active Directory Account Creation Active Directory Account Creation ModeMode

Only for Windows SharePoint ServicesOnly for Windows SharePoint ServicesCannot coexist with pre-existing accountsCannot coexist with pre-existing accounts

Client Facing IssuesClient Facing Issues

Web capture web part doesn’t work with Web capture web part doesn’t work with SSLSSLMixed content for online web parts (HTTP Mixed content for online web parts (HTTP vs. HTTPS)vs. HTTPS)Web Folder security promptWeb Folder security promptTransparent Login requires Intranet Zone or Transparent Login requires Intranet Zone or special IE securityspecial IE securityURL Length (256 & 260)URL Length (256 & 260)Internal vs. External URL path issues (Use Internal vs. External URL path issues (Use Alternate Access (Alert links, invalid Alternate Access (Alert links, invalid extranet links, confusion)extranet links, confusion)

What’s ComingWhat’s Coming

Windows 2003 R2 & ADFSWindows 2003 R2 & ADFS

ADFS for Windows 2003 ADFS for Windows 2003 R2 & WSSR2 & WSSWindows Server 2003 R2 servers configured as Windows Server 2003 R2 servers configured as

federation servers can provide access to federation servers can provide access to Windows SharePoint ServicesWindows SharePoint Services sites over the sites over the Internet (Not SPS)Internet (Not SPS)Your network and the network in your partner Your network and the network in your partner organization both need to support ADFSorganization both need to support ADFS

Shadow accounts setup in the resource partner if no forest Shadow accounts setup in the resource partner if no forest trust exists between both partner organizations. trust exists between both partner organizations. Federation trust between both partner organizationsFederation trust between both partner organizationsWeb server configured with prerequisite applicationsWeb server configured with prerequisite applicationsWeb server with valid SSL certificateWeb server with valid SSL certificateADFS Web Service Agent on the Web server hosting ADFS Web Service Agent on the Web server hosting Windows SharePoint ServicesWindows SharePoint ServicesWindows SharePoint Services with Windows Server 2003 Windows SharePoint Services with Windows Server 2003 R2R2Windows SharePoint Services site users in the account Windows SharePoint Services site users in the account partner organization setup with permissionspartner organization setup with permissionshttp://download.microsoft.com/download/9/3/e/93eff406-http://download.microsoft.com/download/9/3/e/93eff406-5dd6-442d-bedd-082ef29a6d22/ADFSStepbyStep.doc5dd6-442d-bedd-082ef29a6d22/ADFSStepbyStep.doc

Windows R2 & Windows Windows R2 & Windows SharePoint Services SharePoint Services Extranet Enhancements!!!Extranet Enhancements!!!

Support for IP-bound virtual serversSupport for IP-bound virtual servers* Support for Advanced Extranet Configurations* Support for Advanced Extranet Configurations

SSL TerminationSSL TerminationHost Header ModificationHost Header ModificationPort TranslationPort Translation

Kerberos enabled by default on single box new installationKerberos enabled by default on single box new installationWindows SharePoint Services running on ASP.NET 2.0 Windows SharePoint Services running on ASP.NET 2.0 (Whidbey)(Whidbey)Windows SharePoint Services support for Windows x64 Windows SharePoint Services support for Windows x64 editionseditions

http://www.microsoft.com/downloads/http://www.microsoft.com/downloads/details.aspx?FamilyIddetails.aspx?FamilyId=ABBA20F2-3625-4C9C-A412-AB9BBEBDB5E8&displaylang==ABBA20F2-3625-4C9C-A412-AB9BBEBDB5E8&displaylang=enen

* Applies only to Non Scalable Hosting Mode Configurations or * Applies only to Non Scalable Hosting Mode Configurations or NonNon Farms that support Multiple Hostnames on a single IIS Farms that support Multiple Hostnames on a single IIS virtual server.virtual server.

Session SummarySession Summary

SharePoint in the Extranet – No SharePoint in the Extranet – No problemproblemScalable and Enterprise Ready – YesScalable and Enterprise Ready – YesSecure – YesSecure – YesWindows R2 – Removes deployment Windows R2 – Removes deployment blockersblockers

Resources: How Microsoft Does ITResources: How Microsoft Does ITResources from Microsoft ITResources from Microsoft IT

See us at our Ask the Experts table!See us at our Ask the Experts table!

Microsoft IT | ShowcaseMicrosoft IT | ShowcaseResources created for the IT Pro on how Microsoft does ITResources created for the IT Pro on how Microsoft does IThttp://itshowcase/ http://itshowcase/

Customer-ready content on DVD—Get one at the IRCCustomer-ready content on DVD—Get one at the IRCOrder for customer events and meetings!Order for customer events and meetings!http://itshowcase/ordercd http://itshowcase/ordercd

Customer Connection—Peer to peer discussions with Microsoft IT Customer Connection—Peer to peer discussions with Microsoft IT professionalsprofessionalshttp://itshowcase/itcustomerconnection http://itshowcase/itcustomerconnection

Content on the Web—TechNet Content on the Web—TechNet http://www.microsoft.com/technet/itshowcase/ http://www.microsoft.com/technet/itshowcase/

Webcasts on how Microsoft does ITWebcasts on how Microsoft does IThttp://itshowcase/webcasts/ http://itshowcase/webcasts/

Microsoft IT | FellowshipMicrosoft IT | FellowshipBringing Microsoft IT and Services together for best practice sharing, Bringing Microsoft IT and Services together for best practice sharing, problem solving workshops, and knowledge transferproblem solving workshops, and knowledge transferhttp://itfellowship http://itfellowship

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.