Considering which approach would be better... We are building a SharePoint farm on an internal network private namespace using SharePoint 2013 with Claims. The customer has an ADFS 2.0 server with AD on the internal network. The customer has a Perimeter network that external users must go through to reach internal services. Customer requirements are that AD and ADFS 2.0 resources must not be located in the Perimeter network; proxy access is OK.
1.] SSO for external users (login one time): they can hit site collections and links in one site collection referencing another site collection; we don't want the double prompts like using NTLM and TMG from the outside.
2.] Internal users on the corporate LAN can access SharePoint 2013 from their domain-joined machines seamlessly, that is, they only log in once locally to their machine in the morning and can then hit the SharePoint 2013 resources they have permission to, without being prompted throughout the day.
3.] Both internal and external users hit the same SharePoint site (identical URLs internal and external), and users outside and inside need to collaborate in the same site collection.
4.] Would like the architecture to support, in the future, a federated trust with a Partner who is using claims, so that the remote security objects can be leveraged rather than duplicating the accounts in the corporate directory.
Option 1: Internal users hit SharePoint 2013 directly on the internal LAN; remote users come in through the Perimeter and UAG.
- Configure the internal SharePoint 2013 resources using Claims and the internal ADFS 2.0 server. In doing so, would we need Kerberos configured for the internal users to have seamless access on the internal SharePoint 2013 claims web applications?
- Configure UAG for remote users (corporate users with AD accounts) for one-time sign-in. Publish both the ADFS 2.0 server and the SharePoint 2013 site from the internal network to the DMZ?
Option 2: All users access SharePoint 2013 through the Perimeter network.
- Configure internal SharePoint 2013 resources using Claims and ADFS 2.0 on the internal network, but do not permit client access directly from the internal network; force all traffic to access resources through the DMZ.
- Configure UAG for both external and internal users; access is from the UAG server in the DMZ. Same question: would this approach require us to publish both the ADFS 2.0 server and the SharePoint 2013 site from the internal network to the DMZ?
Seeking input from Architects who have had some experience with similar access requirements. Should I be considering other approaches?
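An added example, not part of the original post, of the SharePoint side of the first step in Option 1: registering the internal ADFS 2.0 server as a SAML trusted identity provider on SharePoint 2013 from the SharePoint Management Shell, while keeping Windows authentication on the same zone so domain-joined internal clients are not sent to the federated sign-in. The certificate path, realm (`urn:sharepoint:portal`), ADFS sign-in URL, web application URL and the two claim types are assumptions chosen for illustration, not values from the poster's environment.

```powershell
# Added example, not the original poster's script. Registers ADFS 2.0 as a
# SAML trusted identity provider in SharePoint 2013 and enables it on a web
# application alongside Windows (Kerberos/NTLM) authentication so domain-joined
# internal clients can still sign in without a federated prompt.
# All paths, URLs and names below are assumptions for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# ADFS token-signing certificate exported (public key only) from the internal
# ADFS 2.0 server. SharePoint uses it to validate token signatures; the ADFS
# server itself stays on the internal network, only this public cert travels.
$certPath  = "C:\certs\adfs-token-signing.cer"        # assumption
$realm     = "urn:sharepoint:portal"                  # assumption; must equal the relying party identifier in ADFS
$signInUrl = "https://adfs.corp.contoso.com/adfs/ls"  # assumption; ADFS passive (WS-Federation) endpoint
$webAppUrl = "https://portal.contoso.com"             # assumption; the single URL used inside and outside

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert | Out-Null

# Map the incoming SAML claims SharePoint will consume. The identifier claim is
# what SharePoint treats as the user's identity, so it must be unique and stable
# across the corporate directory and any future partner federation.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$adfsProvider = New-SPTrustedIdentityTokenIssuer -Name "ADFS" `
    -Description "Internal ADFS 2.0" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim, $roleClaim `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailClaim.InputClaimType

# Keep Windows authentication on the Default zone (Kerberos when SPNs are
# registered for the app pool account, NTLM otherwise) so internal domain
# clients get seamless sign-in, and add the ADFS provider to the same zone for
# external users and, later, a federated partner.
$winProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $webAppUrl -Zone Default `
    -AuthenticationProvider $winProvider, $adfsProvider

# Verify what the farm now trusts.
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS" |
    Format-List Name, DefaultProviderRealm, ProviderUri
```

On the ADFS side a matching relying party trust is needed with the same identifier (`urn:sharepoint:portal` here) and the web application's `/_trust/` endpoint as the WS-Federation passive endpoint, issuing at least the two claims mapped above. With two providers on one zone, SharePoint 2013 shows a sign-in selection page rather than choosing automatically; a custom sign-in page that routes by client source address is the usual way to keep requirement 2 (no prompt for internal domain-joined clients) while still letting perimeter traffic use ADFS.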