Sharepoint Extranet Configuration and ports
-
Wednesday, April 18, 2012 5:36 PM
Hi.... I'm new to SharePoint extranet design. We are creating an extranet site and need to host it in an extranet DMZ.
So the basic question is: do we need to pull one web front end from the intranet environment and plug it into the extranet DMZ?
If so, how does the web front end work there, since it's running on intranet service accounts and the extranet DMZ will not recognise those service accounts?
I also have a list of ports to open to talk with CA, but I'm not sure how and where to start.
Appreciate your help.
Thanks!
SPVIRU
All Replies
-
Wednesday, April 18, 2012 5:56 PM Moderator
So this is generally not the best idea. The problem is that you will have to open up so many ports between the DMZ and Internal network to make this work that it is not worth the effort.
If you have a separate Active Directory in the DMZ and want to join the DMZ SharePoint Server to that Active Directory, you'll have to set up a trust between the internal/DMZ ADs. SharePoint must be run with the same accounts as your internal SharePoint Servers are using.
If you want to continue to use internal AD accounts on your DMZ SharePoint Servers, then you'll have to open up all ports required for Active Directory communication (and given DCOM is random by default above 1024, this doesn't make sense).
Your goal should be to move all SharePoint Servers entirely in the DMZ, or leave them entirely in the internal network, depending on your acceptable risk factor.
http://sharepoint.nauplius.net
-
Wednesday, April 18, 2012 6:56 PM
Thank you... Appreciate your help :)
Currently I have a SharePoint farm with 4 web front ends, an app server and an index server, where the current intranet portal is hosted.
I cannot completely move these servers to the DMZ because they are used for the intranet portal, and I cannot set up entirely new servers on the extranet.
Using these intranet servers I have to configure one extranet site collection for a department. Does that mean
I have only one option?
1) Move one web front end server to the DMZ, set up a trust between the internal/DMZ AD and open all the required ports?
Thanks!
SPVIRU
-
Wednesday, April 18, 2012 8:07 PM Moderator
You could leave everything in the Internal network and just open up tcp/443 from the Internet to the internal SharePoint WFE(s), or use NAT as applicable. There is nothing, SharePoint-wise, that forces you to place a SharePoint Server in a DMZ to serve content in an Internet/Extranet scenario.
However, if you were to place a SharePoint in the DMZ and join that SharePoint Server to the local DMZ AD, yes, you would want to create a two way trust, open up the ports between the internal and DMZ DCs, then also open up the ports between the DMZ SharePoint Server and the internal DCs for the People Picker to function correctly. See http://blogs.technet.com/b/wbaer/archive/2009/01/21/people-picker-port-protocol-requirements.aspx.
http://sharepoint.nauplius.net
-
Wednesday, April 18, 2012 8:30 PM
Great, thank you so much, you made my day. In this case I think the first option will be the best one:
let all SharePoint servers stay in the intranet and just open up tcp/443 from the Internet to the internal SharePoint WFE(s). If I ask my network team to open tcp/443, do you think that should be enough, or do I need to share any other details with the network team?
Thanks!
SPVIRU
-
Wednesday, April 18, 2012 8:54 PM Moderator
They should know the rest of the configuration.
http://sharepoint.nauplius.net
-
Thursday, April 26, 2012 11:26 PM
Sorry to come back after a long time on this. It looks like my network team is interested in moving two web front end servers to the DMZ; maybe the network team is not aware of the effort involved, or maybe they feel it's more secure than opening tcp/443 from the Internet to the internal SharePoint WFE(s).
I need to explain to them tomorrow which one is the more secure/reliable/easy option. Can you please share any article or put down some points, so that I can understand it in detail.
Appreciate your help!
Thanks!
SPVIRU
-
Friday, April 27, 2012 2:32 AM Moderator
They'll have to open all of these ports between the SP WFEs and your internal domain controllers:
http://blogs.technet.com/b/wbaer/archive/2009/01/21/people-picker-port-protocol-requirements.aspx
They'll have to open up 1443/tcp (default) to your back end SQL Server.
They'll have to enable full domain connectivity from your SP WFEs to your internal domain (many, many ports here, including, by default, everything >1024).
Do you have any SP servers inside the firewall as well?
http://sharepoint.nauplius.net
- Marked As Answer by Rock Wang - MSFT, Saturday, April 28, 2012 5:38 AM
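The reply above lists what must be reachable from a DMZ WFE (internal DCs for People Picker and domain connectivity, plus a static SQL port). As an added example that is not from this thread, this PowerShell script, run on the DMZ WFE, checks those TCP ports and tells a filtered port (no answer, most likely the firewall dropping it) apart from a refused one (the host answered, nothing is listening). The host names and the SQL port are placeholders.

```powershell
# Added example, not code from the thread. Run on the DMZ WFE to verify the
# firewall openings toward the internal network that the reply describes.
$InternalDC  = 'dc01.corp.example'    # placeholder: internal domain controller
$InternalSql = 'sql01.corp.example'   # placeholder: back-end SQL Server
$SqlPort     = 1433                   # replace with your static SQL port if changed

# TCP ports the thread names for WFE -> internal traffic.
$Checks = @(
    @{ Target = $InternalDC;  Port = 53;       Why = 'DNS' },
    @{ Target = $InternalDC;  Port = 389;      Why = 'LDAP for People Picker' },
    @{ Target = $InternalDC;  Port = 445;      Why = 'direct-hosted SMB' },
    @{ Target = $InternalSql; Port = $SqlPort; Why = 'SQL back end (static port)' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Returns 'open', 'filtered' (no reply within the timeout), 'refused'
    # (RST received: reachable but nothing listening) or 'error: <code>'.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'filtered' }
        $client.EndConnect($async)   # throws SocketException if the connect failed
        return 'open'
    } catch {
        # .NET exceptions surface wrapped; unwrap to reach the SocketException.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException]) {
            if ($ex.SocketErrorCode -eq 'ConnectionRefused') { return 'refused' }
            return 'error: ' + $ex.SocketErrorCode
        }
        return 'error: ' + $ex.Message
    } finally {
        $client.Close()
    }
}

foreach ($c in $Checks) {
    $state = Test-TcpPort -ComputerName $c.Target -Port $c.Port
    '{0,-22} {1,5}/tcp  {2,-9} {3}' -f $c.Target, $c.Port, $state, $c.Why
}
```

A 'filtered' result on 389 or 445 means the People Picker will not work until the network team opens that rule; the dynamic RPC range the reply mentions cannot be meaningfully probed this way because nothing listens on most of it.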
-
Tuesday, May 01, 2012 4:09 AM
Thank you Trevor :)
Sorry for the late reply. I have some beginner questions; I'd appreciate your help in answering these.
1) Why do we need the People Picker? I can see a number of ports on your link that are needed to make the People Picker work: http://blogs.technet.com/b/wbaer/archive/2009/01/21/people-picker-port-protocol-requirements.aspx
2) Do we need to open 1443/tcp? Based on our security I'm not sure they will open tcp/1443 for the database; they have another SQL endpoint. Can we open those?
3) To enable full domain connectivity we need to open many, many ports? What are those ports? I have listed a few below; can you please check those.
4) How will external users be authenticated? We don't have UAG as of now; is that compulsory, or can external users be authenticated with the intranet SQL DB?
Can you please validate whether this is required and enough?
Purpose | Ports to open | Inbound/Outbound
Web browser request and response over SSL or TLS | SSL 443 | Inbound
Web browser request and response | TCP 80 | Inbound
(no purpose given) | TCP 443/80 | Inbound
Search crawling | TCP 443 | Outbound
Search crawling | TCP 80 | Outbound
Query propagation | Direct-hosted SMB (TCP/UDP 445), recommended; or NetBIOS over TCP/IP (NetBT) (TCP/UDP 137, 138, 139), not as secure, disable if not used | Outbound
Communication between web servers and service applications (the default is HTTP) | HTTP binding: port 32843; or HTTPS binding: port 32844; or NET.TCP binding: 32845 (only if a third party has implemented the third option for a service app) | Inbound
User profile sync | TCP 5725; TCP/UDP 389 (LDAP service); TCP/UDP 53 (DNS) | Inbound
Alerts or mail-enabled lists | SMTP (TCP 25) | Outbound / Inbound if applicable
SQL endpoint (recommendation: block the SQL default ports (TCP 1433, UDP 1434) and use a static custom port for the named SQL instance) | TCP port 62015; HTTP 63030; HTTP raw 63041 | Outbound
Sandbox solutions | TCP/IP 32846 | Outbound
SPVIRU
-
Tuesday, May 01, 2012 4:32 AM Moderator
1) So you can add people/groups to SharePoint. No people picker will make the use of SharePoint nearly impossible :)
2) You don't need tcp/1433 specifically, but you do need some form of TCP/IP communication (which means a static port) to the SQL backend.
3) And this is how we come to the "this is a terrible idea". See http://support.microsoft.com/kb/179442. Notice we need ports tcp/udp 1024-65535.
4) If you mean "external" as employees with Active Directory accounts accessing SharePoint, they'd access it like any other web-based application; with their Windows accounts. If external means something else to you, please elaborate.
http://sharepoint.nauplius.net
-
Tuesday, May 01, 2012 5:49 AM
Thanks :)
4) OK, I mean how will the extranet users be authenticated, since they will not be in Windows AD? Normally we create a web application on the app server, which resides in the intranet environment, and it will create membership providers by which they are authenticated through the intranet DB.
So if we place a web front end server in the DMZ that does not change, right? Since the app server is in the intranet and it will manage that?
I heard UAG will play the role of authentication if we place web front end servers in the DMZ?
Also on 1): so to make the People Picker work, I mean to add extranet users, we need to follow http://blogs.technet.com/b/wbaer/archive/2009/01/21/people-picker-port-protocol-requirements.aspx, right?
Thanks!
SPVIRU
-
Tuesday, May 01, 2012 1:02 PM Moderator
If you're using the SQL Membership Provider, nothing changes in this layout for those users. Obviously you have to have a tcp port opened to your back end SQL database.
Extranet users (users in the SQL membership database), given the Web App does not need to pick from any Active Directory accounts (this includes administrative accounts) does not need those ports open.
http://sharepoint.nauplius.net
-
Tuesday, May 01, 2012 8:48 PM
Hi Seward,
I was going through this thread and thought of adding more to it.
We are also in the process of setting up an Extranet environment which will be used by our customers and our employees. We have our internal network (intranet) which is secured with a firewall and Active Directory. We have our web server, application server, SQL Server database and Active Directory in our internal domain.
For the purpose of the Extranet, we are planning to have a DMZ environment, which is outside our network. We have 2 web front end servers and an Active Directory in this DMZ. This AD does not contain users right now.
I guess we need to have a one-way trust from our internal network to the DMZ.
1. Can we store all the external users in the SQL database in our internal network and implement forms-based authentication using SharePoint 2010? Our employees should use their usual Windows account to log in via Windows authentication.
2. What are the ports we need to open in order for this to work?
3. What kind of trust relationship is required between the DMZ and the internal network?
4. What is the best way to implement the Extranet with this topology?
Appreciate your help.
Thanks,
Sujit
- Proposed As Answer by Sujit Sukumaran MCP, Thursday, May 03, 2012 8:40 PM
-
Tuesday, May 01, 2012 10:13 PM Moderator
1) Yes you can.
2) The port you're communicating on SQL with, e.g. 1433/tcp. And again, see http://support.microsoft.com/kb/179442 for the domain trust port requirements.
3) One-way (DMZ domain trusts the Internal domain). Don't forget the additional requirements if using a one-way trust: http://technet.microsoft.com/en-us/library/cc263460(v=office.12).aspx. Also note that one-way trust has issues with Project Server (namely Project Server needs a full User object, and in a one-way trust scenario, only the Foreign Security Principal is brought into the DMZ domain).
4) You've probably got it, but if your security/network group doesn't require it, I would look at instead leaving SharePoint within the internal network and use a product like Microsoft UAG within the DMZ to act as a reverse proxy for Internet-based connections.
http://sharepoint.nauplius.net
- Proposed As Answer by Sujit Sukumaran MCP, Thursday, May 03, 2012 8:39 PM
-
Wednesday, May 02, 2012 9:17 PM
Seward,
Thanks for your reply.
Currently we do not have UAG but we will be getting it down the line. For now we need to live with the existing firewall.
Once the network folks open the one-way trust between the DMZ and the internal network, we will be able to access the WFEs in the DMZ.
Let me draw the diagram this way:

  Internet          DMZ/Perimeter                  ---> Firewall --->   Corporate LAN
  --------          -------------                                       -----------------------------------------
  Users... --->     WFE Internet                                        WFE - Intranet
  Users... --->     WFE Extranet                                        Active Directory (internal AD users)
                    Active Directory (empty now)                        SQL Server
                                                                        APP Server - for the Extranet/Intranet Search

- If we do add WFE servers to the DMZ, do we need ports 1433 [SQL], 80 [web] and 433 [ssl] open between the DMZ and the LAN?
- Right now on the local network we have a SharePoint 2010 server and we have created/configured an Extranet site which uses forms-based authentication. External users will use forms credentials and internal users will be using Windows credentials. Can you let me know how to configure this site to make it accessible via the Internet, so that we can access it from outside our network?
- I know that the external users will first hit the WFE in the DMZ. So what configuration settings are needed for this to work with the SharePoint extranet site which is created in the LAN network? Remember, right now we will be using the existing firewall only.
Would appreciate your response.
Thanks!
Sujit
-
Monday, May 14, 2012 8:04 PM
Hi Seward,
I have the same kind of requirement to create intranet, extranet and internet SharePoint sites. There are two domains involved: one for intranet purposes, and another APP domain which is in the DMZ environment.
The intranet should be secured and internal employees will have access to it. The extranet is for collaboration and the internet site will be for the public with anonymous access.
What kind of architecture plan do you suggest?
Should we create two SharePoint farms, one for intranet and one for extranet/internet?
Can we create a single farm for intranet, extranet and internet? Then how do we handle the two domains? What about security?
Thanks
Mghimire
-
Tuesday, May 21, 2013 10:40 PM Moderator
I would recommend two environments.
One for Internet/Partner collaboration, and the other for internal uses. Mainly this is to provide higher uptime to the Internet/Partner-facing farm since you won't need to take the farm down for, say, deploying custom farm solutions that you may leverage internally.
Is there a domain trust in place between the DMZ domain and the internal domain? If not, you'll need one, or you'll need to create user accounts for your internal users in the DMZ domain.
I'd recommend using IPSec to secure communication between the DMZ DC(s) and internal DC(s) and then again using IPSec for People Picker communication between the SharePoint server(s) and the internal DC(s).
SharePoint - Nauplius Applications
Microsoft SharePoint Server MVP
MCITP: SharePoint Administrator 2010
-----------------------
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

