Extranet Configuration

  • Question

  • I have some design questions. If I am using Windows authentication for my Extranet, should I worry about using SSL? Is it better to create a separate Web Application than to extend it? Can or should we extend your current Web Application to the Extranet with too much security concerns? I would like for our users to have access to all the SharePoint sites from the Internet.

    Thanks,

    Eric Dycus 


    Thanks

    Wednesday, May 30, 2012 12:55 PM

Answers

  • Eric --

    If your site's traffic is going to be available over the Internet, then I would strongly recommend using SSL. Windows Authentication will ensure that user names and passwords are encrypted, but will not encrypt the traffic sent from your server to a client browser once the user is authenticated.

    You can extend an existing web application for use as an Extranet; the important decision is determining how much you're putting at risk by doing so and if you're willing to accept that risk.

    At a minimum I would recommend staying away from using your existing Web Application unless you feel like you absolutely have to. If you do that, you have a situation where it is possible for your site admins to add external users to sites that those external users have no business being a part of, such as your HR site. By separating your extranet out to its own web app you can do things like adding Deny All Access security policies to your Intranet web application for those external users, which can guarantee that they can't access your intranet content. Or, if you're using a separate authentication provider to authenticate those external users, you can just not hook it up with your intranet web application, which does the same thing. A separate web app also makes it easier for you to guarantee that external content is stored in different content databases than internal content; you can also do this inside a single web application but it takes more manual effort to ensure the separation.

    The other question is if you need and/or want to go to the trouble of setting up a separate farm to host the Extranet. The benefits are that you have complete separation of internal and external content, you can modify and/or update each farm independently of the other, and you can keep your internal farm from being exposed to the Internet, as well as allowing you to ensure that your internal content cannot be compromised if your external content is. The drawbacks are that it doubles your cost to implement SharePoint, means that you have to maintain two separate farms, and that you'll have to train your users on understanding what content goes where.

    I've been through this decision process with customers before and I know it can be tricky and tough, not to mention that it's definitely a balancing act no matter how you slice it. If you want to go the route of convenience, that's fine, but I feel like you need to make your leadership and your users aware of the risks they're accepting in going that route.

    John


    MCITP and MCTS: SharePoint, Virtualization, Project Server 2007
    My books on Amazon: The SharePoint 2010 Disaster Recovery Guide and The SharePoint 2007 Disaster Recovery Guide.
    My blog: My Central Admin.

    • Marked as answer by dycuse Wednesday, May 30, 2012 2:13 PM
    Wednesday, May 30, 2012 2:10 PM
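
One way to apply the Deny All policy described in the answer above and to check the web application for non-SSL URLs. This is an added example, not part of John's post; the intranet URL and the group name are hypothetical placeholders, and it assumes the SharePoint Management Shell run by a farm administrator.

```powershell
# Added example: the URL and group below are hypothetical placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$intranetUrl   = "https://intranet.example.local"   # hypothetical intranet web application
$externalGroup = "EXAMPLE\Extranet Users"           # hypothetical group holding external accounts

$wa = Get-SPWebApplication -Identity $intranetUrl

# Claims-mode web applications store policy entries in claims-encoded form.
$principal = $externalGroup
if ($wa.UseClaimsAuthentication) {
    $principal = (New-SPClaimsPrincipal -Identity $externalGroup `
        -IdentityType WindowsSecurityGroupName).ToEncodedString()
}

# Built-in "Deny All" policy role of this web application.
$denyAll = $wa.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)

# Idempotent: reuse the policy entry if the group already has one.
$policy = $wa.Policies | Where-Object { $_.UserName -eq $principal }
if (-not $policy) {
    $policy = $wa.Policies.Add($principal, "Extranet users (deny)")
}
$bound = $policy.PolicyRoleBindings | Where-Object { $_.Type -eq $denyAll.Type }
if (-not $bound) {
    $policy.PolicyRoleBindings.Add($denyAll)
    $wa.Update()
}

# Verify: list every user policy on the intranet web application with its roles.
(Get-SPWebApplication -Identity $intranetUrl).Policies |
    Select-Object UserName, DisplayName,
        @{ n = "Roles"; e = { ($_.PolicyRoleBindings |
            ForEach-Object { $_.Name }) -join ", " } }

# Flag any URL of this web application (any zone) that is not served over SSL.
$wa.AlternateUrls |
    Where-Object { $_.IncomingUrl -notlike "https://*" } |
    Select-Object IncomingUrl, UrlZone
```

A web application policy is evaluated before site-level permissions, so the deny holds even if a site admin later grants one of those external accounts access to an intranet site.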

All replies

  • That very much depends on the information you'll be sending/receiving, Eric. The general rule is to use SSL when you're sending information you would not want to be public.

    Paul Turner http://redmanta.co.uk/blog Twitter: @RedMantaUK MCTS:WSS,MOSS,2010 MCITP:2010.
    Please remember to click "Propose As Answer" if a post solves your problem or "Vote As Helpful" if it was useful.

    Wednesday, May 30, 2012 1:14 PM
  • Thanks John, those were the questions and statements I was looking for.

    Thanks

    Wednesday, May 30, 2012 2:13 PM