Using UAG to publish SharePoint 2010 site for external partner collaboration

  • Question

  • Hi,

    I have been asking to investigate extending a simple, out-of-the-box SharePoint 2010 deployment to external partners for collaboration. Two-factor authentication has been stated as a requirement.

    After weighing up TMG 2010 and UAG 2010, I think UAG would fit the gateway bill quite well. By using SharePoint 2010 we have the option of claims-based authentication if required.

    Without at this point going down the route of partner AD-federation (although that may be an option at some point) could anyone suggest the simplest options available to achieve what we're after?

    I was wondering about classic forms-based and certificates for the 2-factor requirement, although perhaps claims-based authentication and an external, independent secure token service is the way to go as it's likely to offload the external user maintenance overhead? If I went that route, couldn't UAG then provide the 2-factor authentication through OTPs or SmartCards?

    Apologies if this is more of a SharePoint question than a UAG one; it seems to straddle both camps.

    Thanks for any advice.

    Thursday, December 15, 2011 7:15 PM

All replies

  • Hi Darren,

    If you want the simpler, cheaper short-term solution, TMG is perhaps a better choice than UAG.

    However if you want to do something more strategic and are considering ADFS (claims) then UAG is definitely the way to go (TMG doesn't support ADFS and claims-based auth whereas UAG does).

    The only problem with using certificate 2FA is that you will need to think about how you are going to enrol and issue user certificates to partner users. In my experience, certificate/smartcard auth is better suited to authenticating corporate users. Both TMG and UAG can support client certificate authentication though.

    Perhaps a better approach would be to look at a managed 2FA solution like the Signify SecurID and Passcode on Demand services - you then offload the support and management of tokens to someone else, or let them use their phones as token devices. I've not used any online STS providers yet, so can't comment on that.

    Hope that helps a little...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, December 15, 2011 11:42 PM
    Moderator
  • Thanks for replying JJ, that's really helpful.

    I've kept researching since I posted it and had come to your conclusions regarding 2FA. I was leaning towards an RSA SecurID appliance and authenticator tokens if the desire was to keep it in-house, or to go for a managed 2FA solution as you suggest if we'd rather offload it.

    So far as I understand it, I'm still going to need another STS for external accounts that SharePoint can use. Although federated AD would be nice and the internal AD would be simple, I was considering using SQL and FBA (assuming the number of accounts made it practical, although I anticipate there won't be many). I think the internal AD would present an unnecessary security risk, and the AD-FS route, although attractive from an off-loading perspective again, may ultimately be out because of the added complexity and the configuration onus it puts on the connecting partners.

    Looking at TMG in comparison to UAG, I came down on the side of UAG because I reckoned the app-centric approach would fit us better, although I have no doubt it's likely to be a slightly more complex approach. Ideally, it would probably be quite useful to have both from a strategic perspective.

    Darren

    Friday, December 16, 2011 1:47 PM
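The SQL/FBA option mentioned above, as an added example that is not part of the original thread or from either poster: creating a SharePoint 2010 web application in claims mode whose external accounts come from an ASP.NET SQL membership and role provider rather than the internal AD. The provider names, host name, application pool and managed account are assumed placeholders; the SQL providers themselves are assumed to be already registered in the relevant web.config files.

```powershell
# Added example (not from the thread): SharePoint 2010 web application using
# claims-based authentication with ASP.NET SQL providers (forms-based auth)
# so partner accounts live in a separate SQL database, not in the internal AD.
# Assumptions: provider names, URL, app pool and managed account are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$membershipProvider = "SqlMembershipProvider"   # must match the <membership> entry in web.config
$roleProvider       = "SqlRoleProvider"         # must match the <roleManager> entry in web.config

# Claims provider backed by the ASP.NET membership/role providers (FBA).
$fbaProvider = New-SPAuthenticationProvider `
    -ASPNETMembershipProvider $membershipProvider `
    -ASPNETRoleProviderName $roleProvider

# Windows (NTLM) claims provider so internal staff can still sign in on the same zone.
$windowsProvider = New-SPAuthenticationProvider

# Claims-mode web application on HTTPS; the gateway (UAG) publishes this URL and
# enforces the second factor before the request reaches SharePoint.
New-SPWebApplication -Name "Partner Collaboration" `
    -HostHeader "partners.example.com" `
    -Url "https://partners.example.com" -Port 443 -SecureSocketsLayer `
    -ApplicationPool "PartnerCollabAppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\svc-partnersp") `
    -AuthenticationProvider $windowsProvider, $fbaProvider
```

The provider names passed to New-SPAuthenticationProvider must match the `<membership>` and `<roleManager>` entries (and their connection string) in three web.config files: the new web application, Central Administration, and the SecurityTokenServiceApplication under the SharePoint web services, because in claims mode it is the SharePoint STS that performs the credential lookup. Keeping partner accounts in that SQL database rather than the production forest is what avoids the internal-AD exposure discussed above; the 2FA step still has to be handled at the UAG trunk in front of the site.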
  • Hi Darren,

    Yeah, you will still need a user repository for SharePoint credentials...I think ExCM would be a nice solution for you though, so maybe have a look at that ;)

    If not, the other option is to deploy a "simple" AD forest to host the external user accounts and then join UAG/SharePoint to that forest, kinda like your own little private protected SharePoint cloud...

    BTW - the RSA appliances are great if you are happy to own in-house, but it is also nice to offload user helpdesk issues and token distribution to a managed service like Signify...especially if they are not your users.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Darren Elmslie Friday, December 16, 2011 2:45 PM
    Friday, December 16, 2011 2:13 PM
    Moderator
  • P.S. To make things easier and save some money you could also look at some of the services that let people use their mobile phones as token devices...or look at some of the 1.5FA solutions that use some form of image to provide the extra 0.5 factor on top of standard user creds. An example here is something like Swivel PINsafe.

    P.P.S. Have you also considered Office 365 SharePoint? Maybe a viable option given your needs???


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, December 16, 2011 2:23 PM
    Moderator
  • Cheers JJ, really useful. Especially ExCM :o)
    Friday, December 16, 2011 2:46 PM