How to create a secure efficient extranet user experience

Governing your Extranet for a better user experience Jeremy Thake, Enterprise Architect

Upload: jeremy-thake

Post on 11-Nov-2014


DESCRIPTION

Jeremy Thake, SharePoint MVP and AvePoint Enterprise Architect, will introduce why organizations leverage extranets, share the common issues found in customers’ extranet environments, and discuss the advantages and disadvantages with the available approaches for authentication and topologies. Jeremy will then illustrate the importance of instilling appropriate governance for extranets built upon SharePoint to ensure that the common issues identified are mitigated, including guidance on what processes can be put in place to ensure a better user experience.

TRANSCRIPT

Page 1: How to create a secure efficient extranet user experience

Governing your Extranet for a better user experience
Jeremy Thake, Enterprise Architect

Page 2

Jeremy Thake
• Enterprise Architect – AvePoint
• SharePoint MVP since July ‘10
• Founded SharePointDevWiki.com
• Co-founder of NothingButSharePoint.com
• Speaker at MS TechEd 2009/10, SPC 11


Page 3

© 2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.

Agenda

• What is an extranet?
• Common issues with extranets
• Authentication Sources
• Extranet topologies
• Enforcing processes

Page 4

What is an Extranet?

Page 5

What is an extranet?

• Controlled access from external networks
• Typically walled areas of content
• Access by internal and external users via authentication
• Mixture of
– published read only content for reference
– shared collaboration content accessible internally/externally to company

Page 6

Examples

• Software Partner extranet
– manuals, software, blogs
– discussion forums
• Engineering Partner extranet
– Collaborating on documents
– Project plans, meeting minutes, agenda etc.
• Software Customer extranet
– Portal for various systems: helpdesk, sales

Page 7

Common issues with Extranets

Page 8

Onboarding

• Creating new users
– 1 to 1
– Shared accounts
• ECAL licensing

Page 9

Managing users

• Forgotten passwords
• Access requests
• Expiring accounts
• Claims

Page 10

Internal content

• Content collaborated and managed internally
• Making published versions available securely
• Internal users aggregated view
• Data sensitivity issues
• Auditing

Page 11

Branding & Navigation

• Purposely looks different from internal content
• Cross site collection navigation
• Internal users have to look in Intranet & Extranet

Page 12

Authentication sources

Page 13

Active Directory

• Existing AD, external users in the same OU as internal users
– Most organizations won’t agree with this
• Existing AD, external users isolated in their own OU
– Some organizations won’t like external users in internal AD
• External AD with one-way trust
– Some won’t like even the trust
• Office 365 federated

Page 14

Claims Based Auth

• Forms Based Authentication (FBA)
• Azure ACS (Live ID, Google, Facebook)
• ADFS 2.0
• Office 365 Microsoft Online ID

Page 15

Extranet topologies

Page 16

Edge firewall

Page 17

Edge firewall

Pros

• Simplest solution
• Inside Corporate network

Cons

• Security model complex
• One site for both internal/external
– Sensitive docs visible
• Single firewall separates corporate network from the internet

http://technet.microsoft.com/en-us/library/cc263513.aspx

Page 18

Back-to-back perimeter

Page 19

Back-to-back perimeter

Pros

• Isolated to single farm
• External user access is isolated to perimeter network

Cons

• Additional n/w gear req.
• Single firewall separates corporate network from the internet

http://technet.microsoft.com/en-us/library/cc263513.aspx

Page 20

Back-to-back perimeter with cross-farm services

Page 21

Back-to-back perimeter with cross-farm services

Pros

• Isolation from corporate
• Network traffic isolation
• Prevents sensitive doc leaks
• Shared services managed in corporate

Cons

• Additional SP farm req.
• Additional n/w gear req.
• Two way trusts req. for some
• No mechanism to publish content internal to external

http://technet.microsoft.com/en-us/library/cc263513.aspx

Page 22

Back-to-back perimeter with content publishing

Page 23

Back-to-back perimeter with content publishing

Pros

• Isolation from corporate
• Network traffic isolation
• Prevents sensitive doc leaks
• Shared services managed in corporate
• Ability to publish content from internal to external

Cons

• Additional SP farm req.
• Additional n/w gear req.
• Two way trusts req. for some
• Content management complex
• No two-way content sync (read-only)

http://technet.microsoft.com/en-us/library/cc263513.aspx

Page 24

Split back-to-back

Page 25

Split back-to-back or “stretched” farm

Pros

• SQL stored in corporate n/w

Cons

• Domain trust required
• Complex architecture
• Interfarm comms in 2 n/w
• One site for both internal/external
– Sensitive docs visible

http://technet.microsoft.com/en-us/library/cc263513.aspx

Page 26

Split back-to-back optimized for content publishing

Page 27

Split back-to-back optimized for content publishing

Pros

• SQL stored in corporate n/w
• Ability to publish content from internal to external

Cons

• Domain trust required
• Complex architecture
• Interfarm comms in 2 n/w
• Content management complex
• No two-way content sync (read-only)

http://technet.microsoft.com/en-us/library/cc263513.aspx

Page 28

Office 365 SharePoint Online

Page 29

Office 365 SharePoint Online

Pros

• Quick to setup
• Provisioning users outside AD

Cons

• Additional costs of subscriber model
• Some features not available
• No supported OOTB content publishing

Page 30

Enforcing processes

Page 31

New content area

• Site collection or sub site provisioning
– Site templates, service level agreements
• Security model
– Grant users direct permissions
– Add users to preexisting SharePoint Groups
– Add users to preexisting AD Groups
– Grant a claim direct permissions
• Chargeback

Page 32

Provisioning New User

• SharePoint requires you to create User first
– Active Directory requires IT to create user
– Open ID sources can be created by user
• Once created
– Can authenticate
– Request authorization
• Turn on “Manage Access Request” in Site Permissions
• Better approach
– Request Form
  • “same as User x”
  • Tick what roles required, or list projects working on

Page 33

Security audits

• Viewed content
– By user
– By third party organization
– Transmittals
• Accessible content
– See what they “can” see
• Out of the box audit data pruned after 60 days
• DocAve Auditor allows retention of audit data

Page 34

Publishing content to Extranet

• Content Deployment one-way
– Can be set on published flag
– Content Deployment APIs history of issues
• AvePoint Replicator
– Allows replication of content on business rules

Page 35

Decommissioning content area

• Lifecycle of content areas
– Project finish
– Unused areas based on activity on site
• Records Management compliance
• DocAve Archiver can archive site collections

Page 36

Decommissioning user

• Audits on whether Users still at company
– Enforce external companies notify of people leaving
– Enforce a report is signed each month to confirm
• Password expiry enforces “is alive check”
– Need add-on to enable this
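The monthly signed partner report and the password-expiry “is alive” check above can be reconciled by a script. The following Python is an added example, not part of the deck or of any AvePoint product; it runs over constructed sample accounts and attestation reports, and the 90-day password age and 31-day report age are assumed thresholds.

```python
from datetime import date, timedelta

# Constructed sample data (not from the deck): extranet accounts with the date of
# their last password change, and the signed monthly report from each partner
# organization listing which of its people are still employed.
ACCOUNTS = [
    {"login": "alice@partner-a.example", "org": "Partner A", "last_pw_change": date(2014, 10, 20)},
    {"login": "bob@partner-a.example", "org": "Partner A", "last_pw_change": date(2014, 6, 1)},
    {"login": "erin@partner-a.example", "org": "Partner A", "last_pw_change": date(2014, 10, 30)},
    {"login": "carol@partner-b.example", "org": "Partner B", "last_pw_change": date(2014, 10, 25)},
]
ATTESTATIONS = {
    "Partner A": {"signed": date(2014, 11, 3),
                  "confirmed": {"alice@partner-a.example", "bob@partner-a.example"}},
    # Partner B has not returned a signed report this month.
}
REVIEW_DATE = date(2014, 11, 11)
PASSWORD_MAX_AGE = timedelta(days=90)   # assumed expiry policy (the "is alive" check)
REPORT_MAX_AGE = timedelta(days=31)     # a report older than a month is stale


def review_accounts(accounts, attestations, today):
    """Return {login: [reasons]} for every account that should be disabled."""
    findings = {}
    for acct in accounts:
        reasons = []
        report = attestations.get(acct["org"])
        if report is None or today - report["signed"] > REPORT_MAX_AGE:
            # Without a current signed report nobody from that partner is confirmed.
            reasons.append("no current signed attestation from " + acct["org"])
        elif acct["login"] not in report["confirmed"]:
            reasons.append("not confirmed as still employed by " + acct["org"])
        if today - acct["last_pw_change"] > PASSWORD_MAX_AGE:
            reasons.append("password older than %d days" % PASSWORD_MAX_AGE.days)
        if reasons:
            findings[acct["login"]] = reasons
    return findings


if __name__ == "__main__":
    for login, reasons in sorted(review_accounts(ACCOUNTS, ATTESTATIONS, REVIEW_DATE).items()):
        print(login, "->", "; ".join(reasons))
```

A missing report disables every account of that partner rather than leaving them untouched, which is what makes the monthly signature enforceable.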

Page 37

Q&A
Jeremy Thake
www.NothingButSharePoint.com


Page 38

References

• Extranet topologies
• Planning an Extranet Environment for Office SharePoint Server
• Michael Noel’s presentation (technical)
• Dan Holme
– SharePoint Governance, Part I: Architecting SharePoint for Scalability and Enforceable Governance
– SharePoint Governance, Part II: Automating SharePoint Governance and Management

Page 39