TRANSCRIPT
SharePoint 2016 Sneak Peek
Extranet Architectures Webinar
May 13, 2015
Peter Carson
President, Envision IT
SharePoint MVP
Microsoft Canada Partner Seller
http://blog.petercarson.ca
www.envisionit.com
Twitter @carsonpeter
VP Toronto SharePoint User Group
Denesh Sohan
Director of Operations
p: (905) 812-3009 x298
Corey Thokle
Sales and Delivery
p: (905) 812-3009 x248
Agenda
Introductions
Extranet Background
Microsoft Ignite Recap
External Sharing Changes
What's New in SharePoint 2016
Extranet User Manager Overview
Extranet Architectures
Demos
Wrap-Up and Q&A
• www.extranetusermanager.com
• Easy delegation of user management to business
• Self-registration, approvals, welcome email, forgotten password reset
• Single sign-on to claims aware systems, including SharePoint and Office 365
Extranet User Manager
Envision IT
www.envisionit.com
Public Web Sites
Intranets
Collaboration Portals
Extranets
What is an Extranet
An Extranet is a web site that is accessible to users outside of the corporate network, which allows organizations to share information and collaborate with their customers, partners, and/or vendors in a secure and easy-to-use environment.
It may be delivered in a number of ways:
As an extension of the public web site
As a secure portion of the corporate Intranet
As a standalone Extranet
Examples of Extranet Users
Members
Customers
Vendors
Suppliers
Volunteers
Board of Directors
Citizens
Researchers
Tenants
Partners
Considerations
Who is coming into the Extranet?
Does everyone see the same information?
Is there a member database to interface with?
Is it invitation only, or can people self-register?
Who approves new registrations?
Is it just the Extranet they will be accessing, or are there other systems?
SharePoint: Microsoft’s collaboration platform that provides portals, document management, web content management, and much more
Office 365: Microsoft’s cloud hosted versions of Exchange (email), Lync (instant messaging), and SharePoint
Azure: Microsoft’s infrastructure and platform hosted services
Extranet User Manager: Envision IT’s tool for managing users outside your organization
Technologies
Poll 1
Which Version of SharePoint are you currently using?
Office 365
SharePoint Server 2013
SharePoint Server 2010
SharePoint Foundation (2010 or 2013)
MOSS 2007 or WSS 3.0
Poll 2
How do you use SharePoint today?
Internal collaboration
Internal web publishing (Intranet)
Extranets
Public facing website
Microsoft Ignite Recap
Office 365 External Sharing Updates
SharePoint 2016 Sneak Peek
Microsoft Ignite Sessions
OneDrive for Business for B2B External Sharing, IT-Lead Cross-Org Collaboration
Sarat Subramaniam
http://channel9.msdn.com/events/Ignite/2015/BRK3135
What's New for IT Professionals in SharePoint Server 2016
Bill Baer
http://channel9.msdn.com/events/Ignite/2015/BRK2188
External Sharing – Current State
Currently only available in Office 365
Office 365 administrator can define sharing rules at the site collection level
Sharing invitations can be accepted by anyone with a Microsoft account or an Office 365 account
No control over what account is used to accept the invitation
Questions Microsoft gets asked all the time
Anyone can forward their invitation to any other user? REALLY, MICROSOFT??
When can I restrict the external domains that my users can share with?
When can I get insight into which external user did what? And who invited them? And when? To which document?
When will I be able to give external users more capabilities?
When will Microsoft remove limits on # of external users that can be invited? There is NO limit on how many external users you can invite into an organization anymore
Enterprise Ready External collaboration
IT brokered: IT sets up the collab relationship between certain orgs. No special invitations needed.
User brokered, IT controlled: IT sets up guidelines and structures for collab and users can now freely collab within these guidelines.
IT blocked: IT has enabled policy that makes it impossible for a user to perform a certain kind of sharing action.
Microsoft Roadmap
Columns: CY 2013-2014, CY 2015, Next up
SPO site, document invitation based collab. with any user with AAD/MSA account
SPO anonymous sharing of docs
SP OnPrem extranet federation
Disable external sharing for entire org
Disable external sharing for site collection
Time-bound anonymous sharing of docs.
Sharing + Data Loss Prevention
Guests can be added to O365 Groups
Restrict sharing to Owners only
Auditing of sharing and external user actions
Allowlist/Denylist can be configured for external sharing
Invited == Accepted
External sharing emails are auditable
External sharing can be turned off for specific OneDrives
Hybrid extranet – ability to have external collab OD in the cloud while rest is on-prem
Org can assign higher value licenses to external users
Org can manage password for external users and enable MultiFactor Auth for these users
Block new invitations, but allow login for external users
Announced Today!
Cloud group-to-group collab
Cloud org-to-org collab
MFA for users using external identities
Time bound external sharing
External user attestation
Evolution of Hybrid Extranet pillar
Host of IT policy controls based on resource, user and other parameters
Challenges with Microsoft’s Strategy
New announcements certainly do address many of the governance concerns
IT brokered may require the partner organization to be an Office 365 tenant as well
Invited = Accepted requirement will also require the invite to go to a Microsoft account or Office 365 tenant
User brokered with general external people still allows acceptance by any account
Microsoft is still front and centre in the login experience
Relationship with the org: Owned by Org / External to Org
Sign in account: DirSynch / Invited
How provisioned: E1 / E3 / None
Capability: Member / Guest
User Property Independence
• Each property is independent
• You should be able to have a Guest whose sign-in account is owned by the org and DirSynched, with no subscription assigned
• This is the missing piece for Extranet User Manager and Office 365
• Currently we have to assign a paid subscription to these external users
• Only makes sense for registered charities (free E1 licenses) and smaller user bases
• Enables the organization to own the login experience
• Allows federation to organizations that are not in Office 365
What’s New in SharePoint 2016
Same hardware requirements as SharePoint 2013
Windows Server 2012 or Server 10
SQL Server 2014 SP1 or vNext
No more standalone installations with built-in SQL, requires SQL to be installed separately
Content DB attach from SP2013
No direct attach from SP2010
Backward compatible mode site collections need to be 2013 mode before upgrading
SAML authentication is a first class citizen
Normalizes on OAuth and JWT/SAML with WSFED
Apps will trust the identity provider
Moving away from AD based identity
Performance and Reliability
Isolate requests to the machine that processes that request
MinRole provisioning
Product Configuration Wizard has new Specify Server Role step
Zero downtime patching
Smaller patches
Less MSIs
Boundaries and Limits
Content DB size into TBs
100,000 site collections per content database
List threshold > 5,000
Max file size 10 GB
Removed character restrictions
2X search scale increase to 500M items
Just the start
Extranet Hybrid Scenario
Site publishing
Publish internal sites to Internet
Leverages Office 365 identity federation services for external sharing
Extranet User Manager
• Easy delegation of user management to business
• Self-registration, approvals, forgotten password reset
• Simplified login for both internal and external users
Extranet User Manager
Extranet User Manager Features
Branded Experience
Maintain your corporate brand throughout the entire user experience
Registration
Login
Approval and welcome emails
All end-user pages
Single Sign-On
• Users sign in once
• As they move to other systems, they are automatically logged in
• Securely managed through SAML tokens
Self-Registration
• Fully customizable registration experience
• Fields can be added or removed
• Can be integrated into back-end systems
• Customizable approval workflow
• Full Visual Studio source code project provided
Forgotten Password
• Request a password reset by email
• Passwords themselves are never sent through email
One-time use, time expiring token sent
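How a one-time, time-expiring reset token of the kind described above can be implemented, as an added illustration that is not Extranet User Manager's own code; the 15-minute lifetime, the in-memory store and the sample user are assumptions:

```python
import hashlib
import secrets
import time

# Assumption: a 15-minute reset window; the page does not state EUM's actual lifetime.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """One-time, time-limited password reset tokens.

    Only a SHA-256 digest of each token is kept server-side, so a leaked
    store yields no usable reset links, and the password itself is never
    involved: the emailed link carries the token and nothing else.
    """

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised offline
        self._pending = {}     # token digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a token for user_id; the return value is what gets emailed."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the user_id the token was issued for, or None if it is
        unknown, forged, already used, or expired. The record is removed on
        first presentation either way, so nothing can be replayed or retried."""
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        user_id, expires_at = record
        if self._now() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice@example.com")        # constructed sample user
    print("https://login.example.invalid/reset?token=" + t)  # placeholder host
    print(store.redeem(t), store.redeem(t))     # user id, then None
```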
Works with SharePoint 2010 and 2013
• Does not need to be installed on the SharePoint Server
• PowerShell script sets up the trust
Office 365
• PowerShell script sets up the trust
• Hosted outside of Office 365
• Office 365 tenant can be set to automatically redirect to the EUM login page
Adaptive Design
• Leverages the Twitter Bootstrap framework
• All end-user pages adapt to smartphone, tablet, or desktop experiences
Delegated User Management
• Management of the Extranet users is delegated to the business
• IT doesn’t need to manage accounts
• Can also be delegated securely to the external organizations themselves
Azure Hosted or On Premise
• Can be installed on an on premises server
SharePoint Server
IIS Server
• Hosted in Azure
Secure multi-tenant hosting
Managed by Envision IT
7x24 monitoring and remediation
Multi-Lingual Support
• Full multi-lingual support for end user pages
• Resource files for easy translation and updating of text
Pricing
Full pricing details available at https://www.extranetusermanager.com/Pricing
Standard Edition $8,000 USD per production farm
Four hours of Premium Software Support
Enterprise Edition $13,000 USD
Unlimited SSO authentication to claims aware applications
Eight hours of Premium Software Support
20% annual Software Assurance provides all product updates
Dev and QA farm licenses provided with up to date Software Assurance
Additional support packages available
Azure hosted monthly subscription plans
Standard $850 USD / month
Enterprise $1,070 USD / month
Extranet Clients
Extranet Architectures
Extranet Architectures
SharePoint on premises with EUM for external user management and login
SharePoint on premises with EUM for external user management and reverse proxy for login
Office 365 with EUM for external user management and login
On Premises - EUM for External User Management and Login
External users can be stored in SQL or AD
EUM can be hosted or on premise
Optimal user experience for login
Full branding and user experience control
Internal users auto-login when inside the network
SAML based single sign-on to any claims aware application
Requires re-mapping of internal user credentials to new SAML identities
Can be PowerShell scripted
Adds complexity around user profile import, My Sites, etc. for large existing Intranets being extended to an Extranet
Best for net new Extranets independent of the Intranet
Demo
www.extranetusermanager.com
Demo Scenario
Live web site hosted at https://www.extranetusermanager.com
EUM installed at https://login.extranetusermanager.com/landing
AD FS for internal users
External users
In a separate AD
Authenticating through Thinktecture Identity Server
Managed with the Envision IT Extranet User Manager
On Premises - EUM for External User Management - Reverse Proxy
External users need to be in AD
Can be a separate external user AD
EUM needs to be on premise
Reverse proxy provides the login form
Customization options depend on the appliance vendor
Internal users can still auto-login when inside the network
All users appear as Windows authenticated users to SharePoint
No change to internal users' permissions, profile import, My Sites, etc.
Best for Extranets layered on top of an existing Intranet
Demo
https://securedev.envisionit.com
Demo Scenario
Dev collaboration site hosted at https://securedev.envisionit.com
EUM installed at https://login.extranetusermanager.com/landing
AD FS for internal users
External users
In a separate AD
Authenticate through Windows Server 2012’s Web Application Proxy and AD FS
Managed with the Envision IT Extranet User Manager
Windows Server 2012’s Web Application Proxy
New Remote Access role service in Windows Server® 2012 R2
Provides reverse proxy functionality for web applications
Preauthenticates access to web applications using Active Directory Federation Services (AD FS)
Also functions as an AD FS proxy
AD FS look and feel can be customized
https://technet.microsoft.com/en-ca/library/dn280950.aspx
WAP Challenges
By default puts a session cookie down to authenticate the application
Not passed between browser and rich clients, such as Word and Excel
Causes a second authentication prompt when opening documents for each application being launched
https://support.microsoft.com/en-us/kb/2019105
Hotfix available
Adds a PersistentAccessCookieExpirationTimeSec switch to persist the WAP edge access cookie
https://support.microsoft.com/en-us/kb/3020813
No signout available
User is logged in for as long as the timeout is valid
Closing and re-opening the browser does not log out, nor does logging out of SharePoint
Looking at a custom solution to delete the persistent cookie when signing out
Reverse Proxy Considerations
Virtual, physical, or both?
Provides an HTML login form that can be customized?
Puts a permanent cookie that can be shared across rich client applications like Office
Supports a logout URL that can force the logout of the session
Price
Reverse Proxy Options
Vendor                             | Satisfies Considerations | Price Range
F5 Big IP                          | Yes                      | $18K - $200K
Cisco NetScaler                    | Yes                      |
A10 Networks Thunder ADC           | Yes                      | $4K - $200K
Kemp Technologies Load Master      | Yes                      |
Barracuda Web Application Firewall | No                       |
Fortinet FortiWeb                  | Yes                      | $5K - $10K
Dell SonicWALL                     | Yes                      |
Sophos UTM                         | Yes                      | $2K
Brocade ADX                        |                          |
Office 365 with EUM
External users can be stored in SQL or AD
EUM can be hosted or on premise
Optimal user experience for login
Full branding and user experience control
Internal users auto-login when inside the network
SAML based single sign-on to any claims aware application, including Office 365
Demo – Office 365
https://oacas.sharepoint.com
Demo Scenario
Office 365 live site at https://oacas.sharepoint.com
EUM hosted in Azure at https://login.oacas.org/landing
Microsoft login for internal users using DirSynced passwords
External users
In a separate SQL Database
Authenticating through Thinktecture Identity Server
Managed with the Envision IT Extranet User Manager
Case study available at https://www.extranetusermanager.com/Product-Info/Case-Studies/ontario-association-of-childrens-aid-societies
Client Demos
Public Health Ontario‒ www.publichealthontario.ca
Boys and Girls Clubs of Canada Members Portal‒ www.bgccan.com
Oakland County Government to Government Marketplace‒ www.g2gmarket.com
Supreme Court of Victoria Case Management‒ www.redcrest.com.au
Transamerica Life Canada Public Web Site and Advisors Portal‒ www.transamerica.ca
Kinross Gold Supplier Portal‒ suppliers.kinross.com
CAMH Problem Gambling Professionals‒ www.problemgambling.ca
Next Steps
Reach out to Erika Moll, Sales
p: (905) 812-3009 x222
More product information
A technical demo with our team
Request a hosted trial or evaluation copy of EUM
Upcoming Events
Repeat of this webinar
May 21 9-10 AM EST
Customer case studies webinars in June
Links
www.envisionit.com
blog.petercarson.ca
www.envisionit.com/eum
Video and presentation deck will be at www.envisionit.com/events
Customer sites
www.publichealthontario.ca
www.bgccan.com
www.g2gmarket.com
www.redcrest.com.au
www.transamerica.ca
suppliers.kinross.com
www.problemgambling.ca
Questions?