Sharepoint Forum

Ask Question   UnAnswered
Home » Forum » Sharepoint       RSS Feeds

DMZ SSO Firewall Ports

  Asked By: Jonah    Date: Feb 11    Category: Sharepoint    Views: 2735

We're trying to deploy a medium server farm with a Web/Search, Job/Index, & SQL server within the corporate network with 1 Web/Search in a DMZ. Everything is working fine except SSO. Does anyone know what firewall ports need to be opened to allow SSO to work through this scenario?



5 Answers Found

Answer #1    Answered By: Agustin Miranda     Answered On: Feb 11

I think we've got the ports  figured out...

SSO initiates RPC over Port 135, but then communicates using RPC over a random port. There are registry entries you can change to make it use a specific range which we have done.

Now we don't seem to have a firewall  issue any longer.. It appears to be an issue with the 2 domains - 1 WFE in the DMZ using the SSO service on the Job Server in the corporate  network..

The WFE in the Corporate network  works fine, but the one in the DMZ does not. This leads us to believe that SSO is configured correctly, but in the diagnostic logs for SSO we see the following error: (along with others, but this one stands out)
Net{User|Group}GetInfo said Account SharePoint Admin does not exist

"SharePoint Admin" is the name of the corporate domain group that the SSO Admin Account is set to, and that the Service Account is a member of. I notice that in the error message that is is not prefixed with the domain such as "DOMAIN\SharePoint Admin" like is set in the SSO configuration page.

Any Ideas?

Anyone using SSO with an extranet deployment that has a WFE on each network?

Answer #2    Answered By: Arron Middleton     Answered On: Feb 11

Any news on this Monty? Unfortunately, I can't share any insight.

Answer #3    Answered By: Vance Hardin     Answered On: Feb 11

We've had a call in to Microsoft Support on this, but they've finally come back saying that the architecture is unsupported, so I thought I'd let you all know that.. The Unsupported part is that we have 2 networks involved.. A corporate  network where all the servers except 1 front end are running as well as a DMZ network  which trusts the corporate network. This is where the 1 front-end server  is running to provide Extranet access. EVERYTHING works fine  except SSO from the DMZ front-end. There has been discussion in this group to lead us to the belief that this scenario  is supported. Apparently it is not -- Microsoft says that all server farm  machines must be a member of the same domain.

Again... If anyone has been successful with SSO in this type of architecture please let me know.. For those others who are considering this type of architecture - consider yourself warned..

Answer #4    Answered By: Kareem Flynn     Answered On: Feb 11

why do you have your extranet server  on a different domain?

it makes sense that any server in a topology must be in the same domain -

Answer #5    Answered By: Tyron Calderon     Answered On: Feb 11

I follow a basic information domain model that identifies three separate
regions - Internet, Intranet, and Extranet. There are good reasons why you
would want to develop these separately, and why they might not be in the
same domain.

The Internet region is for dissemination of information to the public, so
you want wide-open access to it, either anonymous or challenge/response with
cookies, etc. This is how the vast majority of web sites operate today. This
should be in your DMZ or more likely in your ISP's DMZ to allow access while
protecting the corporate  network.

The Intranet is for internal corporate interaction, and should be based on
integrated or pass-through authentication of named users. This would operate
behind the firewall.

The Extranet is like the Internet, in that public access is required, but it
should have greater controls placed on it because you are limiting access to
specific areas to specific groups of users or IP addresses, etc. It also
sits in the DMZ.

SharePoint Portal and Windows SharePoint Services are designed mainly for
Intranet operations, Portal providing company-wide access, and WSS providing
a back-end team workspace. I wouldn't recommend that you use either product
for the Internet. I would also keep any Extranet server  in a separate
security domain. The need for security outweighs the convenience of single
sign-on in this case.

My two pence worth...

Didn't find what you were looking for? Find more on DMZ SSO Firewall Ports Or get search suggestion and latest updates.