MOSS Forum


Extending our sites to another farm outside the firewall.

  Asked By: Jamison    Date: Dec 16    Category: MOSS    Views: 6025

I thought I understood this, but now the more I think about it, the less
I think I understand it.

We (finally) got MOSS up and running on an internal WFE. It points to
our SQL server internal as well.

I now have to install MOSS on our 3 WFE servers that sit OUTSIDE our
firewall and point them at the same SQL server.

Instead of explaining my convoluted way of thinking how things might
work, I think I'll ask a more generic question:

If you had 3 WFE outside your firewall, 1 WFE inside your firewall, and
want all of them to be seeing the same web apps/portals/sitecollections,
how would you go about the install process?



6 Answers Found

Answer #1    Answered By: Himanshu Gohil     Answered On: Dec 16

I have just been proof testing this exact idea at a client
of mine. We have a SQL server inside the LAN with 2 WFE and an IDX Server.
In the DMZ we have 2 more WFE servers. There is a firewall for the LAN and
also a firewall for the DMZ. In order for the WFE servers in the DMZ to see
the others I only needed to initially open the SQL TCP Port 1433 and UDP
1434. This gave access to the SQL Instance. I was able to install SharePoint
and hook it up to the farm. Obviously this involved having an Active
Directory in the DMZ set in a trusting relationship. In the one I worked on
we actually chose to break it out even further using specific SQL instances
to host specific content as well. It isn't as easy as that I have to say, as
there will be little other things you may need to open such as port 80 but
only between the WFE to the rest of the farm. My advice is either use server
to server policies or use IPSec between the servers. Hope this helps.
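
As an added example (not part of the original answer, and not SharePoint tooling), the following audits a DMZ-to-LAN firewall rule list against the openings described above: TCP 1433 and UDP 1434 to the SQL server, and port 80 only between the DMZ WFEs and the rest of the farm. The addresses, rule names and the dict rule format are constructed assumptions.

```python
import ipaddress

# Constructed addresses for illustration (assumptions, not from the thread).
DMZ_WFES = {ipaddress.ip_address(a) for a in ("192.0.2.11", "192.0.2.12")}
SQL_SERVER = {ipaddress.ip_address("10.0.0.20")}
FARM_SERVERS = {ipaddress.ip_address(a) for a in ("10.0.0.31", "10.0.0.32")}

# Ports named in Answer #1: SQL on TCP 1433 and UDP 1434, plus port 80
# only between the DMZ WFEs and the rest of the farm.
ALLOWED = {
    ("tcp", 1433): SQL_SERVER,
    ("udp", 1434): SQL_SERVER,
    ("tcp", 80): FARM_SERVERS,
}

# Constructed DMZ-to-LAN rule set in a hypothetical dict format.
SAMPLE_RULES = [
    {"name": "wfe1-sql", "src": "192.0.2.11", "dst": "10.0.0.20", "proto": "tcp", "port": 1433},
    {"name": "wfe2-sql-udp", "src": "192.0.2.12", "dst": "10.0.0.20", "proto": "udp", "port": 1434},
    {"name": "dmz-any-sql", "src": "192.0.2.0/24", "dst": "10.0.0.20", "proto": "tcp", "port": 1433},
    {"name": "wfe1-http-lan", "src": "192.0.2.11", "dst": "10.0.0.0/24", "proto": "tcp", "port": 80},
    {"name": "wfe1-rdp", "src": "192.0.2.11", "dst": "10.0.0.31", "proto": "tcp", "port": 3389},
]

def _single_host(cidr, allowed_hosts):
    """True if cidr is exactly one address and that address is allowed."""
    net = ipaddress.ip_network(cidr)
    return net.num_addresses == 1 and net.network_address in allowed_hosts

def audit(rules):
    """Return (rule name, reason) for every rule wider than the reviewed openings."""
    findings = []
    for r in rules:
        targets = ALLOWED.get((r["proto"], r["port"]))
        if targets is None:
            findings.append((r["name"], "port is not on the reviewed allow-list"))
            continue
        if not _single_host(r["src"], DMZ_WFES):
            findings.append((r["name"], "source is not a single DMZ WFE"))
        if not _single_host(r["dst"], targets):
            findings.append((r["name"], "destination is wider than intended"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```
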

Answer #2    Answered By: Ashton Schroeder     Answered On: Dec 16

I appreciate the response. Unfortunately, this all gets into the world
of networking which is outside my realm of expertise. ;o)

Maybe to take one step back and ask a simpler question: When you
installed MOSS on the servers on the outside, when installing, did you
choose 'connect to existing farm' or 'create a new farm'? If the former,
it sounds like to do that, one only needs access to the SQL server,
correct? And not necessarily the internal WFE server? (As it's the DB
that really stores everything).

In other words, do all the WFE servers on both sides of the Firewall need
to see each other, or is the only key issue that all WFE servers be able
to see the DB?

Answer #3    Answered By: Joanne Greer     Answered On: Dec 16

No worries. The front end servers really do ultimately need
to see each other but in the testing I did, they could not see them. They simply
had access to the database services only. Hope this helps.

Answer #4    Answered By: Cathy Cameron     Answered On: Dec 16

May I add?

If you want to move/add ECS or Query roles to the WFEs in the DMZ, you
will need to enable NetBIOS ports as well.

I agree with the fully meshed IPSec idea below, but just opening
firewall ports is simpler, and IMHO, accomplishes the same level of

Answer #5    Answered By: Kerri Steele     Answered On: Dec 16

One more thing that maybe I didn't clarify, all of the WFE both external
and in the DMZ will have the exact same content. We're not restricting
the content or sites available in any way based on where the servers are

As such, does it matter where central admin is installed? For now, we
put it on the internal WFE feeling it was a tad more secure that way.
Will we/should we have no problems managing the DMZ WFEs from the
internal Central Admin?

Answer #6    Answered By: Alisha Itagi     Answered On: Dec 16

I would keep the central administration inside the firewall.
You should not have any issues looking after the servers from there.
