Sharepoint Forum


extranet configuration

  Asked By: Harley    Date: May 06    Category: Sharepoint    Views: 1250

Here is my configuration for intranet and extranet single server farm.

1. Use separate AD for partners.
2. One way trust to partner domain from internal domain.
3. SPS 2003 as Small Server Farm in DMZ, installed on Partner Domain.
4. SQL Server is inside LAN.
5. SPS 2003 in DMZ uses internal domain accounts for SQL access.
6. Intranet SPS site configured to use 80 port and All Unassigned.
7. Extranet SPS site configured to use 443 port and All Unassigned
extended to existing virtual server on port 80.
8. Alternate access settings are configured for extranet on SPS.
9. Use of embedded Team Sites Collection
10. Partners are (should be) given access to only required team sites site owners.
11. Partners will not be given access to portal and (may or may not be) able to create My Sites (should be possible by creating custom role for
12. Ports opened in firewall are:
- Microsoft Directory Service traffic (Transmission Control Protocol Port 445, User Datagram Protocol (UDP) Port 445)
- Kerberos authentication protocol (TCP Port 88, UDP Port 88)
- Lightweight Directory Access Protocol (LDAP) PING (UDP Port 389)
- Domain Name System (DNS) (TCP Port 53, UDP Port 53)
- SQL Server (TCP Port 1433; open on the Back End network only)

My technical & security concerns:
1. Does having the portal site in the DMZ raise any security issues?
2. Should I use internal domain accounts for the SharePoint account configuration (app pool, content access account)?
3. Are there any security issues with partners being able to access the portal site (they will be given access to certain embedded site collection sites)?

7 Answers Found

Answer #1    Answered By: Agustin Miranda     Answered On: May 06

Is there anything on the portal that you want your partners 1) to see but not be able to access, 2) to be able to access other than the embedded team
If the answer is yes, then your site / portal configuration is ok.
If the answer is no, then I would not use embedded team sites; I would use standalone WSS sites in the screened subnets (I hate the term DMZ, which is a totally inaccurate description of a protected area). You could authenticate the partners with a separate domain for access to the WSS sites, then create a content source at the portal to crawl the WSS sites. In this scenario, the partners have no knowledge of the internal portal nor its contents, and yet portal users can search and (if you create links) link to the WSS sites for
Since you are using SSL, you can require your partners to authenticate with

Hopefully, when you discuss the open firewall ports that is the internal
firewall of the screened subnet and not the Internet facing firewall.

BTW, SP1 on W2K3 now permits binding SSL to host headers. Requires Command
Line, no GUI available.
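An added example in Python, not code from the post or any of the replies: it audits a constructed firewall rule set against the DMZ-to-LAN port list in item 12 of the question and the distinction Answer #1 raises between the internal firewall of the screened subnet and the Internet-facing one. The `Rule` class, `audit` function, sample rules, and the assumption that only the TCP 443 extranet site is published externally are mine, not the poster's.

```python
from dataclasses import dataclass

# Allowlist from item 12 of the question: ports the DMZ farm needs to reach the LAN.
# The post lists LDAP ping as UDP 389 only, so TCP 389 is deliberately NOT on the list.
REQUIRED_DMZ_TO_LAN = {
    ("tcp", 445), ("udp", 445),   # Microsoft Directory Service (SMB)
    ("tcp", 88), ("udp", 88),     # Kerberos
    ("udp", 389),                 # LDAP ping
    ("tcp", 53), ("udp", 53),     # DNS
    ("tcp", 1433),                # SQL Server (back-end network only)
}
# Assumption (not stated in the post): the only service published through the
# Internet-facing firewall is the SSL extranet site on TCP 443.
PUBLISHED_OK = {("tcp", 443)}

@dataclass(frozen=True)
class Rule:
    firewall: str  # "internet" = Internet->DMZ firewall, "internal" = DMZ->LAN firewall
    proto: str
    port: int
    action: str    # "allow" or "deny"

def audit(rules):
    """Return a list of findings; an empty list means the rule set matches the design."""
    findings = []
    allowed_internal = set()
    for r in rules:
        if r.action != "allow":
            continue
        key = (r.proto.lower(), r.port)
        if r.firewall == "internet" and key not in PUBLISHED_OK:
            findings.append(f"{key[0]}/{key[1]} is open on the Internet-facing firewall")
        elif r.firewall == "internal":
            allowed_internal.add(key)
            if key not in REQUIRED_DMZ_TO_LAN:
                findings.append(f"{key[0]}/{key[1]} DMZ->LAN is allowed but not in the required list")
    # Ports the farm needs but the internal firewall does not pass (the farm will fail to join/auth).
    for key in sorted(REQUIRED_DMZ_TO_LAN - allowed_internal):
        findings.append(f"{key[0]}/{key[1]} DMZ->LAN is required but not allowed")
    return findings

# Constructed sample rule set: matches the design except for three deliberate mistakes.
SAMPLE_RULES = [
    Rule("internet", "tcp", 443, "allow"),
    Rule("internet", "tcp", 1433, "allow"),   # SQL reachable from the Internet
    *[Rule("internal", p, n, "allow") for p, n in REQUIRED_DMZ_TO_LAN if (p, n) != ("udp", 53)],
    Rule("internal", "tcp", 389, "allow"),    # broader than the listed UDP-only LDAP ping
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
```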

Answer #2    Answered By: Arron Middleton     Answered On: May 06

By giving partners 'contributor' access to only the required sub sites of an embedded site collection, I believe they would not be able to authorize to any other sites, importantly the portal site. Am I wrong?

Requirements are not yet clear whether partners should never be able
to view portal site.

Answer #3    Answered By: Vance Hardin     Answered On: May 06

You would have to be careful with your listings that they did not see
information that they should not know even if the hyperlink would not work
for them due to lack of access. Would they have access to the portal home

Answer #4    Answered By: Kareem Flynn     Answered On: May 06

Yes, they do not have access to the portal home page; they have access only to certain sub sites as needed.

Answer #5    Answered By: Tyron Calderon     Answered On: May 06

Just thinking like a hacker here:
Sub sites have a link "Up to portal." That plus the URL reveals the location of
more, possibly really good, stuff.

Standalone WSS sites do not reveal that information as easily.

Answer #6    Answered By: Irvin Foley     Answered On: May 06

They do see it along with other authorized users, but they get challenged once they click it.
Yes, the path sometimes might reveal some information, but my team sites design is not too deep. It's wider, with a new site collection for unique collaboration efforts (project, proposal, reports).
This is not a security concern...

Answer #7    Answered By: Deonte Stein     Answered On: May 06

I misled you when I told you that we were successful in sending the disclaimer through Exchange. The blat utility we used bypasses Exchange.
