Design extranet farm topology (Office SharePoint Server)

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2017-01-24

In this article:

  • About extranet environments

  • Planning for extranet environments

  • Edge firewall topology

  • Back-to-back perimeter topology

  • Back-to-back perimeter topology with content publishing

  • Back-to-back perimeter topology optimized for hosting static content

  • Split back-to-back topology

About extranet environments

An extranet environment is a private network that is securely extended to share part of an organization's information or processes with remote employees, external partners, or customers. By using an extranet, you can share any type of content that is hosted by Microsoft Office SharePoint Server 2007, including:

  • Branded informational content.

  • Personalized content based on user accounts.

  • Collaborative content, including documents, lists, libraries, calendars, blogs, and wikis.

  • Document repositories.

The following table describes the benefits that the extranet provides for each group.

Remote employees

Remote employees can access corporate information and electronic resources anywhere, anytime, and any place, without requiring a virtual private network (VPN). Remote employees include:

  • Traveling sales employees.

  • Employees working from home offices or customer sites.

  • Geographically dispersed virtual teams.

External partners

External partners can participate in business processes and collaborate with employees of your organization. You can use an extranet to help enhance the security of data in the following ways:

  • Apply appropriate security and user-interface components to isolate partners and to segregate internal data.

  • Authorize partners to use only sites and data that are necessary for their contributions.

  • Restrict partners from viewing other partners’ data.

You can optimize processes and sites for partner collaboration in the following ways:

  • Enable employees of your organization and partner employees to view, change, add, and delete content to promote successful results for both companies.

  • Configure alerts to notify users when content changes or to start a workflow.

Customers

Publish branded, targeted content to partners and customers in the following ways:

  • Target content based on product line or by customer profile.

  • Segment content by implementing separate site collections within a farm.

  • Limit content access and search results based on audience.

Office SharePoint Server 2007 provides flexible options for configuring extranet access to sites. You can provide Internet-facing access to a subset of sites on a server farm, or make all content on a server farm accessible from the Internet. You can host extranet content inside your corporate network and make it available through an edge firewall, or you can isolate the server farm inside a perimeter network.

Planning for extranet environments

The rest of this article discusses specific extranet topologies that have been tested with Office SharePoint Server 2007. The topologies that are discussed in this article can help you to understand the options that are available with Office SharePoint Server 2007, including requirements and tradeoffs.

The following sections highlight additional planning activities for an extranet environment.

Plan network edge technology

In each topology, the network edge technology illustrated is one or both of the following products from the Microsoft Forefront Edge suite of products: Microsoft Internet Security and Acceleration (ISA) Server and Intelligent Application Gateway (IAG) 2007. For more information about these Microsoft Forefront Edge products, see the following resources:

Note

You can substitute a different network edge technology.

IAG Server provides these additional features:

  • Information leakage prevention: No residues are left on the client computer, and all cache, temporary files, and cookies are deleted.

  • Endpoint, health-based authorization: Administrators can define an access policy that is based not only on the identity of the user and the information that is exposed but also on the condition of the client computer.

  • Access SharePoint sites from Outlook Web Access: Users can access SharePoint sites from links sent in e-mail through Outlook Web Access. IAG provides the link translation for links that refer to internal URLs.

  • Unified portal: Upon logon, IAG presents to each user the list of SharePoint sites and other applications that are available and authorized for that user.

The following table summarizes the difference between the servers.

Capability | ISA 2006 | IAG 2007
Publish Web applications using HTTPS | X | X
Publish internal mobile applications to roaming mobile devices | X | X
Layer 3 firewall | X | X*
Outbound scenarios support | X | X*
Array support | X |
Globalization and administration console localization | X |
Wizards and predefined settings to publish SharePoint sites and Exchange | X | X
Wizards and predefined settings to publish various applications | | X
Active Directory Federation Services (ADFS) support | | X
Rich authentication (for example, one-time password, forms-based, smart card) | X | X
Application protection (Web application firewall) | Basic | Full
Endpoint health detection | | X
Information leakage prevention | | X
Granular access policy | | X
Unified Portal | | X

* Supported by ISA, which is included with IAG 2007.

Plan for authentication and logical architecture

In addition to choosing or designing an extranet topology, you will need to design an authentication strategy and logical architecture to enable access to the intended users outside the internal network and to secure sites and content on the server farm. For more information, see the following resources:

Plan domain trust relationships

When the server farm is located inside a perimeter network, this network requires its own Active Directory directory service infrastructure and domain. Typically, a perimeter domain and a corporate domain are not configured to trust each other. However, there are several scenarios in which a trust relationship might be required. The following table summarizes scenarios that affect requirements for a trust relationship.

Scenario Description

Windows authentication

If the perimeter domain trusts the corporate network domain, you can authenticate both internal and remote employees by using their corporate domain credentials.

For information about designing an authentication strategy and logical architecture for this scenario, see Logical architecture model: Corporate deployment.

Forms authentication and Web single sign-on (SSO)

You can use forms authentication and Web SSO to authenticate both internal employees and remote employees against an internal Active Directory environment. For example you can use Web SSO to connect to Active Directory Federation Services (ADFS). Using forms authentication or Web SSO does not require a trust relationship between domains.

However, several features of Office SharePoint Server 2007 might not be available, depending on the authentication provider. For more information about features that might be affected when forms authentication or Web SSO is used, see Plan authentication settings for Web applications in Office SharePoint Server.

Content publishing

A trust relationship between domains is not required to publish content from one domain to the other. To avoid a requirement for a trust relationship, ensure that you use the appropriate account for publishing content. For more information, see "Hardening for content publishing" in Plan security hardening for extranet environments.

For more information about configuring a one-way trust relationship in an extranet environment, see Plan security hardening for extranet environments.

Plan for availability

The extranet topologies described in this article are intended to illustrate:

  • Where a server farm is located within an overall network.

  • Where each of the server roles is located within an extranet environment.

This article is not intended to help you plan which server roles you need to deploy or how many servers for each role you need to deploy to achieve redundancy. After you determine how many server farms are required for your environment, use the following article to plan the topology for each server farm: Plan for redundancy (Office SharePoint Server).

Plan for security hardening

After you have designed your extranet topology, use the following resources to plan for security hardening:

Edge firewall topology

This configuration uses a reverse proxy server on the border between the Internet and the corporate network to intercept and then forward requests to the appropriate Web server located in the intranet. Using a set of configurable rules, the proxy server verifies that the requested URLs are allowed based on the zone from which the request originated. The requested URLs are then translated into internal URLs. The following illustration shows an edge firewall topology.

Extranet farm topology - edge firewall

Advantages

  • Simplest solution that requires the least amount of hardware and configuration.

  • Entire server farm is located within the corporate network.

  • Single point of data:

    • Data is located within the trusted network.

    • Data maintenance occurs in one place.

    • Single farm used for both internal and external requests ensures that all authorized users view the same content.

  • Internal user requests are not passed through a proxy server.

Disadvantages

  • Results in a single firewall that separates the corporate internal network from the Internet.
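The rule check and URL translation that the edge proxy performs, as an added example (not code from this page and not the ISA or IAG rule engine): a request is accepted only if a publishing rule for its zone and public host allows the normalized path, and only then is the public URL rewritten to the internal Web server URL. The zone names, hostnames and paths are constructed for the example.

```python
"""Zone-based publishing rules for the reverse proxy in an edge firewall
topology. Added example, not code from the page and not the ISA/IAG rule
engine: it models the two steps the text describes, checking that a
requested URL is allowed for the zone the request came from and then
translating the public URL into the internal Web server URL. Zone names,
hostnames and paths below are constructed for the example."""
from dataclasses import dataclass
from urllib.parse import quote, unquote, urlsplit, urlunsplit


@dataclass(frozen=True)
class PublishingRule:
    """Requests from `zone` for `public_host` may reach the paths under
    `allowed_prefixes` and are forwarded to `internal_host`."""
    zone: str
    public_host: str
    internal_host: str
    allowed_prefixes: tuple


# Constructed rule set with hypothetical hosts: Internet clients reach only
# the partner site collection (plus the layouts pages it needs), while the
# intranet zone is published without a path restriction.
RULES = (
    PublishingRule("internet", "extranet.contoso.example",
                   "wfe01.corp.contoso.example",
                   ("/sites/partners/", "/_layouts/")),
    PublishingRule("intranet", "portal.contoso.example",
                   "wfe01.corp.contoso.example", ("/",)),
)


def normalize_path(path: str) -> str:
    """Resolve '.' and '..' segments after percent-decoding, so that a prefix
    check cannot be slipped past with /sites/partners/../hr/ or its
    %2e%2e-encoded form."""
    segments = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    norm = "/" + "/".join(segments)
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


def forward(zone: str, url: str):
    """Apply the rules to one request. Returns (True, internal_url) when the
    request is published to this zone, otherwise (False, reason). Anything
    that matches no rule is denied."""
    parts = urlsplit(url)
    path = normalize_path(parts.path or "/")
    for rule in RULES:
        if rule.zone != zone or rule.public_host != parts.hostname:
            continue
        if any(path == p.rstrip("/") or path.startswith(p)
               for p in rule.allowed_prefixes):
            internal = urlunsplit(
                ("http", rule.internal_host, quote(path), parts.query, ""))
            return True, internal
        return False, f"{path} is not published to the {zone} zone"
    return False, f"no publishing rule for {parts.hostname} in the {zone} zone"


if __name__ == "__main__":
    for zone, url in (
        ("internet", "https://extranet.contoso.example/sites/partners/Shared%20Documents/plan.docx"),
        ("internet", "https://extranet.contoso.example/sites/partners/%2e%2e/hr/"),
        ("internet", "https://extranet.contoso.example/_admin/"),
        ("intranet", "http://portal.contoso.example/_admin/"),
    ):
        print(zone, url, "->", forward(zone, url))
```

The path is normalized before the prefix comparison and requests matching no rule are denied, which is the behaviour to verify on the real proxy: a published rule that checks only the raw request string can be narrower than it looks.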

Back-to-back perimeter topology

A back-to-back perimeter topology isolates the server farm in a separate perimeter network, as shown in the following illustration.

Office SharePoint Server network - back to back

This topology has the following characteristics:

  • All hardware and data reside in the perimeter network.

  • The server farm roles and network infrastructure servers can be separated across multiple layers. Combining the network layers can reduce the complexity and cost.

  • Each layer can be separated by additional routers or firewalls to ensure that only requests from specific layers are allowed.

  • Requests from the internal network can be directed through the internal-facing ISA server or routed through the public interface of the perimeter network.

The illustration shows all application server roles located in Layer 2 as dedicated servers. In a real deployment, multiple application server roles can reside on a single application server. Also, some farms are better optimized by deploying the query role on the Web servers in Layer 1 instead of as application servers inside Layer 2.

Advantages

  • Content is isolated to a single farm on the extranet, simplifying sharing and maintenance of content across the intranet and the extranet.

  • External user access is isolated to the perimeter network.

  • If the extranet is compromised, damage is potentially limited to the affected layer or to the perimeter network.

  • By using a separate Active Directory infrastructure, external user accounts can be created without affecting the internal corporate directory.

Disadvantages

  • Requires additional network infrastructure and configuration.

Back-to-back perimeter topology with content publishing

This topology adds content publishing to the back-to-back perimeter topology. By adding content publishing, sites and content that are developed inside the corporate network can be published to the server farm that is located in the perimeter network.

The following illustration shows the back-to-back perimeter topology with content publishing.

Office SharePoint Server extranet farm topology

Note the following characteristics of this topology:

  • Requires two separate farms — one in the corporate network and the other in the perimeter network.

  • Publishing is one-way. Any content created or modified in the perimeter network stays unique to that farm and is not published back to the corporate network.

The illustration shows the path of content deployment from the Central Administration site on the content staging farm to the Central Administration site on the destination farm. The Central Administration site is typically installed on one of the application servers. The illustration separately calls out the Central Administration site to show the role of this site in content deployment.

Advantages

  • Isolates customer-facing and partner-facing content to a separate perimeter network.

  • Content publishing can be automated.

  • If content in the perimeter network is compromised or corrupted as a result of Internet access, the integrity of the content in the corporate network is retained.

Disadvantages

  • Requires more hardware to maintain two separate farms.

  • Data overhead is greater. Content is maintained and coordinated in two different farms and networks.

  • Changes to content in the perimeter network are not reflected in the corporate network. Consequently, content publishing to the perimeter domain is not a workable choice for extranet sites that are collaborative.

Back-to-back perimeter topology optimized for hosting static content

In environments where content is static or mostly static, you can optimize performance by implementing caching features of IAG 2007 or ISA Server 2006. IAG or ISA caching can be configured in addition to the caching features in Office SharePoint Server 2007.

For example, ISA Server provides the following two types of caching:

  • Forward caching: Forward caching provides cached Web objects to internal users who make Web requests to the Internet.

  • Reverse caching: Reverse caching provides cached content to external Internet clients who make requests to internal Web servers published by ISA Server.

For more information about ISA caching, see Caching and CARP in ISA Server 2006 (https://go.microsoft.com/fwlink/?LinkId=86531&clcid=0x409).

Use IAG or ISA caching in addition to Office SharePoint Server 2007 caching only if the following are true:

  • Content is static. Post-cache substitution, in which parts of a page are not cached, is not used. URLs are not modified.

  • Content is 100% anonymous.

IAG and ISA caching enables you to scale out beyond the limits of a single farm by improving performance where Web servers might be a bottleneck. This enables you to improve performance when the maximum number of Web servers has been reached or to reduce the number of Web servers that are required.
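The conditions above turned into a check a practitioner can run against an HTTP exchange, as an added example (not code from this page or from Microsoft): the function reports which of the four conditions (static content, no post-cache substitution, unmodified URLs, 100% anonymous) an exchange fails, using standard header semantics. The sample exchanges are constructed, and whether a page uses post-cache substitution is passed in by the caller from the page output cache profile, which this example does not read.

```python
"""Eligibility check for layering IAG/ISA reverse caching on top of Office
SharePoint Server caching. Added example, not code from the page or from
Microsoft: it turns the page's conditions (static content, no post-cache
substitution, unmodified URLs, 100% anonymous) into checks over an HTTP
exchange using standard header semantics. The sample exchanges are
constructed; `post_cache_substitution` is supplied by the caller from the
site's page output cache profile, which this example does not read."""
from typing import Dict, List, Tuple

Headers = Dict[str, str]


def cache_directives(value: str) -> set:
    """Split a Cache-Control or Vary header value into lower-case tokens,
    dropping any '=value' part (max-age=600 -> max-age)."""
    return {item.strip().split("=", 1)[0].lower()
            for item in value.split(",") if item.strip()}


def reverse_cache_eligible(request: Headers, response: Headers,
                           public_path: str, origin_path: str,
                           post_cache_substitution: bool = False
                           ) -> Tuple[bool, List[str]]:
    """Return (eligible, reasons). Each reason names one of the page's
    conditions that the exchange fails; eligible is True only when none fail."""
    req = {k.lower(): v for k, v in request.items()}
    resp = {k.lower(): v for k, v in response.items()}
    cc = cache_directives(resp.get("cache-control", ""))
    vary = cache_directives(resp.get("vary", ""))
    reasons: List[str] = []

    # Content is 100% anonymous: no credentials in, no per-user state out.
    if "authorization" in req or "cookie" in req:
        reasons.append("request carries credentials or a session cookie")
    if "set-cookie" in resp:
        reasons.append("response sets a cookie")
    if cc & {"private", "no-store"}:
        reasons.append("response is marked private or no-store")
    if vary & {"cookie", "authorization", "*"}:
        reasons.append("response varies by user identity")

    # Content is static: the origin must declare a freshness lifetime the
    # edge cache can honour.
    if not (cc & {"max-age", "s-maxage"}) and "expires" not in resp:
        reasons.append("no freshness lifetime (max-age, s-maxage or Expires)")

    # Post-cache substitution is not used: parts of such pages are rendered
    # per request, so the whole page must not be cached at the edge.
    if post_cache_substitution:
        reasons.append("page uses post-cache substitution")

    # URLs are not modified: the cached object must be keyed by the same
    # path the origin served.
    if public_path != origin_path:
        reasons.append("URL is rewritten between the edge and the farm")

    return not reasons, reasons


# Constructed exchanges: an anonymous published page and an authenticated
# collaboration page (cookie names and values are placeholders).
ANONYMOUS_PAGE = (
    {"Host": "extranet.contoso.example"},
    {"Cache-Control": "public, max-age=600", "Content-Type": "text/html"},
    "/news/default.aspx", "/news/default.aspx",
)
TEAM_SITE_PAGE = (
    {"Host": "extranet.contoso.example", "Cookie": "session=<constructed>"},
    {"Cache-Control": "private, max-age=0",
     "Set-Cookie": "session=<constructed>; HttpOnly", "Vary": "Cookie"},
    "/sites/partners/default.aspx", "/sites/partners/default.aspx",
)


if __name__ == "__main__":
    for label, exchange in (("anonymous", ANONYMOUS_PAGE),
                            ("team site", TEAM_SITE_PAGE)):
        print(label, reverse_cache_eligible(*exchange))
```

Only the anonymous, publicly cacheable page passes; the collaborative page fails on every identity-related condition at once, which is the situation the page warns about when edge caching is enabled for dynamic content.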

The following illustration shows multiple IAG or ISA servers used to cache content.

Extranet farm topology - back to back publishing

The illustration shows the following choices:

  • The query role is installed on the Web servers.

  • The Central Administration site is installed on the index server.

Advantages

  • Greatly improves performance when hosting static or nearly-static content.

  • Reduces the number of requests on Web servers and database servers.

  • Provides a method of scaling out the extranet solution.

Disadvantages

  • ISA caching can reduce overall performance in environments that have dynamic or frequently changing content.

Split back-to-back topology

This topology splits the farm between the perimeter and corporate networks. The computers running Microsoft SQL Server database software are hosted inside the corporate network. Web servers are located in the perimeter network. The application server computers can be hosted in either the perimeter network or the corporate network.

Split back-to-back perimeter network topology

In the preceding illustration:

  • The application servers are hosted inside the perimeter network. This option is illustrated by blue servers inside the dashed line.

  • Application servers can optionally be deployed inside the corporate network, with the database servers. This option is illustrated by the gray servers inside the dashed line. If you deploy application servers inside the corporate network with the database servers, you must also have an Active Directory environment to support these servers (illustrated as gray servers inside the corporate network).

If the server farm is split between the perimeter network and the corporate network with the database servers located inside the corporate network, a domain trust relationship is required if Windows accounts are used to access SQL Server. In this scenario, the perimeter domain must trust the corporate domain. If SQL authentication is used, a domain trust relationship is not required. For more information about configuring accounts for this topology, see "Domain trust relationships" in the following article: Plan security hardening for extranet environments.

To optimize search performance and crawling, place the application servers inside the corporate network with the database servers. You can also add the Web server role to the index server inside the corporate network and configure this Web server for dedicated use by the index server for content crawling. However, do not add the query role to the index server if the query role also is located on other servers in the farm. If you place Web servers in the perimeter network and application servers inside the corporate network, you must configure a one-way trust relationship in which the perimeter network domain trusts the corporate network domain. This one-way trust relationship is required in this scenario to support inter-server communication within the farm, regardless of whether you are using Windows authentication or SQL authentication to access SQL Server.

You can place one or more Web servers inside the corporate network to serve internal requests. This results in splitting the Web servers between the perimeter network and the corporate network. If you do this, ensure that traffic from the Internet is load-balanced to the Web servers in the perimeter network and that traffic from inside the corporate network is independently load-balanced to the Web servers inside the corporate network. You must also set up different alternate access mapping zones and firewall publishing rules for each network segment.

If you plan to publish content from a staging farm inside the corporate network to the database servers that host content for the extranet (also located inside the corporate network), you can optimize the farm by hosting the application servers, including the Central Administration site, inside the corporate network for the following reasons:

  • The data stream for content publishing travels from the Central Administration site on the staging farm to the Central Administration site on the destination farm. If the Central Administration site is inside the corporate network, the content publishing data stream does not travel through the firewall between the perimeter network and the corporate network. On the other hand, if the Central Administration site is inside the perimeter network, the data stream travels through the firewall in both directions before it reaches the content databases of the destination farm.

  • Indexing takes place inside the corporate network.

The following illustration shows a split back-to-back topology environment that is optimized for content publishing.

SharePoint Services extranet farm topology

The illustration shows the following choices:

  • The query role is installed on the Web servers in the perimeter network.

  • Application servers reside in the corporate network with the database servers. This requires a one-way trust relationship in which the perimeter domain trusts the corporate domain.

  • The Central Administration site for the production farm is installed on the index server.

  • The Web server role is installed on the index server and is dedicated to crawling content.

Advantages

  • Computers running SQL Server are not hosted inside the perimeter network.

  • Farm components both within the corporate network and the perimeter network can share the same databases.

  • Content can be isolated to a single farm inside the corporate network, which simplifies sharing and maintaining content across the corporate network and the perimeter network.

  • With a separate Active Directory infrastructure, external user accounts can be created without affecting the internal corporate directory.

Disadvantages

  • Complexity of the solution is greatly increased.

  • Intruders who compromise perimeter network resources might gain access to farm content stored in the corporate network by using the server farm accounts.

  • Inter-farm communication is typically split across two domains.
