How to create a secure efficient extranet user experience


Post on 11-Nov-2014


Category:

Technology


DESCRIPTION

Jeremy Thake, SharePoint MVP and AvePoint Enterprise Architect, introduces why organizations use extranets, shares the common issues found in customers' extranet environments, and discusses the advantages and disadvantages of the available approaches to authentication and topology. Jeremy then illustrates the importance of instilling appropriate governance for extranets built on SharePoint so that the common issues identified are mitigated, including guidance on the processes that can be put in place to ensure a better user experience.

TRANSCRIPT

1. Governing your Extranet for a better user experience
   Jeremy Thake, Enterprise Architect

2. Jeremy Thake
   • Enterprise Architect, AvePoint
   • SharePoint MVP since July 10
   • Founded SharePointDevWiki.com
   • Co-founder of NothingButSharePoint.com
   • Speaker at MS TechEd 2009/10, SPC 11
   • jeremy.thake@avepoint.com, gplus.to/jthake, @jthake, www.linkedin.com/in/jeremythake

3. Agenda
   • What is an extranet?
   • Common issues with extranets
   • Authentication sources
   • Extranet topologies
   • Enforcing processes

   2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.

4. What is an Extranet?

5. What is an extranet?
   • Controlled access from external networks
   • Typically walled areas of content
   • Access by internal and external users via authentication
   • Mixture of published read-only content for reference and shared collaboration content, accessible internally/externally to the company

6. Examples
   • Software partner extranet: manuals, software, blogs, discussion forums
   • Engineering partner extranet: collaborating on documents, project plans, meeting minutes, agendas etc.
   • Software customer extranet: portal for various systems (helpdesk, sales)

7. Common issues with Extranets

8. Onboarding
   • Creating new users
   • 1 to 1
   • Shared accounts
   • ECAL licensing

9. Managing users
   • Forgotten passwords
   • Access requests
   • Expiring accounts
   • Claims

10. Internal content
   • Content collaborated on and managed internally
   • Making published versions available securely
   • Internal users' aggregated view
   • Data sensitivity issues
   • Auditing

11. Branding & Navigation
   • Purposely looks different from internal content
   • Cross-site-collection navigation
   • Internal users have to look in both Intranet & Extranet

12. Authentication sources

13. Active Directory
   • Existing AD, in an OU with internal users: most organizations won't agree with this
   • Existing AD, but isolated in an OU: some organizations won't like external users in the internal AD
   • External AD with a one-way trust: some won't like even a trust
   • Office 365 federated

14. Claims Based Auth
   • Forms Based Authentication (FBA)
   • Azure ACS (Live ID, Google, Facebook)
   • ADFS 2.0
   • Office 365 Microsoft Online ID

15. Extranet topologies

16. Edge firewall

17. Edge firewall
   Pros:
   • Simplest solution
   • Inside corporate network
   Cons:
   • Security model complex
   • One site for both internal/external
   • Sensitive docs visible
   Single firewall separates corporate network from the internet.
   http://technet.microsoft.com/en-us/library/cc263513.aspx

18. Back-to-back perimeter

19. Back-to-back perimeter
   Pros:
   • Isolated to single farm
   • External user access is isolated to perimeter network
   Cons:
   • Additional n/w gear req.
   • Single firewall separates corporate network from the internet
   http://technet.microsoft.com/en-us/library/cc263513.aspx

20. Back-to-back perimeter with cross-farm services

21. Back-to-back perimeter with cross-farm services
   Pros:
   • Isolation from corporate
   • Network traffic isolation
   • Prevents sensitive doc leaks
   • Shared services managed corporate
   Cons:
   • Additional SP farm req.
   • Additional n/w gear req.
   • Two-way trusts req. for some
   • No mechanism to publish content internal to external
   http://technet.microsoft.com/en-us/library/cc263513.aspx

22. Back-to-back perimeter with content publishing

23. Back-to-back perimeter with content publishing
   Pros:
   • Isolation from corporate
   • Network traffic isolation
   • Prevents sensitive doc leaks
   • Shared services managed corporate
   • Ability to publish content from internal to external
   Cons:
   • Additional SP farm req.
   • Additional n/w gear req.
   • Two-way trusts req. for some
   • Content management complex
   • No two-way content sync (read-only)
   http://technet.microsoft.com/en-us/library/cc263513.aspx

24. Split back-to-back

25. Split back-to-back or stretched farm
   Pros:
   • SQL stored in corporate n/w
   Cons:
   • Domain trust required
   • Complex architecture
   • Interfarm comms in 2 n/w
   • One site for both internal/external
   • Sensitive docs visible
   http://technet.microsoft.com/en-us/library/cc263513.aspx

26. Split back-to-back optimized for content publishing

27. Split back-to-back optimized for content publishing
   Pros:
   • SQL stored in corporate n/w
   • Ability to publish content from internal to external
   Cons:
   • Domain trust required
   • Complex architecture
   • Interfarm comms in 2 n/w
   • Content management complex
   • No two-way content sync (read-only)
   http://technet.microsoft.com/en-us/library/cc263513.aspx

28. Office 365 SharePoint Online

29. Office 365 SharePoint Online
   Pros:
   • Quick to set up
   • Provisioning users outside AD
   Cons:
   • Additional costs of subscriber model
   • Some features not available
   • No supported OOTB content publishing

30. Enforcing processes

31. New content area
   • Site collection or sub-site provisioning
   • Site templates, service level agreements
   • Security model:
     • Grant users direct permissions
     • Add users to preexisting SharePoint groups
     • Add users to preexisting AD groups
     • Grant a claim direct permissions
   • Chargeback