Welcome to ISAserver.org


DMZ and Sharepoint

DMZ and Sharepoint - 6.May2004 12:53:00 PM   
MACRO33

 

Posts: 11
Joined: 7.May2003
From: Sydney
Status: offline
Hi All,

Got a new client with a web server and a sharepoint extranet. Have an existing Sonic wall doing VPN and routing to these two web servers but would like to protect the private network a little better. Thought of putting the Sharepoint and Web server on a DMZ between the sonicwall and an ISA Server protecting the internal domain.

sonic---
l      l
l      Web/Sharepoint
l
l
ISA
l
Private domain

Question: is this a good setup, as the sharepoint has to be updated regularly, and is it fairly simple to configure, as I have limited experience with this type of scenario?

Thanks in advance

Paul
Post #: 1
RE: DMZ and Sharepoint - 7.May2004 11:54:00 AM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Paul,

It'll work, but the level of protection the sonicwall can provide is pretty small. What type of access do you need to your SharePoint site? Have you tried publishing your SharePoint site yet by placing it behind the ISA Server?

Thanks!
Tom

(in reply to MACRO33)
Post #: 2
RE: DMZ and Sharepoint - 7.May2004 2:55:00 PM   
MACRO33

 

Posts: 11
Joined: 7.May2003
From: Sydney
Status: offline
Hi Tom,

ISA not purchased yet as we are doing a pitch for this client. (Their budget is a bit limited, I am afraid.) The sonic wall is the existing firewall and routing through to the web server, Extranet and domain.
The extranet is required by staff, where the website is, well, a website.
The sonicwall hosts VPN between two city sites and I thought the ISA would be good for the internal domain protection.
Are you suggesting that a DMZ would be more trouble than it's worth in this scenario?

Cheers

Paul

(in reply to MACRO33)
Post #: 3
RE: DMZ and Sharepoint - 9.May2004 5:48:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Paul,

The DMZ would actually be easy. The issue is security. What does the sonicwall bring to the table in terms of security? If it's just packet filtering, then the site should really be behind the ISA firewall, because the sonicwall isn't doing any protecting other than a packet filtering router (like a pix).

HTH,
Tom

(in reply to MACRO33)
Post #: 4
RE: DMZ and Sharepoint - 14.May2004 1:44:00 PM   
MACRO33

 

Posts: 11
Joined: 7.May2003
From: Sydney
Status: offline
Thanks Tom,

Will need to study up a bit (what's new) to get all working behind ISA.

(in reply to MACRO33)
Post #: 5
RE: DMZ and Sharepoint - 16.May2004 6:16:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Paul,

No problem. Post when you have questions on the new features.

Thanks!
Tom

(in reply to MACRO33)
Post #: 6
RE: DMZ and Sharepoint - 29.May2004 10:44:00 PM   
twscottIII

 

Posts: 28
Joined: 6.Apr.2004
From: Birmingham, AL
Status: offline
Tom,

If you need to enable users external to your company to access this sharepoint site, would you not want to set the sharepoint server up in its own domain inside the DMZ?

Thanks,

Tom

(in reply to MACRO33)
Post #: 7
RE: DMZ and Sharepoint - 30.May2004 2:43:00 AM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tom,

Yes, if this is purely an extranet site and you don't need access to domain accounts.

HTH,
Tom

(in reply to MACRO33)
Post #: 8
RE: DMZ and Sharepoint - 2.Jun.2004 7:57:00 PM   
twscottIII

 

Posts: 28
Joined: 6.Apr.2004
From: Birmingham, AL
Status: offline
What if you need both external users and internal domain users to access the site? Is there a way to do that without adding the external users to your internal Active Directory? Or is that the only way to support both?

(in reply to MACRO33)
Post #: 9
RE: DMZ and Sharepoint - 3.Jun.2004 2:40:00 AM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tom,

If the site isn't on a domain controller, you can create user accounts in the local SAM of that machine.

HTH,
Tom

(in reply to MACRO33)
Post #: 10
RE: DMZ and Sharepoint - 3.Jun.2004 3:45:00 AM   
twscottIII

 

Posts: 28
Joined: 6.Apr.2004
From: Birmingham, AL
Status: offline
Tom,

I appreciate all of the good information. Would this solution, putting users in the local SAM, scale well?

Thanks,

Tom

(in reply to MACRO33)
Post #: 11
RE: DMZ and Sharepoint - 3.Jun.2004 2:51:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tom,

Unfortunately no. But how many machines are you talking about? If you need a good scaling solution, you can always create a domain in the DMZ, and then create a one-way trust so that the DMZ domain trusts the Internal network domain, but not the other way around.

HTH,
Tom

(in reply to MACRO33)
Post #: 12
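
The one-way trust described in the post above can be checked from both domains. This is an added example, not part of the original thread: it assumes the `dmz.local` and `company.com` names used later in the thread, the ActiveDirectory PowerShell module (newer than the tooling of the thread's era), and read access to both domains; the function names are hypothetical.

```powershell
# Added example (not from the thread). Domain names are the ones the thread uses;
# requires the ActiveDirectory module and read access to both domains.
Import-Module ActiveDirectory

function Get-TrustSide {
    param([string]$Domain, [string]$Partner)
    # A trust object's Name is the partner domain; -Server selects whose view is read.
    $t = Get-ADTrust -Filter "Name -eq '$Partner'" -Server $Domain
    if (-not $t) { return 'None' }
    return [string]$t.Direction   # Inbound, Outbound, BiDirectional or Disabled
}

function Test-DmzOneWayTrust {
    param(
        [string]$DmzDomain      = 'dmz.local',
        [string]$InternalDomain = 'company.com'
    )
    $dmzView      = Get-TrustSide -Domain $DmzDomain      -Partner $InternalDomain
    $internalView = Get-TrustSide -Domain $InternalDomain -Partner $DmzDomain

    $problems = @()
    # "DMZ trusts internal": on the trusting (DMZ) side this is an outgoing trust.
    if ($dmzView -ne 'Outbound') {
        $problems += "$DmzDomain sees '$dmzView' toward $InternalDomain, expected 'Outbound'"
    }
    # The internal domain must not trust the DMZ: its side may only hold the incoming half.
    if ($internalView -ne 'Inbound') {
        $problems += "$InternalDomain sees '$internalView' toward $DmzDomain, expected 'Inbound'"
    }

    [pscustomobject]@{
        DmzView      = $dmzView
        InternalView = $internalView
        OneWay       = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

Test-DmzOneWayTrust | Format-List
```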
RE: DMZ and Sharepoint - 4.Jun.2004 3:02:00 PM   
twscottIII

 

Posts: 28
Joined: 6.Apr.2004
From: Birmingham, AL
Status: offline
Ok now we are getting somewhere!

This is what I wanted you to tell me. The two domains and a one way trust is how I have this set up right now. For the most part it is working really well. Users from both domains are able to log into the sharepoint sites and the major benefit is that you can import both internal and external users into the profile database (you cannot import the local SAM users into the profile database). The major problem that I am having now is that the webserver sits in the domain (dmz.local) inside the dmz and when a user from the lan domain (company.com) hits the sharepoint machine it will not grab their Windows logon information through integrated authentication. I am sure that this is because the server and the user are in different domains. Is there a way to tell the server to attempt integrated authentication for users from domains other than the one that the webserver sits in?

I hope this is clear but if you need more information please let me know.

Thanks,
Tom

[ June 04, 2004, 05:19 PM: Message edited by: Tom Scott ]

(in reply to MACRO33)
Post #: 13
RE: DMZ and Sharepoint - 5.Jun.2004 12:00:00 AM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tom,

Have you created the trust between the domains?

If so, then there should be no problem using integrated authentication, unless there is some peculiarity with Sharepoint that I'm not aware of.

Are you using SSL on the sites? If so, just force basic auth and SSL and forget Integrated auth.

Are the remote users using integrated or basic?

Do you see any domain communication errors in the Event logs?

Thanks!
Tom

(in reply to MACRO33)
Post #: 14
