Designing a Secure Extranet with SharePoint
Russ Basiura, Principal Consultant, RJB Technical Consulting
www.rjbtech.com, russ@rjbtech.com

Slides: 11
Provided by: natalie109
Transcript and Presenter's Notes

1
Designing a Secure Extranet with SharePoint
Russ Basiura, Principal Consultant, RJB Technical Consulting
www.rjbtech.com, russ@rjbtech.com
  • Extranets

2
Agenda
  • Deployment Scenario
  • Configuration
  • Challenges
  • Security and Authentication

3
Scenario

4
Scenario
  • Active Directory in the DMZ
  • No Trusts
  • Single Server or small farm
  • All servers in the DMZ
  • All Services in the DMZ
      • Mail
      • IM
  • Basic Authentication over HTTPS
  • Digest Authentication (Not Supported)

5
Scenario
  • All Users must log on
  • Management via Remote Desktop
  • All content stored in portal
  • Ports
      • TCP 3389 open to intranet for RDP
      • TCP 80 open to intranet for HTTP
      • TCP 443 open to extranet for HTTPS

6
User Challenges
  • Authentication
      • Users don't like being asked for identity
      • Use Portal SSO to access other resources
  • URLs
      • Store content on the portal
      • Put content links on the portal

7
Technical Challenges
  • Authentication
  • SSL

8
Authentication
  • Basic over HTTPS
  • Integrated
      • NTLM
      • Kerberos
  • Digest
      • Single web server or web farm with affinity
      • Not Supported
  • Custom
      • ISAPI Filter with persistent cookie
      • Not Supported

9
Custom Authentication
  • Must create a valid Windows Principal
  • Must attach context to thread before entering .NET pipeline
  • Ows.dll is an ISAPI extension
  • ISAPI extensions cannot be chained
  • Build an ISAPI filter
      • Create and manage Windows Principal
      • Embed basic authentication headers in request

10
Discussion