Let’s face it, the usual method of using email to request information from a business partner for a joint project is inefficient. Someone in one organization typically sends a message to someone in the other, then must wait for a response and hope that it contains all of the information they needed.
In today’s fast-expanding information environment, there are better ways for enterprises to collaborate. Among SharePoint users, extending SharePoint 2010 capabilities beyond organizational walls can enable partners, customers, suppliers and even remote employees to easily and efficiently access the content they require to join forces effectively.
One approach is to set up an extranet environment as part of your SharePoint strategy. Authorized users from other organizations can navigate to a SharePoint site on the extranet and retrieve the information themselves. Furthermore, because the entire process is Web-based, it’s possible to build SharePoint applications that are designed to make business-to-business collaboration easier. For example, a customer might use a dedicated SharePoint application to access your product inventory to determine what he or she can order.
But while opening SharePoint 2010 capabilities and content to customers and other external users can ease workflow issues in collaborative processes, enabling extranet-level collaboration for all concerned comes with challenges. Among them are security issues such as user authentication and access control.
Authentication, Web applications
Authentication, of course, is the process of confirming a user’s identity. SharePoint does not perform its own authentication. Normally, the authentication process is tied to the Kerberos protocol and Microsoft’s Active Directory service. That made providing extranet access very challenging in SharePoint 2007, but the entire authentication model was changed in SharePoint 2010, making it easier to extend access to users via an extranet.
SharePoint 2010 was designed to use claims-based authentication (though legacy SharePoint 2007 authentication is still supported). The primary benefit of this new authentication model is that SharePoint can support multiple authentication providers, external mechanisms that prove the identity of users. That makes it possible to authenticate external users without requiring them to sign in to your Active Directory and without requiring a federated trust, which is a trust relationship between two Active Directory forests.
There often will be reasons to make certain content available to external users without exposing an entire SharePoint site to them. For example, a project partner might only need access to a subset of the information that is available on a site. Another common situation is that there might be multiple external users (e.g., different partners, customers or suppliers) who need access to the same content and yet should be shielded from one another.
In such situations, the best thing to do is to extend a SharePoint Web application to support different users in different domains. When you develop a Web application in SharePoint, you either create an Internet Information Services (IIS) website that acts as a gateway to the application for users or you choose to use an existing IIS site for that purpose. Since each Web application has its own content database, you can’t just build a separate application for every external user that requires access to a particular database. Instead, extend your Web application by linking a single content database to multiple IIS sites. That enables you to set up a separate site for each external user while still letting them all access the same content.
The process of extending a Web application is relatively straightforward. The SharePoint Central Administration site contains a “Create or extend Web application” option that can be found in the SharePoint Web Application Management section; full instructions on how to use that option are available in the Microsoft TechNet library.
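The same extension can be scripted from the SharePoint 2010 Management Shell. The following is an added example, not code from the article or from Microsoft: it registers a hypothetical partner identity provider as a trusted token issuer, extends an existing claims-based Web application into the Extranet zone as a separate IIS site over SSL that accepts only that provider, and then checks the result. All URLs, names and file paths are placeholders.

```powershell
# Added example (not from the article). Assumes: an existing claims-based
# SharePoint 2010 Web application at http://portal.contoso.local, a partner
# STS whose token-signing certificate has been exported to
# C:\certs\partner-sts.cer, and the placeholder names below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$internalUrl = "http://portal.contoso.local"       # existing Default zone
$extranetHost = "partners.contoso.example"         # placeholder host name
$extranetUrl = "https://$extranetHost"             # new Extranet zone
$wa = Get-SPWebApplication -Identity $internalUrl

# 1. Register the partner's identity provider as a trusted token issuer.
#    Only the claims mapped here are accepted; e-mail address identifies the user.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\partner-sts.cer")
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Partner STS" `
    -Description "Partner identity provider (placeholder)" `
    -Realm "urn:sharepoint:partners" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -IdentifierClaim $emailMap.InputClaimType `
    -SignInUrl "https://sts.partner.example/adfs/ls/"

# 2. Extend the same Web application (same content database) into the Extranet
#    zone as a separate IIS site that uses only the partner provider, over SSL.
#    The SSL certificate must still be bound to the new site in IIS Manager.
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
New-SPWebApplicationExtension -Identity $wa -Name "Partners Extranet" `
    -Zone Extranet -URL $extranetUrl -Port 443 -HostHeader $extranetHost `
    -SecureSocketsLayer -AuthenticationProvider $provider

# 3. Check: the Extranet zone must answer only on HTTPS and must not list the
#    Windows (Active Directory) provider, so partner users never touch AD.
$wa = Get-SPWebApplication -Identity $internalUrl   # re-read after the change
$zoneUrl = Get-SPAlternateURL -WebApplication $wa -Zone Extranet
if ($zoneUrl.IncomingUrl -notlike "https://*") { throw "Extranet zone is not SSL-only" }
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet
$names = $wa.IisSettings[$zone].ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }
if ($names -contains "Windows Authentication") { throw "Extranet zone still allows Windows authentication" }
"Extranet zone providers: $($names -join ', ')"
```

The Default zone keeps its existing Active Directory provider for internal users; only the new Extranet zone trusts the partner issuer.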
Network topology requirements
Microsoft recommends that you make SharePoint resources available to external users by placing its Forefront Unified Access Gateway (UAG) remote access control server at the network perimeter. Forefront UAG allows for the secure publishing of internal Web resources using the Secure Sockets Layer protocol. While it is possible to publish SharePoint resources through other types of firewalls, Forefront UAG offers a few distinct advantages when it comes to SharePoint extranet access.
The most important of these advantages is something that Microsoft calls “information leakage mitigation.” Forefront UAG cleans up client devices by flushing cached content and removing temporary files and cookies in an effort to protect your SharePoint data. Additionally, Forefront UAG supports the use of “health-based endpoint authorization,” enabling administrators to define a series of security requirements that client systems must adhere to before being granted access to SharePoint resources. For example, it is common to require that client systems run up-to-date antivirus software and have the Windows Firewall enabled.
There are at least six different network topologies available for providing external users with access to SharePoint. The simplest architecture involves placing a Forefront UAG server in the network perimeter and operating all of your SharePoint servers within the corporate network.
Although that architecture is cost-effective and easy to deploy, using it means that authenticated external users will access SharePoint servers inside your corporate network. Some organizations prefer to move some SharePoint resources to their perimeter network to prevent external users from connecting directly to corporate servers.
Extending SharePoint content to outside users on an extranet creates security issues that each organization must assess and plan for as part of its ongoing collaboration process. Don’t get caught without adequate safeguards and protections when you make your data available beyond the confines of your company.
ABOUT THE AUTHOR
Brien M. Posey is a Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Posey was chief information officer for a national chain of hospitals and health care facilities and a network administrator for insurance companies and the Department of Defense.
This was first published in March 2012