Sharepoint Extranet Configuration and ports

Question

Hi.... I'm new to share point extranet design,we are creating extranet site and need to host on extranet DMZ.

so basic question is do we need to pull one web front from intranet environment and plug in extranet DMZ ?

If so how does webfront works there ? because it's running on intranet service accounts ? and extranet DMZ will  not identify those service accounts ?

I also have list of ports to open to talk with CA. but not sure how and where to start.

Appreciate your help.

Thanks!

---

SPVIRU

Answer 1

So this is generally not the best idea.  The problem is that you will have to open up so many ports between the DMZ and Internal network to make this work that it is not worth the effort.

If you have a separate Active Directory in the DMZ and want to join the DMZ SharePoint Server to that Active Directory, you'll have to set up a trust between the internal/DMZ ADs.  SharePoint must be run with the same accounts as your internal SharePoint Servers are using.

If you want to continue to use internal AD accounts on your DMZ SharePoint Servers, then you'll have to open up all ports required for Active Directory communication (and given DCOM is random by default above 1024, this doesn't make sense).

Your goal should be to move all SharePoint Servers entirely in the DMZ, or leave them entirely in the internal network, depending on your acceptable risk factor.

---

http://sharepoint.nauplius.net

Answer 2

Thank you... Appreciate your help :)

Currently  I have share point farm with 4 web fronts,app,index where current intranet portal is hosted.

and I cannot completely move these servers to DMZ because it's for intranet portal usage. and I cannot setup entirely new servers on extra net.

Using these intranet servers I have to configure one extranet site collection for a department...... means

Do i have only one option ? 

1) Move one webfront server to DMZ and set up a trust between internal/DMZ AD and open all ports required ?

Thanks!

---

SPVIRU

Answer 3

You could leave everything in the Internal network and just open up tcp/443 from the Internet to the internal SharePoint WFE(s), or use NAT as applicable.  There is nothing, SharePoint-wise, that forces you to place a SharePoint Server in a DMZ to serve content in an Internet/Extranet scenario.

However, if you were to place a SharePoint in the DMZ and join that SharePoint Server to the local DMZ AD, yes, you would want to create a two way trust, open up the ports between the internal and DMZ DCs, then also open up the ports between the DMZ SharePoint Server and the internal DCs for the People Picker to function correctly.  See http://blogs.technet.com/b/wbaer/archive/2009/01/21/people-picker-port-protocol-requirements.aspx.

---

http://sharepoint.nauplius.net

Answer 4

great Thank you so much.. you made my day. In this case I think first option will be the best one.

let all share point servers be in intranet and  just open up tcp/443 from the Internet to the internal SharePoint WFE(s). If I ask my network team to open tcp/443 do you think that should be enough, or do you think I need to share any other details to network team ?

Thanks!

---

SPVIRU

Answer 5

They should know the rest of the configuration.

---

http://sharepoint.nauplius.net

Answer 6

sorry to come back after long time on this,Looks like my network team is interested on going moving two web front servers to dmz may be network team not aware of worth the effort Involved in, or may be they are feeling it's more secured than opening tcp/443 from the Internet to the internal SharePoint WFE(s).

I need to explain them tomoro which one is the secured/reliable/easy one. Can you pls share me any article or put some points related,so that I can understand in detail.

Appreciate your help!

Thanks!

---

SPVIRU

Answer 7

They'll have to open all of these ports between the SP WFEs and your internal domain controllers:

http://blogs.technet.com/b/wbaer/archive/2009/01/21/people-picker-port-protocol-requirements.aspx

They'll have to open up 1443/tcp (default) to your back end SQL Server.

They'll have to enable full domain connectivity from your SP WFEs to your internal domain (many, many ports here, including, by default, everything >1024).

Do you have any SP servers inside the firewall as well?

---

http://sharepoint.nauplius.net

Answer 8

Thank you Trevor :) 

sorry for a late reply ..... I have some beginner questions,appreciate your help on answering these.

1)why do we need people picker ? and I can see number of ports on your link  to make people picker work http://blogs.technet.com/b/wbaer/archive/2009/01/21/people-picker-port-protocol-requirements.aspx 

2) do we need to open 1443/tcp ? not sure based on our security they will open tcp1443 for database they have another sql ends point can we open those ?

3)To enable full domain we need open many many ports ? what are those ports I have listed few below can you pls check those.

4)how does external users will be authenticated,we dont have UAG as of now ? is that compulsory , or can external users be authenticated on with intranet sql DB ?

can you please validate if this is required enough ?

Purpose	Ports Need to Open	INBOUND/OUTBOUND
Web browser request and response over SSL or TLS	SSL 443	Inbound
Web browser request and response	TCP 80	Inbound
	TCP 443/80	Inbound
Search Crawling	TCP 443,	Outbound
Search Crawling	TCP 80	Outbound
Query Propagation	Direct Hosted SMB(TCP/UDP 445)--Recommended OR NetBIOS over TCP/IP (NetBT) (TCP/UDP 137, 138,139) (Not as secure) Disable if not used	Outbound
Ports required for communication between Web servers and service applications (the default is HTTP)	Http binding : port 32843  OR  Https binding : port 32844  OR NET.TCP binding : 32845 (only if 3rd party has implemented third option for a service app	INBOUND
User profile sync	TCP/5725 TCP/UDP 389             (LDAPservice) TCP/UDP 53(DNS)	Inbound
	SMTP(TCP 25)	Outbound / Inbound if applicable
Alerts or mail enabled lists	Recommendation: Block SQL Default Ports (TCP 1433, UDP 1434) and use a static custom port for Named SQL Instance.  SQL END Point TCP Port  62015 HTTP   63030 HTTP raw         63041	Outbound
for sandbox solution	TCP/IP 32846	Outbound

---

SPVIRU

Answer 9

1) So you can add people/groups to SharePoint.  No people picker will make the use of SharePoint nearly impossible :)

2) You don't need tcp/1433 specifically, but you do need some form of TCP/IP communication (which means a static port) to the SQL backend.

3) And this is how we come to the "this is a terrible idea".  See http://support.microsoft.com/kb/179442.  Notice we need ports tcp/udp 1024-65535.

4) If you mean "external" as employees with Active Directory accounts accessing SharePoint, they'd access it like any other web-based application; with their Windows accounts.  If external means something else to you, please elaborate.

---

http://sharepoint.nauplius.net

Answer 10

Thanks :)

4) Ok I mean how does the extranet uses will be authenticated since they will be not in windows AD ? Normally we create a web application in app server which resides in Intranet environment and  normally it will create memershiip providers by which they will authenticated thru intranet DB.

so if we place web front server in DMZ that not change right ?since app server is in intranet and it will manage ?

I heared UAG will play a role of authentication if we place web front servers in DMZ ?

also on 1) so to make people picker work I mean to add  extranet users we need to follow http://blogs.technet.com/b/wbaer/archive/2009/01/21/people-picker-port-protocol-requirements.aspx  right ?

Thanks!

---

SPVIRU

Answer 11

If you're using the SQL Membership Provider, nothing changes in this layout for those users.  Obviously you have to have a tcp port opened to your back end SQL database.

Extranet users (users in the SQL membership database), given the Web App does not need to pick from any Active Directory accounts (this includes administrative accounts) does not need those ports open.

---

http://sharepoint.nauplius.net

Answer 12

Hi Seward,

I was going through this thread and thought of adding more to it.

We are also in the process of setting up an Extranet enviroment which will be used by our customers and our employees. We have our internal network (intranet) which is secured with firewall and Active Directory. We have our web server, Application server, SQL Server database and Active Directory in our internal domain.

For the purpose of Extranet, we are planning to have a DMZ environment, which is outside our network. We have

2 web front end servers, and a Active Directory in this DMZ. This AD do not have contain users right now.
I guess we need to have a one way trust from our internal to the DMZ.

1. Can we store all the external users in the SQL database in our internal network and implement forms based

authentication using SharePoint 2010? Our employees should use their usual windows account to login via

windows authentication.

2. What are the ports we need to open in order for this to work?

3. What kind of trust relationship is required between the DMZ and internal network?

4. What is the best way to implement Extranet with this topology?

Appreciate your help.

Thanks,
Sujit

Answer 13

1) Yes you can.

2) The port you're communicating on SQL with, e.g. 1433/tcp.  And again, see http://support.microsoft.com/kb/179442 for the domain trust port requirements.

3) One-way (DMZ domain trusts the Internal domain).  Don't forget the additional requirements if using a one-way trust: http://technet.microsoft.com/en-us/library/cc263460(v=office.12).aspx.  Also note that one-way trust has issues with Project Server (namely Project Server needs a full User object, and in a one-way trust scenario, only the Foreign Security Principal is brought into the DMZ domain).

4) You've probably got it, but if your security/network group doesn't require it, I would look at instead leaving SharePoint within the internal network and use a product like Microsoft UAG within the DMZ to act as a reverse proxy for Internet-based connections.

---

http://sharepoint.nauplius.net

Answer 14

Seward,

Thanks for your reply.

Currently we do not have UAG but we will be getting it down the line. For now we need to live up with the existing firewall.
Once the network folks opens the one way trust between DMZ and internal network, we will be able to access the WFE's in DMZ.
Let me draw the diagram this way:

Internet                  DMZ/Perimeter           ---> Firewall --->              Network Corporate LAN
--------                     -------------                                                         ------------------------------
Users...--->             WFE Internet                                                     WFE - Intranet - Active Directory (internalAD users)
Users...--->             WFE Extranet                                                     SQL Server 
                               Active Directory (empty now)                             APP Server - for the Extranet/Intranet Search

1. If we do add WFE servers to the DMZ do we need Ports 1433[SQL], 80[web] and 433[ssl] open between the DMZ and the LAN?
2. Right now on the local network, we have SharePoint 2010 server and we have created/configured an Extranet site which uses Forms based authentication. External users will use forms credentials and internal users will be using Windows credentials. Can you let me know how to configure this site to make it accessible via Internet, so that we can access from outside our network?
3. I know that the external users will first hit the WFE on the DMZ. So what configuration settings are needed for this to work with the SharePoint extranet site which is created in LAN network? remember, right now we will be using the existing firewall only.

Would appreciate your response.

Thanks!
Sujit

Answer 15

Hi Seward ,

i have the same kind of requirement to create intranet ,extrant and internet sharepoint sites. There are two Domains involved one for intranet purpose.Another APP Domain which is in DMZ environment.

Inranet should be secured and internal employee will have access on it. Extranet for Collaboration and internet will be for public with anonymous access.

What kind of architecture plan do you suggest ?

should we create two sharepoint farm for intranet and extranet/internet?

can we create single farm for intranet,extranet and internet? then how to handle to two domains ? what about security ?

Thanks

Mghimire

Answer 16

I would recommend two environments.

One for Internet/Partner collaboration, and the other for internal uses.  Mainly this is to provide higher uptime to the Internet/Partner-facing farm since you won't need to take the farm down for say deploying custom farm solutions that you may leverage internally.

Is there a domain trust in place between the DMZ domain and the internal domain?  If not, you'll need one, or you'll need to create user accounts for your internal users in the DMZ domain.

I'd recommend using IPSec to secure communication between the DMZ DC(s) and internal DC(s) and then again using IPSec for People Picker communication between the SharePoint server(s) and the internal DC(s).

---

SharePoint - Nauplius Applications
Microsoft SharePoint Server MVP
MCITP: SharePoint Administrator 2010

-----------------------
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.