SharePoint Network Topology RRS feed

  • Question

  • Maybe a dumb question...

    I'm looking in to a SP 2010 installation/topology for a company intranet and later on, they also want the installation to support extranets and the roadmap are also to let the SP 2010 act as the companys internet portal (all of cause on different webapplications)  

     - but what's the best practice for placing the SP 2010 and the SQL server on a network topology?

    • in the Internet zone (think not) 
    • In the DMZ zone/Perimeter Network (mayby SP here and SQL on the LAN and then make a AD trust?)
    • Is it in the DMZ/Extranet zone (SP and SQL here?)
    • or all in the Corporate LAN zone?  

    There are internal AD Users... 

    I know that I from the LAN side can scheduled a automatic content deployment - to the extranet/DMZ/internet zone if there are a SP 2010 in that zone...

    Hope it makes any sense and aren't dumb...

    I really want to send the "ship" the right way.


    • Edited by JmATK Friday, June 24, 2011 2:58 PM
    Friday, June 24, 2011 2:13 PM


  • Hi Simon

    Ok - I'll keep it on the LAN then...(know/experience with this)... ;0)

    thank you again for your time and effort.. ;)

    • Marked as answer by JmATK Tuesday, June 28, 2011 12:35 PM
    • Unmarked as answer by JmATK Tuesday, July 5, 2011 11:21 AM
    • Marked as answer by JmATK Wednesday, July 20, 2011 3:57 AM
    Tuesday, June 28, 2011 12:35 PM

All replies

  • Intranet  - LAN WFE's

    Internet, Extranet - DMZ - WFE's

    SQL - LAN

    App Server's - Search - DMZ

    App Server's = BI ie Excel Services - DMZ - maybe LAN


    Hope this helps

    Simon Rennocks | LinkedIn
    Friday, June 24, 2011 2:51 PM
  • Hi Simon 

    Thanks for your reply...it helps... ;)

    So the SQL in every scenario always on the LAN?

    mayby I can Draw it:

    Internet DMZ/Perimeter Network Corporate LAN
    Users...---> WFE Internet WFE - Intranet - AD users
    Users...---> WFE Extranet SQL - here for all scenarios
      APP - Search for extranet/internet APP Server - for the Intranet Search

    Friday, June 24, 2011 3:12 PM
  • Yes, That looks good.
    Simon Rennocks | LinkedIn
    Saturday, June 25, 2011 12:40 AM
  • Hi Simon

    My initially idea was: On the Coporate LAN SP 2010 installation - to create 3 different Webapplications and then "push" the Internet Webapp and the Extranet Webapp "out" - e.g by alternate access mapping?

    Otherwise as I understand it - I need to establish a physical server in every zone and then install the WFE's on each? - and they just have the SQL (placed on the LAN) as common DB server? 

    The thing I'm looking for in this post are:
    Where do I place the "main" installation of SP2010 (best practice) (including the central admin site) to achieve that I on the same WFE server can host all 3 sites (Internet, Extranet, Intranet) taking into the consideration that it's the Intranet and the AD users that are the 1 step?  (just so I don't "lock down" the installation and any new options in the future)   

    Mayby I'm not clear in my communications...

    What are your thoughts?

    Sunday, June 26, 2011 1:21 PM
  • I think the key thing here is - if you were to place all the SP servers in the DMZ would they have access to your company AD? (Or even should they all have access to the AD). You may have to ask some of these questions to those which manage the security for your company.

    How will the Extranet users access SP - AD, claims ?? If AD is this the same as the internal users.

    Will the internet site be completely anonymous?

    Typically the first SP installation will contain the Central Admin Site which will be an App Server - in the LAN

    How many servers do you have for SP - or is there not a fixed limit.

    Finally - SharePoint is very flexible - you can add other servers latter (for the extranet). 

    The Internet could also go in its own Farm, but share some of the services from the first farm - like Search etc.

    Hope this helps.

    Simon Rennocks | LinkedIn
    Sunday, June 26, 2011 11:19 PM
  • Hi Simon

    Thanks.... and yes - the security guys alo have something to say.. ;)

    The SP servers in the DMZ could all be trusted so they would have access to the internal AD - or am I wrong on this?

    The Internet site users will be anonymous users - combined with editors that all are in the Internal AD... 
    The Extranet users are Partners/employes from other locations... and also the editors from the Internal AD 
    The Intranet of cause are all AD users

    There not a fixed limit on the SP servers...

    Thank you for you time and effort on this ;)


    Monday, June 27, 2011 3:43 AM
  • So long as the SP Servers in the DMZ have permission to access the the internal AD (2 way trust is best - 1 way is suppose to work too) you should be fine having the WFE SP servers in the DMZ.
    Simon Rennocks | LinkedIn
    Monday, June 27, 2011 10:59 AM
  • Hi Simon

    Ok - thank you... ;)

    So to sum it'll up:

    In the DMZ - I establish the physical servers - makes a 2 way trust between them (own domain) and the Corporate Domain/AD on the LAN - then I install the SP2010 WFE + App server (to central admin) and then point it to the SQL server on the LAN? In that way I'll have no problem establish a Internet site and Extranet by their own Webapplications later on?

    Do you have any link to a cases to a company - that has implementet SP2010 as Intranet, extranet, Internet on the same servers in the DMZ?  

    Or do you have any idea what's the most common way to do it?

    Monday, June 27, 2011 5:05 PM
  • There's a pretty poster w/ a variety of reference topologies at



    Dave Weinstein (MCS)
    Monday, June 27, 2011 5:07 PM
  • HI Daweins

    I know - and I've already looked at this ... and it's the "Split back-to-back" solution I'm aiming for

    - but have much doubt if this are the "right" way to do it .. I know there's a lot of "if's" to cover that can impact the final choice...     

    My reference/experience are to a Company where all the SP resided on the LAN - and because of various security issues they wouldn't expand this installation to act as extranet - instead they made a new server/domain with form based login to host the extranet - it made a lot of (redundant) user administration etc.   

     So "how" have other companies done/solved it?

    Monday, June 27, 2011 5:30 PM
  • Hi,


    The way you have it configured looks good. I don't have any links to any previous cases - none I am able to list at least. If you are permitted to have a two way trust between servers in the LAN and the DMZ then you will not have any problems.

    Simon Rennocks | LinkedIn
    Monday, June 27, 2011 7:17 PM
  • Hi Simon

    As I mention I've seen at all the topology drawings...

    • Back-to-back perimeter with content publishing
    • Back-to-back perimeter with cross-farm services
    • Split back-to-back
    • Split back-to-back optimized for content publishing
    • Content Deployment Topologi 
    • Extranet Deployment Topologi

    Do I establish the hole on LAN and then extend the web apps? 

    A you can see - I'm still very much in doubt - and I'd rather do it right the first time...but a bit lost and don't know which one to choose.


    Tuesday, June 28, 2011 11:28 AM
  • If you are in doubt, may be you should keep everything in the LAN for now.  You can always extend into the DMZ when you need the extranet and internet sites - also for the latter you will need a different license - SharePoint 2010 Standard for Internet Sites. The bottom line is SQL Server and at least the first SharePoint Server (App Server) will live in the LAN. 

    If you do add servers to the DMZ you will need Ports 1433[SQL], 80[web] and 433[ssl] open between the DMZ and the LAN.

    Simon Rennocks | LinkedIn
    • Marked as answer by JmATK Tuesday, June 28, 2011 12:34 PM
    • Unmarked as answer by JmATK Tuesday, June 28, 2011 12:35 PM
    Tuesday, June 28, 2011 12:28 PM
  • Hi Simon

    Ok - I'll keep it on the LAN then...(know/experience with this)... ;0)

    thank you again for your time and effort.. ;)

    • Marked as answer by JmATK Tuesday, June 28, 2011 12:35 PM
    • Unmarked as answer by JmATK Tuesday, July 5, 2011 11:21 AM
    • Marked as answer by JmATK Wednesday, July 20, 2011 3:57 AM
    Tuesday, June 28, 2011 12:35 PM
  • Re-opening this one.. ;)

    The one design sample found here:  http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=2979  confuses me even further...

    Can someone tell me where on the network the 2 farms are installed??  

    The internet farm has own servers and are all "out there" incl. the SQL server - right ?

    If I install the (first) farm on the LAN - how do I then make the extranet web-app available for external partners and the Internet Web-app ?


    Tuesday, July 5, 2011 11:30 AM