External Access To SharePoint Internal Intranet

  • Question

  • We want our 200 employees to have access to our intranet externally (only users in the AD). We have SharePoint 2010. Please advise of the options in order to achieve this.


    MCITP: Enterprise Administrator | MCITP: Server Administrator | MCITP: Enterprise Support | MCTS: Exchange 2007, 2010, OCS2007 | UC Specialized


    • Edited by Khalidra Thursday, June 7, 2012 11:09 AM
    Thursday, June 7, 2012 11:09 AM

All replies

  • You can deploy the SharePoint site on a live IP and use the AAM to have the live URL.

    Once the configuration is done, all 200 employees can access the live site using Windows authentication.


    Regards, Dharnendra Shah, MCTS,MCPD - Sharepoint 2010 Application Development Blog: http://ds-sharepoint2010blogs.blogspot.in/ Email: shahdg2003@gmail.com

    • Marked as answer by Khalidra Sunday, June 10, 2012 4:57 AM
    Thursday, June 7, 2012 11:26 AM
  • In addition to Dharnendra Shah, I recommend using nested groups for those employees (AD group in SP group).

    Regards,

    Victor

    Thursday, June 7, 2012 11:56 AM
  • Microsoft have published many documents around Extranet scenarios. I'd start with the Best practices one. http://technet.microsoft.com/en-us/library/hh204611.aspx and the Publishing SharePoint one http://technet.microsoft.com/en-us/library/dd857299.aspx

    Bearing in mind that you're exposing your data outside of your perimeter, I'd give good thought to using something like UAG and two factor authentication on top of the AD log-in as additional security. (Detailed in the Publishing SharePoint guide under reverse proxy.)

    Paul.


    Please ensure that you mark a question as Answered once you receive a satisfactory response. This helps people in future when searching and prevents the same questions being asked multiple times.


    Thursday, June 7, 2012 12:24 PM
  • I would recommend using Microsoft firewalls like TMG or UAG, where you can safely publish SharePoint 2010 to external users. You can use forms-based authentication with domain accounts or HTTP authentication. You also need to configure alternate access mappings for your SharePoint web applications. And nevertheless I would definitely recommend using a certificate for SSL.

    http://blog.arjanfraaij.com/2011/01/configure-microsoft-tmg-2010-sharepoint.html


    Marek Chmel, WBI Systems (MCTS, MCITP, MCT, CCNA)
    Please Mark As Answer if my post solves your problem or Vote As Helpful if a post has been helpful for you.

    • Marked as answer by Khalidra Sunday, June 10, 2012 4:56 AM
    Thursday, June 7, 2012 12:35 PM
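An added example, not part of any post in this thread: a read-only check, for the SharePoint 2010 Management Shell, of the two settings the answers above depend on once a web application is published through a reverse proxy. It reports every non-default alternate access mapping zone whose public URL is not HTTPS or that allows anonymous access. The function name is hypothetical, and the script assumes it is run on a farm server with farm administrator rights.

```powershell
# Added example (not from the thread). Read-only: changes no farm settings.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper name. Reports non-default zones that would expose the
# site over plain HTTP or to anonymous users.
function Get-ExternalZoneFinding {
    $zoneNames = 'Intranet', 'Internet', 'Custom', 'Extranet'
    foreach ($wa in Get-SPWebApplication) {
        foreach ($zoneName in $zoneNames) {
            $zone   = [Microsoft.SharePoint.Administration.SPUrlZone]$zoneName
            $issues = @()

            # Each zone has one public URL; several incoming URLs may map to it.
            $publicUrls = Get-SPAlternateURL -WebApplication $wa -Zone $zone |
                ForEach-Object { $_.PublicUrl } | Select-Object -Unique
            foreach ($url in $publicUrls) {
                if ($url -notmatch '^https://') {
                    $issues += "public URL $url is not HTTPS"
                }
            }

            # IisSettings has an entry only for zones the web application was extended to.
            if ($wa.IisSettings.ContainsKey($zone) -and
                $wa.IisSettings[$zone].AllowAnonymous) {
                $issues += 'anonymous access is enabled'
            }

            foreach ($issue in $issues) {
                New-Object PSObject -Property @{
                    WebApplication = $wa.DisplayName
                    Zone           = $zoneName
                    Issue          = $issue
                }
            }
        }
    }
}

Get-ExternalZoneFinding | Format-Table WebApplication, Zone, Issue -AutoSize
```

An empty result means no non-default zone is mapped over plain HTTP or open to anonymous users; it does not assess the TMG or UAG publishing rule itself.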
  • In our company we use a 3rd-party solution (DocAve) for replicating a content database and claims-based identity for users (ADFS v2).
    Thursday, June 7, 2012 12:57 PM
  • I have a similar scenario in my company.

    I think that if you just talk about a SharePoint site, you have a lot of choices as you can find in the papers listed by other people, but if you need some interaction other than SharePoint I would suggest a VPN.

    I have mobile VPN users that access some SharePoint sites and I have internet-facing sites (with anonymous and AD auth.). In some cases you can think about content deployment solutions so you will have your internal intranet farm shaped for all users and an external intranet farm shaped for your 200 users with the same content.

    Anyway, for security reasons I would not let external users access your internal intranet SP farm.

    Nicola.


    • Edited by Nicola77 Thursday, June 7, 2012 1:13 PM
    • Proposed as answer by Patel Rik Thursday, June 7, 2012 1:52 PM
    • Marked as answer by Khalidra Sunday, June 10, 2012 4:56 AM
    Thursday, June 7, 2012 1:12 PM
  • As Nicola points out, a VPN is also a good way of accessing SharePoint from external networks. It really depends on what type of access you need. As you've stated all 200 are employees then a VPN is a good method as it opens up access to non-SharePoint services.

    If your mobile workforce are using Windows 7 company-provided laptops, then UAG gives you the opportunity to use Direct Access, a seamless VPN technology that doesn't require you to do anything other than log onto the laptop. If they're using their own equipment, then UAG gives you the ability for endpoint protection and scanning, helping you prevent information leakage and protect your internal network by restricting the type of access a user gains based on the equipment they're using.

    However, any form of access that breaches the perimeter comes with a risk. Even with direct access, the loss of a laptop could give someone access to the network if they were able to log on using credentials left carelessly by the user, so a physical access protection such as smart cards on mobile devices may be considered.

    Paul.


    Please ensure that you mark a question as Answered once you receive a satisfactory response. This helps people in future when searching and prevents the same questions being asked multiple times.

    Friday, June 8, 2012 7:59 AM
  • Thank you all, I think we will go for VPN as I believe it is more secure for our environment. Furthermore, I will take a look at the links provided here in order to make the wisest choice.

    Thanks again,

    Regards

     

    MCITP: Enterprise Administrator | MCITP: Server Administrator | MCITP: Enterprise Support | MCTS: Exchange 2007, 2010, OCS2007 | UC Specialized

    Sunday, June 10, 2012 4:58 AM