MinRole Topology question

  • Question

  • Hello,

    We are upgrading to SharePoint Server 2019 from SharePoint Server 2010.

    In the new 2019 environment we planned for 5 SharePoint servers plus one SQL server.

    Out of the 5 servers, 4 servers will be internal and 1 server is in the DMZ for external sites.

    For implementing MinRole topology we are thinking:

    4 internal servers - 2 servers with shared role (Front-end with Distributed Cache) and 2 servers with shared role (Application with Search).

    1 external server with custom role with all the services running on it.

    Is that good? Please let me know.


    rani

    Thursday, December 5, 2019 6:02 PM

All replies

  • Don't use the DMZ. Put a [pre-auth] reverse proxy in the DMZ and place all SharePoint servers internally. This will increase security via reducing the port count to 1 between the DMZ and internal network.

    Trevor Seward

    Office Apps and Services MVP



    Author, Deploying SharePoint 2019

    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, December 5, 2019 6:44 PM
    Moderator
  • Hi RaniSK, 

    If a reply helps you, please remember to mark it as an answer.

    Thanks for your understanding. 

    Best Regards, 

    Lisa Chen 

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, December 6, 2019 2:18 AM
    Moderator
  • The server is already in the DMZ. Is it something we can do later, like after implementing SharePoint?

    If not,

    Is there any article to guide me in this process? We already have a server that is in the DMZ in SharePoint 2010 and it has some external sites that are SSL enabled. I need to upgrade them to SharePoint 2019.

    How can I implement the upgrade process in a non-DMZ situation?


    rani

    Friday, December 6, 2019 12:10 PM
  • Any guidance?

    rani

    Friday, December 6, 2019 8:04 PM
  • You would simply do your normal upgrade process (content migration or database attach) to 2019 but keep the servers internal. You should be SSL'ing all of your Web Apps, including Central Admin in today's environment.

    You would simply add a reverse proxy (AD FS + WAP using a non-claims aware relying party, Azure AD App Proxy, HAProxy, nginx or a variety of others) within the DMZ. Route your traffic destined for SharePoint through the RP and the RP forwards it on to SharePoint.

    How you do this will depend on the particular RP.


    Trevor Seward


    Friday, December 6, 2019 8:13 PM
    Moderator
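
The AD FS + WAP option named in the reply above, sketched as an added example that is not part of the thread or any poster's own configuration. It assumes a domain-joined WAP server in the DMZ with Kerberos constrained delegation already granted for the SPN, and a SharePoint web application using Windows (Negotiate) authentication; every host name, the SPN and the thumbprint are placeholders.

```powershell
# Added example: all names below are placeholders, not values from the thread.
$RpName      = 'SharePoint Extranet'
$ExternalUrl = 'https://extranet.example.com/'   # public URL of the external sites
$BackendUrl  = 'https://extranet.example.com/'   # same host name, resolved internally from the WAP server
$Spn         = 'HTTP/extranet.example.com'       # SPN registered on the web app pool account
$Thumbprint  = '<THUMBPRINT-OF-PUBLIC-TLS-CERT>' # certificate installed on the WAP server
$SpServer    = 'sp-wfe01.corp.example.com'       # internal SharePoint front end

# --- Run on the AD FS server (internal network) ---
# Non-claims-aware relying party: AD FS authenticates the user, WAP then
# obtains a Kerberos ticket for the backend on the user's behalf.
# The rule below permits every authenticated user; narrow it for production.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $RpName -Identifier $ExternalUrl `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- Run on the WAP server (DMZ) ---
# ExternalPreauthentication ADFS means unauthenticated requests never reach SharePoint.
$publish = @{
    Name                           = $RpName
    ExternalPreauthentication      = 'ADFS'
    ADFSRelyingPartyName           = $RpName
    ExternalUrl                    = $ExternalUrl
    ExternalCertificateThumbprint  = $Thumbprint
    BackendServerUrl               = $BackendUrl
    BackendServerAuthenticationSPN = $Spn
}
Add-WebApplicationProxyApplication @publish

# Confirm what was published.
Get-WebApplicationProxyApplication -Name $RpName |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication

# From the WAP server, check that only HTTPS reaches the SharePoint server.
# Anything other than 443 reported OPEN is a firewall rule to close.
foreach ($port in 443, 80, 445, 1433, 3389) {
    $r = Test-NetConnection -ComputerName $SpServer -Port $port -WarningAction SilentlyContinue
    '{0,-5} {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'OPEN' } else { 'blocked' })
}
```
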
  • Hi RaniSK, 

    If Trevor's reply helps you, please remember to mark it as an answer.

    Thanks for your understanding. 

    Best Regards, 

    Lisa Chen 


    Friday, December 20, 2019 9:11 AM
    Moderator