?
Solved

Sharepoint Portal Web server on DMZ

Posted on 2006-06-12
5
Medium Priority
?
1,040 Views
Last Modified: 2008-02-26
Is it possible to have the Sharepoint Portal Web server on the DMZ with the other Sharepoint servers on the internal network? We will be using the 3-server configuration.

Microsoft mentions in the documentation that the web server must be part of the domain to allow for content crawling on the Intranet.

I am trying to balance that with my fear of allowing connections from any IP (Internet) to the internal network.

I have seen some posts on EE that suggest this may be inevitable.

I guess the other alternative is to configure the firewall to allow domain traffic to the DMZ, but this also seems to defeat the purpose.

Thanks for your input.
0
Comment
Question by:banjo1960
  • 2
  • 2
5 Comments
 
LVL 3

Expert Comment

by:livedrive777
ID: 16889670
Microsoft's recomended solution for such a configuration is to use ISA server.  The ISA server then goes in the DMZ and the Sharepoint portal server goes on your LAN with the other SHpoint servers and the rest of the domain.  The ISA server then proxies the web traffic for you and does application level security scanning since it is an application firewall.  The firewall rules then look like this:  80 and 443 open from the internet to the ISA server in the DMZ, and port 80 and 443 open from the DMZ to the Shpoint portal server on the LAN.  The only other solution that wouldn't use ISA server would be the two you already referenced in your question:  Open up web traffic from the internet to the LAN for Shpoint portal server or open up domain traffic from the DMZ.

Hope this clears it up!
0
 
LVL 6

Expert Comment

by:DCreature
ID: 16891024
Another vote for ISA server, if you can't afford ISA server, try searching information on different Linux distros, which can perform basically the same jobs, though without proper or any supports from Microsoft.
0
 
LVL 1

Author Comment

by:banjo1960
ID: 16894012
Thanks for the quick response. We are resigned that we need to employ ISA Server 2004.

I have an existing PIX firewall, so I am trying to determine where to put the ISA box. I assume it must have 2 NICs, one Internet facing and one on the internal LAN with the domain.

I prefer not to have 2 parallel paths from the Internet to the inside.  What are your thoughts?
0
 
LVL 3

Accepted Solution

by:
livedrive777 earned 750 total points
ID: 16896119
I have not personally set this up; however, I've done some investigation and it seems that you can in fact setup ISA server in a uni-homed fashion, so that you don't have two parallel paths.  We use a PIX for our corporate firewall as well, and if I were setting this config up I would be inclined to setup the ISA in a unihomed config as well and use the PIX for the outside firewall and DMZ.  Check out this thread and about half way down read the post from Jason Jones:
http://forums.isaserver.org/m_21139300/tm.htm
0
 
LVL 1

Author Comment

by:banjo1960
ID: 16896171
Thanks for the help. I too was looking at unihomed today. The forum link is helpul and I can easily try this.

Have a great day.
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
With more and more companies allowing their employees to work remotely, it begs the question: What are some of the security risks involved with remote employees and what actions should we take to secure them?
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question