Solved

Sharepoint Portal Web server on DMZ

Posted on 2006-06-12
Last Modified: 2008-02-26
Is it possible to have the Sharepoint Portal Web server on the DMZ with the other Sharepoint servers on the internal network? We will be using the 3-server configuration.

Microsoft mentions in the documentation that the web server must be part of the domain to allow for content crawling on the Intranet.

I am trying to balance that with my fear of allowing connections from any IP (Internet) to the internal network.

I have seen some posts on EE that suggest this may be inevitable.

I guess the other alternative is to configure the firewall to allow domain traffic to the DMZ, but this also seems to defeat the purpose.

Thanks for your input.
0
Question by:banjo1960
5 Comments
 
LVL 3

Expert Comment

by:livedrive777
ID: 16889670
Microsoft's recommended solution for such a configuration is to use ISA server. The ISA server then goes in the DMZ and the Sharepoint portal server goes on your LAN with the other SHpoint servers and the rest of the domain. The ISA server then proxies the web traffic for you and does application level security scanning since it is an application firewall. The firewall rules then look like this: 80 and 443 open from the internet to the ISA server in the DMZ, and port 80 and 443 open from the DMZ to the Shpoint portal server on the LAN. The only other solution that wouldn't use ISA server would be the two you already referenced in your question: Open up web traffic from the internet to the LAN for Shpoint portal server or open up domain traffic from the DMZ.

Hope this clears it up!
0
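The rule set described in the answer above, turned into an audit check. This is an added example, not part of the original thread: the zone labels, the host names `isa-proxy`, `sharepoint-web` and `domain-controller`, and both sample rule lists are constructed for illustration.

```python
"""Audit permit rules against the ISA-in-DMZ layout described in the answer."""
from typing import NamedTuple


class Rule(NamedTuple):
    src_zone: str  # "internet", "dmz" or "lan"
    dst_zone: str
    dst_host: str  # destination host name
    port: int      # permitted TCP port


WEB_PORTS = {80, 443}
ISA_HOST = "isa-proxy"          # assumed name for the ISA server in the DMZ
PORTAL_HOST = "sharepoint-web"  # assumed name for the portal server on the LAN


def audit(rules):
    """Return (rule, reason) for every inbound permit wider than the design."""
    findings = []
    for r in rules:
        path = (r.src_zone, r.dst_zone)
        if path == ("internet", "lan"):
            # Any direct path defeats the proxy, whatever the port.
            findings.append((r, "internet reaches LAN directly"))
        elif path == ("internet", "dmz"):
            if r.dst_host != ISA_HOST or r.port not in WEB_PORTS:
                findings.append((r, "internet to DMZ beyond web to proxy"))
        elif path == ("dmz", "lan"):
            if r.dst_host != PORTAL_HOST or r.port not in WEB_PORTS:
                findings.append((r, "DMZ to LAN beyond web to portal"))
        # Other paths (for example outbound from the LAN) are out of scope here.
    return findings


# Constructed sample: the four rules the answer lists.
INTENDED = [
    Rule("internet", "dmz", ISA_HOST, 80),
    Rule("internet", "dmz", ISA_HOST, 443),
    Rule("dmz", "lan", PORTAL_HOST, 80),
    Rule("dmz", "lan", PORTAL_HOST, 443),
]
# Constructed sample: the two alternatives the question wanted to avoid.
DRIFTED = INTENDED + [
    Rule("dmz", "lan", "domain-controller", 389),  # domain (LDAP) traffic from DMZ
    Rule("internet", "lan", PORTAL_HOST, 443),     # direct path around the proxy
]

if __name__ == "__main__":
    for rule, reason in audit(DRIFTED):
        print(reason, rule)
```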
 
LVL 6

Expert Comment

by:DCreature
ID: 16891024
Another vote for ISA server. If you can't afford ISA server, try searching for information on different Linux distros, which can perform basically the same jobs, though without proper or any support from Microsoft.
0
 
LVL 1

Author Comment

by:banjo1960
ID: 16894012
Thanks for the quick response. We are resigned that we need to employ ISA Server 2004.

I have an existing PIX firewall, so I am trying to determine where to put the ISA box. I assume it must have 2 NICs, one Internet facing and one on the internal LAN with the domain.

I prefer not to have 2 parallel paths from the Internet to the inside.  What are your thoughts?
0
 
LVL 3

Accepted Solution

by:
livedrive777 earned 250 total points
ID: 16896119
I have not personally set this up; however, I've done some investigation and it seems that you can in fact set up ISA server in a uni-homed fashion, so that you don't have two parallel paths. We use a PIX for our corporate firewall as well, and if I were setting this config up I would be inclined to set up the ISA in a unihomed config as well and use the PIX for the outside firewall and DMZ. Check out this thread and about halfway down read the post from Jason Jones:
http://forums.isaserver.org/m_21139300/tm.htm
0
 
LVL 1

Author Comment

by:banjo1960
ID: 16896171
Thanks for the help. I too was looking at unihomed today. The forum link is helpful and I can easily try this.

Have a great day.
0
