Solved

Sharepoint Portal Web server on DMZ

Posted on 2006-06-12
Last Modified: 2008-02-26
Is it possible to have the Sharepoint Portal Web server on the DMZ with the other Sharepoint servers on the internal network? We will be using the 3-server configuration.

Microsoft mentions in the documentation that the web server must be part of the domain to allow for content crawling on the Intranet.

I am trying to balance that with my fear of allowing connections from any IP (Internet) to the internal network.

I have seen some posts on EE that suggest this may be inevitable.

I guess the other alternative is to configure the firewall to allow domain traffic to the DMZ, but this also seems to defeat the purpose.

Thanks for your input.
0
Question by:banjo1960
5 Comments
 
LVL 3

Expert Comment

by:livedrive777
ID: 16889670
Microsoft's recommended solution for such a configuration is to use ISA server.  The ISA server then goes in the DMZ and the Sharepoint portal server goes on your LAN with the other SHpoint servers and the rest of the domain.  The ISA server then proxies the web traffic for you and does application level security scanning since it is an application firewall.  The firewall rules then look like this:  80 and 443 open from the internet to the ISA server in the DMZ, and port 80 and 443 open from the DMZ to the Shpoint portal server on the LAN.  The only other solution that wouldn't use ISA server would be the two you already referenced in your question:  Open up web traffic from the internet to the LAN for Shpoint portal server or open up domain traffic from the DMZ.

Hope this clears it up!
0
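An added example, not part of the original thread and not Microsoft or Cisco tooling: a short Python check that compares a list of permitted flows against the rule set described in the comment above (80/443 from the Internet to the ISA server in the DMZ, 80/443 from the DMZ to the portal server on the LAN). The networks, host addresses and the `(source, destination, port)` rule format are constructed assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions, not taken from the thread).
DMZ = ip_network("192.0.2.0/24")
LAN = ip_network("10.0.0.0/16")
ISA = ip_address("192.0.2.10")      # ISA server in the DMZ
PORTAL = ip_address("10.0.1.20")    # SharePoint portal web server on the LAN
WEB_PORTS = {80, 443}

# Constructed sample permits: (source, destination, tcp port).
SAMPLE_RULES = [
    ("any", "192.0.2.10", 80),
    ("any", "192.0.2.10", 443),
    ("192.0.2.10", "10.0.1.20", 80),
    ("192.0.2.10", "10.0.1.20", 443),
    ("192.0.2.10", "10.0.1.5", 389),  # LDAP to a LAN host: domain traffic from the DMZ
    ("any", "10.0.1.20", 443),        # web traffic from the Internet straight to the LAN
]

def zone(addr):
    """Map a source/destination to 'internet', 'dmz' or 'lan'."""
    if addr == "any":
        return "internet"
    ip = ip_address(addr)
    return "lan" if ip in LAN else "dmz" if ip in DMZ else "internet"

def audit(rules):
    """Return (rule, reason) for each permit that falls outside the design."""
    findings = []
    for rule in rules:
        src, dst, port = rule
        if dst == "any":
            findings.append((rule, "destination 'any' is too broad"))
            continue
        s, d = zone(src), zone(dst)
        if s == "internet" and d == "dmz":
            ok = ip_address(dst) == ISA and port in WEB_PORTS
            reason = "Internet may reach only the ISA server on 80/443"
        elif s == "dmz" and d == "lan":
            ok = ip_address(dst) == PORTAL and port in WEB_PORTS
            reason = "DMZ may reach only the portal server on 80/443"
        elif s == "internet" and d == "lan":
            ok, reason = False, "direct Internet-to-LAN path"
        else:
            continue  # outbound and same-zone flows are out of scope here
        if not ok:
            findings.append((rule, reason))
    return findings

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(rule, "->", reason)
```

The two flagged sample rules correspond to the two alternatives the comment lists for a design without ISA server.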
 
LVL 6

Expert Comment

by:DCreature
ID: 16891024
Another vote for ISA server. If you can't afford ISA server, try searching for information on different Linux distros, which can perform basically the same job, though without proper or any support from Microsoft.
0
 
LVL 1

Author Comment

by:banjo1960
ID: 16894012
Thanks for the quick response. We are resigned that we need to employ ISA Server 2004.

I have an existing PIX firewall, so I am trying to determine where to put the ISA box. I assume it must have 2 NICs, one Internet facing and one on the internal LAN with the domain.

I prefer not to have 2 parallel paths from the Internet to the inside.  What are your thoughts?
0
 
LVL 3

Accepted Solution

by:
livedrive777 earned 250 total points
ID: 16896119
I have not personally set this up; however, I've done some investigation and it seems that you can in fact set up ISA server in a uni-homed fashion, so that you don't have two parallel paths.  We use a PIX for our corporate firewall as well, and if I were setting this config up I would be inclined to set up the ISA in a unihomed config as well and use the PIX for the outside firewall and DMZ.  Check out this thread and about halfway down read the post from Jason Jones:
http://forums.isaserver.org/m_21139300/tm.htm
0
 
LVL 1

Author Comment

by:banjo1960
ID: 16896171
Thanks for the help. I too was looking at unihomed today. The forum link is helpful and I can easily try this.

Have a great day.
0
