Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Sharepoint Portal Web server on DMZ

Posted on 2006-06-12
5
1,015 Views
Last Modified: 2008-02-26
Is it possible to have the Sharepoint Portal Web server on the DMZ with the other Sharepoint servers on the internal network? We will be using the 3-server configuration.

Microsoft mentions in the documentation that the web server must be part of the domain to allow for content crawling on the Intranet.

I am trying to balance that with my fear of allowing connections from any IP (Internet) to the internal network.

I have seen some posts on EE that suggest this may be inevitable.

I guess the other alternative is to configure the firewall to allow domain traffic to the DMZ, but this also seems to defeat the purpose.

Thanks for your input.
0
Comment
Question by:banjo1960
  • 2
  • 2
5 Comments
 
LVL 3

Expert Comment

by:livedrive777
ID: 16889670
Microsoft's recomended solution for such a configuration is to use ISA server.  The ISA server then goes in the DMZ and the Sharepoint portal server goes on your LAN with the other SHpoint servers and the rest of the domain.  The ISA server then proxies the web traffic for you and does application level security scanning since it is an application firewall.  The firewall rules then look like this:  80 and 443 open from the internet to the ISA server in the DMZ, and port 80 and 443 open from the DMZ to the Shpoint portal server on the LAN.  The only other solution that wouldn't use ISA server would be the two you already referenced in your question:  Open up web traffic from the internet to the LAN for Shpoint portal server or open up domain traffic from the DMZ.

Hope this clears it up!
0
 
LVL 6

Expert Comment

by:DCreature
ID: 16891024
Another vote for ISA server, if you can't afford ISA server, try searching information on different Linux distros, which can perform basically the same jobs, though without proper or any supports from Microsoft.
0
 
LVL 1

Author Comment

by:banjo1960
ID: 16894012
Thanks for the quick response. We are resigned that we need to employ ISA Server 2004.

I have an existing PIX firewall, so I am trying to determine where to put the ISA box. I assume it must have 2 NICs, one Internet facing and one on the internal LAN with the domain.

I prefer not to have 2 parallel paths from the Internet to the inside.  What are your thoughts?
0
 
LVL 3

Accepted Solution

by:
livedrive777 earned 250 total points
ID: 16896119
I have not personally set this up; however, I've done some investigation and it seems that you can in fact setup ISA server in a uni-homed fashion, so that you don't have two parallel paths.  We use a PIX for our corporate firewall as well, and if I were setting this config up I would be inclined to setup the ISA in a unihomed config as well and use the PIX for the outside firewall and DMZ.  Check out this thread and about half way down read the post from Jason Jones:
http://forums.isaserver.org/m_21139300/tm.htm
0
 
LVL 1

Author Comment

by:banjo1960
ID: 16896171
Thanks for the help. I too was looking at unihomed today. The forum link is helpul and I can easily try this.

Have a great day.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question