[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Sharepoint Portal Web server on DMZ

Posted on 2006-06-12
5
Medium Priority
?
1,036 Views
Last Modified: 2008-02-26
Is it possible to have the Sharepoint Portal Web server on the DMZ with the other Sharepoint servers on the internal network? We will be using the 3-server configuration.

Microsoft mentions in the documentation that the web server must be part of the domain to allow for content crawling on the Intranet.

I am trying to balance that with my fear of allowing connections from any IP (Internet) to the internal network.

I have seen some posts on EE that suggest this may be inevitable.

I guess the other alternative is to configure the firewall to allow domain traffic to the DMZ, but this also seems to defeat the purpose.

Thanks for your input.
0
Comment
Question by:banjo1960
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 3

Expert Comment

by:livedrive777
ID: 16889670
Microsoft's recomended solution for such a configuration is to use ISA server.  The ISA server then goes in the DMZ and the Sharepoint portal server goes on your LAN with the other SHpoint servers and the rest of the domain.  The ISA server then proxies the web traffic for you and does application level security scanning since it is an application firewall.  The firewall rules then look like this:  80 and 443 open from the internet to the ISA server in the DMZ, and port 80 and 443 open from the DMZ to the Shpoint portal server on the LAN.  The only other solution that wouldn't use ISA server would be the two you already referenced in your question:  Open up web traffic from the internet to the LAN for Shpoint portal server or open up domain traffic from the DMZ.

Hope this clears it up!
0
 
LVL 6

Expert Comment

by:DCreature
ID: 16891024
Another vote for ISA server, if you can't afford ISA server, try searching information on different Linux distros, which can perform basically the same jobs, though without proper or any supports from Microsoft.
0
 
LVL 1

Author Comment

by:banjo1960
ID: 16894012
Thanks for the quick response. We are resigned that we need to employ ISA Server 2004.

I have an existing PIX firewall, so I am trying to determine where to put the ISA box. I assume it must have 2 NICs, one Internet facing and one on the internal LAN with the domain.

I prefer not to have 2 parallel paths from the Internet to the inside.  What are your thoughts?
0
 
LVL 3

Accepted Solution

by:
livedrive777 earned 750 total points
ID: 16896119
I have not personally set this up; however, I've done some investigation and it seems that you can in fact setup ISA server in a uni-homed fashion, so that you don't have two parallel paths.  We use a PIX for our corporate firewall as well, and if I were setting this config up I would be inclined to setup the ISA in a unihomed config as well and use the PIX for the outside firewall and DMZ.  Check out this thread and about half way down read the post from Jason Jones:
http://forums.isaserver.org/m_21139300/tm.htm
0
 
LVL 1

Author Comment

by:banjo1960
ID: 16896171
Thanks for the help. I too was looking at unihomed today. The forum link is helpul and I can easily try this.

Have a great day.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question