Setting up an extranet

Posted on 2010-11-30
Last Modified: 2012-06-27
We are looking to set up an extranet using SharePoint Foundation 2010. We currently have a WSS 3.0 server as our intranet (it will be upgraded to Foundation 2010 soon); this server pulls information from our SQL server (SQL 2008 Express), and people connected to the network can then see this information using laptops, PCs or BlackBerrys.

We now need to put the information that the SharePoint server is publishing onto an extranet so that it can be accessed from any connection. I have attached a screenshot of a simple network diagram that I have designed for how I believe we would have to set it up. However, money is an issue and we need to make this as cheap as possible.

In the picture I have 2 different domains, internal and DMZ; these will be 2 different forests with a trust relationship.
There are 2 different SQL servers: the internal one will be a copy of SQL 2008 Standard, working as distributor and publisher, pushing the information we need displayed to a copy of SQL 2008 Express in the DMZ. The SharePoint server in the DMZ will be used to display the SQL information, and the SharePoint server in the internal domain will continue to serve normally as the intranet.

We also need to collect information from the SQL server in the DMZ and store it back on the SQL server in the internal domain, which I am not sure how to do without risking security.

So basically what I am looking for is:
A - a way to accomplish what I am looking for.
B - making sure that the internal domain is secure.
C - keeping costs down; we would prefer not to buy a copy of SQL 2008 if it is not needed.

I appreciate any help on this, and all suggestions will be looked at in detail.
Question by: CaptainGiblets

Expert Comment

ID: 34248877
The second Forest/Domain does not even need to exist. It is needless, excessive overcomplexity.

Security is not going to be something that you "arrive at" and now you are "there", and sticking obstacles in the way of Layers 1-4 communication isn't going to define the security,...because the traffic that you do allow for everything to function is going to be the attack channel.  Most of the security is going to come from the Applications being used,...primarily SharePoint in this case. So if SharePoint is an insecure product,...then security is impossible.  But I think SharePoint is fine,...and that is where your security is going to come from.

The Domain would neither be insecure nor secure either way. It is almost not relevant.  Domains are secured (or not) based on what Security Objects (users, groups, etc.) are given or not given permission to.  The LAN is at Layers 1-4,...the Domain exists completely beyond the Layers,...apples & oranges,...two different things.

The DMZ does not even need to exist, and the SQL and the SharePoint can be used right from the Internal LAN by publishing the SharePoint to the External using ISA 2004.  The security comes from SharePoint itself.


The “De-perimeterization” of Networks

Expert Comment

ID: 34249014
The Domain would neither be insecure nor secure either way. It is almost not relevant.  Domains are secured (or not) based on what Security Objects (users, groups, etc.) are given or not given permission to.  The LAN is at Layers 1-4,...the Domain exists completely beyond the Layers,...apples & oranges,...two different things.

To illustrate that further.  A guest comes in,...say a Rep from another company. They bring a laptop and plug it into one of your wall jacks. The laptop now has full access to the LAN,...but absolutely zero access to the Domain because his laptop is not a member of your domain and he is not in possession of a Domain Level Security Object (aka a User Account).  Therefore your Domain is reasonably secure from him while the LAN at Layers 1-4 is open to him.

What idea I am trying to shoot down here is the common conception that: "I have no firewall,...therefore I am insecure",...along with the flip-side of that,..."I have a firewall,...therefore I am secure".   Both concepts are not correct.

Expert Comment

ID: 34249207
SharePoint:

A Fresh Look at Compliance in SharePoint Server 2007

Author Comment

ID: 34255606
I thought the whole idea of a DMZ was that if somebody *did* compromise your server, they are then not on a computer that is a member of your internal network, limiting what they can have access to and hiding your internal AD infrastructure, as the web server they will be using has AD authentication.

Accepted Solution

pwindell earned 500 total points
ID: 34257974
There is some amount of validity to that,...and you are right, that is the typical "Why".  But some of it falls into industry superstition.  Compromised can mean anything (or nothing),...most of the time it does not mean the guy has access to anything at all other than that he may have damaged the OS or the software running on the one individual machine; it rarely if ever means he suddenly has full "Terminal Server style" desktop control with full Domain Administrator privileges and can run willy-nilly around the LAN and Domain as he wishes.

I'm not telling you to not have a DMZ and to not have what your diagram shows,...what your diagram suggests is legit.  I'm only saying that I think it is excessively complex and would not stop a successful attack anyway.

A successful attack would be an attack on SharePoint, and accomplishing that would provide him with all the data available to and via SharePoint,...and that data reaches all the way back to the internal LAN & Domain; he gets what he came for and the DMZ would have meant nothing.  The attack "channel" is not kicking down the front door through the DMZ,...the attack channel is the data path SharePoint uses to get data from the LAN, and you can't block that or SharePoint becomes useless.  Hackers use the resources and tools you give them,...not the ones you don't give them.

So the bottom line here is that 99% of your security focus in this case needs to be on SharePoint itself and on what information is allowed to be retrieved by SharePoint and subsequently presented to the one "asking" for it.
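The accepted answer's point, that the real control is what the extranet tier is allowed to read and write, can be made concrete on the DMZ-side database itself. The T-SQL below is an added example written for this thread, not code posted by the asker or by the expert, and it addresses both the original question's two data flows (replicated data pushed out to the DMZ SQL Express instance; collected data travelling back to the internal server) and the answer's advice to constrain what SharePoint can retrieve. All names (the ExtranetDB database, the pub and inbound schemas, the ExtranetReader and InternalCollector logins, the Products and Requests tables) are assumptions for illustration, as is the design choice that the internal server initiates the connection to the DMZ to pull collected rows, so that no DMZ-to-internal connection is ever opened. It uses SQL Server 2008-compatible syntax (sp_addrolemember, RAISERROR) and is meant to be run on the DMZ instance as sysadmin.

```sql
-- Added example (not from the original thread). Least-privilege layout for the
-- DMZ-side SQL Server 2008 Express instance that the extranet SharePoint reads.
-- Assumed names: ExtranetDB, schemas pub/inbound, logins ExtranetReader and
-- InternalCollector, tables pub.Products and inbound.Requests.
USE master;
GO
-- Dedicated SQL logins so no internal-domain credential is stored in the DMZ.
CREATE LOGIN ExtranetReader    WITH PASSWORD = 'Replace-With-A-Strong-Passphrase-1', CHECK_POLICY = ON;
CREATE LOGIN InternalCollector WITH PASSWORD = 'Replace-With-A-Strong-Passphrase-2', CHECK_POLICY = ON;
GO

USE ExtranetDB;
GO
CREATE USER ExtranetReader    FOR LOGIN ExtranetReader;
CREATE USER InternalCollector FOR LOGIN InternalCollector;
GO
-- "pub" holds what replication pushes out from the internal publisher;
-- "inbound" holds what the extranet collects for the internal side to fetch.
CREATE SCHEMA pub AUTHORIZATION dbo;
GO
CREATE SCHEMA inbound AUTHORIZATION dbo;
GO
CREATE TABLE pub.Products (
    ProductId int          NOT NULL PRIMARY KEY,
    Name      nvarchar(100) NOT NULL,
    Price     money        NOT NULL
);
CREATE TABLE inbound.Requests (
    RequestId   int IDENTITY(1,1) NOT NULL PRIMARY KEY,
    SubmittedBy nvarchar(256)     NOT NULL,
    ProductId   int               NOT NULL,
    Quantity    int               NOT NULL CHECK (Quantity > 0),
    SubmittedAt datetime2         NOT NULL DEFAULT SYSUTCDATETIME(),
    Collected   bit               NOT NULL DEFAULT 0
);
GO

-- The SharePoint data connection: read the published data, nothing else.
CREATE ROLE ExtranetReadOnly;
GRANT SELECT ON SCHEMA::pub TO ExtranetReadOnly;
DENY INSERT, UPDATE, DELETE, ALTER ON SCHEMA::pub TO ExtranetReadOnly;
-- No direct access to the inbound schema at all...
DENY SELECT, INSERT, UPDATE, DELETE, ALTER ON SCHEMA::inbound TO ExtranetReadOnly;
GO
-- ...only a write-only procedure, so a compromised web tier can append rows
-- but cannot read, alter or delete what others submitted. EXECUTE AS OWNER
-- runs the body with dbo rights; the caller needs EXECUTE only.
CREATE PROCEDURE inbound.SubmitRequest
    @SubmittedBy nvarchar(256), @ProductId int, @Quantity int
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    -- Accept only product ids that exist in the published data.
    IF NOT EXISTS (SELECT 1 FROM pub.Products WHERE ProductId = @ProductId)
    BEGIN
        RAISERROR('Unknown ProductId', 16, 1);
        RETURN;
    END
    INSERT INTO inbound.Requests (SubmittedBy, ProductId, Quantity)
    VALUES (@SubmittedBy, @ProductId, @Quantity);
END
GO
GRANT EXECUTE ON inbound.SubmitRequest TO ExtranetReadOnly;
EXEC sp_addrolemember 'ExtranetReadOnly', 'ExtranetReader';
GO

-- The internal server connects *to* the DMZ (internal -> DMZ only, no reverse
-- path), drains uncollected rows and marks them, and touches nothing else.
CREATE PROCEDURE inbound.CollectRequests
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    UPDATE inbound.Requests
       SET Collected = 1
    OUTPUT inserted.RequestId, inserted.SubmittedBy, inserted.ProductId,
           inserted.Quantity, inserted.SubmittedAt
     WHERE Collected = 0;
END
GO
CREATE ROLE InternalCollectorRole;
GRANT EXECUTE ON inbound.CollectRequests TO InternalCollectorRole;
DENY SELECT, INSERT, UPDATE, DELETE, ALTER ON SCHEMA::pub TO InternalCollectorRole;
EXEC sp_addrolemember 'InternalCollectorRole', 'InternalCollector';
GO
```

With this layout the extranet login can answer only the questions the published tables allow, the write-back channel accepts rows but never returns them to the web tier, and the collector job on the internal server is the only thing that reads them, over a connection the internal side opens. The firewall rule set then reduces to what the answer describes: the traffic you must allow, made as narrow as the application lets it be.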
