  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 751

Extend Site or New AAM In SharePoint 2010

We recently had a MS SharePoint Risk Assessment done, and one of the many items that was pointed out was the fact that all of our sites are in the "Default" zone, which is how SharePoint was set up when I started.

Both internal and external users access our small SharePoint site using the same URL. I have been asked to break up our sites into two separate zones but still use the same name. Also, all sites use SSL.

1) Should I create a new AAM or extend our existing site? I have read that some users have extended their sites to do something similar.

2) Any problems DNS / routing wise having the same URL name for internal and external users?

3) Also, our SharePoint environment has three sites: one main site and two others which are referenced within the main site. How would changing the AAM affect accessing these sites?

Any other suggestions on what I should look out for, since I have not done this before and am looking for some advice from those who are more skilled than I in SharePoint?
0
Asked by: compdigit44
1 Solution
 
compdigit44 (Author) commented:
Actually I am a bit confused. Since all of our sites are in one zone and are accessed by the same name internally and externally, do I not need a new AAM mapping but just a different zone, or are these really one and the same?
0
 
Walter Curtis (SharePoint AED) commented:
Quick explanation about extended web applications (zones)

A default SharePoint site, or web application, has a URL that is an IIS web site. Bindings are configured to listen to a particular URL (host header) on a particular port. On the SharePoint site, that web application is configured to use the incoming URL (via AAM) but more importantly to use a particular authentication provider, such as Active Integrated, which in IIS is Windows Integrated authentication.

A SharePoint web application (site) extension is when a second IIS site is created, meaning a separate URL will be used and different bindings are possible. This extension is created via SharePoint Central Administration. Being created in CA means that you can have a different authentication provider for this extended web app. Most importantly, remember the extension connects to the exact same content database as the IIS web site in the default zone.

That all means that you can have people coming in via different methods but hitting the same content. As an example, intranet people can use an internal URL and their active directory to log in and access the SharePoint site and external people can use a separate or externally available URL (if you have external public access) and a different authentication provider, (for example a SQL based user management system) and access the same content as the internal people.

So having said all that, unless you have an appliance such as an F5 or some other type of routing load balancer, it will be difficult to use the same URL for external and internal. You could be creative with DNS maybe to pull it off, but without more detail not sure. The issue is that in IIS you can't listen for the same host name on separate web sites. If by external you mean people access via company VPN then you will be okay.

To your question specifically - at this stage modifying AAM will not do anything for you. Simply adding an AAM has nothing to do with how IIS will work. As far as DNS, yes you will have problems having the same URL (host name) going to different IPs. (Unless you multi-home your server, but that is totally different.) Checking AAM or extending the Web app will not affect the sub sites. (They should be relative to the Web App URL.)

Hope that helps
0
 
compdigit44 (Author) commented:
Wow, great response!!!
One thing I failed to mention is the fact that we are already using the same URL internally and externally, and our SharePoint WFEs are load balanced via a Citrix NetScaler.

Sorry for the millions of questions, but I was asked to fix the issues pointed out in our MS SharePoint Risk Assessment, and the part about AAMs and having hostnames directly listed is what I need to correct.

For example:
central admin site
http://server1   -> public http://server1
http://server2   -> public http://server1

etc.

Also, for the zones, everything is listed under the Default zone. Is this good or bad? I know the person who set up SharePoint originally set up claims, but our site is really using NTLM since neither SPN nor delegation was ever set up. Could this or poor AAM/zone mappings cause poor performance?
0
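An added example, not part of the original thread: a PowerShell check over alternate access mapping rows that flags the two findings described above (server names listed directly as URLs, and every mapping sitting in the Default zone). The sample rows, the host name `portal.example.com` and the function name `Get-AamFinding` are constructed for illustration; on a farm server the rows would come from `Get-SPAlternateURL`.

```powershell
# Written for the PowerShell 2.0 shell that ships with SharePoint 2010.
# Constructed sample rows shaped like Get-SPAlternateURL output.
# On a farm server, replace $aam with:
#   Add-PSSnapin Microsoft.SharePoint.PowerShell
#   $aam = Get-SPAlternateURL
$aam = @(
    (New-Object PSObject -Property @{ IncomingUrl = 'https://portal.example.com'; UrlZone = 'Default'; PublicUrl = 'https://portal.example.com' }),
    (New-Object PSObject -Property @{ IncomingUrl = 'http://server1'; UrlZone = 'Default'; PublicUrl = 'http://server1' }),
    (New-Object PSObject -Property @{ IncomingUrl = 'http://server2'; UrlZone = 'Default'; PublicUrl = 'http://server1' })
)

# Hypothetical helper: returns one row per mapping with the issues found on it.
function Get-AamFinding {
    param([object[]]$Aam)
    foreach ($entry in $Aam) {
        $incoming = [uri][string]$entry.IncomingUrl
        $public   = [uri][string]$entry.PublicUrl
        $issues   = @()
        # A host with no dot is a machine name, not a DNS name users should see.
        if ($incoming.Host -notmatch '\.') { $issues += 'incoming URL is a bare server name' }
        if ($public.Host   -notmatch '\.') { $issues += 'public URL is a bare server name' }
        # The thread states that all sites use SSL, so plain HTTP deserves a look.
        if ($incoming.Scheme -ne 'https')  { $issues += 'incoming URL is not HTTPS' }
        New-Object PSObject -Property @{
            IncomingUrl = [string]$entry.IncomingUrl
            Zone        = [string]$entry.UrlZone
            PublicUrl   = [string]$entry.PublicUrl
            Issues      = ($issues -join '; ')
        }
    }
}

# Hypothetical helper: true when no zone other than Default is in use.
function Test-AamOnlyDefaultZone {
    param([object[]]$Aam)
    $zones = @($Aam | ForEach-Object { [string]$_.UrlZone } | Sort-Object -Unique)
    return ($zones.Count -eq 1 -and $zones[0] -eq 'Default')
}

Get-AamFinding -Aam $aam |
    Where-Object { $_.Issues } |
    Select-Object IncomingUrl, Zone, PublicUrl, Issues |
    Format-Table -AutoSize -Wrap

if (Test-AamOnlyDefaultZone -Aam $aam) {
    Write-Output 'Every mapping is in the Default zone: internal and external users share one zone and one authentication configuration.'
}
```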
 
compdigit44 (Author) commented:
Thank you again for all of your help. Since I had so many questions and want to do things correctly, I ended up opening a support case with MS.
0
