Reverse proxy in the DMZ, WAP + ADFS

Jaime Campos
Hello - I am running SharePoint 2016 and I've been tasked to set up a way to have external access to SharePoint.

Front-End Servers = 2 Servers
Distributed Cache Servers = 2 Servers
Application Servers = 2 Servers
SQL Servers = 1

What I have read is that the best practice is to leave our SharePoint farm entirely within the Intranet and use a reverse proxy in the DMZ, like WAP + ADFS. We’ll need to open far too many ports between SharePoint and Domain Controllers which will reduce the security of the environment. A reverse proxy is a single port -- tcp/443.

I am looking for a step-by-step guide on how I can set this up for SharePoint. I truly appreciate your help!

We use Sophos UTM (firewall) as a reverse proxy with pre-authentication for SharePoint access.
It is possible to place this UTM within an existing DMZ and use reverse proxy only.

It depends on what level of protection you want to provide to connections that are from the Internet.

From just using inbound NAT to one of the front-end servers, to having a reverse proxy with WAF (Web Application Firewall) in a DMZ that requires AD (LDAP) authentication...
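
The WAP + ADFS option raised in the question, sketched as an added example that is not part of the original thread: publishing SharePoint through Web Application Proxy with AD FS pre-authentication, then checking that nothing is published as pass-through. It assumes the SharePoint web application already trusts AD FS as an identity provider and that a relying party trust exists; every host name, URL, trust name and thumbprint below is a placeholder.

```powershell
# Run elevated on the DMZ server that will host Web Application Proxy (WAP).
# All values in this block are placeholders (assumptions), not from the thread.
$FederationService  = 'sts.example.com'                  # AD FS federation service name
$ExternalUrl        = 'https://sharepoint.example.com/'  # URL users reach from the Internet
$BackendUrl         = 'https://sharepoint.example.com/'  # resolves internally to the front-end servers
$RelyingParty       = 'SharePoint 2016'                  # relying party trust already defined in AD FS
$StsCertThumbprint  = '<THUMBPRINT-OF-STS-CERT>'         # certificate for sts.example.com in LocalMachine\My
$SiteCertThumbprint = '<THUMBPRINT-OF-SITE-CERT>'        # certificate for sharepoint.example.com

# 1. The DMZ host should only need tcp/443 towards AD FS and the SharePoint front ends.
foreach ($target in $FederationService, ([uri]$BackendUrl).Host) {
    $probe = Test-NetConnection -ComputerName $target -Port 443
    if (-not $probe.TcpTestSucceeded) { throw "tcp/443 to $target is blocked" }
}

# 2. Install the role and establish the proxy trust with AD FS.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$AdfsAdmin = Get-Credential -Message 'Account with local admin rights on the AD FS servers'
Install-WebApplicationProxy -FederationServiceName $FederationService `
    -FederationServiceTrustCredential $AdfsAdmin `
    -CertificateThumbprint $StsCertThumbprint

# 3. Publish SharePoint with AD FS pre-authentication, so unauthenticated
#    requests are stopped in the DMZ and never reach the farm.
Add-WebApplicationProxyApplication -Name 'SharePoint 2016 (external)' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName $RelyingParty `
    -ExternalUrl $ExternalUrl `
    -ExternalCertificateThumbprint $SiteCertThumbprint `
    -BackendServerUrl $BackendUrl

# 4. Audit: list any application published as pass-through, which forwards
#    anonymous traffic straight to the back end (closer to plain inbound NAT).
Get-WebApplicationProxyApplication |
    Where-Object ExternalPreauthentication -eq 'PassThrough' |
    Select-Object Name, ExternalUrl, BackendServerUrl
```

Step 4 returning no rows means every published application requires authentication at the proxy before a request is forwarded to the intranet.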
