WSS 3.0/Sharepoint 2007 Domain Authentication Architecture Query

  • WSS 3.0/Sharepoint 2007 Domain Authentication Architecture Query

    Hello
    WSS 3.0/Sharepoint2007 Domain Authentication Architecture Query.

    I'm currently building a WSS 3.0 system for the use of providing Extranet services to clients. I have read the MS Document: Planning an Extranet Environment for Windows SharePoint Services.

    Using this material, I decided I would like to use a simple "split back to back topology" for the system architecture.
    This would mean the SQL server is within the Corporate network and the DC and Web Front end would be in a DMZ.

    The system will be based on the following setup.
    DMZ server - VMWare ESXi server, hosting the DC and Web Front End, running W2K3 R2 OS.
    SQL Server - Within the Corp Network, running SQL 2005 x64, 2003 R2 OS.

    A new child domain within the forest would be created to allow for external authentication.

    My question(s) are:
    1. Is there a specific reason, if anyone knows, why the DC has to be within the DMZ, as shown in the MS documentation? A domain controller in a DMZ is a security risk, and whilst this DC would only have a 1 way trust and be hardened and access restricted by the Firewall(s), it would still be a candidate for attack.
    2. Has anyone kept the DC within the corporate network and configured the architecture to reflect this and experienced any issues/problems?

    Many Thanks for all responses.
    ie1e0955

  • #2
    Re: WSS 3.0/Sharepoint 2007 Domain Authentication Architecture Query

    Personally I would put all of the servers in the corporate network. That way you only need to open port 80 through the firewall to the web server on the inside network.

    If you put the web server and DC in the DMZ, then you'll have to open many more ports (389, 433, etc.) through the firewall which IMHO puts you at greater risk.

    • #3
      Re: WSS 3.0/Sharepoint 2007 Domain Authentication Architecture Query

      You're best looking at 'Forms authentication and Web SSO' for your scenario. It is mentioned in the documentation that you refer to.

      • #4
        Re: WSS 3.0/Sharepoint 2007 Domain Authentication Architecture Query

        Hi virtual,
        thanks for the post.
        Unfortunately Web forms is not an option in this situation, as the dev guys have specifically mentioned they wish to use AD and single sign-on/pass through authentication.

        I can see the benefits of the separate DC and child domain, keeping the 2 entities separate, so in theory easier to manage.

        I did consider moving all servers within the corp. network, but a Firewall between the web server in the DMZ and internal servers and one between the web and the internet provides more security than allowing access straight through.

        ie1e0955
