Hi All,
I know there are a number of solutions out there which can allow you to expose SharePoint On-Premise externally. All solutions come with some limitations. I am looking for someone who has implemented such a solution and the lessons learned.
Here is the high level requirement:
– SharePoint Portal (Some web application not all) from on-premise SharePoint Farm to be available outside company network
– We should limit devices and track those devices accessing the portal
– User should be able to authenticate by using their active directory credentials so no additional authentication should be required.
– If a user moves between web application, he/she should not be challenged to enter his/her domain credentials
Thanks
Adnan
Hi Adnan,
I’ve come across multiple instances where organizations have needed to deploy SharePoint sites externally while providing 2-factor authentication and single sign-on to multiple web apps.
Looking at the high-level requirements you’ve provided, it sounds like PortalGuard would be a good fit for this environment.
Leveraging the users’ Active Directory credentials, it essentially acts as a “secure front door” and “single point-of-access” with multiple ways to manage access control, user activity monitoring/reporting, and self-service password reset.
http://www.portalguard.com/sharepoint.html
Hi Adnan,
About track devices/ access control, IRM can do it on file level based on document content, attributes, and user attributes. It can monitor the document activities on the end point or on the server, with full details about who is accessing the document, when, what file, from which computer. RM solution can automatically trigger rights protection when documents are uploaded to SharePoint, or to documents already stored in SharePoint.
If you’re interested in learning about IRM solutions, you may want to read a whitepaper on SlideShare at http://www.slideshare.net/nextlabs/managing-information-risk-for-mi….
Would you like to share some thoughts? Are there any solutions you would like to recommend?
Thanks,
Kate.
Adnan,
That is an interesting scenario that needs thorough testing.
You can use a wildcard SSL certificate with the SAN (Subject Alternative Names) option and have web app URLs as part of it. For example:
webapp1.domain.com
webapp2.domain.com
With a wildcard SSL cert that offers the SAN option, you can have *.domain.com. Besides the *, you can add the above two URLs in the SAN. I’ve used www.Digicert.com wildcard certificates with SAN options. Makes life easy at least for this requirement.
Have you looked at the ADFS (Active Directory Federation Services) and/or ADCS (Active Directory Certificate Services) as a solution? How about using ADFS with the Azure AD to have seamless authentication across multiple web apps? Just like Office 365 has the authentication option with corporate ADFS.
Configure client certificate authentication for SharePoint 2013
2FA (Two Factor Authentication) is the way to limit who will be accessing the portal. But then you don’t want users to enter additional credentials!
Review some of these resources:
- Multi-Factor Authentication on SharePoint using AD DS
- Test drive Comodo’s Two-Factor Authentication Solution for Free
- ADFS and Windows Azure AD Resources
Limiting devices and tracking those devices using SharePoint seems a little more challenging.
At the end, review my blog post on external hosting and some of the pieces involved. The current version of that article is not a solution to all the scenarios. But it might give you a few ideas.
Primer on SharePoint Hosting for External Collaboration
Regards
Faisal Masood
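As an added example (not part of Faisal’s post, nor code from DigiCert or any product mentioned here), the check below shows which web app hostnames a wildcard-plus-SAN certificate actually covers. It applies the usual browser rule that a wildcard matches exactly one DNS label, so *.domain.com covers webapp1.domain.com but not domain.com itself or a.webapp1.domain.com; the SAN list and hostnames are constructed sample values.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample SAN entries: wildcard plus the two explicit web app names
SAMPLE_SAN = ["*.domain.com", "webapp1.domain.com", "webapp2.domain.com"]


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName entry against a hostname (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard must be the whole left-most label, with at least two
    # fixed labels after it (no "*.com", no "*" alone, no "web*.domain.com").
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    # A wildcard covers exactly one label: same label count, rest identical.
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(san_names: Iterable[str], host: str) -> bool:
    """True if any dNSName SAN entry covers host; IP literals never match."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return any(_dns_name_matches(name, host) for name in san_names)


def uncovered_hosts(san_names: Iterable[str], hosts: Iterable[str]) -> List[str]:
    """Hostnames the certificate would NOT cover, in input order."""
    names = list(san_names)
    return [h for h in hosts if not cert_covers_host(names, h)]


if __name__ == "__main__":
    planned = ["webapp1.domain.com", "webapp3.domain.com",
               "domain.com", "my.webapp2.domain.com"]
    print("Not covered:", uncovered_hosts(SAMPLE_SAN, planned))
```

Run it against the hostnames you plan to publish before ordering the certificate; any name it reports needs its own SAN entry.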
Adnan,
Please take a look at Marc’s post on this very subject. I have posted how we currently accomplish this along with many other posts from the SP Community members. This should give you starting points at the least. Hope this helps. http://sharepoint-community.net/forum/topics/how-to-sharepoint-as-an-extranet?xg_source=activity
We’ve not tried with the WAP but for the UAG we used a public SAN cert (containing 3 names) hitting the single public IP of the UAG which then routed on the internally generated certs to one of 3 web applications.
It was all on a single trunk so no need for us to re-authenticate – the proxy takes care of that for us.