Plan security hardening for extranet environments
Applies To: Office SharePoint Server 2007
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2016-11-14
In this article:
Extranet hardening planning tool
Network topology
Domain trust relationships
Communication with server-farm roles
Communication with infrastructure server roles
Requirements to support document conversions
Communication between network domains
Connections to external servers
This article details the hardening requirements for an extranet environment in which a Microsoft Office SharePoint Server 2007 server farm is placed inside a perimeter network and content is available from the Internet or from the corporate network.
For more information on supported extranet topologies, see Design extranet farm topology (Office SharePoint Server).
Extranet hardening planning tool
The following planning tool is available for use with this article: Extranet hardening planning tool: back-to-back perimeter (https://go.microsoft.com/fwlink/?LinkId=85533&clcid=0x409). Based on the back-to-back perimeter topology, this tool articulates the port requirements for each of the computers running Microsoft Internet Security and Acceleration (ISA) Server and each of the routers or firewalls. This tool is an editable Microsoft Office Visio file that you can revise for your environment. For example, you can:
Add your custom port numbers, where applicable.
Where a choice of protocols or ports is provided, indicate which ports you will use.
Indicate the specific ports that are used for database communication in your environment.
Add or remove requirements for ports based on:
Whether you are configuring e-mail integration.
Which layer you deploy the query role to.
If you are configuring a domain trust relationship between the perimeter domain and the corporate domain.
If you would like to see additional planning tools for other supported extranet topologies, submit a comment on this article to let us know.
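The planning tool above is a Visio file, so the same decision logic is written out here as an added example in Python; it is not the planning tool and not Microsoft's code. It takes the choices the tool asks about (where the query role runs, whether e-mail integration is configured, whether the SSO encryption-key server is in play, the database port) and expands them into the concrete inbound rules each farm role, and each router or firewall between layers, has to allow. Ports that this article states are used as given (client access 80/443, File and Printer Sharing 445, SMTP 25, RPC 135); the SQL Server default instance port 1433, the Office Server Web Services ports 56737/56738, and the role-to-role flows in `BASE_FLOWS` are assumptions that follow the article's callouts 1 to 6 and should be edited to match your own figure.

```python
"""Derive back-to-back perimeter firewall rules from topology choices.

Added example, not the Visio planning tool or Microsoft code. Ports from the
article: client access 80/443, SMB 445, SMTP 25, RPC 135. Assumed: SQL Server
on 1433, Office Server Web Services on 56737/56738, and the BASE_FLOWS below.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Rule:
    src: str     # role that initiates the connection (the solid-arrow side)
    dst: str     # role that must accept the inbound connection
    proto: str
    port: int
    reason: str


def default_services(db_port=1433):
    """Port set per named service. Where the page offers a choice (HTTP or
    HTTPS), both are listed so you can prune the one you do not use."""
    return {
        "client": (("tcp", 80), ("tcp", 443)),      # callout 1
        "smb": (("tcp", 445),),                     # callout 2, direct-hosted SMB
        "osws": (("tcp", 56737), ("tcp", 56738)),   # callout 3 (assumed defaults)
        "db": (("tcp", db_port),),                  # callout 4 (assumed default instance)
        "crawl": (("tcp", 80), ("tcp", 443)),       # callout 5, or your extended zone's port
        "rpc": (("tcp", 135),),                     # callout 6, endpoint mapper only
        "smtp": (("tcp", 25),),                     # e-mail integration
    }


# (initiator, target, service, reason). Assumed reading of the article's figure.
BASE_FLOWS = (
    ("client", "web", "client", "browser and Office client access, IRM, search queries"),
    ("web", "db", "db", "content and configuration databases"),
    ("query", "db", "db", "search and SSP databases"),
    ("index", "db", "db", "search and SSP databases"),
    ("ecs", "db", "db", "SSP databases"),
    ("web", "query", "osws", "query requests over Office Server Web Services"),
    ("web", "query", "smb", "query requests over File and Printer Sharing"),
    ("index", "query", "smb", "index propagation to query servers"),
    ("index", "web", "crawl", "crawling the farm's own sites"),
    ("web", "ecs", "osws", "Excel Calculation Services requests"),
    ("web", "sso", "rpc", "SSO encryption-key server"),
    ("ecs", "sso", "rpc", "SSO encryption-key server"),
    ("index", "sso", "rpc", "SSO encryption-key server"),
)


def farm_rules(query_on_web=False, email_integration=False, sso=False, db_port=1433):
    """Expand the flows into concrete rules for one topology.

    query_on_web: the query role runs on every Web server instead of an
    application server, so query traffic becomes Web-server-to-Web-server.
    """
    services = default_services(db_port)
    flows = list(BASE_FLOWS)
    if email_integration:
        flows.append(("mta", "web", "smtp", "incoming e-mail to the SMTP service"))
    rules = set()
    for src, dst, svc, why in flows:
        if svc == "rpc" and not sso:
            continue                  # no SSO, no encryption-key server traffic
        if query_on_web:
            src = "web" if src == "query" else src
            dst = "web" if dst == "query" else dst
        for proto, port in services[svc]:
            rules.add(Rule(src, dst, proto, port, why))
    return sorted(rules)


def inbound_ports(role, rules):
    """Ports a role must accept; the starting point for that layer's ACL."""
    return sorted({(r.proto, r.port) for r in rules if r.dst == role})


def crossing_rules(rules, layer_of):
    """Rules whose endpoints sit in different layers, i.e. the ones a router,
    firewall or ISA Server between the layers has to permit. Roles missing
    from layer_of (clients, an external MTA) are treated as external."""
    return [r for r in rules
            if layer_of.get(r.src, "external") != layer_of.get(r.dst, "external")]


if __name__ == "__main__":
    layers = {"web": "perimeter-web", "query": "perimeter-app", "index": "perimeter-app",
              "ecs": "perimeter-app", "db": "corporate"}
    for r in crossing_rules(farm_rules(email_integration=True), layers):
        print(f"{r.src:>7} -> {r.dst:<6} {r.proto}/{r.port:<5} {r.reason}")
```

Running the script prints only the rules that cross a layer boundary for a three-layer back-to-back topology with e-mail integration; moving a role to another layer in `layers`, or setting `query_on_web=True`, changes which rules the firewalls need without touching the flow table. Rules whose source and destination are the same role (Web server to Web server when the query role is on the Web servers) still matter for host firewalls, which is why they are kept rather than dropped.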
Network topology
The hardening guidance in this article can be applied to many different extranet configurations. The following back-to-back perimeter network topology diagram shows an example implementation and illustrates the server and client roles across an extranet environment. The purpose of the diagram is to articulate each of the possible roles and their relationship to the overall environment. Consequently the query role appears twice. In a real implementation, the query role is deployed either on Web servers or as an application server, but not both. And, if the query role is deployed to the Web servers, it is deployed to all Web servers in a farm. For the purpose of communicating security hardening requirements, the diagram illustrates all options. The routers illustrated can be exchanged for firewalls.
Domain trust relationships
The requirement for a domain trust relationship depends on how the server farm is configured. This section discusses two possible configurations.
Server farm resides in the perimeter network
The perimeter network requires its own Active Directory directory service infrastructure and domain. Typically, the perimeter domain and the corporate domain are not configured to trust each other. However, to authenticate intranet users and remote employees who are using their domain credentials (Windows authentication), you must configure a one-way trust relationship in which the perimeter domain trusts the corporate domain. Forms authentication and Web SSO do not require a domain trust relationship.
Server farm is split between the perimeter network and the corporate network
If the server farm is split between the perimeter network and the corporate network with the database servers residing inside the corporate network, a domain trust relationship is required if Windows accounts are used. In this scenario, the perimeter network must trust the corporate network. If SQL authentication is used, a domain trust relationship is not required. The following table summarizes the differences between these two approaches.
 | Windows authentication | SQL authentication |
---|---|---|
Description | Corporate domain accounts are used for all Office SharePoint Server 2007 service and administration accounts, including application pool accounts. A one-way trust relationship, in which the perimeter network trusts the corporate network, is required. | Office SharePoint Server 2007 accounts are configured in the following ways: A trust relationship is not required but can be configured to support client authentication against an internal domain controller. Note: If the application servers reside in the corporate domain, a one-way trust relationship, in which the perimeter network trusts the corporate network, is required. |
Setup | Setup includes the following: | Setup includes the following: |
Additional information | The one-way trust relationship allows the Web servers and application servers that are joined to the extranet domain to resolve accounts that are in the corporate domain. | |
The information in the preceding table assumes the following:
Both the Web servers and the application servers reside in the perimeter network.
All accounts are created with the least privileges necessary, including the following recommendations:
Separate accounts are created for all administrative and service accounts.
No account is a member of the Administrators group on any computer, including the server computer that hosts SQL Server.
If you are using SQL authentication, the following SQL logins must be created with the following permissions:
SQL login for the account used to run the Psconfig command-line tool: The account must be a member of the following SQL roles: dbcreator and securityadmin. The account must be a member of the Administrators group on each server on which Setup is run (not the database server).
SQL login for the server farm account: This login is used to create the configuration database and the SharePoint_AdminContent database. The login must include the dbcreator role. The login does not need to be a member of the securityadmin role. The login must be created using SQL authentication. Configure the server farm account to use SQL authentication with the password that is specified when you create the SQL login.
SQL login for all other databases: The login must be created using SQL authentication. The login must be a member of the following SQL roles: dbcreator and securityadmin.
For more information about Office SharePoint Server 2007 accounts, see Plan for administrative and service accounts (Office SharePoint Server).
For more information about creating databases by using the Psconfig command-line tool, see Command-line reference for the SharePoint Products and Technologies Configuration Wizard (Office SharePoint Server).
Communication with server-farm roles
When configuring an extranet environment, it is important to understand how the various server roles communicate within the server farm.
Communication between server roles
The following figure illustrates the communication channels within a server farm. The table directly after the figure indicates the ports and protocols that are represented in the figure. The black solid arrows indicate which server role initiates communication. For example, the Excel Calculation Services role initiates communication with the database server. The database server does not initiate communication with the Excel Calculation Services role. A red dotted arrow indicates that either server initiates communication. This is important to know when configuring inbound and outbound communication on a firewall.
Callout | Ports and protocols |
---|---|
1 | Client access (including Information Rights Management (IRM) and search queries), one or more of the following: |
2 | File and printer sharing service — Either of the following: |
3 | Office Server Web Services — Both: |
4 | Database communication: |
5 | Search crawling — Depending on how authentication is configured, SharePoint sites might be extended with an additional zone or Internet Information Services (IIS) site to ensure that the index component can access content. This configuration can result in custom ports. |
6 | Single Sign-on Service — Any server role that has the SSO service running must be able to communicate with the encryption key server using remote procedure call (RPC). This includes all Web servers, the Excel Calculation Services role, and the Index role. Additionally, if a custom security trimmer is installed on the query server and this security trimmer requires access to SSO data, the SSO service is running on this server role as well. RPC requires TCP port 135 and either: For more information about the encryption key server and which server roles require the SSO service, see Plan for single sign-on. |
Web servers automatically load-balance query requests to the available query servers. Consequently, if the query role is deployed across Web server computers, these servers communicate with each other using the File and Printer Sharing service and the Office Server Web services. The following figure illustrates the communication channels between these servers.
Communication between administrative sites and server roles
Administrative sites include:
Central Administration site: This site can be installed on an application server or a Web server.
Shared Services Administration sites: These sites are mirrored across Web servers.
This section details the port and protocol requirements for communication between an administrator workstation and server roles within the farm. The Central Administration site can be installed on any Web server or application server. Configuration changes that are made through the Central Administration site are communicated to the configuration database. Other server roles in the farm pick up configuration changes that are registered in the configuration database during their polling cycles. Consequently, the Central Administration site does not introduce any new communication requirements to other server roles in the server farm.
The following figure illustrates the communication channels from an administrator workstation to the administrative sites and the configuration database.
The following table describes the ports and protocols that are illustrated in the preceding figure.
Callout | Ports and protocols |
---|---|
A | Shared Services Administration site — One or more of the following: |
B | Central Administration site — One or more of the following: |
C | Database communication: |
Communication with infrastructure server roles
When configuring an extranet environment, it is important to understand how the various server roles communicate with the infrastructure server computers (domain controllers, DNS servers, and SMTP hosts) that the farm depends on.
Active Directory domain controller
The following table lists the port requirements for inbound connections from each server role to an Active Directory domain controller.
Item | Web Server | Query Server | Index Server | Excel Calculation Services | Database Server |
---|---|---|---|---|---|
TCP/UDP 445 (Directory Services) | X | X | X | X | X |
TCP/UDP 88 (Kerberos authentication) | X | X | X | X | X |
Lightweight Directory Access Protocol (LDAP)/LDAPS ports 389/636 by default, customizable | X | | X | X | |
LDAP/LDAPS ports are required for server roles based on the following conditions:
Web servers: Use LDAP/LDAPS ports if LDAP authentication is configured.
Index server: Role requires LDAP/LDAPS ports for importing profiles from the domain controllers that are configured as profile import sources, wherever these reside.
Excel Calculation Services: Uses LDAP/LDAPS ports only if data source connections are configured to authenticate using LDAP.
DNS server
The following table lists the port requirements for inbound connections from each server role to a Domain Name System (DNS) server. In many extranet environments, one server computer hosts both the Active Directory domain controller and the DNS server.
Item | Web Server | Query Server | Index Server | Excel Calculation Services | Database Server |
---|---|---|---|---|---|
DNS, TCP/UDP 53 | X | X | X | X | X |
SMTP service
E-mail integration requires the use of the Simple Mail Transfer Protocol (SMTP) service using TCP port 25 on at least one of the front-end Web servers in the server farm. The SMTP service is required for incoming e-mail (inbound connections). For outgoing e-mail, you can either use the SMTP service or route outgoing e-mail through a dedicated e-mail server in your organization, such as a computer running Microsoft Exchange Server.
Item | Web Server | Query Server | Index Server | Excel Calculation Services | Database Server |
---|---|---|---|---|---|
TCP port 25 | X | | | | |
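The domain controller and DNS tables above, together with the conditions on the LDAP/LDAPS rows, can be turned into a check that each server role runs against the perimeter DC before the farm is built. The following is an added example in Python, not Microsoft's code and not part of the article: `infra_ports` applies the article's conditions (LDAP for Web servers only with LDAP authentication, for the index role only for profile import, for Excel Calculation Services only for LDAP-authenticated data sources), and `check_role` tries a TCP connect for each TCP row. Assumptions: the DC also hosts DNS, as the article notes is common; LDAP/LDAPS on 389/636 unless other ports are passed; and the `connect` hook, which in the test is a constructed stand-in so the code runs offline. UDP rows are reported as unverified, because a connect cannot prove a UDP path is open.

```python
"""Check a farm role's required ports to the perimeter DC/DNS host.

Added example, not Microsoft's code. Port rows come from the article's
domain controller and DNS tables; the LDAP conditions are the article's.
Assumed: the DC also serves DNS, LDAP/LDAPS on 389/636 by default.
"""
import socket

ROLES = ("web", "query", "index", "ecs", "db")


def infra_ports(role, ldap_auth=False, profile_import=True, ldap_data_sources=False,
                ldap_port=389, ldaps_port=636):
    """(proto, port, service) rows the role needs open to the DC/DNS host."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    rows = [("tcp", 445, "Directory Services"), ("udp", 445, "Directory Services"),
            ("tcp", 88, "Kerberos authentication"), ("udp", 88, "Kerberos authentication"),
            ("tcp", 53, "DNS"), ("udp", 53, "DNS")]
    needs_ldap = ((role == "web" and ldap_auth)              # LDAP authentication configured
                  or (role == "index" and profile_import)    # profile import from the DC
                  or (role == "ecs" and ldap_data_sources))  # data sources authenticate via LDAP
    if needs_ldap:
        rows += [("tcp", ldap_port, "LDAP"), ("tcp", ldaps_port, "LDAPS")]
    return rows


def tcp_connect(host, port, timeout=3.0):
    """Real check: a completed TCP handshake means path and listener are open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_role(role, dc_host, connect=tcp_connect, **opts):
    """Return (missing, unverified): TCP rows that could not be reached, and
    UDP rows, which a connect() cannot test and must be confirmed on the
    firewall itself or with a real Kerberos or DNS query."""
    missing, unverified = [], []
    for proto, port, service in infra_ports(role, **opts):
        if proto != "tcp":
            unverified.append((proto, port, service))
        elif not connect(dc_host, port):
            missing.append((proto, port, service))
    return missing, unverified


if __name__ == "__main__":
    import sys
    # usage: python check_dc_ports.py <role> <dc host> [--ldap-auth]  (run on the role's own server)
    role, dc = sys.argv[1], sys.argv[2]
    missing, unverified = check_role(role, dc, ldap_auth="--ldap-auth" in sys.argv)
    for row in missing:
        print("BLOCKED  ", *row)
    for row in unverified:
        print("UNCHECKED", *row)
    sys.exit(1 if missing else 0)
```

Run it on each server in the perimeter, not from an administrator workstation: the point is to exercise the path the role itself will use, through whatever host firewall and router ACLs sit between that layer and the DC. A successful connect to TCP 88 or 53 only shows the port is reachable; it does not show that Kerberos or DNS is answering correctly, so follow a clean run with a real logon and name lookup.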
Requirements to support document conversions
If you are using document converters on the server, the following services must be installed and started on an application server:
Document Conversions Launcher Service
Document Conversions Load Balancer Service
Typically, these services are installed on the same application server or on separate application servers, depending on the topology that best suits your needs. These services can also be installed on one or more Web servers, if needed. If these services are installed on separate servers, communication between these separate servers must enable these services to communicate with each other.
The following table lists the port and protocol requirements for these services. These requirements do not apply to server roles in the farm that do not have these services installed.
Service | Requirement |
---|---|
Document Conversions Launcher Service | TCP port 8082, customizable for either TCP or SSL |
Document Conversions Load Balancer Service | TCP port 8093, customizable for either TCP or SSL |
For information about how to configure these services in a server farm, see Design document conversions topology.
Communication between network domains
Active Directory communication
Active Directory communication between domains to support authentication with a domain controller inside the corporate network requires at least a one-way trust relationship in which the perimeter network trusts the corporate network.
In the example illustrated in the first figure in this article, the following ports are required as inbound connections to ISA Server B to support a one-way trust relationship:
TCP/UDP 135 (RPC)
TCP/UDP 389 by default, customizable (LDAP)
TCP 636 by default, customizable (LDAP SSL)
TCP 3268 (LDAP GC)
TCP 3269 (LDAP GC SSL)
TCP/UDP 53 (DNS)
TCP/UDP 88 (Kerberos)
TCP/UDP 445 (Directory Services)
TCP/UDP 749 (Kerberos-Adm)
TCP port 750 (Kerberos-IV)
When configuring ISA Server B (or an alternate device between the perimeter network and the corporate network), the network relationship must be defined as routed. Do not define the network relationship as Network Address Translation (NAT). Note also that TCP 135 is only the RPC endpoint mapper: the RPC services it maps to (such as Netlogon) listen on dynamically assigned high TCP ports, so you must either permit that range through the device or restrict it on the domain controllers as described in the articles listed below.
For more information about security hardening requirements related to trust relationships, see the following resources:
How to configure a firewall for domains and trusts (https://go.microsoft.com/fwlink/?LinkId=83470&clcid=0x409).
Active Directory in Networks Segmented by Firewalls (https://go.microsoft.com/fwlink/?LinkID=76147&clcid=0x409)
Hardening for content publishing
Content publishing requires one-way communication between the Central Administration site on the source server farm and the Central Administration site on the destination server farm. Hardening requirements are:
Port number that is used for the Central Administration site on the destination server farm.
TCP 80 or 443 outbound from the source farm (for Simple Object Access Protocol (SOAP) and HTTP Post).
When you configure content deployment on the source farm, you specify the account to use to authenticate with the destination farm. A trust relationship between domains is not required to publish content from one domain to the other. However, there are the following two account options for deploying content — one of which does require a domain trust relationship:
If the application pool account of the source farm has permissions to Central Administration on the destination farm, select the Use application pool account option. This requires a one-way trust relationship in which the domain of the destination farm trusts the domain of the source farm.
You can specify an account manually rather than using the source application pool account. In this case, the account does not have to exist in the network domain of the source farm. Typically, the account is unique to the destination farm. The account can authenticate using Integrated Windows authentication or basic authentication.
Connections to external servers
Several features of Office SharePoint Server 2007 can be configured to access data that resides on server computers outside of the server farm. If you configure access to data on external server computers, ensure that you enable communication between the appropriate computers. In most cases, the ports, protocols, and services that are used depend on the external resource. For example:
Connections to file shares use the File and Printer Sharing service.
Connections to external SQL Server databases use the default or customized ports for SQL Server communication.
Connections to Oracle typically use OLE DB.
Connections to Web services use both HTTP and HTTPS.
The following table lists features that can be configured to access data that resides on server computers outside the server farm.
Feature | Description |
---|---|
Content crawling |
You can configure crawl rules to crawl data that resides on external resources, including Web sites, file shares, Exchange public folders, and business data applications. When crawling external data sources, the index role communicates directly with these external resources. For more information, see Plan to crawl content (Office SharePoint Server). |
Business Data Catalog connections |
Web servers and application servers communicate directly with computers that are configured for Business Data Catalog connections. For more information, see Plan for business data connections with the Business Data Catalog. |
Receiving Microsoft Office Excel workbooks |
If workbooks opened on Excel Services connect to any external data sources (for example, Analysis Services and SQL Server), appropriate TCP/IP ports need to be opened for connecting to these external data sources. For more information, see Plan external data connections for Excel Services. If Universal Naming Convention (UNC) paths are configured as trusted locations in Excel Services, the Excel Calculation Services application role uses the protocols and ports used by the File and Printer Sharing service to receive Office Excel workbooks over a UNC path. Workbooks that are stored in content databases or that are uploaded or downloaded from sites by users are not affected by this communication. |
Download this book
This topic is included in the following downloadable book for easier reading and printing:
Planning and architecture for Office SharePoint Server 2007, part 2
Planning an Extranet Environment for Office SharePoint Server
See the full list of available books at Downloadable content for Office SharePoint Server 2007