Exposing SharePoint to the Internet
Hey Guys,
This is a very high level view of how to expose SharePoint to the internet.
Methods:
- Place all of SharePoint, or just the SharePoint WFE, in the DMZ.
- Allow traffic through the DMZ into the internal network (using a router or load balancer).
- Place TMG or a similar product in the DMZ.
Pros and Cons:
1. Place all of SharePoint, or just the SharePoint WFE, in the DMZ.
Pros - This is a simple setup where you have one or more member servers in the DMZ, allowing client communication to hit the server directly.
Cons - This is considered insecure, as you have to do several things that go against best practice to make it happen: 1) a member server in the DMZ, 2) many firewall ports open, including RPC, DNS, ephemeral ports, etc. It also adds steps for internet users to access the SharePoint farm.
2. Allow traffic through the DMZ into the internal network (using a router or load balancer).
Pros - Simple design and easy to manage.
Cons - Many security groups will not allow this, as it lets unsecured traffic pass into the internal network without being scanned or monitored in any way. It is also not very flexible; you cannot do off-box SSL with this setup.
3. Place TMG or a similar product in the DMZ.
Pros - As long as the TMG or similar product is not a member server, this is the ideal solution. It is secure since you are not using domain credentials, and it generally requires a minimal number of ports to be opened (usually only HTTP/HTTPS). It also allows more advanced setups such as SSL offloading, traffic monitoring, etc., and keeps the SharePoint farm on the internal network where it belongs.
Cons - Adds to the budget, since you require more servers and load balancers, and adds a level of complexity to the environment when it comes to management, configuration, and troubleshooting. If not sized properly it can cause a performance hit.
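The difference between the three designs comes down to what crosses each firewall. The script below is an added example (not part of the original post) that reviews a constructed firewall rule set for each design against the principle the post argues for in method 3: only HTTP/HTTPS should cross a trust boundary, and nothing from the internet should reach the internal network directly. The zone names, the rule format and the three sample policies are constructed for illustration; the ports in DOMAIN_MEMBER_PORTS are the well-known ports a domain-joined Windows server normally needs back to its domain controllers, which is what a member server in the DMZ (method 1) forces you to open.

```python
"""Review SharePoint publishing firewall policies for trust-boundary violations.

Added example, not from the original post. Zones, rule format and the three
sample policies are constructed; DOMAIN_MEMBER_PORTS lists well-known Active
Directory membership ports (assumption: typical domain-joined server traffic).
"""
from dataclasses import dataclass

# Well-known ports a domain member needs to reach its domain controllers.
DOMAIN_MEMBER_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
                       389: "LDAP", 445: "SMB", 636: "LDAPS"}
EPHEMERAL_RANGE = (49152, 65535)   # dynamic RPC ports on modern Windows
WEB_PORTS = {80, 443}              # the only ports method 3 needs to open


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str      # "internet", "dmz" or "internal"
    dst_zone: str
    port_lo: int
    port_hi: int
    proto: str = "tcp"

    def ports(self):
        return range(self.port_lo, self.port_hi + 1)


def review_rule(rule):
    """Return a finding string for one rule, or None if the rule is acceptable."""
    if rule.src_zone == rule.dst_zone:
        return None                                 # intra-zone traffic is out of scope
    if rule.src_zone == "internet" and rule.dst_zone == "internal":
        # Method 2: internet traffic passes straight through without inspection.
        return f"{rule.name}: internet traffic passes unscanned into the internal network"
    if rule.src_zone == "dmz" and rule.dst_zone == "internal":
        non_web = [p for p in rule.ports() if p not in WEB_PORTS]
        if not non_web:
            return None                             # proxy -> WFE over HTTPS only
        if rule.port_lo <= EPHEMERAL_RANGE[1] and rule.port_hi >= EPHEMERAL_RANGE[0]:
            return f"{rule.name}: opens the ephemeral RPC range {EPHEMERAL_RANGE} from DMZ to internal"
        named = [DOMAIN_MEMBER_PORTS[p] for p in non_web if p in DOMAIN_MEMBER_PORTS]
        what = ", ".join(named) if named else f"ports {non_web[:5]}"
        return f"{rule.name}: opens {what} from DMZ to internal; only HTTP/HTTPS should cross"
    if rule.src_zone == "internet" and rule.dst_zone == "dmz":
        extra = [p for p in rule.ports() if p not in WEB_PORTS]
        if extra:
            return f"{rule.name}: non-web ports {extra[:5]} exposed to the internet"
    return None


def review_policy(rules):
    """Collect findings for a whole rule set, in rule order."""
    return [f for f in (review_rule(r) for r in rules) if f is not None]


# Constructed sample policies for the three designs in the post.
METHOD1_WFE_IN_DMZ = [
    Rule("inet-to-wfe", "internet", "dmz", 443, 443),
    Rule("wfe-to-dc-dns", "dmz", "internal", 53, 53, "udp"),
    Rule("wfe-to-dc-rpc", "dmz", "internal", 135, 135),
    Rule("wfe-to-dc-ephemeral", "dmz", "internal", 49152, 65535),
    Rule("wfe-to-sql", "dmz", "internal", 1433, 1433),
]
METHOD2_PASSTHROUGH = [Rule("inet-to-wfe-direct", "internet", "internal", 443, 443)]
METHOD3_PROXY_IN_DMZ = [
    Rule("inet-to-proxy", "internet", "dmz", 443, 443),
    Rule("proxy-to-wfe", "dmz", "internal", 443, 443),
]

if __name__ == "__main__":
    for label, policy in (("method 1", METHOD1_WFE_IN_DMZ),
                          ("method 2", METHOD2_PASSTHROUGH),
                          ("method 3", METHOD3_PROXY_IN_DMZ)):
        findings = review_policy(policy)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run stand-alone, the script reports four findings for the member-server-in-DMZ design (DNS, RPC, the ephemeral range and the SQL port all cross from the DMZ into the internal network), one for the pass-through design, and none for the reverse proxy in the DMZ, which is the port picture the pros and cons above describe in words.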
Comments
- Anonymous, January 01, 2003
You would need to work with your network/firewall group to have it connected to that particular network between the outer and inner firewalls; however, this would require many ports on the back firewall to be opened.
I would recommend you look at method #3 if you are able to.
- Anonymous, August 19, 2016
Shaq, I really don't recommend that you do, but if you must, that would be a job for your network team, as you will need to plug it into the correct network and then set the correct IP, subnet, and gateway.
Chris