Lately there has been quite a lot of discussions concerning Internet facing MOSS sites and content deployment. Quite often there’s misconception that MOSS cannot be used as Internet facing platform without separate authoring farm and utilizing content deployment. Assumption is understandable, but completely wrong.
By utilizing possibility to have multiple zones for single SharePoint application, we can setup an environment, which is can be accessed by both anonymous users from Internet and content editors from corporate network using windows authentication.
Zone in the SharePoint basically means different access points to access the same content. Each of these access points can have their individual configuration for the network and for the authentication. When we create a new zone, we actually create new IIS application, which is pointing to the same SharePoint application.
This model is often used in extranet scenarios, where the external users are authenticated using forms based authentication (FBA) and internal users are authenticated using windows authentication (NTLM). Same model can of course be used to provide content editing functionality for Internet facing site.
Following picture defines the elements more detailed.
External users are seeing only the www.[sitename].com address. This is physically one IIS application, which accesses the MOSS application.
Anonymous access is configured to the zone and the ViewFormPagesLockDown feature is activated for site collection to enhance security.
Internal users will have access to http://internet , which is exposed only to the internal network.
This secondary IIS application is used for creating the content in windows authentication mode to same MOSS application
Actual SharePoint application is in the database and both zones access the same content.
Following picture defines the model in infrastructure level. There are multiple different variations of this kind of setup depending on the network policies and possibilities. Each of the elements and few possibilities are declared also in detail.
Internet facing network zone for external people to access the service. Anonymous zone(s) are accessed from this direction.
Internet facing firewall and network load balancer, which permits only necessary ports to be used when accessing the portal.
Web front end servers actually serving the content for the external url, which is configured to the NLB and to the alternate access mapping.
Depending on the networks and the security setup, these can actually also be in the corporate network.
Since all of the zones created to the MOSS applications are synchronized between the servers, the IIS application for NTLM zone exists in these servers, but there’s no way to external people access this IIS application.
Optional firewall depending on the network, if the web front ends are in DMZ zone and the farm is divided between network segments.
This is so called split-back-to-back farm.
Optional internal servers, which can be used to access the internal zone configured to use Windows authentication. Zone is only available for corporate network using internal DNS entries.
Depending on the requirements and network, the NTLM zone could actually also exists in the WFE servers as declared partly already in step 3.
This is not usually seen as a valid option, but actually the model is justified with security considerations and with cost saving since we would not need separate authoring farm.
Internal access point to the portal using NTLM. From here the content editors can access the portal and make necessary changes.
Database cluster for the MOSS farm.
Index server crawling the sites. Depending on the content and load, the index server can actually also be acting as the WFE server and there for it can access the content directly from itself, rather than causing load to the other WFE servers.
There are however multiple different options on this one, so it’s a different discussion.
When separate staging or authoring farm is used, there’s more detailed processes to follow to keep the farms in sync, so that the content publishing work properly. In this option, there’s only one farm, so the deployment practices are more simplified (separate QA farm of course though recommended).
Other advance on the single farm setup is more simplified possibilities for custom solutions. Let’s have an example concerning simple feedback functionality.
Since there’s only one farm to manage and monitor, the overall costs of the MOSS deployment are considerable smaller than having two farms. Also keeping the separate farms in sync is more complex than having single farm to configure. Model also decreases the storage requirements, since there’s no duplications concerning the databases of the individual MOSS farms.
All the concepts declared in this article are dependent on the network configurations and security settings. Especially when we are exposing the services to the Internet, we really need to ensure that the network and farm is properly configured.
Also all the customizations developed have to follow the security recommendations so that any sensitive information is not exposed.
Since publishing of the content is instant when the Publish –button is clicked, the content can be easily modified and managed. There’s no delays of getting the information released to the internet, except the possible caching configurations.
It’s of course important to notice the model in prepared training mater, like instructing the content editors to use relative addresses for resources, like images and for the links within the portal.
We have used this model in multiple Internet facing sites during past few years successfully. Administrators have been pleased on the fact that there’s only one farm to manage and monitor, content editors have been pleased on the simplified model of authoring the content and generally customer directors have been pleased on the fact that the model saves investments done to hardware and to the possible customization.
Hopefully this provides more insight on the flexibility of the SharePoint and for the different possibilities it provides. Each enterprise architecture is independent and they all have their own environmental characters. Therefore the guidance provided from TechNet or from numerous blogs should be always adapt to specific engagement.