SharePoint 2013 Intranet, Extranet & Internet architecture
For quite some time there has been a picture in my mind of one on-premise SharePoint 2013 farm used for hosting a company’s Intranet, Extranet & Internet sites. Whenever there was any discussion of this shared farm idea, the immediate question raised was about security. Would you host your public website on infrastructure located inside the corporate firewall? What are the security implications of an attack on the Internet site; would that bring down the Intranet too?
In this post I will try to address these concerns and give you some guidance on whether a one-farm solution is a good option.
Let’s formulate a typical business request, using the fictional company name “Contoso”, for building its Intranet, Extranet & Internet on SharePoint.
Intranet: It comprises a corporate portal, team sites & employee personal sites. Employees working at company offices use their desktop computers to access these sites. The company has 2000 employees & currently uses a SharePoint 2007 based Intranet which it plans to upgrade to SharePoint 2013. Total data stored in the 2007 farm is 1TB.
Extranet – Remote Access (E-RA): The company promotes a flexible work environment & would like to enable remote access to Intranet sites for all of its employees. E.g. Kyle from accounts can work from home provided he can access the finance documents he is working on by logging in remotely to the SharePoint Finance team site.
Extranet – Partner Access (E-PA): The company has a lot of contractors working in the field & would like to set up a shared space for collaboration. These contractors aren’t given logins on the company network & so far the company has simply used memory sticks to share data. The company would like to set up SharePoint sites for external contractors & allow them access without creating any accounts in the corporate Active Directory.
Internet: The company’s Internet site is currently hosted on a legacy CMS whose support is about to end. The company is keen to explore options whereby its investment in SharePoint can be utilised to host its public facing site as well. The company website currently has 1000+ web pages & the odd web form. It gets around 100,000 hits per week overall.
Given the requirements above, what would the architecture design be?
Should we build one SharePoint farm inside the corporate network & use it for hosting all sites – Intranet, Extranet & Internet? Technically such a design is possible. We could build a 6 server (excluding SQL) farm with 4 web front ends & 2 application servers.
However, I wouldn’t recommend a shared farm solution for the following reasons:
- Security: Even if you use separate web applications, you are still bringing anonymous traffic from the Internet to your internally hosted servers. Web applications in one farm share the same farm account, configuration database & service applications, so a compromise reached through the public site is a compromise of the whole farm. You would have to consider all the security scenarios – denial of service attacks, attackers getting hold of your farm account, data leakage.
- Maintenance: Routine maintenance such as patching would need outages on both your Internet & Intranet sites. What if there is a clash between the times you are allowed an outage on the Internet & Intranet sites?
- Complexity: Your solution will become more complex as Service Applications will have to be partitioned, or a separate set of Service Applications will need to be created for Internet & Intranet to maintain data isolation.
The amount of money you plan to save with a shared solution like this may not be worth it when you consider all the factors – increased security risk, increased maintenance & ongoing support requirements due to complex design.
Two SharePoint farms
I would suggest a solution that keeps the Internet & Intranet/Extranet farms at arm’s length from each other. There should be no connection whatsoever between these two farms.
If your usage profile is like the one stated in the Usage Scenarios above, then your best design would be 4 SharePoint servers – 2 x WFE & 2 x APP. The SharePoint farm will sit inside the corporate network. Each server should have a multi core CPU, a minimum of 20GB RAM & 100GB of local disk.
Two reverse proxy servers sit in the perimeter network, i.e. inside the outer Internet facing firewall but outside the corporate firewall. You should use Windows Server 2012 Web App Proxy for your reverse proxy. The other alternative, Microsoft Unified Access Gateway, appears to have been discontinued.
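One concrete piece of that perimeter layer, as an added example that is not from the original post: publishing the Intranet web application through Web Application Proxy with AD FS pre-authentication, so unauthenticated Internet traffic is turned away in the perimeter network before it ever reaches the farm. It assumes the proxy is already joined to an AD FS farm and that the Intranet web application is configured as a SAML claims relying party of that AD FS (neither is covered in the post); all URLs, names and the certificate thumbprint are placeholders.

```powershell
# Added example (not the post's own configuration). Run on a Web Application
# Proxy server in the perimeter network. Assumptions: AD FS is deployed and the
# SharePoint Intranet web application is a relying party of it named 'Contoso Intranet'.

$externalUrl = 'https://intranet.contoso.com/'    # placeholder public name (E-RA users)
$backendUrl  = 'https://intranet.contoso.local/'  # placeholder internal SharePoint URL
$thumbprint  = 'PLACEHOLDER_CERT_THUMBPRINT'      # public TLS cert already in the proxy's store

# Publish the Intranet with AD FS pre-authentication: the proxy only forwards a
# request after AD FS has authenticated the user, so anonymous traffic never
# reaches the internal farm. PassThrough would hand that job to SharePoint instead.
Add-WebApplicationProxyApplication `
    -Name 'Contoso Intranet (E-RA)' `
    -ExternalPreauthentication ADFS `
    -ExternalUrl $externalUrl `
    -BackendServerUrl $backendUrl `
    -ADFSRelyingPartyName 'Contoso Intranet' `
    -ExternalCertificateThumbprint $thumbprint

# Check: every published application should be pre-authenticated, and none should
# point at the separate Internet farm, which must stay unreachable from this proxy.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication |
    Format-Table -AutoSize

$passThrough = Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalPreauthentication -eq 'PassThrough' }
if ($passThrough) {
    Write-Warning "Applications published without pre-authentication: $($passThrough.Name -join ', ')"
}
```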
Use Azure Access Control Services to provide access to external users who don’t have company logins (the contractors in our use case). You can configure ACS to use free web based identity providers like Google or Microsoft, or use Azure Active Directory.
Two SharePoint servers covering all roles should be sufficient for an Internet site mostly made up of publishing pages. There won’t be many backend processes running on your Internet site unless you are doing a lot more than simply publishing content.
If your business is looking to use SharePoint for its entire Intranet, Extranet & Internet needs, then look beyond the immediate idea of sharing resources to save money. A design that keeps your Intranet/Extranet & Internet separate from each other will be simpler, easier to maintain, more secure & over time will save you more money than a shared one farm solution.