Thursday, 17 June 2010

Extranets: SharePoint 2010 Gateway and Firewall Products

While there is already an abundance of information available online regarding SharePoint 2010, I had not seen much related information on gateway products until this afternoon. Considering the improvements made to Web hosting in SharePoint 2010, I thought it worth taking a look at the various supported options available and determine whether there is much difference when compared to those available at the time MOSS was released back in 2007. The most notable changes since then are that TMG 2010 is effectively the replacement for ISA server 2006 (although ISA 2006 is still tested and supported in SharePoint 2010), and ForeFront UAG 2010 replaces IAG 2007.

Wikipedia defines an extranet by stating that "An extranet can be viewed as part of a company's intranet that is extended to users outside the company, usually via the Internet". In the context of SharePoint, I interpret this as the ability to securely publish SharePoint resources over the Internet in order to provide access to users outside of the company infrastructure.

There are numerous reasons that companies may wish to use a firewall or gateway product to publish SharePoint resources; in my experience this has typically been to provide secure remote access to external staff and customers including those using mobile devices. One product that I have worked with in the past to facilitate this is ISA Server. As with MOSS, Microsoft have tested ISA server with SharePoint 2010 and provide a useful comparison between this, ForeFront TMG and ForeFront UAG here. One area that caught my attention was Web hosting: in SP2010, hosting providers are supposedly "first class citizens" with the introduction of data partitioning and service subscriptions to facilitate multi-tenancy. With this in mind, it seems likely that hosted service provides will want to consider a secure method of publishing their server farm to remote users using a gateway product such as Forefront UAG 2010.

Looking at the comparison provided by Microsoft in the above document, one might wonder why businesses would bother upgrading to Forefront TMG when they are already using ISA server 2006. After all, the only additional feature advertised appears to be "DirectAccess" - and even that is only partially supported for TMG 2010.

John Wettern made some some interesting points back in 2009 that might lead us to think that perhaps TMG is a significant release, as opposed to the difference between ISA server 2004 and 2006 which (as John rightly points out) was little more than a service pack in terms of new features. Looking on the Forefront TMG Technet Blog reveals a couple of other documented benefits of TMG over ISA server 2006 - integrated anti malware protection and encrypted traffic inspection. DirectAccess is a new feature in Windows 7 and Windows Server 2008 R2 that reportedly allows access to shared resources such as folders, e-mail servers and intranets without the need for a VPN.

Although the benefits here in using TMG over ISA are not really that relevant to securing a Web hosting service (which would likely benefit from the use of a reverse proxy server deployed in an edge firewall topology), I think the new features described in the above articles would certainly be useful to companies looking to deploy a gateway product in a back to back perimeter scenario for securing internal resources against the dangers faced online and improve accessibility to internal resources through DirectAccess. Indeed, Microsoft describe TMG as "a comprehensive, secure Web gateway that helps protect employees from Web-based threats" as opposed to UAG which "delivers secure, anywhere access to messaging, collaboration, and other resources, increasing productivity while maintaining compliance with policy".

So aside from the obvious benefit of an extended support period, there appear to be few compelling reasons for MOSS Web hosting providers to move from an existing reverse proxy scenario using ISA server 2006 to TMG 2010 when it comes to upgrading to SharePoint 2010 - indeed, you would only use TMG to protect internal users from Web based threats.

Lets move on to Forefront UAG 2010 - Microsoft's flagship gateway product that extends the features offered by TMG to include dedicated interfaces for mobile devices, health based authorisation and information leakage mitigation.

Microsoft provide a useful lists of benefits UAG brings to SharePoint here. This time the feature comparison appears to offer a more compelling reason to upgrade from ISA server 2006 in order to publish SharePoint 2010 resources - lets take a look at these features in the context of a provider looking to publish an extranet in a remote access scenario.

First up - information leakage mitigation. Having been through numerous penetration tests with prospective clients recently this one certainly sparked my interest. UAG deletes all cached files, temporary files and cookies which from a security perspective offers a compelling new feature when compared to ISA and TMG. Similarly, endpoint health-based authorisation offers an interesting corporate security improvement - particularly the capability to prevent unsupported (and potentially insecure) browser versions from accessing a published SharePoint site. It seems that these new security features will allow hosting service providers to proactively protect their sites in more ways than ever before.

Microsoft's inclusion of "Granular access policies" as an exclusive UAG feature in the comparison threw me slightly - having used ISA server 2006 extensively as an edge firewall I didn't see this is a new feature given that the ISA policy manager is extensive. I dug a little further on technet and can conclude that this feature mainly refers to the ability to target policies at specific platforms - such as Windows, Macintosh or Linux. I think that Microsoft's consideration for platforms other than Windows here demonstrates their change in approach toward competitors - a welcome change for customers that is consistent with the cross-browser support for SharePoint 2010.

In conclusion, customers planning to move to SharePoint 2010 that are looking to implement a gateway product to securely publish their server farm have more choice than ever before. While there are few obvious reasons to move from an existing ISA server 2006 based topology to TMG 2010, the extended features offered by UAG 2010 are a definite improvement and will allow providers to offer a very secure, policy based SharePoint installation to customers. Customers wishing to upgrade should note that UAG 2010 requires Windows Server 2008 R2 64-bit.

Subscribe to the RSS feed

Follow me on Twitter

Follow my Networked Blog on Facebook


  1. Hi Benjamin

    Question is of course whether you want to administer all of your customers, suppliers, consultants and other partners in your AD? If this is not the case, you still need a good SharePoint Extranet Manager Solution. This doesn't mean that a firewall product is superflous, but still you need an appealing alternative to manage users, give them the option to reset their passwort, give them access to SharePoint sites etc. I've written a post about it here:

    Many thanks for your post. It was helpful when implementing a SharePoint 2010 extranet where the customer actually did create remote users in his AD and we weren't sure on whether this would be supported by ISA 2006. However, Microsoft's Extranet Topologies diagram also now provides some infos in relation to that.



  2. Marco - I'm glad that you found the post helpful.

    Obviously things have changed a bit since the post and I would now suggest ForeFront TMG as a modern alternative to ISA Server 2006.

    You are correct in that having all users within AD is not for everyone and I will make a point of reading through your post when I return from New Zealand (I'm currently there on vacation).