Wednesday, April 25, 2007

SharePoint V3: A MOSS 2007 Extranet Scenario of an Internal Parent Site Having Multiple Extranet Sub-Sites

One common extranet configuration of MOSS 2007 is when an organization sets up an internal-only site collection but has multiple external facing sub-sites (perhaps for clients or projects). I have created a sample configuration for this design using a fictitious company called “Wharf Technologies.” This example assumes the following:

* There is one set of internal users (e.g. Wharf employees)
* There are multiple sets of external users (e.g. clients)
* Users and groups are managed in Active Directory
* There is one root site collection called “Wharf Technologies Portal”
* There are many client sub-sites, one per client
* Wharf employees are supposed to have access to the Wharf Technologies Portal, plus all of the client sub-sites
* Wharf clients are not supposed to have access to the Wharf Technologies Portal; they should only have access to their client site
* For demonstration purposes, one of the client organizations is called Awesome Computers
* The Site Collection Administrators and Portal Owners have already been provisioned on the Wharf Technologies Portal
* The URL for the Wharf Technologies Portal is
* The Awesome Computers sub-site has already been created, the URL is http://portal.wharf.com/sites/awesomecomputers
* Each client site should have its own URL, available outsidse the Wharf network

Setting up something like this requires several network and SharePoint configurations. Below are steps outlining one approach to achieving these configurations in a sample environment. Keep in mind that there are many different approaches achieving the requirements and this is just one example. In real life you need to consider information security and corporate compliance policies and procedures of both the company hosting the web site and the client companies.

From Active Directory Users and Computers:
Create an AD security group called Wharf Technologies Users
Create an AD security group called Awesome Computers Users

From the Wharf Technologies Portal Site:
Actions > Site Settings > Modify All Site Settings > Advanced Permissions > New > Add Users
Add the Wharf Technologies Users AD group
Give Permissions Directly (Contribute)
Uncheck the option to send welcome e-mail to the new users
Click OK

From the Awesome Computers Sub-Site:
Site Actions > Site Settings > Advanced Permissions > Actions > Edit Permissions
Click OK to the warning message regarding unique permissions
New > Add Users
Add the Awesome Computers Users AD groupGive Permissions Directly (Contribute)
Uncheck the option to send welcome e-mail to the new users
Click OK

At this point the Awesome Computers have access to their site, but not the root site collection.

From Internet Information Services Manager:
Create a new web site called Awesome Computers
On the Web Site tab, provide a host header, awesomecomputers

On the web site tab, set the “content for this resource should come from:” option to “A redirection to URL”
For the “client will be sent to” option, check off “the exact URL entered above”
Set the “redirect to:” field to

From Active Directory DNS:
Create an alias record mapping awesomecomputers host name to the host name of the Wharf Technologies Portal (e.g. portal.wharf.com)

From Internet Explorer:
Test the redirection web site, awesomecomputers.wharf.com should resolve to the Awesome Computers sub-site

From SharePoint:
If any custom branding has been applied, ensure that NT Authenticated Users group or a similar group has permission to the master page and css files. This will ensure that the branding is visible to the client users.

At this point users should be able to point their browser to
http://awesomecomputers.wharf.com and be redirected directly to the Awesome Computers sub-site of the Wharf Technologies Portal.

The next configuration is to establish public facing access to the Wharf Technologies Portal ip address, port number, and establish external name resolution to the Awesome Computers host name. The configuration requirements of public ip address and name depend on the network hardware that is being used on the network perimeter and therefore vary from organization to organization. External DNS Name propagation make take several hours to complete since it must be updated at the service provider.

The end result is that each client site that is configured is accessible from outside the network, each having their own unique URL, and SharePoint permissions is set up such that client users can only access their own sites.

1 comment:

Jeff said...

We are about to something very similar with MOSS 2007 (Internet, intranet, extranet scenario). Thanks for the advice.

Blog Archive