Open the site, not the portal

[ouzojd]

Hi, I was wondering if it was possible to open up a site to a few external users. We have SPS2003 as our Intranet but would like to open up 1 site on the portal

http://servername/sites/sitesname

to the internet.

I was thinking of using certificates but I dont know how to have an individual site in sharepoint show up as a virtual directory in IIS?

Otherwise I will need to install the certicate on all users machines here for the entire portal I think.

Does anyone have any thoughts or a better option for securely opening one site. PS: I dont have ISA

Thanks.

 

[Thomas2000]

Hi,

If you will open up this to users that are not employed by your company you will have to buy both Windows Server External Connector Licenses and SharePoint Portal External Connector licenses and thos are pretty darn expensive. Without using somekind of proxy you will have a huge security issue. Using SSL/HTTPS is definately a must, and using SSL/HTTPS you will have to use basic authentication, and also you will have to use an SSL certificate.
The certificates are based on URL names so it would actually affect all your sites and your portal aswell (since you will install it on servername.com).

If you have a VPN solution in place and only have a few external users that you need to open access to, then I would recommend giving them VPN access instead of opening up a site to the Internet, since that will generate a lot of costs.

Also you will have to create accounts for your users, which possibly means opening up outside traffic to your internal AD (unless you are able to create local user accounts on the SharePoint server, this does not work if you have a loadbalanced environment though).

Another way would be for you to create a new virtual website with a new hostname (and a separate DNS name and IP) and simply use WSS and make it a stand alone site. This will allow you to get around the SharePoint Portal Server External Connector License issue, you only need Windows Server External Connector license. You will also be able to use local user accounts, instead of opening up traffic to your internal AD.

As you can see, it is not a very simple and quick task to open up external access and keeping the security at a high level.

I do not think I actually answered your question, but tried to shed some light over it

Cheers,
Thomas

http://www.thompa.se

 

[ouzojd]

You did come pretty close, it is for employees of the company so licensing isnt an issue. VPN is my preffered option but not acceptable to the powers that be. What do you mean by virtual website.. does that mean creating a new website with a different port in IIS with a CNAME in DNS?

 

[philhege]

If the SPS portal is at all open to the public Internet, licensing is definitely an issue. You can't just tell MS "Oh, no, just a few company users will connect."

Tell "the powers that be" that it's VPN or 30 Gs plus all of the other licensing considerations. That'll get their attention.

I don't get the aversion to VPN. We use it all the time and it is, quite frankly, a lifesaver for remote users.

Phil Hegedusich
Senior Programmer/Analyst
IIMAK

http://www.iimak.com

-----------
I'll have the roast duck with the mango salsa.

 

[Thomas2000]

Yes it means creating a new website with a different port in IIS and with a CNAME host record in the DNS.

And as philhege says, VPN is a lifesaver for remote users, we are using it a lot here too.

Cheers,
Thomas

http://www.thompa.se

 

[ouzojd]

Yes, we also use a VPN for IT and Executive staff but they dont want it for this purpose, so I'm thinking https with client side certificates and possibly also only accepting connections through https from the static IPS of these users. I dont think I need an external connector licence if I can show it is limited and those users have the Sharepoint and WIN2k3 CALS?

 

[Thomas2000]

I had a long talk with Microsoft regarding our extranet solution and licensing. Since this licensing issue is a complete jungle and not even Microsoft themselves really knew how it worked. The answer I got from them was that if it will only be Internal persons accessing the environment you do not need the External Connector License, since those connections are covered by your CAL's. You only need the external connector license if there are external persons (that are not employed at your company) that will also access this environment.

My suggestions is that you get intouch with Microsoft and explain your setup and what you intend to do.

Cheers,
Thomas

http://www.thompa.se

 

[ouzojd]

Thanks

 

[Burninator]

One other solution would be to not even touch your initial portal as regards SSL.

- Create another IIS virtual Server, and from the WSS options in central admin do an 'extend and map' to the portal virtual server.

- Then on the 'New' virtual server implement your SSL. Leaving the initial portal intact. Also you could create a third IIS virtual server, which would or could redirect a URL to the actual portal site or team subsite.

Would that be a possible workaround for you?

Later
Jay

Later,
Jay

 

[ouzojd]

Sounds like it might be, I'm having a chat with the boss next week. Will let you all know what we end up doing. Thanks for your help so far everyone.