Question

I have a project which has the following requirements:

  • two functional areas: intranet and extranet
  • two types of users: corporate users and partners (via claims authentication, AD for corporate users, and FBA for partners)
  • corporate users have access to both areas
  • partner users have access to the extranet area only

My principal question concerns the query topology. I have the following requirements:

  • corporate users can search globally from any place (an intranet or extranet search will produce results from both areas)
  • partner users can search only extranet content
  • external apps and file shares are indexed

Security is an important part of my customer requirements, so I'd like to put the extranet web server in a DMZ.

Do you have advice for such a scenario?

If I create only one farm, I think I can't have one web front-end in the DMZ that serves only the extranet content, can I?

If I create two farms, each with search services, I can set up the intranet search to crawl extranet content. But in this case, if a corporate user searches from the extranet, he will have only results from the extranet, right?

If I create two farms, and use the intranet farm's search services from the extranet farm, how can I ensure the partner users will get results only from the extranet area, while corporate users get results from any place? What about file shares with no security set?

thx


Solution

Search is security trimmed. That means that an intranet user will see hits that he has access to, and extranet users will get hits trimmed with what they have access to see. This also goes for file shares as they have ACL set on the file system.

Be aware that indexing extranet content that uses FBA will need to be done by extending that web application with a new zone that uses NTLM, or the indexer won't be able to index it. Since extending web apps is really just a new IIS site and an AAM, your path for extranet hits will be to your extranet site, not the extended internal address.
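The zone extension described in the answer, written out as an added PowerShell example (this is not the answerer's code). It assumes a SharePoint 2010 farm, an existing FBA extranet web application at https://extranet.contoso.com, an internal-only host name extranet-crawl.corp.local that is resolvable only inside the corporate network, and a search service application already in place; all of those names are assumptions.

```powershell
# Added example, not part of the original answer.
# Goal: give the crawler an NTLM zone on the FBA extranet web application so it
# can index the content, while end users keep reaching the site through the
# FBA zone (AAM maps hits back to the public URL).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$extranetUrl = "https://extranet.contoso.com"       # assumed: existing FBA web app (Default zone)
$crawlHost   = "extranet-crawl.corp.local"           # assumed: internal-only DNS name, never published
$crawlUrl    = "http://$crawlHost"

# Claims provider for the new zone: Windows integrated authentication (NTLM) only.
$ntlm = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

# Extend the existing web application into the Intranet zone with that provider.
# This creates a second IIS site plus the alternate access mapping for $crawlUrl.
New-SPWebApplicationExtension -Identity $extranetUrl `
    -Name "Extranet - crawl zone (NTLM)" `
    -Zone Intranet `
    -URL $crawlUrl `
    -Port 80 `
    -HostHeader $crawlHost `
    -AuthenticationProvider $ntlm

# Crawl the NTLM zone, not the FBA zone. The content source name is an assumption.
$ssa = Get-SPEnterpriseSearchServiceApplication
New-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa `
    -Name "Extranet (via NTLM zone)" `
    -Type SharePoint `
    -StartAddresses $crawlUrl

# Check: the crawl host must only appear in the Intranet zone mapping, so it is
# never a URL that partners can reach through the reverse proxy or DMZ.
Get-SPAlternateURL -WebApplication $extranetUrl |
    Where-Object { $_.Zone -eq "Intranet" } |
    Select-Object IncomingUrl, Zone, PublicUrl
```

The last query is the check a reviewer would want after the extension: the NTLM host name should exist only as the Intranet zone mapping, resolved by internal DNS and not published by the reverse proxy, so the second authentication path does not become a second way into the extranet site.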

Other tips

Running a dedicated environment in the DMZ is not a desirable option. I would build the following topology:

Use a reverse proxy like TMG to publish the URLs to the internet. In general I would recommend also publishing the intranet and using only one URL that works inside the company and outside the company. http://msdn.microsoft.com/en-us/library/gg430121(v=office.12).aspx

The search application will be valid for all users (claims AD and claims forms). The indexed content from the file shares will not show up for the claims forms users because they are not evaluated against AD ACLs, so there is no chance the users will see results from the share.

If more separation is needed you could split up search and create different search scopes to isolate content and configure the corresponding search center to only use the needed scope. http://technet.microsoft.com/en-us/library/ee792872.aspx

If you don't want a dedicated search web application you can host the search center on the corresponding web app, but the user may be confused by the fact that 2 search centers will exist. I would recommend using one primary search center for all.
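The scope-based isolation this answer suggests, as an added PowerShell example that is not the answerer's code. It assumes a SharePoint 2010 search service application, an extranet web application at https://extranet.contoso.com and a file share \\fileserver\projects; the scope names, URLs and share path are all assumptions.

```powershell
# Added example, not part of the original answer.
# Goal: one search application for everyone, but an "Extranet" scope that an
# extranet search center can be pinned to, so partner queries are narrowed to
# extranet content by default.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssa         = Get-SPEnterpriseSearchServiceApplication
$extranetUrl = "https://extranet.contoso.com"   # assumed: public extranet URL (the URL hits are mapped to)
$shareUrl    = "file://fileserver/projects"     # assumed: crawled file share, internal content

# Shared scope: include everything under the extranet host name.
$extranetScope = New-SPEnterpriseSearchQueryScope -SearchApplication $ssa `
    -Name "Extranet" `
    -Description "Extranet web application only" `
    -DisplayInAdminUI $true

New-SPEnterpriseSearchQueryScopeRule -SearchApplication $ssa -Scope $extranetScope `
    -RuleType Url -MatchingRule Domain -Url $extranetUrl -FilterBehavior Include

# Corporate scope: extranet plus the file share, for the intranet search center.
$corpScope = New-SPEnterpriseSearchQueryScope -SearchApplication $ssa `
    -Name "Corporate" `
    -Description "Intranet, extranet and file shares" `
    -DisplayInAdminUI $true

New-SPEnterpriseSearchQueryScopeRule -SearchApplication $ssa -Scope $corpScope `
    -RuleType AllContent -FilterBehavior Include

# Scopes only take effect after compilation (object-model call; runs on a schedule otherwise).
$ssa.StartScopesCompilation()

# Review what was created.
Get-SPEnterpriseSearchQueryScope -SearchApplication $ssa |
    Select-Object Name, Description, CompilationState
```

A scope is a query filter, not an access control: the first answer's point still holds that security trimming against the item ACLs is what keeps a partner from seeing intranet or file-share hits, and the scope only decides what the extranet search center asks for by default. Bind the extranet search center's results pages to the "Extranet" scope and keep the "Corporate" scope on the intranet search center, and check the compiled scope against a partner test account before publishing.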

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange