Problem: What is the best approach for an extranet?
Hypothesis:
You are implement SharePoint 2010 and you need users to have remote access, the 2 key technology impact areas are:
• Authentication to SharePoint 2010; and
• Remote access mechanism (External users).
I will deal with each question separately for simplicity.
Authentication
SharePoint 2010 has 2 mechanisms for authentication: classic (MOSS approach) and claims based. I would almost always recommend using Claims based authentication as this allows you to hook into any credential provider such as LDAP, AD, SQL or a custom provider. For example a recent project involved authentication from Active Directory & an IBM LDAP provider, this was relatively easy to do using claims based authentication. If you have a custom Single Sign-On (SSO) solution you can write your own claims provider.
Remote Access
The answer for where to deploy SharePoint is … “It depends on what you have currently, your licencing and security requirements.”
Option 1
You can put SharePoint in your DMZ (public area) and use a reverse proxy and allow users access to you SharePoint farm. You will probably want to use SSL between the external end users and the reverse proxy. The traffic between the SharePoint Farm the proxy won’t be under SSL. This approach is good for easy access, high performance and easy setup. This approach is not as secure as getting users to login to your network using VPN access. The advantage is you merely need SSL setup (my preference is firewall SSL termination i.e BlueCoat, most hardware firewalls offer this including F5’s Big-IP, you can also use the latest ISA/UMG proxy software to do SSL termination. Microsoft’s ISA 2006 has SSL termination built and is a pretty good solution. I believe UMG is the update to ISA. SharePoint requires sticky sessions so if you are using a hardware or software based load balanced, you must have sticky sessions enabled.
Option 2
Another option is to use SSL NIC’s or my least favourite but most commonly used option is SSL on the server. You can still have your firewall in place but you don’t use a reverse proxy. I would definitely go for a reverse proxy with external access over SSL but this options is available on smaller SharePoint farms. You can also load balance using NLB. SSL adds about a 35% overhead to CPU resources on the server and SSL NIC cards can drastically improve CPU utilisation, however I would prefer to terminate at the firewall if possible.
Option 3
VPN solutions – Either IPSec or SSL-VPN’s are a good option but it depends on your infrastructure as setting up a VPN is a program in itself. Remote offices are already on VPN or some tunnelling technology but this doesn’t work for home users or 3rd parties as you need to give them remote access which generally involves RSA token or some sort of security token. This is the most secure option and once a user is on the network they will access your private SharePoint farm over http.
Resolution: The general answer as always in SharePoint is "It depends ...".
I would recommend profiling all type of possible users something like
Role: Head Office User
Description: Http access from the LAN authenticating using AD.
Role: Satellite Office User
Description: Remote office has a VPN tunnel/MPLS to the head office, employees are authenticated using AD and will use http to access the SharePoint farm.
Role: Employee at home
Description: http (SSL-VPN) AD Employees have SSL-VPN access and once connected used http to view the SharePoint farm. Authenticated using AD.
Role: 3rd Party users https SQL database or AD
Description: Suppliers need to with SharePoint, they will access 2 SharePoint load balanced servers in the DMZ using https. The firewall is an ISA server 2006 which offers SSL termination and host header redirection.....
You can also surface the same site using different urls, so have an internal site and then a site in the DMZ.
When doing your farm architecture other points to bear in mind are redundancy, performance & licencing. This coupled with your existing technology status and your SharePoint will provide a accessible, stable, scalable, preformant, secure SharePoint farm. Designing your farm will reduce you licencing costs dramatically while providing the best solution to the business.
Friday 22 October 2010
Thursday 21 October 2010
Feature is always activated for features targeted at a web site (web)
Finding: Feature scoped at "web" is always activated when deploying using Visual Studio 2010. Regardless of the "Activate on default" setting, - thanks Matthew.
Monday 18 October 2010
Tuesday 12 October 2010
CKSDev tool issue - The custom tool SPMetalGenerator failed
Problem: When adding a SPMetal Definition (CKSDev) item in visual studio, the SPMetal proxy generation fails with the error message: The custom tool 'SPMetalGenerator' failed. Object reference not set to an instance of an object.
Hypothesis: CKSDev item template is failing, next I tried SPMetal from the command line and received the "Invalid File Name" error. I had previously fixed this issue and here is the link.
I check the issue using the browser:
More Info:
http://sp2010uk.blogspot.com/2010/08/issues-with-site-columns-content-types.html
Resolution: Delete the list showing the Invalid file name error. I could not do it from the UI so I used PowerShell.
More Info:
http://sp2010uk.blogspot.com/2010/08/issues-with-site-columns-content-types.html
NullReferenceExcepetion when viewing/editing an existing list item after the list instance has been deployed
Problem: When viewing or editing and item in a list, I receive an application error (NullReferenceException). This happens when I redeploy a list, my list is defined using site columns, content type and the list definition is based on the content type.
System.NullReferenceException: Object reference not set to an instance of an object. at Microsoft.SharePoint.Publishing.FieldCache.TryGetValue
Initial Hypothesis: ULS logs show me that a lookup list is not being found. By examining the columns on the list instance I can see they are not being created correctly. My initial thought was my xml was wrong, once it was reviewed and I found it to be correct I realised it was a caching issue.
Resolution: Clear the Visual Studio Cache
My ULS logs contained the following information:
Failed to cache field with id
Unable to open Lookup list 'Lists/xxxList'.[Error was 0x8007....]System.NullReferenceException: Object reference not set to an instance of an object. at Microsoft.SharePoint.Publishing.FieldCache.TryGetValue
Initial Hypothesis: ULS logs show me that a lookup list is not being found. By examining the columns on the list instance I can see they are not being created correctly. My initial thought was my xml was wrong, once it was reviewed and I found it to be correct I realised it was a caching issue.
Resolution: Clear the Visual Studio Cache
- Right click on "Project" in Solution Explorer and click "Retract";
- Close Visual Studio 2010; and
- Open the "Project" in Visual Studio 2010 and "Deploy" the solution.
Monday 11 October 2010
SPMetal naming conventions - good practice
Problem: The Linq to SharePoint proxy generates properties using the display name of the column, additionally spaces are removed. If you use a friendly short name you get duplicates. The 2nd instance is appended a integer. If you add a column with the internal name "Advert Title" and it's display name is "Title", SPMetal generates 2 properties namely: Title (the default column in all lists) and Title0, not ideal to differeintiate in code.
Resolution: Make the display name more specific to avoid the scenario. I.e. "Publication Title" would become the property "PublicationTitle".
Resolution: Make the display name more specific to avoid the scenario. I.e. "Publication Title" would become the property "PublicationTitle".
Tip: Update 18 Oct 2010 - SPMetal does not like spaces in the url to the site that it generates off. Error the web at 'http://demo.dev/sites/my site' could not be found
Friday 8 October 2010
Extending SPMetal - Retrieving Attachments from SharePoint Lists
Problem: LINQ to SharePoint does not support attachments by default.
2) Get a specific item using the LINQ to SharePoint model and using the String array returned by the extended class, get the file objects using SharePoint’s server side object model.
Tip: I upload attachments using the Dialog framework point to attachfile.aspx as it does all the work for me.
_layouts/attachfile.aspx?ListId={5555D16F-5559-4CE4-555E-F5B0E9DC5555}&IsDlg=1&ItemId=
Hypothesis: Traditional Server Object Model approach to retrieving a specific list item’s attachments. Approach is shown below:
Resolution: Use a partial class as described by Andrew Connell to use Linq to SharePoint to work with attachments. You could hydrate the attachment (SPFile objects) in the parital class but I choose not to, in case someone in the development team used the extended mapped property for retrieving a large list. This uses the Server object model and the hydration process is extremely heavy. This method allows me to know if there are attachments, how many and where I can get them. With this information I only get the specific SPFile objects if I need to work with the object. Outlined are the steps to extend LINQ to SharePoint to retrieve attachment associated to items in a list.
1) Extend the SPMetal generated proxy class
Tip: attachments is a string array, not an array of SPFile objects. The attachements.UrlPrefix property can be used to hydrate the SPFile objects for the list item.
Tip: I upload attachments using the Dialog framework point to attachfile.aspx as it does all the work for me.
_layouts/attachfile.aspx?ListId={5555D16F-5559-4CE4-555E-F5B0E9DC5555}&IsDlg=1&ItemId=
Subscribe to:
Posts (Atom)