- First lesson: do not be optimistic and greedy about Microsoft's latest SharePoint technologies for an extranet implementation. During our extranet implementation, ADFS was brought to our attention, and it looked like an excellent solution for internal and external SharePoint. We spent almost two months successfully setting up ADFS and converting all Windows-based authentication to ADFS claims-based authentication in a non-production environment. However, we identified about a dozen major issues where out-of-the-box SharePoint functions do not work as-is, and there is no clear roadmap from Microsoft for resolving them. One example is audience targeting, which no longer works based on users. Several services need the Claims to Windows Token Service (C2WTS) to work, but BCS cannot use C2WTS, and you cannot set up a BDC connection through SharePoint Designer. Of course, we have identified workarounds for some of the issues, which we will post in the near future. Another thing you should know is that ADFS 2.0 is NOT supported by Forefront UAG at this time; you have to downgrade to ADFS 1.0 if you plan to use UAG now. According to a Microsoft insider, it should be supported around September 2011.
- Second lesson: pay extra attention to the connections and ports used between the SharePoint servers, and have your security and network teams evaluate the Microsoft extranet topology before the final architecture design. We originally evaluated both the split back-to-back topology (optimized for content publishing) and the edge firewall architecture. The first seemed to make sense because it avoids paying for an additional Forefront UAG license. However, if you read the notes in the Microsoft extranet topology documentation, they send you straight into a discussion with corporate security and network teams. The significant note is that it requires a one-way trust relationship in which the perimeter domain trusts the corporate domain. This immediately drew attention from our security team, since such a trust is not allowed under our company policy. In addition, the front-end servers in the DMZ also need to connect to the internal AD for internal users and to the SQL server for search crawling, so multiple ports have to be opened on top of the one-way domain trust. Check with your security team on policy early and avoid this pitfall.
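To make that conversation with the security and network teams concrete, the following PowerShell script (an added example, not from the original post or from Microsoft) inventories the two things the topology note raises: the direction of the trust as seen from the perimeter domain, and the TCP ports a DMZ front end must reach inside the corporate network. The domain, domain controller and SQL server names are placeholders, the port list is illustrative (standard LDAP, LDAPS, Kerberos and default-instance SQL ports) rather than the authoritative list from Microsoft's topology documentation, and it assumes you run it on a DMZ web front end joined to the perimeter domain with the ActiveDirectory module installed.

```powershell
# Added example (not from the original post): audit the perimeter-domain dependencies
# that a split back-to-back SharePoint extranet topology introduces, so the security
# and network teams can review them before the design is final.
# Assumptions (hypothetical names, adjust for your environment):
#   - run on a DMZ web front end joined to the perimeter domain
#   - corporate DC and SQL server names below are placeholders
#   - SQL uses the default instance port 1433; LDAP/Kerberos use their standard ports
#   - the port list is illustrative; take the authoritative list from Microsoft's
#     extranet topology documentation
$CorporateDomain = 'corp.example.com'
$CorporateDc     = 'dc01.corp.example.com'
$SqlServer       = 'sql01.corp.example.com'

# 1. Trust direction. From the perimeter domain's point of view, "the perimeter domain
#    trusts the corporate domain" shows up as an Outbound trust whose Target is corporate.
Import-Module ActiveDirectory -ErrorAction Stop
$trusts = Get-ADTrust -Filter * | Select-Object Name, Source, Target, Direction, TrustType
$trusts | Format-Table -AutoSize
$toCorp = $trusts | Where-Object { $_.Target -eq $CorporateDomain }
if ($null -eq $toCorp) {
    Write-Warning "No trust to $CorporateDomain found in the perimeter domain."
} elseif ($toCorp.Direction -eq 'Outbound') {
    Write-Output "Perimeter domain trusts $CorporateDomain (one-way, outbound). Confirm this is allowed by policy."
} else {
    Write-Warning "Trust to $CorporateDomain is $($toCorp.Direction); the topology calls for a one-way outbound trust only."
}

# 2. Ports the DMZ front end must reach inside the corporate network (all TCP here;
#    Test-NetConnection cannot probe UDP, so DNS/Kerberos over UDP must be checked separately).
$required = @(
    @{ Host = $CorporateDc; Port = 389;  Purpose = 'LDAP to corporate AD (internal user lookups)' },
    @{ Host = $CorporateDc; Port = 636;  Purpose = 'LDAPS to corporate AD' },
    @{ Host = $CorporateDc; Port = 88;   Purpose = 'Kerberos (TCP)' },
    @{ Host = $SqlServer;   Port = 1433; Purpose = 'SQL Server (content/search databases)' }
)
$results = foreach ($r in $required) {
    $t = Test-NetConnection -ComputerName $r.Host -Port $r.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host    = $r.Host
        Port    = $r.Port
        Purpose = $r.Purpose
        Open    = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Anything listed as Open=True is a path through the firewall that exists today; anything
# Open=False is a rule you will be asking the network team to add. Either way, hand this
# table to the security team together with the trust finding above.
$results | Export-Csv -Path .\dmz-dependencies.csv -NoTypeInformation
```

Run it once on each DMZ front end; the exported CSV plus the trust listing is the artifact the security team actually needs to decide whether the topology is acceptable, rather than a diagram that leaves the trust direction and port list implicit.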
- Third lesson: double-check the cost of the extranet implementation under each candidate architecture. At the beginning, we did not select the edge firewall architecture because it requires a Forefront UAG license and a Forefront UAG SharePoint extranet adapter license, in addition to the WFE extranet adapter and SQL extranet licenses. You will also need to account for the cost of any additional servers and any third-party server-based licenses.
Please check back to see our progress, and good luck with your implementation.