Supported extranet topologies for Office SharePoint Server 2007 and Project Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2015-03-09

About extranet environments

An extranet environment is a private network that is securely extended to share part of an organization's information or processes with remote employees, external partners, or customers. By using an extranet, you can share any kind of content that is hosted by Microsoft Office Project Server 2007, including the following:

  • Project Web Access information (assignments, tasks, projects, and so on)

  • Collaborative information available through Project workspaces

The following table describes the benefits that the extranet provides for each group.

Group Benefits

Remote employees

Can access corporate information and electronic resources anywhere, at any time, and in any place, without requiring a virtual private network (VPN). Remote employees include the following:

  • Traveling sales employees

  • Employees working from home offices or customer sites.

  • Geographically dispersed virtual teams.

External partners

Can participate in business processes and collaborate with employees of your organization. You can use an extranet to help improve the security of data in the following ways:

  • Apply appropriate security and user-interface components to isolate partners and to segregate internal data.

  • Authorize partners to use only sites and data that are necessary for their contributions.

  • Restrict partners from viewing other partners' data.

You can optimize processes and sites for partner collaboration in the following ways:

  • Enable employees of your organization and partner employees to view, change, add, and delete content to promote successful results for both organizations.

  • Configure alerts to notify users when content changes or to start a workflow.

Microsoft Office SharePoint Server 2007 and Office Project Server 2007 provide flexible options for configuring extranet access to sites. You can provide Internet-facing access to a subset of sites on a server farm, or make all content on a server farm available from the Internet. You can host extranet content inside your corporate network and make it available through an edge firewall, or you can isolate the server farm inside a perimeter network.

Supported extranet topologies

This section discusses specific extranet topologies that have been tested with Microsoft Office SharePoint Server 2007 and Office Project Server 2007. The topologies that are discussed in this article can help you understand the options that are available with Office SharePoint Server 2007 and Office Project Server 2007. This includes requirements and tradeoffs.

Office SharePoint Server 2007 and Office Project Server 2007 support the following three topologies:

  • Edge firewall

  • Back-to-back perimeter

  • Split back-to-back

Edge firewall topology

This configuration uses a reverse proxy server on the border between the Internet and the corporate network to intercept and then forward requests to the appropriate Web server that is located in the intranet. By using a set of configurable rules, the proxy server verifies whether the requested URLs are enabled, based on the zone from which the request originated. The requested URLs are then translated into internal URLs. The following illustration shows an edge firewall topology.

Extranet farm topology - edge firewall


  • It is the simplest solution, requiring the least amount of hardware and configuration.

  • The whole server farm is located within the corporate network.

  • Single point of data:

    • Data is located within the trusted network.

    • Data maintenance occurs in one place.

    • Having a single farm that is used for both internal and external requests ensures that all authorized users view the same content.

  • Internal user requests are not passed through a proxy server.


  • Results in a single firewall that separates the corporate internal network from the Internet.

Back-to-back perimeter topology

A back-to-back perimeter topology isolates the server farm in a separate perimeter network, as shown in the following illustration.

Back-to-back perimeter

This topology has the following characteristics:

  • All hardware and data reside in the perimeter network.

  • The server farm roles and network infrastructure servers can be separated across multiple layers. Combining the network layers can reduce the complexity and cost.

  • Each layer can be separated by additional routers or firewalls to ensure that only requests from specific layers are allowed.

  • Requests from the internal network can be directed through the internal-facing ISA server or routed through the public interface of the perimeter network.


  • Content is isolated to a single farm on the extranet, simplifying sharing and maintenance of content across the intranet and the extranet.

  • External user access is isolated to the perimeter network.

  • If the extranet is compromised, damage is potentially limited to the affected layer or to the perimeter network.

  • By using a separate infrastructure for the Active Directory directory service, external user accounts can be created without affecting the internal corporate directory.


  • It requires additional network infrastructure and configuration.

Split back-to-back topology

This topology splits the farm between the perimeter and corporate networks. The computers that are running Microsoft SQL Server database software are hosted inside the corporate network. Web servers are located in the perimeter network. The application server computers can be hosted in either the perimeter network or the corporate network.

Split back-to-back perimeter

In the previous illustration:

  • The application servers are hosted inside the perimeter network. This option is illustrated by blue servers inside the dashed line.

  • Application servers can also be deployed inside the corporate network, with the database servers. This option is illustrated by the gray servers inside the dashed line. If you deploy application servers inside the corporate network together with the database servers, you must also have an Active Directory environment to support these servers (illustrated as gray servers inside the corporate network).

If the server farm is split between the perimeter network and the corporate network while the database servers are located inside the corporate network, a domain trust relationship is required if Windows accounts are used to access SQL Server. In this scenario, the perimeter domain must trust the corporate domain. If SQL Authentication is used, a domain trust relationship is not required.


  • Computers that are running SQL Server are not hosted inside the perimeter network.

  • Farm components both within the corporate network and the perimeter network can share the same databases.

  • Content can be isolated to a single farm inside the corporate network, which simplifies sharing and maintaining content across the corporate network and the perimeter network.

  • With a separate Active Directory infrastructure, external user accounts can be created without affecting the internal corporate directory.


  • The complexity of the solution is greatly increased.

  • Intruders who compromise perimeter network resources might gain access to farm content that is stored in the corporate network by using the server farm accounts.

  • Inter-farm communication is typically split across two domains.