Design extranet farm topology (Windows SharePoint Services)

Applies To: Windows SharePoint Services 3.0


Topic Last Modified: 2010-01-05

In this article:

  • About extranet environments

  • Planning for extranet environments

  • Edge firewall topology

  • Back-to-back perimeter topology

  • Split back-to-back topology

This article can be used with the following model: Extranet Topologies for SharePoint Products and Technologies.

About extranet environments

An extranet environment is a private network that is securely extended to share part of an organization's information or processes with remote employees, external partners, or customers. By using an extranet, you can share any type of content that is hosted by Windows SharePoint Services 3.0, including documents, lists, libraries, calendars, blogs, and wikis.

The following table describes the benefits that the extranet provides for each group.

Remote employees

Remote employees can access corporate information and electronic resources from anywhere, at any time, without requiring a virtual private network (VPN). Remote employees include:

  • Traveling sales employees.

  • Employees working from home offices or customer sites.

  • Geographically dispersed virtual teams.

External partners

External partners can participate in business processes and collaborate with employees of your organization. You can use an extranet to help enhance the security of data in the following ways:

  • Apply appropriate security and user-interface components to isolate partners and to segregate internal data.

  • Authorize partners to use only sites and data that are necessary for their contributions.

  • Restrict partners from viewing other partners’ data.

You can optimize processes and sites for partner collaboration in the following ways:

  • Enable employees of your organization and partner employees to view, change, add, and delete content to promote successful results for both companies.

  • Configure alerts to notify users when content changes or to start a workflow.


Customers

Make sites available to customers:

  • Provide anonymous access to information about your business.

  • Allow clients to log on and participate in a workflow.

Windows SharePoint Services 3.0 provides flexible options for configuring extranet access to sites. You can provide Internet-facing access to a subset of sites on a server farm or make all content on a server farm accessible from the Internet. You can host extranet content inside your corporate network and make it available through an edge firewall, or you can isolate the server farm inside a perimeter network.

Planning for extranet environments

The rest of this article discusses specific extranet topologies that have been tested with Windows SharePoint Services 3.0. The topologies that are discussed in this article can help you to understand the options that are available with Windows SharePoint Services 3.0, including requirements and tradeoffs.

The following sections highlight additional planning activities for an extranet environment.

Plan network edge technology

In each topology, the network edge technology illustrated is one or both of the following products from the Microsoft Forefront Edge suite of products: Microsoft Internet Security and Acceleration (ISA) Server and Intelligent Application Gateway (IAG) 2007. For more information about these Microsoft Forefront Edge products, see the following resources:


You can substitute a different network edge technology.

IAG Server provides these additional features:

  • Information leakage prevention: No residues are left on the client computer, and all cache, temporary files, and cookies are deleted.

  • Endpoint, health-based authorization: Administrators can define an access policy that is based not only on the identity of the user and the information that is exposed but also on the condition of the client computer.

  • Access SharePoint sites from Outlook Web Access: Users can access SharePoint sites from links sent in e-mail through Outlook Web Access. IAG provides the link translation for links that refer to internal URLs.

  • Unified portal: Upon logon, IAG presents to each user the list of SharePoint sites and other applications that are available and authorized for that user.

The following table summarizes the difference between the servers.

Capabilities compared between ISA 2006 and IAG 2007:

  • Publish Web applications using HTTPS

  • Publish internal mobile applications to roaming mobile devices

  • Layer 3 firewall

  • Outbound scenarios support

  • Array support

  • Globalization and administration console localization

  • Wizards and predefined settings to publish SharePoint sites and Exchange

  • Wizards and predefined settings to publish various applications

  • Active Directory Federation Services (ADFS) support

  • Rich authentication (for example, one-time password, forms-based, smart card)

  • Application protection (Web application firewall)

  • Endpoint health detection

  • Information leakage prevention

  • Granular access policy

  • Unified Portal


* Supported by ISA, which is included with IAG 2007.

Plan for authentication and logical architecture

In addition to choosing or designing an extranet topology, you will need to design an authentication strategy and logical architecture to enable access to the intended users outside the internal network and to secure sites and content on the server farm. For more information, see the following articles:

Plan domain trust relationships

When the server farm is located inside a perimeter network, this network requires its own Active Directory directory service infrastructure and domain. Typically, a perimeter domain and a corporate domain are not configured to trust each other. However, if you configure a one-way trust, in which the perimeter domain trusts the corporate domain, you can use Windows authentication to authenticate both internal and remote employees by using corporate domain credentials. Another option is to authenticate employees using forms authentication or Web single sign-on (SSO). You can also use these methods to authenticate against an internal domain directory service.

The following table summarizes these authentication options and indicates whether a trust relationship is required.

Scenario Description

Windows authentication

If the perimeter domain trusts the corporate network domain, you can authenticate both internal and remote employees by using their corporate domain credentials.

Forms authentication and Web SSO

You can use forms authentication and Web SSO to authenticate both internal employees and remote employees against an internal Active Directory environment. For example, you can use Web SSO to connect to Active Directory Federation Services (ADFS). Using forms authentication or Web SSO does not require a trust relationship between domains.

However, several features of Windows SharePoint Services 3.0 might not be available, depending on the authentication provider. For more information about features that might be affected when forms authentication or Web SSO is used, see Plan authentication settings for Web applications (Windows SharePoint Services).

For more information about configuring a one-way trust relationship in an extranet environment, see Plan security hardening for extranet environments (Windows SharePoint Services).

Plan for availability

The extranet topologies described in this article are intended to illustrate:

  • Where a server farm is located within an overall network.

  • Where each of the server roles is located within an extranet environment.

This article is not intended to help you plan which server roles you need to deploy or how many servers for each role you need to deploy to achieve redundancy. After you determine how many server farms are required for your environment, use the following article to plan the topology for each server farm: Plan for redundancy (Windows SharePoint Services).

Plan for security hardening

After you have designed your extranet topology, use the following resources to plan for security hardening:

Edge firewall topology

This configuration uses a reverse proxy server on the border between the Internet and the corporate network to intercept and then forward requests to the appropriate Web server located in the intranet. Using a set of configurable rules, the proxy server verifies that the requested URLs are allowed based on the zone from which the request originated. The requested URLs are then translated into internal URLs. The following illustration shows an edge firewall topology.

Extranet farm topology - edge firewall


Advantages of the edge firewall topology include the following:

  • Simplest solution that requires the least amount of hardware and configuration.

  • Entire server farm is located within the corporate network.

  • Single point of data:

    • Data is located within the trusted network.

    • Data maintenance occurs in one place.

    • Single farm used for both internal and external requests ensures that all authorized users view the same content.

  • Internal user requests are not passed through a proxy server.


Disadvantages of the edge firewall topology include the following:

  • Results in a single firewall that separates the corporate internal network from the Internet.
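
The URL check and translation that the reverse proxy performs in this topology, shown as an added Python example that is not part of the original article and is not ISA or IAG configuration. The host names, zone names and path prefixes are hypothetical.

```python
from posixpath import normpath
from urllib.parse import quote, unquote, urlsplit

# Constructed publishing rules (hypothetical hosts, zones and paths):
# zone of origin -> path prefixes that zone may request.
PUBLIC_HOST = "extranet.example.com"
INTERNAL_BASE = "http://sp-web01.corp.example"
ALLOWED = {
    "internet": ["/sites/public"],
    "partner": ["/sites/public", "/sites/partners"],
}

def translate_request(zone, url):
    """Return the internal URL for an allowed request, or None to deny it."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != PUBLIC_HOST:
        return None  # only the published HTTPS host name is accepted
    raw = unquote(parts.path)
    if "%" in raw or "\\" in raw:
        return None  # double-encoded or backslash paths are refused outright
    # Collapse "." and ".." first so the prefix check sees the real target.
    path = "/" + normpath(raw or "/").lstrip("/")
    for prefix in ALLOWED.get(zone, []):
        # Case-insensitive match on a whole path segment, not a raw prefix.
        if path.lower() == prefix or path.lower().startswith(prefix + "/"):
            query = "?" + parts.query if parts.query else ""
            return INTERNAL_BASE + quote(path) + query
    return None  # default deny: unknown zone or unpublished path

def translate_links(body):
    """Rewrite internal URLs in a response so internal names do not leak."""
    return body.replace(INTERNAL_BASE, "https://" + PUBLIC_HOST)
```

Normalizing the path before matching is what keeps a request such as /sites/public/../partners/ from being forwarded under the rule for the public site.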

Back-to-back perimeter topology

A back-to-back perimeter topology isolates the server farm in a separate perimeter network, as shown in the following illustration.

Back-to-back perimeter topology

This topology has the following characteristics:

  • All hardware and data reside in the perimeter network.

  • The server farm roles and network infrastructure servers can be separated across multiple layers. Combining the network layers can reduce the complexity and cost.

  • Each layer can be separated by additional routers or firewalls to ensure that only requests from specific layers are allowed.

  • Requests from the internal network can be directed through the internal-facing ISA server or routed through the public interface of the perimeter network.


Advantages of the back-to-back perimeter topology include the following:

  • Content is isolated to a single farm on the extranet, simplifying sharing and maintenance of content across the intranet and the extranet.

  • External user access is isolated to the perimeter network.

  • If the extranet is compromised, damage is potentially limited to the affected layer or to the perimeter network.

  • By using a separate Active Directory infrastructure, external user accounts can be created without affecting the internal corporate directory.


Disadvantages of the back-to-back perimeter topology include the following:

  • Requires additional network infrastructure and configuration.

Split back-to-back topology

This topology splits the farm between the perimeter and corporate networks. The computers running Microsoft SQL Server database software are hosted inside the corporate network. Web servers are located in the perimeter network. Search servers can be hosted in either the perimeter network or the corporate network.

Split back-to-back topology

In the preceding illustration:

  • The search server is hosted inside the perimeter network. This option is illustrated by the blue server inside the dashed line.

  • Search servers can optionally be deployed inside the corporate network, with the database servers. This option is illustrated by the gray server inside the dashed line. If you deploy search servers inside the corporate network with the database servers, you must also have an Active Directory environment to support these servers (illustrated as gray servers inside the corporate network).

If the server farm is split between the perimeter network and the corporate network with the database servers located inside the corporate network, a domain trust relationship is required if Windows accounts are used to access SQL Server. In this scenario, the perimeter domain must trust the corporate domain. If SQL authentication is used, a domain trust relationship is not required. For more information about configuring accounts for this topology, see "Domain trust relationships" in the following article: Plan security hardening for extranet environments (Windows SharePoint Services).

To optimize search performance and crawling, place the search server role inside the corporate network with the database servers. You can also add the Web server role to a search server inside the corporate network and configure this Web server for dedicated use by the search role for content crawling. If you place Web servers in the perimeter network and the search role inside the corporate network, you must configure a one-way trust relationship in which the perimeter network domain trusts the corporate network domain. This one-way trust relationship is required in this scenario to support inter-server communication within the farm, regardless of whether you are using Windows authentication or SQL authentication to access SQL Server.


Advantages of the split back-to-back topology include the following:

  • Computers running SQL Server are not hosted inside the perimeter network.

  • Farm components both within the corporate network and the perimeter network can share the same databases.

  • With a separate Active Directory infrastructure, external user accounts can be created without affecting the internal corporate directory.


Disadvantages of the split back-to-back topology include the following:

  • Complexity of the solution is greatly increased.

  • Intruders who compromise perimeter network resources might gain access to farm content stored in the corporate network by using the server farm accounts.

  • Inter-farm communication is typically split across two domains.
