Thursday, 14 June 2012

SharePoint 2010 Port Numbers in DMZ

There is a TechNet article on planning security hardening for SharePoint which discusses at great length which port numbers are used, for which protocol, and for what type of communication.
In this case, we have a single Web Front End (WFE) server in the DMZ/perimeter network and a database server in the database tier/network. I hope this picture can be a starting point, but it is a must to read the Security Hardening article on TechNet before you decide to place your WFE(s) in the DMZ.
Placing the WFE servers in the DMZ can have an impact, especially on performance, as most organizations set bandwidth limits for inbound and outbound communication using packet-shaping tools or some other mechanism. Consideration should also be given to whether you intend to run the query component of Search on the WFEs (in the DMZ) or on dedicated application servers, depending on usage: file sizes, how often content is accessed on a daily basis, how often it is updated, and so on.
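Before the meeting the post recommends, it helps to have an objective check of what the firewall actually permits between the DMZ and the database tier. The following script is an added example, not from the original post or from the TechNet article: it parses a constructed firewall rule export and flags any allow rule between a hypothetical WFE (`wfe01`) and database server (`sql01`) that goes beyond an assumed allow-list. The allow-list here contains only TCP 1433 (the SQL Server default instance port); the real ports for your farm come from the TechNet hardening article and your own SQL configuration.

```python
"""Audit DMZ -> database-tier firewall rules against an allow-list.

Added example, not from the original post or TechNet. The rule format, the
host names and the sample export are constructed; the allowed port set is an
assumption for a hypothetical farm (TCP 1433 is the SQL Server default
instance port, but confirm the real port and the TechNet hardening list).
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed zone membership (constructed host names).
DMZ_HOSTS = {"wfe01"}
DB_HOSTS = {"sql01"}

# Assumed allow-list: the only traffic the WFE should need into the DB tier.
ALLOWED_DMZ_TO_DB = {("tcp", 1433)}  # SQL Server default port (assumption)

# Constructed sample export in a simple "src dst proto port action" format.
SAMPLE_RULES = """
# src    dst    proto port       action
wfe01    sql01  tcp   1433       allow    # SQL Server, expected
wfe01    sql01  tcp   1433-1434  allow    # range spills beyond allow-list
wfe01    sql01  any   any        allow    # far too broad
sql01    wfe01  tcp   80         allow    # wrong direction
internet wfe01  tcp   443        allow    # not between the audited tiers
wfe01    sql01  tcp   3389       deny
"""


@dataclass
class Rule:
    src: str
    dst: str
    proto: str
    port: str   # "1433", "any", or a range such as "1433-1434"
    action: str


def parse_rules(text: str) -> List[Rule]:
    """Parse the export line by line, dropping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, port, action = line.split()
        rules.append(Rule(src, dst, proto.lower(), port.lower(), action.lower()))
    return rules


def ports_of(port: str) -> Optional[Set[int]]:
    """Expand a port field into a set of port numbers; None means 'any'."""
    if port == "any":
        return None
    if "-" in port:
        lo, hi = port.split("-")
        return set(range(int(lo), int(hi) + 1))
    return {int(port)}


def audit(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) pairs for allow rules that exceed the allow-list."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        # The database tier should never need to open connections into the DMZ.
        if r.src in DB_HOSTS and r.dst in DMZ_HOSTS:
            findings.append((r, "database tier may initiate connections into the DMZ"))
            continue
        if r.src in DMZ_HOSTS and r.dst in DB_HOSTS:
            ports = ports_of(r.port)
            if ports is None:
                findings.append((r, "allows any port from DMZ to database tier"))
                continue
            extra = {(r.proto, p) for p in ports} - ALLOWED_DMZ_TO_DB
            if extra:
                listed = ", ".join(f"{proto}/{p}" for proto, p in sorted(extra))
                findings.append((r, f"allows {listed} beyond the allow-list"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit(parse_rules(SAMPLE_RULES)):
        print(f"{rule.src} -> {rule.dst} {rule.proto}/{rule.port}: {reason}")
```

Run against the constructed export, the script reports three findings: the port range that reaches TCP 1434, the any/any rule, and the rule letting the database server initiate connections into the DMZ. Replace `SAMPLE_RULES` with your own firewall export (after adapting `parse_rules` to its format) and `ALLOWED_DMZ_TO_DB` with the ports the TechNet list says your topology needs.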

Ideally, Forefront TMG can change the rules of the game. With Forefront TMG placed in the DMZ, you may not need to place the WFE(s) in the DMZ at all, which may improve performance, especially when accessing the portal.
There is a Visio diagram of external access topologies for SharePoint which you can download from here, but at the end of the day it all depends on your company's IT policies: whether a tool like Forefront TMG is affordable, or whether its use is restricted to SharePoint.
Start a discussion around the table with the Network/Firewall consultant, Security consultant, SharePoint infrastructure team and Application manager to get the proceedings started.
