Best Practices for SharePoint 2010 Public Facing Sites Q & A

 
This webinar included several live demonstrations and discussed:

  • Developing a Strategy for Leveraging SharePoint Inside-Out
  • New Internet Friendly Licensing in SharePoint 2010
  • Branding for Success
  • Authentication and Anonymous Access
  • Selecting the Right Extranet Topology
  • Forefront Threat Management and Unified Access Gateways
  • Best Practices & Avoiding Pitfalls


Webinar presented by:
SharePoint MVP Paul P. Stork

  • Question: Will a recorded version of the webinar be made available?

Answer: Yes, it is available here and the slides are here.
Note: if you experience issues with the low-res recording, please try the hi-res version for the best viewing.

  • Question: How can I reach your Sales staff?

Answer: Send an email to Info@ShareSquared.com or call 1-800-445-1279 x300.

  • Question: How do I register for the next webinar?


  • Question: We currently run our external facing web site on SharePoint 2007 (MOSS). I'm interested in the advantages to our customers as well as content editors in upgrading to 2010.

Answer: The new features in SharePoint 2010 are too numerous to list here. However, a few that might be of interest to you in an external facing web site are:
  1. Managed metadata to make taxonomies more consistent and searchable
  2. Built-in support for rich media like short videos
  3. Better, less expensive licensing for many external facing environments
  4. Availability of Business Connectivity Services in all levels of the product for access to non-SharePoint business data
Check out additional improvements here: http://tinyurl.com/WhatsNewIn2010

  • Question: How is licensing handled for test/staging environments?

Answer: Licensing for a production environment does not cover your test/staging environment. You will need to purchase separate licensing. However, for development and test environments you can purchase an MSDN subscription. There are a few different levels, so be sure you purchase the subscription that includes SharePoint (it should be included in the Premium subscription or higher). Link: http://tinyurl.com/MSDNSubscription

  • Question: We have SharePoint 2010 installed; how do I determine which version we're running (i.e., Enterprise, Standard, etc.)?

Answer: The easiest way is to go to Central Administration -> Upgrade And Migration -> Convert License Type. On that screen you will see a label with your current license information.

  • Question: If I already license FAST for internal sites and have Enterprise CALs, do I still need a FAST license for Internet Sites?

Answer: Only if you are going to be making the search available to external users who are not already covered by a CAL in your organization. However, it would be best to contact us or a licensing professional to review your architecture to be sure you are licensed properly.

  • Question: What about claims-based authentication?

Answer: Claims-based authentication is now the foundation on which all authentication is built in SharePoint 2010. When you create a new web application it can be designated as either claims-based or classic mode. If you choose classic mode, you will be limited to Kerberos or NTLM Windows authentication. To use forms-based authentication you must choose claims-based authentication. Claims-based authentication systems can also be leveraged directly by SharePoint.

  • Question: Can you use Active Directory Lightweight Directory Services (ADLDS) for forms-based authentication?

Answer: Absolutely. It is a very similar setup to using the ASP.NET database as a user store. The only real difference in the setup is that you need to use an LDAP provider in place of the SQL provider in your web.config files.

  • Question: Do the My Site social networking features support forms-based authentication users?

Answer: By default the permissions required to make use of MySites are given to All Authenticated Users. That group includes forms-based users, so the only users who would not be able to use MySites and the social networking features they support would be anonymous users.

  • Question: Is forms-based authentication now claims-based Authentication in 2010?

Answer: Yes. Claims-based authentication is a very general topic. It includes forms-based authentication, but it doesn’t ONLY include forms-based authentication. You can also authenticate against token servers and other types of claims providers to support claims-based authentication.

  • Question: Can you provide a link or how-to for the forms-based XML file?

Answer: The following TechNet article provides a walk-through on how to configure a forms-based authentication provider in SharePoint 2010 that makes use of an LDAP user store: http://tinyurl.com/LDAPforms

  • Question: Can you do the web.config changes automatically via a deployed SharePoint solution?

Answer: Yes. You can utilize the SharePoint object model and use the SPWebConfigModification class. However, this is an advanced coding activity and it should not be taken lightly. Be sure to have good backups of your config files in case of error. In addition, there are 3rd party tools that can assist you with the configuration modification if you decide that manual update is not your style or within your corporate policy.
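The two answers above (swapping the SQL membership provider for an LDAP provider in web.config, and pushing web.config changes from a deployed solution) come together in the following added example. It is not code from the webinar or from ShareSquared: it is a web-application-scoped feature receiver that registers the SharePoint 2010 LdapMembershipProvider through SPWebConfigModification, so the entry is stored in the farm configuration database and re-applied on every front-end server instead of being hand-edited per machine. The namespace, the owner tag, the provider name "LdapMember", the LDAP host and the container DN are assumptions; the provider type name and attribute names are the ones documented for the SharePoint 2010 LDAP provider.

```csharp
// Added example (not from the webinar): register the LDAP membership provider in a
// web application's web.config via SPWebConfigModification from a feature receiver.
using System;
using System.Collections.ObjectModel;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

namespace Contoso.Fba.Provisioning   // hypothetical namespace
{
    public class LdapProviderWebConfigReceiver : SPFeatureReceiver
    {
        // Owner tag: on deactivation we remove only the modifications carrying this value,
        // leaving entries added by other solutions untouched.
        private const string Owner = "Contoso.Fba.LdapMembershipProvider";

        // The <providers> element under <membership> that the provider is inserted into.
        private const string ProvidersPath = "configuration/system.web/membership/providers";

        // Provider registration. Server, container and provider name are assumed values.
        // useSSL="true" on port 636 keeps the user's bind credentials off the wire in clear text.
        private const string ProviderXml =
            "<add name=\"LdapMember\" " +
            "type=\"Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, " +
            "Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c\" " +
            "server=\"ldap.example.internal\" port=\"636\" useSSL=\"true\" " +
            "userDNAttribute=\"distinguishedName\" userNameAttribute=\"sAMAccountName\" " +
            "userContainer=\"OU=Partners,DC=example,DC=internal\" " +
            "userObjectClass=\"person\" userFilter=\"(ObjectClass=person)\" scope=\"Subtree\" " +
            "otherRequiredUserAttributes=\"sn,givenname,cn\" />";

        public override void FeatureActivated(SPFeatureReceiverProperties properties)
        {
            SPWebApplication webApp = properties.Feature.Parent as SPWebApplication;
            if (webApp == null)
                throw new InvalidOperationException("This feature must be scoped to a web application.");

            SPWebConfigModification mod = new SPWebConfigModification
            {
                Path = ProvidersPath,
                // XPath of the node that must exist; EnsureChildNode makes re-activation idempotent.
                Name = "add[@name='LdapMember']",
                Owner = Owner,
                Sequence = 0,
                Type = SPWebConfigModification.SPWebConfigModificationType.EnsureChildNode,
                Value = ProviderXml
            };

            webApp.WebConfigModifications.Add(mod);
            webApp.Update();                                  // persist in the configuration database
            webApp.WebService.ApplyWebConfigModifications();  // rewrite web.config on every front end
        }

        public override void FeatureDeactivating(SPFeatureReceiverProperties properties)
        {
            SPWebApplication webApp = properties.Feature.Parent as SPWebApplication;
            if (webApp == null)
                return;

            // Walk backwards so RemoveAt does not shift entries we have not examined yet.
            Collection<SPWebConfigModification> mods = webApp.WebConfigModifications;
            for (int i = mods.Count - 1; i >= 0; i--)
            {
                if (mods[i].Owner == Owner)
                    mods.RemoveAt(i);
            }
            webApp.Update();
            webApp.WebService.ApplyWebConfigModifications();
        }
    }
}
```

The role provider (LdapRoleProvider) is registered the same way under configuration/system.web/roleManager/providers. Two caveats apply: SPWebConfigModification only touches the content web application's web.config, while claims-based forms authentication in SharePoint 2010 also needs the provider in the Central Administration and SecurityTokenServiceApplication web.config files, which the TechNet walkthrough above still has you edit by hand; and ApplyWebConfigModifications rewrites the files on all front ends at once, so the backup advice in the answer applies before the feature is first activated.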

  • Question: How do you implement both Anonymous access and forms-based authentication together? In other words, I want company site contributors to be able to update content, but want the public to be able to hit the site without having to log in?

Answer: You have a couple of choices. You can set up a single web application that uses forms-based authentication and Anonymous Access by enabling Anonymous Access on that web application. Alternatively, you can extend your forms-based authentication site to another zone and set it up specifically for Anonymous Access. Either would work. This mostly depends on whether you would like your anonymous users to access the site via the same URL as the FBA users or have a separate URL for security reasons.

  • Question: In an Edge Firewall Topology, how can you configure your people picker to only allow partners to search for partner resources, but not see internal AD users?

Answer: Unfortunately, the people picker cannot be configured based on the security of the user using the control.

  • Question: In the second disadvantage, users can have only one account, using AD trust?

Answer: I assume you are referring to the disadvantage listed in the back-to-back perimeter topology. In that topology the internal firewall is locked down too tightly to allow establishment of an AD trust between the perimeter AD and the internal AD. This is one of the features of the Split Back-to-Back topology, where a one-way AD trust is established between the perimeter AD (Trusting) and the internal AD (Trusted) domains. So if you open up the firewall to establish such a trust you have really moved to a hybrid of the Split Back-to-Back topology.

  • Question: If you are using back to back topology, can you use Server 2008 read-only domain controller in the perimeter to let internal users connect without a separate login?

Answer: As was mentioned in the pitfalls slide, using a Read-only domain controller breaks some of the functionality in SharePoint 2010, particularly the People Picker. The configuration of the firewall in that topology would also keep the Read-only domain controller from synchronizing with the domain, so changes made in the internal domain would not be reflected on the perimeter domain controller. For these reasons this is not a recommended scenario.

  • Question: What do you recommend to publish MySites to the Internet?

Answer: There is nothing that prevents you from using MySites in an Internet facing environment. However, MySites is designed to provide Social Networking for an intranet where governance can be done based on corporate policies. Since each user owns their own MySite, governing their usage in an Internet model would be a problem. So we generally don’t recommend using MySites on the Internet.

  • Question: Why Forefront Threat Management Gateway (TMG), and not Forefront Unified Access Gateway (UAG)?

Answer: TMG and UAG are both suitable for use in Internet facing scenarios. UAG provides more functionality for authenticated users accessing SharePoint and other applications. But UAG is also more expensive. In many Internet facing designs that focus on anonymous access or publishing individual web sites TMG is a suitable solution.

  • Question: Any improvements on the content deployment?

Answer: Content Deployment has remained essentially unchanged since SharePoint 2007. However, there have been some stability improvements since the last Cumulative updates in SharePoint 2007. The most important is that the Content Deployment process now uses a database snapshot to assemble content to be deployed. This prevents conflicts from developing when pages are being edited while the content deployment job is running.

  • Question: I am not seeing why I must use SharePoint 2010 for Internet sites for this task, rather than just using the same SharePoint we use for our Intranet sites and use the security models you noted?

Answer: You would need to use SharePoint 2010 for Internet licensing because your current server licenses and CALs do not cover external users. Generally it comes down to licensing costs, who will be accessing content, and what type of content is being stored. If you are just exposing SharePoint as an extranet for your employees to access remotely then you are correct that you don’t need additional licenses. However, if you were allowing external users who were not employees or Anonymous Access users to use your site/content then you would have to license SharePoint as such.

  • Question: What is the best way to transfer data from MOSS2007 to SharePoint 2010?

Answer: This is a tricky question. If you are referring to upgrading your SharePoint 2007 to SharePoint 2010 that is a whole other topic that needs some specific review. The answer to this really depends on what you mean by “transfer data”. If you are planning to move from a MOSS 2007 environment to SharePoint Server 2010 then depending on factors like customization you can either upgrade in place or copy your content databases and attach them to a new 2010 environment. If you are just migrating data once from one system to another, then there are quite a few 3rd party tools that will allow you to “transfer” content. But if by “transfer data” you mean to duplicate content from a MOSS 2007 server to a SharePoint 2010 server on an ongoing basis, then there is no way to do that without extensive custom programming. Please contact us so we can better understand your needs and point you in the right direction.

  • Question: In SharePoint 2007, extended web application zones were served off of a different port. Is that no longer the case in SharePoint 2010?

Answer: Web applications CAN be extended to multiple zones in SharePoint 2007 using the same port as long as you use host headers. Without using host headers you would need either different ports or multiple IP addresses for the different zones. That is still the case in SharePoint 2010 because it is a requirement of Internet Information Services (IIS), not SharePoint.

  • Question: In split back-to-back network scenario, if I want to use Team Foundation Server (TFS) Portal Sites with internal & external users with windows authentication and forms-based authentication, where would TFS be installed? Internally? In perimeter network? External users need to be able to contribute content via TFS query web parts and thus need to be authenticated in TFS as well.

Answer: In a split back-to-back scenario external users only have access to resources in the perimeter network. So if you want to make TFS portal sites available to external users you would need to place the TFS portal sites on a SharePoint server in the perimeter network.

  • Question: Are you aware if users in an AD LDS instance require a license specific to AD LDS (e.g. Windows CAL) when those users are authenticating to SharePoint 2010 Enterprise?

Answer: Any user accessing SharePoint needs the equivalent of a Windows CAL. That includes Forms-based users wherever their user account is stored, even ADLDS. Depending on specific circumstances ADLDS users can be covered either by a Windows External connector license or by purchasing Windows CALs. This is a complex scenario that you should address with your Microsoft licensing professional.

  • Question: Is there a tool to migrate a SharePoint 2007 farm to a new SharePoint 2010 server?

Answer: There are a few 3rd party tools out there that will migrate your content from one server to another. However if you are just going to want to migrate to the same structure your data/content is in now it would be better to just upgrade to SharePoint 2010. Contact us and we can discuss what would be the best solution to fit your needs.

  • Question: If not all service accounts in SharePoint 2010 are managed, what are the best practices for those accounts in regards to account settings (i.e., password never expires, user cannot change password) and maintenance?

Answer: That is dependent on your own internal security policies. If you set those accounts up to have expiring passwords you will need to remember to change the passwords from inside SharePoint to make sure that the Farm configuration records the change. Setting this normally small group of accounts to have non-expiring passwords is also an option. But some corporate security groups won’t allow that.

  • Question: What is the cost for unlimited anonymous users for Internet sites?

Answer: The cost depends on various licensing aspects, such as whether you are a Microsoft Partner, whether you have a specific licensing agreement through Microsoft, and more. Please contact us and we can help you figure out how to get an accurate price for your company.

  • Question: Can you use workflows with anonymous access sites?

Answer: By default anonymous users cannot start workflows. The workaround in SharePoint 2007 was to email-enable the list and let anonymous users start the workflow by sending an email to the list. By default even this has been disabled in SharePoint 2010. However, you can enable auto-started workflows on lists that are email-enabled by setting the ‘declarativeworkflowautostartonemailenabled’ property of the farm. You can set it using either PowerShell or STSADM. The STSADM command is provided below:

  stsadm -o setproperty -pn declarativeworkflowautostartonemailenabled -pv true

  • Question: Why do anonymous access users need a license? If anonymous users need a license, then how does it work?

Answer: With the new Internet License, external users don’t need a Client Access License. This includes both authenticated and anonymous users. However, if you are authenticating your users and not allowing anonymous access to your Internet exposed site AND your external user is already covered by a CAL, then you will not have to purchase additional licenses to cover that user.

  • Question: If planning on leveraging FAST in a split back-to-back topology (using UAG and TMG), can you leverage your FAST farm if placed on the internal network?

Answer: Yes, but you would still need to buy an Internet license for the internal FAST server to be able to leverage it with external users.

  • Question: Why can't you use themes with anonymous access on a SharePoint 2010 Foundation deployment? Is it because "_layouts" access is denied?

Answer: No, access to _layouts isn’t the root of the problem. It’s a bug that wasn’t discovered during the beta. At this point it has not been fixed by any service pack. Themes work appropriately in SharePoint Foundation for authenticated users, and they work for both anonymous and authenticated users in SharePoint Server.

  • Question: With forms-based authentication, you mentioned full support for client application integration. Is this only with Office 2010?

Answer: Client Integration is the same in SharePoint 2010 for both Windows Authenticated and Forms-based Authentication users. Full integration is provided for Office 2010, but some limitations exist as you move to earlier versions. The change from SharePoint 2007 is that the limitations are now the same whether you are a windows or Forms based user.

  • Question: Forms-based Authentication is a powerful tool to extend the SharePoint platform and its capabilities for external users, but management of these users and load into the database is rather difficult. Are there any tools that you are aware of to handle the loading and management of the forms-based authentication accounts?

Answer: There are a few third party tools and open source projects available that allow you to manage the database user store. It is also possible to create your own administration pages in SharePoint that will allow you to do that management. However, there is nothing that ships with SharePoint that provides this functionality.

  • Question: We've been told ClickOnce (PerfPoint/SSRS) doesn't work behind TMG which we are using to host externally (public) facing sites. Any changes we can look forward to in SharePoint 2010 integration with ClickOnce -- specifically in regards to externally (public) facing sites?

Answer: Unfortunately, SharePoint can’t fix that. The problem lies between ClickOnce and TMG server, not SharePoint. Enhancements made in SharePoint 2010 won’t have any effect on this problem.

  • Question: It seems that some of the resource links in the presentation require a login to MSDN – true?

Answer: We’ve retested all the links in the presentation and were able to access them without logging in. You should be able to access them also. If you are having trouble with a particular resource please send us the link at info@sharesquared.com.