Symantec Access Management

  • 1.  SharePoint Integration with CA SSO(SiteMinder 12.52) for users accessing from external network without VPN

    Posted Feb 16, 2016 12:01 PM

    Hi Team,

     

    I have a question on how to do this requirement and what would it take to have this done?

     

    Internal users accessing SP should go straight to SP, since SP is configured to do the authentication using its own mechanism: Internet Options / Security with Windows authentication checked, using the currently logged-in user. So the requirement is that this shouldn't be disturbed by SiteMinder.

     

    However, if the same user is accessing SP from an external network without VPN, then that request should be intercepted by SiteMinder and it should challenge the user.

     

    So my question is,

    1. How to separate internal from external requests? Though we could do it through the firewall, is it possible to write a rule in the SharePoint Agent to redirect the request depending on the IP or some other mechanism, in such a way that if the request is from internal it redirects directly to SP, and if it is from external without VPN, it hits SMPS for authentication?

     

    Please advise how I could achieve this efficiently.



  • 2.  Re: SharePoint Integration with CA SSO(SiteMinder 12.52) for users accessing from external network without VPN

    Posted Feb 16, 2016 03:32 PM

    Christie

     

    Refreshing my sharepoint memories.

     

    Firstly, we would need to have an extended zone in SharePoint. A zone typically extends the same SharePoint portal as a duplicate website in IIS.

     

    We could then assign a different authentication model (e.g. WS-Fed) to the extended zone, have this extended zone front-ended by the SPAgent, and build the SPAgent SSO solution for this zone.

     

    The Default zone remains untouched, as is.

     

    Let me know if these thoughts help.

     

     

    Regards

     

    Hubert



  • 3.  Re: SharePoint Integration with CA SSO(SiteMinder 12.52) for users accessing from external network without VPN

    Posted Feb 17, 2016 01:18 AM

    Hi Hubert,

     

    The problem here is that external and internal will be using the same DNS name. For example, both the external request and the internal request will hit example.corp.com to access SP; however, internal requests from users who are on the network are authenticated based on the current user. We need SiteMinder to challenge the internal users when they access SP from the external network.

     

    As for your point about extending the zone, I am not sure whether the client would be able to do that, and they may not be ready to do that in their SharePoint.

    What I thought of was "split DNS", so that the exposed SP would have to go through the firewall and be routed from there, instead of going through the agent, which makes the integration simpler than using federation.

     

    Is this a better idea?

    Please advise.



  • 4.  Re: SharePoint Integration with CA SSO(SiteMinder 12.52) for users accessing from external network without VPN
    Best Answer

    Posted Feb 17, 2016 08:54 PM

    Christie

     

    What is the version of SharePoint being discussed? If it is SP2010 or SP2013, then it is done via the "CA SharePoint Agent 2010", which under the covers uses WS-Fed to SSO into SharePoint. This solution model has been Microsoft's preferred integration model from SP2010 onwards, unlike SP2007, which is an IIS-agent-based solution deployed on the IIS website that hosts the SharePoint front end.

     

    Circling back to the question of how to access using a single DNS for both Internal and External users.

     

    The best suggested solution (please refer to the Microsoft SharePoint documentation) is extending zones, thus enabling segregation of identities and access mechanisms.

    How to: Expose a SharePoint Application to the Extranet and Use Forms-Based Authentication

     

    The other alternative is to use a credential selection page. This effectively means enabling multiple authentication models on the same website. Thus every time a user (internal or external) accesses the single DNS name they are first presented with a credential selector page, on which the user is able to select the relevant authentication model.

    Multiple Authentication Methods in SharePoint 2010 - while (alive) { writeCode(); } - Site Home - MSDN Blogs

     

     

    I am unsure how split DNS would help here. Nevertheless, whatever we deploy, if SharePoint 2010 or above needs to be integrated with CA SSO, then it is a WS-Fed based solution.

     

    Hence my suggestion would be to understand the SharePoint 2010 / 2013 CA SSO solution better before suggesting any customization. If we do it the other way round, i.e. first look at customization and then at the CA SSO offering with SharePoint, it is going to be a step towards disaster.

     

     

    I am happy to share thoughts if you have any doubts OR questions.

     

     

    Regards

     

    Hubert
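The zone-extension approach described in posts 2 and 4, shown as an added PowerShell example (not code from the thread, from CA, or from Microsoft): the existing web application keeps its Default zone with Windows authentication for internal users, and is extended into an Extranet zone whose only authentication provider is a WS-Federation trusted identity token issuer. All names, URLs, the realm, the claim types chosen and the certificate path are assumptions; the real sign-in endpoint and claim mappings come from the CA SharePoint Agent configuration. Run it in the SharePoint Management Shell as a farm administrator.

```powershell
# Added example, not from the original thread. Extend the Default zone of an
# existing SharePoint 2010/2013 web application into an Extranet zone that
# authenticates through a WS-Fed trusted identity provider, leaving the
# Default zone (Windows authentication for internal users) untouched.
# Every name, URL, realm and path below is an assumption for illustration.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$internalUrl  = "http://example.corp.com"                 # existing Default zone (assumed)
$externalHost = "sp-extranet.example.com"                 # new Extranet zone host (assumed)
$externalUrl  = "https://$externalHost"
$idpName      = "CA SSO (WS-Fed)"                         # display name for the trust (assumed)
$idpSignInUrl = "https://sso.example.com/wsfed/signin"    # IdP passive sign-in URL (assumed)
$realm        = "urn:sharepoint:extranet"                 # wtrealm agreed with the IdP (assumed)
$signingCert  = "C:\certs\sso-signing.cer"                # IdP public token-signing cert (assumed path)

# 1. Trust the IdP's token-signing certificate at farm level.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCert)
New-SPTrustedRootAuthority -Name "$idpName signing" -Certificate $cert | Out-Null

# 2. Declare which incoming claims SharePoint accepts; email is the identifier.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Register the trusted identity token issuer (WS-Fed passive profile).
$issuer = New-SPTrustedIdentityTokenIssuer -Name $idpName `
    -Description "External users via CA SSO" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $idpSignInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# 4. Extend the web application into the Extranet zone with that provider only,
#    so external users can never fall back to Windows authentication there.
$webApp   = Get-SPWebApplication $internalUrl
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
New-SPWebApplicationExtension -Name "SharePoint - Extranet" `
    -Identity $webApp `
    -Zone Extranet `
    -URL $externalUrl `
    -HostHeader $externalHost `
    -Port 443 `
    -SecureSocketsLayer `
    -AuthenticationProvider $provider | Out-Null

# 5. Verify: the Default zone keeps its original providers, the Extranet zone
#    lists only the trusted identity provider.
$webApp = Get-SPWebApplication $internalUrl
foreach ($zoneName in "Default", "Extranet") {
    $zone = [Enum]::Parse([Microsoft.SharePoint.Administration.SPUrlZone], $zoneName)
    $iis  = $webApp.IisSettings[$zone]
    if ($iis -ne $null) {
        $names = ($iis.ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }) -join ", "
        "{0,-9} {1}" -f $zoneName, $names
    }
}
```

Each zone gets its own URL and alternate access mapping, which is why this does not by itself satisfy the single-hostname requirement raised in post 3: either the external name (here sp-extranet.example.com) differs from the internal one, or an external DNS entry for the internal name has to resolve to the Extranet zone's listener (split DNS). The credential selector page mentioned in post 4 is the alternative when both providers must sit on one zone, at the cost of prompting internal users too.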