For a customer we had to set up a Microsoft Office SharePoint Server 2007 (MOSS 2007) Multiple Server Farm. The customer uses the Content Management Server (CMS) possibilities of SharePoint 2007 to manage the company’s Internet site.
Before we started setting up the servers and building the farm, web applications and sites we had to consider the company’s network architecture. This consists of an Intranet zone and a perimeter network (also called a DMZ), split into two sections: the Inner DMZ and the Outer DMZ. One of the challenges during the assignment was to keep this setup and all the security properties of the networks intact, and still make it work.
For security reasons, Internet users may not connect directly to any site on the Intranet, and it would be equally unwise to let (internal) Intranet users manage content directly on a web server in a DMZ. Therefore we set up two farms: one Intranet Farm and one DMZ Farm. Moreover, we split the DMZ (Internet) Farm between a Web Front End server in the Outer DMZ and the Database and Services (Search, SSP and Central Admin) in the Inner DMZ. Between the two DMZs resides an ISA server for access security.
The editors work on the website inside the company’s Intranet. Content is synchronized to the Internet (DMZ) farm with Content Deployment (paths and jobs), and all changed and published content is sent to the DMZ every 15 minutes. You can read about Content Deployment in our next post.
So there was ‘just’ one problem. Since the DMZ Farm is a real farm (not a single-server setup), domain accounts are required for the service accounts. This automatically means you need a separate AD domain controller inside the DMZ. Sharing the Intranet domain with the DMZ would be possible too, but the whole purpose of a DMZ is not to put your authentication at risk. So we needed a separate AD domain controller just for the service accounts: if that controller is compromised, the internal domain is not affected.
So we ended up with 4 servers in two farms as a minimum configuration. From this point on it is a matter of adding Database, Services and/or Web Front End servers. We could start installing the software and configuring the servers:
Intranet Farm > Database Server
· Windows Server 2003 SE SP1
· Internet Information Services (IIS)
· SQL Server 2005 (also installs the .NET Framework 2.0)
DMZ Farm > Database and Web Server
· Windows Server 2003 SE SP1
· Internet Information Services (IIS)
· SQL Server 2005 (also installs the .NET Framework 2.0)
· .NET Framework 3.0
· Windows Server Support Tools
· MOSS 2007 with SP1 (WSS SP1 and MOSS 2007 SP1 included)
(· MOSS 2007 additional language packs)
· Run the SharePoint Configuration Wizard
(· MOSS 2007 language pack SP1)
(· WSS 3.0 post SP1 hotfix for content deployment [KB950279])
Intranet and DMZ Farm > Web Servers (2 Servers)
· Windows Server 2003 SE SP1
· Internet Information Services (IIS)
· .NET Framework 2.0
· .NET Framework 3.0
· Windows Server Support Tools
· MOSS 2007 with SP1 (WSS SP1 and MOSS 2007 SP1 included)
(· MOSS 2007 additional language packs)
· Run the SharePoint Configuration Wizard
(· MOSS 2007 language pack SP1)
(· WSS 3.0 post SP1 hotfix for content deployment [KB950279])
Also run Windows Update for the operating system (OS), SQL Server 2005, the .NET Framework, etc.
There is one *really* important thing to keep in mind here: always keep all servers in the farm (e.g. all Web Front End servers) and their software completely identical. So either install service releases on all systems, or on none at all.
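As an added example (not part of the original post), a small drift check that compares each farm server's installed hotfix list against the union across the farm and reports whatever a server is missing. The inventory format (one "server<TAB>hotfix id" line per entry, as you might export with `wmic qfe get HotFixID` on each box and prefix with its host name) and all server names and KB numbers other than KB950279 are constructed.

```python
"""Patch-level drift check across SharePoint farm servers.

Added example, not code from the original post. The inventory format and
the sample hosts/hotfix ids (except KB950279) are constructed assumptions.
"""
from typing import Dict, List, Set

# Constructed sample inventory: "server<TAB>hotfix id" per line.
SAMPLE_INVENTORY = """\
DMZ-WFE01\tKB950279
DMZ-WFE01\tKB9000001
INTRA-WFE01\tKB9000001
INTRA-WFE01\tKB950279
INTRA-WFE01\tKB9000002
"""


def parse_inventory(text: str) -> Dict[str, Set[str]]:
    """Group hotfix ids by server; blank or malformed lines are skipped."""
    servers: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 2 or not all(parts):
            continue
        server, hotfix = parts
        servers.setdefault(server, set()).add(hotfix.upper())
    return servers


def find_drift(servers: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Per server, the hotfixes installed elsewhere in the farm but not on it.

    Comparing against the farm-wide union catches both a server that missed
    an update and a server that received one the others did not.
    """
    farm_wide: Set[str] = set().union(*servers.values()) if servers else set()
    return {
        name: sorted(farm_wide - installed)
        for name, installed in servers.items()
        if farm_wide - installed
    }


def farm_is_consistent(servers: Dict[str, Set[str]]) -> bool:
    """True only when every server carries exactly the same hotfix set."""
    return not find_drift(servers)


if __name__ == "__main__":
    drift = find_drift(parse_inventory(SAMPLE_INVENTORY))
    for server, missing in drift.items():
        print(f"{server}: missing {', '.join(missing)}")
```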