Give employees, partners and suppliers secure anywhere access from mobile devices such as smartphones and laptops to applications while on the road or at home
2. Anywhere Access: UAG vs DMZ
- Business drivers
  - Give employees secure anywhere access from mobile devices such as smartphones and laptops to applications while on the road or at home
  - Give partners and suppliers secure access to a controlled set of applications and web-sites for cross-organization collaboration
- Forefront Unified Access Gateway
  - Secure application-by-application remote access to internal solutions
  - Also for controlled application access for partners and suppliers
- Classic DMZ extranet or VPN
  - Access to web-sites in the DMZ for employees, partners and suppliers
  - No access to internal solutions with a DMZ extranet
  - Full access to internal solutions with VPN
SharePoint 2010 Anywhere Access
3. UAG Pros & Cons
- Secure remote access to specific applications
  - For remote employees with mobile devices
  - For partners and suppliers, based on identity (IAM)
- Rich Office client integration supported
- No VPN connection required, uses IPsec tunneling
- Client integrity check
  - Health check of the client device using Network Access Protection (NAP)
  - Traditional DMZ and VPN are exposed to security risks through a compromised client
- Information leakage mitigation
  - Cleanup of the client endpoint, including cache, temporary files, and cookies
- Single firewall disadvantage
  - This configuration results in a single firewall that separates the corporate internal network from the Internet
5. DMZ Pros & Cons
- Well-known infrastructure and operational policies
- High level of solution and information isolation
  - Separated by design from internal solutions and information
- Opens public HTTP/S access to the entire SharePoint server
  - Must also open the outer firewall for Office client integration
- Requires an extra farm to host the DMZ extranet
  - Double the number of servers
  - Double the license costs
  - Double the operations effort
- DMZ back-to-back perimeter effects
  - Database backups to internal storage are more difficult
  - Integrations with internal systems are more difficult
  - AD trust, or duplication of all applicable user accounts
- Split back-to-back perimeter possible
  - More complex infrastructure when split between DMZ and LAN
  - Must open the inner firewall for access to internal app-servers and DB-servers
7. IAM for Partners & Suppliers
- Identity & Access Management (IAM)
  - Authenticate external users to establish their identity
  - Delegate user account management to the partner / supplier
  - Based on STS & SAML standards for federated IAM and claims-based security
- Active Directory Federation Services (ADFS)
  - Microsoft's federated identity solution is ADFS 2.0
  - Forefront UAG integrates with ADFS
  - SharePoint 2010 integrates with ADFS
- UAG must be used to control access to specific applications
  - Integrated with SharePoint 2010
  - Integrated with Office 2007 and 2010
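The slides above contrast UAG's application-by-application publishing (only the published applications are reachable, and partners see a controlled subset based on federated claims) with a DMZ extranet that exposes the whole SharePoint server. The following Python block is an added example, not from the deck and not Forefront UAG or ADFS code: it models that access decision as a deny-by-default policy in which each published application lists the claims a caller's STS token must carry. The claim types, site paths, issuer URL and sample tokens are all constructed for the example; the path normalisation step is there because a prefix rule that skips it can be bypassed with encoded ".." segments.

```python
"""Claims-based, application-by-application publishing policy (added example)."""
import posixpath
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import unquote, urlsplit

# Constructed claim types; assumed to be issued by the federation trust.
CLAIM_ORG = "organization"
CLAIM_ROLE = "role"

# Placeholder STS issuer URL; a real deployment configures its own trust.
TRUSTED_ISSUERS = {"https://sts.contoso.example/adfs/services/trust"}


@dataclass(frozen=True)
class PublishedApp:
    name: str
    path_prefix: str                        # external path the gateway publishes
    required_claims: Dict[str, Set[str]]    # claim type -> accepted values


@dataclass(frozen=True)
class Decision:
    allowed: bool
    app: Optional[str]
    reason: str


# Constructed publishing rules: employees (contoso) reach the intranet and the
# partner site; partners (fabrikam) reach only the partner collaboration site,
# and only with the project-member role. Nothing else is published.
PUBLISHED_APPS = [
    PublishedApp("intranet", "/sites/intranet", {CLAIM_ORG: {"contoso"}}),
    PublishedApp("partner-collab", "/sites/partners",
                 {CLAIM_ORG: {"contoso", "fabrikam"},
                  CLAIM_ROLE: {"project-member"}}),
]


def canonical_path(url: str) -> str:
    """Decode and normalise the path so '..' or '%2e%2e' cannot slip past a prefix rule."""
    path = unquote(urlsplit(url).path)
    return posixpath.normpath("/" + path.lstrip("/"))


def find_app(url: str) -> Optional[PublishedApp]:
    """Longest-prefix match of the canonical request path against the published apps."""
    path = canonical_path(url)
    matches = [a for a in PUBLISHED_APPS
               if path == a.path_prefix or path.startswith(a.path_prefix + "/")]
    return max(matches, key=lambda a: len(a.path_prefix), default=None)


def authorize(token: dict, url: str) -> Decision:
    """Decide whether a federated token may reach url.

    Fails closed on untrusted issuers, unpublished paths and missing claims.
    """
    if token.get("issuer") not in TRUSTED_ISSUERS:
        return Decision(False, None, "untrusted issuer")
    app = find_app(url)
    if app is None:
        return Decision(False, None, "path not published")
    claims = token.get("claims", {})
    for claim_type, accepted in app.required_claims.items():
        if not (set(claims.get(claim_type, ())) & accepted):
            return Decision(False, app.name, "missing claim " + claim_type)
    return Decision(True, app.name, "ok")


# Constructed sample tokens, standing in for what the STS issues after the
# user authenticates against their own (employee or partner) directory.
ISSUER = next(iter(TRUSTED_ISSUERS))
EMPLOYEE = {"issuer": ISSUER,
            "claims": {CLAIM_ORG: {"contoso"}, CLAIM_ROLE: {"employee", "project-member"}}}
PARTNER = {"issuer": ISSUER,
           "claims": {CLAIM_ORG: {"fabrikam"}, CLAIM_ROLE: {"project-member"}}}
UNTRUSTED = {"issuer": "https://untrusted-sts.example/", "claims": dict(EMPLOYEE["claims"])}

if __name__ == "__main__":
    for who, tok in (("employee", EMPLOYEE), ("partner", PARTNER), ("untrusted", UNTRUSTED)):
        for url in ("/sites/intranet/default.aspx",
                    "/sites/partners/Shared%20Documents/?view=list",
                    "/sites/partners/%2e%2e/intranet/default.aspx",
                    "/_layouts/settings.aspx"):
            print(who, url, authorize(tok, url))
```

The partner token is accepted for the partner site, refused for the intranet (wrong organization claim) and refused for the encoded traversal attempt, which normalises to the intranet path; the unpublished `/_layouts/` path is refused for everyone, and a token from an issuer outside the federation trust is refused before any path is examined. In the DMZ extranet model of slide 5, the equivalent of `PUBLISHED_APPS` would be the whole server, which is the exposure the deck argues against.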
8. Other Security Aspects
- Anti-virus for SharePoint documents and content
  - Forefront for SharePoint 2010
- Client security integrity checking
  - NAP is a Forefront UAG feature
- Client cache cleanup
  - Forefront UAG feature
- Two-factor authentication (2FA)
  - Supported by Forefront UAG
10. Office 2010 & Web Apps
- Office Web Apps allows employees to view and edit documents on mobile devices with no Office installed
- Office Web Apps allows external users to view and edit documents, even if they don't have Office
- Office 2010's new file-transfer protocol provides faster open and save of documents, even on poor-bandwidth networks
- Office 2010 allows for co-authoring documents across multiple locations and device types