Friday, December 21, 2012

Adding a new DMZ WFE server to an existing internal SharePoint/Project Server 2010 farm (Tips and Tricks)


Environment: SharePoint / Project Server 2010 /SQL Server 2008 R2


Scenario:

My client asked us to expose our existing internal SharePoint/Project Server (EPM) environment outside of the firewall so that it could be accessed from the internet. The proposed solution had to serve not only our internal corporate users but also our external members or partners, who would not belong to the internal domain (Domain1) used for internal employees.

Infrastructure:

Our infrastructure is composed of one WFE server, one Application server and a SQL Server cluster. Both the WFE and the App server are virtual servers; the SQL Server is a physical server.

We are adding a new WFE server that resides in the DMZ (outside of the firewall) in a different domain (Domain2). We established a one-way trust from Domain2 to Domain1 so that the additional DMZ WFE server recognizes Domain1 users' authentication. Our users will access the environment over https (SSL certificate).


Steps:

The following steps (in this sequence) are very important to get it set up, based on my successful implementation experience.

1-    Install all the prerequisite software components, including SQL Server Management Studio, SQL Server Configuration Manager, Analysis Management Objects (AMO) for the OLAP cube, etc.
2-    Work with your firewall team to open the following ports before starting the actual installation:

Source                       Destination                  Rule
DMZ WFE Server IP address    SQL Server IP address        TCP/IP: 9914 (as per DBA)
DMZ WFE Server IP address    APP Server IP address        TCP: 32844 (https)
                                                          TCP: 32843 (http)
DMZ WFE Server IP address    APP Server IP address        TCP: 445 (https) (for SMB)
                                                          UDP: 445 (http)
Internet                     DMZ WFE Server IP address    TCP: 443 (SSL)



3-    Make sure your server support department has created a DNS record pointing to the external IP address of the DMZ WFE server.
4-    Install both the SharePoint and Project Server binaries (don't run the SharePoint Products Configuration Wizard yet).
5-    Install Service Pack 1 (SP1) and exactly the same Cumulative Updates (CU) that you have on the existing internal WFE and APP servers (don't run the SharePoint Configuration Wizard yet).
6-    In SQL Server Configuration Manager, create a DB client alias. Make sure you use the same alias name that you used in the existing environment. This is very important; otherwise the SharePoint Configuration Wizard will fail at step 3.
7-    You can use the SharePoint AutoInstaller script from CodePlex to automate steps 4 to 6 (optional).
8-    Once the new DMZ WFE server has joined the existing farm, complete the following process:

·         Go to the SharePoint Central Administration site.
·         Extend the web application you want to expose outside. This is a very important step; otherwise you can't access any site except the main root site.
·         Make sure you enter the correct host name (AppName.companydomain.com) and port 443 so the application site is accessed via https.
·         Go to the DMZ WFE server, open IIS and apply the SSL certificate. Make sure you apply the SSL certificate on ALL the internal WFE servers as well. This is important.

9-    After completing all the above steps, you should be able to access your application from outside with users from both domains (Domain1 and Domain2).
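Steps 2 and 6 are the two that the post says will make the configuration wizard fail at step 3, so it is worth checking them from the DMZ WFE server before running the wizard. The following PowerShell pre-flight script is an added example (not code from the original post); the alias name and server names are assumed placeholders, and the port numbers come from the table above.

```powershell
# Added example (not from the original post): pre-flight check to run on the
# new DMZ WFE server before the SharePoint Products Configuration Wizard.
# It verifies the two things the post says make the wizard fail at step 3:
# the SQL client alias must match the existing farm's, and the firewall rules
# from the port table must be open from the DMZ side.
# $ExpectedAlias, $SqlServer and $AppServer are assumed placeholder values.
$ExpectedAlias = 'EPMSQL'        # assumed: alias name used by the existing farm
$SqlServer     = 'sqlcluster01'  # assumed: SQL cluster name or IP
$SqlPort       = 9914            # SQL port given by the DBA in the post
$AppServer     = 'appserver01'   # assumed: internal APP server name or IP
$TimeoutMs     = 3000

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewalled port usually shows up as a timeout, not a refusal.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# SQL Native Client aliases are stored under ConnectTo as "DBMSSOCN,<server>,<port>".
# SQL Server Configuration Manager has a 64-bit and a 32-bit node; check both.
$aliasKeys = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
foreach ($key in $aliasKeys) {
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$ExpectedAlias
    if ($value -eq "DBMSSOCN,$SqlServer,$SqlPort") {
        Write-Host "OK      alias '$ExpectedAlias' in $key -> $value"
    } else {
        Write-Warning "alias '$ExpectedAlias' missing or different in $key (got '$value')"
    }
}

# Firewall rules from the post's table, tested outbound from the DMZ WFE.
$checks = @(
    @{ Target = $SqlServer; Port = $SqlPort; Why = 'SQL via client alias (as per DBA)' },
    @{ Target = $AppServer; Port = 32844;    Why = 'service applications (https)' },
    @{ Target = $AppServer; Port = 32843;    Why = 'service applications (http)' },
    @{ Target = $AppServer; Port = 445;      Why = 'SMB' }
)
foreach ($c in $checks) {
    $state = if (Test-TcpPort -ComputerName $c.Target -Port $c.Port -TimeoutMs $TimeoutMs) { 'OK     ' } else { 'BLOCKED' }
    Write-Host ("{0} {1}:{2}  {3}" -f $state, $c.Target, $c.Port, $c.Why)
}
```

Any BLOCKED line or alias warning should go back to the firewall team or the DBA before the wizard is run; the inbound 443 rule from the internet has to be verified from outside the DMZ, not from this host.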



Issues / Limitations / Solutions:


1-   Project Server 2010 Synchronization Failed:

Establishing a one-way trust between the two domains only resolves the SharePoint authentication issue; Project Server sync will not work and will not recognize Domain2 AD groups or users. SharePoint and Project Server use completely different logic: SharePoint depends on the NT account, but Project Server needs the display name of the user's account, so if the nearest global catalog does not hold all that information, it will not be able to fetch it. You must establish a two-way trust to make it work.


In my case, my company policy does not allow establishing two-way trusts for security reasons. In that case, the PWA sync process can't work. We had very few external users (with Domain2) who planned to use PWA access. The workaround is as below:

·         Go to the Central Administration site.
·         Go to Services on Server.
·         Select your newly added DMZ WFE server.
·         Start the Project Application Service.
·         Now you can add Domain2 users in PWA manually.

2-   Search is not working when accessing SharePoint sites from Internet:

To make it work, follow the steps below:

·         Go to the Central Administration site.
·         Click Manage service applications.
·         Click the Search Service Application.
·         Under the 'Search Application Topology' section, click the 'Modify' button.
·         Click 'New' >> 'Index Partition and Query Component'.
·         Select the DMZ WFE server, associate the existing search database, update the query path and click OK.
·         The above steps will start the 'SharePoint Server Search' service on the DMZ WFE server.
·         You should be able to search your content now.


I hope all the above steps help you set up your infrastructure properly and error-free. Please leave a comment if you want to share.

2 comments:

  1. Hi Ijaz,

    Could you please help me to join a SharePoint server to an existing SharePoint farm?

    The existing farm architecture is:

    We have 2 web servers and 2 application servers connected to a SQL Server cluster.

    I have a requirement to add new web servers to the existing farm, but our new servers are in a workgroup. How can I join our workgroup server to the SharePoint farm? I followed the above steps but still no luck. Once I joined the (workgroup) server to the existing farm I got error 1387 on step 3.

    Please help me with how I can join the server?