Extranet Topology Help

I am setting up a 2013 client extranet and I have a few questions.
My server setup:
Internal network --> || firewall  ||  --> (SharePoint, SQL)  <-- external users
I have created a SharePoint web application and am using SQLMembershipProvider to log in. I created a site collection for each client and assigned permissions accordingly. So I have http://clientA.company.com, http://clientB.company.com, etc.
This works, but it is very annoying to have to remember the URL for every single client. I want to set up something like http://clients.company.com where there is a landing page with links to every client site a person has access to. So our clients would just see the one or two sites they can get to and our sales staff would see every client URL.
Does anyone know how to accomplish this? I could just create one site collection to accomplish this, but I've read that having 1 site collection per client was better. On our corporate website we'd like to include a link to http://extranet.company.com, and obviously cannot have links for every client extranet site.
Please help! I've been working with SharePoint since 2003, but this is my first extranet deployment.
Thanks in advance.
Ryan

Hi Ryan
You could do this by using the Content Search Web Part. Just restrict your results to show only site collections (contentclass:"STS_Site"). As the results are security trimmed, the users would only see the URLs they are allowed to see.
Andrei
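
Added example, not part of Andrei's reply: the same contentclass:"STS_Site" query issued through the SharePoint 2013 Search REST endpoint from a script on the landing page, with the verbose OData response parsed into a link list. The function names and the sample response are constructed for illustration; the server runs the query as the signed-in user, so the trimming still happens there and not in this script.

```javascript
// Added example, not code from the thread. Function names and the sample
// response are constructed; the host names are the ones used in the question.

// Build the SharePoint 2013 Search REST query that returns site collections.
function buildSiteCollectionQuery(webUrl) {
  const params = [
    ["querytext", "'contentclass:\"STS_Site\"'"], // site collections only
    ["selectproperties", "'Title,Path'"],
    ["trimduplicates", "false"], // near-identical sites can otherwise be collapsed
    ["rowlimit", "500"],
  ];
  const qs = params.map(([k, v]) => k + "=" + encodeURIComponent(v)).join("&");
  return webUrl.replace(/\/+$/, "") + "/_api/search/query?" + qs;
}

// Turn the odata=verbose response into [{title, url}], keeping only http(s)
// links under the expected DNS suffix (an added precaution before rendering).
function parseSiteCollections(body, allowedSuffix) {
  const rows =
    body?.d?.query?.PrimaryQueryResult?.RelevantResults?.Table?.Rows?.results ?? [];
  const sites = [];
  for (const row of rows) {
    const cells = {};
    for (const cell of row.Cells?.results ?? []) cells[cell.Key] = cell.Value;
    let parsed;
    try {
      parsed = new URL(cells.Path);
    } catch {
      continue; // missing or malformed Path
    }
    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") continue;
    if (!parsed.hostname.toLowerCase().endsWith(allowedSuffix.toLowerCase())) continue;
    sites.push({ title: cells.Title || parsed.hostname, url: cells.Path });
  }
  return sites.sort((a, b) => a.title.localeCompare(b.title));
}

// Run the query as the signed-in user; the server does the security trimming.
async function loadSiteCollections(webUrl, allowedSuffix) {
  const res = await fetch(buildSiteCollectionQuery(webUrl), {
    headers: { Accept: "application/json;odata=verbose" },
    credentials: "include", // send the user's existing SharePoint session
  });
  if (!res.ok) throw new Error("Search query failed: HTTP " + res.status);
  return parseSiteCollections(await res.json(), allowedSuffix);
}

// Constructed sample: what a ClientA user might get back.
const SAMPLE_RESPONSE = { d: { query: { PrimaryQueryResult: { RelevantResults: {
  Table: { Rows: { results: [
    { Cells: { results: [
      { Key: "Title", Value: "Client A" },
      { Key: "Path", Value: "http://clientA.company.com" },
    ] } },
    { Cells: { results: [
      { Key: "Title", Value: "Unrelated" },
      { Key: "Path", Value: "http://other.example.net" },
    ] } },
  ] } },
} } } } };
```

To confirm the trimming, run the query while signed in as one client account and check that no other client's site collection comes back.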

Similar Messages

  • Vpc topology help for nexus 7k

    hi team,
    i have attached topology 1 and topology 2 for nexus 7k for vpc scenario.
    Access switches got only 2 x 10 g capacity to Nexus switches.
    What are the benefits in topology 1 and topology?
    In topology 2, inter-switch links can be possible only through gigabit link rather than 10G links.

    Hi Sampath,
    Both topologies look good.
    The only thing which I can say is that topology 2 is awesome as you would have the access switch redundancy available, whereas in Top1 you don't have that.
    In case something breaks down (example: links to the Nexus go down from Switch1), you would have the backup way to reach the external network using switch 2.
    HTH
    Regards
    Inayath.

  • AD topology help

    Hi everyone,
    Please do help me to design directory services.
    We are planning to come up with 2 datacenters.
    We are planning to place 2 Domain controllers in each Datacenter
    DC1,DC2 will be in datacenter1(DC1 is physical and DC2 is virtual)
    DC3,DC4 will be in datacenter2.(DC3 is physical and DC4 is virtual)
    Servers    Roles                                          Global catalog
    DC1        Schema master and domain naming master         Yes
    DC2        RID master and PDC Emulator                    Yes
    DC3        Infrastructure Master                          Yes
    DC4                                                       Yes
    Is this the best way to approach or please do suggest the best way i can approach

    > Is this the best way to approach
    No. Each DC should be a GC, too - that's ok so far. But for ease of
    administration, designate ONE DC to hold all FSMO roles. And let this be
    a physical DC.
    Greetings/Grüße,
    Martin

  • How to properly create and configure SharePoint 2013 Search service with PowerShell?

    Hello Forum,
    I have installed SharePoint 2013 across three tier servers:
    WFE Server  (Of course, SharePoint is installed here. Basically this is just a Web server)
    APP Server  (Of course, SharePoint is installed here + Central Admin + Service Apps).
    SQL Server
    I now want to create and configure the Search service, obviously on the APP Server, but of course the search functionality should work correctly on the WFE server too.
    I want to do this via a proper PowerShell script. I found Spence Harbar's script on: (http://www.harbar.net/articles/sp2013mt.aspx), but it has three problems, and they are as follows:
    1) Spence Harbar himself literally stated in his article that this script is for: "deploying on a single server farm", but what if I have three tier servers? Could anyone please help me out in suggesting the required tweaks in the script?
    2) By default Search uses the SP_Farm account, so how can I change the script to use another dedicated account for the search service, e.g. SP_SearchAcc?
    3) How can I modify the script to specify a default Search center?
    4) Apart from all the three aforementioned points - is the script missing anything?
    I would greatly appreciate your inputs - Thanks !

    The only differences are where you place the components. If you are doing a small server farm with a 1-1-1, most likely you just need to change the script so that you set the index and query processing component on the front end, but the others on the app server. Just a 2 second update... just keep in mind this will work, but I am making several assumptions without any knowledge of your farm, users, capabilities.
    Generally, there would be more of a breakout on the topology than that, but I'm guessing for this farm that you won't have dedicated search servers. Also, a lot depends on # users (RPS really), # items in index, size of VMs (RAM for query processing, disk for index, etc.), and making sure the topology works for your particular environment and needs.
    If you want more detailed topology help, which aligns as closely as possible to "best practices" (not that those exist in SharePoint), go ahead and provide the total # users, average/peak RPS for search, current index size, content source types, VM specs RAM, CPU, #/size of drives, HA concerns/priority (obviously isn't, since only 1-1-1).
    Christopher Webb | MCM: SharePoint 2010 | MCSM: SharePoint Charter | MCT | http://christophermichaelwebb.com

  • Howto or best practice guide

    I am ready to start testing NSM, mainly for management of home
    directories but I cannot seem to find anything about the network
    design/requirements for this product. I can see the install guides but
    nothing about server requirements.
    Do I need a dedicated server for this or would it be fine on an existing
    OES server?
    How much RAM etc does it need?
    How many servers do I need? We have about 3000 users currently.
    Does the server(s) need a replica? I really don't want to add more
    replicas if it can be prevented.
    Is there a best practices guide somewhere?
    Thanks
    Buster

    I cannot find the server requirements in the docs. I'm sure it's there
    somewhere but I cannot find it. When looking at the "prerequisites" page
    at
    http://www.novell.com/documentation/...a/a20gkue.html
    it doesn't mention anything about actual software/server requirements.
    On 7/25/2012 11:36 AM, Novell File Management Suite Team wrote:
    > On 7/25/2012 9:37 AM, Buster wrote:
    >> I am ready to start testing NSM, mainly for management of home
    >> directories but I cannot seem to find anything about the network
    >> design/requirements for this product. I can see the install guides but
    >> nothing about server requirements.
    >>
    >> Do I need a dedicated server for this or would it be fine on an existing
    >> OES server?
    >>
    >> How much RAM etc does it need?
    >>
    >> How many servers do I need? We have about 3000 users currently.
    >>
    >> Does the server(s) need a replica? I really don't want to add more
    >> replicas if it can be prevented.
    >>
    >> Is there a best practices guide somewhere?
    >>
    >> Thanks
    >> Buster
    > Buster,
    >
    > Our server requirements can be found here:
    > http://www.novell.com/documentation/...a/a20gkue.html
    >
    >
    > You'll note that we do not have extensive server requirements; we
    > generally recommend at least 4GB of RAM and at least two processor cores
    > (assuming virtualization). More is always better, especially if you
    > expect a heavy load with many events being processed constantly.
    >
    > It is not necessary to install the NSM Engine on a dedicated server,
    > though be aware that the Engine can be moderately expensive. We do
    > recommend installing an Agent on each file server if possible, though
    > they can be configured to proxy for other servers as well.
    >
    > It is not necessary to have a replica on the Engine or Event Monitor
    > server, though having them 'close' to a replica server in your network
    > topology helps to improve performance.
    >

  • Test POP3 error: 550 5.7.1 client unable to relay

    My Outlook connects to the Exchange 2013 server via POP3; when connecting, an error message pops up: 550 5.7.1 unable to relay. Some users can connect to the Exchange 2013 server via POP3, but some users cannot connect. I also checked the permissions of the Exchange server receive connector; they should be good. I also checked the permissions of the AD user. Please view the following:
    NT AUTHORITY\SELF             False                         {GenericRead}                            
    NT AUTHORITY\SELF             False                         {ExtendedRight}               {Send-As}          
    NT AUTHORITY\SELF             False                         {ReadProperty, WriteProperty}                      
    NT AUTHORITY\SELF             False                         {ExtendedRight}               {Receive-As}          
    NT AUTHORITY\SELF             False                         {ExtendedRight}               {User-Change-Password}       
    NT AUTHORITY\SELF             False                         {ReadProperty, WriteProperty}                      
    NT AUTHORITY\SELF             False                         {ReadProperty, WriteProperty}                      
    NT AUTHORITY\SELF             False                         {ReadProperty, WriteProper... {Private-Information} 
    Excuse me, how can I solve the problem? Thank you!
    北京老马

    I have solved the problem for some users with reference to the following:
    get-mailbox -identity <username> | remove-adpermission -User "NT AUTHORITY\SELF" -AccessRights extendedright -ExtendedRights "Send As"
    get-mailbox -identity <username> | add-adpermission -User "NT AUTHORITY\SELF" -AccessRights extendedright -ExtendedRights "Send As"
    But some users still cannot relay mail to the extranet. Please help me.
    北京老马

  • Help accessing an extranet?

    I've been given some login details for an extranet yet I get this error when going to the url:
    https://www.xxxxxxx/website/Amber.nsf
    Safari can’t open the page “https://www.xxxxxxx/website/Amber.nsf”. The error is: “The server “www.xxxxxx” did not accept the certificate.”
    (NSURLErrorDomain:-1205) Please choose Safari > Report Bugs to Apple, note the error number, and describe what you did before you saw this message.
    I can access the site using Chrome and Firefox, can anybody help me to get Safari working?

    This will get you a handle on the two Xml nodes with that address-id:
    <cfset results = XmlSearch(myXml, '//:result[@address-id="739030698069958"]') />

  • New to Network - Is this topology and understanding correct ? (please help)

    Hi all,
    I am new to networking and am currently taking my ICND1 course, but have no actual hands-on experience besides the short lab lessons in class.
    Hence, I would like to take this opportunity to check with the gurus here for their advice and to see if my understanding is correct or wrong.
    Please pardon me if I ask/make any silly questions or wrong theories.
    =========================================================
    Refer to the diagram below (which I drew)
    Assumptions
    Node 1 and Node 2 need to have public IPs assigned by ISP.
    Internal and management network not reflected
    Security not a concern, NAT/DMZ not required
    Firewall and Router are 2 separate physical devices
    Questions
    Q1) Is my topology and IP assignment correct based on the assumptions above?
    Q2) do we need to assign IPs to Fe0/0 for both firewall and MyRouter ? Must it be using the ISP issued IPs or can it be internal IPs ?
    Q3) Can we consider MyRouter Fe0/0 and below = 1 broadcast domain/network segment or
    MyRouter Fe0/0 to Fe0/0 firewall = 1 network segment and Firewall Fe0/1 and below = another network segment ? and why ?
    I am thinking of how does a IP packet transfer from node1 to the internet. Let's say node1 send a packet to 8.8.8.8
    [src ip=202.156.1.4][dst ip=8.8.8.8][src mac=a.b.c.d][dst mac=a.b.c.f] (packet going from Node1 to the gateway/firewall)
    [src ip=202.156.1.4][dst ip=8.8.8.8][src mac=a.b.c.g][dst mac=a.b.c.h] (packet going from the Firewall to the MyRouter)
    Q4) How does firewall know which interface it must exit on the next hop ?
    Is there a routing table in Firewall ? Does the Firewall has a default gateway , or it has a default route ?
    Q5) Since the firewall is connected to MyRouter directly, how does it know the MAC address of MyRouter and vice versa ? Can we do ARP request without going through switch ? Is the MyRouter physically connected to the switch or to the Firewall ?
    Hope some kind gurus here can enlighten me.
    Thanks

    Hi Jon,
    Thanks for shedding some light on my questions
    In terms of IP addressing it depends on what the ISP has given you. Often you get two blocks, one for the link between the outside of your router and the ISP router and one for use for the connection between the outside interface of your firewall and the inside interface of your firewall.
    The ISP router would then have a route for the block in use between your firewall and router pointing to the outside interface of your router.
    Q1) Let's say the 1st block will be 202.123.123.1 and 202.123.123.2 that will be the IP between my external interface of MyRouter and the ISP router -> am I right ?
    Q2) For the 2nd block based on my example, it will be 202.156.1.0/24, am i right ?
    Q3) Can i further subnet this block (202.156.1.0/24) so that I can have a different subnet between MyRouter internal interface fe0/0 <-> MyFirewall external interface fe0/0 and another subnet for MyFirewall internal interface fe0/1 and below ?
    In this case, I can have 2 different subnets so that routing can occur between MyRouter and MyFirewall?
    Q4) Actually, the question on whether MyRouter needs to be connected to the switch is because, from what I have understood, a packet needs to have both the L3 IP addresses and L2 MAC addresses to be sent out.
    Since the firewall is forwarding a packet from node1 to the MyRouter, it needs to know MyRouter mac address, so I am asking if an ARP request can be done directly from the connection from MyFirewall to MyRouter..
    Actually, is there a routing table inside the Firewall as well ? how does it knows where to forward the packet out ?
    Q5) I understand that it will be good to do NAT and I have been hearing from people that assigning public IPs on the nodes are bad. But why ?
    If I have assigned public IPs on the nodes, doesn't the packets still go through the firewall for whatever inspection that is needed as compared to NAT ?
    Jon, just a shoutout and thanks on the replies that you have given me as I do not really have anyone to ask except for the forums around.
    Thank you.
    Regards,
    Noob

  • Creating Extranet and Intranet in a single web application?

    I'm confused ... again! Maybe you can help.
    Microsoft's best practices for setting up SharePoint 2013 is to utilize a single web application in a single web application pool.
    My Network Topology
    I am setting up my intranet AND extranet in a back-to-back perimeter network topology using Claims and Kerberos Constrained Delegation. I will have a dedicated AD instance on the DMZ which my clients will be added to. My corporate users will access the site via ADFS using their credentials on our internal network. There will be only a One Way Trust wherein the extranet AD will trust the corporate AD. We will be using Host named site collections and giving clients their own URL. They will basically be accessing a single list and perhaps a page that gives them some reports about tasks across a few sub-sites and the status of a single workflow on the root site of their site collection.
    My SharePoint Topology
    I would like to follow MS' Best Practice as stated above but I'm not clear on a few things.
    1. Does it matter whether my extranet or intranet is on the Default Zone? I'm thinking that the intranet should be on the default since that is where Search crawls and that's the only place where search will be used in any way.
    Is it possible to have two sets of permissions on a single web application, one for internal and one for external, without extending the default zone to create the extranet and thereby creating a new IIS website (webapp) in the process?
    Thank you!
    Love them all...regardless. - Buddha

    Hi,
    Please refer below.
    https://social.msdn.microsoft.com/Forums/sharepoint/en-US/47081f77-fccb-4bc3-906b-76d187861f8c/intranet-and-extranet-web-applications-on-same-port?forum=sharepointadminlegacy
    http://blogs.technet.com/b/speschka/archive/2013/06/26/logical-architecture-guidance-for-sharepoint-2013-part-1.aspx
    https://social.msdn.microsoft.com/Forums/sharepoint/en-US/c0702003-8d53-46cf-ac09-49cbd270a43e/extranet-access-to-the-intranet-web-application-sharepoint-2010?forum=sharepointgeneralprevious
    Krishana Kumar http://www.mosstechnet-kk.com

  • What is the best solution to create SharePoint Extranet Application for existing windows web application ?

    Hello,
    At present my SharePoint farm is having following domains:
    1) Internal Domain - Domain1
    2) External Trusted Domain - Domain2
    And Following Intranet WebApplications having Windows Mode Authentication:
    1) http://mywebapp1.Domain1.com - Single site collection
    2) http://mywebapp2.Domain1.com - Multiple site collections
    3) http://mywebapp3.Domain1.com - Multiple site collections
    Both Domain1 and Domain2 users are able to access above web applications.
    Now , we have requirement to add other trusted domains Domain3 , Domain4...etc. and create Extranet Application and I have following questions :
    What kind of topology and Authentication is required ?
    AD as User Identity storage location is better way for all other domains since there is trust ?
    Do I need to just extend all the web applications in extra net zone and create site collection for different domains to isolate security and content as per the need ?
    Is there any other best solution to implement extranet application under current environment ?
    what kind of other factors are important to consider in order to create extranet application ?
    Your help will be highly appreciated.
    Thanks and Kind Regards,
    Dipti Chhatrapati

    Hi Tom,
    I have following information till now:
    External domain will be trusted with parent domain where SharePoint is installed. 
    Authentication of external domain will be Windows Authentication.
    User Identity storage location will be Active Directory of external  domain.
    Site to be accessed by external domain will be http://mywebapp1.Domain1.com
    Now question is :
    Should I assign external AD group ( Domain2ADGroups ) to SP Web Application  http://mywebapp1.Domain1.com
    OR
    Should I extend the application in extranet zone for external domain and then assign permission to extended
    application ?
    I guess , if authentication is same then no need to extend the application - correct ?
    Thank you to look at this thread !
    Dipti Chhatrapati

  • Need help with Sharepoint foundation web application stuck on "STOPPING" error job-service-instance-GUID Number already exists

    Hi All,
         I can't get the SharePoint Foundation web app service to stop. It's stuck on status Stopping.
    I have tried the following:
    reset IIS
    restarted the Timer Service
    When I try to use powershell command to stop I get the following error:
    Can anyone who went through this help PLEASE
    Stop-SPServiceInstance : An object of the type
    Microsoft.SharePoint.Administration.SPServiceInstanceJobDefinition named
    "job-service-instance-1ff39eb2-12d2-457d-a749-265e350eb1b1" already exists
    under the parent Microsoft.SharePoint.Administration.SPTimerService named
    "SPTimerV4". Rename your object or delete the existing object.
    At line:1 char:127
    + ... pplication"} | Stop-SPServiceInstance
    + ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (Microsoft.Share...ServiceInstance:
    SPCmdletStopServiceInstance) [Stop-SPServiceInstance], SPDuplicateObjectEx
    ception
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletStopServ
    iceInstance

    Hi,
    It seems that the issue is in the timer job definition for executing this operation.
    My suggestion is to start the service again and delete the job definition from the error and again try to stop it.
    This might be helpful:
    http://sharepoint.stackexchange.com/questions/22368/is-there-a-powershell-cmdlet-to-delete-a-timer-job 
    I had a lot of issues in the past when trying to stop this instance after the Web apps are provisioned.
    As a general rule now, if I have a multi-server Farm topology that has servers that should not serve Web App requests, I turn off the service prior to provisioning any Web Apps in the Farm.
    BR,
    Ivan

  • Urgent help needed BARS

    Guys, I have a very simple question but I can't get my head around it. I have a running environment (cluster) of call managers. Now I want to replicate it in my lab with the same topology. I am using BARS as well. I have already built the call managers (in the lab). I don't remember the SQL passwords or other passwords for the live CCM cluster. If I take a backup and put it in the lab, will it work? Or do the passwords have to be the same in the lab as in the live environment? Guys, urgent help is needed. Regards

    You can restore the node in the lab with the tar file you got from the back up. The restore will override the passwords and assign the ones taken from the back up. I hope that helps!

  • Urgent Help Required for Unified wireless network help

    Dear Community
    I need urgent help with a unified wireless network setup to deploy in a college.
    The scenario for this network is that I have a WLC 5500 and 12 LWAPP 1252 series APs for this deployment, and there is already an existing LAN
    network to connect the new unified wireless setup to.
    The proposed topology is above.
    I need help with this setup:
    I know the basic configuration to do on the controller, but I really do not know what steps I need to configure from the GUI on the controller for each access point. As you can see above, I have three floors in the building and I want to configure three SSIDs (Employ, contractors and Guest) for each floor, and I need to know how to configure the encryption type and shared key for each SSID,
    what I have to configure for the APs to join them to the controller,
    and how to configure RF grouping for each floor.
    Please, I need an urgent reply because I have to finish this whole setup in only one week.
    Thanks in advance.

    Hi,
    Whatever you want, the link below has everything. Just click on the stuff that you need from the menu and this will do it for you!!
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70.html
    1>> Configure WLANs.
    2>> Configure AP Grouping.
    Regards
    Surendra

  • Help required with ADFS 3.0 client certificate authentication

    Hi,
    I am currently working on integrating ADFS 3.0 for Single Sign On to some 3rd party services along with a PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then federate user credentials to 3rd party trust for single-sign-on.
    I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open the browser to log on, the ADFS 3.0 page displays a message as "Select a certificate that you want to use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
    The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
    Thanks!
    -Chinmaya Karve

    Hi Yan,
    Thanks for your response. I have gone through the posts that you have suggested, and my setup looks pretty much as expected.
    So, as I mentioned earlier, I have 2 parallel setups with a 3rd party service (SalesForce). One of them is running ADFS 2.0 and another one has ADFS 3.0. I can log on to the third-party services from both the setups using username/format. I can log on to SF using client authentication certificate from the ADFS 2.0 setup, but from the same client machine, when I try to log on to SF via ADFS 3.0, the browser just does not pick up any certificate. The page just shows the message "Select a certificate that you want to use for authentication. If you cancel the operation, please close your browser and try again.".
    I have checked the browser, and it has the right certificates. Also, the same browser/machine is used to logon to SF through ADFS 2.0 via client certificate, which works just fine !
    I am really confused now, as to whose issue this really is...
    Just to confirm, I am using Certificate Authentication from ADFS 3.0 Authentication Methods for both Intranet and Extranet.
    Any suggestion or inputs where I could have gone wrong in the setup?
    Thanks!

  • Help DBA and Programmers shut out after site Move.

    I am hoping that somebody will help me with this problem.
    This week we Moved a group of application programmers to a new site due to
    office space needs.
    However we have a DMZ that is accessible from the internet for our customers
    B2B business. Problem is we don't route that DMZ inside our Frame Relay
    cloud.
    And right now, the remote site cannot access the servers to manage, drop
    code or maintain the apps.
    For security reasons we do not want to route the internet facing DMZ through
    our Global WAN. I have tried several solutions and none is working.
    Before they were able to access their servers because we could use a static
    gateway in one of our internal firewalls. So you still were in the WAN FR
    but it was also local in the sense that the firewall has an interface in our
    LOCAL LAN. We then PATTED the whole internal range. This time address
    translation will not work because you still need to route the destination
    address.
    Can anyone suggest a solution.?

    I want to make sure that I understand your new topology correctly, reflecting the new site where the app dev staff resides. I assume that the servers did not move, and the remote site that you refer to is not a customer B2B site, but rather the new site where the app dev staff resides. Is that correct? If so, then run an IPSec VPN between the router that has an interface in the new site and the router that has an interface where the servers reside. This way you can keep the subnets you want hidden from the global routing table by protecting them by configuring the router that is in front to use IPSec for any traffic to and from that subnet.
    Let me know if this was of any help.
