WSS SSO authentication in DMZ (or not?)
Hello,

I am trying to configure a WSS server for a company which has typical needs: an extranet for external people (outside the domain), and this extranet should be accessible from corporate users (from the domain). After some research on the web, the solution is not clear. I would like to know the best solution for that configuration, which can be listed like this:

- Windows integrated authentication for corporate users (they should not log on twice)
- Form based authentication for external users (custom provider)
- No security problems
- SQL Server is not on the WSS server

Some solutions I've found:

1. Opening ports on the firewall to let the WSS server (DMZ) communicate with AD --> many security risks??
2. Put WSS on the LAN and use a web application firewall
3. Create a local AD for the WSS server and make it trusted by the company AD? --> still have opened ports...
4. Create a local AD for the WSS server and synchronize both ADs with a dedicated application --> dirty...?

If you have a better solution, I would appreciate it.

Thank you
adrian
February 10th, 2009 7:59pm

Hi Adrian,

"Some solutions I've found: Opening ports on the firewall to let the WSS server (DMZ) communicate with AD --> many security risks?? Put WSS on the LAN and use a web application firewall. Create a local AD for the WSS server and make it trusted by the company AD? --> still have opened ports... Create a local AD for the WSS server and synchronize both ADs with a dedicated application --> dirty...? If you have a better solution, I would appreciate it."

1. Not recommended at all and exposes a lot of security risks.
2. Works well, and Microsoft recommends using ISA Server to publish the web sites.
3. Same as 1.
4. Same as 1.

The "best" solution could be:

1. Integrated authentication for corporate users.
2. Publish SharePoint using ISA Server for external users (you could use ISA form based authentication for remote users).
3. Extend the SharePoint web application and configure it to, e.g., the external zone and use form based authentication using either SqlMembershipProvider or a custom one (publish using ISA Server).

If you need to use an LDAP catalog to authenticate external users, then check out FBA with AD LDS (ADAM).

Hope this helps!

Cheers,
Daniel Bugday
Web: SharePoint Forum
Blog: Daniel Bugday's SharePoint Blog
February 10th, 2009 10:13pm
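To make step 3 of the answer above concrete, here is an added example of what the web.config of the extended (external) zone looks like when it is switched to forms authentication backed by SqlMembershipProvider. It is illustrative configuration written for this thread, not code from the original post or from Microsoft; the provider names (FbaSqlMembers, FbaSqlRoles), the connection string name, the SQL host and database names, and the placeholder credentials are all assumptions to be replaced with your own values.

```xml
<configuration>
  <connectionStrings>
    <!-- Assumed name/host/database. The membership DB lives on the internal SQL
         Server, so the only hole the DMZ front end needs towards the LAN is the
         SQL port, not the whole set of AD ports that option 1 would require.
         A DMZ server that is not domain-joined cannot use Integrated Security,
         hence a dedicated low-privilege SQL login (placeholder values). -->
    <add name="FbaMembershipDb"
         connectionString="Server=SQL-PLACEHOLDER;Database=aspnetdb;User ID=fba_app_PLACEHOLDER;Password=CHANGEME" />
  </connectionStrings>

  <system.web>
    <!-- Forms authentication for the external zone only; the default (intranet)
         zone of the same web application keeps Windows integrated authentication. -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" />
    </authentication>

    <!-- The ASP.NET SqlMembershipProvider used by SharePoint FBA. Passwords are
         stored hashed and retrieval is disabled; lockout after 5 failed attempts
         in a 10 minute window limits online guessing against the extranet login. -->
    <membership defaultProvider="FbaSqlMembers">
      <providers>
        <add name="FbaSqlMembers"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>

    <!-- Role provider so external users can be granted SharePoint permissions by group. -->
    <roleManager enabled="true" defaultProvider="FbaSqlRoles">
      <providers>
        <add name="FbaSqlRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>

  <SharePoint>
    <!-- Lets the People Picker search the SQL membership store with a wildcard. -->
    <PeoplePickerWildcards>
      <clear />
      <add key="FbaSqlMembers" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>
</configuration>
```

The same provider entries also have to be present in the Central Administration web.config so that site collection administrators can resolve the SQL users, and the zone's authentication type itself is switched to Forms in Central Administration (Authentication Providers), which writes the <authentication> element for you. Because the connection string of a DMZ front end carries a SQL login, encrypt that section rather than leaving it in clear text (ASP.NET ships aspnet_regiis -pe for this), and keep the external zone on HTTPS so the forms login and its cookie are not exposed on the wire.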

Hello Daniel,

Thanks for your precise answer. Is there an alternative to avoid using ISA Server? I would like to use the split back-to-back topology without ISA (http://technet.microsoft.com/en-us/library/cc263513.aspx#section7).

Thank you.
adrian
February 11th, 2009 1:23pm

"Is there an alternative to avoid using ISA Server?"

- You could probably use any "proxy" server, as long as the product knows how to "publish" web sites.
- What you lose without using ISA Server is the built-in functionality for web site and SharePoint publishing.

Cheers,
Daniel Bugday
Web: SharePoint Forum
Blog: Daniel Bugday's SharePoint Blog
February 11th, 2009 2:45pm

Hi,

This is probably a bit late for a follow-up on this thread, but here goes. What if your possible solution number 2 is not an option? My corporate domain cannot be accessed and a one-way trust relationship is not possible. What would be the best solution in this scenario? The essential part here is that there would be no need to reauthenticate.

Best regards
Pål Eilertsen
November 2nd, 2010 9:11am
