MOSS Small Farm Installation and Configuration War Story

This week, I've struggled a bit with my team to get MOSS installed in a simple two-server farm. Having gone through it, I have a much broader appreciation for the kinds of problems people report on the MSDN forums and elsewhere.

The final farm configuration:

  • SQL / Index / intranet WFE inside the firewall.
  • WFE in the DMZ.
  • Some kind of firewall between the DMZ and the internal server.

Before we could start the project, we let the client know which ports needed to be open. During the give and take, back and forth over that, we never explicitly stated two important things:

  1. SSL means you need a certificate.
  2. The DMZ server must be part of a domain.
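A pre-flight script for those two prerequisites, added here as an example and not part of the original post: run on the DMZ server, it checks that the box is joined to a domain, that the SSL certificate in the machine store actually carries a private key (the failure Paul describes in the comments below, where a .cer mailed back by a CA for a request generated on some other machine is useless to IIS), and that the ports agreed with the client are actually reachable through the firewall. The host name, port list and certificate subject are assumed placeholders, not values from the post.

```powershell
# Added example: pre-flight checks for a DMZ WFE before running the SharePoint
# Configuration Wizard. Not from the original post. The host, ports and
# certificate subject below are assumed placeholders; substitute your own.
param(
    [string]$IntranetHost = 'sql01.corp.example',     # assumed: SQL/Index box inside the firewall
    [int[]]$RequiredPorts = @(1433),                  # assumed: the ports agreed with the client
    [string]$CertSubject  = 'CN=extranet.example.com' # assumed: subject of the SSL certificate
)

$ok = $true

# 1. Domain membership. A DMZ box still in a workgroup cannot join the farm
#    with domain service accounts, whichever domain the committee settles on.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Host "OK    $($cs.Name) is a member of domain $($cs.Domain)"
} else {
    Write-Host "FAIL  $($cs.Name) is in workgroup '$($cs.Workgroup)', not a domain"
    $ok = $false
}

# 2. SSL certificate with a private key in the machine store. A .cer returned
#    for a request generated on another machine imports without a private key,
#    and IIS cannot terminate SSL with it (the site just serves a blank page).
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $CertSubject })
if ($certs.Count -eq 0) {
    Write-Host "FAIL  no certificate with subject '$CertSubject' in LocalMachine\My"
    $ok = $false
}
foreach ($c in $certs) {
    if ($c.HasPrivateKey) {
        Write-Host "OK    $($c.Thumbprint) has a private key (valid until $($c.NotAfter))"
    } else {
        Write-Host "FAIL  $($c.Thumbprint) has NO private key; generate the request on this server"
        $ok = $false
    }
}

# 3. Firewall: each agreed port must be reachable from the DMZ. A three-second
#    timeout separates a silently dropping firewall from a quick refusal.
foreach ($port in $RequiredPorts) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($IntranetHost, $port, $null, $null)
        if ($handle.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) {
            Write-Host "OK    ${IntranetHost}:$port reachable"
        } else {
            Write-Host "FAIL  ${IntranetHost}:$port blocked or nothing listening"
            $ok = $false
        }
    } catch {
        Write-Host "FAIL  ${IntranetHost}:$port $($_.Exception.Message)"
        $ok = $false
    } finally {
        $client.Close()
    }
}

if (-not $ok) { Write-Host 'Fix the FAIL lines before running the Configuration Wizard.'; exit 1 }
Write-Host 'Pre-flight checks passed.'
```

Run it as an administrator on the DMZ server, once before the infrastructure person is scheduled, so that a missing domain join or a certificate without its private key costs a minute rather than half a day.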

Day one, we showed up to install MOSS and learned that the domain accounts for the database and MOSS hadn't been created. To move things along, we went ahead and installed everything with a local account on the intranet server.

At that point, we discovered the confusion over the SSL certificate and, sadly, decided to have our infrastructure guy come back later that week to continue installing the DMZ server. In the meantime, we solution architects moved ahead with the business stuff.

A weekend goes by and the client obtains the certificate.

Our infrastructure guy shows up and discovers that the DMZ server is not joined to any domain (neither a perimeter domain with limited trust nor the intranet domain). We wasted nearly a 1/2 day on that. If we hadn't let the missing SSL certificate bog us down, we would have discovered this earlier. Oh well….

Another day passes and the various security committees, interested parties and (not so) innocent bystanders all agree that it's OK to join the DMZ server to the intranet domain (it's a POC, after all, not a production solution).

Infrastructure guy comes in to wrap things up. This time we successfully pass through the modern-day gauntlet affectionately known as the "SharePoint Configuration Wizard." We have a peek in central administration and … yee haw! … DMZ server is listed in the farm. We look a little closer and realize we broke open the champagne a mite bit early. WSS services is stuck in a "starting" status.

Long story short, it turns out that we forgot to change the identity of the service account via central administration from the original local account to the new domain account. We did that, re-ran the configuration wizard and voila! We were in business.

5 thoughts on "MOSS Small Farm Installation and Configuration War Story"

  1. Cimares
    It is perfectly, absolutely OK to have your SQL on a different subnet/VLAN than your WFEs. In fact it's recommended; after all, as mentioned before, what security expert is going to let you stick SQL in the DMZ? The recommendation is that your SQL traffic does NOT use the same interface cards as the user traffic; however, even this connection may pass through a firewall for additional protection.
    The restriction related to multiple WFEs in a farm environment applies if you're using Microsoft load balancing: then these must all be in the same VLAN.
    Reply
  2. Paul

    I can almost beat your SSL certificate issue. We had everything created and were ready to extend the web app with SSL (then redirect port 80 in IIS). The administrator had a .cer file ready to go. But NONE of the options or crazy contortions to apply it in IIS would work; the site always displayed a blank page as if the site collection didn't exist.

    After much banging of heads, we learned this was caused by the cert request not coming from that server. The administrator simply asked for a cert and was emailed the resulting key. With no private key, the SSL tunnel could not get built between the WFE and the browser. We wasted 1/2 day on that.

    Reply
  3. Christian wrote:
    Very interesting! I highly doubt that it shouldn't be supported to host the WFEs in one VLAN/DMZ and APP/SQL in another VLAN/DMZ.
    The TechNet articles about supported extranet scenarios don't have any reservations, either, but TechNet could be incorrect 🙂 None of our clients would allow their SQL Servers to sit on the same VLAN/DMZ as the WFE, so I sincerely hope that MS got it wrong.
    Can you elaborate on what the problem with splitting the configuration should be? Performance reasons only? Or do they in fact mean that the WFEs should be on the same VLAN/DMZ? That would make more sense to me.
    Sincerely,
    Christian
    Reply
  4. Paul Galvin
    That’s a very good question.
    We are tracking very closely to the MS documentation, so I can't imagine how they would refuse to support it. That said, I am not an infrastructure person, so it's possible that I'm abusing terms in my post.
    As I understand it, the correct approach is to have (at least) two AD domains. One internal domain and one in the perimeter network. The perimeter network's AD would have a "limited trust" relationship with the internal AD.
    But you probably already know all that 🙂
    Bottom line, I don't know. We did not receive or look directly to Microsoft for guidance on this one.
    –Paul G
    Reply
  5. Tom Dietz
    Is this configuration supported? At the SharePoint Conference in Seattle in March, I was chatting with some Microsoft engineers and they said that supported configurations do not allow WFEs to cross VLANs or routers. I assume that since the WFE is in a DMZ, it is crossing some sort of firewall/router or is in its own VLAN.
    So basically the DB and WFE / App Server all need to be on the same VLAN.
    They were really firm about this; it's actually a slide in the 'Geographical' deployment session if you have access to the deck.
    I've read the TechNet articles that describe sample configurations contradicting their statements, but the MS guys basically said that TechNet is wrong.
    Reply
