SP2013 app infrastructure and configuration and isolation. Vesa Juvonen Principal Consultant Microsoft. Infrastructure configuration for SP Apps. Wild card DNS entry for app domain Apps service application and subscription service created in environment hosting SP apps
SP2013 app infrastructure and configuration and isolation Vesa Juvonen Principal Consultant Microsoft
Infrastructure configuration for SP Apps
• Wild card DNS entry for app domain
• Apps service application and subscription service created in environment hosting SP apps
• SharePoint application for routing the incoming requests to app DNS entry
• App catalog created for Apps for SharePoint to enable end users to utilize apps
Diagram: wildcard DNS entry http://*.apps resolving to 192.168.x.x
DNS configuration on-premises
• Define wildcard DNS entry for apps
  • *.appscontoso.com or something similar
  • Notice that it’s recommended to create an own domain, not just a sub domain, for security reasons
• Configure app address on the SP side using Central Admin or PowerShell
  • One address per farm
  • PowerShell cmdlets
    • Get-SPAppDomain
    • Set-SPAppDomain
App configuration for on-premises farm
• Ensure that App service application and subscription service are created and running in the farm
• Apps will be hosted on their own domain
  • Leverages web browser same-origin policy for script isolation
• URL naming: each app has a unique URL (one app = one URL)
  • http://default-appUID.appscontoso.com
  • appUID: combination of unique identifier for site collection and particular SPWeb where app is installed
Diagram: app1 served from http://tenant-uniqueID.appdomain/appname/etc, main SharePoint site at http://intranet.contoso.com; example app URL http://default-9ac5d88f52de26.appscontoso.com/TrafficCameras/pages/default.aspx
Enterprise deployments – Single Farm Setup
Diagram: SharePoint Farm behind NLB at 192.168.1.2; DNS entries http://my.contoso.com, http://intranet.contoso.com and http://teams.contoso.com all resolve to 192.168.1.2; a web application with no host header listens on 192.168.1.2; APP DNS *.contosoapps.com = 192.168.1.2; example app URL http://default-87e90ada14c175.contosoapps.com
Enterprise deployments – Follow The Request
Diagram (steps 1–5): request for http://default-87e90ada14c175.contosoapps.com resolves via APP DNS (*.contosoapps.com = 192.168.1.2) to the NLB in front of the SharePoint Farm
• Request gets picked up on 192.168.1.2
• Not using a host header, so it listens to all requests
• SharePoint routes and serves from the appropriate web app
Enterprise deployments – Multi-farm options
Diagram: Corporate Farm (NLB 192.168.1.2) hosting http://intranet.contoso.com = 192.168.1.2 with APP DNS https://*.contosoapps.com = 192.168.1.2; Collaboration Farm (NLB 192.168.1.3) hosting http://mysite.contoso.com = 192.168.1.3 and http://teams.contoso.com = 192.168.1.3 with APP DNS https://*.teamapps.com = 192.168.1.2
DNS vs. IIS configuration
Diagram: DNS entries http://my.contoso.com, http://intranet.contoso.com, http://teams.contoso.com and APP http://*.contosoapps.com all resolve to 192.168.0.3; IIS bindings: Host name intranet.contoso.com / IP Address unassigned; Host name teams.contoso.com / IP Address unassigned; Host name unassigned / IP Address unassigned (no host header); Host name mysite.contoso.com / IP Address unassigned
Extranet with split-back-to-back with split DNS
Diagram: SharePoint Farm behind NLB, with DMZ and Corporate zones; SSL certificate *.appcontoso.com; App domain: appscontoso.com; Example: https://default-10d7ae858e96d0.appscontoso.com/eventapp
Get app to site collection
• All site content provides functionality to add apps
• Both SharePoint store and corporate catalog visible from a single place
• Users can add apps to be available at the site
• Apps can request permissions, which, depending on the implementation, are used for operations via OAuth
Design Considerations for App infrastructure
• You should always use SSL on web applications if you are using SharePoint Apps
  • Access tokens are included with requests, and SSL blocks cookie replay attacks
• Your app domains should not be child domains
  • If your web apps are *.contoso.com, do not make the app domain *.apps.contoso.com; instead make it something like *.contosoapps.com
  • A dedicated app domain is more secure with certain browsers
• Apps for SharePoint on web applications using SAML authentication have special requirements on the FedAuth server/identity provider that most don’t support today
• SharePoint Apps do not support multiple zones (i.e. AAM); all requests are served out of the default zone
  • Apps for SharePoint are however fully supported in Secure Site Access and the host header site collections model, which is the recommended approach for all deployments
• You need to ensure that the application pool account used for the “routing” application has sufficient permissions to the other SharePoint applications
  • The easiest way to achieve this is to use the same application pool account across web applications
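The following is an added example, not code from the deck or from Microsoft: it parses the app URL scheme described on the app configuration slide (prefix-appUID.appdomain), computes the browser origin that the same-origin policy compares, and checks an app domain against the two design rules above (no child domain of the web applications, SSL everywhere). The app domain would in practice be read with Get-SPAppDomain; here it is passed in as a string, and the "registrable domain" is simplified to the last two host labels, which is a constructed assumption rather than a public-suffix lookup.

```python
import re
from urllib.parse import urlsplit

# Host pattern from the slides: <prefix>-<appUID>.<app domain>, e.g. default-9ac5d88f52de26.appscontoso.com
APP_HOST_RE = re.compile(r"^(?P<prefix>[a-z0-9]+)-(?P<appuid>[0-9a-f]+)\.(?P<appdomain>[a-z0-9.-]+)$")
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_app_url(url):
    """Split an app URL into scheme, prefix, appUID and app domain; None if the host does not match."""
    parts = urlsplit(url)
    m = APP_HOST_RE.match(parts.hostname or "")  # urlsplit lower-cases the host for us
    if not m:
        return None
    return {"scheme": parts.scheme, **m.groupdict()}


def origin(url):
    """Origin tuple (scheme, host, port) that the browser's same-origin policy compares."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def registrable_domains(web_app_urls):
    """Last two labels of each web application host, e.g. intranet.contoso.com -> contoso.com.
    Constructed simplification: assumes a two-label corporate domain, no public-suffix list."""
    out = set()
    for u in web_app_urls:
        labels = (urlsplit(u).hostname or "").split(".")
        if len(labels) >= 2:
            out.add(".".join(labels[-2:]))
    return out


def check_app_domain(app_domain, web_app_urls):
    """Return findings against the deck's rules: separate app domain and SSL on every web application."""
    findings = []
    app_domain = app_domain.lower()
    for d in registrable_domains(web_app_urls):
        # A child domain shares cookies scoped to the parent (e.g. Domain=.contoso.com) with every app
        if app_domain == d or app_domain.endswith("." + d):
            findings.append(f"app domain {app_domain} is inside {d}: cookies set for .{d} reach every app")
    for u in web_app_urls:
        if urlsplit(u).scheme != "https":
            findings.append(f"{u} is not SSL: access tokens sent with requests are exposed")
    return findings
```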
Demo: Apps in detail – installation, deployment, usage, configuration…
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.