Introduction
Depending on the environment you are configuring, you might need to open ports not only between clients and your Web Front End (WFE) servers: you might also have an internal topology where the SharePoint servers are separated into layers and isolated by firewalls. In that situation you need to know the inter-server communication ports and their direction in order to open them on the firewall.
The following table describes all the ports SharePoint 2007 uses for communication. Note that only 2 ports are used between client PCs and the WFE (the first row of the table); all other ports are for internal and external communication between SharePoint servers.
The advantage of this document is that I have summarized in one place all the ports that are described across different documents, and included the directions. Microsoft doesn’t provide summary information for ports and directions.
SharePoint 2007 Ports
| Inbound/Outbound | From | Port | Type | To |
|---|---|---|---|---|
| Inbound | Client IPs (as applicable) | TCP 80 or 443 (SSL) | HTTP | ISA Web Pub or WFE |
| Inbound | TS jump point | RDP (TCP 3389) for remote admin | | APP (Central Admin / SSP Admin) |
| Inbound | All SharePoint servers (depends on Central Admin configuration) | Office Server Web Services, TCP 56737, SSL 56738 | HTTP | APP - Central Admin / SSP Admin (Web Service Control) |
| Inbound | Index | TCP 80 or 443 | | WFE |
| Outbound | All SharePoint servers (based on authentication) | DS (TCP 445), RPC (TCP 135), DNS (TCP/UDP 53), Kerberos (UDP 88), LDAP/S (UDP 389/636) | | DC (AD) / DNS (LDAP) |
| Outbound | External content | DNS (TCP/UDP 53) | | DNS |
| Outbound (Inbound if applicable) | WFE (alerts or mail-enabled list) | SMTP (TCP 25) | | SMTP/Exchange |
| Outbound | All SharePoint servers | SQL (TCP 1433) or custom port for a named SQL instance | SQL Server Tabular Data Stream (TDS) | SQL Server |
| Outbound | WFE (search request) | Search query, either NBT (TCP/UDP 137, 138, 139) or direct-hosted SMB (TCP/UDP 445) | Server Message Block (SMB) | Query |
| Outbound | Index (propagation) | Search query, either NBT (TCP/UDP 137, 138, 139) or direct-hosted SMB (TCP/UDP 445) | | Query |
| Outbound | Index (file shares) | Either NBT (TCP/UDP 137, 138, 139) or direct-hosted SMB (TCP/UDP 445) | Server Message Block (SMB) | External content |
| Outbound | Index (BDC) | SQL (TCP 1433) or custom port | | External content |
| Outbound | WFE (SSO) | RPC for SSO – (TCP 135), plus random high ports (dynamic RPC) or restricted high ports (static RPC) | | APP servers |
| Outbound | WFE | TCP 80, TCP 443, TCP (custom) | HTTP | Index server (search crawling) |
| Outbound | Index (search crawling) | TCP 80, TCP 443, TCP (custom) | HTTP | WFE |
| Outbound | Index (sites) | TCP 80, TCP 443, TCP (custom) | | External content |
[Figure: Inter-server communications of SharePoint 2007]

[Figure: Extra-server communications of SharePoint 2007]

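As an added example (not part of the original post), the following Python script turns the inbound rows of the table above into a per-role listener profile and audits a `netstat -an` capture against it, so a WFE that has started listening on 1433, or an APP server exposing a port the table does not justify, shows up before the firewall review. The role profiles, the loopback handling and the sample netstat excerpt are my assumptions derived from the table, not a Microsoft list.

```python
"""Audit a SharePoint 2007 server's listening TCP ports against the role
profile derived from the inbound rows of the port table (added example)."""
import re

# Expected inbound TCP listeners per role, read off the table's Inbound rows.
# Assumption: a Query server only needs SMB (NBT 139 / direct-hosted 445).
EXPECTED_INBOUND = {
    "WFE": {80, 443},              # client HTTP/HTTPS, Index crawling
    "APP": {3389, 56737, 56738},   # RDP admin, Office Server Web Services
    "QUERY": {139, 445},           # SMB from WFE queries and Index propagation
    "SQL": {1433},                 # TDS from all SharePoint servers
}
LOOPBACK = {"127.0.0.1", "[::1]"}
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

# Constructed 'netstat -an' excerpt for a WFE; 56737 is bound to loopback only.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:56737        0.0.0.0:0              LISTENING
  TCP    192.168.10.5:80        10.1.2.3:51022         ESTABLISHED
"""

def listening_ports(netstat_output):
    """Return the set of TCP ports listening on a non-loopback address."""
    ports = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group(1) not in LOOPBACK:
            ports.add(int(m.group(2)))
    return ports

def unexpected_listeners(role, netstat_output, extra_allowed=()):
    """Ports listening on this host that the role's inbound rows do not justify.
    extra_allowed covers documented exceptions (e.g. a named SQL instance port)."""
    if role not in EXPECTED_INBOUND:
        raise ValueError("unknown role: %s" % role)
    allowed = EXPECTED_INBOUND[role] | set(extra_allowed)
    return sorted(listening_ports(netstat_output) - allowed)

if __name__ == "__main__":
    print(unexpected_listeners("WFE", SAMPLE_NETSTAT))  # [1433]
```

Loopback-only listeners are ignored because they are unreachable through the firewall; anything reported should either be closed or added to the table as a documented exception.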
Firewalls
Depending on your farm design you might require a firewall between your farm’s servers. If the servers are on separate networks, be aware that a one-way trust relationship is required between the WFE and application servers, and between the application servers and the database, when they are separated by a network boundary.
You need to configure the firewall properly for domains and trusts: http://support.microsoft.com/kb/179442/
Sources:
Introduction
In the current series I’d like to describe how to analyse the SharePoint Farm and prepare it for the SharePoint 2010 migration. We will review the following 3 sections:
- Farm Architecture and Configuration Analysis
- User and Group Analysis (current)
- Farm Migration
This section describes the user analysis and the permission analysis. But first of all: why do we need to analyze users and permissions when we are only migrating data? Can’t our users be migrated automatically?
The answer is yes and no. Users will be migrated automatically, but a migration is hardly ever planned for the sake of migration alone; usually you are building a new application and trying to fix existing issues. Users, groups and permissions need to be reorganized and fixed before moving content to the new environment.
The areas we need to look at are the following:
- number of users and groups
- how users are organized into groups
- permissions: users, groups, broken inheritance
- dead users
SharePoint OOTB functionality doesn’t cover all our needs, so we are going to use several third-party tools to gather the necessary information.
Tools
Additionally, you need to use the following STSADM commands
There are two approaches to collecting the required information: using the commercial “ARK for SharePoint 2007” reporting tool, which covers almost all our needs, or using several free tools to get the same information. We can achieve almost the same result via the “enumusers/enumgroups/enumroles” commands of STSADM, but then we need to count the items manually.
The limitation of most free tools is that they don’t provide web-application-level information across all site collections. The advantage of “ARK for SharePoint” is that it generates reports for all web applications in the farm.
In this post I’d like to describe the steps to get all this information without using commercial tools.
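The manual counting mentioned above, and the missing web-application-level view across site collections, can be scripted. The following is an added example (my code, not from the post or from Microsoft): it merges the XML that `stsadm -o enumusers -url <site collection>` prints for each site collection into distinct-principal counts and a per-site admin list. The `<User>` attribute names used here (Login, IsDomainGroup, IsSiteAdmin) and the sample data are assumptions; check them against one real enumusers output on your farm.

```python
"""Aggregate 'stsadm -o enumusers -url <site collection>' output across site
collections to get web-application level figures (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample output for two site collections of one web application.
# Assumption: the <User> attributes Login, IsDomainGroup and IsSiteAdmin match
# what stsadm emits on your farm; check one real output before relying on it.
SAMPLE_ENUMUSERS = {
    "http://portal/sites/hr": """<Users>
  <User ID="1" Name="Alice" Login="CORP\\alice" IsDomainGroup="False" IsSiteAdmin="True" />
  <User ID="2" Name="Bob" Login="CORP\\bob" IsDomainGroup="False" IsSiteAdmin="False" />
  <User ID="3" Name="HR Staff" Login="CORP\\hr-staff" IsDomainGroup="True" IsSiteAdmin="False" />
</Users>""",
    "http://portal/sites/it": """<Users>
  <User ID="1" Name="Alice" Login="CORP\\alice" IsDomainGroup="False" IsSiteAdmin="True" />
  <User ID="4" Name="test1" Login="CORP\\test1" IsDomainGroup="False" IsSiteAdmin="True" />
</Users>""",
}

def parse_enumusers(xml_text):
    """Return (login, is_domain_group, is_site_admin) per <User>; logins are
    lower-cased so the same account counts once across site collections."""
    root = ET.fromstring(xml_text)
    return [(u.get("Login", "").lower(),
             u.get("IsDomainGroup") == "True",
             u.get("IsSiteAdmin") == "True") for u in root.iter("User")]

def summarize(outputs):
    """Merge per-site-collection output: distinct principals across the web
    application, per-site counts, and who holds site-admin rights where."""
    per_site, principals, admins = {}, set(), {}
    for url, xml_text in outputs.items():
        users = parse_enumusers(xml_text)
        per_site[url] = {
            "users": sum(1 for _, grp, _ in users if not grp),
            "domain_groups": sum(1 for _, grp, _ in users if grp),
        }
        for login, _, is_admin in users:
            principals.add(login)
            if is_admin:
                admins.setdefault(login, []).append(url)
    return {"distinct_principals": len(principals),
            "per_site": per_site, "site_admins": admins}

if __name__ == "__main__":
    print(summarize(SAMPLE_ENUMUSERS))
```

Accounts like the test1 site admin that appear in the result but not in your expected admin list are the first candidates for the “dead users” check later in this post.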
Number of Users & Groups
- Number of users and groups: “Bamboo SharePoint Analyzer” -> Farm -> Servers -> Web Applications -> Site Collections -> Web sites; the values are in parentheses for “Users”, “Groups” and “Administrators”
- Site Administrators: use “Bamboo SharePoint Analyzer” or Central Administration
- Groups across site collections: use “Xavor SharePoint Admin tool” -> Show Group Security
Users & Groups Association
- Farm Administrators: use Central Administration -> Operations -> Update Farm Administrators Group, or “Bamboo SharePoint Analyzer”
- Users by group: ARK for SharePoint provides full information across all web applications. A free alternative is the “Permission Report” tool (Site Settings -> “Broken Inheritance Reports Jobs”), which generates an Excel spreadsheet for the site with the users and their groups.
Permissions
- Broken inheritance can be found via the “Access Checker” tool, which shows the SharePoint items where permission inheritance is broken, but the tool doesn’t show what exactly is broken or the list of changes. Reports are supported.
- Broken inheritance diff can be viewed with the “SharePoint Administration Toolkit” and its “Compare Permissions Sets” report, which shows the permission differences between the current and root items, plus the details of the permission changes. Reports are supported.
- User rights: the “Check User Access” report of “Access Checker” shows the rights of users across SharePoint elements, including the items where the user doesn’t have access
- Group rights: “Check Effective Permissions” of “SharePoint Administration Toolkit” shows the items accessible to the group
Unfortunately, none of the previous tools provide web-application-scope reports or item-level reports. That means you can’t iterate through all site collections to find the list items or specific pages where a user has no access. To get such information use the “Xavor SharePoint Admin tool”, which provides reports across a web application (but has no functionality to save them).
[Figure: Xavor report; red marks the items where the user has no permissions]
Dead Users
When you install and configure a new farm you probably create several test users and groups that should be deleted at the end. Sometimes administrators create such users and then forget to delete them, so “dead” accounts are quite a common scenario. When you start a new migration you don’t want such users/groups in your new farm, and you need to find all of them and delete them.
I don’t know of any free tools that provide such functionality, and there are only a couple of commercial tools that allow it: DeliverPoint and ControlPoint.
Creating the report
The logical outcome of the security analysis is a Word document that highlights the security issues, but unfortunately this is not always feasible. Consider a medium farm with 5000 users, 300 groups and 400 sites, with 30% broken inheritance. You can physically create the Word document, but how are you going to analyse a 200-page document?
The real analysis is usually a “multithreaded” task, in which you check users’ rights, discuss the grouping with the DC admins, fix the broken permissions, and so on.
Depending on the content size, documenting the following quantitative information is recommended:
- Farm Administrators
- Number of users
- Number of groups across web application and per site collection
- Broken inheritance report per site collection and per item (depends on how many broken items you have)
- Users/AD groups per group (definitely for AD, but depends on the number of users)
Unfortunately, it’s hard to define a template for this step, because security analysis is very individual to each farm, and usually you end up with several files: documents describing the quantitative information, Excel spreadsheets with users, groups and permissions, and HTML files describing the broken permission inheritance.
Summary
Security analysis might be a daunting task, depending on the level of your permission customization and user assignment to groups. The recommendation is to perform a draft analysis on a backup instance, where you can experiment with different tools and find all security issues, and after that fix the issues on production.
I finally published the SharePoint 2010 content I have discovered over the last 5 months.
Welcome to www.sharepoint-sandbox.com to share and to contribute! New articles and tips are coming.
On one of our recent projects we built a monthly reporting system. We gave users the freedom to choose the reporting indicators from a predefined list, and allowed them to change the values of the selected indicators.
From the very beginning we couldn’t decide which template to use as a baseline for the project, and considered using “Meeting Workspaces” (MW). Their advantage is that you can create a number of calendar-driven workspace sites with custom recurrence. It fitted our conceptual model ideally: you create the content once and it’s available across all months, plus you can add custom content for a specific month.
But the reality of Meeting Workspaces is far from graceful, and this limits their usage.
First of all, you can’t save a Meeting Workspace as a template including its content. As I understand it, this is “behaviour by design”, because the MW is based on a single huge list where the content is split by “InstanceID”. You can’t just save a template for a specific month, since SharePoint can’t save only part of your list. Secondly, you can’t set different permissions for the lists per month, due to the same behaviour: it’s the same list, not different ones. Third, calendar URLs are not “InstanceID”-driven, and Meeting Workspaces don’t provide collaboration behaviour, because when you open a new month the list content is based on the active month selection (see this post).
Such limitations changed our decision towards using a Blank site with a customized list, saving the site as a template to be used for each new period.
I really wonder what Meeting Workspaces are good for, given such limitations.
Introduction
In the current series I’d like to describe how to analyse the SharePoint Farm and prepare it for the SharePoint 2010 migration. We will review the following 3 sections:
- Farm Architecture and Configuration Analysis (current)
- User and Group Analysis
- Farm Migration
The first and most important step in a SharePoint 2007 -> SharePoint 2010 migration is understanding the existing SharePoint environment, so that you have enough information to design the new farm.
Let’s review in detail the following template that I use to document the farm settings, and the tools that allow gathering all the necessary information (search, Excel and other service settings are not described here):
- Farm Information
  - Farm Servers and Services
  - Web Applications
  - Content Database and Site Collections
  - Alternative Access Mapping
  - Farm Solutions
  - Enabled Farm Features
  - Search Settings
- Site Information
  - Web Parts
  - Web.config changes
  - Site Definitions
  - Customized & Checked-out Items
- Sites Topology
  - Sites
  - Sites Structure Diagram
  - Site Collections with Diagrams
- Issues
1. Farm Information
Content: This section lists the farm servers, the components of the farm and general information about the farm configuration (email settings)
Tools: STSADM -o “preupgradecheck” (Upgrade Planning Information section for servers and components) & Central Administration to get the mail settings
a) Farm Servers and Services
Content: table with the farm servers and assigned roles
Tool: Use the Central Administration & SharePoint Manager 2007 to get this information
b) Web Applications
Content: List of web applications and their URLs
Tool: Central Administration
c) Content Database and Site Collections
Content: Table with the following info – content database name, number of sites, size, list of site collections
Tool: SharePoint Diagnostic tool for the Content DB size; Central Administration and SharePoint Administration Toolkit (Batch Site Manager Solution)
d) Alternative Access Mapping
Content: Table with AAM Internal/External URLs and Zones
Tool: “preupgradecheck” log & SharePoint Diagnostic
e) Farm Solutions
Content: Table with the installed solutions and sites where they are active
Tool: SharePoint Manager 2007 / Bamboo SharePoint Analyser
f) Enabled Farm Features
Content: List of enabled features at the farm level
Tool: Central Administration
g) Search settings
Content: SSP settings (servers, databases name, crawling settings)
Tool: Central Administration & SharePoint Diagnostic
2. Site Information
a) Web Parts
Content: list of installed web parts
Tool: Bamboo SharePoint Analyzer
b) Web.config changes
Content: list what was changed in web.config for SharePoint sites
Tool: SharePoint Diagnostic shows the web.config for each web application, but the developers/admins own the knowledge about what was changed
c) Customized & Checked-out Items
Content: list of customized & checked-out items
Tool: SharePoint Designer, choose Sites menu -> Reports -> Shared Content -> Customized Pages / Checked-out items
3. Sites Topology
a) Sites
Content: list of sites
Tool: Site Settings of the root site -> “Site hierarchy” item
b) Site Structure Diagram
Content: diagram of the root site
Tool: SWAT tool -> right-click on the site name and choose Show Site Diagram
4. Issues
- Use the “preupgradecheck” log to document all the issues found
- Use the SharePoint Designer Diagnostic tab to discover potential issues
Tools
To get the necessary information I recommend using the following tools:
Resources: http://www.sharepointjoel.com/Lists/Posts/Post.aspx?ID=245