Project Server 2007 - configuring for internal and external access

[RichardG]

Hi,

I am working on a project where we need to make Project Server 2007
available to employees that might be either located on the internal network
or working remotely (and might move between the two). This means that
Project Server needs to be accessible from the internet as well as the
internal network. The internal network is segregated and there is no
connection to the internet from it, so internal users cannot access anything
on the internet.

My questions is: is it possible to set up Project Server so that it has two
web front end servers on separate networks? One would be in the internal
network (for internal users) and the other would be in the DMZ (for remote
users coming in via the internet). An added complication is that the
internal network’s domain controllers are not (and must not be) available to
the DMZ. There is a separate AD domain that can be used for authentication
in the DMZ, but there is no trust between this and the internal AD.

My current thinking is that the way to handle this would be to have
database, application, and one WFE server in the internal network and another
WFE server in the DMZ. I think the restriction with the AD controllers would
mean that we would have to use forms authentication.

Has anyone out there set up Project Server like this? Is it even possible?
Is there a better way?

Thanks,
Richard

 

[Gary L. Chefetz]

Richard:

It is entirely possible to setup the system like this. You will be limited
to using Forms Authentication for all users who need access from both local
and DMZ servers. I would stick with Windows Auth for users who need only
inside access.

 

[RichardG]

Hi Gary,

Thanks for the quick response!

The problem I'm expecting to find (I haven't tried this yet), is how to
configure the security accounts on the WFE in the DMZ. It is in a different
AD domain than the other WFE (and all the other servers), without a trust
between the domains. Don't I need to use domain accounts for the farm
services? If that's the case, how can the WFE in the DMZ authenticate with
the other servers? I know that I can use SQL authentication for the database
connections, but I thought everything else had to use windows domain
accounts...

I'm really hoping I'm wrong and you're right...

Thanks,
Richard

 

[Gary L. Chefetz]

Richard:

I think you can use a workaround by mirroring local accounts, but I'm not
going to be able to pull this one out of my hat without spending quite a bit
of time on it. This is certainly not a common or simple approach! I would
strongly advise you to seek the support of a competent Microsoft Project
partner to help you with this.