This is a very high level view of how to expose SharePoint to the internet.
- Place all of SharePoint or SharePoint WFE in DMZ.
- Allow traffic thru DMZ passing into internal network (Using router or Load balancer).
- Place TMG or similar product in DMZ.
Pro's and Con's:
1. Place all of SharePoint or SharePoint WFE in DMZ.
Pro's – This is a simple setup where you would have one or more member server in the DMZ allowing client communication to hit the server directly.
Con's – This is considered insecure as you have to do several things to make this happen that is against best practices 1) Member server in DMZ, 2) Many Firewall ports open this would include RPC, DNS, emphereal ports, etc. Also this would add steps for internet users to access the SharePoint Farm.
2. Allow traffic thru DMZ passing into internal network (Using router or Load balancer).
Pro's – Simple design and easy to manage.
Con's – Many security groups will not allow this. As it allows unsecured traffic to pass into the internal network without be scanned or monitored in anyway. Also is not very flexible, not able to do offbox SSL with this setup.
3. Place TMG or similar product in DMZ
Pro's – As long as TMG or similar item is not a member server this is the ideal solution. It is secure since you are not using domain credentials and generally allows for minimal number of ports being opened (Usually only HTTP/HTTPS). Also allows for more advanced setup like SSL offloading, Traffic monitoring, etc. Keeps SharePoint farm on the internal network where it belongs.
Con's – Adds to budget since you require more servers and load balancers, adds a level of complexity to the environment when it comes to management, configuration, and troubleshooting. If not sized properly it can cause a performance hit