Securing a Deployment with TLS
PPS uses three different legs of communication to render a dashboard. All of them can be secured by applying Transport Layer Security (TLS). Securing them with TLS prevents information from being sent in clear text. (With clear text, a malicious user with a network packet monitor can see the traffic sent between servers and potentially read confidential information.)
Configuring TLS on web applications
Configuring TLS on PPS web services
Secure connections to data sources
Tip
TLS is also frequently referred to by the name of its predecessor, Secure Sockets Layer (SSL), and HTTP carried over TLS is Hypertext Transfer Protocol Secure (HTTPS).
Caution
Using SSL and secure connections to ensure that the data cannot be viewed by third parties comes at a cost to performance, however, so configure this only if the data is sensitive enough to warrant it. For instance, it makes sense to secure network traffic to a data source that contains employee Social Security numbers, but it might not make sense to secure network traffic to a data source that contains already publicly disclosed product information.
Configuring TLS on Web Applications
By configuring TLS for any SharePoint web applications hosting PPS content or dashboards, all traffic between the end user and the SharePoint system will be encrypted. In most scenarios, securing traffic to and from web applications is sufficient. If the SharePoint servers, data source servers, and the network switches and routers between them are all physically secure, firewalled, and using current information security best practices, it is unnecessary to apply security past this level.
Configuring TLS for SharePoint is a fairly straightforward and well-documented process. There are multiple ways to accomplish this. The following steps outline how to apply TLS to an existing SharePoint web application:
Tip
Don’t forget to configure SharePoint Central Administration with TLS! Doing so will keep the Unattended Service Account password secure.
1. Obtain a certificate for all SharePoint servers in the farm.
2. Create a secure binding on the Internet Information Services (IIS) website for the web application.
3. Enable the Require SSL property for the IIS website.
4. Delete any non-SSL bindings.
5. Update alternate access mappings to reflect the new HTTPS URL.
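The same five steps scripted for one web front end, as an added example that is not from the book or the product documentation. The IIS site name, host header, certificate thumbprint and URLs are assumed placeholders; run it in the SharePoint Management Shell on every server in the farm that hosts the web application, after the certificate from step 1 is in the machine store.

```powershell
# Added example (not from the original text): applies steps 1-5 on one server.
# Assumed values below; replace them for your farm.
Import-Module WebAdministration

$siteName   = 'SharePoint - 80'              # IIS site of the web application (assumed)
$hostHeader = 'dashboards.contoso.example'   # assumed host name the certificate was issued for
$thumbprint = '<THUMBPRINT-OF-ISSUED-CERT>'  # placeholder: the certificate from step 1
$oldUrl     = "http://$hostHeader"
$newUrl     = "https://$hostHeader"

# Step 1 check: the certificate must be present in LocalMachine\My and not expired.
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumbprint has expired" }

# Step 2: add an HTTPS binding on 443 and attach the certificate to it.
New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostHeader
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($thumbprint, 'my')

# Step 3: Require SSL, so clear-text requests are refused instead of served.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Step 4: remove every non-SSL binding so nothing still answers on HTTP.
Get-WebBinding -Name $siteName -Protocol http | Remove-WebBinding

# Step 5: repoint the web application's public URL at HTTPS.
Set-SPAlternateURL -Identity $oldUrl -Url $newUrl

# Verify: only https bindings should remain, and sslFlags should read "Ssl".
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags
```

After the script, request the old http:// URL from a client: a refused or 403 response confirms step 3 took effect, and a page served in clear text means a binding was missed.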
Configuring TLS on PPS Web Services
SharePoint service applications, such as PPS, frequently must communicate within the farm to retrieve information. This traffic never leaves the confines of the SharePoint farm. If you have a geographically dispersed farm with servers in multiple locations, it might be a good idea to secure this chatter.
Changing from non-secure to secure traffic is a setting available in Central Administration for the service application.
1. Open SharePoint Central Administration.
2. Click the Manage Service Applications link under the Application Management heading.
3. Select the PerformancePoint service application, and click Publish in the Sharing section of the Service Applications ribbon.
Tip
Make sure you do not click the name of the service application. Instead, click just next to it so that you highlight the row. Clicking the name opens the Manage PerformancePoint Services page, and this is not the page you want.
4. In the Publish Service Application dialog that appears, change the Connection Type from HTTP to HTTPS, as shown in Figure 1, and click OK.
Secure Connections to Data Sources
The final leg of communication that PPS performs is the connection to the data source. This is the PPS web service connecting directly to the data source, either as the Unattended Service Account or with the current user’s credentials if per-user authentication is configured.
Note
The communication goes from the PPS web service to the data source, not from the end user’s machine. At no point do users directly access the data source from their machine.
For data sources that require a URL, such as Excel Services and SharePoint lists, this is done by configuring SSL on the web applications. If the web application the data source connects to has an HTTPS address, the traffic will be secure.
For Analysis Services data sources, all communication is encrypted by default. This is a configurable setting that is sometimes disabled in scenarios where high performance is required. The setting is configured in Analysis Services, and PPS respects it.
For SQL data sources, communication is not encrypted by default. There are different ways to configure this, and the SQL Server online documentation on Microsoft TechNet has more information on how to accomplish it.
The Excel Workbook data source is managed entirely from within PPS, so no external connections are made when using the Excel Workbook data source.