Directories, IAM systems, applications and firewalls
A typical Extranet web portal is accessed over the public Internet and is often deployed to a "DMZ" network segment. Users typically have records in just one system, and this system is either a directory (e.g., an LDAP directory) or a database (e.g., MSSQL, Oracle, MySQL, etc.).
Best Practice: Use a directory rather than a database to store user objects, if at all possible. Modern directory products support excellent, WAN-friendly data replication, and many applications can externalize authentication to a directory (but not to a database).
To scale up, the user store should be replicated across servers. To ensure service availability in the event of a facility disaster, the user store should also be replicated across data centers. The latter -- WAN replication -- is more easily supported by some products than others. In particular, some LDAP directories (such as AD LDS) are easy to configure in a multi-master, multi-site arrangement. Database servers often support replication too, but cross-site replication can be quite complex to configure.
Best Practice: Replicate the directory and IAM system across servers and data centers, to provide more local service to users and to survive disasters.
Best Practice: Load balance user traffic across multiple, concurrently active IAM systems, with a preference for the nearest server.
For the same reasons, the IAM system should be distributed across servers and data centers.
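As an added example, not taken from the original paper, the following HAProxy configuration shows one way to implement the load-balancing and nearest-server preference described above in front of a replicated LDAP directory serving a DMZ portal. The VIP address, replica addresses, host names and certificate paths are assumed placeholders; replace them with your own.

```haproxy
# Added example (not from the original paper): HAProxy front end for a
# replicated LDAP directory used by an Extranet portal in the DMZ.
# All addresses, host names and certificate paths are assumed placeholders.

global
    log stdout format raw local0

defaults
    mode    tcp                 # LDAP is not HTTP; balance at the TCP layer
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Portal servers point their LDAP client at this VIP only, so the
# application never has to know which replica is currently healthy.
frontend ldaps_in
    bind 10.0.0.5:636 ssl crt /etc/haproxy/certs/ldap-vip.pem   # assumed VIP and cert
    default_backend ldap_replicas

backend ldap_replicas
    balance leastconn
    # Health check = an LDAPv3 anonymous bind against each replica; a replica
    # that cannot answer a bind is taken out of rotation before users notice.
    option ldap-check
    # When every local replica is down, spread load over ALL remote replicas
    # rather than only the first backup server (HAProxy's default).
    option allbackups
    default-server check check-ssl ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem inter 5s fall 3 rise 2
    # Local data center (site A): active, concurrently serving traffic.
    server dc-a-ldap1 10.0.1.10:636
    server dc-a-ldap2 10.0.1.11:636
    # Remote data center (site B): "backup" servers only receive traffic when
    # every site-A replica is down. This is the nearest-server preference.
    server dc-b-ldap1 10.0.2.10:636 backup
    server dc-b-ldap2 10.0.2.11:636 backup
```

Each data center runs its own load balancer pair with this configuration mirrored, i.e. site B lists its own replicas as active and the site-A replicas as backup, so users at either site are served locally during normal operation and transparently fail over across the WAN during an outage. Because the directory is multi-master, a write accepted at one site is replicated to the other, which is what makes this active/active arrangement safe.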
Combining the above requirements, we get a network architecture such as that shown in Figure [link].
Extranet web portal network architecture