Plan for SharePoint Workspace 2010
Applies to: Office 2010
Topic Last Modified: 2011-08-05
When you plan a Microsoft SharePoint Workspace 2010 deployment, consider your organization’s needs and objectives, especially in the context of the deployment options that are discussed here.
The following references may also be helpful:
- For information about how to deploy SharePoint Workspace 2010 after planning your objectives, see Configure and customize SharePoint Workspace 2010.
- For information about how to deploy SharePoint Workspace 2010 for a Microsoft Groove Server-managed environment, see Deployment for Groove Server 2010.
In this article:
- Topology options for SharePoint Workspace 2010
- Network settings for SharePoint Workspace 2010
- Scalability and performance considerations
- Security considerations
- SharePoint Workspace user authentication
- Alternate access mapping
- SharePoint list and library actions and settings
- Search options
- SharePoint Workspace backup and recovery
Topology options for SharePoint Workspace 2010
SharePoint Workspace 2010 is a client for Microsoft SharePoint Server 2010 and Microsoft SharePoint Foundation 2010 that supports online and offline collaboration. SharePoint Workspace enables anytime synchronization of local content with documents and lists on a SharePoint site. SharePoint Workspace also provides options that support peer collaboration through the creation of Groove workspaces and shared folders that do not require SharePoint connections. SharePoint Workspace is included with Microsoft Office Professional Plus 2010. See SharePoint Workspace 2010 overview for more information about SharePoint Workspace.
Planning a SharePoint Workspace 2010 deployment begins with selecting a topology that best supports your collaboration strategy. To start, consider the operating environment and your organization’s requirements. The following table lists key decision factors:
Capability | Requirement |
---|---|
Is SharePoint Server 2010 or SharePoint Foundation 2010 used in the organization? | Yes / No |
Do some team contributors have to work offline? | Yes / No |
Do you have to support flexible, agile peer collaboration, where users have to connect from different locales and time zones? | Yes / No |
Does the organization permit the use of peer collaboration software? | Yes / No |
Does team collaboration have to extend outside a private network or LAN to trusted partners and field sites? | Yes / No |
Is Active Directory used in your organization? | Yes / No |
Are valuable contributions expected from clients that have no access to the organization’s SharePoint sites? | Yes / No |
Is centralized management of peer collaboration necessary for the organization’s security and management infrastructure? | Yes / No |
The following table shows how various SharePoint Workspace topologies address these requirements:
SharePoint Workspace topologies and capabilities
Topology | Capabilities |
---|---|
SharePoint Workspace as a SharePoint client | This topology supports or builds upon: |
SharePoint Workspace as a peer collaboration client | This topology supports or builds upon: |
SharePoint Workspace as a SharePoint and peer collaboration client | This topology supports or builds upon: |
SharePoint Workspace and Groove Server as a managed collaboration system | This topology supports or builds upon: For more information about this deployment topology, see Groove Server 2010. |
The next four sections of this article describe how the listed SharePoint Workspace deployment topologies map to collaboration needs.
SharePoint Workspace as a SharePoint client
SharePoint Workspace as a SharePoint client is most suitable for organizations with SharePoint team members and partners who have to contribute content from outside the corporate infrastructure — from data that is collected in the field or from locations that do not have a SharePoint server connection. This topology provides SharePoint Workspace users with the following collaboration option:
- The ability to easily create a SharePoint workspace that establishes a connection between a SharePoint server and a SharePoint Workspace client. This enables a single SharePoint team member or partner to take SharePoint site content onto a local computer. By using a SharePoint workspace, a contributor can add, change, and delete content for a SharePoint document library or list whether online or offline, regardless of connectivity to a SharePoint server. Synchronization of content updates between the SharePoint Workspace client and SharePoint sites occurs automatically when the client is online so that contributors can share the work that they performed while offline as easily as they can share the work that they generate while connected to the Internet.
Note
The SharePoint Workspace client lets users create SharePoint workspaces and peer workspaces. Peer workspace types can be Groove workspaces or Shared Folders, as described in SharePoint Workspace as a SharePoint and peer collaboration client. To deploy SharePoint Workspace exclusively as a SharePoint client, supporting SharePoint workspaces only, you can include with your deployment a policy that prohibits peer workspace options, as described in Configure and customize SharePoint Workspace 2010.
For this configuration, a basic level of client management can be achieved by using Windows and Active Directory tools.
SharePoint workspaces rely on SharePoint Workspace communications and dynamics technology to support individual client-to-SharePoint connections that enable SharePoint Workspace users to work with and synchronize SharePoint document and list content on their local computers. Figure 1 shows a basic setup of SharePoint Workspace to Microsoft SharePoint Server 2010.
Figure 1. SharePoint Workspace connection to SharePoint
SharePoint Workspace as a peer collaboration client
SharePoint Workspace as a peer collaboration client is most suitable for organizations that have to provide information workers with a well-equipped, easy-to-use collaboration environment where neither Microsoft SharePoint Server 2010 nor Microsoft SharePoint Foundation 2010 is available. This topology gives SharePoint Workspace users two peer collaboration options:
- The ability to easily and quickly create Groove workspaces where information workers can collaborate safely with trusted peers without the need of a virtual private network (VPN) and with access to a full set of local online and offline collaboration tools. Groove workspace collaboration tools support document creation and sharing, online discussions, meeting management, and Microsoft InfoPath forms, in an environment of real-time collaboration among team members and partners located inside or outside the corporate firewall.
- The ability to create Shared Folders where SharePoint Workspace users can collaborate on content within designated Windows folders on workspace member desktops.
For this configuration, a basic level of client management can be achieved by using Windows and Active Directory tools.
For peer collaboration through Groove workspaces and Shared Folders, SharePoint Workspace builds on its communications and dynamics foundation and provides a workspace manager module with a set of tools, a contacts manager, a message manager, and an implementation of standards-based Public Key Infrastructure (PKI) to help secure Groove workspaces and authenticate workspace members. Groove workspace data resides on client computers and built-in security provisions ensure that workspace member data is encrypted over the network. The core capabilities of SharePoint Workspace tools and components can be used on two client computers that are directly connected over a local area network (LAN), as shown in Figure 2.
Figure 2. Groove workspace peer connections on a LAN
To sustain peer communications for Groove workspaces and Shared Folders, when a client is connected to a wide area network (WAN), offline, or behind a firewall, SharePoint Workspace relies on supporting Microsoft Groove Server Manager and Relay services, as shown in Figure 3. These servers, Microsoft-hosted or installed onsite, help ensure timely communication regardless of user context or Internet-wide environmental conditions.
Figure 3. Groove workspace connections beyond a LAN
SharePoint Workspace as a SharePoint and peer collaboration client
SharePoint Workspace as a SharePoint and peer collaboration client is most suitable for organizations that have to synchronize client desktop content with SharePoint document libraries and lists while extending collaboration to ad hoc teams that work outside the SharePoint document framework. This option merges the previously described topologies to give SharePoint Workspace users the following collaboration options:
- The ability to create a SharePoint workspace that establishes a connection between a SharePoint server and a SharePoint Workspace client. This enables a single SharePoint team member or partner to take SharePoint site content onto a local computer, as described in SharePoint Workspace as a SharePoint client.
- The ability to easily create Groove workspaces where trusted peers can collaborate safely without the need of a VPN, as described in SharePoint Workspace 2010 overview.
- The ability to create Shared Folder workspaces where SharePoint Workspace users can collaborate on content within designated Windows folders on workspace member desktops.
For this configuration, a basic level of client management can be achieved by using Windows and Active Directory tools.
SharePoint Workspace communications and dynamics modules, together with TCP/IP protocols summarized in Plan network settings for SharePoint Workspace 2010, support message transport and content synchronization between individual clients and SharePoint servers, and between client peers. Figure 4 shows a SharePoint Workspace client/server system that involves a SharePoint server, Groove Server Relay and management services, and four SharePoint Workspace clients:
Figure 4. SharePoint Workspace with SharePoint and Groove servers
SharePoint Workspace and Groove Server as a managed collaboration system
When Groove workspaces and Shared Folders are used, installation of Microsoft Groove Server 2010 onsite as part of SharePoint Workspace deployment provides optimal client administration. Groove Server provides two applications that facilitate SharePoint Workspace deployment and operation in an enterprise: Groove Server Manager provides management, reporting, and policy distribution services, and Groove Server Relay facilitates client communications. This system can function with or without SharePoint Server and can be extended to partners outside corporate firewalls. For more information about Groove Server 2010, see Groove Server 2010.
The following table shows how SharePoint Workspace topology options can serve a range of scenarios.
SharePoint Workspace scenarios and topologies
Scenario | Description | Chosen topology and required components |
---|---|---|
Financial services company | | SharePoint Workspace as SharePoint client only. Required components: |
State higher-education system | | SharePoint Workspace as a peer collaboration client. Required components: |
Regional healthcare system | | SharePoint Workspace as a SharePoint and peer collaboration client. Required components: |
Multinational corporation | | Groove Server and SharePoint Workspace as a SharePoint managed collaboration system. Required components: |
Network settings for SharePoint Workspace 2010
Microsoft SharePoint Workspace 2010 automatically configures Windows Firewall network ports for optimal operation. To verify client port connections or to configure Microsoft SharePoint Server and SharePoint Workspace ports for SharePoint workspaces only, start the Windows Firewall Control Panel add-in and configure settings as necessary.
For more information about SharePoint Workspace protocols, see Microsoft protocol documents (https://go.microsoft.com/fwlink/p/?LinkId=162294).
The following table describes which ports are required for which protocols in SharePoint Workspace.
Client port settings for SharePoint Workspace 2010
SharePoint Workspace client port settings | Protocols supported | Description |
---|---|---|
80/TCP - Outgoing | Microsoft File Synchronization by SOAP over HTTP Protocol (MS-FSSHTTP); Microsoft Groove HTTP Encapsulation of Simple Symmetric Transport Protocol (MS-GRVHENC) | Supports the following communications: |
443/TCP - Outgoing | HTTPS; Microsoft Groove HTTP Encapsulation of Simple Symmetric Transport Protocol Security Protocol (MS-GRVSSTPS) | Supports the following communications: |
2492/TCP - Incoming and outgoing | Microsoft Groove Simple Symmetric Transport Protocol (MS-GRVSSTP) | Supports the following communications: |
1211/UDP - Incoming and outgoing | Local Area Network Device Presence Protocol (LANDPP) | Supports the following communications: |
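The following PowerShell is an added example, not part of the original article or of any Microsoft tool: it evaluates a firewall rule set against the four client ports in the table above and reports, per port and direction, whether the traffic would pass and which rule decided it. The function names, the rule-object shape and the sample rules are assumptions made for illustration; rule precedence (a matching Block rule overrides Allow, otherwise the default action applies) follows Windows Firewall behavior.

```powershell
# Required client ports, transcribed from the port table above.
$Required = @(
    [pscustomobject]@{ Port = 80;   Protocol = 'TCP'; Directions = @('Outbound');           Carries = 'MS-FSSHTTP, MS-GRVHENC' }
    [pscustomobject]@{ Port = 443;  Protocol = 'TCP'; Directions = @('Outbound');           Carries = 'HTTPS, MS-GRVSSTPS' }
    [pscustomobject]@{ Port = 2492; Protocol = 'TCP'; Directions = @('Inbound','Outbound'); Carries = 'MS-GRVSSTP' }
    [pscustomobject]@{ Port = 1211; Protocol = 'UDP'; Directions = @('Inbound','Outbound'); Carries = 'LANDPP' }
)

# True when $Port falls inside a rule's port spec: 'Any', '80', '80,443' or '1024-5000'.
function Test-PortMatch {
    param([string]$Spec, [int]$Port)
    if ($Spec -eq 'Any') { return $true }
    foreach ($part in ($Spec -split ',')) {
        $p = $part.Trim()
        if ($p -match '^(\d+)-(\d+)$') {
            if (($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2])) { return $true }
        } elseif (($p -match '^\d+$') -and ([int]$p -eq $Port)) {
            return $true
        }
    }
    return $false
}

# Precedence: a matching Block rule beats any Allow rule; with no matching
# rule the default action for that direction applies.
function Get-FirewallVerdict {
    param([object[]]$Rules, [string]$Direction, [string]$Protocol, [int]$Port, [string]$DefaultAction)
    $hits = @($Rules | Where-Object {
        ($_.Direction -eq $Direction) -and
        (($_.Protocol -eq 'Any') -or ($_.Protocol -eq $Protocol)) -and
        (Test-PortMatch -Spec $_.Port -Port $Port)
    })
    $block = $hits | Where-Object { $_.Action -eq 'Block' } | Select-Object -First 1
    if ($block) { return [pscustomobject]@{ Action = 'Block'; Rule = $block.Name; Scope = $block.Port } }
    $allow = $hits | Where-Object { $_.Action -eq 'Allow' } | Select-Object -First 1
    if ($allow) { return [pscustomobject]@{ Action = 'Allow'; Rule = $allow.Name; Scope = $allow.Port } }
    return [pscustomobject]@{ Action = $DefaultAction; Rule = '(default policy)'; Scope = 'Any' }
}

# One result row per required port and direction. RuleScope shows how wide the
# deciding rule is, so an over-broad Allow (for example 'Any') stands out in review.
function Test-WorkspacePorts {
    param([object[]]$Rules, [string]$DefaultInbound = 'Block', [string]$DefaultOutbound = 'Allow')
    foreach ($req in $Required) {
        foreach ($dir in $req.Directions) {
            $fallback = if ($dir -eq 'Inbound') { $DefaultInbound } else { $DefaultOutbound }
            $v = Get-FirewallVerdict -Rules $Rules -Direction $dir -Protocol $req.Protocol `
                                     -Port $req.Port -DefaultAction $fallback
            [pscustomobject]@{
                Port      = "$($req.Port)/$($req.Protocol)"
                Direction = $dir
                Carries   = $req.Carries
                Verdict   = $v.Action
                DecidedBy = $v.Rule
                RuleScope = $v.Scope
            }
        }
    }
}

# Constructed sample rule set (not taken from any real host).
# Port means the local port for Inbound rules and the remote port for Outbound rules.
$SampleRules = @(
    [pscustomobject]@{ Name = 'Web egress';            Direction = 'Outbound'; Action = 'Allow'; Protocol = 'TCP'; Port = '80,443' }
    [pscustomobject]@{ Name = 'Block high TCP egress'; Direction = 'Outbound'; Action = 'Block'; Protocol = 'TCP'; Port = '1024-65535' }
    [pscustomobject]@{ Name = 'Groove SSTP inbound';   Direction = 'Inbound';  Action = 'Allow'; Protocol = 'TCP'; Port = '2492' }
)

Test-WorkspacePorts -Rules $SampleRules | Format-Table -AutoSize
```

On a live client, rule objects of this shape can be built from `Get-NetFirewallRule` piped to `Get-NetFirewallPortFilter` (NetSecurity module), mapping LocalPort for inbound rules and RemotePort for outbound rules to the `Port` field.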
Scalability and performance considerations
This section provides system capacity information to help you plan for optimal system performance within the scope of expected SharePoint workspace usage in your organization. In this discussion, performance refers to document open, save, and update times, as well as upload and download times.
Performance and scalability
SharePoint Workspace stores downloaded SharePoint library documents in the common Office Document Cache (ODC) on the client device. The number of SharePoint Workspace documents that are stored in this cache has a direct impact on client system memory and performance. Because the ODC supports multiple Office applications, the implications of cache utilization by one Office application can extend to other Office applications on the system. In the case of SharePoint Workspace 2010, as more documents are stored in the ODC for synchronization, system memory fills up and performance decreases. As the number of cached SharePoint documents approaches 10,000, depending on file size, types, and contents, available memory and performance may decrease significantly. This approximate upper limit is based on tests in a controlled environment. The limit may be higher or lower in actual scenarios with documents of different sizes, types, and contents.
The size and number of documents that are synchronized with SharePoint can vary widely, even in a single organization. To anticipate and mitigate client performance and operational problems, try to plan for the expected maximum use case by implementing usage guidelines to prevent overloading the cache and related resources.
SharePoint Workspace 2010 hardware requirements are intended for most basic use cases, where the cache may contain fewer than 500 files and file size averages no more than 300 KB. These requirements specify client installation on a single-core processor of 256 MHz, with 256 MB of RAM and a 1.5 GB drive. To optimize for a better user experience in a heavier use environment, the following equipment is recommended as a minimum:
- Dual core processor, 2 GHz
- 4 GB RAM
- 200 GB hard disk drive
If you expect to support client document caches that hold more than 500 documents on average, and some of them contain more than 300 KB of text, possibly with complex graphics and video clips, you should consider the higher-level hardware requirements.
The suggested limits are the result of tests conducted on the following hardware:
Intel Xeon CPU E5410 @ 2.33GHz, 4GB RAM, Single Disk 200GB
If necessary, you can take the following step to help control SharePoint Workspace performance:
Limit file downloads to headers only by setting the following DWORD value in the Registry: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Groove\DefaultDocumentLibraryContentDownloadSettingHeadersOnly
Warning
Serious problems might occur if you modify the registry incorrectly. These problems could require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Always make sure that you back up the registry before you modify it, and that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see the Microsoft Knowledge Base article Windows registry information for advanced users.
For information about baseline SharePoint Workspace hardware requirements, see System requirements for Office 2010.
For information about the built-in mechanisms provided by SharePoint Server 2010 and SharePoint Workspace 2010, see Performance monitoring and throttling.
For information about SharePoint Server system requirements, see Deployment for SharePoint Server 2010 (https://go.microsoft.com/fwlink/p/?LinkId=188459).
Performance monitoring and throttling
SharePoint Server 2010 moderates the flow of client communications by throttling requests when built-in server health monitors indicate that server performance is lagging because of heavy workload. When SharePoint workspaces are used, SharePoint Workspace clients respond to SharePoint Server back-off signals by adjusting the frequency of server requests. SharePoint Workspace synchronization frequency adjustments reflect SharePoint workspace activity and SharePoint site changes, in such a way that the periodicity is lower when activity is minimal than when activity is greater. These adjustments reduce overall client bandwidth usage while they improve server performance.
In the case of Groove workspaces, SharePoint Workspace provides built-in performance provisions and relies on Groove Server Relay services, hosted by Microsoft or installed onsite, to optimize communications. To optimize performance, SharePoint Workspace transmits Groove workspace data directly from client to client when network conditions allow it. When data is addressed to a client that cannot be reached directly, SharePoint Workspace sends data over relay servers that optimize message transmission. Total bandwidth use under conditions of high traffic is often less when relay servers help in message transmission.
For more information about SharePoint performance monitoring and throttling, see Plan for caching and performance.
Security considerations
SharePoint Workspace client exchanges with SharePoint sites rely on the synchronization protocol and on external mechanisms for security, such as those provided by VPNs or Secure Sockets Layer (SSL) technology. Therefore, we recommend SSL encryption for SharePoint connections from outside a corporate domain. You can configure Group Policy settings that apply across an Active Directory organizational unit, as described in Configure and customize SharePoint Workspace 2010. In addition, you can secure the SharePoint site from unauthorized access by setting access control lists appropriately. For guidance about how to set access control for users to synchronize with SharePoint libraries and lists, see Security and protection for SharePoint Foundation 2010 or Security and protection for SharePoint Server 2010.
SharePoint Workspace uses strong cryptographic and encryption technologies to protect SharePoint Workspace accounts, which are the secure repositories for each user’s cryptographic keys, identity, contacts, messages, and unique workspace identifiers. Windows authentication and users’ Windows logon credentials are used to unlock SharePoint Workspace accounts.
SharePoint Workspace 2010 does not encrypt SharePoint Workspace 2010 documents and other binary files, including SharePoint workspace content, on disk. Therefore, consider using BitLocker Drive Encryption to encrypt all content on client data drives. For more information, see BitLocker Drive Encryption (https://go.microsoft.com/fwlink/p/?LinkId=163122). You can strengthen protection by blocking Windows Search in the SharePoint Workspace Data directory, to prevent generation of Search indexes that are not encrypted. However, be aware that content shared with other clients that are not equally protected remains unencrypted and searchable on those clients.
For Groove workspaces and Shared Folders, SharePoint Workspace uses native symmetric and public key cryptographic technologies to authenticate, encrypt, and protect transmissions between clients over the network. Strong encryption protects the following content on-disk: Groove instant messages, Groove invitations, Groove Discussion and Notepad entries, archived Groove workspaces, and Forms tool templates.
SharePoint Workspace user authentication
SharePoint Workspace 2010 uses Windows logon and the Data Protection API (DPAPI) to authenticate the user and access the SharePoint Workspace account. This single sign-on (SSO) user logon means that additional SharePoint Workspace-specific credentials are not required.
For authenticating SharePoint Workspace users to SharePoint Server, SharePoint Workspace supports the following SharePoint Server methods: Windows authentication and forms-based authentication. Typically, Windows authentication is used for internal SharePoint Workspace user access to SharePoint sites. Forms-based authentication can be used for external SharePoint Workspace user access to SharePoint sites.
For authenticating SharePoint Workspace users to one another (for Groove workspaces, Shared Folders, and messaging), SharePoint Workspace relies on its native public key infrastructure (PKI).
For more information about Single Sign-On for SharePoint Server, see Enterprise Single Sign-On (https://go.microsoft.com/fwlink/p/?LinkId=162302).
For more information about forms-based authentication, see Configure Forms Based Authentication (https://go.microsoft.com/fwlink/p/?LinkID=149721).
Alternate access mapping
SharePoint Server supports alternate access mapping, which lets you define multiple URLs per site. When SharePoint workspaces are used, you can take advantage of this capability to ensure that SharePoint Workspace can synchronize with multiple SharePoint Server site URLs. Defining multiple URLs is useful for deployment scenarios in which the URL of a web request received by Internet Information Services (IIS) differs from the URL that was typed by a SharePoint user; for example, in scenarios that include reverse proxy publishing and load balancing.
If you have defined Alternate Access Mappings (AAM) for Microsoft SharePoint Server or SharePoint Foundation in the context of a Unified Access Gateway (UAG) server, you must configure the UAG server so that the correct alternate access mappings for target SharePoint server URLs are retained when remote SharePoint Workspace users try to access and synchronize content on a SharePoint site through the UAG.
To avoid synchronization problems for offline SharePoint Workspace 2010 clients who reconnect to SharePoint through UAG after working offline, upgrade UAG to Service Pack 1. Otherwise, disable address link translation for the following pages on the Unified Access Gateway server:
- /_vti_bin/Lists.asmx
- /_vti_bin/Webs.asmx
For more information about alternate access mapping, see Planning alternate access mappings (https://go.microsoft.com/fwlink/p/?LinkID=114854).
SharePoint list and library actions and settings
The following SharePoint Server 2010 actions and settings apply to SharePoint Workspace 2010:
- File Synchronization via SOAP over HTTP Protocol — This protocol must be enabled to support synchronization of SharePoint library and list content with SharePoint workspaces on SharePoint Workspace clients.
- Remote Differential Compression (RDC) — This Windows feature should be enabled to support File Synchronization via SOAP over HTTP Protocol.
- Site Actions: Sync to SharePoint Workspace — SharePoint Workspace users connected to the SharePoint site can click Sync to SharePoint Workspace to create a SharePoint workspace on a local computer, or to synchronize content if a local SharePoint workspace already exists for the site. From the local workspace, the user can add, change, or delete content regardless of connectivity to the SharePoint site. Synchronization with the SharePoint site occurs automatically at set intervals while the user is connected, or the user can click the Sync tab in the SharePoint workspace to force synchronization.
Note
Sync to SharePoint Workspace is also available as a ribbon option from a SharePoint document library or list.
- Site Actions/Site Settings/Site Administration/Search and offline availability/Offline Client Availability — SharePoint site administrators must select this setting to enable SharePoint Workspace clients to access the site.
- Secure Socket Layer (SSL) protection — SSL protection is recommended for the incoming port 80 interface that will support SharePoint communications with SharePoint Workspace clients.
Search options
SharePoint Workspace content can be searched by using Windows Search 4.0 or later versions. By default, Windows Search crawling (index creation) is enabled for some SharePoint Workspace content. SharePoint Workspace users can access Windows Search 4.0 by clicking Search on the Home tab of the ribbon, unless prevented from doing this by a Windows policy.
Administrators can block Windows Search of SharePoint Workspace content and can override any user search setting by deploying an Active Directory GPO, as described in Configure and customize SharePoint Workspace 2010. For information about how to use Windows Search, see the Windows Search Administrator Guides (https://go.microsoft.com/fwlink/?LinkID=164567).
SharePoint Workspace backup and recovery
All SharePoint Workspace account information resides on client computers. Account information includes cryptographic keys and user identity information. SharePoint Workspace provides mechanisms for user account backup and recovery. In addition, users can back up Groove workspaces as workspace archives.
To help safeguard SharePoint Workspace user accounts, encourage SharePoint Workspace users to observe the following best practices:
- Enable SharePoint Workspace account recovery. The Enable account recovery setting can be accessed in SharePoint Workspace 2010 through the Account Preferences option and gives users a secure method for regaining access to accounts if a Windows logon must be reset. The Enable account recovery check box should remain selected on all clients, because it enables account recovery. Consider warning users against clearing this setting.
Note
Enable account recovery also supports account portability and the ability to use the account on multiple computers. For organizations that must prevent users from porting their account to another computer, Microsoft Groove Server 2010 provides a policy that restricts managed accounts to a single computer. For information about how to deploy Groove Server at your site, see Deployment for Groove Server 2010.
- Back up SharePoint Workspace user accounts to a file in a secure location. SharePoint Workspace supports account recovery in the event of a lost or corrupted account, by providing an option that enables users to save their accounts to a .grv file. Encourage users to regularly save their accounts to a file in a secure location. Users can save their account by clicking the File tab on the ribbon and, in the Manage Account drop-down menu, selecting Account Preferences. Then, on the Account tab, they select Save Account as File and, when they are prompted, enter a file name and a password for initial account recovery. Note that Enable account recovery must be selected in the user’s account preferences for a reset code to be sent and the account to be recovered if the password is forgotten. When this setting is enabled, SharePoint Workspace sends a reset code to the e-mail address that was provided in the Account Configuration Wizard when the account was created. Users can then reset a recovered account.
To help safeguard Groove workspaces, encourage users to periodically back up each Groove workspace by clicking the File tab on the ribbon, selecting Share, and then configuring the Workspace as Archive option. For more information about how to back up and recover Groove workspaces, see SharePoint Workspace product help at Microsoft products online (https://go.microsoft.com/fwlink/p/?LinkId=162269).
Note
Groove workspace data and tools reside on client computers. Therefore, if other team members share a Groove workspace, the lost workspace can be retrieved from another client computer.