Two-Tier Commerce SharePoint 2010 Deployment Architecture
This topic contains a topology diagram showing the main logical components of a two-tier Microsoft SharePoint 2010 commerce deployment for the internal and the external zone.
For detailed information about the flow of user and service identities specific to each deployment scenario, see Understanding the Flow of Identity.
For configuration details specific to each zone, see
By default, when you deploy the SharePoint 2010 Solution Storefront (the site that business users access to perform management tasks through the Commerce Server Business Administration Ribbon), a routing service is configured on the internal zone. The default configuration for the Solution Storefront site uses basicHttpBinding between the routing service endpoint (SP1) and the Silverlight client (CEP1). When a routing service is deployed, WCF ASP.NET compatibility must be enabled on the SharePoint 2010 Web application. For secure deployment in a production environment, the use of transport security is recommended.
In a SharePoint 2010 commerce deployment, a security token service (STS) is used by the commerce application in the internal zone to populate a business user's identity with claims that assert that user's permissions in Commerce Server 2009 R2. The default configuration for the operation service endpoint (SEP2) uses wsHttpBinding to handle requests coming from the STS (CEP2).
For a secure deployment, the use of encryption between the presentation tier servers and the SQL Server commerce databases is recommended.
By default, the SharePoint 2010 Solution Storefront does not implement a routing service on the external zone. In the default configuration for two-tier SharePoint 2010 commerce deployment, the Commerce Foundation and the SharePoint 2010 Web application exchange information in process.
The STS is used by a SharePoint 2010 commerce application in the external zone to validate the profile credentials (membership) for shoppers when they connect to an e-commerce site. An operation service endpoint (SEP2) uses wsHttpBinding to process requests that come from the security token service (STS) (CEP2).
The above diagram shows a rich Internet application (Silverlight) in the client tier. This is a possible scenario, but it is not a configuration that is supported out-of-the-box. The SharePoint 2010 Solution Storefront site includes a rich Internet application (RIA) on the internal zone for business management users. Commerce Server 2009 R2 does not deliver a RIA on the Internet-facing zone.
Deploying a RIA on the external zone of an e-commerce deployment is not without risk. For more information about how you can help mitigate the risk associated with this scenario, see Considerations for Secure Deployment of Rich Internet Applications (RIAs).
The use of encryption between the presentation tier servers and the SQL Server commerce databases is recommended.
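One way to check a web.config against the three settings this topic calls out (ASP.NET compatibility for the routing service, transport security on the basicHttpBinding endpoint, and encrypted SQL Server connections), as an added Python example that is not part of the original documentation. The binding name, database name and sample file are constructed, and the check assumes the connection strings appear in the same file, which may not hold for a given Commerce Server installation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the binding name, server name and connection string are
# illustrative and are not the configuration that ships with the product.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ExampleCommerceDb"
         connectionString="Data Source=sql01;Initial Catalog=Example_db;Integrated Security=SSPI" />
  </connectionStrings>
  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="false" />
    <bindings>
      <basicHttpBinding>
        <binding name="ExampleRoutingBinding"><security mode="None" /></binding>
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>"""

# WCF security modes that put the exchange on HTTPS.
TRANSPORT_MODES = {"transport", "transportwithmessagecredential"}

def audit_web_config(xml_text):
    """Return a list of findings for the settings the topic recommends."""
    root = ET.fromstring(xml_text)
    findings = []
    env = root.find("./system.serviceModel/serviceHostingEnvironment")
    if env is None or env.get("aspNetCompatibilityEnabled", "false").lower() != "true":
        findings.append("aspNetCompatibilityEnabled is not true")
    for binding in root.findall("./system.serviceModel/bindings/basicHttpBinding/binding"):
        sec = binding.find("security")
        # basicHttpBinding falls back to mode="None" when <security> is absent.
        mode = sec.get("mode", "None") if sec is not None else "None"
        if mode.lower() not in TRANSPORT_MODES:
            findings.append(f"basicHttpBinding '{binding.get('name')}' uses security mode {mode}")
    for add in root.findall("./connectionStrings/add"):
        # Split "key=value;key=value" into a case-insensitive option map.
        pairs = [p.split("=", 1) for p in add.get("connectionString", "").split(";") if "=" in p]
        opts = {k.strip().lower(): v.strip().lower() for k, v in pairs}
        if opts.get("encrypt") not in ("true", "yes"):
            findings.append(f"connection string '{add.get('name')}' does not set Encrypt=True")
    return findings

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```

A mode of TransportCredentialOnly is reported as a finding because it sends credentials over plain HTTP.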