Extranet Setup: Security Checklist + Partner Portal Guide

How to Set One Up (5 Steps)

An extranet lets you work with partners, vendors, and customers without giving them access to your internal systems. Here’s how to set one up securely.

Step 1: Figure Out What You Need

Who Needs Extranet Access?

Figure out who needs access:

External Party Type	Typical Needs	Security Level	Example Use Cases
Business Partners	Marketing materials, deal registration, training, support	Medium-High	Channel partners accessing sales resources
Suppliers/Vendors	Purchase orders, inventory data, invoices, specifications	High	Suppliers viewing demand forecasts and submitting invoices
Customers (B2B)	Order status, account info, support tickets, documentation	Medium	Customers tracking orders and accessing product manuals
Distributors	Product catalog, pricing, inventory, commission reports	Medium-High	Distributors placing orders and checking inventory
Contractors/Consultants	Project documents, communication, deliverables	High	External consultants collaborating on projects
Regulatory Bodies	Compliance documentation, audit materials, reports	High	Regulators accessing required documentation

For each group, write down:

What info they need
What they should be able to do (view, download, upload, submit)
How sensitive the info is
How often they’ll log in
How long they need access (ongoing, project-only, temporary)

What Access Control Model Should You Use?

Organization-level segmentation:

Company A sees completely different content than Company B. Competitors never see each other’s information, customers don’t see supplier data.

Role-based access within organizations:

Within Partner Company A, different roles see different things:

Sales reps see marketing materials and deal registration
Technical support sees product documentation and case management
Managers see performance reports and analytics

Individual-level permissions:

Specific users get additional restricted access:

Partner executive sees strategic roadmap
Key supplier sees future demand forecasts
Major customer sees beta product access

Time-based access:

Project access expires when project completes
Vendor access deactivates when contract ends
Partner certification requires annual renewal

Organizations managing external workforce like temporary staffing agencies can configure time-based extranet access automatically syncing with assignment dates and contract terms through automated provisioning workflows. While intranets serve internal employees, extranets extend controlled access to external partners requiring collaboration without full network access.

What Security Requirements Apply?

Security assessment checklist:

What data classification levels will extranet handle? (Public, Internal, Confidential, Restricted)
What compliance requirements apply? (GDPR, HIPAA, SOC 2, industry-specific)
What are consequences of data breach involving this information?
What encryption standards are required?
What authentication strength is needed?
What logging and monitoring requirements exist?
What geographic restrictions apply to data or access?
What incident response procedures are needed?

Step 2: Pick Your Platform

What Are Your Platform Options?

Platform comparison:

Approach	Best For	Cost Range	Timeline	Pros	Cons
CRM/ERP Portal Add-On	Extending existing systems (Salesforce, SAP, Microsoft Dynamics)	$5K-30K setup + $3-10/user/month	1-3 months	Uses what you already have, data already connected	Limited by platform, might feel corporate
Third-Party Portal Platform	Purpose-built external portals (Liferay, OpenText, Confluence)	$10K-50K + $5-20/user/month	2-4 months	Built for external collaboration, modern features	Subscription costs, integration effort
Custom Development	Unique requirements, full control	$50K-250K+ one-time	4-8+ months	Complete customization, no licensing	High cost, ongoing maintenance burden
Secure File Sharing	Document-focused collaboration (Box, Citrix ShareFile)	$15-35/user/month	1-2 months	Fast setup, familiar file model	Limited to file sharing, less structured

Selection criteria:

Choose portal add-on if:

Already using CRM/ERP with portal capabilities
Need tight integration with existing data
Primarily extending current system to external users
Budget and timeline are constrained

Choose third-party platform if:

Need purpose-built extranet features
Don’t have suitable existing systems
Want modern UX designed for external users
Require multi-system integration

Choose custom development if:

Have truly unique requirements not met by platforms
Need specific branding, UX, or functionality
Have development resources and ongoing maintenance capability
Security requirements demand full control

Choose secure file sharing if:

Primary need is document exchange and collaboration
Don’t need complex workflows or processes
Want fastest, simplest deployment
Limited budget

How Much Does Extranet Setup Cost?

Implementation cost breakdown:

Platform and licensing:

Portal add-on licensing: $3-10 per external user monthly
Third-party platform: $5-20 per user monthly + $10K-50K implementation
Custom development: $50K-250K+ build cost
Secure file sharing: $15-35 per user monthly

Security and infrastructure:

SSL certificates and encryption: $500-2,000 annually
Multi-factor authentication system: Included or $1-3 per user monthly
Security monitoring and SIEM: $2,000-10,000+ annually
Penetration testing: $5,000-20,000 initially + annual retests
Network isolation and firewall configuration: $5,000-30,000

Implementation services:

Platform configuration and customization: $10,000-50,000
Security implementation and testing: $10,000-40,000
Content migration and organization: $5,000-20,000
Integration with internal systems: $10,000-60,000
Training and documentation: $5,000-15,000

Ongoing costs:

Administration and user management: 0.25-0.5 FTE ($15K-40K annually)
Content management and updates: 0.25-0.5 FTE ($15K-40K annually)
Security monitoring and incident response: $5,000-30,000 annually
Platform updates and maintenance: 15-20% of implementation cost annually

Realistic budget examples:

Small extranet (20-50 external users): $20K-40K setup + $3K-8K annually
Mid-size extranet (100-500 users): $50K-100K setup + $15K-50K annually
Enterprise extranet (1,000+ users): $150K-400K+ setup + $75K-200K+ annually

Step 3: Lock It Down

How Do You Configure Authentication?

Multi-factor authentication (MFA) setup:

Require MFA for all external users. This stops 99% of account takeovers.

MFA options:

SMS codes: Simple but least secure (SIM swapping risk)
Authenticator apps: Good balance (Google Authenticator, Microsoft Authenticator, Authy)
Hardware tokens: Most secure (YubiKey, physical security keys)
Push notifications: Convenient (Duo, Okta Verify)

Best practice: Require authenticator app minimum. Offer hardware tokens for high-privilege users.

Password policies:

Minimum 12 characters (not 8—too short in 2026)
Mix of upper, lower, numbers, symbols
No reused passwords from other accounts
Expiration every 90 days for high-security extranets
Account lockout after 5 failed attempts

Single sign-on (SSO) for partners:

Allow partners to use their corporate SSO (SAML/OAuth) instead of separate credentials. Reduces password fatigue and improves security. Requires setup with each partner organization.

How Do You Design Role-Based Access Control?

Access control matrix example:

Role	Partner Sales Rep	Partner Manager	Supplier Contact	Customer Admin	Customer User
Marketing materials	View, Download	View, Download	No access	No access	No access
Deal registration	Create, View own	View all, Approve	No access	No access	No access
Purchase orders	No access	No access	View, Submit invoices	No access	No access
Order status	No access	No access	No access	View all orders	View own orders
Support tickets	Create, View own	View all	Create, View own	View all tickets	Create, View own
Product documentation	View	View	View specifications	View	View user guides
Financial data	No access	View own commissions	View own invoices	View invoices	No access

Best practices:

Start restrictive—expand later. Give minimum necessary access. Manage roles, not individual permissions. Document role permissions. Review quarterly.

What Security Monitoring Do You Need?

Essential logging:

Track and alert on:

All login attempts (successful and failed)
Permission changes and role assignments
Document downloads (especially bulk downloads)
Failed access attempts (indicates reconnaissance)
Unusual access patterns (login from new country, excessive downloads)
User account creations and deletions
Configuration changes to extranet

Automated alerts:

Failed login attempts exceeding threshold
Access from suspicious locations or IPs
Bulk document downloads
Access outside normal hours (if pattern exists)
Permissions elevation
Account sharing indicators (simultaneous logins from different locations)

Regular security reviews:

Monthly: Review access logs for anomalies
Quarterly: Audit all active user accounts, remove stale access
Annually: Penetration testing and security assessment
After incidents: Detailed investigation and remediation

Step 4: Build It

What Content Belongs on Extranet?

Partner portals: Marketing collateral, product docs, training, deal registration, dashboards, support tickets

Supplier portals: Purchase orders, forecasts, invoice submission, inventory levels, contracts, scorecards

Customer portals: Order tracking, account info, billing, support tickets, documentation, returns

How Do You Organize Extranet Content?

Design principles: Task-oriented navigation, 2-3 clicks maximum, prominent search, clear labels (no jargon), mobile-first.

What Integrations Are Critical?

Integrations: ERP (purchase orders, invoices), CRM (partner data), order management, document management, SSO, notifications

Security: Rotate API keys, least privilege, audit logging, rate limiting

Data validation on all inputs (prevent injection attacks)
Encryption for data in transit and at rest

Step 5: Onboard Users and Stay Secure

How Do You Onboard External Users?

Account provisioning workflow:

Request approval: Internal sponsor requests external user access with justification
Verification: Confirm user identity and organization (email verification, business verification)
Access assignment: Grant appropriate role based on user’s function and needs
Credential setup: Send secure invitation, user sets password and configures MFA
Training: Provide quick start guide and optional training session
Confirmation: User acknowledges acceptable use policy

Onboarding documentation:

Quick start guide (1-2 pages, visual, task-focused)
Video walkthrough (3-5 minutes showing key features)
FAQ document addressing common questions
Contact information for support
Acceptable use policy (what’s allowed, what isn’t)

Ongoing support:

Dedicated support contact or ticketing system for extranet issues
Regular communication about updates and new features
Feedback mechanism for improvement suggestions
Periodic training sessions for new features

How Do You Maintain Extranet Security?

Access review process (quarterly):

Export all active user accounts
Validate each user still requires access (confirm with internal sponsors)
Verify role assignments still appropriate
Remove accounts for users no longer with organization
Remove accounts inactive for 90+ days
Document review and removals

Security update process:

Patch management: Apply security updates within 30 days of release
Vulnerability scanning: Monthly automated scans for known vulnerabilities
Penetration testing: Annual testing by external security firm
Security training: Quarterly training for extranet administrators
Incident response plan: Documented procedures for security incidents

Performance monitoring:

Page load times and availability (track uptime)
Error rates and user issues
Usage patterns and adoption rates
Search effectiveness and content gaps
User satisfaction surveys (biannual)

Mistakes You’re Probably Making

Mistake 1: Insufficient security from the start Fix: Implement strong authentication, encryption, and monitoring from day one. Retrofitting security is expensive and risky.

Mistake 2: Too much access too quickly Fix: Start restrictive, expand based on requests. Taking away access causes problems.

Mistake 3: Forgetting mobile users Fix: Design and test for mobile thoroughly. Many external users primarily access via smartphones.

Mistake 4: No ongoing access governance Fix: Establish quarterly access reviews removing stale accounts. Abandoned accounts are security vulnerabilities.

Mistake 5: Internal jargon and navigation Fix: Design for external users unfamiliar with your organization. Test with actual external users.

Mistake 6: Inadequate documentation and support Fix: Provide clear guides, training, and responsive support. External users can’t just ask colleague for help.

Frequently Asked Questions

How do you set up an extranet?

Five steps: Figure out which external people need what access. Pick a platform (portal add-on, third-party, or custom). Lock it down with MFA and role-based access. Build the portal with content and integrations. Onboard users with verification and set up quarterly access reviews.

What security features does an extranet need?

MFA for everyone outside. Role-based access limiting what each party sees. Encryption for data in transit and at rest. Detailed activity logs. Automatic timeouts. Regular access audits to remove stale accounts. Network isolation from internal systems. Incident response plan.

How much does it cost to set up an extranet?

$20K-$40K for small (20-50 users). $150K-$400K+ for enterprise (1,000+ users). Ongoing costs for platform, admin, content, security monitoring. Portal add-ons cheapest ($5K-$30K + $3-10/user/month). Custom most expensive ($50K-$250K+).

What is the difference between extranet and VPN?

Extranet: limited access to specific apps and info through web portal for external parties. VPN: full network access like you’re in the office, typically for remote employees. Use extranet for partners/vendors. VPN for employees.

How do you control who sees what on an extranet?

Role-based permissions (define roles with access levels). Org-level segmentation (Company A sees different stuff than Company B). Individual permissions for special cases. Time-based access that expires. Quarterly reviews to make sure only the right people have access.

What platform should I use for an extranet?

Add-on to your CRM/ERP if you already have it. Third-party platforms (Liferay, OpenText) for purpose-built features. Custom only if you have weird requirements. Secure file sharing (Box, Citrix ShareFile) just for documents.

How long does it take to set up an extranet?

CRM/ERP add-ons: 1-3 months. Third-party: 2-4 months. Custom: 4-8+ months. Secure file sharing: 1-2 months. Add time for security testing and onboarding. Minimum 2-3 months.

What are common extranet security mistakes?

Weak MFA. Too-broad permissions. Not auditing access (stale accounts pile up). Inadequate logging. Treating external users like employees security-wise. Not segmenting partner access. Trusting outsiders as much as your own people.