Published: February 28, 2008

The External Collaboration Toolkit for SharePoint (ECTS) uses Active Directory Application Mode (ADAM), Microsoft SQL Server®, Windows SharePoint Services 3.0, and custom software to provide collaboration services. This chapter describes how to install the ECTS and the software it requires.

Note   This chapter describes how to install the ECTS software on a single server running Windows SharePoint Services 3.0 to minimize the number of servers required to make this environment functional. If you want to install the ECTS on more than one server, or to install it in a Microsoft Office SharePoint Server 2007 environment, see Appendix A, “Installing in Larger Environments,” before beginning this installation process.

Installation Overview

The process of installing the ECTS is relatively straightforward. The installation process generally involves the following steps:

• Prepare the environment. Before you begin the installation process, gather the data you’ll need, confirm that your environment meets the solution prerequisites, and complete a few pre-installation steps.
• Install required software. Next, you install the software that the solution requires.
• Configure Windows SharePoint Services. This phase of the installation process involves configuring the Windows SharePoint Services environment.
• Install ECTS. Finally, you install the ECTS software.

Prepare the Environment

To simplify the installation process, you can make certain decisions in advance and gather information that you will need when you install the solution. In addition, ensure that your environment meets the solution prerequisites and complete a few pre-installation steps, which include installing a certification authority and setting up DNS aliases.

Required Data

There are a number of decisions that you can make before you begin that will help streamline the installation process. Record the decisions you make about the following items before you begin installing:

• Internal URL. This is the URL for the extranet server that internal users will use. Depending on your typical DNS naming conventions, this might be a fully qualified domain name (FQDN). For example, you might choose https://collab or https://collab.corp.treyresearch.net depending on your naming convention. This name will be served by your internal DNS servers.
• External URL. This is the URL for the extranet server that external users will access. This must be a FQDN such as https://collab.extranet.treyresearch.net. This name will be served by your external DNS provider.
• ADAM host name. This is the internal FQDN of the ADAM server. This name will be used for the Secure Sockets Layer (SSL) certificate.
• SQL Server name. For a SQL Server Express installation, this will be host\SQLEXPRESS, where host is the short name of the host on which SQL Server is installed. If you use a different version of SQL Server, this name could be different.
• Internal e-mail server name. You need the name of your internal e-mail server because the ECTS software will use this e‑mail server to send messages to users of the system. Make sure the e‑mail server that you use can relay messages to users outside your organization.
• E-mail sender address. You will need to choose an e-mail address to use to send e‑mail from the ECTS system. This can be any e‑mail address, such as sharepoint@treyresearch.net. Generally speaking, this address does not need to handle incoming mail, so any valid e‑mail address should work.
• LDAP container name. This is the container that will be used to store the users in the ADAM directory. This name can be any valid container name, but we recommend using something in this form: CN=ExternalUsers,DC=domain_component,DC= domain_component For example, for the domain treyresearch.net we recommend using CN=ExternalUsers,DC=treyresearch,DC=net.
• LDAP port number. This is the port number on which the ADAM server will listen for unencrypted connections. Under normal circumstances you can accept the default of 389. If you choose to use a different port number, it must be higher than 1024 and lower than 65536, and not already be in use.
• LDAPS port number. This is the port number on which the ADAM server will listen for SSL encrypted connections. Under normal circumstances you can accept the default of 636. If you choose to use a different port number, it must be higher than 1024 and lower than 65536, and not already be in use.
• Port number for the SharePoint Central Administration server. When you install the SharePoint Central Administration server, you can specify a port number for it to use. If you don’t specify a port number, SharePoint will randomly choose one for you. Choose a port number that is higher than 1024 and lower than 65536, preferably one that is easy to remember. You will need to be able to access this port from your internal network, but should not be able to access it from the Internet.

Appendix B, “Required Data for Installation,” of this document provides a form that you can use to record the required data that you will use during the installation process.

Prerequisites

Before you begin to install the solution, ensure that you:

• Install Windows Server 2003 R2 SP2 on the server that will host your extranet collaboration environment (the extranet server).
• Deploy the extranet server in the appropriate location on your network, preferably in the perimeter network.
• Join the extranet server to your enterprise AD DS domain.
• Install and configure an internal e‑mail server and ensure that all internal users who will use the ECTS have a valid e‑mail address.
• Configure your firewalls to allow:
  • HTTP and HTTPS traffic from the internal network to the extranet server.
  • HTTPS traffic from the Internet to the extranet server.
  • SharePoint Central Administration traffic from the internal network to the extranet server.

  • Active Directory traffic from the extranet server to the Active Directory server.

    Note   In a test environment, it is reasonable to open all TCP and UDP ports from the extranet server to the Active Directory server. In a production environment, limit traffic on the firewall to the specific ports that are needed. For the specific ports that should be opened on your firewall, see How to configure a firewall for domains and trusts.

  • E‑mail traffic from the extranet server to the internal e‑mail server.

Pre-installation Steps

Before you can install and set up the solution, you must first prepare the environment. This process involves the following steps.

Install Certification Authority (Optional)

To function properly, the ECTS requires that all communication between the SharePoint Web server and ADAM be encrypted. This means that the server that hosts ADAM needs a certificate. You can either get a certificate through an external certification authority (CA) or use the Microsoft CA.

If you choose to use the Microsoft CA, you must set it up on one of your domain controllers. The software installation process is very simple. On the domain controller, in Control Panel, double-click Add or Remove Programs, then click Add/Remove Windows Components. Select the Certificate Services check box, click Next, and then choose to create an Enterprise Root CA. Provide a common name, then select the defaults for the rest of the installation. When you are done, you will have a CA that can be used to issue certificates in your organization. For more information, see Installing and configuring a certification authority.

Set Up DNS Aliases

Your servers will need to have DNS entries both internally and externally. We suggest using an alias for your internal DNS name for the collaboration environment rather than the actual host name of the extranet server. This allows you to move the collaboration environment to a different server or to deploy load balancing in the future with a minimum of disruption to your environment. Use the DNS manager to create an alias (CNAME) for your internal URL, which you recorded with your Required Data. The alias should point to the host record for the extranet server.

You also need to have your external DNS provider create an A or CNAME record that external users can use to access the extranet server. Consult with your external DNS provider to set this up.

Note   For testing purposes, both the internal and external host names can be added to your HOSTS file.

Install Certificate and Update Key File Permissions

As mentioned previously, you must have a certificate installed on your ADAM server for the ECTS to function properly. This is because the ECTS connects to the ADAM server over an SSL-encrypted Lightweight Directory Access Protocol (LDAP) connection. Therefore, you must install a certificate on the ADAM server.

Install Certificate

If you are using your own Microsoft CA, follow these instructions to get a certificate for the ADAM server. If your certificate comes from another channel, follow the instructions provided by that source.

First, you may need to modify your firewall rules to allow HTTP (port 80) traffic from the extranet server to the CA server inside your organization. This traffic is only required to get the certificate; after you have obtained the certificate, you can disable this communication.

From the extranet server, use Microsoft Internet Explorer® to access the certification service on the domain controller at https://domain_controller/certsrv, where domain_controller is the name of the domain controller running the certification authority.

To install a certificate on the extranet server:

1. Under Select a Task, click Request a certificate.
2. On the Request a Certificate page, click advanced certificate request.
3. On the next page, click Create and submit a request to this CA.
4. On the next page, under Certificate Template, click Web Server. Under Identifying information for Offline Template, in the Name field, type the FQDN of the extranet server. Fill out the rest of the fields in this section as appropriate.
5. Under Key Options, click Create a new key set. For CSP, click Microsoft RSA SChannel Cryptographic Provider. In the Key Size text box, type 1024. Click Automatic key container name, and then select the Store certificate in the local computer certificate store check box.
6. Under Additional Options, for Request Format, click PKCS10, in the Friendly Name text box, type a name, such as ADAM Certificate and then click Submit. If a Potential Scripting Violation warning appears, click Yes.
7. On the Certificate Issued page, click Install this Certificate, and then, if a Potential Scripting Violation warning appears, click Yes.

At this point you can update your firewall rules to disallow HTTP communication between the extranet server and the CA server; it will no longer necessary.

To verify that the certificate was installed, you can use Microsoft Management Console (MMC) with the Certificates snap-in to look at the local computer certificates. Expand Certificates, expand Personal, and expand Certificates to find the certificate you just installed. Or you can run certutil ‑store my from the command line to see the certificate.

Update Permissions on the Certificate File

Unfortunately, the certificate that gets installed cannot be accessed by the ADAM server until you complete one more step. You must change the file system permissions on the certificate file so that the ADAM server can read it. To do so, access the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder. One of the keys in this folder will be the key you just installed. Check the time stamp to find the appropriate key, or you can use the certutil ‑store my command to help locate the appropriate key (the key container is the file name of the key file).

To update permissions on the certificate:

1. Right-click the appropriate key file, and then click Properties.
2. Click the Security tab, and then click the Add button.
3. Click the Locations button, and then, in the Locations list, click the name of the extranet server, and then click OK.
4. In the object names text box, type Network Service, click the Check Names button to resolve the name, and then click OK to continue.
5. Under Permissions for NETWORK SERVICE, verify that the check boxes to Allow the Read and Read & Execute permissions are selected and then click OK.

ADAM will now be able to read the key file and use the certificate.

Install Required Software

Now that you have prepared the environment, it is time to install the software on the extranet server. We recommend that you log on to the server as the local administrator before installing the software packages.

Install Internet Information Services (IIS)

First, click Start, point to Administrative Tools, and then click Configure Your Server Wizard to make sure that the server is set up as an Application Server. Follow the instructions to install IIS. When asked, select the check box to enable ASP.NET. You may need your Windows Server 2003 installation disk to complete this step.

Install .NET Framework 3.0

Next, ensure that .NET Framework 3.0 is installed. If it is not already present on the server, download it from the Microsoft Download Center and install it, or select .NET Framework 3.0 in the Recommended Updates section of the Windows Update site. You may be required to restart the computer after the installation is complete.

Install ADAM

Next, you will need to install ADAM on the extranet server. ADAM should be available on your server in Add or Remove Programs under Windows Components (look under Active Directory Services), or you can get the latest version on the Microsoft Download Center. Follow the instructions and accept all the defaults for the ADAM installation. Do not create an ADAM instance at this point; you will do so later in the setup process.

Install SQL Server

Next, install SQL Server on the extranet server. You can use any version of SQL Server 2005. If you do not need advanced features, you can use SQL Server 2005 Express Edition. You can get SQL Server Express Edition from the Microsoft Download Center. Choose all the defaults for the installation. Do not create any databases at this time; you will do so later in the setup process.

Install Windows SharePoint Services

Finally, you are ready to install Windows SharePoint Services 3.0. When asked, choose the Basic installation. When you are asked if you would like to run the SharePoint Products and Technologies Configuration Wizard, clear the check box to ensure that this wizard does not run. You will set up SharePoint manually.

Important   If you run the Configuration Wizard, many of the steps that follow will not work.

Configure Windows SharePoint Services

Now that all the software is installed, it is time to start configuring Windows SharePoint Services for the ECTS.

To process to configure Windows SharePoint Services involves the following steps:

• Set up the SharePoint database and SharePoint Central Administration
• Set up e‑mail
• Create a collaboration site
• Extend the collaboration site
• Create a site collection
• Set up forms-based authentication

Set Up SharePoint Database and SharePoint Central Administration

First, you need to set up the SQL Server database for Windows SharePoint Services and create the Central Administration site. Earlier you chose not to have the wizard do this so that you could use your own SQL Server rather than the embedded SQL Server that comes with Windows SharePoint Services 3.0.

To begin the setup process, open a Command Prompt window and change to the SharePoint bin directory:

cd “%CommonProgramFiles%\microsoft shared\web server extensions\12\bin”

From there, run the following command: psconfig ‑cmd configdb ‑create ‑server SQL Server where SQL Server is the name of the SQL Server you created earlier (for example, TREY-SP-01\SQLEXPRESS). This will create the SharePoint configuration databases that Windows SharePoint Services will use.

Next, you need to create the Central Administration server. To do so, use the following command: psconfig ‑cmd adminvs ‑provision ‑port port where port is the port number for the Central Administration server that you recorded with your Required Data.

Set Up E‑mail

Now that you have created the Central Administration server, you can use it to complete the configuration of Windows SharePoint Services. To access the server, click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration, or use Internet Explorer to access https://host name:port where host name is the host name of the extranet server and port is the port number for the Central Administration server that you recorded with your Required Data. The first thing to configure inside Windows SharePoint Services is outgoing e‑mail.

To configure outgoing e‑mail:

1. In Central Administration, under Administrator Tasks, click Outgoing e‑mail settings.
2. In the Action area, click Configure Outgoing E‑Mail Settings.
3. On the Outgoing E‑Mail Settings page, fill in the form using the information that you recorded with your Required Data. In the Outbound SMTP server text box, type the internal e‑mail server name. In the From address text box, type the e‑mail sender address. You can opt to provide a Reply-to address in the appropriate box, then click OK to finish.

At this point, SharePoint should be able to send e‑mail to internal and external users.

Create a Collaboration Site

Next, create the base site for the extranet collaboration environment. This is the site where users will create new collaboration sites, and where administrators will approve requests, manage users, and so on.

To create a collaboration site:

1. In Central Administration, click the Application Management tab.
2. Under SharePoint Web Application Management, click Create or extend Web application, and then click Create a new Web application.
3. On the Create a New Web Application page, click Create a new IIS Web site.
4. In the Description box, type a descriptive name for the new site.
5. In the Port box, type 80, in the Host Header box, type the host name of the internal collaboration site. (For example, if your internal site is https://collab, type collab).
6. In the Application Pool section, click the Use existing application pool option.
7. Leave the rest of the items as defaults and then click OK.

Eventually an Application Created page will display.

Extend the Collaboration Site

The site you just created has an internal URL that internal users can access. Now you must extend this site to an external URL that people outside your firewall can access.

To extend the Web application to the extranet zone:

1. In Central Administration, click the Application Management tab, click Create or extend Web application, and then click Extend an existing Web application.
2. At the top of the page, click No Selection, then click Change Web application.
3. In the Select a Web Application dialog box, click the name of the Web application you just created.
4. Click the Create a new IIS Web site option.
5. In the Description box, type descriptive name.
6. In the Port box, type 443 (to set up for SSL), and in the Host Header box, type the external URL. (For example, if your external URL is https://collab.extranet.treyresearch.net, type collab.extranet.treyresearch.net.)

7. In the Use Secure Sockets Layer (SSL) section, click Yes.

   Note   You will not be able to access this URL until you have installed a certificate on this Web site. If you are testing the ECTS, you can choose not to use SSL for the external URL. To do so, choose port 80 rather than port 443 in step 6, and do not enable SSL.

8. In the Load Balanced URL section, in the Zone list, click Extranet and then click OK.

When the process completes, the Application Management page will appear.

Create a Site Collection

So far, you have created a SharePoint Web application, but you have not created any content for it. By creating a site collection, you put some content in the Web application.

To create a site collection for the Web application you just created:

1. In Central Administration, click the Application Management tab, and then click Create Site Collection.
2. Verify that your Web application is correct (it should be your internal URL).
3. In the Title box, type a name, such as Collaboration Home.
4. In the Description box, type a description of the collaborative project.
5. In the Web Site Address box, leave the default /.
6. In the Template field, choose a template or take the default.
7. In the Site Collection Administrator section, select a Primary (and optionally a Secondary) person to own the site collection. A good choice would be the local or domain administrator.
8. Click OK.

The system will run for a while then display a Top-Level Site Successfully Created message. You should now be able to access your new collaboration site. You can verify that the site was created by clicking the URL on the page.

Set Up Forms-based Authentication

Finally, you need to turn on forms-based authentication for the extranet zone. This will allow your external users to log on with a familiar forms-based logon page.

To set up forms-based authentication:

1. In Central Administration, click the Application Management tab and then, under Application Security, click Authentication providers.
2. Verify that you are configuring the proper Web application, and then click Extranet.
3. On the Edit Authentication page, under Authentication Type, click Forms, and then, in the Membership Provider Name text box, type ADAMUser.

4. In the Client Integration section, under Enabled Client Integration, make sure that No is selected.

   Note   Microsoft does not recommend enabling client integration in a zone where forms-based authentication is used. For more information on client integration and forms-based authentication, see the “Client Integration” section that follows.

5. Click Save.

When the Authentication Providers page displays and shows ADAMUser in the Extranet Membership Provider Name field, you have completed setup of the SharePoint environment. You are now ready to install the ECTS.

Client Integration

With forms-based authentication, client integration is disabled by default. The main impact of having client integration disabled is that documents cannot be saved directly to the SharePoint site from within a client application. Instead, the user must save the document locally then upload it to the site.

There might be workarounds available that you could use to make some client integration features work with forms-based authentication. However, these workarounds might be inadequate, or you may experience unexpected issues with them. Microsoft does not support such workarounds. If you plan to use client integration with forms-based authentication, you must fully test any solutions or workarounds to determine if the performance and functionality are acceptable in your environment.

For more information about forms-based authentication and client integration, see Configure forms-based authentication (Office SharePoint Server).

Install ECTS

The External Collaboration Toolkit for SharePoint is distributed as a Windows Installer package (MSI) that contains the setup utilities and binaries for the solution. Running this MSI (called ECTS.msi) copies these files to your system, but does not automatically install or configure the software.

After the software is installed, you have two options for setting up the software: to use the Setup Wizard or run the installation scripts manually. This section describes both methods.

Whichever method you choose, the first step is to install the ECTS.msi on the extranet server. To do this, log on to the extranet server as the local administrator, then either double-click the ECTS.msi file, or run msiexec ‑i ects.msi from the command line. By default, this will copy all the necessary files into a folder called External Collaboration Toolkit under My Documents. The installer will give you the option to select which features you want to install on the server. You should generally install all the features. After you copy the binaries to the extranet server, you still must set up the ADAM user store for external users, configure SQL Server, and install the SharePoint extensions. You can either use the Setup Wizard to perform these tasks, or do them manually.

Use the ECTS Setup Wizard

The ECTS Setup Wizard simplifies ECTS setup. The Setup Wizard walks you through the process to gather the information required for setup, then configures ADAM, SQL Server, and Windows SharePoint Services as needed to enable the solution. You will need much of the information that you recorded with your Required Data to complete the Setup Wizard.

To run the Setup Wizard, log on as either local administrator (which is preferred) or the domain administrator, then double-click the ECTSSetupWizard icon in the directory in which you installed the ECTS. Follow the prompts and provide answers to all the questions and then click the Install button to set up the environment. When the wizard completes, you are ready to verify the installation, as described later in the “Verify Installation” section.

Set Up Manually

You can choose to run the installation scripts manually, which this section describes. Note that you perform the manual setup in the following order: ADAM, SQL Server, then Windows SharePoint Services. Also note that you should log on as either local administrator (preferred) or domain administrator before you begin the setup process.

Run the ADAM Setup Script

To set up the ADAM user store, you need to run a command from the ECTS installation directory (typically My Documents\External Collaboration Toolkit) on the extranet server. You should run the script after you log on as a local or domain administrator.

To set up ADAM, use the following command:

cscript ects_setup_adam.vbs container_name LDAP_port LDAPS_port

Where container_name is the LDAP container name, LDAP_port is the LDAP port number, and LDAPS_port is the LDAPS port number that you recorded with your Required Data.

This script does several things. It:

• Creates a new ADAM instance with the specified container listening on the selected ports.
• Extends the ADAM schema with new attributes used by the ECTS.
• Creates a new container for users under the specified container.
• Grants permission to the container to various service accounts.

Run the Database Setup Script

Next, you should set up the SQL Server database that the ECTS will use. You can do this by running another script, which you can find in the ECTS installation directory (typically My Documents\External Collaboration Toolkit) on the extranet server. As before, you should log on as either a local or domain administrator to run the script.

To run the SQL Server setup script, use the following command:

cscript ects_setup_sql.vbs SQL_Server

Where SQL_Server is the name of the SQL Server.

This script:

• Creates the database for the ECTS, which it will call “ECTS”.
• Sets up the permissions on that database.
• Stores a base configuration in the configuration table.

Run the ECTS Setup Script

Finally, you should install and configure the ECTS software on the extranet server. You can do this by running another script, which you can find in the ECTS installation directory (typically My Documents\External Collaboration Toolkit) on the extranet server. As before, you should log on as either a local or domain administrator to run the script.

To run the ECTS SharePoint setup script, use the following command:

cscript ects_setup_sharepoint.vbs ADAMhost container SQL_Server internalURL SMTPHost mailfrom LDAPS_port

Where ADAMhost is the server hosting the ADAM instance, container is the base container for the LDAP instance, SQL_Server is the appropriate SQL Server instance, internalURL is the URL for the internal SharePoint site, SMTPHost is the internal e‑mail host name that SharePoint should use, mailfrom is the e‑mail address from which the mail should come, and LDAPS_port is the port on which ADAM listens for SSL encrypted connections. You recorded all of this information with your Required Data.

This script:

• Creates a customized Windows SharePoint Services feature and packages it as a Windows SharePoint solution file.
• Installs ECTSBase.wsp and ECTSSolution.wsp.
• Deploys these solutions to the front-end Web servers.

• Activates all the features in these solutions.

  Note   When ECTSBase.wsp is activated, the solution makes all the required changes to the web.config files for both the internal and external sites.

• Adds all Web Parts to the appropriate Web Parts gallery.

After the ECTS is installed and basic configuration is complete, you can verify that Windows SharePoint Services is working as expected.

Verify Installation

Following setup, you can take steps to verify that basic things are working as expected. For example, you should be able to see a basic SharePoint site by accessing your internal URL from a browser on your internal network. If you attempt to access the external URL from an external browser, you should see a forms-based authentication page (assuming your firewall is configured as expected).

If you encounter errors, the most likely cause is a mistake in entering the Required Data used to set up SharePoint. If you feel that you might have entered some of the Required Data incorrectly, you can use the undeploysolution.cmd script to remove the ECTS software so you can try again. You can find this script in the installation folder (typically My Documents\External Collaboration Toolkit).

To run the undeploysolution.cmd script, use the following command:

undeploysolution.cmd internalURL

Where internalURL is the URL for the internal SharePoint site. Running this command will remove all traces of the ECTS from your SharePoint environment.

Enable SSL on the External Web Site

To finish up your installation, you need to enable SSL on the external URL of your collaboration site. This will help ensure the confidentiality of information as it traverses the Internet. Note that this step is not necessary to continue setting up the software, but should be completed before you begin using your extranet collaboration site for actual collaboration. If you enabled SSL during installation and deployment, you will not be able to access the external URL until you have installed a certificate.

For information about how to request and install a certificate on IIS, see How to enable SSL for all customers who interact with your Web site in Internet Information Services. Note that you need a certificate only for the external Web site.

Server Hardening

Before allowing external users to connect to your collaboration server, we strongly recommend that you use the Security Configuration Wizard (SCW) to ensure that non-essential functionality is turned off on your collaboration server. This will help to reduce the attack surface of your server when it is connected to the Internet. For information about how to install and run this tool, see the SCW Quick Start Guide on the Microsoft Download Center.

For more information about hardening your Windows Server 2003–based system, see the Windows Server 2003 Security Guide.

Microsoft Forefront Security for SharePoint

Now that you are collaborating with people outside your organization, it is important to use an anti-malware solution designed for SharePoint. Microsoft Forefront™ Security for SharePoint provides this capability, well as true file-type and keyword filtering capabilities. For more information, see the Forefront Security for SharePoint 2007 User Guide and Introduction to Forefront Security for SharePoint Best Practices.

Next Steps

After the software is installed and configured, you need to make the Web Parts available, set up the security for the site, and configure how the ECTS works. These topics are covered in the next chapter of this document.