Reverse Proxy Configurations for Windows SharePoint Services and Internet Security and Acceleration Server

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Published: July 26, 2004 | Updated : January 7, 2005

This white paper describes the reverse proxy configurations that work with Microsoft Windows SharePoint Services and includes procedures for publishing SharePoint sites using ISA Server 2004. This type of configuration is useful in an extranet scenario where you need to make your site available to authorized users on the Internet. Topics include SSL termination, SSL bridging, host-header forwarding, and reverse proxies.

Applies To

Windows SharePoint Services

Internet Security and Acceleration Server 2000

Internet Security and Acceleration Server 2004

On This Page

Introduction
Host-Header Forwarding
SSL Bridging (HTTPS to HTTPS)
Configuring Host-Header Forwarding with ISA Server 2000
Configuring Host-Header Forwarding with ISA Server 2004
Configuring SSL bridging (HTTPS to HTTPS) with ISA Server 2000
Configuring SSL bridging (HTTPS to HTTPS) with ISA Server 2004
Known Issues
Appendix A: Configuring Certificates from a Commercial Certification Authority
Appendix B: Setting up a Local Certification Authority

Introduction

Organizations that want to expose Microsoft® Windows® SharePoint® Services sites (or any Web-based applications) to the Internet must address standard security concerns. Most such environments use a reverse proxy server and firewall server to address some of these concerns. Microsoft Internet Security and Acceleration (ISA) Server includes proxy and firewall server capabilities and can address issues such as:

  • Prevention of potential disclosure of internal network-specific information, such as IP addresses, NetBIOS computer names, Domain Name System (DNS) computer names, network domain names, and so on.

    Reverse proxy configurations help protect this information by processing client queries on the proxy server instead of on a Web server internal to the network.

  • Prevention of unauthorized traffic either into or out of the internal network.

    Reverse proxy servers allow the client system to perceive the reverse proxy server as the Web server – the proxy server contacts the Web server in response to client requests, receives the response from the Web server, and then sends that response to the client. Reverse proxy servers can be configured to allow only authorized traffic in or out.

  • Detection and prevention of hacking attempts.

    Microsoft Internet Security and Acceleration Server provides application-layer filtering to allow or deny requests based on defined access policies, as well as to detect and prevent hacking attempts.

  • Avoiding excessive internal network traffic.

    Content caching allows reverse proxy servers to cache Web content so that the reverse proxy server can respond to some client requests from the cache without contacting the Web server. This minimizes internal network traffic.

  • Avoiding excessive secure sockets layer (SSL) overhead on the Web server.

    A reverse proxy configuration can terminate incoming SSL sessions in front of the Web server, thus removing the overhead of SSL termination and decryption from the Web servers.

ISA Server can address all of these issues. ISA Server also includes a feature known as SSL bridging, which allows the following:

  • Redirecting incoming HTTPS requests to Web servers as HTTP requests. Before packets are forwarded, they can be filtered all the way up to the application layer.

  • Redirecting incoming HTTPS requests to Web servers as HTTPS requests to help ensure maximum security. Before packets are forwarded, they can be filtered all the way up to the application layer.

This paper covers the supported and tested reverse proxy configurations for Windows SharePoint Services. The configurations use and were tested with Microsoft ISA Server 2000, Service Pack 1, and Microsoft ISA Server 2004, but should be applicable to most third-party reverse proxy solutions.

The following illustration shows an example reverse proxy configuration:

Figure 1. A reverse proxy configuration

The traditional reverse proxy server approach allows the client and server URLs to differ. This requires that none of the hyperlinks in the Web pages be absolute. Windows SharePoint Services relies on absolute hyperlinks, so the reverse proxy configurations described here keep the URLs on the client the same as those on the server.

Some reverse proxy configurations use a URL fix-up approach to find and fix absolute URLs. Because of the way Windows SharePoint Services uses absolute URLs, a URL fix-up approach does not work for Windows SharePoint Services. Some of the absolute URLs used by Windows SharePoint Services are easy to find and fix. For example, it is fairly easy for the reverse proxy server to rewrite enough URLs to get the home page of a SharePoint site to render and function correctly. However, other absolute URLs are much harder to find and fix. For example, there are absolute URLs in ActiveX controls, form post bodies, URL parameters, and SOAP messages where most reverse proxy servers cannot find them for rewriting. The absolute URLs can be outbound from Windows SharePoint Services, inbound from client applications, or round-tripped from Windows SharePoint Services to the client and back. Furthermore, the absolute URLs can be percent-encoded when used as a parameter – for example, the URL https://server_name can look like https%3a%2f%2fserver_name in the form post body.

The following sections describe two reverse proxy configurations that do work with Windows SharePoint Services – host-header forwarding and SSL bridging (HTTPS to HTTPS). In host-header forwarding, the reverse proxy server forwards the client's request to the IP address of the internal Web server while keeping the host name the client requested, so the URL the server sees is the one the client used. The SSL bridging (HTTPS to HTTPS) configuration relies on two separate SSL connections – one between the client and the reverse proxy server and one between the reverse proxy server and the server running Windows SharePoint Services. If you are running a reverse proxy server that requires that SSL connections end at the reverse proxy, you must use the SSL bridging (HTTPS to HTTPS) configuration.
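Why URL fix-up fails and host-header forwarding works, as an added example that is not part of the white paper: a small Python model of a server that builds absolute URLs from the Host header (as the paper describes for Windows SharePoint Services), served once through a fix-up proxy and once through a host-header-forwarding proxy. The host names www.contoso.com and wss01.corp.local, the page content and both proxy implementations are assumptions constructed for the example.

```python
# Added example (not from the white paper): a toy model of the two reverse
# proxy approaches the paper contrasts. The server, proxies, page content
# and host names are all constructed here and are assumptions.
import re
from typing import Callable, List, Tuple
from urllib.parse import quote, unquote

PUBLIC_HOST = "www.contoso.com"      # name clients use (assumed)
INTERNAL_HOST = "wss01.corp.local"   # internal farm name (assumed)


def render_page(host_header: str) -> str:
    """Stand-in for a server that builds absolute URLs from the Host header,
    as the paper says Windows SharePoint Services does. The same URL appears
    as a plain href, percent-encoded in a form field, and inside a SOAP body."""
    base = f"https://{host_header}"
    return "\n".join([
        f'<a href="{base}/sites/team/default.aspx">Team site</a>',
        f'<input type="hidden" name="Source" value="{quote(base + "/sites/team", safe="")}">',
        f"<soap:Body><GetWeb><webUrl>{base}/sites/team</webUrl></GetWeb></soap:Body>",
    ])


def accept_return_url(host_header: str, encoded_source: str) -> bool:
    """Stand-in for the server validating a round-tripped absolute URL
    against the host it believes it is serving."""
    return unquote(encoded_source).startswith(f"https://{host_header}/")


def fixup_proxy(client_host: str, rewrite_encoded: bool = False) -> Tuple[str, str]:
    """URL fix-up approach: swap the Host header for the internal name, then
    rewrite absolute URLs in the response body. Most rewriters match the
    literal 'https://host' prefix, which misses percent-encoded copies.
    Returns (body sent to the client, host header the server saw)."""
    body = render_page(INTERNAL_HOST)
    body = body.replace(f"https://{INTERNAL_HOST}", f"https://{client_host}")
    if rewrite_encoded:  # a smarter rewriter that also catches the encoded form
        body = body.replace(quote(f"https://{INTERNAL_HOST}", safe=""),
                            quote(f"https://{client_host}", safe=""))
    return body, INTERNAL_HOST


def host_header_forwarding_proxy(client_host: str) -> Tuple[str, str]:
    """Host-header forwarding: pass the client's Host header through unchanged,
    so the server itself generates URLs with the public name."""
    return render_page(client_host), client_host


def internal_name_leaks(body: str) -> List[str]:
    """Response lines that still expose the internal host name, checked both
    raw and after percent-decoding."""
    return [line for line in body.splitlines()
            if INTERNAL_HOST in line or INTERNAL_HOST in unquote(line)]


def round_trip(proxy: Callable[[str], Tuple[str, str]]) -> Tuple[int, bool]:
    """Serve the page through `proxy`, then post the hidden Source field back
    to the server (inbound bodies are not rewritten by either proxy).
    Returns (number of leaking lines, whether the server accepts the URL)."""
    body, server_host = proxy(PUBLIC_HOST)
    source = re.search(r'name="Source" value="([^"]+)"', body).group(1)
    return len(internal_name_leaks(body)), accept_return_url(server_host, source)


if __name__ == "__main__":
    print("host-header forwarding:", round_trip(host_header_forwarding_proxy))  # (0, True)
    print("fix-up, href only:     ", round_trip(fixup_proxy))                   # (1, True)
    print("fix-up, encoded too:   ", round_trip(lambda h: fixup_proxy(h, True)))  # (0, False)
```

The fix-up proxy either leaks the internal name in the encoded field or, once it rewrites that too, hands the client a URL the server later rejects because the server still believes it is wss01.corp.local; host-header forwarding has neither problem because the server never sees anything but the public name.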

Note  Although ISA Server can support several formats for SSL bridging, such as HTTPS to HTTP, only HTTPS to HTTPS is supported for Windows SharePoint Services.

Host-Header Forwarding

In a reverse proxy configuration, the client sends HTTP requests to the reverse proxy server as if the reverse proxy server were the Web server. In host-header forwarding, the reverse proxy server then forwards the HTTP packets to the actual Web server while preserving the host header in the HTTP packets. On the Web server, Windows SharePoint Services uses the host header information to generate hyperlinks on pages that will be reachable by the client. The Web server then sends HTTP responses through the reverse proxy server to the client. The following illustration shows an example of a host-header forwarding configuration:

Figure 2. Host-Header Forwarding Illustration

For information about setting up host-header forwarding with Microsoft Internet Security and Acceleration (ISA) Server, see the sections Configuring Host-Header Forwarding with ISA Server 2000 and Configuring Host-Header Forwarding with ISA Server 2004 later in this article.

SSL Bridging (HTTPS to HTTPS)

In some secure sockets layer (SSL) termination configurations, a proxy server or firewall processes an HTTPS request for the client and then forwards the request to a Web server by using HTTP. This configuration ends the SSL connection between the client and the Web server at the reverse proxy server, as required by many reverse proxy servers.

However, because Windows SharePoint Services uses absolute URLs, the URL from the client and the URL sent to the server must match. To keep the URL sent from the client to the reverse proxy server the same as the URL sent from the reverse proxy server to the Web server, a new SSL connection is established between the reverse proxy server and the Web server. This is the SSL bridging (HTTPS to HTTPS) configuration.

The following illustration shows an SSL bridging (HTTPS to HTTPS) configuration:

Figure 3. Secure Sockets Layer (SSL) bridging

For information about setting up SSL bridging with ISA Server, see the sections Configuring SSL bridging (HTTPS to HTTPS) with ISA Server 2000 or Configuring SSL bridging (HTTPS to HTTPS) with ISA Server 2004 later in this article.

The following sections describe how to configure host-header forwarding and SSL bridging (HTTPS to HTTPS) with ISA Server 2000 and 2004. If you are using a different proxy server, you should refer to that server’s documentation for implementation details.

Configuring Host-Header Forwarding with ISA Server 2000

To configure your servers for host-header forwarding, you need:

  1. One or more servers running Microsoft® Windows® SharePoint® Services.

  2. A device to act as a reverse proxy server, such as a computer running Microsoft Internet Security and Acceleration (ISA) Server 2000.

  3. A public Domain Name System (DNS) server.

Important The following configuration steps assume that ISA Server 2000, Service Pack 1 or later, is installed on your reverse proxy server in integrated mode, and that ISA Server 2000 Feature Pack 1 is installed.

The process of configuring host-header forwarding consists of the following steps:

  1. Install and configure your server farm to run Windows SharePoint Services.

  2. Create a new public DNS entry to map your public fully qualified domain name (FQDN) to the IP address you will use on the public interface of your reverse proxy server.

  3. Configure the network interfaces in the proxy server to respond to the appropriate IP addresses.

  4. Configure the proxy server/firewall to allow Windows SharePoint Services to make connections to the Internet when necessary.

  5. Edit your Web.config file to allow Windows SharePoint Services to make connections through the proxy server to the Internet when necessary.

  6. Configure the proxy server to listen for requests on IP addresses.

  7. Create a destination set.

  8. Create a Web publishing rule.

Installing and Configuring Your Server Farm to Run Windows SharePoint Services

Install and configure your Windows SharePoint Services server farm and sites as normal. When you have finished configuring your server farm and sites, select the Microsoft Internet Information Services (IIS) authentication method appropriate for your client, server, and proxy environment, as described in the Configuring Authentication topic in the Administrator’s Guide for Windows SharePoint Services.

Of the two types of authentication available to a Windows SharePoint Services environment – Integrated Windows authentication and Basic authentication – Integrated Windows authentication is the more secure. However, some proxy servers and some clients may not support Integrated Windows authentication. If this applies to your situation, you may also need to enable Basic authentication. Note that Basic authentication does not encrypt your user name or password as it is transmitted from the client to the server. If any part of the connection between the client and the server goes over an untrusted network, it is recommended that you use Basic authentication only over an SSL-encrypted connection. For more information about configuring your server farm to use an SSL-encrypted connection, see the Configuring SSL bridging (HTTPS to HTTPS) with ISA Server 2000 section.

ISA Server can support either Integrated Windows authentication or Basic authentication, depending on how your environment is configured. If your ISA Server policy requires authenticating the user, Basic authentication must be configured on both the servers running Windows SharePoint Services and ISA Server, and the ISA Web Publishing rule must be configured to delegate basic credentials. If your ISA Server policy does not require authenticating the user, you can use either Basic authentication or Integrated Windows authentication for the server running Windows SharePoint Services. If you are using Basic authentication, it is recommended that you use SSL Bridging (HTTPS to HTTPS). For more information, see the “Configuring SSL bridging (HTTPS to HTTPS) with ISA Server 2000” section.

For more information about authentication choices in IIS, see Setting Web Site Authentication in the IIS 6.0 Administrator Guide.

Creating a Public DNS Entry

After setting up Windows SharePoint Services on your server farm, you must create a public DNS entry to map your public FQDN to the IP address for the public interface of your reverse proxy server.

For example, you could map www.Contoso.com to 10.11.111.11. When a client attempts to connect to www.Contoso.com, it will ask the public DNS server what IP address corresponds to www.Contoso.com. The public DNS server would then point it to 10.11.111.11, which should be the public IP address for your reverse proxy server. The client will then attempt to establish a connection to 10.11.111.11.

If you are using Windows SharePoint Services in a multiple host names deployment (scalable hosting mode), you must be sure that a DNS mapping is created for each host name site you set up. To do so, create a unique public DNS entry for each host name site. For example:

Host1.Contoso.com    10.11.111.11

Host2.Contoso.com    10.11.111.11

Alternatively, you can create a wildcard public DNS entry so that all host names within your domain map to your proxy server’s public interface IP address. For example:

*.Contoso.com    10.11.111.11

For more information about creating a DNS entry or a wildcard DNS entry, see your DNS server documentation.

Configuring the Network Interfaces in the Proxy Server

After you create the new public DNS entry, you must configure the network interfaces in your proxy server to respond to the appropriate IP addresses.

Your proxy server has a public, or external, network interface, which is exposed to the clients that will attempt to connect to you (usually over the Internet). Your proxy server might have a public adapter to allow client connections from external networks such as the Internet. The proxy server must also have at least one private, internal adapter that is exposed to servers that it is protecting.

Use the Network Connections control panel on the Microsoft Windows Server 2003 computer acting as a proxy server to change the network card configuration. For more information about configuring the network interface, see the Windows Server 2003 networking documentation.

Configuring the Proxy Server or Firewall to Allow Connections to the Internet

Now you must configure the proxy server or firewall to allow Windows SharePoint Services to make connections to the Internet when necessary. You do this by configuring the proxy server or firewall to allow outbound connections from the server farm running Windows SharePoint Services to the Internet. The Web Capture Web Part and the online Web Part gallery, for example, require access to the Internet.

Allow connections to the Internet

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. In the left pane, click the plus sign next to Servers and Arrays.

  3. Right-click your server name, and then click Properties.

  4. On the Outgoing Web Requests tab, under Identification, select either of the following options:

    • Use the same listener configuration for all internal IP addresses

    • Configure listeners individually per IP address

    This example assumes that you selected Use the same listener configuration for all internal IP addresses.

  5. If a listener has not already been defined, click Add to create a new listener, and then in the Server field, select the name of the computer running ISA Server.

  6. In the IP Address field, select the private IP address you set up earlier, and then click OK.

  7. Click OK to close the Properties dialog box.

  8. In the message box that indicates that the Web proxy service needs to be restarted, select either choice and click OK.

    If you choose to not restart the service, you must restart the service manually before the changes can take effect.

  9. In the left pane, click the plus sign next to Policy Elements.

  10. Right-click Client Address Sets, point to New, and then click Set.

  11. In the Name box, type a descriptive name for your server environment such as Windows SharePoint Services servers.

  12. Click Add.

  13. In Add/Edit IP Addresses box, in the From and To boxes, enter the IP address range of your servers running Windows SharePoint Services.

    For example, if the IP addresses for your servers running Windows SharePoint Services are 192.168.1.1, 192.168.1.2, and 192.168.1.3, you would enter the following:

    • From: 192.168.1.1

    • To: 192.168.1.3

  14. Click OK to close the Add/Edit IP Addresses dialog box.

  15. Click OK to close the Client Set dialog box.

  16. Click the plus sign next to Access Policy.

  17. Right-click Protocol Rules, point to New, and then click Rule.

  18. In the Protocol rule name box, type a protocol rule name such as Allow Web servers access to Internet, and then click Next.

  19. Under Response to client requests to use protocol, select Allow, and then click Next.

  20. In the Apply this rule to box, select Selected protocols, and then under Protocols, select the HTTP and HTTPS check boxes.

  21. Click Next.

  22. In the Use this schedule box, select Always, and then click Next.

  23. Under Apply this rule to requests from, select Specific computers (client address sets), and then click Next.

  24. Click Add.

  25. In the Defined Sets pane, select the client address you created earlier, and then click Add.

  26. Click OK to close the Add Client Sets dialog box.

  27. Click Next, and then click Finish.

Note Steps 8-14 and 22-25 are optional, depending on your configuration. For more information about the process of creating a Web publishing rule and the choices you can make during this process, see the ISA Server 2000 documentation.

Editing the Web.Config File

After your proxy server is set to allow connections to the Internet, you can set Windows SharePoint Services to allow connections to the Internet. You do this by editing your Web.config file. The Web Capture Web Part and the online Web Part gallery, for example, require access to the Internet.

Find the Web.config file in the root of the virtual server or virtual servers that have been extended with Windows SharePoint Services. For example, the path to the Web.config file might be C:\Inetpub\wwwroot\web.config. In the Web.config file, after the </SharePoint> tag, add the following tags to configure Windows SharePoint Services to make connections to the Internet through your outbound proxy server, where https://myproxy:8080 is the address and TCP port to connect to the outbound proxy server’s private network interface.

<system.net>
  <defaultProxy>
    <proxy proxyaddress="https://myproxy:8080" bypassonlocal="true" />
  </defaultProxy>
</system.net>

Note that you must make this change to the Web.config files for each virtual server on each server computer in your server farm.

Configuring the Proxy Server to Listen for Requests on IP Addresses

Now you must configure your reverse proxy server to listen to the requests coming in on the public network interface. After it is listening, the proxy server can apply the rules you set up later in this process.

Configure proxy server for IP addresses

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. In the left pane, click the plus sign next to Servers and Arrays.

  3. Right-click your server name, and then click Properties.

  4. On the Incoming Web Requests tab, under Identification, select either of the following options:

    • Use the same listener configuration for all internal IP addresses

    • Configure listeners individually per IP address

  5. If you selected Configure listeners individually per IP address, click Add to add a listener. In the Server field, select your ISA Server name; in the IP Address field, select the public IP address you set up earlier; and then click OK.

  6. Click OK to close the Properties dialog box.

  7. In the message box, select Save the changes and restart the service(s).

    (You can also select Save the changes, but don’t restart the service(s), but then you’ll need to restart them yourself later.)

Creating a Destination Set

A destination set is used to categorize incoming requests so that the reverse proxy server or firewall can then apply rules to that request. You create a destination set for the public FQDN of your SharePoint sites so that you can later use it in a Web publishing rule to publish your SharePoint sites.

Create a destination set for SharePoint sites

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. In the left pane, click the plus sign next to Servers and Arrays, click the plus sign next to your server name, and then click the plus sign next to Policy Elements.

  3. Right-click Destination Sets, point to New, and then click Set.

  4. In the Name box, type a name for this destination set, such as Windows SharePoint Services Internet-facing sites.

  5. Click Add.

  6. In the Destination box, type the host name that clients will use to access your site, such as www.Contoso.com.

  7. Click OK to close the Add/Edit Destination dialog box.

  8. Click OK to close the New Destination Set dialog box.

Note If you are running Windows SharePoint Services in a multiple host name deployment (scalable hosting mode), you will need to create additional destinations within the destination set for all of your host name sites. You can do this by repeating steps 5 – 7 for each host name (Host1.Contoso.com, Host2.Contoso.com, etc.). Alternatively, in step 6, you can simply create a single wildcard destination set (*.Contoso.com).

Creating a Web Publishing Rule

The Web publishing rule forwards requests, complete with host headers, from the proxy server to the Web server.

Create a Web publishing rule

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. In the left pane, click the plus sign next to Servers and Arrays, click the plus sign next to your server name, and then click the plus sign next to Publishing.

  3. Right-click Web Publishing Rules, point to New, and then click Rule.

  4. In the Web publishing rule name box, type a name for the rule, such as Host-header forwarding to Windows SharePoint Services, and then click Next.

  5. In the Apply this rule to list, select Specified destination set.

  6. In the Name list, select the destination set name you created earlier, such as Windows SharePoint Services Internet-facing sites.

  7. Click Next.

  8. Under Apply the rule to requests from, select Any request, and then click Next.

  9. Under Response to client requests, select Redirect the request to this internal Web server (name or IP address), and then in the text box, type the internal DNS name for the server farm running Windows SharePoint Services.

  10. Select the Send the original host header to the publishing server instead of the actual one (specified above) check box.

  11. Verify that the port settings for the protocols are correct for the server farm running Windows SharePoint Services.

  12. Click Next, and then click Finish.

Configuring Host-Header Forwarding with ISA Server 2004

To configure your servers for host-header forwarding, you need:

  1. One or more servers running Microsoft® Windows® SharePoint® Services.

  2. A device to act as a reverse proxy server, such as a computer running Microsoft Windows Server 2003 and Microsoft Internet Security and Acceleration (ISA) Server 2004.

  3. A public Domain Name System (DNS) server.

Important The following configuration steps assume that you are using Windows SharePoint Services, Service Pack 1 or later.

The process of configuring host-header forwarding consists of the following steps:

  1. Install and configure your server farm to run Windows SharePoint Services.

  2. Create a new public DNS entry to map your public fully qualified domain name (FQDN) to the IP address you will use on the public interface of your reverse proxy server.

  3. Configure the network interfaces on the proxy server to respond to the appropriate IP addresses.

  4. Configure the proxy server/firewall to allow Windows SharePoint Services to make connections to the Internet when necessary.

  5. Edit your Web.config file to allow Windows SharePoint Services to make connections through the proxy server to the Internet when necessary.

  6. Configure the proxy server to listen for requests on IP addresses.

  7. Configure the proxy server to publish Windows SharePoint Services.

Installing and Configuring Your Server Farm to Run Windows SharePoint Services

Install and configure your Windows SharePoint Services server farm and sites as normal. When you have finished configuring your server farm and sites, select the Microsoft Internet Information Services (IIS) authentication method appropriate for your client, server, and proxy environment, as described in the Configuring Authentication topic in the Administrator’s Guide for Windows SharePoint Services.

Of the two types of authentication available to a Windows SharePoint Services environment – Integrated Windows authentication and Basic authentication – Integrated Windows authentication is the more secure. However, some proxy servers and some clients may not support Integrated Windows authentication. If this applies to your situation, you might also need to enable Basic authentication. Note that Basic authentication does not encrypt your user name or password as it is transmitted from the client to the server. If any part of the connection between the client and the server goes over an untrusted network, it is recommended that you use Basic authentication only over a secure sockets layer (SSL)-encrypted connection. For more information about configuring your server farm to use an SSL-encrypted connection, see the Configuring SSL bridging (HTTPS to HTTPS) with ISA Server 2004 section.

ISA Server can support either Integrated Windows authentication or Basic authentication, depending on how your environment is configured. If your ISA Server policy requires authenticating the user, Basic authentication must be configured on both the servers running Windows SharePoint Services and ISA Server, and the ISA Web Publishing rule must be configured to delegate basic credentials. If your ISA Server policy does not require authenticating the user, you can use either Basic authentication or Integrated Windows authentication for the server running Windows SharePoint Services. If you are using Basic authentication, it is recommended that you use SSL Bridging (HTTPS to HTTPS). For more information, see the Configuring SSL bridging (HTTPS to HTTPS) with ISA Server 2004 section.

For more information about authentication choices in IIS, see Setting Web Site Authentication in the IIS 6.0 Administrator Guide.

Creating a Public DNS Entry

After setting up Windows SharePoint Services on your server farm, you must create a public DNS entry to map your public FQDN to the IP address for the public interface of your reverse proxy server.

For example, you could map www.Contoso.com to 10.11.111.11. When a client attempts to connect to www.Contoso.com, it will ask the public DNS server what IP address corresponds to www.Contoso.com. The public DNS server would then point it to 10.11.111.11, which should be the public IP address for your reverse proxy server. The client will then attempt to establish a connection to 10.11.111.11.

If you are using Windows SharePoint Services in a multiple host names deployment (scalable hosting mode), you must be sure that a DNS mapping is created for each host name site you set up. To do so, create a unique public DNS entry for each host name site. For example:

Host1.Contoso.com    10.11.111.11

Host2.Contoso.com    10.11.111.11

Alternatively, you can create a wildcard public DNS entry so that all host names within your domain map to your proxy server’s public interface IP address. For example:

*.Contoso.com    10.11.111.11

For more information about creating a DNS entry or a wildcard DNS entry, see your DNS server documentation.

Configuring the Network Interfaces in the Proxy Server

After you create the new public DNS entry, you must configure the network interfaces in your proxy server to respond to the appropriate IP addresses.

Your proxy server has a public, or external, network interface, which is exposed to the clients that will attempt to connect to you (usually over the Internet). Your proxy server might have a public adapter to allow client connections from external networks such as the Internet. The proxy server must also have at least one private, internal adapter, exposed to servers that it is protecting.

You use the Network Connections control panel on the Windows Server 2003 computer acting as a proxy server to change the network card configuration. For more information about configuring the network interface, see the Windows Server 2003 networking documentation.

Configuring the Proxy Server or Firewall to Allow Connections to the Internet

Now you must configure the proxy server or firewall to allow Windows SharePoint Services to make connections to the Internet when necessary. You do this by configuring the proxy server or firewall to allow outbound connections from the server farm running Windows SharePoint Services to the Internet. The Web Capture Web Part and the online Web Part gallery, for example, require access to the Internet.

Allow connections to the Internet using ISA Server 2004

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the left pane, click the plus sign next to the server name and then click the plus sign next to Configuration.

  3. Click Networks, right-click Internal, and then click Properties.

  4. On the Web proxy tab, verify that the Enable Web Proxy clients and Enable HTTP check boxes are selected.

  5. Click OK.

  6. In the left pane, click Firewall Policy.

  7. In the right pane, on the Toolbox tab, click New, and then click Computer Set.

  8. In the Name box, type a descriptive name for your server environment such as Windows SharePoint Services servers.

  9. Click Add.

  10. Click Address Range.

  11. In the New Address Range Rule Element dialog box, in the Name box, type a descriptive name, and in the Start Address and End Address boxes, enter the IP address range of your servers running Windows SharePoint Services.

    For example, if the IP addresses for your servers running Windows SharePoint Services are 192.168.1.1, 192.168.1.2, and 192.168.1.3, you would enter the following:

    • Start Address: 192.168.1.1

    • End Address: 192.168.1.3

  12. Click OK to close the New Address Range Rule Element dialog box.

  13. Click OK to close the New Computer Set Rule Element dialog box.

  14. In the left pane, right-click the Firewall Policy, point to New, and then click Access Rule.

  15. In the New Access Rule Wizard, in the Access rule name box, type an access rule name such as Allow Web servers access to Internet, and then click Next.

  16. Under Action to take when rule conditions are met, click Allow, and then click Next.

  17. In the This rule applies to box, select Selected protocols, and then click Add.

  18. In the Add Protocols dialog box, click the plus sign next to Web, and then click HTTP and click Add.

  19. Click HTTPS and click Add, and then click Close.

  20. Click Next.

  21. In the Add Protocols dialog box, under This rule applies to traffic from these sources, click Add.

  22. In the Add Network Entities dialog box, click the plus sign next to Computer Set, select the computer set you created earlier, and then click Add.

  23. Click Close to close the Add Network Entities dialog box.

  24. Click Next.

  25. Under This rule applies to traffic sent to these destinations, click Add.

  26. In the Add Network Entities dialog box, click the plus sign next to Network Set, select All Networks, and then click Add.

  27. Click Close.

  28. Click Next.

  29. Click Next again, click Finish, and then click Apply to save the changes and update the configuration.

Note For more information about the process of creating an access rule and the choices you can make during this process, see the ISA Server 2004 documentation.

Editing the Web.Config File

After your proxy server is set to allow connections to the Internet, you can set Windows SharePoint Services to allow connections to the Internet. You do this by editing your Web.config file. The Web Capture Web Part and the online Web Part gallery, for example, require access to the Internet.

Find the Web.config file in the root of the virtual server or virtual servers that have been extended with Windows SharePoint Services. For example, the path to the Web.config file might be C:\Inetpub\wwwroot\web.config. In the Web.config file, after the </SharePoint> tag, add the following tags to configure Windows SharePoint Services to make connections to the Internet through your outbound proxy server, where https://myproxy:8080 is the address and TCP port to connect to the outbound proxy server’s private network interface.

<system.net>  
 <defaultProxy>  
  <proxy proxyaddress="https://myproxy:8080" bypassonlocal="true" />  
 </defaultProxy>  
</system.net>

Note that you must make this change to the Web.config files for each virtual server on each server computer in your server farm.

Configuring the Proxy Server to Listen for Requests on IP Addresses

All incoming Web requests to ISA Server should be received by a Web listener. Multiple Web-publishing rules can use a single Web listener. When you configure a Web listener, you specify the network that corresponds to the adapter on which ISA Server will listen for incoming Windows SharePoint Services requests. For example, if you want to allow access to the SharePoint site from the Internet (External network), you should select the External network for the Web listener. The listener can listen on all IP addresses associated with a network, or specific IP addresses. You also configure the port number that will listen for requests on the selected network IP addresses.  

Configure a Web listener on ISA Server 2004

  1. In ISA Server Management, click Firewall Policy.

  2. In the right pane, on the Toolbox tab, click New and select Web listener.

  3. In the Web listener name box, type a name for the Web listener, for example, WSS_Listener.

  4. Click Next.

  5. In the Listen for requests from these networks box, select the check boxes for the interfaces that you want the listener to listen on.

    For example, select the External check box for Internet Web publishing.

  6. Click Next.

  7. On the Port Specification pane, under HTTP, select the Enable HTTP check box, and then in the Port HTTP port box, type 80.

    If the IIS virtual server you’re about to publish is configured to listen on a different port, configure the ISA Server Web listener to use the same port.

  8. Click Next, and then click Finish.

  9. Click Apply to save the changes and update the configuration.

Important ISA Server will not start to listen on the IP and port specified above until a Web publishing rule is created and configured to use the Web listener.

Configure the proxy server to publish the Windows SharePoint Services

The goal of Web publishing on a reverse proxy server is to forward requests, complete with host headers, from the proxy server to the Web server. Note that host-header forwarding may be called different things by different proxy server vendors. Contact your proxy server vendor to learn how to enable host-header forwarding with your reverse proxy.

Create a Web publishing rule using ISA Server 2004

  1. In ISA Server Management, right-click the Firewall Policy node, point to New, and then click Web Server Publishing Rule.

  2. In the Web Publishing Wizard, type a name for the new rule. For example, “Publish SharePoint site for external access”.

  3. Click Next.

  4. Under Action to take when rule conditions are met, click Allow, and then click Next.

  5. On the Define Website to publish page, in the Computer name or IP address box, type the IP address or name of the computer running the SharePoint site.

    Remember that if you specify a name, you will need an internal DNS entry to resolve the name to an IP address.

  6. Select the Forward the original host header instead of the actual one (specified above) check box to ensure that the host header contains the original external DNS name typed in the URL.

  7. In the Path box, type /*.

  8. Click Next.

  9. In the Public Name Details page, in the Accept requests for box, select Any domain name to forward requests to the published SharePoint site without checking for the domain name, or select This domain name, and in the Public name box, specify the external FQDN that users will specify in their browser to reach the site.

  10. Click Next.

  11. On the Select Web Listener page, in the Web listener box, select the Web listener that you created previously.

  12. Click Next.

  13. Click Next again, and then click Finish.

  14. Click Apply to save the changes and update the configuration.

HTTP security filtering using ISA Server 2004

After you have created the Web publishing rule, you must change the HTTP security filter setting. The HTTP filter screens all incoming Web requests to the ISA Server computer, and only allows requests that comply with the restrictions configured by the ISA Server administrator.

For example, the Verify Normalization feature (enabled by default) specifies that requests with URLs that contain escape characters after normalization will be blocked. Escaped characters include, but are not limited to, the percent sign (%) and space character ( ). If this feature is enabled, SharePoint document libraries will fail. URLs for document libraries and files uploaded and downloaded include non-standard characters such as the percent sign (%).

Configure HTTP filtering

  1. Right-click the Web publishing rule you created, and select Configure HTTP.

  2. On the General tab, clear the Verify normalization check box.

  3. If you are using a language containing high bit characters (for example, the umlaut in German) you should also clear the Block high bit characters check box.

Caution The Verify normalization and Block high bit characters features are meant to address potential security exploits. When you turn off these features in ISA Server, you are potentially creating an opening for malicious users.
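A model of the two filter settings in added Go code (not from the white paper or from ISA Server's own implementation). It shows why a document-library URL that arrives encoded twice fails Verify Normalization while a single-encoded file name containing a percent sign passes, and why a file name with an umlaut trips Block high bit characters; the sample URLs, type names and the order of the checks are constructed assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

// HTTPFilter models the two ISA Server 2004 HTTP filter settings discussed above.
// Both are on by default; the procedure in the text clears them for SharePoint.
type HTTPFilter struct {
	VerifyNormalization bool
	BlockHighBitChars   bool
}

// Decision is the filter's verdict on one request URL.
type Decision struct {
	Allowed bool
	Reason  string
}

// Constructed sample request URLs (not taken from the white paper).
const (
	// An ordinary document-library path: spaces are encoded once.
	PlainLibraryPath = "/sites/team/Shared%20Documents/Budget%202004.xls"
	// A file name containing a literal percent sign, encoded once as %25.
	PercentInFileName = "/sites/team/Shared%20Documents/50%25%20off.doc"
	// A library path carried inside a query-string parameter, so it is encoded twice.
	DoubleEncodedQuery = "/sites/team/_layouts/upload.aspx?List=Documents" +
		"&Source=http%3A%2F%2Fwss%2Fsites%2Fteam%2FShared%2520Documents%2FForms%2FAllItems.aspx"
	// A German file name: its UTF-8 bytes decode to values above 0x7F.
	UmlautFileName = "/sites/team/Shared%20Documents/%C3%9Cbersicht.doc"
)

// decodeEscapes performs one pass of %xx decoding. A '%' that does not start a
// valid two-digit hex escape is kept as a literal character.
func decodeEscapes(s string) string {
	out := make([]byte, 0, len(s))
	for i := 0; i < len(s); i++ {
		if s[i] == '%' && i+2 < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+3], 16, 8); err == nil {
				out = append(out, byte(v))
				i += 2
				continue
			}
		}
		out = append(out, s[i])
	}
	return string(out)
}

// Evaluate applies the enabled checks in the order the text describes them.
func (f HTTPFilter) Evaluate(rawURL string) Decision {
	normalized := decodeEscapes(rawURL)
	// Verify Normalization: after one decoding pass the URL must contain no further
	// escapes, i.e. a second pass must not change it. A URL whose meaning depends on
	// how many times it is decoded is ambiguous, which is why the check exists.
	if f.VerifyNormalization && decodeEscapes(normalized) != normalized {
		return Decision{false, "escape characters remain after normalization"}
	}
	// Block high bit characters: reject any byte above 0x7F in the normalized URL.
	if f.BlockHighBitChars {
		for i := 0; i < len(normalized); i++ {
			if normalized[i] > 0x7F {
				return Decision{false, "high-bit character in URL"}
			}
		}
	}
	return Decision{true, "allowed"}
}

func main() {
	defaults := HTTPFilter{VerifyNormalization: true, BlockHighBitChars: true}
	relaxed := HTTPFilter{} // both check boxes cleared, as the procedure above does
	for _, u := range []string{PlainLibraryPath, PercentInFileName, DoubleEncodedQuery, UmlautFileName} {
		fmt.Printf("%s\n  default: %s\n  relaxed: %s\n", u, defaults.Evaluate(u).Reason, relaxed.Evaluate(u).Reason)
	}
}
```

Running it prints, for each sample URL, the verdict with the default settings beside the verdict after both check boxes are cleared.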

Configuring SSL bridging (HTTPS to HTTPS) with ISA Server 2000

To configure your servers for SSL bridging, you need:

  1. One or more servers running Microsoft® Windows® SharePoint® Services.

  2. One or more devices to act as a reverse proxy server, such as a computer running Microsoft Internet Security and Acceleration (ISA) Server 2000.

  3. A public DNS server.

  4. An SSL certificate for your proxy server.

  5. An SSL certificate for your servers running Windows SharePoint Services (each server must use the same SSL certificate).

Important The following configuration steps assume that you are using ISA Server 2000, Service Pack 1 or later, as your reverse proxy server and that you have set it up in integrated mode and that ISA Server 2000 Feature Pack 1 is installed.

The process of configuring SSL bridging consists of the following steps:

  1. Install and configure your server farm to run Windows SharePoint Services.

  2. Install an SSL certificate on the server or servers running Windows SharePoint Services in your server farm.

  3. Create a new public DNS entry to map your public fully qualified domain name (FQDN) to the IP address you will use on the public interface of your reverse proxy server.

  4. Configure the network interfaces in the proxy server to respond to the appropriate IP addresses.

  5. Install an SSL certificate on the reverse proxy server.

  6. Configure the proxy server/firewall to allow Windows SharePoint Services to make connections to the Internet when necessary.

  7. Edit your Web.config file to allow Windows SharePoint Services to make connections through the proxy server to the Internet when necessary.

  8. Configure the proxy server to listen for requests on IP addresses.

  9. Create a destination set.

  10. Create a Web publishing rule.

Installing and Configuring your Server Farm to Run Windows SharePoint Services

Install and configure your Windows SharePoint Services server farm and sites as normal. When you have finished configuring your server farm and sites, select the Microsoft Internet Information Services (IIS) authentication method appropriate for your client, server, and proxy environment, as described in the Configuring Authentication topic in the Administrator’s Guide for Windows SharePoint Services.

Of the two types of authentication available to a Windows SharePoint Services environment – Integrated Windows authentication and Basic authentication – Integrated Windows authentication is the more secure. However, some proxy servers and some clients may not support Integrated Windows authentication. If this applies to your situation, then you may also need to enable Basic authentication. Note that Basic authentication does not encrypt your username or password as it is transmitted from the client to the server. If any part of the connection between the client and the server goes over an untrusted network, it is recommended that you use Basic authentication only over an SSL-encrypted connection. Configuring your server farm as described in this section sets up an SSL-encrypted connection.

For more information about authentication choices in Internet Information Services (IIS), see Setting Web Site Authentication in the IIS 6.0 Administrator Guide.

Configuring SSL certificates for SSL bridging on the Web server and ISA server

You must now configure the SSL certificates to use on the Web servers running Windows SharePoint Services and the proxy servers running ISA Server. All of the SSL certificates must meet the following criteria:

  1. The “Issued to” name on the certificate must match the internal DNS name you specify when you configure the Web publishing rule.

  2. The certificate must not be expired.

  3. The reverse proxy server must trust the certification authority (CA) that issued the SSL certificate on the servers running Windows SharePoint Services.

To meet the third criterion, a local certification authority was used during testing to issue the certificates for the internal connections between the reverse proxy and the Web servers. This ensures that both servers trust the same certification authority.

To configure certificates, if you already have a commercial SSL server certificate installed on any of your Web server computers, do the following:

  1. Export the existing certificate from your Web server to ISA Server. For instructions, see “Export a certificate from the Web server to ISA Server” in Appendix A: Configuring Certificates from a Commercial CA. If you do not want to use the name on the existing commercial certificate, you must purchase a new one.

  2. Do one of the following on the Web server:

    • Leave a copy of the existing certificate on the Web server. For this to work, the name on the To tab of the Web publishing rule must match the name on the certificate (the published name); otherwise an error is generated when ISA Server sends an HTTPS request.

    • Request and install a new commercial certificate for the Web server. For instructions, see “Requesting a certificate from a commercial certification authority,” and then “Submitting a certificate request file” in Appendix A: Configuring Certificates from a Commercial CA. The name on the certificate (Common Name or CN) must match the name that ISA Server uses to refer to the Web server, which is the name on the To tab of the Web publishing rule. If it does not match, you might encounter issues outlined in Microsoft Knowledge Base article 841664.

    • Use a certificate from a local certification authority (CA) for the ISA Server computer to Web server connection. This saves the cost of a second commercial certificate, and the root certificate from the local CA can be stored on the ISA Server computer. To do this, follow the procedures in Appendix B: Setting up a Local Certification Authority.

  3. Alternatively, instead of exporting the existing certificate from the Web server, you can choose to leave the existing commercial certificate on the Web server and request and install a new commercial certificate for the ISA Server computer. For procedures, see Appendix A: Configuring Certificates from a Commercial CA.

If you do not have a certificate already installed on the Web server, do the following:

  1. Obtain a certificate for ISA Server. Generally, for external sites, you will obtain a certificate from a commercial CA (such as Verisign or Thawte). To do this, create a certificate request for the commercial CA using the IIS Web Server Certificate Wizard, and submit the request file. For instructions, see “Requesting a certificate from a commercial certification authority,” and then “Submitting a certificate request file” in Appendix A: Configuring Certificates from a Commercial CA. Because IIS is typically not installed on the ISA Server computer, you will request the certificate from the Web server computer, and export it to the ISA Server computer. Note that the name you use to publish the Web site in the Web publishing rule must match the name on the certificate. Currently there is no way to request an SSL server certificate from ISA Server 2004 to the CA directly.

  2. Do one of the following on the Web server:

    • Leave a copy of the certificate you have requested on the Web server so that both the ISA Server computer and the Web server use the same certificate. The name on the To tab of the Web publishing rule must match the name on the certificate.

    • Request and install a new commercial certificate for the Web server. For instructions, see “Requesting a certificate from a commercial certification authority,” and then “Submitting a certificate request file” in Appendix A: Configuring Certificates from a Commercial CA. The name on the certificate must match the name that ISA Server uses to refer to the Web server, which is the name on the To tab of the Web publishing rule.

    • Use a certificate from a local CA for the ISA Server computer to Web server connection. This would save you the cost of a second commercial certificate, and the root certificate from the local CA can be easily stored on the ISA Server computer. To do this, follow the procedures in Appendix B: Setting up a Local Certification Authority.

You must also install an SSL certificate on the reverse proxy server. This SSL certificate must match the public FQDN that clients will be using to connect to your SharePoint sites. Note that if you are using Windows SharePoint Services in a multiple host names deployment, you will need a wildcard SSL certificate.

For more information about installing SSL certificates, see Client certificates and server certificates in the ISA Server 2000 documentation.

Creating a Public DNS Entry

After setting up Windows SharePoint Services on your server farm, you must create a public DNS entry to map your public FQDN to the IP address for the public interface of your reverse proxy server.

For example, you could map www.Contoso.com to 10.11.111.11. When a client attempts to connect to www.Contoso.com, it will ask the public DNS server what IP address corresponds to www.Contoso.com. The public DNS server would then point it to 10.11.111.11, which should be the public IP address for your reverse proxy server. The client will then attempt to establish a connection to 10.11.111.11.

If you are using Windows SharePoint Services in a multiple host names deployment (scalable hosting mode), you must be sure that a DNS mapping is created for each host name site you set up. To do so, create a unique public DNS entry for each host name site. For example:

Host1.Contoso.com    10.11.111.11

Host2.Contoso.com    10.11.111.11

Alternatively, you can create a wildcard public DNS entry so that all host names within your domain map to your proxy server’s public interface IP address. For example:

*.Contoso.com    10.11.111.11

For more information about creating a DNS entry or a wildcard DNS entry, see your DNS server documentation.

Configuring the Network Interfaces in the Proxy Server

After you create the new public DNS entry, you must configure the network interfaces in your proxy server to respond to the appropriate IP addresses.

Your proxy server has a public, or external, network interface that is exposed to the clients that will attempt to connect to it, usually over the Internet. The proxy server must also have at least one private, internal adapter that is exposed to the servers it is protecting.

Use the Network Connections control panel on the Windows Server 2003 computer acting as a proxy server to change the network card configuration. For more information about configuring the network interface, see the Windows Server 2003 networking documentation.

Configuring the Proxy Server or Firewall to Allow Connections to the Internet

Now you must configure the proxy server or firewall to allow Windows SharePoint Services to make connections to the Internet when necessary. You do this by configuring the proxy server or firewall to allow outbound connections from the server farm running Windows SharePoint Services to the Internet. The Web Capture Web Part and the online Web Part gallery, for example, require access to the Internet.

Allow connections to the Internet

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. In the left pane, click the plus sign next to Servers and Arrays.

  3. Right-click your server name, and then click Properties.

  4. On the Outgoing Web Requests tab, under Identification, select either of the following options:

    • Use the same listener configuration for all internal IP addresses

    • Configure listeners individually per IP address

    This example assumes that you selected Use the same listener configuration for all internal IP addresses.

  5. If a listener has not already been defined, click Add to create a new listener, and then in the Server field, select the name of the computer running ISA Server.

  6. In the IP Address field, select the private IP address you set up earlier, and then click OK.

  7. Click OK to close the Properties dialog box.

  8. In the message box that indicates that the Web proxy service needs to be restarted, select either choice and click OK.  

    If you choose to not restart the service, you must restart the service manually before the changes can take effect.

  9. In the left pane, click the plus sign next to Policy Elements.

  10. Right-click Client Address Sets, point to New, and then click Set.

  11. In the Name box, type a descriptive name for your server environment such as Windows SharePoint Services servers.

  12. Click Add.

  13. In Add/Edit IP Addresses box, in the From and To boxes, enter the IP address range of your servers running Windows SharePoint Services.

    For example, if the IP addresses for your servers running Windows SharePoint Services are 192.168.1.1, 192.168.1.2, and 192.168.1.3, you would enter the following:

    • From: 192.168.1.1

    • To: 192.168.1.3

  14. Click OK to close the Add/Edit IP Addresses dialog box.

  15. Click OK to close the Client Set dialog box.

  16. Click the plus sign next to Access Policy.

  17. Right-click Protocol Rules, point to New, and then click Rule.

  18. In the Protocol rule name box, type a protocol rule name such as Allow Web servers access to Internet, and then click Next.

  19. Under Response to client requests to use protocol, select Allow, and then click Next.

  20. In the Apply this rule to box, select Selected protocols, and then under Protocols, select the HTTP and HTTPS check boxes.

  21. Click Next.

  22. In the Use this schedule box, select Always, and then click Next.

  23. Under Apply this rule to requests from, select Specific computers (client address sets), and then click Next.

  24. Click Add.

  25. In the Defined Sets pane, select the client address you created earlier, and then click Add.

  26. Click OK to close the Add Client Sets dialog box.

  27. Click Next, and then click Finish.

Note Steps 8-14 and 22-25 are optional, depending on your configuration. For more information about the process of creating a Web publishing rule and the choices you can make during this process, see the ISA Server 2000 documentation.

Editing the Web.Config File

After your proxy server is set to allow connections to the Internet, you can set Windows SharePoint Services to allow connections to the Internet. You do this by editing your Web.config file. The Web Capture Web Part and the online Web Part gallery, for example, require access to the Internet.

Find the Web.config file in the root of the virtual server or virtual servers that have been extended with Windows SharePoint Services. For example, the path to the Web.config file might be C:\Inetpub\wwwroot\web.config. In the Web.config file, after the </SharePoint> tag, add the following tags to configure Windows SharePoint Services to make connections to the Internet through your outbound proxy server, where https://myproxy:8080 is the address and TCP port to connect to the outbound proxy server’s private network interface.

<system.net> 
 <defaultProxy> 
  <proxy proxyaddress="https://myproxy:8080" bypassonlocal="true" /> 
 </defaultProxy> 
</system.net>

Note that you must make this change to the Web.config files for each virtual server on each server computer in your server farm.

Configuring the Proxy Server to Listen for Requests on IP Addresses

All incoming Web requests to ISA Server should be received by a Web listener. Multiple Web-publishing rules can use a single Web listener. When you configure a Web listener, you specify the network that corresponds to the adapter on which ISA Server will listen for incoming Windows SharePoint Services requests. For example, if you want to allow access to the SharePoint site from the Internet (External network), you should select the External network for the Web listener. The listener can listen on all IP addresses associated with a network, or on specific IP addresses. You also configure the port number that will listen for requests on the selected network IP addresses.  

Configure proxy server for IP addresses

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. In the left pane, click the plus sign next to Servers and Arrays.

  3. Right-click your server name, and then click Properties.

  4. On the Incoming Web Requests tab, select the Enable SSL listeners check box.

  5. In the SSL Listeners message box, click OK.

  6. Under Identification, click Configure listeners individually per IP address.

    You can also select Use the same listener configuration for all internal IP addresses, but the following steps reflect the Configure listeners individually per IP address option.

  7. Click Add to add a listener, and then in the Server field, select your ISA Server name.

  8. In the IP Address field, select the public IP address you set up earlier.

  9. Select the Use a server certificate to authenticate to web clients check box.

  10. Click the Select button, and then in the Select Certificate box, click the SSL certificate you installed on the proxy server, and then click OK.

  11. Click OK to close the Add/Edit Listeners dialog box.

  12. Click OK to close the Properties dialog box.

  13. In the message box, select Save the changes and restart the service(s). (You can also select Save the changes, but don’t restart the service(s), but then you’ll need to restart them yourself later.)

Creating a Destination Set

A destination set is used to categorize incoming requests so that the reverse proxy server or firewall can then apply rules to that request. You create a destination set for the public FQDN of your SharePoint sites so that you can later use it in a Web publishing rule to publish your SharePoint sites.

Create a destination set for SharePoint sites

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. In the left pane, click the plus sign next to Servers and Arrays, click the plus sign next to your server name, and then click the plus sign next to Policy Elements.

  3. Right-click Destination Sets, point to New, and then click Set.

  4. In the Name box, type a name for this destination set, such as Windows SharePoint Services Internet-facing sites.

  5. Click Add.

  6. In the Destination box, type the host name that clients will use to access your site, such as www.Contoso.com.

  7. Click OK to close the Add/Edit Destination dialog box.

  8. Click OK to close the New Destination Set dialog box.

Note If you are running Windows SharePoint Services in a multiple host name deployment (scalable hosting mode), you will need to create additional destinations within the destination set for all of your host name sites. You can do this by repeating steps 5 through 7 for each host name (Host1.Contoso.com, Host2.Contoso.com, and so on). Alternatively, in step 6, you can simply create a single wildcard destination (*.Contoso.com).

Creating a Web Publishing Rule

The Web publishing rule forwards requests, complete with host headers, from the proxy server to the Web server. Note that host-header forwarding may be called different things by different proxy server vendors. Contact your proxy server vendor to learn how to enable host-header forwarding with your reverse proxy.

Create a Web publishing rule

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. In the left pane, click the plus sign next to Servers and Arrays, click the plus sign next to your server name, and then click the plus sign next to Publishing.

  3. Right-click Web Publishing Rules, point to New, and then click Rule.

  4. In the Web publishing rule name box, type a name for the rule, such as Host-header forwarding to Windows SharePoint Services, and then click Next.

  5. In the Apply this rule to list, select Specified destination set.

  6. In the Name list, select the destination set name you created earlier, such as Windows SharePoint Services Internet-facing sites.

  7. Click Next.

  8. Under Apply the rule to requests from, select Any request, and then click Next.

  9. Under Response to client requests, select Redirect the request to this internal Web server (name or IP address), and then in the text box, type the internal DNS name or IP address for the server farm running Windows SharePoint Services.

  10. Select the Send the original host header to the publishing server instead of the actual one (specified above) check box.

  11. Verify that the port settings for the protocols are correct for the server farm running Windows SharePoint Services.

  12. Click Next, and then click Finish.

  13. In the left pane, click Web Publishing Rules.

  14. In the right pane, double-click the rule you just created.

  15. In the Rule Name Properties box, on the Bridging tab, verify that SSL requests (establish a new secure channel to the site) is selected under Redirect SSL requests as.

  16. If you only want to allow SSL access to your SharePoint sites, select the Require secure channel (SSL) for published site check box.

  17. Click OK to close the Properties dialog box.

Configuring SSL bridging (HTTPS to HTTPS) with ISA Server 2004

To configure your servers for SSL bridging you need:

  1. One or more servers running Microsoft® Windows® SharePoint® Services.

  2. One or more devices to act as a reverse proxy server, such as a computer running Microsoft Internet Security and Acceleration (ISA) Server 2004.

  3. A public DNS server.

  4. A secure sockets layer (SSL) certificate for your proxy server.

  5. An SSL certificate for your servers running Windows SharePoint Services (each server must use the same SSL certificate).

Important These configuration steps assume that you are using ISA Server 2004.

The process of configuring SSL bridging consists of the following steps:

  1. Install and configure your server farm to run Windows SharePoint Services.

  2. Install an SSL certificate on the server or servers running Windows SharePoint Services in your server farm.

  3. Create a public DNS entry to map your public fully qualified domain name (FQDN) to the IP address you will use on the public interface of your reverse proxy server.

  4. Configure the network interfaces in the proxy server to respond to the appropriate IP addresses.

  5. Install an SSL certificate on the reverse proxy server.

  6. Configure the proxy server/firewall to allow Windows SharePoint Services to make connections to the Internet when necessary.

  7. Edit your Web.config file to allow Windows SharePoint Services to make connections through the proxy server to the Internet when necessary.

  8. Configure the proxy server to listen for requests on IP addresses.

  9. Configure the proxy server to publish Windows SharePoint Services.

Installing and Configuring your Server Farm to Run Windows SharePoint Services

Install and configure your Windows SharePoint Services server farm and sites as normal. When you have finished configuring your server farm and sites, select the Microsoft Internet Information Services (IIS) authentication method appropriate for your client, server, and proxy environment, as described in the Configuring Authentication topic in the Administrator’s Guide for Windows SharePoint Services.

Of the two types of authentication available to a Windows SharePoint Services environment – Integrated Windows authentication and Basic authentication – Integrated Windows authentication is the more secure. However, some proxy servers and some clients may not support Integrated Windows authentication. If this applies to your situation, you may also need to enable Basic authentication. Note that Basic authentication does not encrypt your username or password as it is transmitted from the client to the server. If any part of the connection between the client and the server goes over an untrusted network, it is recommended that you use Basic authentication only over an SSL-encrypted connection. Configuring your server farm as described in this section sets up an SSL-encrypted connection.

For more information about authentication choices in IIS, see Setting Web Site Authentication in the IIS 6.0 Administrator Guide.

Configuring SSL certificates for SSL bridging on the Web server and ISA server

You must now configure the SSL certificates to use on the Web servers running Windows SharePoint Services and the proxy servers running ISA Server. All of the SSL certificates must meet the following criteria:

  1. The “Issued to” name on the certificate must match the internal DNS name you specify when you configure the Web publishing rule.

  2. The certificate must not be expired.

  3. The reverse proxy server must trust the certification authority (CA) that issued the SSL certificate on the servers running Windows SharePoint Services.

To satisfy the third criterion, a local certification authority was used during testing for the certificates on the internal connections between the reverse proxy and the Web servers. Installing that CA’s root certificate on the ISA Server computer ensures that the two servers trust the same certification authority.

To configure certificates, if you already have a commercial SSL server certificate installed on any of your Web server computers, do the following:

  1. Export the existing certificate from your Web server to ISA Server. For instructions, see “Export a certificate from the Web server to ISA Server” in Appendix A: Configuring Certificates from a Commercial CA. If you do not want to use the name on the existing commercial certificate, you must purchase a new one.

  2. Do one of the following on the Web server:

    • Leave a copy of the existing certificate on the Web server. For this to work, the name on the To tab of the Web publishing rule (the published name) must match the name on the certificate; otherwise an error is generated when ISA Server sends an HTTPS request.

    • Request and install a new commercial certificate for the Web server. For instructions, see “Requesting a certificate from a commercial certification authority,” and then “Submitting a certificate request file” in Appendix A: Configuring Certificates from a Commercial CA. The name on the certificate (Common Name or CN) must match the name that ISA Server uses to refer to the Web server, which is the name on the To tab of the Web publishing rule. If it does not match, you might encounter issues outlined in Microsoft Knowledge Base article 841664.

    • Use a certificate from a local certification authority (CA) for the ISA Server computer to Web server connection. This saves the cost of a second commercial certificate, and the root certificate from the local CA can be stored on the ISA Server computer. To do this, follow the procedures in Appendix B: Setting up a Local Certification Authority.

  3. Alternatively, instead of exporting the existing certificate from the Web server, you can choose to leave the existing commercial certificate on the Web server and request and install a new commercial certificate for the ISA Server computer. For procedures, see Appendix A: Configuring Certificates from a Commercial CA.

If you do not have a certificate already installed on the Web server, do the following:

  1. Obtain a certificate for ISA Server. Generally, for external sites you will obtain a certificate from a commercial CA (such as Verisign or Thawte). To do this, create a certificate request for a commercial CA using the IIS Web Server Certificate Wizard, and submit the request file. For instructions, see “Requesting a certificate from a commercial certification authority,” and then “Submitting a certificate request file” in Appendix A: Configuring Certificates from a Commercial CA. Because IIS is typically not installed on the ISA Server computer, you will request the certificate from the Web server computer and export it to the ISA Server computer. Note that the name you use to publish the Web site in the Web publishing rule must match the name on the certificate. There is currently no way to request an SSL server certificate from ISA Server 2004 to the CA directly.

  2. Do one of the following on the Web server:

    • Leave a copy of the certificate you obtained in step 1 on the Web server so that both the ISA Server computer and the Web server use the same certificate. The name on the To tab of the Web publishing rule must match the name on the certificate.

    • Request and install a new commercial certificate for the Web server. For instructions, see “Requesting a certificate from a commercial certification authority,” and then “Submitting a certificate request file” in Appendix A: Configuring Certificates from a Commercial CA. The name on the certificate must match the name that ISA Server uses to refer to the Web server, which is the name on the To tab of the Web publishing rule.

    • Use a certificate from a local CA for the ISA Server computer to Web server connection. This would save you the cost of a second commercial certificate, and the root certificate from the local CA can be easily stored on the ISA Server computer. To do this, follow the procedures in Appendix B: Setting up a Local Certification Authority.

You must also install an SSL certificate on the reverse proxy server. This SSL certificate must match the public FQDN that clients will be using to connect to your SharePoint sites. Note that if you are using Windows SharePoint Services in a multiple host names deployment, you will need a wildcard SSL certificate.

For more information about installing SSL certificates, see Digital Certificates for ISA Server 2004 in the ISA Server 2004 documentation.
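The three criteria above, and the wildcard matching that a multiple host names deployment depends on, can be checked mechanically before the publishing rule is created. The following script is an added example written for this page; it is not part of the paper or of ISA Server. It works on the certificate dictionary that Python’s ssl module returns for a peer certificate, uses a constructed certificate and a fixed clock so that it runs offline, and reduces the trust criterion to an issuer-name lookup against an assumed set of trusted CA names rather than a full chain validation.

```python
"""Check a server certificate against the three criteria listed above.

Added example, not part of the original paper or of ISA Server. It works on
the dictionary that Python's ssl.SSLSocket.getpeercert() returns, so a
constructed certificate dictionary stands in for a real one. The trust check
is simplified to an issuer-name lookup against CAs the reverse proxy is
assumed to trust; a real validation walks the whole chain. Wildcard names are
matched the way a browser matches them, which is what the multiple host names
deployment described above relies on."""
import ssl
import time


def names_on_certificate(cert):
    """DNS names the certificate is issued to: subject alternative names first, then the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard covers exactly one left-most label,
    so *.contoso.com matches host1.contoso.com but not contoso.com or a.host1.contoso.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def check_certificate(cert, expected_name, trusted_cas, now=None):
    """Return the list of criteria the certificate fails; an empty list means it is usable."""
    now = time.time() if now is None else now
    problems = []
    if not any(name_matches(n, expected_name) for n in names_on_certificate(cert)):
        problems.append(f"issued-to name does not match {expected_name}")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate has expired")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate is not yet valid")
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    if issuer.get("commonName") not in trusted_cas:
        problems.append(f"issuer {issuer.get('commonName')!r} is not a trusted CA")
    return problems


# Constructed certificate in getpeercert() form (not a real certificate): a
# wildcard certificate from a local CA such as the one used in the paper's tests.
WILDCARD_CERT = {
    "subject": ((("organizationName", "Contoso"),), (("commonName", "*.contoso.com"),)),
    "subjectAltName": (("DNS", "*.contoso.com"),),
    "issuer": ((("commonName", "Contoso Local CA"),),),
    "notBefore": "Jul 26 00:00:00 2004 GMT",
    "notAfter": "Jul 26 00:00:00 2005 GMT",
}
TRUSTED_CAS = {"Contoso Local CA"}  # assumed content of the proxy's trusted root store
AS_OF = ssl.cert_time_to_seconds("Jan 07 00:00:00 2005 GMT")  # fixed clock for a repeatable run

if __name__ == "__main__":
    for host in ("host1.contoso.com", "contoso.com", "a.host1.contoso.com"):
        print(host, check_certificate(WILDCARD_CERT, host, TRUSTED_CAS, AS_OF) or "OK")
```

Run as-is, host1.contoso.com passes while contoso.com and a.host1.contoso.com fail the name criterion, which is why a wildcard certificate covers the host name sites of a scalable hosting deployment but not the bare domain. To check a live server, replace WILDCARD_CERT with the dictionary that getpeercert() returns on an SSL connection to the Web server’s internal name and pass now=None.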

Creating a Public DNS Entry

After setting up Windows SharePoint Services on your server farm, you must create a public DNS entry to map your public FQDN to the IP address for the public interface of your reverse proxy server.

For example, you could map www.Contoso.com to 10.11.111.11 (a placeholder address; a real public DNS entry must use the routable public address of your reverse proxy). When a client attempts to connect to www.Contoso.com, it asks the public DNS server which IP address corresponds to www.Contoso.com. The public DNS server returns 10.11.111.11, which should be the public IP address of your reverse proxy server, and the client then attempts to establish a connection to that address.

If you are using Windows SharePoint Services in a multiple host names deployment (scalable hosting mode), you must be sure that a DNS mapping is created for each host name site you set up. To do so, create a unique public DNS entry for each host name site. For example:

Host1.Contoso.com    10.11.111.11

Host2.Contoso.com    10.11.111.11

Alternatively, you can create a wildcard public DNS entry so that all host names within your domain map to your proxy server’s public interface IP address. For example:

*.Contoso.com    10.11.111.11

For more information about creating a DNS entry or a wildcard DNS entry, see your DNS server documentation.

Configuring the Network Interfaces in the Proxy Server

After you create the new public DNS entry, you must configure the network interfaces in your proxy server to respond to the appropriate IP addresses.

Your proxy server has a public, or external, network interface that is exposed to the clients that will attempt to connect to it, usually over the Internet. The proxy server must also have at least one private, internal adapter that faces the servers it is protecting.

You use the Network Connections control panel on the Windows Server 2003 computer acting as a proxy server to change the network card configuration. For more information about configuring the network interface, see the Windows Server 2003 networking documentation.

Configuring the Proxy Server or Firewall to Allow Connections to the Internet

Now you must configure the proxy server or firewall to allow Windows SharePoint Services to make connections to the Internet when necessary. You do this by configuring the proxy server or firewall to allow outbound connections from the server farm running Windows SharePoint Services to the Internet. The Web Capture Web Part and the online Web Part gallery, for example, require access to the Internet.

Allow connections to the Internet using ISA Server 2004

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the left pane, click the plus sign next to the server name and then click the plus sign next to Configuration.

  3. Click Networks, right-click Internal and then click Properties.

  4. On the Web proxy tab, verify that the Enable Web Proxy clients and Enable HTTP check boxes are selected.

  5. Click OK.

  6. In the left pane, click Firewall Policy.

  7. In the right pane, on the Toolbox tab, click New, and then click Computer Set.

  8. In the Name box, type a descriptive name for your server environment, such as Windows SharePoint Services servers.

  9. Click Add.

  10. Click Address Range.

  11. In the New Address Range Rule Element dialog box, in the Name box, type a descriptive name, and in the Start Address and End Address boxes, enter the IP address range of your servers running Windows SharePoint Services.

    For example, if the IP addresses for your servers running Windows SharePoint Services are 192.168.1.1, 192.168.1.2, and 192.168.1.3, you would enter the following:

    • Start Address: 192.168.1.1

    • End Address: 192.168.1.3

  12. Click OK to close the New Address Range Rule Element dialog box.

  13. Click OK to close the New Computer Set Rule Element dialog box.

  14. In the left pane, right-click the Firewall Policy, point to New, and then click Access Rule.

  15. In the New Access Rule Wizard, in the Access rule name box, type an access rule name such as Allow Web servers access to Internet, and then click Next.

  16. Under Action to take when rule conditions are met, click Allow, and then click Next.

  17. In the This rule applies to box, select Selected protocols, and then click Add.

  18. In the Add Protocols dialog box, click the plus sign next to Web, and then click HTTP and click Add.

  19. Click HTTPS and click Add, and then click Close.

  20. Click Next.

  21. On the Access Rule Sources page, under This rule applies to traffic from these sources, click Add.

  22. In the Add Network Entities dialog box, click the plus sign next to Computer Set, select the computer set you created earlier, and then click Add.

  23. Click Close to close the Add Network Entities dialog box.

  24. Click Next.

  25. Under This rule applies to traffic sent to these destinations, click Add.

  26. In the Add Network Entities dialog box, click the plus sign next to Network Set, select All Networks, and then click Add.

    All Networks is broader than this rule needs. If the servers only have to reach the Internet, select the External network instead, so that the rule does not also grant them access to other internal networks.

  27. Click Close.

  28. Click Next.

  29. Click Next again, click Finish, and then click Apply to save the changes and update the configuration.

Note For more information about the process of creating an access rule and the choices you can make during this process, see the ISA Server 2004 documentation.

Editing the Web.Config File

After your proxy server is set to allow connections to the Internet, you can set Windows SharePoint Services to allow connections to the Internet. You do this by editing your Web.config file. The Web Capture Web Part and the online Web Part gallery, for example, require access to the Internet.

Find the Web.config file in the root of the virtual server or virtual servers that have been extended with Windows SharePoint Services. For example, the path to the Web.config file might be C:\Inetpub\wwwroot\web.config. In the Web.config file, after the </SharePoint> tag, add the following tags to configure Windows SharePoint Services to make connections to the Internet through your outbound proxy server, where https://myproxy:8080 is the address and TCP port to connect to the outbound proxy server’s private network interface.

<system.net>
 <defaultProxy>
  <!-- proxyaddress is the outbound proxy's private interface and port.
       bypassonlocal="true" keeps requests for local (non-dotted) host names,
       such as other servers in the farm, off the proxy. -->
  <proxy proxyaddress="https://myproxy:8080" bypassonlocal="true" />
 </defaultProxy>
</system.net>

Note that you must make this change to the Web.config files for each virtual server on each server computer in your server farm.
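Because the same element has to be added to the Web.config of every virtual server on every server in the farm, the edit is worth scripting. The following is an added example, not from the paper or from Microsoft: it inserts the block after </SharePoint> exactly as described above, leaves a file alone if a proxy is already configured so that it can be rerun safely, and refuses to produce text that is not well-formed XML. The proxy address and the sample Web.config are constructed placeholders.

```python
"""Add the outbound-proxy element to a Windows SharePoint Services Web.config.

Added example, not part of the original paper. It edits the file's text so
the same function can be run against the Web.config of every virtual server
on every server in the farm, and it is safe to rerun: an existing
<defaultProxy> element is left as it is. The proxy address and the sample
Web.config below are constructed placeholders, not a real farm's settings.
"""
import xml.etree.ElementTree as ET

PROXY_BLOCK = (
    "<system.net>\n"
    " <defaultProxy>\n"
    '  <proxy proxyaddress="{address}" bypassonlocal="true" />\n'
    " </defaultProxy>\n"
    "</system.net>\n"
)

# Constructed stand-in for a Web.config extended by Windows SharePoint Services.
SAMPLE_WEB_CONFIG = """<configuration>
  <SharePoint>
    <SafeMode MaxControls="50" CallStack="false" />
  </SharePoint>
  <system.web>
    <httpRuntime maxRequestLength="51200" />
  </system.web>
</configuration>
"""


def configured_proxy(config_text):
    """Return the proxyaddress already set in the Web.config, or None."""
    proxy = ET.fromstring(config_text).find("system.net/defaultProxy/proxy")
    return None if proxy is None else proxy.get("proxyaddress")


def add_default_proxy(config_text, address):
    """Insert the <system.net> block right after </SharePoint> and return the new text.

    If a proxy is already configured the text is returned unchanged, so that
    rerunning the script on a server does not add a second (invalid) element.
    """
    if configured_proxy(config_text) is not None:
        return config_text
    marker = "</SharePoint>"
    end = config_text.find(marker)
    if end < 0:
        raise ValueError("no </SharePoint> element: not a Windows SharePoint Services Web.config")
    end += len(marker)
    patched = config_text[:end] + "\n" + PROXY_BLOCK.format(address=address) + config_text[end:]
    ET.fromstring(patched)  # fail loudly rather than produce a Web.config IIS cannot parse
    return patched


if __name__ == "__main__":
    print(add_default_proxy(SAMPLE_WEB_CONFIG, "https://myproxy:8080"))
```

To apply it to a farm, read each virtual server’s Web.config, pass its text to add_default_proxy, and write the result back, keeping a copy of the original first.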

Configuring the Proxy Server to Listen for Requests on IP Addresses

By default, all incoming Web requests to ISA Server must be received by a Web listener. A single Web listener may be used in multiple Web publishing rules. When you configure a Web listener, you specify the network that corresponds to the adapter on which ISA Server will listen for incoming Windows SharePoint Services requests. For example, if you want to allow access to the SharePoint site from the Internet (External network), you should select the External network for the Web listener. The listener can listen on all IP addresses associated with a network, or on specific IP addresses. You also configure the port number that will listen for requests on the selected network IP addresses.

Configure a Web listener on ISA Server 2004

  1. In ISA Server Management, click Firewall Policy.

  2. In the right pane, on the Toolbox tab, click New and select Web listener.

  3. In the Web listener name box, type a name for the Web listener, for example, WSS_Listener.

  4. Click Next.

  5. In the Listen for requests from these networks box, select the check boxes for the interfaces that you want the listener to listen on.

    For example, select the External check box for Internet Web publishing.

  6. Click Next.

  7. On the Port Specification page, under HTTP, clear the Enable HTTP check box.

  8. Under SSL, select the Enable SSL check box, and then in the SSL port box, type 443.

    If the IIS virtual server you’re about to publish is configured to listen on a different port, you should configure ISA Server Web Listener to use the same port.

  9. Next to Certificate, click Select to choose the server certificate you will use for the SSL session establishing process.

  10. In the Select Certificate dialog box, select the certificate you want to use, and then click OK.

  11. Click Next, and then click Finish.

  12. Click Apply to save the changes and update the configuration.

Important ISA Server will not start to listen on the IP and port specified above until a Web publishing rule is created and configured to use the Web listener.

Configure the proxy server to publish the Windows SharePoint Services

The goal of Web publishing on a reverse proxy server is to forward requests, complete with host headers, from the proxy server to the Web server. Note that host-header forwarding may be called different things by different proxy server vendors. Contact your proxy server vendor to learn how to enable host-header forwarding with your reverse proxy.

Create a Secure Web publishing rule using ISA Server 2004

  1. In ISA Server Management, right-click the Firewall Policy node, point to New, and then click Secure Web Server Publishing Rule.

  2. In the Secure Web Publishing Wizard, type a name for the new rule. For example, “Publish WSS for external access”.

  3. Click Next.

  4. On the Publishing Mode page, select SSL Bridging.

  5. Click Next.

  6. On the Select Rule Action page, under Action to take when rule conditions are met, click Allow, and then click Next.

  7. On the Bridging mode page, click Secure connection to clients and Web server.

  8. Click Next.

  9. In the Define Website to publish page, in the Computer name or IP address box, type the IP address or name of the computer running the SharePoint Web site.

    Remember that if you specify a name, you will need an internal DNS entry to resolve the name to an IP address.

  10. Select the Forward the original host header instead of the actual one (specified above) check box to ensure that the host header contains the original external DNS name typed in the URL.

  11. In the Path box, type “/*”.

  12. Click Next.

  13. On the Public Name Details page, in the Accept requests for box, select Any domain name to forward requests to the published SharePoint site without checking for the domain name, or select This domain name, and then in the Public name box, specify the external FQDN that users will type in their browser to reach the site.

    This domain name is the more restrictive choice. With Any domain name, ISA Server forwards every request that reaches the listener to the SharePoint site regardless of the host name in the request.

  14. Click Next.

  15. On the Select Web Listener page, in the Web listener box, select the Web listener that you created previously, and then click Next.

  16. Click Next again, and then click Finish.

  17. Click Apply to save the changes and update the configuration.

HTTP security filtering using ISA Server 2004

After you have created the Web publishing rule, you must change the HTTP security filter setting. The HTTP filter screens all incoming Web requests to the ISA Server computer, and only allows requests that comply with the restrictions configured by the ISA Server administrator.

For example, the Verify Normalization feature (enabled by default) decodes each request URL once and blocks the request if an escape character, such as the percent sign (%), still remains after that normalization. This catches double-encoded URLs, but it also affects SharePoint: URLs for document libraries, and the names of files that are uploaded and downloaded, can include non-standard characters such as a literal percent sign, which the browser sends as %25 and which is still a percent sign after one decoding. With this feature enabled, requests for such document library URLs are blocked.

Configure HTTP filtering

  1. Right-click the Web publishing rule you created, and select Configure HTTP.

  2. On the General tab, clear the Verify normalization check box.

  3. If you are using a language containing high bit characters (for example, umlauts in German) you should also clear the Block high bit characters check box.

Caution The Verify normalization and Block high bit characters features exist to stop URL-encoding tricks, such as double-encoded paths, that are used to evade security checks. When you turn them off in ISA Server, you rely on the Web server alone to handle such requests safely, so turn off only the check that actually breaks your sites.
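To see what the two settings do, and what turning them off admits, the following model runs them over a few constructed SharePoint request paths. It is an added example, not ISA Server code, and it approximates the documented behaviour: a path is decoded once and rejected if a percent sign survives, or, for the high-bit check, if any non-ASCII character is present. The site name, file names and paths are constructed samples.

```python
"""Model of the HTTP filter checks discussed above, Verify Normalization and
Block High Bit Characters, run over constructed Windows SharePoint Services
request paths. Added example; this is not ISA Server code, and it approximates
the documented behaviour: the path is percent-decoded once and rejected if an
escape character (a percent sign) survives, or, for the second check, if any
non-ASCII character is present. The paths below are constructed samples."""
from urllib.parse import unquote


def normalized(path):
    """Decode the request path once, as the ISA Server HTTP filter does."""
    return unquote(path)


def passes_normalization(path):
    """Verify Normalization: no escape character may remain after one decoding.

    This catches double-encoded paths (%252e -> %2e) but also rejects a
    legitimate document whose name contains a literal percent sign, which the
    browser sends as %25."""
    return "%" not in normalized(path)


def passes_high_bit(path):
    """Block High Bit Characters: every character of the decoded path is ASCII."""
    return all(ord(ch) < 0x80 for ch in normalized(path))


def filter_request(path, verify_normalization=True, block_high_bit=True):
    """Apply the enabled checks and return 'allowed' or 'blocked: <reason>'."""
    if verify_normalization and not passes_normalization(path):
        return "blocked: escape character remains after normalization"
    if block_high_bit and not passes_high_bit(path):
        return "blocked: high-bit character in URL"
    return "allowed"


def as_seen_by_web_server(path):
    """What a component that decodes the forwarded path a second time would see."""
    return unquote(normalized(path))


# Constructed sample requests: two legitimate document library URLs, one with a
# German file name, and one double-encoded traversal attempt.
SAMPLE_PATHS = [
    "/sites/sales/Shared%20Documents/Q3%20Report.doc",
    "/sites/sales/Shared%20Documents/Margin%2050%25.xls",
    "/sites/sales/Shared%20Documents/Gr%C3%BC%C3%9Fe.doc",
    "/sites/sales/%252e%252e/_layouts/",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p}\n  filter on : {filter_request(p)}")
        print(f"  filter off: {filter_request(p, False, False)}  -> {as_seen_by_web_server(p)}")
```

Run as-is, the Q3 Report path passes, the Margin 50% workbook and the double-encoded traversal are both blocked by Verify Normalization, and the German file name is blocked only by Block High Bit Characters. The second line printed for each path shows what a component that decodes the forwarded URL a second time would see; for the double-encoded path that is /sites/sales/../_layouts/, which is the kind of request the check exists to stop and which clearing the check box lets through.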

Known Issues

Because of the way URLs are handled in Microsoft® Windows® SharePoint® Services, no reverse proxy configuration can provide a complete solution. Even after configuring your environment to use either the host-header forwarding or SSL bridging (HTTPS to HTTPS) configuration, you may still experience issues in the following situations:

  • SharePoint Central Administration does not work through a reverse proxy server.

    The instructions in this paper are for the content virtual servers and do not apply to the SharePoint Central Administration site. Any URLs referenced in virtual server management are based on the hostname of the URL used to browse to SharePoint Central Administration, and not on any URLs sent by the reverse proxy server.

  • Administrative e-mail messages from Windows SharePoint Services – such as quota limit warnings and site collection use confirmation e-mail messages – include the URL used when the site was created. This is usually different from the URL sent by the reverse proxy server.

  • To make links in Windows SharePoint Services include HTTPS (instead of HTTP), you must ensure that Microsoft Internet Information Services (IIS) is configured on each virtual server to require SSL. You cannot control this setting from the proxy server. For more information, see Enabling Secure Sockets Layer (SSL) in the topic Configuring Authentication in the Windows SharePoint Services Administrator’s Guide.

  • The announcement added when you turn on Self-Service Site Creation may not have the correct host header name.

    You can manually edit this announcement on each site that it appears on to include the correct URL.

  • Explorer View, Web Distributed Authoring and Versioning (WebDAV), Web view and Web file properties, the Shared Workspace task pane in Microsoft Office System programs, and opening and saving files from Office programs to the site might fail if ISA Server is configured to intercept HTTP OPTIONS requests.

    You can configure ISA Server 2000 to not intercept these requests by adding a registry key. For more information, see the Knowledge Base article 304340.

    ISA Server 2004 passes HTTP OPTIONS requests through by default.

  • Using the ISA 2004 path-mapping feature to publish Windows SharePoint Services is not supported. Also, Link Translation should be disabled for the ISA 2004 Web Publishing rule when publishing Windows SharePoint Services.

Appendix A: Configuring Certificates from a Commercial Certification Authority

This appendix walks you through the steps to configure certificates obtained from a commercial certification authority. You can also create a local certification authority. For more information, see “Appendix B: Setting up a Local Certification Authority.”

Requesting a certificate from a commercial certification authority

The following procedure generates a new certificate request to be sent to a certification authority (CA) for processing.

Create a certificate request from a commercial CA

  1. Click Start, point to All Programs, point to Administrative Tools, and select Internet Information Services (IIS) Manager.

  2. Double-click the local computer, and then double-click the Web Sites folder.

  3. Right-click the Web site you are requesting a certificate for and click Properties.

  4. On the Directory Security tab, under Secure Communications, click Server Certificate.

  5. In the Web Server Certificate Wizard, on the Welcome page, click Next.

  6. On the Server Certificate page, select Create a new certificate, and then click Next.

  7. On the Delayed or Immediate Request page, select Prepare the request now, but send it later and click Next.

  8. On the Name and Security Settings page, in the Name box, type a friendly name for the site.

    This name is not critical to the functioning of the certificate, so pick a name that is easy to refer to and to remember.

  9. In the Bit length box, select the bit length of the key you want to use. Choose at least 2048 bits; commercial CAs no longer issue certificates for shorter RSA keys.

  10. If you want to choose a specific cryptographic service provider (CSP), select the Select cryptographic service provider (CSP) for this certificate check box. Click Next.

  11. On the Organization Information page, in the Organization box, type your organization’s name, then in the Organizational unit box, type your organizational unit, and then click Next.

    For example, if your company is called Fabrikam, Inc. and you are setting up a Web server for the Sales department, you would enter Fabrikam for the organization and Sales for your organizational unit.

  12. On the Your Site’s Common Name page, in the Common name box, type the common name (CN) for your site, and then click Next.

    Note that if this certificate will be exported to the ISA Server computer, the name on the certificate must match the name you use to publish the Web site in the Web publishing rule. If this certificate will remain on the Web server, the name on the certificate must match the name that ISA Server uses to refer to the Web server, which is the name on the To tab of the Web publishing rule.

  13. On the Geographical Information page, type your information in Country/Region, State/province, and City/locality boxes, and then click Next.

    It is important that you do not abbreviate the names of the state/province or city/locality.

  14. On the Certificate Request File Name page, in the File name box, type a name for the certificate request file that you are about to create, and then click Next.

    This file will contain all the information that you included in this procedure, as well as the public key for your site. This creates a .txt file when the procedure steps are completed. The default name for the file is Certreq.txt.

  15. On the summary page, verify that all of the information is correct, and then click Next.

  16. On the Completing the Web Server Certificate page, click Finish.

  17. Click OK to close the Web Site Properties dialog box.

Important The common name of the certificate must match either the fully qualified internal DNS name of the Web server running Windows SharePoint Services (for a certificate that stays on the Web server) or the public name that ISA Server accepts requests for in the Web publishing rule (for a certificate that is exported to the ISA Server computer).

Submitting a certificate request file

For the certificate to be used on the Internet, you must submit the request file to an online CA. The CA then generates a certificate response file, which contains your public key and is digitally signed by the commercial CA. Follow the instructions provided by the commercial CA to submit the request file and receive your certificate response, which you will then use to install the certificate.

Note that to submit a request you need access to the CA’s Web site. It is recommended that you copy the request file from the Web server to a computer with Internet access, and then submit it according to the CA’s instructions. Alternatively, you can allow connectivity from your Web server to the commercial CA by creating an ISA Server access rule on the protocols used by the CA. Make the rule as specific as possible. For example, if you require access on the HTTP protocol, create an allow rule from a computer set containing only the Web server to a URL set containing only the CA’s Web site and allowing only HTTP traffic.

Installing the certificate on the Web server

After you receive your response file from the CA, you must install it on the Web server. You can then export the certificate for use on the ISA Server computer. You cannot install the response file directly on the ISA Server computer: it completes the pending request, and the private key generated for that request, which exist only on the Web server computer from which the certificate was requested.

Install the certificate on the Web server

  1. Click Start, point to All Programs, point to Administrative Tools, and select Internet Information Services (IIS) Manager.

  2. Double-click the local computer, and then double-click the Web Sites folder.

  3. Right-click the Web site you are requesting a certificate for, and click Properties.

  4. On the Directory Security tab, under Secure Communications, click Server Certificate.

  5. In the Web Server Certificate Wizard, on the Welcome page, click Next.

  6. On the Server Certificate page, click Process the pending request and install the certificate, and then click Next.

  7. In the File name box, type the location of the certificate response file (you may also browse to the file), and then click Next.

  8. On the SSL Port page, in the SSL port box, select the SSL port that the Web site will use.

    By default, this is port 443.

  9. On the Certificate Summary page, review the information to ensure that you are processing the correct certificate, and then click Next.

  10. On the Completing the Web Server Certificate Wizard page, click Finish.

Verify that the server certificate was properly installed

  1. On the Start menu, click Run.

  2. In the Open box, type MMC, and then click OK.

  3. In Microsoft Management Console (MMC), on the File menu, click Add/Remove Snap-in.

  4. In the Add/Remove Snap-in dialog box, click Add.

  5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.

  6. In the Certificates snap-in dialog box, select Computer account, and then click Next.

  7. In the Select Computer dialog box, verify that Local computer: (the computer this console is running on) is selected, and then click Finish.

  8. Click Close to close the Add Standalone Snap-in dialog box, and then click OK to close the Add/Remove Snap-in dialog box.

  9. In MMC, double-click Certificates (local computer), and then double-click Personal.

  10. Click Certificates, and then double-click the new server certificate.

  11. On the General tab, verify that there is a note that says You have a private key that corresponds to this certificate.

  12. On the Certification Path tab, verify the hierarchical relationship between your certificate and the CA, and verify that there is a note that says This certificate is OK.

  13. Click OK to close the Certificate properties box.

  14. On the File menu, click Exit to close MMC.

  15. In the message that appears, click Yes to save the console settings.

  16. In the File name box, type a descriptive name, such as LocalComputerCertificates.msc, and then click Save.

Exporting a certificate from the Web server to ISA Server

Now you can export the certificate from the Web server computer for use on the ISA Server computer.

Export a certificate from the Web server to ISA Server

  1. From the Start menu, point to All Programs, point to Administrative Tools, and select LocalComputerCertificates.msc (or the name that you provided when saving the certificates console).

  2. In MMC, double-click Certificates (local computer), and then double-click Personal.

  3. Click Certificates.

    A certificate with the name of your Web site appears in the Issued To column in the right pane.

  4. Right-click your certificate, click All Tasks, and then click Export.

  5. In the Certificate Export Wizard, on the Welcome page, click Next.

  6. On the Export Private Key page, select Yes, export the private key, and then click Next.

    Note If you do not have the option to click Yes in the Export Private Key page, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on the ISA Server computer. You must request a new certificate for ISA Server for this Web site.

  7. On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). 

  8. Maintain the default settings for all three check boxes under Personal Information Exchange, and then click Next.

  9. On the Password page, in the Password box, type a strong password to protect the exported file, and then confirm the password. The exported file will contain the private key, so this password is all that protects the key while the file is in transit.

  10. Click Next

  11. On the File to Export page, in the File name box, type a file name and location for the export file, and then click Save.

  12. Click Next.

  13. On the wizard completion page, click Finish.

    Be sure to safeguard the file that you just created: it contains the private key, so anyone who obtains it can impersonate your site, and your ability to use SSL depends on it. Copy it to the ISA Server computer over a secure channel and delete the copies from both computers once the import has succeeded.

  14. In the confirmation dialog box that appears telling you that the export was successful, click OK.

  15. Copy the file that you created to the ISA Server computer.

Installing the exported certificate on the ISA Server computer

You can now install the exported certificate to the ISA Server computer.

Install the exported certificate on the ISA Server computer

  1. On the ISA Server computer, on the Start menu, click Run.

  2. In the Open box, type MMC, and then click OK.

  3. In MMC, on the File menu, click Add/Remove Snap-in.

  4. In the Add/Remove Snap-in dialog box, click Add.

  5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.

  6. In the Certificates snap-in dialog box, select Computer account, and then click Next.

  7. In the Select Computer dialog box, verify that Local computer: (the computer this console is running on) is selected, and then click Finish.

  8. Click Close to close the Add Standalone Snap-in dialog box, and then click OK to close the Add/Remove Snap-in dialog box.

  9. In MMC, double-click Certificates (local computer).

  10. Right-click Personal, click All Tasks, and then click Import.

  11. In the Certificate Import Wizard, on the Welcome page, click Next.

  12. On the File to Import page, click Browse and browse to select the file that you copied from your Web server computer, and then click Next.

  13. On the Password page, in the Password box, type the password for this file, and then click Next.

    Note The Password page provides the option Mark this key as exportable. If you want to prevent the exporting of the key from the ISA Server computer, do not select this option.

  14. On the Certificate Store page, verify that Place all certificates in the following store and Certificate Store are set to Personal (the default settings), and then click Next. 

  15. On the wizard completion page, click Finish.

  16. In the confirmation dialog box that appears telling you that the import was successful, click OK.

  17. On the File menu, click Exit to close MMC.

  18. In the message that appears, click Yes to save the console settings.

  19. In the File name box, type a descriptive name, such as LocalComputerCertificates.msc, and then click Save.

Verify that the server certificate was properly installed

  1. From the Start menu, point to All Programs, point to Administrative Tools, and select LocalComputerCertificates.msc (or the name that you provided when saving the certificates console).

  2. In MMC, double-click Certificates (local computer), and then double-click Personal.

  3. Click Certificates, and then double-click the new server certificate.

  4. On the General tab, verify that there is a note that says You have a private key that corresponds to this certificate.

  5. On the Certification Path tab, verify the hierarchical relationship between your certificate and the CA, and verify that there is a note that says This certificate is OK.

  6. Click OK to close the Certificate properties box.

  7. On the File menu, click Exit to close MMC.

To remove a certificate

If there is a certificate bound to the Web site and you do not want SSL enabled on the Web site (HTTPS to HTTP) then you must unbind the Web site certificate.

Unbind the certificate from the IIS Web site

  1. On the Web server computer, click Start, point to All Programs, point to Administrative Tools, and select Internet Information Services (IIS) Manager.

  2. Double-click the local computer, and then double-click the Web Sites folder.

  3. Right-click the Web site whose certificate you want to remove, and select Properties.

  4. On the Directory Security tab, under Secure Communications, click Server Certificate.

  5. In the Web Server Certificate Wizard, on the Welcome page, click Next.

  6. On the Modify the Current Certificate Assignment page, select Remove the current certificate, and then click Next.

  7. On the Remove a Certificate page, click Next.

  8. On the wizard completion page, click Finish.

  9. Close Internet Information Services Manager.

If you have simply used the Web server as a method of installing the certificate on the ISA Server, or no longer require a certificate on the Web server, you may want to delete the certificate from the Web server computer.

Delete the certificate from the computer

  1. On the Web server computer, from the Start menu, point to All Programs, point to Administrative Tools, and select LocalComputerCertificates.msc (or the name that you provided when saving the certificates console).

  2. In MMC, double-click Certificates (local computer), and then double-click Personal.

  3. Click Certificates, and then right-click the certificate and click Delete.

  4. In the warning dialog box, click OK to delete the certificate.

Appendix B: Setting up a Local Certification Authority

You need a certification authority (CA) if you want to issue digital certificates. When the certificates are for internal use, we recommend that you create a local CA, negating the need to purchase a commercial certificate.

Setting up a Certification Authority

This procedure is performed on a computer running Windows Server 2003 or Windows 2000 Server. For a stand-alone root CA, this can be any computer. An enterprise root CA must be installed on a server that is a member of a domain.

This procedure also installs the services that will enable computers to obtain the certificates through a Web page. If you prefer a different approach for obtaining the certificates for computers, you do not have to perform the Internet Information Services (IIS) and Active Server Pages installations described in this procedure.

Set up a certification authority

  1. Open the Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components.

  4. Double-click Application Server.

  5. Double-click Internet Information Services (IIS).

  6. Double-click World Wide Web Service.

  7. Select the Active Server Pages check box.

  8. Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.

  9. Select Certificate Services.

  10. Review the warning regarding the computer name and domain membership.

  11. Click Yes in the warning dialog box if you want to continue, and then click Next in the Windows components dialog box.

  12. On the CA Type page, choose one of the following, and then click Next:

    • Enterprise root CA. An enterprise root CA must be installed on a domain member. The enterprise root CA will automatically issue certificates when requested by authorized users (recognized by the domain controller).

    • Stand-alone root CA. A stand-alone root CA requires that the administrator issue each requested certificate.

  13. On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.

  14. On the Certificate Database Settings page, review the default settings.

    You may revise the database locations.

  15. Click Next.

  16. On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

Note that to allow access to the CA Web site, you must publish it. To limit access, you can publish only specific folders to a specific set of users. For more information about Web publishing, see Publishing Web Servers Using ISA Server 2004.

Installing a local server certificate

This procedure is performed on the computer that requires the digital certificate. In the case of Web publishing, this will be the ISA Server computer, at a minimum, and may also include the Web server computer. In the case of server publishing, this will be only the server computer that you are publishing. If you installed a stand-alone root CA rather than an enterprise root CA, there are also actions that take place on the certification authority.

Install a local server certificate

  1. Open Microsoft Internet Explorer.

  2. On the Tools menu, click Internet Options.

  3. On the Security tab, under Select a Web content zone to specify its security settings, click Trusted Sites.

  4. Click the Sites button to open the Trusted sites dialog box.

  5. In Add this Web site to the zone box, type the certificate server Web site name (https://IP_Address_Of_Certification_Authority_Server/certsrvname), and then click Add.

  6. Click OK to close the Trusted sites dialog box, and then click OK to close Internet Options.

  7. Browse to: https://IP_Address_Of_Certification_Authority_Server/certsrv.

  8. Request a certificate.

  9. Select Advanced Certificate Request.

  10. Select Create and submit a request to this CA (Windows Server 2003 CA), or Submit a certificate request to this CA using a form (Windows 2000 Server CA).

  11. Complete the form and in the Type box, select Server Authentication Certificate.

    To avoid the client receiving an error when trying to connect, it is critical that the common name you provide for the certificate matches the published server name, as follows:

    • For Web publishing, for a certificate on the ISA Server computer, type the fully-qualified host name or URL that external clients will type in their Web browser to access the Web site, for example news.adatum.com.

    • For Web publishing, if you are also installing a server certificate on the Web server in addition to the certificate required on the ISA Server computer, the common name is the name that the ISA Server computer uses to access the Web server through the Web publishing rule. This should be the fully-qualified domain name (FQDN) of the Web server, such as webserver1.adatum.com.

  12. Select Store Certificate in the local computer certificate store (Windows Server 2003 CA) or Use local machine store (Windows 2000 Server CA) and then click Submit to submit the request.

  13. Review the warning dialog box that appears, and then click Yes.

  14. If you installed a stand-alone root CA, perform the following steps on the certification authority computer. These steps are automated in an enterprise root CA.

    1. Click Start, point to All Programs, point to Administrative tools, and then click Certification Authority.

    2. Expand the CAName certificates node, where CAName is the name of your CA.

    3. Click the Pending requests node, right-click your request, click All Tasks, and then click Issue.

  15. On the ISA Server computer, return to the Web page https://IP_Address_Of_Certification_Authority_Server/certsrv, and then click View status of a pending request.

  16. Click your request and choose Install this certificate.

Verify that the server certificate was properly installed

  1. Open MMC, and go to the Certificates snap-in.

  2. Open Certificates (local computer), double-click the Personal node, click Certificates, and then double-click the new server certificate.

  3. On the General tab, verify that there is a note that says You have a private key that corresponds to this certificate.

  4. On the Certification Path tab, verify the hierarchical relationship between your certificate and the CA, and verify that there is a note that says This certificate is OK.

  5. Click OK to close the Certificate properties box.

  6. On the File menu, click Exit to close MMC.

    Note On an ISA Server computer running Windows Server 2003 or Windows 2000 Server, the server certificate obtained from a CA must be stored in the Personal certificate store of the ISA Server computer. The root certificate for the CA must be stored in the Trusted Root Certification Authorities store of the ISA Server computer.
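The import and the three verification checks above (private key present, certification path OK, common name matching the published server name) can also be done from the command line. The following PowerShell script is an added example, not part of the original white paper or of ISA Server; it assumes the PKI module cmdlets of Windows Server 2012 or later rather than the Windows Server 2003 systems the paper targets, and the file paths, password prompt and the published name news.adatum.com are illustrative assumptions.

```powershell
# Added example (not from the white paper): import the exported .pfx into the
# Local Computer Personal store without an exportable key, install the local
# CA root into Trusted Root Certification Authorities, then run the checks the
# MMC procedure asks for. All paths and names below are assumed for illustration.
param(
    [string]$PfxPath       = 'C:\Certs\news.pfx',        # assumed: file copied from the Web server
    [string]$RootCerPath   = 'C:\Certs\adatum-root.cer', # assumed: CA root downloaded from /certsrv
    [string]$PublishedName = 'news.adatum.com'           # assumed: name external clients type
)

# Root certificate of the local CA -> Trusted Root Certification Authorities (Local Computer).
Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Server certificate -> Personal (Local Computer). -Exportable is deliberately omitted,
# which is the same as leaving "Mark this key as exportable" unselected in the wizard.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword

# Check 1: "You have a private key that corresponds to this certificate".
if (-not $cert.HasPrivateKey) { throw "No private key for $($cert.Thumbprint)" }

# Check 2: the certification path builds up to a trusted root ("This certificate is OK").
# Revocation checking is skipped because a lab CA rarely publishes a reachable CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Certification path is not OK: $status"
}

# Check 3: the common name or a subject alternative name matches the published name,
# otherwise browsers report a name mismatch when they connect to the Web listener.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $PublishedName) {
    throw "Certificate names [$($names -join ', ')] do not include $PublishedName"
}

# Check 4: the certificate is currently within its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) - $($cert.NotAfter))"
}

"OK: $($cert.Subject) (thumbprint $($cert.Thumbprint)) is ready to be bound to the Web listener"
```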

Installing a root certificate

For a client computer to trust the server certificates that you have installed from a local CA, you must install the root certificate from the CA on the client computer. Follow this procedure on any client computer that requires the root certificate. Note that you can also transfer the root certificate on a medium such as a disk, and then install it on the client computer.

Install a root certificate

  1. Open Internet Explorer.

  2. On the Tools menu, click Internet Options.

  3. On the Security tab, click Custom Level to open the Security Settings dialog box.

  4. Under Reset custom settings, in the Reset to box, select Medium, and then click OK to close the Security Settings dialog box.

  5. Click OK to close the Internet Options dialog box.

    Note Certificates cannot be installed when the security setting is set to High.

  6. Browse to: https://IP_Address_Of_Certification_Authority_Server/certsrv.

  7. Click Download a CA Certificate, Certificate Chain, or CRL.

  8. On the next page, click Download CA Certificate.

    This is the trusted root certificate that must be installed on the ISA Server computer.

  9. In the File Download dialog box, click Open.

  10. On the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard.

  11. On the Welcome page, click Next.

  12. On the Certificate Store page, select Place all certificates in the following store and click Browse.

  13. In the Select Certificate Store dialog box, select Show Physical Stores.

  14. Double-click Trusted Root Certification Authorities, select Local Computer, and then click OK.

  15. On the Certificate Store page, click Next.

  16. On the summary page, review the details and click Finish.

Verify that the root certificate was properly installed

  1. Open MMC, and go to the Certificates snap-in.

  2. Open Certificates (local computer), double-click the Trusted Root Certification Authorities node, click Certificates, and then verify that the root certificate is in place.

Note You can also install certificates on a computer from the MMC Certificates (Local Computer) snap-in. This provides access only to CAs in the same domain.