Managing the Microsoft SharePoint® Portal Server 2003 application in IAG SP2

Applies To: Intelligent Application Gateway (IAG)

The Microsoft SharePoint Portal Server 2003 application defined in Whale Communications Intelligent Application Gateway (IAG) 2007 is used to access both Windows SharePoint Services (WSS) and SharePoint Portal Server (SPS).

Application-specific settings

This topic describes the required and optional application-specific settings for the SharePoint Portal Server 2003 application, as follows:

  • Requirements on the client endpoint.

  • Additional configuration steps you may have to take in these cases:

    • When more than one SharePoint Server application is defined on the same trunk.

    • When one SharePoint Server application is defined on the trunk, with multiple servers.

These steps are described in Configuration in a Multiple-Address Setup.

  • Preventing end-users from uploading files, checking in files, and saving files from Microsoft Office applications to the SharePoint Server, unless their computer meets the security policy requirements you define, as described in Blocking File Upload Operations.

  • Preventing end-users from downloading files, exporting to a spreadsheet, or editing datasheets, unless their computer meets the security policy requirements you define, as described in Blocking File Download Operations.

  • Disabling end-users’ ability to modify webparts, unless their computer meets the security policy requirements you define, as described in Disabling Modification of Webparts.

  • Restricting end-users’ access to sensitive areas of the application, unless their computer meets the security policy requirements you define, as described in Restricting Access to Zones and Areas.

  • Enabling access from the SharePoint Server to third-party applications, as described in Integration with Third-Party Applications.

Requirements on the client endpoint

  • For maximum integration, Microsoft Office 2003 SP1 must be installed on the endpoint computer.

  • In order to enable integration with Microsoft Office applications, the IAG Attachment Wiper client component must be installed on the endpoint computer. On client endpoints where the IAG Attachment Wiper component is not installed, Office documents will be displayed in the browser, and will not be cached.

Configuration in a Multiple-Address Setup

This topic describes additional configuration steps that are relevant when you use the same IAG trunk to access more than one SharePoint Server. This topic is not relevant in the following scenarios:

  • The trunk contains only one SharePoint Server application with one server, defined by a single, plain-text IP address or hostname and a single port number.

  • There are two or more trunks, each containing a single SharePoint Server application with one server.

When using the instructions in this topic, note that if you define more than one trunk with multiple addresses, you must repeat the instructions in this section for each of the trunks. When end-users access more than one SharePoint site from the same trunk, working with Office documents is only enabled from the first site accessed.

Configure a multiple-address setup in the following scenarios:

  • When one SharePoint Server application is defined on the trunk, with multiple servers. That is, the application’s servers are defined using multiple IP addresses, a subnet, or regular expressions.

  • When more than one SharePoint Server application is defined on the same trunk.

In both these configurations, it is recommended that all SharePoint Servers in the trunk are defined with port 80. If another port number is defined, this may impede the functionality of Microsoft Office applications when accessed via the SharePoint Server application.

The first time you add a SharePoint Server application to the trunk, the system automatically creates two dynamic Manual URL Replacement rules that reroute the requests to the application server. Each rule includes two server definitions:

  • A dynamic parameter, *DynamicSharepointServer*, which is used to determine the destination server to which the request is rerouted.

  • A fallback server, to which requests are rerouted in case the dynamic parameter cannot be resolved.

The fallback server is the first server that is defined for the first SharePoint Server application you add to the trunk, regardless of any servers you later add to the application. In addition, since the same fallback server is used for all the SharePoint Server applications in a trunk, if you later add more SharePoint Server applications to the trunk, they will all use the server you initially defined as the fallback server.

For example: If the trunk includes one SharePoint Server application with two servers, ServerA and ServerB, and ServerA is the fallback server, and you then add a new SharePoint Server application to the trunk, with ServerC, the fallback server for the new application is ServerA.

If you create a different trunk with SharePoint Server applications, a new set of dynamic Manual URL Replacement rerouting rules is created for that trunk, independently of the existing trunk.

Note

If you edit the definition of the server that is used as the fallback server, or if you delete that server, you must redefine the fallback server, as described in the procedure below.

Tip

Once you add an application to the trunk, the configuration of the application servers can be seen and edited in the Web Servers tab of the Application Properties dialog box.

Manual URL Replacement rules are visible in the Application Access Portal tab of the Advanced Trunk Configuration window. For details, see Manually replacing URLs for HAT configuration in IAG.

The following procedure describes how you can change the fallback server defined in the rerouting rules. Note that:

  • When the rules are created for a "Subnet" or "Regular Expression" address-type, there is no pre-defined fallback server, and you must define one.

  • When the rules are created for a server that is defined by an "IP/Host" address-type, you can optionally change the fallback server.

Note

Make sure you implement the changes for both SharePoint Server rules.

To change the dynamic rerouting fallback server

  1. In the Configuration console, access the Advanced Trunk Configuration window.

  2. In the Application Access Portal tab, in the Manual URL Replacement area, double-click the first SharePoint Server rule.

  3. In the URL Change dialog box, edit the server definitions in Server Name as follows:

    • For a server that is defined by a subnet or regular expression, the default value of Server Name is:

      *DynamicSharepointServer*localhost

      Change this value to:

      *DynamicSharepointServer*<fallback_server>

      Where <fallback_server> is the IP address or hostname of the fallback server.

      Do not change the parameter *DynamicSharepointServer*

    • For a server that is defined by an IP address or hostname, the default value of Server Name is:

      *DynamicSharepointServer*<fallback_server>

      Where <fallback_server> is the IP address or hostname of the first SharePoint Server that was defined on the trunk. You can change the value of <fallback_server> as required.

      Do not change the parameter *DynamicSharepointServer*

      Note

      Do not deselect the Dynamic option next to the Server Name field.

  4. Repeat steps 2–3 for the second SharePoint Server rule.

  5. In the IAG Configuration console, click the Activate icon to activate the configuration.

    If the dynamic parameter cannot be resolved, requests will be rerouted to the fallback server you defined here.
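The following Python model, added here to illustrate the rerouting behaviour described above, is not IAG code and is not part of the original page. It assumes that the Server Name of each Manual URL Replacement rule is the parameter *DynamicSharepointServer* followed by the fallback server, and that the parameter resolves to the SharePoint server the user's session first accessed. The names Trunk, SharePointApp, ReroutingRule and audit() are chosen for the example; the server names ServerA to ServerD and the subnet 10.0.0.0/24 are constructed sample data.

```python
"""Model of the dynamic rerouting rules that IAG creates for SharePoint Server
applications. Illustrative only: the class and function names are assumptions
made for this example, not IAG identifiers."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DYNAMIC_PARAM = "*DynamicSharepointServer*"


@dataclass
class ReroutingRule:
    server_name: str  # value of the Server Name field, e.g. "*DynamicSharepointServer*ServerA"

    def fallback(self) -> str:
        """Return the fallback part of Server Name; the dynamic parameter must stay in place."""
        if not self.server_name.startswith(DYNAMIC_PARAM):
            raise ValueError("the *DynamicSharepointServer* parameter must not be removed")
        return self.server_name[len(DYNAMIC_PARAM):]


@dataclass
class SharePointApp:
    name: str
    address_type: str               # "IP/Host", "Subnet" or "Regular Expression"
    servers: List[Tuple[str, int]]  # (address, port) as shown on the Web Servers tab


@dataclass
class Trunk:
    name: str
    apps: List[SharePointApp] = field(default_factory=list)
    rules: List[ReroutingRule] = field(default_factory=list)  # the two rules created per trunk

    def add_app(self, app: SharePointApp) -> None:
        """The first SharePoint application added to a trunk creates both rules.
        IP/Host: the fallback is that application's first server.
        Subnet or Regular Expression: no usable fallback is pre-defined and the
        Server Name defaults to *DynamicSharepointServer*localhost."""
        if not self.rules:
            default = app.servers[0][0] if app.address_type == "IP/Host" else "localhost"
            self.rules = [ReroutingRule(DYNAMIC_PARAM + default) for _ in range(2)]
        self.apps.append(app)

    def set_fallback(self, server: str) -> None:
        """Steps 2 to 4 of the procedure: the change must be made in BOTH rules."""
        self.rules = [ReroutingRule(DYNAMIC_PARAM + server) for _ in self.rules]

    def route(self, session_server: Optional[str]) -> str:
        """Destination of a request: the resolved dynamic parameter, otherwise the
        fallback server. session_server is None when the parameter cannot be resolved."""
        return session_server if session_server else self.rules[0].fallback()


def audit(trunk: Trunk) -> List[str]:
    """Checks worth running after editing the rules of a trunk; returns problems found."""
    problems: List[str] = []
    fallbacks = {rule.fallback() for rule in trunk.rules}
    if len(fallbacks) != 1:
        problems.append(f"{trunk.name}: the two rules name different fallback servers {sorted(fallbacks)}")
    if "localhost" in fallbacks:
        problems.append(f"{trunk.name}: fallback is still localhost; unresolved requests will not reach SharePoint")
    # A fallback that no application defines any more (server edited or deleted) must be redefined.
    if all(app.address_type == "IP/Host" for app in trunk.apps):
        defined = {addr for app in trunk.apps for addr, _ in app.servers}
        for fb in fallbacks - {"localhost"}:
            if fb not in defined:
                problems.append(f"{trunk.name}: fallback server {fb} is not defined in any SharePoint application")
    for app in trunk.apps:
        for addr, port in app.servers:
            if port != 80:
                problems.append(f"{trunk.name}/{app.name}: {addr} uses port {port}; port 80 is recommended for Office integration")
    return problems


if __name__ == "__main__":
    portal = Trunk("portal")
    portal.add_app(SharePointApp("sps", "IP/Host", [("ServerA", 80), ("ServerB", 80)]))
    portal.add_app(SharePointApp("wss", "IP/Host", [("ServerC", 80)]))
    print("fallback:", portal.rules[0].fallback())   # ServerA, also for the later wss application
    print("unresolved request goes to:", portal.route(None))
    extranet = Trunk("extranet")
    extranet.add_app(SharePointApp("wss-farm", "Subnet", [("10.0.0.0/24", 80)]))
    print(audit(extranet))                            # flags the localhost default
```

The audit reproduces the checks the page asks for by hand: both rules carry the same fallback, the fallback is not the localhost placeholder left by a subnet or regular-expression definition, the fallback still exists as a defined server, and every server uses port 80.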

Blocking file upload operations

You can configure the application upload policy so that end-users cannot do the following, unless their computer meets the security policy requirements you define:

  • Upload files.

  • Check-in files.

  • Save files from Microsoft Office applications to the SharePoint Server.

Users that are blocked are notified accordingly.

To block file upload operations

  1. In the IAG Configuration console, access the Application Properties dialog box and click Manage Policies.

  2. In the Manage Policies and Expressions dialog box, under the Policies group, select the SharePoint 2003 Upload Checkin policy, and then click Edit Policy.

  3. In the Policy Editor dialog box, edit the policy to match your corporate policy, so that noncompliant computers, such as computers that do not run up-to-date antivirus software, are blocked. You can use the Default Web Application Upload policy as a basis for your definitions. For more information, see Managing IAG client endpoint policies.

    On the Policy Editor dialog box, click OK, and then on the Manage Policies and Expressions dialog box, click Close.

    On the Application Properties dialog box, on the General tab, in the Upload list, click the SharePoint 2003 Upload Checkin policy, and then click OK.

  4. On the toolbar of the Configuration console, click the Activate Configuration icon, and then on the Activate Configuration dialog box, click Activate.

    When the configuration is activated, the message "IAG configuration activated successfully" appears.

    The upload operations described in this section will be blocked, on both the client and the server side, on endpoint computers that do not comply with the security policy you defined here.

    Note

    The above steps ensure full correlation of the policy on the client and server sides. If you wish to cancel the policy, you must redefine the policy value as True, and cancel selection of the policy in the General tab of the Application Properties dialog box.

Blocking file download operations

You can configure the application download policy so that end-users cannot do the following, unless their computer meets the security policy requirements you define:

  • Download files.

  • Use the Edit in Datasheet option.

  • Use the Export to Spreadsheet option.

Users that are blocked are notified accordingly.

To block file download operations

  1. In the IAG Configuration console, access the General tab of the Application Properties dialog box and then click Manage Policies.

  2. In the Manage Policies and Expressions dialog box, under the Policies group, select the SharePoint 2003 Download policy, and then click Edit Policy.

  3. In the Policy Editor dialog box, edit the policy to match your corporate policy, so that noncompliant computers, such as computers that do not run a firewall, are blocked. You can use the Default Web Application Download policy as a basis for your definitions. For more information, see Managing IAG client endpoint policies.

    On the Policy Editor dialog box, click OK, and then on the Manage Policies and Expressions dialog box, click Close.

    On the Application Properties dialog box, on the General tab, in the Download list, click the SharePoint 2003 Download policy, and then click OK.

  4. On the toolbar of the Configuration console, click the Activate Configuration icon, and then on the Activate Configuration dialog box, click Activate.

    When the configuration is activated, the message "IAG configuration activated successfully" appears.

    The download operations described in this section will be blocked, on both the client and the server side, on endpoint computers that do not comply with the security policy you defined here.

    Note

    The above steps ensure full correlation of the policy on the client and server sides. If you wish to cancel the policy, you must redefine the policy value as True, and cancel selection of the policy in the General tab of the Application Properties dialog box.

Disabling modification of Web parts

This section describes how you prevent end-users from modifying Web parts, including adding, editing, and deleting items in Web parts, unless their computer meets the security policy requirements you define.

You prevent the modification of Web parts by blocking end-users at the client side. This is achieved by activating the endpoint policy SharePoint 2003 Enhanced Security and defining it to comply with your corporate policy, as described in the procedure below. Because this control is applied only at the client side, it governs what the user interface offers on a noncompliant endpoint; it does not add a server-side check of the kind provided by the restricted zone rules described in Restricting Access to Zones and Areas.

To prevent the modification of Web parts on the client side

  1. In the Configuration console, open the Application Properties dialog box. In the General tab, click Manage Policies.

  2. In the Manage Policies and Expressions dialog box, under the Policies group, select the SharePoint 2003 Enhanced Security policy, then click Edit Policy.

  3. To define the prerequisites that endpoint computers must meet in order to enable modification of Web parts, remove the default values from the relevant platform-specific policies, and assign the appropriate values. For details, see Managing IAG client endpoint policies.

  4. On the toolbar of the Configuration console, click the Activate Configuration icon, and then on the Activate Configuration dialog box, click Activate.

    When the configuration is activated, the message "IAG configuration activated successfully" appears.

    Modification of Web parts is blocked at the client side, on client endpoints that do not comply with the security policy that you define here.

Restricting access to zones and areas

You can configure the restricted zone policy for an application so that end-users cannot access specific zones and areas of the application, such as administrative zones, if their computer does not meet the security policy requirements.

In order to enable this option, once you finish adding the application to the trunk, you need to assign a unique restricted zone policy to the application, as described below. The defined zones and areas are blocked on the server side, and users that are blocked are notified accordingly.

To restrict access to zones and areas

  1. In the Configuration console, access the Application Properties dialog box. Click the Web Settings tab, and then verify that the option Activate Restricted Zone is selected.

  2. Click the General tab, then in the Endpoint Policies area, from the Restricted Zone drop-down list, select the policy SharePoint 2003 Admin Zones and then click Manage Policies.

  3. In the Manage Policies and Expressions dialog box, under the Policies group, select the policy SharePoint 2003 Admin Zones, and then click Edit Policy.

  4. To define the prerequisites that endpoint computers must meet in order to enable access to all zones and areas of the application, remove the default values from the relevant platform-specific policies, and assign the appropriate values. For details, see Managing IAG client endpoint policies.

  5. To block access to additional areas of the application, such as the News area, access the Global URL Settings tab of the Advanced Trunk Configuration window, and, next to Restricted Zone URLs, click Configure. In the Restricted Zone URLs Settings dialog box, add a rule with the URL of the area you wish to block. Repeat for additional areas as required. For example, to block access to the News area, add the following rule:

    Type: SharePoint 2003

    URL: .*/news/default\.aspx

    Method: GET

  6. On the toolbar of the Configuration console, click the Activate Configuration icon, and then on the Activate Configuration dialog box, click Activate.

    When the configuration is activated, the message "IAG configuration activated successfully" appears.

    Access to the administrative zones and to the areas you defined will be blocked on the server side, for client endpoints that do not comply with the security policy that you define here.
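The following Python example, added here and not part of the original page or of IAG, shows how a Restricted Zone URL rule of the kind entered in step 5 is evaluated against requests, and why the escaping and the Method column matter. It assumes that IAG matches each rule's regular expression against the whole request path without the query string, ignores case, and applies a rule only to the HTTP method listed in it; these semantics are not stated on this page and should be verified against your IAG version. The class and function names and the sample request paths are constructed for the example.

```python
"""Evaluate Restricted Zone URL rules against requests.
Illustrative model for this page; the matching semantics below are assumptions,
not a statement of how IAG is implemented."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RestrictedZoneRule:
    rule_type: str  # the Type column, e.g. "SharePoint 2003"
    url: str        # the URL column: a regular expression over the request path
    method: str     # the Method column: the HTTP method the rule applies to

    def matches(self, method: str, url: str) -> bool:
        # Assumed semantics: whole path, query string ignored, case-insensitive.
        path = urlsplit(url).path
        return (method.upper() == self.method.upper()
                and re.fullmatch(self.url, path, re.IGNORECASE) is not None)


# The rule given on the page for the News area.
RULES: List[RestrictedZoneRule] = [
    RestrictedZoneRule("SharePoint 2003", r".*/news/default\.aspx", "GET"),
]


def restricted_zone_decision(rules: List[RestrictedZoneRule], endpoint_compliant: bool,
                             method: str, url: str) -> str:
    """Server-side decision: a compliant endpoint reaches every zone; a noncompliant
    one is blocked as soon as any rule matches. Returns 'allow' or 'block'."""
    if endpoint_compliant:
        return "allow"
    return "block" if any(rule.matches(method, url) for rule in rules) else "allow"


def unescaped_dots(pattern: str) -> List[int]:
    """Positions of '.' characters that are neither escaped nor part of a .* / .+ / .?
    wildcard. A bare '.' in 'default.aspx' matches any character, so the rule is
    wider than the author intended."""
    return [m.start() for m in re.finditer(r"(?<!\\)\.(?![*+?])", pattern)]


if __name__ == "__main__":
    for method, url in [("GET", "/news/default.aspx"),
                        ("GET", "/sites/hr/News/Default.aspx?PageView=Shared"),
                        ("POST", "/news/default.aspx")]:
        print(method, url, "->", restricted_zone_decision(RULES, False, method, url))
    print("unescaped dots in loose pattern:", unescaped_dots(".*/news/default.aspx"))
```

Two points the run makes visible: the rule as written applies to GET only, so a request for the same page with another method is not covered by it and needs its own rule if that is the intent; and a pattern typed without the backslash before .aspx still matches the intended page but also matches unintended paths, which unescaped_dots() flags before the rule is activated.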

Integration with third-party applications

You can enable access from the SharePoint Server to third-party applications, via the SharePoint Server Web parts, when the SharePoint Server is accessed through IAG. This is required only for Web parts that communicate directly with a separate application server, for example an Outlook Web Access server.

For applications of this type, you need to add a corresponding application to the IAG portal. In the IAG Configuration console, use the Add Application Wizard to add the required applications to the trunk that enables access to the SharePoint Server.