Managing the Microsoft Office SharePoint Server 2007 (backward compatibility) application in IAG SP2

Applies To: Intelligent Application Gateway (IAG)

The Office SharePoint Server 2007 (backward compatibility) application in Intelligent Application Gateway (IAG) 2007 is used to access the following SharePoint Products and Technologies: Windows SharePoint Services 2007 and SharePoint Portal Server 2007.

This application is used to support SharePoint Products and Technologies that were published via Intelligent Application Gateway (IAG) in previous versions, prior to the support of alternate access mapping in IAG. We recommend that you use the Office SharePoint Server 2007 application for all your SharePoint Products and Technologies publishing needs; the backward compatibility application should only be used in cases where the Office SharePoint Server 2007 application cannot be used.

Application-Specific Settings

This section describes the required and optional application-specific settings for the Microsoft Office SharePoint Server 2007 (backward compatibility) application, as follows:

  • Requirements on the Endpoint Computer.

  • Additional configuration steps you may have to take in these cases:

    • When more than one SharePoint Server 2007 (backward compatibility) application is defined on the same trunk.

    • When one SharePoint Server 2007 (backward compatibility) application is defined on the trunk, with multiple servers.

    These steps are described in Configuration in a Multiple-Address Setup.

  • Preventing end-users from uploading, checking-in files, and saving files from Microsoft Office applications to the server running SharePoint Products and Technologies, unless their computer meets the security policy requirements that you define, as described in Blocking File Upload Operations.

  • Preventing end-users from downloading files, exporting to a spreadsheet, or editing datasheets, unless their computer meets the security policy requirements that you define, as described in Blocking File Download Operations.

  • Restricting end-users’ access to sensitive areas of the application, unless their computer meets the security policy requirements that you define, as described in Restricting Access to Zones and Areas.

  • Enabling the "Explorer View" option, as described in Enabling the Explorer View Option.

  • Enabling access from the server running SharePoint Products and Technologies to third-party applications, as described in Integration with Third-Party Applications.

  • Providing end-users with information on configuring Windows Internet Explorer 7 to work with client integration, as described in Using the Windows Vista Operating System with Internet Explorer 7.

Requirements on client endpoints

  • For maximum integration, Microsoft Office 2003 SP1 or higher must be installed on the client endpoints.

  • In order to enable integration with Microsoft Office applications, the IAG Attachment Wiper client component must be installed on the endpoint computer. On computers where the Attachment Wiper is not installed, Office documents will be displayed in the browser, and will not be cached.

Configuration in a multiple-address setup

This section describes additional configuration steps that are relevant when you use the same IAG trunk to access more than one server running SharePoint Products and Technologies. This section is not relevant to the following scenarios:

  • If there is only one SharePoint Server 2007 (backward compatibility) application in the trunk, with one server, defined by a single, plain-text IP address or hostname and a single port number.

  • If there are two or more trunks, each with a single SharePoint Server 2007 (backward compatibility) application with one server.

When using the instructions in this section, note that if you define more than one trunk with multiple addresses, you must repeat the instructions in this section for each of the trunks. When end-users access more than one SharePoint site from the same trunk, working with Office documents is only enabled from the first site accessed.

Configure a multiple-address setup in the following scenarios:

  • When one SharePoint Server 2007 (backward compatibility) application is defined on the trunk, with multiple servers. That is, the application’s servers are defined using multiple IP addresses, a subnet, or regular expressions.

  • When more than one SharePoint Server 2007 (backward compatibility) application is defined on the same trunk.

In both these setups, it is recommended that all SharePoint Server 2007 (backward compatibility) applications in the trunk are defined with port 80. If another port number is defined, this may impede the functionality of Microsoft Office applications when accessed via the SharePoint Server 2007 (backward compatibility) application.

The first time you add a SharePoint Server 2007 (backward compatibility) application to the trunk, the system automatically creates two dynamic Manual URL Replacement rules that reroute the requests to the application server. Each rule includes two server definitions:

  • A dynamic parameter, *DynamicSharepointServer*, which is used to determine the destination server to which the request is rerouted.

  • A fallback server, to which requests are rerouted in case the dynamic parameter cannot be resolved.

The fallback server is the first server that is defined for the first SharePoint Server 2007 (backward compatibility) application you add to the trunk, regardless of any servers you later add to the application. In addition, since the same fallback server is used for all the SharePoint Server 2007 (backward compatibility) applications in a trunk, if you later add more SharePoint Server 2007 (backward compatibility) applications to the trunk, they will all use the server you initially defined as the fallback server.

For example: If the trunk includes one SharePoint Server 2007 (backward compatibility) application with two servers, ServerA and ServerB, and ServerA is the fallback server, and you then add a new SharePoint Server 2007 (backward compatibility) application to the trunk, with ServerC, the fallback server for the new application is ServerA.

If you create a different trunk with SharePoint Server 2007 (backward compatibility) applications, a new set of dynamic Manual URL Replacement rerouting rules is created for that trunk, independently of the existing trunk.

Note

If you edit the definition of the server that is used as the fallback server, or if you delete that server, you must redefine the fallback server, as described in this procedure.

Tip

Once you add an application to the trunk, the configuration of the application servers can be seen and edited in the Web Servers tab of the Application Properties dialog box.

Manual URL Replacement rules are visible in the Application Access Portal tab of the Advanced Trunk Configuration window. For details, see Manually replacing URLs for HAT configuration in IAG.

The following procedure describes how you can change the fallback server defined in the rerouting rules. Note that:

  • When the rules are created for a "Subnet" or "Regular Expression" address-type, there is no pre-defined fallback server, and you must define one.

  • When the rules are created for a server that is defined by an "IP/Host" address-type, you can optionally change the fallback server.

Note

Make sure you implement the changes for both rerouting rules.

To change the fallback server

  1. In the Configuration console, access the Advanced Trunk Configuration window.

  2. On the Application Access Portal tab, in the Manual URL Replacement area, double-click the first SharePoint Server rule.

  3. On the URL Change dialog box, edit the server definitions in Server Name as follows:

    • For a server that is defined by a subnet or regular expression, the default value of Server Name is:

      *DynamicSharepointServer*localhost

      Change this value to:

      *DynamicSharepointServer*<fallback_server>

      Where <fallback_server> is the IP address or hostname of the fallback server.

      Do not change the parameter *DynamicSharepointServer*.

    • For a server that is defined by an IP address or hostname, the default value of Server Name is:

      *DynamicSharepointServer*<fallback_server>

      Where <fallback_server> is the IP address or hostname of the first Server running SharePoint Products and Technologies that was defined on the trunk. You can change the value of <fallback_server> as required.

      Do not change the parameter *DynamicSharepointServer*.

Note

Do not deselect the Dynamic option next to the Server Name field.

  4. Repeat steps 2–3 for the second rerouting rule.

  5. On the toolbar of the Configuration console, click the Activate Configuration icon, and then on the Activate Configuration dialog box, click Activate.

    When the configuration is activated, the message "IAG configuration activated successfully" appears.

    If the dynamic parameter cannot be resolved, requests will be rerouted to the fallback server you defined here.
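The following check is an added example, not part of the original documentation or of IAG. It validates the Server Name values of the two rerouting rules after they have been copied by hand from the URL Change dialog boxes; the function names and the sample values in the usage note are hypothetical.

```python
import ipaddress
import re

DYNAMIC_PARAM = "*DynamicSharepointServer*"  # literal from the procedure
PLACEHOLDER = "localhost"                    # default fallback for subnet/regex servers
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"    # one hostname label
_HOSTNAME = re.compile(rf"{_LABEL}(\.{_LABEL})*")


def is_host(value):
    """True if value is an IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        if re.fullmatch(r"[0-9.]+", value):  # malformed dotted-decimal address
            return False
        return len(value) <= 253 and _HOSTNAME.fullmatch(value) is not None


def check_server_names(rule_values, address_type):
    """Return findings for the Server Name values of the rerouting rules.

    rule_values  -- Server Name strings, one per rerouting rule
    address_type -- "IP/Host", "Subnet" or "Regular Expression"
    """
    findings, fallbacks = [], []
    for i, value in enumerate(rule_values, start=1):
        if not value.startswith(DYNAMIC_PARAM):
            findings.append(f"rule {i}: dynamic parameter missing or modified")
            continue
        fallback = value[len(DYNAMIC_PARAM):].strip()
        fallbacks.append(fallback.lower())
        if not fallback:
            findings.append(f"rule {i}: no fallback server defined")
        elif fallback.lower() == PLACEHOLDER and address_type != "IP/Host":
            # Subnet and regular-expression servers have no pre-defined fallback.
            findings.append(f"rule {i}: fallback is still the default '{PLACEHOLDER}'")
        elif not is_host(fallback):
            findings.append(f"rule {i}: '{fallback}' is not an IP address or hostname")
    if len(rule_values) != 2:
        findings.append(f"expected 2 rerouting rules, got {len(rule_values)}")
    if len(set(fallbacks)) > 1:
        # The procedure asks for the same change in both rules.
        findings.append("rules name different fallback servers")
    return findings
```

An empty list means both values keep the dynamic parameter and name the same, syntactically valid fallback server; for example, passing `*DynamicSharepointServer*localhost` twice with address type `Subnet` returns one finding per rule.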

Blocking File Upload Operations

You can configure the application upload policy so that end-users cannot do the following, unless their computer meets the security policy requirements you define:

  • Upload files.

  • Save files from Microsoft Office applications to the Server running SharePoint Products and Technologies.

Users that are blocked are notified accordingly.

To block file upload operations

  1. In the Configuration console, access the Application Properties dialog box and click Manage Policies.

  2. In the Manage Policies and Expressions dialog box, under the Policies group, select the SharePoint 2007 Upload Checkin policy, and then click Edit Policy.

  3. On the Policy Editor dialog box, you can edit the policy in order to comply with your corporate policy, so that noncompliant computers, such as computers that don't run up-to-date antivirus software, are blocked. You can use the Default Web Application Upload policy as a basis for your definitions. For more information, see Managing IAG client endpoint policies.

    On the Policy Editor dialog box, click OK, and then on the Manage Policies and Expressions dialog box, click Close.

    On the Application Properties dialog box, on the General tab, in the Upload list, click the SharePoint 2007 Upload Checkin policy, and then click OK.

  4. On the toolbar of the Configuration console, click the Activate Configuration icon, and then on the Activate Configuration dialog box, click Activate.

    When the configuration is activated, the message "IAG configuration activated successfully" appears.

    The upload operations described in this section will be blocked, on both the client and the server side, on endpoint computers that do not comply with the security policy you defined here.

    Note

    The above steps ensure full correlation of the policy on the client and server sides. If you wish to cancel the policy, you must redefine the policy value as True, and cancel selection of the policy in the General tab of the Application Properties dialog box.

Blocking file download operations

You can configure the application download policy so that end-users cannot do the following, unless their computer meets the security policy requirements you define:

  • Download files.

  • Use the Edit in Datasheet option.

Users that are blocked are notified accordingly.

To block file download operations

  1. In the Configuration console, access the General tab of the Application Properties dialog box and then click Manage Policies.

  2. In the Manage Policies and Expressions dialog box, under the Policies group, select the SharePoint 2007 Download policy, and then click Edit Policy.

  3. On the Policy Editor dialog box, you can edit the policy in order to comply with your corporate policy, so that noncompliant computers, such as computers that don't run a firewall, are blocked. You can use the Default Web Application Download policy as a basis for your definitions. For more information, see Managing IAG client endpoint policies.

    On the Policy Editor dialog box, click OK, and then on the Manage Policies and Expressions dialog box, click Close.

    On the Application Properties dialog box, on the General tab, in the Download list, click the SharePoint 2007 Download policy, and then click OK.

  4. On the toolbar of the Configuration console, click the Activate Configuration icon, and then on the Activate Configuration dialog box, click Activate.

    When the configuration is activated, the message "IAG configuration activated successfully" appears.

    The download operations described in this section will be blocked, on both the client and the server side, on endpoint computers that do not comply with the security policy you defined here.

    Note

    The above steps ensure full correlation of the policy on the client and server sides. If you wish to cancel the policy, you must redefine the policy value as True, and cancel selection of the policy in the General tab of the Application Properties dialog box.

Restricting access to zones and areas

You can configure the restricted zone policy for an application so that end-users cannot access sensitive zones and areas of the application, such as administrative zones, if their computer does not meet the security policy requirements.

In order to enable this option, once you finish adding the application to the trunk, you need to assign a unique Restricted Zone policy to the application, as described in this section. The defined zones and areas are blocked on the server side, and users that are blocked are notified accordingly.

To restrict access to zones and areas

  1. In the Configuration console, access the Application Properties dialog box. Click the Web Settings tab, and then verify that the option Activate Restricted Zone is selected.

  2. Click the General tab, then in the Endpoint Policies area, from the Restricted Zone drop-down list, select the policy SharePoint 2007 Admin Zones and then click Manage Policies.

  3. In the Manage Policies and Expressions dialog box, under the Policies group, select the policy SharePoint 2007 Admin Zones, and then click Edit Policy.

  4. To define the prerequisites that endpoint computers must meet in order to enable access to all zones and areas of the application, remove the default values from the relevant platform-specific policies, and assign the appropriate values. For details, see Managing IAG client endpoint policies.

  5. To block access to additional areas of the application, such as the News area, access the Global URL Settings tab of the Advanced Trunk Configuration window, and, next to Restricted Zone URLs, click Configure. In the Restricted Zone URLs Settings dialog box, add a rule with the URL of the area you wish to block. Repeat for additional areas as required. For example, to block access to the News area, add the following rule:

    Type: SharePoint 2007

    URL: .*/news/default\.aspx

    Method: GET

  6. On the toolbar of the Configuration console, click the Activate Configuration icon, and then on the Activate Configuration dialog box, click Activate.

    When the configuration is activated, the message "IAG configuration activated successfully" appears.

    Access to the administrative zones and to the areas you defined will be blocked on the server side, for client endpoints that do not comply with the security policy that you define here.
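Before adding a Restricted Zone URL rule, it helps to confirm that its regular expression covers the pages you intend and nothing else. The following is an added example, not part of the original documentation or of IAG: it assumes that the rule's method must equal the request method and that the expression must match the whole URL path, which the page does not state, and the sample requests and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Rule from the News example above, and a constructed variant with the
# backslash before ".aspx" left out, for comparison.
PAGE_RULE = {"url": r".*/news/default\.aspx", "method": "GET"}
UNESCAPED = {"url": r".*/news/default.aspx", "method": "GET"}

# Constructed samples: (method, URL, whether the rule is meant to apply).
SAMPLES = [
    ("GET", "/news/default.aspx", True),
    ("GET", "/sites/hr/news/default.aspx", True),   # News area of a subsite
    ("GET", "/news/defaultXaspx", False),           # not the News page
    ("GET", "/news/archive.aspx", False),
    ("GET", "/oldnews/default.aspx", False),        # different area
]


def rule_applies(rule, method, url):
    """Assumed semantics: same method, and the regex matches the entire path."""
    if method.upper() != rule["method"].upper():
        return False
    path = urlsplit(url).path  # accepts a bare path or a full URL
    return re.fullmatch(rule["url"], path) is not None


def audit(rule, samples):
    """Return the samples where the rule's decision differs from the intent."""
    return [(m, u) for m, u, want in samples if rule_applies(rule, m, u) != want]


if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("unescaped dot", UNESCAPED)):
        print(name, "->", audit(rule, SAMPLES) or "matches intent")
```

With these samples the rule from the page matches the intent, while the unescaped variant also matches `/news/defaultXaspx`, because an unescaped `.` stands for any character.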

Enabling the Explorer view option

By default, the Explorer View option is blocked. You can enable this option as described in this section; note that this option may not function as expected.

To enable the Explorer View option

  1. In the Configuration console, access the General tab of the Application Properties dialog box and then click Manage Policies.

  2. In the Manage Policies and Expressions dialog box, under the Policies group, select the SharePoint 2007 Enable Explorer View policy, and then click Edit Policy.

  3. To define the prerequisites that endpoint computers must meet in order to access the "Explorer View" option, remove the default values from the relevant platform-specific policies, and assign the appropriate values. For details, see Managing IAG client endpoint policies.

  4. On the toolbar of the Configuration console, click the Activate Configuration icon, and then on the Activate Configuration dialog box, click Activate.

    When the configuration is activated, the message "IAG configuration activated successfully" appears.

    End-users can now access the "Explorer View" option.

Integration with third-party applications

You can enable access from the Server running SharePoint Products and Technologies to third-party applications, via the SharePoint Server Web parts, when the Server running SharePoint Products and Technologies is accessed through IAG. This is required only for third-party applications that communicate directly with the application server, for example Outlook Web Access.

For applications of this type, you need to add a corresponding application to the IAG portal. In the IAG Configuration console, use the Add Application Wizard to add the required applications to the trunk that enables access to the Server running SharePoint Products and Technologies.

Using the Windows Vista Operating System with Internet Explorer 7

In Windows Vista, Internet Explorer 7 includes an additional security feature called protected mode. By default, protected mode is enabled for the Internet, Intranet, and Restricted Zones sites. Because this feature places persistent cookies in a location that prevents sharing across applications, client integration does not work as intended.

To configure Internet Explorer 7 to work with client integration, do one of the following:

  • Disable protected mode.

  • If protected mode is enabled, add the portal site to the Trusted sites zone in Internet Explorer.