Export (0) Print
Expand All

Scenario 2: Back-to-back perimeter topology

Office 2007

Updated: February 25, 2010

 

Topic Last Modified: 2010-02-24

This article describes how to deploy Microsoft Office SharePoint Server 2007 and Microsoft Office Project Server 2007 in an extranet environment with the back-to-back perimeter topology. This is the one of three deployment scenarios in deploying Office SharePoint Server 2007 with Office Project Server 2007 in an extranet environment. The other two scenarios are:

  • Deploy Office SharePoint Server 2007 and Office Project Server 2007 in an extranet environment with the edge firewall topology

  • Deploy Office SharePoint Server 2007 and Office Project Server 2007 in an extranet environment with the split back-to-back topology

For additional information about deploying Office SharePoint Server 2007 with Office Project Server 2007, see Deploy Office Project Server 2007 with Office SharePoint Server 2007.

This paper is inspired by another article already published under the name Deploying Office SharePoint Server 2007 with ISA Server 2006. A lot of the concepts covered in that article apply to Office Project Server 2007.

ImportantImportant:
Before installing Office Project Server 2007 or Office SharePoint Server 2007, it is very important to thoroughly plan for the deployment. For information on planning for Office Project Server 2007, see Planning and architecture for Office Project Server 2007. For information on planning for Office SharePoint Server 2007, see Planning and architecture for Office SharePoint Server 2007 and Extranet Resource Center for SharePoint Products and Technologies.

This scenario allows extranet users to access the Microsoft Office Project Web Access site integrated in an Office SharePoint Server 2007 farm. The communication from the extranet is encrypted and the communication in the intranet is not encrypted. The firewall technology used is based on Microsoft ISA Server 2006 SP1 and the Office Project Web Access site is published to the extranet by using the web site publishing feature of Microsoft ISA Server 2006 SP1. The authentication of the extranet users used is Windows Authentication.

This scenario allows extranet users to access the Office Project Web Access environment.

Physical Architecture: Back-to-Back Perimeter

Because of the flexible nature of Microsoft ISA Server 2006 configuration schemes, two physical models are possible.

This configuration requires only one ISA Server 2006 installation on a server with three distinct network adapters that are configured to communicate with the Internet, the Perimeter network and the Internal network. When configuring ISA Server 2006, the range of IP addresses used by the Internet, perimeter and internal networks have to be specified as well as the Firewall Policy rules that govern the communication rules between each network.

ISA Server 2006 3-Leg Perimeter Network

This configuration requires two ISA Server 2006 installations on two separate servers with two distinct network adapters each that are configured to communicate with the Internet, the Perimeter network and the Internal network. When configuring ISA Server 2006, the range of IP addresses used by the Internet, perimeter and internal networks have to be specified as well as the Firewall Policy rules that govern the communication rules between each network. This is done in two steps that target the front firewall and then the back firewall.

ISA Server 2006 Back-to-Back Perimeter Network

The following table provides information about the computers used in the solution walkthrough. All the server names and network addresses are provided as an example and should be updated to reflect your environment.

 

Computer name Operating system Additional software Comments

topo1dc

Microsoft Windows Server® 2003 with Service Pack 1 (SP1)

Domain controller, Domain Name System (DNS), Internet Information Services (IIS), certification authority (CA)

Domain controller and internal CA

topo1app

Windows Server 2003 with SP1

Office SharePoint Server 2007 with SP2, IIS, Office Project Server 2007 with SP2

None

topo1app2

Windows Server 2003 with SP1

Office SharePoint Server 2007 with SP2, IIS, Office Project Server 2007 with SP2

None

topo1app3

Windows Server 2003 with SP1

Office SharePoint Server 2007 with SP2, IIS, Office Project Server 2007 with SP2

None

topo1isa1

Windows Server 2003 with SP1

ISA Server 2006 Standard Edition with SP1

None

topo1isa2

Windows Server 2003 with SP1

ISA Server 2006 Standard Edition with SP1

None

Topo1client1

Windows® XP Professional with SP2

Microsoft Office Project Professional 2007, Microsoft Office Word 2007 or Office Word 2003, Microsoft Office Excel 2007 or Office Excel 2003, and Microsoft Office Outlook 2007 or Office Outlook 2003

None

Topo1client2

Windows® XP Professional with SP2

Office Project Professional 2007, Office Word 2007 or Office Word 2003, Office Excel 2007 or Office Excel 2003, and Office Outlook 2007 or Office Outlook 2003

None

Topo1ca

Windows Server 2003 SP1

IIS, DNS, CA

Simulated Internet routing, DNS, and CA services

The following applies:

  • A computer referred to as topo1dc is the domain controller for Intra_Net and provides the following services:

    • Domain controller for corp.fabrikam.com

    • Authentication services

    • DNS for the internal domain corp.fabrikam.com

    • CA services for corp.fabrikam.com

  • A set of computers referred to as topo1app(n) is providing Office SharePoint Server 2007 and Office Project Server 2007 services for remote users. This computer is a member of the domain.

  • A set of computers referred to as topo1isa(n) is providing firewall and publishing services. This computer is in a workgroup. You will configure LDAP authentication to enable ISA Server to authenticate domain users. The topo1isa1 computer has two network adapters installed:

    • The IP address of the adapter connected to Intra_Net is 10.0.0.254/24.

    • The IP address of the adapter connected to the Perimeter network is 172.16.0.2/24 with the secondary IP addresses 172.16.0.103 through 172.16.0.104.

This scenario is used to expose a pre-existing deployment of Office SharePoint Server 2007 and Office Project Server 2007 to the internet as part of an extranet environment.

  • To deploy Office SharePoint Server 2007 and Office Project Server 2007 in an extranet environment with the Edge Firewall topology, you will take the following steps:

    1. Prepare the environment. Before beginning the installation process, you will need to gather data, confirm that the environment meets the prerequisites and complete a few pre-installation steps.

    2. Configure Office SharePoint Server 2007 and Office Project Server 2007.

    3. Install and Configure required software. In this step, you will install and configure the additional software required to support the extranet deployment.

Office SharePoint Server 2007 and Office Project Server 2007 have identical system requirements for the installation.

Several pieces of information are required before installing and configuring this solution.

  • Internal URL. This is the URL for the extranet server that internal users will use. This will likely be a Fully Qualified Domain Name (FQDN). For this scenario, we will use http://topo1app.fabrikam.com/pwa. The name resolution is served by the internal DNS servers.

  • External URL. This is the URL for the extranet server that external users will use. The name must be an FQDN like https://project.fabrikam.com. The name will be resolved by the external DNS provider.

  • Install a Certification Authority (Optional)

    You can either get a certificate through an external certification authority (CA) or use the Microsoft CA.

    If you choose to use the Microsoft CA, you must set it up on one of your domain controllers. The software installation process is very simple. On the domain controller, in Control Panel, double-click Add or Remove Programs, then click Add/Remove Windows Components. Select the Certificate Services check box, click Next, and then choose to create an Enterprise Root CA. Provide a common name, then select the defaults for the rest of the installation. When you are done, you will have a CA that can be used to issue certificates in your organization. For more information, see Installing and configuring a certification authority

  • Set Up DNS Aliases

    The servers will need to have DNS entries both internally and externally. We suggest using an alias for your internal DNS name for the collaboration environment rather than the actual host name of the extranet server. This allows you to move the collaboration environment to a different server or to deploy load balancing in the future with a minimum of disruption to your environment. The alias should point to the host record for the extranet server.

    You also need to have your external DNS provider create an A or CNAME record that external users can use to access the extranet server. Consult with your external DNS provider to set this up.

    NoteNote:
    For testing purposes, both the internal and external host names can be added to your HOSTS file.
  • Install Certificates

    Several certificates are required as described below to allow for the communication in the extranet network to be encrypted.

    • The TOPO1APP(n) computer has an SSL certificate installed from TOPO1DC with a common name of topo1app.corp.fabrikam.com (only required for HTTPS-to-HTTPS bridging). The internal URL is https:// topo1app.corp.fabrikam.com.

    • The computer TOPO1ISA1 has the root CA certificate for TOPO1DC installed. This is necessary for ISA Server to accept the validity of the certificate on TOPO1APP.

    Follow the steps highlighted in the two articles below to respectively request and install the certificates.

    How to implement SSL in IIS

    How To: Install Imported certificates on a Web Server in Windows Server 2003

The site you just created has an internal URL that internal users can access. Now you must extend this site to an external URL that people outside your firewall can access.

To extend the Web application to the extranet zone:

  1. In Central Administration, click the Application Management tab, click Create or extend Web application, and then click Extend an existing Web application.

  2. At the top of the page, click No Selection, then click Change Web application.

  3. In the Select a Web Application dialog box, click the name of the Web application you just created.

  4. Click the Create a new IIS Web site option.

  5. In the Description box, type a descriptive name.

  6. In the Port box, type 443 (to set up for SSL), and in the Host Header box, type the external URL. (For example, if your external URL is https://project.fabrikam.com, type project.fabrikam.com.)

  7. In the Use Secure Sockets Layer (SSL) section, click Yes.

    NoteNote:
    If the security certificate has not been installed, you will not be able to access this URL until you have installed a certificate on this Web site.
  8. In the Load Balanced URL section, in the Zone list, click Intranet, and then click OK.

When the process completes, the Application Management page will appear.

  1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

  2. Click Operations.

  3. Click Alternate access mappings.

  4. In the Alternate Access Mapping Collection selector, click the selector, and then click Change Alternate Access Mapping Collection.

  5. Click the Web application that you are publishing.

  6. Click Edit Public URLs.

  7. In the Default field, enter the URL of the requests as they will be delivered to the Office SharePoint Server computer by the Office SharePoint Server publishing rule. For example, type https://project.fabrikam.com.

  8. Click Save.

  9. Click Add Internal URLs.

  10. In the URL protocol, host and port field, enter the URL of requests as they will be delivered to the Office SharePoint Server computer by the Office SharePoint Server publishing rule. For example, type https://project.fabrikam.com. Note that the SharePoint Publishing Wizard automatically selects port 80 for HTTP or port 443 for SSL. If you want the Web application to use a different port on the Office SharePoint Server computer for the publishing rule, you need to edit the Office SharePoint Server publishing rule in ISA Server to bridge your requests to the desired port. If you do not want to use the feature in the Office SharePoint Server publishing rule to forward the original host header, you need to enter an alternative name here that will resolve to your Office SharePoint Server computer.

  11. In the Zone field, select the zone that you extended for the Office SharePoint Server publishing rule. For example, select Default.

  12. Click Save.

Install Microsoft ISA Server 2006 SP1 on the server TOPO1ISA1 and TOPO1ISA2, by following the instructions at ISA Server 2006 Installation Guide.

Configure ISA Server 2006 to use a network of type 3-Leg Perimeter or Back-to-Back Perimeter.

Follow the steps highlighted in the two articles below to respectively request and install the certificates.

How to implement SSL in IIS

How To: Install Imported certificates on a Web Server in Windows Server 2003

LDAP authentication is similar to Active Directory authentication, except that the ISA Server computer does not have to be a member of the domain. ISA Server 2006 connects to a configured LDAP server over the LDAP protocol to authenticate the user. Every Windows domain controller is also an LDAP server by default, with no additional configuration changes required. By using LDAP authentication, you get the following benefits:

  • When ISA Server 2006 is installed in a perimeter network, you no longer need to open all of the ports required for domain membership.

  • You can authenticate users in a domain with which there is no trust relationship.

Perform the following procedure to create an LDAP server set. For Standard Edition, perform the following procedure on computer isa01. For Enterprise Edition, perform the following procedure on computer storage01.

To create an LDAP server set:

  1. In the console tree of ISA Server Management, click General:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, expand Configuration, and then click General.

  2. In the details pane, click Specify RADIUS and LDAP Servers.

  3. On the LDAP Servers Sets tab, click Add to open the Add LDAP Server Set dialog box.

  4. In LDAP server set name, type FabrikamUsers.

  5. Click Add, to add each LDAP server name or IP address.

  6. In Server name, type dc01 and click OK.

  7. Click OK to close the Add LDAP Server Set dialog box.

  8. Click New to open the New LDAP Server Mapping dialog box.

  9. In Login expression, type fabrikam\*. In LDAP server set, select FabrikamUsers, and then click OK.

  10. Click Close to close the Authentication Servers window.

To authenticate users through LDAP, you need to determine which users to authenticate and who authenticates the users. To do this, you need to create an LDAP user set.

Perform the following procedure to create an LDAP user set. For Standard Edition, perform the following procedure on computer TOPO1ISA1. To create an LDAP user set:

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, and then click Firewall Policy.

  2. On the Toolbox tab, click Users, and then click New. Use the wizard to create the new user set as outlined in the following table.

 

Page Field or property Setting

Welcome

User set name

Type FabrikamUsers.

Users

Select the users to include in this user set

Click Add, and select LDAP.

Add LDAP User

LDAP server set

User name

Select FabrikamUsers, the LDAP server set from the drop-down list.

Select All Users in this namespace.

You can also specify user groups or specific user accounts if you do not want all users to be part of this LDAP user set.

Completing the New User Set Wizard

Review settings

Click Back to make changes and Finish to complete the wizard.

Microsoft ISA Server 2006 works with the Windows SharePoint Services 3.0 technology and the Office SharePoint Server 2007 product to enhance security.

Using the combined collaboration features of Windows SharePoint Services and Office SharePoint Server, users in your organization can easily create, manage, and build their own collaborative Web sites and make them available throughout the organization.

When you publish Office SharePoint Server or Office Project Server 2007 sites to the Internet, you provide employees, who are not in the office, access to the information that they need to complete their jobs, no matter where they are located, without compromising security.

When you publish an Office SharePoint Server or Office Project Server 2007 site through ISA Server, you protect the Office SharePoint Server site from direct external access because the name and IP address of the Office SharePoint Server site are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the published Office SharePoint Server site according to the conditions of your Office SharePoint Server publishing rule.

When you publish an Office SharePoint Server site, ISA Server enables you to configure forms-based authentication, enforce a required authentication method, enable two-factor authentication, and control centralized logging.

The following assumptions apply for this walkthrough:

  • Office SharePoint Server 2007 and Office Project Server 2007 is installed and configured on TOPO1APP(n).

  • Office SharePoint Server alternate access mapping is properly configured on TOPO1APP.

  • The TOPO1APP(n) computer has an SSL certificate installed from TOPO1DC with a common name of topo1app.corp.fabrikam.com (only required for HTTPS-to-HTTPS bridging). The internal URL is https://topo1app.corp.fabrikam.com.

  • The computer TOPO1ISA1 has the root CA certificate for TOPO1DC installed. This is necessary for ISA Server to accept the validity of the certificate on TOPO1APP.

  • The external common name, which is the fully qualified domain name (FQDN), is project.fabrikam.com.

  • The TOPO1ISA1 computer has an SSL certificate installed from TOPO1CA with a common name of project.fabrikam.com.

  • ISA Server responds to requests for project.fabrikam.com on the IP address 172.16.0.103.

When you create a Web publishing rule, you must specify a Web listener to be used when creating the rule. The Web listener properties determine the following:

  • Which IP address or addresses and ports on the specified networks will listen for Web requests (HTTP or HTTPS)

  • Which server certificates to use with which IP address

  • Which authentication method to use

  • Number of concurrent connections that are allowed

  • ISA Server single sign on (SSO) settings

Use the information on the worksheet that you filled in previously, and perform the following procedure to create a Web listener.

To create a Web listener:

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, and then click Firewall Policy.

  2. On the Toolbox tab, click Network Objects, click New, and then select Web Listener. Use the wizard to create the Web listener as outlined in the following table.

 

Page Field or property Setting

Welcome

Web listener name

Type FBA.

Client Connection Security

Connection type, either SSL or not SSL

Select Require SSL secured connections with clients.

Web Listener IP Addresses

Listen for incoming Web requests on these networks

ISA Server will compress content

Select IP Addresses

Select the External network.

Check box should be selected (default).

See External Network Listener IP Selection page.

External Network Listener IP Selection

Listen for requests on

Available IP Addresses

Select Specified IP addresses on the ISA Server computer in the selected network.

Select 172.16.0.103 and click Add.

Listener SSL Certificates

A Web listener can use a single certificate for all of its IP addresses, or a different certificate for each IP address.

Select Assign a certificate for each IP address.

Select IP address 172.16.0.103 and click Select Certificate.

Select Certificate

Select a certificate

Select the certificate issued to project.fabrikam.com and click Select. The certificate must be installed before running the wizard.

Authentication Settings

Specify how clients will provide credentials to ISA Server

Select how ISA Server will validate client credentials

Select HTML Form Authentication.

Select LDAP (Active Directory).

Single Sign On Settings

Enable SSO for Web sites published with this Web listener

SSO domain name

Confirm that this option is selected.

Type .fabrikam.com.

Completing the New Web Listener Wizard

Review settings

Click Back to make changes or Finish to complete the wizard.

NoteNote:
If an LDAP server set has not already been created, the Create Web Listener Wizard will prompt you to create the LDAP server set.
ImportantImportant:
Configure persistent cookies to allow users to open documents from an Office SharePoint Server site or an Office Project Server 2007 site without the need for the user to reauthenticate. The following security issues relate to the use of persistent cookies:
  • A malicious attacker who obtains a persistent cookie may be able to perform a brute force attack to obtain user credentials from the cookie.

  • On a public computer, if the user does not log off, the session cookie can be used by the next user to access published sites. This threat can be mitigated by not enabling persistent cookies for public computers.

  • Spyware may be able to access the cookie.

Use the information on the worksheet that you filled in previously, and perform the following procedure to publish an Office SharePoint Server site.

To publish an Office SharePoint Server site:

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, and then click Firewall Policy.

  2. On the Tasks tab, click Publish SharePoint Sites. Use the wizard to create a rule as outlined in the following table.

 

Page Field or property Setting

Welcome

SharePoint publishing rule name

Type Publishing SharePoint.

Publishing Type

Publishing type options

Select Publish a single Web site or load balancer.

NoteNote:
For more information about publishing a server farm of load balanced Web servers, see "Web Server Farm Load Balancing in ISA Server 2006" at the Microsoft TechNet Web site.

Server Connection Security

Choose the type of connections ISA Server will establish with the published server or server farm

Select Use SSL to connect to the published Web server or server farm.

NoteNote:
For HTTPS-to-HTTP bridging (SSL Termination), you should select Use non-secured connections to connect the published Web server or server farm.

Internal Publishing Details

Internal site name

Type TOPO1APP.corp.fabrikam.com.

ImportantImportant:
The internal site name must match the name of the server certificate that is installed on the internal Web servers.
NoteNote:
If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server, and then type the required IP address or name that is resolvable by the ISA Server computer.

Public Name Details

Accept requests for

Public name

This domain name (type below)

Type project.fabrikam.com.

Select Web Listener

Web listener

Select FBA.

Authentication Delegation

Select the method used by ISA Server to authenticate to the published Web server

Select NTLM authentication.

Alternate Access Mapping Configuration

For complete integration and functionality, you need to configure alternate access mapping on the published SharePoint site.

Select SharePoint AAM is already configured on the SharePoint server.

User Sets

This rule applies to requests from the following user sets

Select All Authenticated Users and click Remove.

Click Add, select FabrikamUsers, click Add, and then click Close.

Completing the New SharePoint Publishing Rule Wizard

Review settings

Click Back to make changes and Finish to complete the wizard.

ImportantImportant:
If publishing the Windows SharePoint Services 3.0 Central Administration site, the link translation feature should be disabled in the Office SharePoint Server publishing rule. Link translation can interfere with management of the alternate access mappings.
NoteNote:
If the Office SharePoint Server computer resides in a perimeter network, you might need to open up communications between the Office SharePoint Server computer and your internal network.

On the TOPO1CA or TOPO1CLIENT2 computers, perform the following procedure to test the new Office SharePoint Server and Office Project Server 2007 publishing rule.

NoteNote:
Make sure that you have the root CA certificate of the issuing CA of the project.fabrikam.com certificate installed.

To test Office SharePoint Server publishing:

  1. Open Microsoft Internet Explorer.

  2. Browse to the following URL: https://project.fabrikam.com. Use the following details to log on:

    • Domain\user name

    • Password

      Log On Screen

You should access the Office Project Web Access site.

The ISA Server 2006 server TOPO1ISA2 manages the communication between the Perimeter network and the Internal network. The internal users must still be able to access all features of Office SharePoint Server 2007 and Office Project Server 2007. To do so, specific ports and protocols must be allowed in TOPO1ISA2. Consult the diagram below to identify these ports and protocols and use this information to create firewall policy rules in ISA Server 2006 on TOPO1ISA2.

Ports and Protocols Diagram

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft