Secure Application Publishing
Microsoft® Internet Security and Acceleration (ISA) Server 2006 is the security gateway that helps protect your mission-critical applications from Internet-based threats. ISA Server enables your business to do more, with secure access to Microsoft applications and data. Secure your Microsoft application infrastructure by protecting your corporate applications, services, and data across all network layers with stateful packet inspection, application-layer filtering, and comprehensive publishing tools. Streamline your network with simplified administrator and user experiences through a unified firewall and virtual private network (VPN) architecture, which includes Web caching and bandwidth management, an optimized firewall filtering engine, and comprehensive access controls. Safeguard your information technology environment to reduce security risks and costs, and help eliminate the effects that malicious software and attackers have on your business, by using comprehensive tools for scanning and blocking harmful content, files, and Web sites.
In this document, the following new or enhanced features are discussed:
- Secure application publishing scenarios
- Microsoft Office SharePoint® Portal Server publishing
- Microsoft Exchange Web client access publishing
- Microsoft Outlook® Web Access
- Microsoft Office Outlook 2003 RPC over HTTP access
- Server farms for load balancing between Web servers
- Single sign on (SSO)
Scenario
Solution
Network Topology
Secure Application Publishing Walk-Throughs
Appendix A: Additional Publishing Features
Appendix B: LDAP Configuration
Appendix C: Alternate Access Mapping
Appendix D: Security Tips
Appendix E: Administrative Tips
Contoso, Ltd wants to provide employees, when they are not in the office, simple and secure access to the following business applications:
- Outlook Web Access
- RPC over HTTP for Outlook clients
- SharePoint Portal Server and Windows SharePoint Services
Contoso also wants to enhance the working relationship with partners and vendors by providing access to these applications.
Currently, access to these applications is available only to users through a client access VPN connection. For security reasons, Contoso does not want to allow direct access from the Internet to these applications, because attacks may be hidden within Secure Sockets Layer (SSL) connections. Contoso does not want internal servers to be accessible directly from the Internet.
Client access VPN connections can be slow, and proper configuration of the VPN connection on the client computer is required. Also, when employees are at an off-site location, they may be behind a firewall, which blocks client access VPN connections. These limitations reduce the effectiveness of accessing important information when not in the office. ISA Server 2006 publishing provides secure and quick access to applications.
The prescribed solution is to publish applications with ISA Server 2006. Communication from external clients to the ISA Server computer and from the ISA Server computer to the published server is encrypted using SSL. ISA Server is not joined to the domain and performs authentication via a Lightweight Directory Access Protocol (LDAP) connection to the domain.
ISA Server 2006 Standard Edition or ISA Server 2006 Enterprise Edition can be used in this solution.
ISA Server 2006 addresses the Contoso issues by making their applications available over the Internet in a secure way.
When you publish an application through ISA Server 2006, you are protecting the server from direct external access because the name and IP address of the server are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the server according to the conditions of the server publishing rule.
SSL bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, after receiving the client's request, ISA Server 2006 decrypts it, inspects it, and terminates the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the publishing Web server. If the secure Web publishing rule is configured to forward the request using Secure HTTP (HTTPS), ISA Server initiates a new SSL connection with the published server. Because the ISA Server computer is now an SSL client, it requires that the publishing Web server responds with a server-side certificate.
ISA Server 2006 enables you to configure forms-based authentication for supported applications. Forms-based authentication enables you to enforce required authentication methods, enable two-factor authentication, control e-mail attachment availability, and provide centralized logging.
ISA Server 2006 supports LDAP authentication, enabling you to place the ISA Server computer in the perimeter network (also known as DMZ, demilitarized zone, and screened subnet). The ISA Server computer does not join the domain, so you no longer need to open all of the required ports for Active Directory® directory service communications. You still need to open LDAP or global catalog ports between the ISA Server computer and the configured Active Directory domain controller. Keeping your ISA Server computers in a workgroup configuration reduces the attack surface and simplifies the deployment of ISA Server. For more information about authentication, see "Authentication in ISA Server 2006" at the Microsoft TechNet Web site.
ISA Server 2006 overcomes the difficulties of using client access VPN connections in the following ways:
- Access to published applications is via a Web browser.
- Applications are now more widely available and more accessible than remote access VPNs due to the use of SSL. You can access your published applications behind firewalls, from connections using network address translation (NAT), and from other networking devices that might otherwise be blocking remote access VPN connections.
- The reconnect process is easier and quicker, due to SSL. If your connection to the Internet is disconnected, you no longer need to reconnect via the remote access VPN dialer. After Internet access is reconnected, you can go back to your published application.
- Partners, vendors, and employees who are not in the office can easily access the required information in a secure way.
The scenarios assume that you will deploy this solution in a laboratory environment that includes the following two networks:
- A network simulating your corporate network, called HQ_Net. In the walk-through, HQ_Net spans this address range: 10.0.0.1 through 10.0.0.254.
- A network simulating the Internet, called Test_Internet. In the walk-through, Test_Internet spans this address range: 172.16.0.0 through 172.16.255.255.
The following figure illustrates the computers used in the feature walk-through.
The following table provides information about the computers used in the feature walk-through.
Computer name | Operating system | Additional software | Comments |
---|---|---|---|
dc01 | Microsoft Windows Server® 2003 with Service Pack 1 (SP1) | Domain controller, Domain Name System (DNS), Internet Information Services (IIS), certification authority (CA) | Domain controller and internal CA |
exchange01 | Windows Server 2003 SP1 | Microsoft Exchange Server 2003 SP1, IIS | Back-end Exchange server |
owa01 | Windows Server 2003 SP1 | Exchange Server 2003 SP1, IIS | Front-end Exchange server |
sps01 | Windows Server 2003 SP1 | Microsoft Office SharePoint Portal Server 2003 with Service Pack 2, IIS | None |
isa01 | Windows Server 2003 SP1 | ISA Server 2006 Standard Edition or Enterprise Edition | None |
client01 | Windows® XP Professional with Service Pack 2 (SP2) | Microsoft Office Word 2003, Office Excel 2003, and Office Outlook 2003 | None |
storage01 | Windows Server 2003 SP1 | ISA Server 2006 Enterprise Edition | Configuration Storage server, required only for Enterprise Edition |
router01 | Windows Server 2003 SP1 | IIS, DNS, CA | Simulated Internet routing, DNS, and CA services |
The following applies:
- A computer referred to as dc01 is the domain controller for HQ_Net and provides the following services:
  - Domain controller for corp.contoso.com
  - Authentication services
  - DNS for the internal domain corp.contoso.com
  - CA services for corp.contoso.com
- A computer referred to as exchange01 is providing messaging services for corp.contoso.com. This computer is a member of the domain.
- A computer referred to as owa01 is providing Outlook Web Access for remote users. This computer is a member of the domain.
- A computer referred to as sps01 is providing SharePoint Portal Server 2003 portal services for remote users. This computer is a member of the domain.
- A computer referred to as storage01 is the Configuration Storage server for the enterprise, necessary when you are using ISA Server Enterprise Edition. This computer is a member of the domain. The Configuration Storage server was installed with a certificate for authentication over an SSL-encrypted channel.
- A computer referred to as isa01 is providing firewall and publishing services. This computer is in a workgroup. You will configure LDAP authentication to enable ISA Server to authenticate domain users. The isa01 computer has two network adapters installed:
  - The IP address of the adapter connected to HQ_Net is 10.0.0.254/24.
  - The IP address of the adapter connected to Test_Internet is 172.16.0.2/24, with the secondary IP addresses 172.16.0.103 through 172.16.0.104.
- For ISA Server 2006 Enterprise Edition, the following applies:
  - Follow the instructions in the ISA Server 2006 Quick Start Guide to install the Configuration Storage server. Because the ISA Server computer will not join the domain, during the installation, on the Enterprise Deployment Environment page, select Use certificate authentication, and provide the location of the exported server certificate.
  - The solution assumes that an array named main has been created with the following configuration settings:
    - Storage01 has been added to the Remote Management Computers computer set.
    - Authentication on the Configuration Storage page has been set to Authenticate over SSL-encrypted channel.
  - isa01 has joined the main array during installation of ISA Server 2006.
For more information about installing ISA Server 2006, see the Quick Start Guides and the Installation Guides on the product CD.
The following table shows three users who have been created in the domain and have mailboxes on exchange01.
First name | Last name | User logon name | User logon name (pre-Windows 2000) | Password | Mailbox | Exchange server |
---|---|---|---|---|---|---|
Matt | Berg | mberg | Mberg | Passw0rd | Yes | exchange01 |
Jeff | Hay | Jhay | Jhay | Passw0rd | Yes | exchange01 |
Lisa | Miller | lmiller | Lmiller | Passw0rd | Yes | exchange01 |
A computer referred to as router01 is providing DNS and CA services to the Test_Internet network. This computer is not a member of the domain.
Note
The configuration would be similar in a production environment. The differences would be in the use of the default ISA Server defined External network (representing the Internet) rather than Test_Internet, and the use of your actual IP address ranges for your Internal and perimeter networks.
This section discusses the following topics:
Configure ISA Server 2006 for LDAP Authentication
Publish Outlook Web Access and RPC over HTTP
Publish SharePoint Sites
Secure Single Sign On Between Web and Outlook Web Access Publishing
LDAP authentication is similar to Active Directory authentication, except that the ISA Server computer does not have to be a member of the domain. ISA Server 2006 connects to a configured LDAP server over the LDAP protocol to authenticate the user. Every Windows domain controller is also an LDAP server, by default, with no additional configuration changes required. By using LDAP authentication, you get the following benefits:
- You can run an ISA Server 2006 Standard Edition server or ISA Server 2006 Enterprise Edition array members in workgroup mode. When ISA Server is installed in a perimeter network, you no longer need to open all of the ports required for domain membership.
- Authentication of users in a domain with which there is no trust relationship.
For more information about LDAP, see Appendix B: LDAP Configuration.
To configure LDAP authentication, you need to:
Create an LDAP Server Set
Create an LDAP User Set
Perform the following procedure to create an LDAP Server set. For Standard Edition, perform the following procedure on computer isa01. For Enterprise Edition, perform the following procedure on computer storage01.
To create an LDAP server set
1. In the console tree of ISA Server Management, click General:
   - For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, expand Configuration, and then click General.
   - For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, expand Configuration, and then click General.
2. In the details pane, click Specify RADIUS and LDAP Servers.
3. On the LDAP Servers Sets tab, click Add to open the Add LDAP Server Set dialog box.
4. In LDAP server set name, type CorpLDAP.
5. Click Add to add each LDAP server name or IP address.
6. In Server name, type dc01, and then click OK.
7. Click OK to close the Add LDAP Server Set dialog box.
8. Click New to open the New LDAP Server Mapping dialog box.
9. In Login expression, type corp\*. In LDAP server set, select CorpLDAP, and then click OK.
10. Click Close to close the Authentication Servers window.
For more information about LDAP server settings, see Appendix B: LDAP Configuration.
To authenticate users through LDAP, you need to specify which users to authenticate and which LDAP server set authenticates them. To do this, you create an LDAP user set.
Perform the following procedure to create an LDAP user set. For Standard Edition, perform the following procedure on computer isa01. For Enterprise Edition, perform the following procedure on computer storage01.
To create an LDAP user set
- In the console tree of ISA Server Management, click Firewall Policy:
- Use the New User Set Wizard as outlined in the following table.

Page | Field or property | Setting |
---|---|---|
Welcome | User set name | Type LDAPUsers. |
Users | Select the users to include in this user set | Click Add, and select LDAP. |
Add LDAP User | LDAP server set; User name | Select CorpLDAP, the LDAP server set, from the drop-down list. Select All Users in this namespace. Note: You can also specify user groups or specific user accounts if you do not want all users to be part of this LDAP user set. |
Completing the New User Set Wizard | Review settings. | Click Back to make changes and Finish to complete the wizard. |

- Click the Apply button in the details pane to save the changes and update the configuration.
Outlook Web Access provides Web browser access to e-mail, scheduling (including group scheduling), contacts, tasks, and collaborative information stored in Exchange Storage System folders. Outlook Web Access is used by remote, home, and roving users.
RPC over HTTP enables users to access e-mail with Office Outlook 2003 over the Internet. Exchange Server 2003, together with Outlook 2003 and Windows Server 2003, supports the use of RPC over HTTP to access servers that are running Exchange Server. By using RPC over HTTP, users no longer have to use a VPN connection to connect to Exchange mailboxes. Users who are running Outlook 2003 on client computers can connect to an Exchange server in a corporate environment from the Internet.
When you publish Outlook Web Access servers and RPC over HTTP through ISA Server, you are protecting the Outlook Web Access server and the RPC over HTTP proxy server from direct external access because the name and IP address are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the Outlook Web Access server or RPC over HTTP proxy server according to the conditions of your mail server publishing rule.
Further, when you publish Outlook Web Access, ISA Server enables you to configure forms-based authentication, enforce required authentication methods, enable two-factor authentication, control e-mail attachment availability, and provide centralized logging.
The New Exchange Server Publishing Wizard also enables you to publish Outlook Mobile Access and Exchange ActiveSync®. Outlook Mobile Access provides users with access to Outlook from mobile devices. Using Exchange ActiveSync, you can synchronize with high levels of security, directly to your Exchange mailboxes from Microsoft Windows Mobile®-based devices, such as Pocket PC, Pocket PC Phone Edition, and Smartphones.
In this section, the assumptions for the scenario are reviewed. Information worksheets are provided to assist in gathering the necessary information required when using the New Web Listener Wizard and the New Exchange Publishing Rule Wizard.
The following assumptions apply to the scenario:
Exchange Server 2003 is installed and configured on exchange01.
Exchange Server 2003 is installed and configured on owa01. The owa01 computer should be configured as an Exchange front-end server. For more information about Exchange Server front-end and back-end configurations, see the following:
- "Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server" at the Microsoft TechNet Web site
- "Configuring an Exchange Front-End Server" at the Microsoft TechNet Web site
Important
On owa01, do not select the Exchange Server 2003 forms-based authentication option. Forms-based authentication should be configured on the ISA Server Web publishing rule.
The owa01 computer has an SSL certificate installed from dc01 with a common name of owa01.corp.contoso.com. The internal URL is https://owa01.corp.contoso.com/exchange.
The external common name (fully qualified domain name or FQDN) is mail.contoso.com.
The isa01 computer has the root CA certificate for dc01 installed. This is necessary for ISA Server to accept the validity of the certificate on owa01.
The isa01 computer has an SSL certificate installed from router01 with the common name of mail.contoso.com.
The FQDN mail.contoso.com will resolve to the IP address 172.16.0.104, which is installed as a secondary IP address on isa01.
Update the following table with information that will be used when you use the New Web Listener Wizard.
Property | Value |
---|---|
Web listener name | Name: ________________________ |
Client connection security | HTTPS or HTTP (circle one) |
Web listener IP address | Network: ___________________ Optional specific IP address: ___.___.___.___ Note: If this specific IP address is not the primary network adapter IP address, a secondary IP address needs to be installed on the ISA Server computer before creating the Web listener. |
Authentication settings: Web listener SSL certificate. Note: This is only required if HTTPS has been selected for client connection security. | ___ Use a single certificate for this Web listener. Certificate issued to: _______________________ ___ Assign a certificate for each IP address. (This option will only be available if a specific IP address has been assigned to the Web listener.) Certificate issued to: _______________________ |
Single sign on settings | ___ Enable single sign on. Single sign on domain name: ___________________________ |
Update the following table with information that will be used when you use the New Exchange Publishing Rule Wizard.
Property | Value |
---|---|
Exchange publishing rule name | Name: ________________________ |
Services | Exchange version: ____________ __ Outlook Web Access __ Outlook RPC over HTTP __ Outlook Mobile Access __ Exchange ActiveSync |
Publishing type | __ Publish a single Web site. or __ Publish a server farm of load balanced servers, and Server farm name: _____________ |
Server connection security | HTTPS or HTTP (circle one) |
Internal publishing details | Internal site name (FQDN): ______________________ If the FQDN is not resolvable by the ISA Server computer: Computer name or IP address: _____________________ |
Public name details | Accept requests for: __ This domain name: ______________ or __ Any domain name |
Select Web listener | Web listener: ________________ |
User set | List user sets that will have access to this rule: _________________ __________________ |
The following computers are required for this walk-through:
- dc01
- exchange01
- owa01
- storage01 (for Enterprise Edition)
- isa01
- router01
- client01
The following procedures are used to publish Outlook Web Access and RPC over HTTP:
Create a server farm (optional)
Create a Web listener
Create an Exchange Web client access publishing rule
When you have more than one Web server providing access to the same content, you can use ISA Server 2006 to provide load balancing for these servers. This will enable you to publish the Web site once, instead of having to run the wizard multiple times. Also, this eliminates the need for a third-party product to load balance a Web site. If one of the servers is unavailable, ISA Server 2006 will detect that the server is not available and will direct users to servers that are working. ISA Server 2006 verifies on regular intervals that the servers that are members of the server farm are functioning. The server farm properties determine the following:
- Servers included in the farm
- Connectivity verification method that ISA Server will use to verify that the servers are functioning
Server farm considerations:
- There is a second Exchange front-end server named owa02.corp.contoso.com.
- Both servers have a server certificate installed with the following FQDN: owa.corp.contoso.com.
Perform the following procedure to create a server farm.
To create a server farm
1. In the console tree of ISA Server Management, click Firewall Policy:
   - For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand ISA01, and then click Firewall Policy.
   - For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
2. On the Toolbox tab, click Network Objects, click New, and select Server Farm. Use the wizard to create the server farm as outlined in the following table.

Page | Field or property | Setting |
---|---|---|
Welcome | Server farm name | Type Exchange OWA. |
Servers | Servers | Select Add and enter either the IP addresses or names of your servers: owa01.corp.contoso.com and owa02.corp.contoso.com. |
Connectivity Monitoring | Apply this method | Select Send an HTTP/HTTPS "GET" request to the following URL. |
Completing the New Server Farm Wizard | Review settings. | Click Back to make changes and Finish to complete the wizard. |

3. When the wizard completes, click Yes in the Enable HTTP Connectivity Verification dialog box.
4. Click the Apply button in the details pane to save the changes and update the configuration.
For more information about connectivity verifiers, see the product Help.
When you create a Web publishing rule, you must specify a Web listener to be used when creating the rule. The Web listener properties determine the following:
- Which IP addresses and ports on the specified networks will listen for Web requests (HTTP or HTTPS).
- Which server certificates to use with which IP address.
- Which authentication method to use.
- Number of concurrent connections that are allowed.
- Single sign on (SSO) settings.
Use the information on the worksheet that you filled in previously, and perform the following procedure to create a Web listener.
To create a Web listener
1. In the console tree of ISA Server Management, click Firewall Policy:
   - For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand ISA01, and then click Firewall Policy.
   - For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
2. On the Toolbox tab, click Network Objects, click New, and then select Web Listener. Use the wizard to create the Web listener as outlined in the following table.

Page | Field or property | Setting |
---|---|---|
Welcome | Web listener name | Type FBA. |
Client Connection Security | Connection type, either SSL or not SSL. | Select Require SSL secured connections with clients. |
Web Listener IP Addresses | Listen for incoming Web requests on these networks; ISA Server will compress content; Select IP Addresses | Select the External network. The check box should be selected (default). See the External Network Listener IP Selection page. |
External Network Listener IP Selection | Listen for requests on; Available IP Addresses | Select Specified IP addresses on the ISA Server computer in the selected network. Select 172.16.0.104 and click Add. |
Listener SSL Certificates | A Web listener can use a single certificate for all of its IP addresses, or a different certificate for each IP address. | Select Assign a certificate for each IP address. Select IP address 172.16.0.104 and click Select Certificate. |
Select Certificate | Select a certificate | Select the certificate issued to mail.contoso.com and click Select. The certificate must be installed before running the wizard. |
Authentication Settings | Specify how clients will provide credentials to ISA Server; Select how ISA Server will validate client credentials | Select HTML Form Authentication. Select LDAP (Active Directory). |
Single Sign On Settings | Enable SSO for Web sites published with this Web listener; SSO domain name | Clear this check box. SSO will be enabled later in the solution. Leave this field blank. |
Completing the New Web Listener Wizard | Review settings. | Click Back to make changes or Finish to complete the wizard. |
When you publish an internal Web server through ISA Server 2006, you are protecting the Web server from direct external access because the name and IP address of the server are not accessible to the user. The user accesses the ISA Server 2006 computer, which then forwards the request to the internal Web server according to the conditions of your Web server publishing rule. An Exchange Web client access publishing rule is a Web publishing rule that contains default settings appropriate to Exchange Web client access.
Use the information on the worksheet that you filled in previously, and perform the following procedure to create an Exchange Web client access publishing rule.
To create an Exchange Web client access publishing rule
1. In the console tree of ISA Server Management, click Firewall Policy:
   - For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand ISA01, and then click Firewall Policy.
   - For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
2. On the Tasks tab, click Publish Exchange Web Client Access. Use the wizard to create the rule as outlined in the following tables. For a single Web server, use the table in New Exchange Publishing Rule Wizard for a single Web site. For a server farm, use the table in New Exchange Publishing Rule Wizard for a server farm.
3. Click the Apply button in the details pane to save the changes and update the configuration.

New Exchange Publishing Rule Wizard for a single Web site

Page | Field or property | Setting |
---|---|---|
Welcome | Exchange Publishing rule name | Type Exchange OWA Publishing. |
Select Services | Exchange version; Web client mail services | Select Exchange Server 2003. Select Outlook Web Access and Outlook RPC/HTTP(s). |
Publishing Type | Select the type of publishing. | Select Publish a single Web site or load balancer. |
Server Connectivity Security | Choose the type of connections ISA Server will establish with the published Web server or server farm. | Select Use SSL to connect to the published Web server or server farm. |
Internal Publishing Details | Internal site name | Type owa01.corp.contoso.com. Important: The internal site name must match the name of the server certificate that is installed on the internal Web server. Note: If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server and then type the required IP address or name that is resolvable by the ISA Server computer. |
Public Name Details | Accept requests for; Public name | Select This domain name (type below). Type mail.contoso.com. |
Select Web Listener | Web listener | Select FBA. |
Authentication Delegation | Select the method used by ISA Server to authenticate to the published Web server | Select Basic authentication. |
User Sets | This rule applies to requests from the following user sets | Select All Authenticated Users and click Remove. Click Add, select LDAPUsers, click Add, and then click Close. |
Completing the New Exchange Publishing Rule Wizard | Review settings. | Click Back to make changes and Finish to complete the wizard. |

New Exchange Publishing Rule Wizard for a server farm

Page | Field or property | Setting |
---|---|---|
Welcome | Exchange Publishing rule name | Type Exchange OWA Publishing. |
Select Services | Exchange version; Web client mail services | Select Exchange Server 2003. Select Outlook Web Access and Outlook RPC/HTTP(s). |
Publishing Type | Select the type of publishing. | Select Publish a server farm of load balanced Web servers. |
Server Connectivity Security | Choose the type of connections ISA Server will establish with the published Web server or server farm. | Select Use SSL to connect to the published Web server or server farm. Note: A server certificate must be installed on the published Web servers, and the root CA certificate must be installed on the ISA Server computer. |
Internal Publishing Details | Internal site name | Type owa.corp.contoso.com. Important: The internal site name must match the name of the server certificate that is installed on the internal Web servers. Note: If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server and then type the required IP address or name that is resolvable by the ISA Server computer. |
Specify Server Farm | Select the Web mail farm you want to publish | Select Exchange OWA. |
Public Name Details | Accept requests for; Public name | Select This domain name (type below). Type mail.contoso.com. |
Select Web Listener | Web listener | Select FBA. |
Authentication Delegation | Select the method used by ISA Server to authenticate to the published Web server | Select Basic authentication. |
User Sets | This rule applies to requests from the following user sets | Select All Authenticated Users and click Remove. Click Add, select LDAPUsers, click Add, and then click Close. |
Completing the New Exchange Publishing Rule Wizard | Review settings. | Click Back to make changes and Finish to complete the wizard. |

Go to SSL Bridging.
SSL bridging is used when ISA Server ends or initiates an SSL connection. In ISA Server 2006, SSL bridging is automatically configured when the specified Web listener is configured to listen for HTTPS traffic.
Specifically, SSL bridging works in the following scenarios:
- A client requests an SSL object. ISA Server decrypts the request, and then encrypts it again and forwards it to the Web server. The Web server returns the encrypted object to ISA Server. ISA Server decrypts the object and then encrypts it again and sends it to the client. SSL requests are forwarded as SSL requests.
- A client requests an SSL object. ISA Server decrypts the request and forwards it to the Web server. The Web server returns the HTTP object to ISA Server. ISA Server encrypts the object and sends it to the client. SSL requests are forwarded as HTTP requests.
For incoming Web requests, an external client uses HTTPS to request an object from a Web server located on your Internal network. The client connects to ISA Server on a port—by default, port 443.
After receiving the client's request, ISA Server decrypts it, terminating the SSL connection. The Web publishing rule determines how ISA Server forwards the request for the object to the published Web server (FTP, HTTP, or SSL).
If the secure Web publishing rule is configured to forward the request using HTTPS, ISA Server initiates a new SSL connection with the published server, sending the request to port 443. Because the ISA Server computer is now an SSL client, it requires the published Web server to respond with a server certificate.
In this section, you will test the new Exchange publishing rule that you just created.
Test Outlook Web Access
From the router01 or client01 computer, use the following procedure to test the new Exchange Web client access publishing rule.
Note Make sure that you have the root CA certificate of the issuing CA of the mail.contoso.com certificate installed.
To test the Outlook Web Access publishing rule
Open Microsoft Internet Explorer.
Browse to the following URL: https://mail.contoso.com/exchange and use the following details to log on:
- Domain\user name: corp\mberg
- Password: Passw0rd
You can now read and send e-mail messages.
Test RPC over HTTP
This procedure must be done from client01.
Note
We recommend configuring Outlook without RPC over HTTP. Confirm that Outlook is working properly on the Internal network before configuring RPC over HTTP.
To test RPC over HTTP from Outlook 2003 on client01 connected to the Test_Internet network
Change the following account setting in Outlook 2003:
- On the Outlook 2003 Tools menu, select E-mail Accounts.
- Select View or change existing e-mail accounts, and then click Next.
- Select your Microsoft Exchange account and click Change.
- Click More Settings.
- If you receive an error from Outlook that it could not connect to Exchange, click Cancel and continue to step H.
- Click the Connection tab, select Connect to my Exchange mailbox using HTTP, and then click Exchange Proxy Settings.
- Type mail.contoso.com in Use this URL to connect to my proxy server for Exchange in Connection settings.
- Select Mutually authenticate the session when connecting with SSL and type msstd:mail.contoso.com in Principal name for proxy server.
- Select Basic Authentication for Proxy authentication settings.
- Click OK to close the Exchange Proxy Settings dialog box.
- Click OK to close the Microsoft Exchange Server dialog box.
- Click Next and then click Finished to close the E-mail Accounts dialog box.
- Restart Outlook.
- When you restart Outlook, you will be presented with a logon dialog box. Enter the user name and password and click OK.
Note
For RPC over HTTP to work both when the user is in the office and when the user is out of the office, the FQDN mail.contoso.com must resolve to the external address from the Internal network as well as from the Internet.
ISA Server 2006 works with Windows SharePoint Services and SharePoint Portal Server 2003 to enhance security.
Using the combined collaboration features of Windows SharePoint Services and SharePoint Portal Server 2003, users in your organization can easily create, manage, and build their own collaborative Web sites and make them available throughout the organization.
When you publish SharePoint portal sites to the Internet, you give employees who are not in the office access to the information that they need to complete their jobs, wherever they are located, without compromising security.
When you publish a SharePoint site through ISA Server, you protect the SharePoint site from direct external access because the name and IP address of the SharePoint site are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the published SharePoint site according to the conditions of your SharePoint publishing rule.
When you publish a SharePoint site, ISA Server enables you to configure forms-based authentication, enforce a required authentication method, enable two-factor authentication, control attachment availability, and control centralized logging.
In this section, the assumptions for the scenario are reviewed. Information worksheets are provided to assist in gathering the necessary information required when using the SharePoint Publishing Rule Wizard.
The following assumptions apply for this walk-through:
- SharePoint Portal Server 2003 with SP2 is installed and configured on sps01.
- SharePoint alternate access mapping is properly configured on sps01. For more information about alternate access mapping, see Appendix C: Alternate Access Mapping.
- You created a portal with a link to https://owa01.corp.contoso.com/exchange. This link will be translated to https://mail.contoso.com/exchange by the ISA Server link translation feature. For more information about link translation, see "Link Translation Concepts in ISA Server 2006" at the Microsoft TechNet Web site.
- The sps01 computer has an SSL certificate installed from dc01 with a common name of sps01.corp.contoso.com. The internal URL is https://sps01.corp.contoso.com.
- The isa01 computer has the root CA certificate for dc01 installed. This is necessary for ISA Server to accept the validity of the certificate on sps01.
- The external common name (fully qualified domain name) is portal.contoso.com.
- The isa01 computer has an SSL certificate installed from router01 with a common name of portal.contoso.com.
- ISA Server responds to requests for portal.contoso.com on the IP address 172.16.0.103.
You should have the following information available before running the SharePoint Publishing Rule Wizard.
Property | Value |
---|---|
SharePoint publishing rule name | Name: ________________________ |
Publishing type | __Publish a single Web site. or __Publish a server farm of load balanced servers. Server farm name: _____________ |
Server connection security (how ISA Server connects to the published Web server) | HTTPS or HTTP (circle one). If HTTPS is selected, a server certificate needs to be installed on the Web server. |
Internal publishing details | Internal site name (FQDN): ______________________ If the FQDN is not resolvable by ISA Server: Computer name or IP address: _____________________ |
Public name details | Accept requests for: __This domain name: ______________ or __Any domain name |
Select Web listener | Web listener: ________________ |
Alternate access mapping (for more information about configuring alternate access mapping, see Appendix C: Alternate Access Mapping) | Confirm whether alternate access mapping has been configured on the SharePoint Portal Server computer. Yes or no (circle one) |
User set | List user sets that will have access to this rule: _________________ __________________ |
The following computers are required for this walk-through:
- dc01
- storage01 (Enterprise Edition)
- isa01
- sps01
- router01
The following sections describe how to configure the solution:
Edit the Web listener
Publish SharePoint site
Test SharePoint publishing
You need to modify the Web listener, created in Create a Web listener, so that the ISA Server computer listens for requests on the IP address 172.16.0.103, and uses the portal.contoso.com server certificate only on this IP address. The Web listener will then listen for Exchange Web client requests on 172.16.0.104, using the certificate that matches the public name used for Exchange Web client access, and will listen on 172.16.0.103 for SharePoint client requests, using the certificate that matches the public name used for SharePoint client access.
To edit the Web listener
In the console tree of ISA Server Management, click Firewall Policy:
- For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand ISA01, and then click Firewall Policy.
- For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
On the Toolbox tab, click Network Objects, expand Web Listeners, right-click FBA, and then select Properties.
Select the Networks tab. Select External and click Address.
Select 172.16.0.103 from the Available IP Addresses column, click Add, and click OK.
Click the Certificates tab, and then:
- Select 172.16.0.103 and click Select Certificate.
- Select portal.contoso.com and click Select.
Click OK to close the properties of the FBA Web listener.
Use the information on the worksheet that you filled in previously, and perform the following procedure to publish a SharePoint site.
To publish the SharePoint site
In the console tree of ISA Server Management, click Firewall Policy:
- For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand ISA01, and then click Firewall Policy.
- For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
On the Tasks tab, click Publish SharePoint Sites. Use the wizard to create a rule as outlined in the following table.
Page | Field or property | Setting |
---|---|---|
Welcome | SharePoint publishing rule name | Type Publishing SharePoint. |
Publishing Type | Publishing type options | Select Publish a single Web site or load balancer. |
Server Connection Security | Choose the type of connections ISA Server will establish with the published server or server farm | Select Use SSL to connect to the published Web server or server farm. |
Internal Publishing Details | Internal site name | Type sps01.corp.contoso.com. Important: The internal site name must match the name of the server certificate that is installed on the internal Web servers. Note: If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server and then type the required IP address or name that is resolvable by the ISA Server computer. |
Public Name Details | Accept requests for Public name | This domain name (type below): type portal.contoso.com. |
Select Web Listener | Web listener | Select FBA. |
Authentication Delegation | Select the method used by ISA Server to authenticate to the published Web server | Select NTLM authentication. |
Alternate Access Mapping Configuration | For complete integration and functionality, you need to configure alternate access mapping on the published SharePoint site. | Select SharePoint AAM is already configured on the SharePoint server. |
User Sets | This rule applies to requests from the following user sets | Select All Authenticated Users and click Remove. Click Add, select LDAPUsers, click Add, and then click Close. |
Completing the New SharePoint Publishing Rule Wizard | Review settings. | Click Back to make changes and Finish to complete the wizard. |
- Click the Apply button in the details pane to save the changes and update the configuration.
Note
If the SharePoint site does not contain confidential information, you can choose Use non-secured connections to connect to the published Web server or server farm on the Server Connection Security page. The connection from the user to the ISA Server computer is then over HTTPS, while the connection from the ISA Server computer to the internal published server is over HTTP.
On the router01 or client01 computer, perform the following procedure to test the new SharePoint publishing rule.
Note
Make sure that you have the root CA certificate of the issuing CA of the portal.contoso.com certificate installed.
To test SharePoint publishing
Open Internet Explorer.
Browse to the following URL: https://portal.contoso.com. Use the following details to log on:
- Domain\user name: corp\mberg
- Password: Passw0rd
You should be in the portal now.
- On the right side, select External OWA under Links for You.
- This will open a new ISA Server logon page so you can open the published Outlook Web Access site you created earlier.
This is not ideal, because users must log on multiple times with the same credentials. This might be confusing, generating unnecessary support calls. This also increases the time it takes to complete a task. When users are rushed, such as trying to depart on an airplane flight, they might not be able to complete the task. For this reason, you should configure SSO, as described in the next topic.
When users access two different Web sites, such as an Outlook Web Access site and a SharePoint site, users should not have to provide the same credentials again when they click a link to open another site.
The ISA Server 2006 SSO feature reuses user credentials for another published server, eliminating the need to reenter credentials a second or third time. This will enhance the user experience, because users will click a link that will open another Web application without having to provide their credentials.
The following assumptions apply:
- Outlook Web Access is successfully published.
- SharePoint Portal Server is successfully published.
The following computers are required:
- dc01
- storage01 (Enterprise Edition)
- isa01
- sps01
- exchange01
- owa01
- router01
The following sections describe how to configure the solution:
Modify a Web Listener to Enable Single Sign On
Test Single Sign On Between SharePoint Portal Server and Outlook Web Access
To modify a Web listener to enable single sign on
In the console tree of ISA Server Management, click Firewall Policy:
- For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand ISA01, and then click Firewall Policy.
- For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
On the Toolbox tab, click Network Objects, expand Web Listeners, right-click FBA, and then select Properties.
Click the SSO tab. Select Enable Single Sign On. (Typically, this is enabled by default. You disabled SSO when you created the Web listener in Create a Web Listener.)
Click Add to specify the SSO domains for the Web listener.
Enter .contoso.com and click OK.
Click OK to close the FBA Properties dialog box.
Click the Apply button in the details pane to save the changes and update the configuration.
Important
When enabling SSO, be sure to provide a specific SSO domain. Providing a generic domain, such as .co.uk, will allow the Web browser to send the ISA Server SSO cookie to any Web site in that domain, creating a security risk.
Note the following:
- There is no support for SSO between different Web listeners.
- Published servers must share the same DNS suffix. For example, you can configure SSO when publishing mail.contoso.com and portal.contoso.com. You cannot configure SSO when publishing mail.fabrikam.com and portal.contoso.com.
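As an added illustration of the two notes above (example code written for this page, not part of ISA Server or of this document), the following Python check derives the narrowest SSO domain that covers a set of published host names, rejects a shared suffix that is only a public registry suffix such as .co.uk, and shows which hosts a browser would send a cookie scoped to a given SSO domain to. The short public-suffix list inside it is a constructed stand-in for the real list.

```python
"""Check that an ISA Server SSO domain is scoped to the published sites.

Added example for this page, not ISA Server code. A browser sends a cookie
whose Domain attribute is ".contoso.com" to every host under contoso.com,
so the SSO domain should be the narrowest suffix that still covers every
published host on the Web listener, and never a public registry suffix.
"""

# Constructed, deliberately short stand-in for the public suffix list
# (https://publicsuffix.org/); a production check would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def common_dns_suffix(hosts):
    """Return the DNS labels (in normal order) shared by the tail of all hosts."""
    reversed_labels = [h.lower().rstrip(".").split(".")[::-1] for h in hosts]
    shared = []
    for column in zip(*reversed_labels):
        if len(set(column)) != 1:          # labels differ at this position
            break
        shared.append(column[0])
    return shared[::-1]


def suggest_sso_domain(hosts):
    """Return the narrowest SSO domain covering all hosts, or None.

    None means SSO cannot be configured for these hosts on one listener:
    they share no suffix, or the only shared suffix is a public suffix,
    which would leak the SSO cookie to unrelated sites (the .co.uk case).
    """
    suffix = common_dns_suffix(hosts)
    if not suffix or ".".join(suffix) in PUBLIC_SUFFIXES:
        return None
    return "." + ".".join(suffix)


def cookie_sent_to(sso_domain, host):
    """Would a browser send a cookie scoped to sso_domain to this host?

    A domain cookie matches the domain itself and any subdomain of it, but
    not a host whose name merely ends with the same characters.
    """
    domain = sso_domain.lower().lstrip(".")
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_sso_domain(sso_domain, hosts):
    """Return a list of problems with a proposed SSO domain (empty means OK)."""
    problems = []
    bare = sso_domain.lower().lstrip(".")
    if bare in PUBLIC_SUFFIXES:
        problems.append("SSO domain %s is a public suffix" % sso_domain)
    for host in hosts:
        if not cookie_sent_to(sso_domain, host):
            problems.append("%s is outside SSO domain %s" % (host, sso_domain))
    narrowest = suggest_sso_domain(hosts)
    if narrowest and narrowest != "." + bare:
        problems.append("narrower SSO domain %s would suffice" % narrowest)
    return problems


if __name__ == "__main__":
    published = ["mail.contoso.com", "portal.contoso.com"]
    print(suggest_sso_domain(published))                                # .contoso.com
    print(check_sso_domain(".com", published))
    print(suggest_sso_domain(["mail.fabrikam.com", "portal.contoso.com"]))  # None
```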
On the router01 or client01 computer, perform the following procedure to test single sign on between SharePoint Portal Server and Outlook Web Access.
To test single sign on between SharePoint Portal Server and Outlook Web Access
Open Internet Explorer.
Browse to the following URL: https://portal.contoso.com. Use the following details to log on:
- Domain\user name: corp\mberg
- Password: Passw0rd
- On the right side, select External OWA under Links for You.
- This will automatically open the user's Outlook Web Access page.
- Log off from the Outlook Web Access page.
- You can log on to https://mail.contoso.com/exchange, open an e-mail message called New External Portal, and then click the link in the e-mail message to open the SharePoint portal site.
In this section, these additional features, which you can configure to ease your deployments, are discussed:
- Redirect HTTP to HTTPS
- Password Management
When publishing a Web site, we recommend that users open an HTTPS connection between them and the ISA Server computer to protect the sensitive information that is being transferred over the Internet. This requires that users enter a URL such as https://portal.contoso.com. If the user just enters portal.contoso.com, the user will receive the following error.
Users have a tendency not to enter the HTTPS portion of the URL even when going to a secured Web site. This behavior has been reinforced by Web administrators who have scripted their Web sites to redirect users to an HTTPS page, even when they enter HTTP. This is done to reduce the number of Help desk calls by users when they cannot open the URL they are trying to open.
To enable HTTP to HTTPS redirection, perform the following procedure.
To enable HTTP to HTTPS redirection
In the console tree of ISA Server Management, click Firewall Policy:
- For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server Name, and then click Firewall Policy.
- For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array Name, and then click Firewall Policy.
On the Toolbox tab, click Network Objects, expand Web Listeners, right-click the Web listener, and then select Properties.
Select the Connections tab.
Select Enable HTTP connections on port and confirm that the listening port for HTTP is 80.
Confirm that Enable SSL (HTTPS) connections on port is selected and is listening on port 443.
Select Redirect all traffic from HTTP to HTTPS.
- Click OK to close the properties of the Web listener.
- Click the Apply button in the details pane to save the changes and update the configuration.
It is good security policy to require your users to change their passwords on a regular basis. Users who are not in the office on a regular basis need a method to change their passwords when they are not in the office.
When using forms-based authentication, you can inform users that their passwords are going to expire in a specific number of days and you can enable your users to change their passwords so they do not expire. Users will also be able to change an expired password.
To configure the Change Password option when using LDAP authentication, LDAP needs to be configured with the following settings:
- Connection to the LDAP servers must be over a secured connection. This requires an SSL certificate to be installed on the Active Directory server. For more information about enabling LDAP over SSL, see "How to Enable LDAP over SSL with a third party certification authority" at the Microsoft Support Web site.
- The ISA Server computer needs to have the root certificate for the CA that issued the SSL certificate installed on the Active Directory servers.
- Connection to the LDAP servers cannot be via a global catalog.
- A user name and password that are used for verifying user account status and changing passwords are required.
To enable the change password functionality for forms-based authentication
In the console tree of ISA Server Management, click Firewall Policy:
- For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server Name, and then click Firewall Policy.
- For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array Name, and then click Firewall Policy.
On the Toolbox tab, click Network Objects, expand Web Listeners, right-click the Web listener, and then select Properties.
Select the Forms tab.
Select Allow users to change their passwords and Remind users that their password will expire in this number of days. The default number of days is 15.
- Click OK to close the properties of the Web listener.
- Click the Apply button in the details pane to save the changes and update the configuration.
The users will now see the following logon screen. Notice the option I want to change my password after logging on.
ISA Server 2006 features the ability to authenticate users via LDAP on computers that are running Windows Server 2003 or Windows 2000 Server. ISA Server currently does not support other LDAP servers.
LDAP authentication enables the ISA Server computer to remain in a workgroup. ISA Server authenticates users in Active Directory, using an authentication method that is similar to the method used when the ISA Server computer is a domain member.
Users can authenticate via LDAP using either of the following account name formats, which are shown as login expressions in ISA Server Management:
- Security Accounts Manager (SAM) account name (domain\username)
- User principal name (UPN) (username@domain.com)
ISA Server can connect to an LDAP server in any of the ways described in the following table.
Connection | Port | Requires Active Directory domain name | Supports Change Password option |
---|---|---|---|
LDAP | 389 | Yes | No |
LDAPS | 636 | Yes | Yes |
LDAP using global catalog | 3268 | No | No |
LDAPS using global catalog | 3269 | No | No |
Note
To use LDAPS or LDAPS using global catalog, a server certificate must be installed on the LDAP server and the root certificate from the issuing CA needs to be installed on the ISA Server computer.
To properly configure LDAP authentication, you need to configure an LDAP server set and at least one login expression.
An LDAP server set is a grouping of LDAP servers, which ISA Server uses to perform user authentication. All the servers in an LDAP server set share the same LDAP connection settings.
The following table lists the properties of an LDAP server set.
Item | Description | Comment |
---|---|---|
LDAP server set | Listing of LDAP servers available for LDAP user authentication. All servers listed will share the same LDAP connection settings. | Required. |
LDAP servers | Listing of LDAP servers available for LDAP user authentication. Note the following: | Minimum of one server is required. |
Active Directory domain | Enter the domain name of the domain where the user accounts are defined, as an FQDN or as a distinguished name. | Optional if Use Global Catalog (GC) is selected; otherwise required. |
Use global catalog | If your LDAP servers are also configured to be global catalog servers, select the Use Global Catalog (GC) option and you do not need to specify an Active Directory domain name. To use the Change Password option, this option must not be selected. | Optional. Note: The Password Management feature does not work when an LDAP server set is configured with this property. |
Connect LDAP servers over secure connection | Select the Connect LDAP servers over secure connection option if you want the connection between the ISA Server computer and the LDAP server to be encrypted via SSL. For more information about enabling LDAP over SSL, see "How to Enable LDAP over SSL with a third party certification authority" at the Microsoft Support Web site. | Optional. Note: To use the Change Password option, this option must be selected. |
User name and password | This option is only required if you want to use the Password Management option with forms-based authentication. Because the ISA Server computer will not be a member of the domain, you need to specify a user name and password that will be used for verifying user account status. This account can be any domain account, even a restrictive user account. This account is used by ISA Server to bind to the LDAP server and query the properties of the user who is logging on. This account is not involved when changing the user's password. | Optional. |
A login expression matches the user-entered credentials with the correct LDAP server set. You need at least one login expression for each LDAP server set for authentication to occur.
An LDAP server set can have more than one login expression assigned to it. However, a login expression can only be assigned to one LDAP server set.
Examples of login expressions:
corp\*
*@corp.contoso.com
If a user entered credentials in the format mberg@contoso.com, and the login expression *@contoso.com has not been entered, the logon attempt will fail.
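The following Python model (an added example for this page, not ISA Server code) shows how login expressions such as corp\* and *@corp.contoso.com route entered credentials to an LDAP server set, enforces that an expression belongs to only one server set, and reproduces the failure case above where mberg@contoso.com matches no expression. Case-insensitive matching and first-match-wins ordering are assumptions of this example; the class and function names are hypothetical.

```python
"""Map user-entered credentials to an ISA Server LDAP server set.

Added example for this page, not ISA Server code. It models login
expressions such as corp\\* and *@corp.contoso.com, the rule that each
expression belongs to exactly one LDAP server set, and the failure case
in which no expression matches the format the user typed.
"""
import fnmatch


def credential_format(entered):
    """Classify credentials as SAM (domain\\user), UPN (user@domain) or plain."""
    if "\\" in entered:
        return "SAM"
    if "@" in entered:
        return "UPN"
    return "plain"


class LoginExpressions:
    """Ordered list of (login expression, LDAP server set name) pairs."""

    def __init__(self):
        self._rules = []

    def add(self, expression, server_set):
        """Assign a login expression to a server set.

        A server set may own many expressions, but an expression may be
        assigned to only one server set, so a second owner is rejected.
        """
        expr = expression.lower()
        for existing, owner in self._rules:
            if existing == expr and owner != server_set:
                raise ValueError("%s is already assigned to %s" % (expression, owner))
        self._rules.append((expr, server_set))

    def resolve(self, entered):
        """Return the server set for the entered credentials, or None.

        Expressions are tried in the order they were added (an assumption of
        this example); '*' matches any run of characters, as in the document's
        examples. None means the logon attempt fails before any LDAP server
        is contacted.
        """
        name = entered.lower()
        for expr, server_set in self._rules:
            if fnmatch.fnmatchcase(name, expr):
                return server_set
        return None


if __name__ == "__main__":
    rules = LoginExpressions()
    rules.add("corp\\*", "Contoso LDAP")
    rules.add("*@corp.contoso.com", "Contoso LDAP")
    for cred in ("corp\\mberg", "mberg@corp.contoso.com", "mberg@contoso.com"):
        print(cred, credential_format(cred), rules.resolve(cred))
```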
Update the following table with information about the LDAP server set and login expressions.
Item | Value |
---|---|
LDAP server set | Name: _________________ |
Server name | Name: ___________________ or IP address: ___.___.___.___ |
Active Directory domain name | FQDN or distinguished name: _____________________________ |
Use global catalog | Yes or no (circle one) |
Connect LDAP servers over secure connection | Yes or no (circle one). Note: If you have selected to connect over a secure connection, confirm that the proper certificates have been installed. |
User name and password | User name: ______________ Password: ________________ |
Login expression | __________________ For example: corp\* |
To create an LDAP server set, see Create an LDAP Server Set.
Note
Use the LDP.exe tool to test the connectivity between the ISA Server computer and the LDAP server. By default, LDP.exe is located in the %PROGRAMFILES%\Support Tools directory.
Alternate access mappings provide a mechanism for SharePoint administrators to identify the different ways in which users access portal sites, ensuring that URLs (links) are displayed appropriately for the manner in which the user accesses the portal site. Note the following:
- Administrators often deploy portal sites that users can access by using different URLs. It is important that functionality, such as search results for portal site and document library (Web storage system-based) content, be appropriate for the URL that was used to access the portal site. External URLs must be provided to the user in a form that is appropriate for how the user is currently accessing the portal site.
- Without alternate access settings, search results might be displayed in a way that would make them inaccessible to users. Users might receive search results that they cannot access whenever they access the portal site by using a URL that is different from the original URL used for crawling the content.
The Microsoft SharePointPSSearch service consults the alternate access setting entries when crawling a document. If the URL of the document matches one of the mapping entry URLs, the URL is replaced with the mapping ID for the entry. When the search result is displayed, the mapping ID is replaced by the appropriate URL if the user is requesting the document from an access point listed in the alternate access setting entries. If there is no appropriate alternate mapping, the search results display the default URL.
Every alternate access setting entry must have a default URL. Each entry can have additional alternate access methods or zones, for either intranet, extranet, or custom access. Each URL must be different from all other URLs. These mappings are stored in the configuration database. SharePoint Portal Server 2003 uses the default URL for any requested URL that is not found in the mapping table.
Important
For alternate access mapping to work properly, your SharePoint publishing rule must be configured to forward the original host header. This is the default configuration when using the SharePoint Publishing Wizard.
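The crawl-time and display-time behaviour described above, as an added Python model written for this page (not SharePoint code): an entry holds a default URL plus zone URLs, a crawled document URL is stored with the entry's mapping ID, and the ID is resolved back to the URL of the access point the user arrived through, falling back to the default URL. The "{mapping-id}" token format and the class names are assumptions of the example; the URLs are the ones this walk-through uses.

```python
"""Model of SharePoint Portal Server 2003 alternate access mapping.

Added example for this page, not SharePoint code. An alternate access
setting entry has a default URL plus optional zone URLs (intranet,
extranet, custom). At crawl time, a document URL that starts with one of
the entry's URLs is stored with the entry's mapping ID in place of that
URL; at display time, the ID is replaced with the URL of the access point
the user came in through, or the default URL when there is no match.
The "{mapping-id}" token format is an assumption of this example.
"""
from urllib.parse import urlsplit, urlunsplit


def split_url(url):
    """Split a URL into a lower-cased "scheme://host" and the remainder."""
    parts = urlsplit(url)
    base = parts.scheme.lower() + "://" + parts.netloc.lower()
    rest = urlunsplit(("", "", parts.path, parts.query, parts.fragment))
    return base, rest


class AlternateAccessEntry:
    def __init__(self, mapping_id, default_url, **zone_urls):
        self.mapping_id = mapping_id
        self.default_url = split_url(default_url)[0]
        # zone name -> base URL, e.g. extranet="https://portal.contoso.com"
        self.zones = {zone: split_url(u)[0] for zone, u in zone_urls.items()}
        if len(set(self.urls())) != len(self.urls()):
            raise ValueError("each URL in an entry must differ from all others")

    def urls(self):
        return [self.default_url] + list(self.zones.values())


class AlternateAccessMappings:
    """The mapping table SharePoint keeps in its configuration database."""

    def __init__(self, entries):
        self.entries = list(entries)
        seen = [u for e in self.entries for u in e.urls()]
        if len(set(seen)) != len(seen):
            raise ValueError("a URL may appear in only one entry")

    def index_url(self, document_url):
        """Crawl time: replace a matching base URL with the mapping ID."""
        base, rest = split_url(document_url)
        for entry in self.entries:
            if base in entry.urls():
                return "{%s}%s" % (entry.mapping_id, rest)
        return document_url          # not covered by any entry: stored as-is

    def display_url(self, indexed_url, access_url):
        """Display time: rebuild the URL for the user's access point.

        access_url is the URL the user requested, taken from the Host header,
        which is why the ISA Server publishing rule must forward the original
        host header for this to pick the extranet zone.
        """
        if not indexed_url.startswith("{"):
            return indexed_url
        mapping_id, rest = indexed_url[1:].split("}", 1)
        entry = next((e for e in self.entries if e.mapping_id == mapping_id), None)
        if entry is None:
            raise KeyError("unknown mapping ID %s" % mapping_id)
        access_base = split_url(access_url)[0]
        if access_base in entry.urls():
            return access_base + rest
        return entry.default_url + rest   # no alternate mapping: default URL


if __name__ == "__main__":
    table = AlternateAccessMappings([
        AlternateAccessEntry("sps01-default-web-site", "https://sps01",
                             extranet="https://portal.contoso.com"),
    ])
    stored = table.index_url("https://sps01/sites/finance/Q3.docx")
    print(stored)
    print(table.display_url(stored, "https://portal.contoso.com/search.aspx"))
    print(table.display_url(stored, "https://sps01/search.aspx"))
```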
Windows SharePoint Services allows teams to create Web sites for information sharing and document collaboration, benefits that help increase individual and team productivity. Windows SharePoint Services is a component of the Windows Server 2003 information worker infrastructure and provides team services and sites to the Microsoft Office System and other desktop programs. It also serves as a platform for application development. Including such information technology (IT) resources as portals, team workspaces, e-mail, presence awareness, and Web-based conferencing, Windows SharePoint Services enables users to locate distributed information quickly and efficiently, as well as connect to and work with others more productively.
For more information about Windows SharePoint Services, see the Windows SharePoint Services home page.
SharePoint Portal Server 2003 enables enterprises to develop an intelligent portal that seamlessly connects users, teams, and knowledge so that people can take advantage of relevant information across business processes to help them work more efficiently. SharePoint Portal Server 2003 provides an enterprise business solution that integrates information from various systems into one solution through single sign on and enterprise application integration capabilities, with flexible deployment options and management tools. The portal facilitates end-to-end collaboration by enabling aggregation, organization, and search capabilities for people, teams, and information. Users can find relevant information quickly through customization and personalization of portal content and layout, as well as by audience targeting. Organizations can target information, programs, and updates to audiences based on their organizational role, team membership, interest, security group, or any other membership criteria that can be defined.
SharePoint Portal Server 2003 uses Windows SharePoint Services sites to create portal pages for people, information, and organizations. The portal also extends the capabilities of Windows SharePoint Services sites with organization and management tools, and enables teams to publish information in their sites to the entire organization.
For more information about SharePoint Portal Server, see the SharePoint Portal Server home page.
To properly configure alternate access mapping settings, you need the software versions discussed in the following table.
Product | Version |
---|---|
Windows SharePoint Services | Windows SharePoint Services with Service Pack 2 |
SharePoint Portal Server | SharePoint Portal Server 2003 with Service Pack 2 |
Consider the following:
- Configuration of alternate access mapping for Windows SharePoint Services is done from a command prompt with the Stsadm.exe command.
- Configuration of alternate access mapping for SharePoint Portal Server is done via Central Administration for the SharePoint Portal Server Web administration.
Note
If you are running SharePoint Portal Server, we recommend also configuring alternate access mapping settings for Windows SharePoint Services.
You have published a SharePoint site through ISA Server 2006 using the SharePoint Publishing Wizard. Users will access the site by entering the following URL: https://portal.contoso.com. ISA Server will connect to the internal Web server using the following URL: https://sps01. Based on the following information, you will configure alternate access mapping for Windows SharePoint Services and SharePoint Portal Server.
When configuring alternate access mapping settings, you configure the extranet zone. A zone is a way of accessing the SharePoint site that is different from the default zone. For example, a SharePoint site named sps01 is accessed from the Internal network as https://sps01. However, when accessed by a user on the Internet via ISA Server, the user accesses https://portal.contoso.com.
Run the Stsadm.exe commands. For Stsadm.exe, you need to define both an incoming and outgoing setting for each alternate access mapping method (zone).
Configure alternate access mapping for Windows SharePoint Services
To configure the outgoing zone, run the following command at a command prompt:
stsadm.exe -o addzoneurl -urlzone extranet -zonemappedurl https://portal.contoso.com -url https://sps01
To configure the incoming zone, run the following command at a command prompt:
stsadm.exe -o addalternatedomain -urlzone extranet -incomingurl https://portal.contoso.com -url https://sps01
To confirm the Stsadm setting, run the following command at a command prompt:
stsadm.exe -o enumalternatedomains -url https://sps01
For SharePoint Portal Server, you need to configure the alternate access mapping method (zone), which automatically configures both the incoming and outgoing setting.
To configure alternate access mapping for SharePoint Portal Server
Click Start, point to Programs, point to SharePoint Portal Server, and then click SharePoint Central Administration to open the SharePoint Central Administration application.
On the SharePoint Portal Server Central Administration for SPS01 page, in the Portal Site and Virtual Server Configuration section, click Configure alternate portal site URLs for intranet, extranet, and custom access.
On the Configure Alternate Portal Access Settings page, point to Default Web Site, and then click the arrow that appears.
On the menu that appears, click Edit.
On the Change Alternate Access Setting page, in the Extranet URL box, type the extranet URL https://portal.contoso.com.
Click OK.
Note
This configures alternate access mapping for SharePoint Portal Server only. If your site also uses Windows SharePoint Services, you must also configure alternate access mapping for Windows SharePoint Services with the Stsadm.exe commands earlier in this appendix.
Appendix D: Security Tips
The following items highlight security considerations that apply when publishing Web servers.
We do not recommend publishing two sites under the same host name. If you have two internal Web sites, https://site1 and https://site2, do not publish them as https://external.contoso.com/site1 and https://external.contoso.com/site2.
The more secure method is to publish each site with a unique host name, such as https://site1.contoso.com and https://site2.contoso.com. Browsers treat everything under one host name as a single origin: cookies and script belonging to one site are reachable from the other, so a weakness such as cross-site scripting in either site exposes the sessions of both. Separate host names keep the two sites isolated from each other in the browser.
Users should be educated to log off properly from kiosk workstations. This is especially important for published applications that have no log off button, and when single sign on is configured.
When a user accesses a published application, ISA Server stores an authentication cookie on the local computer. If the application has no log off button and the user browses to another Web page and then leaves the kiosk without logging off, the cookie remains on the computer and remains valid. The next person at the kiosk can use that cookie to reach the same application, and any other published application that is configured for single sign on, without entering credentials.
Users of public computers should follow these practices after accessing published applications:
- Perform logoff on published applications, if available.
- Delete cookies after you finish using published applications.
- Delete temporary Internet files that Office created when working with SharePoint Portal Server.
- Close all browser windows.
- Log off from Windows, if possible.
Note
Cookies created by ISA Server will time out by default in 30 minutes.
Before publishing a Web application through ISA Server, ensure that it is designed to resist session riding attacks (also known as cross-site posting, cross-site request forgery, or luring attacks). ISA Server authenticates the user and forwards the request, but it cannot tell whether a request was initiated by the user or by a page on another site that the user's browser happened to load; the browser attaches the user's cookie either way, and with single sign on it attaches it to requests for every published application that shares the single sign on configuration. The application itself must therefore verify that each state-changing request was intended, for example by requiring a per-session token that a page on another site cannot obtain.
Appendix E: Administrative Tips
This section provides administrative tips for RPC over HTTP logging, for non-English forms-based authentication, and for SSL client certificate authentication.
When you publish RPC over HTTP, the ISA Server log may contain Failed Connection entries with Error 64: "The specified network name is no longer available" (ERROR_NETNAME_DELETED). These entries result from the way Exchange handles the RPC over HTTP connection and can safely be ignored for the RPC over HTTP publishing rule.
The language settings of the user’s browser determine the language of the forms that ISA Server uses. This is automatic and there are no configuration changes required.
The following conditions need to be taken into account when SSL client certificate authentication has been configured.
When multiple client certificates are installed on the user's computer and the Client Authentication Method selected on the Web listener is SSL Client Certificate Authentication, the user must select the correct certificate in the Choose a digital certificate dialog box when accessing the published Web server.
If you have configured single sign on between two published applications with different host names, for example portal.contoso.com and owa.contoso.com, and the Client Authentication Method selected on the Web listener is SSL Client Certificate Authentication, users are prompted to select their certificate a second time when they move from one published Web site to the other. They are prompted for the PIN only the first time they select the certificate, provided the second published Web site is opened in the same browser process.
This issue does not affect published Web sites that share the same host name, for example https://public.contoso.com/owa and https://public.contoso.com/portal. Note, however, that the security tips in Appendix D recommend a unique host name for each published site; avoiding the second certificate prompt by sharing a host name gives up that isolation.