Deploying Office SharePoint Server 2007 with ISA Server 2006

Microsoft® Internet Security and Acceleration (ISA) Server 2006 is the security gateway that helps protect your mission-critical applications from Internet-based threats. ISA Server enables your business to do more, with secure access to Microsoft applications and data. Secure your Microsoft application infrastructure by protecting your corporate applications, services, and data across all network layers with stateful packet inspection, application-layer filtering, and comprehensive publishing tools. Streamline your network with simplified administrator and user experiences through a unified firewall and virtual private network (VPN) architecture, which includes Web caching and bandwidth management, an optimized firewall filtering engine, and comprehensive access controls. Safeguard your information technology environment to reduce security risks and costs, and help eliminate the effects that malicious software and attackers have on your business, by using comprehensive tools for scanning and blocking harmful content, files, and Web sites.

This document discusses publishing Microsoft Office SharePoint® Server 2007 with ISA Server 2006. For information about the new ISA Server 2006 publishing features and how to publish Office SharePoint Server, see "Secure Application Publishing" at the Microsoft TechNet Web site.

Contents

Scenario

Solution

Network topology

Office SharePoint Server publishing walkthroughs

Appendix A: Additional publishing features

Appendix B: LDAP configuration

Appendix C: Alternate access mapping

Scenario

Contoso, Ltd wants to provide employees, when they are not in the office, simple and secure access to the internal computer running Office SharePoint Server.

Contoso also wants to enhance the working relationship with partners and vendors by providing access to these internal sites.

Currently, access to these applications is available only to users through a client access VPN connection. For security reasons, Contoso does not want to allow direct access from the Internet to these applications, because attacks may be hidden within Secure Sockets Layer (SSL) connections. Contoso does not want internal servers to be accessible directly from the Internet.

Client access VPN connections can be slow, and proper configuration of the VPN connection on the client computer is required. Also, when employees are at an off-site location, they may be behind a firewall, which blocks client access VPN connections. These limitations reduce the effectiveness of accessing important information when not in the office. ISA Server 2006 publishing provides secure and quick access to applications.

Solution

The prescribed solution is to publish Office SharePoint Server with ISA Server 2006. Communication from external clients to the ISA Server computer and from the ISA Server computer to the published server is encrypted using SSL. ISA Server is not joined to the domain and performs authentication via a Lightweight Directory Access Protocol (LDAP) connection to the domain.

ISA Server 2006 Standard Edition or ISA Server 2006 Enterprise Edition can be used in this solution.

For more information about Office SharePoint Server, see the Microsoft Office SharePoint Server 2007 Web site.

Security

ISA Server 2006 addresses the Contoso issues by making applications available over the Internet in a secure way.

No direct access to the server from the Internet

When you publish an application through ISA Server 2006, you are protecting the server from direct external access because the name and IP address of the server are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the server according to the conditions of the server publishing rule.

SSL packet inspection

When you create a secure Web publishing rule, you can configure whether ISA Server forwards the decrypted SSL requests to the published server as Hypertext Transfer Protocol (HTTP) requests or as new SSL requests.

HTTPS-to-HTTPS bridging

HTTPS-to-HTTPS bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, after receiving the client's request, ISA Server 2006 decrypts it, inspects it, and terminates the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the publishing Web server. If the secure Web publishing rule is configured to forward the request using Secure HTTP (HTTPS), ISA Server initiates a new SSL connection with the published server. Because the ISA Server computer is now an SSL client, it requires that the publishing Web server responds with a server-side certificate.

HTTPS-to-HTTP bridging (SSL Termination)

HTTPS-to-HTTP bridging (SSL Termination) protects against attacks that are hidden in SSL-encrypted connections. For HTTP-enabled Web applications, after receiving the client's request, ISA Server 2006 decrypts it, inspects it, and terminates the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the publishing Web server. If the secure Web publishing rule is configured to forward the request using HTTP (unencrypted), ISA Server initiates a regular HTTP connection with the published server. Because the connection between the ISA Server computer and the published Web server is over HTTP, the SSL processing load is removed from the published Web server. HTTPS-to-HTTP bridging can increase the performance of your published Web servers.

Important

Because the communication between the ISA Server computer and the published Web server is not encrypted, we recommend that the published Web server be on a separate internal network or located in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).

Note

This document discusses HTTPS-to-HTTPS bridging in the walkthroughs.

Authentication

ISA Server 2006 enables you to configure forms-based authentication for supported applications. Forms-based authentication enables you to enforce required authentication methods, enable two-factor authentication, control e-mail attachment availability, and provide centralized logging.

ISA Server 2006 supports LDAP authentication, enabling you to place the ISA Server computer in the perimeter network. The ISA Server computer does not join the domain, so you no longer need to open all of the required ports for Active Directory® directory service communications. You still need to open LDAP or global catalog ports between the ISA Server computer and the configured Active Directory domain controller. Keeping your ISA Server computers in a workgroup configuration reduces the attack surface and simplifies the deployment of ISA Server. For more information about authentication, see "Authentication in ISA Server 2006" at the Microsoft TechNet Web site.

Ease of use

ISA Server 2006 overcomes the difficulties of using client access VPN connections in the following ways:

  • Access to published applications is via a Web browser.
  • Applications are now more widely available and more accessible than remote access VPNs due to the use of SSL. You can access your published applications behind firewalls, from connections using network address translation (NAT), and from other networking devices that might otherwise be blocking remote access VPN connections.
  • The reconnect process is easier and quicker, due to SSL. If your connection to the Internet is disconnected, you no longer need to reconnect via the remote access VPN dialer. After Internet access is reconnected, you can go back to your published application.
  • Partners, vendors, and employees who are not in the office can easily access the required information in a secure way.

Network topology

The scenarios assume that you will deploy this solution in a laboratory environment that includes the following two networks:

  • A network simulating your corporate network, called HQ_Net. In the walkthrough, HQ_Net spans this address range: 10.0.0.1 through 10.0.0.254.
  • A network simulating the Internet, called Test_Internet. In the walkthrough, Test_Internet spans this address range: 172.16.0.0 through 172.16.255.255.

The following figure illustrates the computers used in the feature walkthrough.

The following table provides information about the computers used in the feature walkthrough.

Computer name, operating system, additional software, and comments:

  • dc01: Microsoft Windows Server® 2003 with Service Pack 1 (SP1). Additional software: domain controller, Domain Name System (DNS), Internet Information Services (IIS), certification authority (CA). Comments: domain controller and internal CA.
  • sp01: Windows Server 2003 SP1. Additional software: Office SharePoint Server 2007, IIS.
  • isa01: Windows Server 2003 SP1. Additional software: ISA Server 2006 Standard Edition or Enterprise Edition.
  • client01: Windows® XP Professional with Service Pack 2 (SP2). Additional software: Microsoft Office Word 2007 or Word 2003, Office Excel® 2007 or Excel 2003, and Office Outlook® 2007 or Outlook 2003.
  • storage01: Windows Server 2003 SP1. Additional software: ISA Server 2006 Enterprise Edition. Comments: Configuration Storage server, required only for Enterprise Edition.
  • router01: Windows Server 2003 SP1. Additional software: IIS, DNS, CA. Comments: simulated Internet routing, DNS, and CA services.

The following applies:

  • A computer referred to as dc01 is the domain controller for HQ_Net and provides the following services:
    • Domain controller for corp.contoso.com
    • Authentication services
    • DNS for internal domain corp.contoso.com
    • CA services for corp.contoso.com
  • A computer referred to as sp01 is providing Office SharePoint Server services for remote users. This computer is a member of the domain.
  • A computer referred to as storage01 is the Configuration Storage server for the enterprise, necessary in a case where you are using ISA Server Enterprise Edition. This computer is a member of the domain. The Configuration Storage server was installed with a certificate for authentication over an SSL-encrypted channel.
  • A computer referred to as isa01 is providing firewall and publishing services. This computer is in a workgroup. You will configure LDAP authentication to enable ISA Server to authenticate domain users. The isa01 computer has two network adapters installed:
    • The IP address of the adapter connected to HQ_Net is 10.0.0.254/24.
    • The IP address of the adapter connected to Test_Internet is 172.16.0.2/24 with the secondary IP addresses 172.16.0.103 through 172.16.0.104.
  • For ISA Server 2006 Enterprise Edition, follow the instructions in the ISA Server 2006 Quick Start Guide to install the Configuration Storage server. Because the ISA Server computer will not join the domain during the installation, on the Enterprise Deployment Environment page, select Use certificate authentication, and provide the location of the exported server certificate.
  • The solution assumes that an array named main has been created with the following configuration settings:
    • Storage01 has been added to the Remote Management Computers computer set.
    • Authentication on the Configuration Storage page has been set to Authenticate over SSL-encrypted channel.
    • The isa01 computer has joined the main array during installation of ISA Server 2006.

For more information about installing ISA Server 2006, see the Quick Start Guides and the Installation Guides on the product CD.

The following table shows three users who have been created in the domain.

First name, last name, user logon name, and password:

  • Matt Berg, user logon name mberg, password Passw0rd
  • Jeff Hay, user logon name Jhay, password Passw0rd
  • Lisa Miller, user logon name lmiller, password Passw0rd

A computer referred to as router01 is providing DNS and CA services to the Test_Internet network. This computer is not a member of the domain.

Note

The configuration would be similar in a production environment. The differences would be in the use of the default ISA Server defined External network (representing the Internet) rather than Test_Internet, and the use of your actual IP address ranges for your Internal and perimeter networks.

Office SharePoint Server publishing walkthroughs

This section discusses the following topics:

Configure ISA Server 2006 for LDAP authentication

Publish Office SharePoint Server

Configure ISA Server 2006 for LDAP authentication

LDAP authentication is similar to Active Directory authentication, except that the ISA Server computer does not have to be a member of the domain. ISA Server 2006 connects to a configured LDAP server over the LDAP protocol to authenticate the user. Every Windows domain controller is also an LDAP server by default, with no additional configuration changes required. By using LDAP authentication, you get the following benefits:

  • For an ISA Server 2006 Standard Edition server or for ISA Server 2006 Enterprise Edition array members in workgroup mode, when ISA Server is installed in a perimeter network, you no longer need to open all of the ports required for domain membership.
  • You can authenticate users in a domain with which there is no trust relationship.

For more information about LDAP, see Appendix B: LDAP configuration.

To configure LDAP authentication, you need to:

Create an LDAP server set

Create an LDAP user set

Create an LDAP server set

Perform the following procedure to create an LDAP server set. For Standard Edition, perform the following procedure on computer isa01. For Enterprise Edition, perform the following procedure on computer storage01.

To create an LDAP server set

  1. In the console tree of ISA Server Management, click General:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, expand Configuration, and then click General.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, expand Configuration, and then click General.
  2. In the details pane, click Specify RADIUS and LDAP Servers.

  3. On the LDAP Servers Sets tab, click Add to open the Add LDAP Server Set dialog box.

  4. In LDAP server set name, type CorpLDAP.

  5. Click Add to add each LDAP server name or IP address.

  6. In Server name, type dc01 and click OK.

  7. Click OK to close the Add LDAP Server Set dialog box.

  8. Click New to open the New LDAP Server Mapping dialog box.

  9. In Login expression, type corp\*. In LDAP server set, select CorpLDAP, and then click OK.

  10. Click Close to close the Authentication Servers window.

For more information about LDAP server settings, see Appendix B: LDAP configuration.

Create an LDAP user set

To authenticate users through LDAP, you need to determine which users to authenticate and who authenticates the users. To do this, you need to create an LDAP user set.

Perform the following procedure to create an LDAP user set. For Standard Edition, perform the following procedure on computer isa01. For Enterprise Edition, perform the following procedure on computer storage01.

To create an LDAP user set

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
  2. On the Toolbox tab, click Users, and then click New. Use the wizard to create the new user set as outlined in the following table.

Page, field or property, and setting:

  • Welcome
    • User set name: type LDAPUsers.
  • Users
    • Select the users to include in this user set: click Add, and select LDAP.
  • Add LDAP User
    • LDAP server set: select CorpLDAP, the LDAP server set, from the drop-down list. Note: For information about creating an LDAP server set, see Create an LDAP server set in the preceding section.
    • User name: select All Users in this namespace. Note: You can also specify user groups or specific user accounts if you do not want all users to be part of this LDAP user set.
  • Completing the New User Set Wizard
    • Review settings: click Back to make changes and Finish to complete the wizard.

Publish Office SharePoint Server

ISA Server 2006 works with the Windows SharePoint Services 3.0 technology and the Office SharePoint Server 2007 product to enhance security.

Using the combined collaboration features of Windows SharePoint Services and Office SharePoint Server, users in your organization can easily create, manage, and build their own collaborative Web sites and make them available throughout the organization.

When you publish SharePoint sites to the Internet, you provide employees, who are not in the office, access to the information that they need to complete their jobs, no matter where they are located, without compromising security.

When you publish a SharePoint site through ISA Server, you protect the SharePoint site from direct external access because the name and IP address of the SharePoint site are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the published SharePoint site according to the conditions of your Office SharePoint Server publishing rule.

When you publish a SharePoint site, ISA Server enables you to configure forms-based authentication, enforce a required authentication method, enable two-factor authentication, and control centralized logging.

Before you begin

In this section, the assumptions for the scenario are reviewed. Information worksheets are provided to assist in gathering the necessary information required when using the SharePoint Publishing Rule Wizard.

Scenario assumptions

The following assumptions apply for this walkthrough:

  • Office SharePoint Server 2007 is installed and configured on sp01.
  • Office SharePoint Server alternate access mapping is properly configured on sp01. For more information about alternate access mapping, see Appendix C: Alternate access mapping.
  • The sp01 computer has an SSL certificate installed from dc01 with a common name of sp01.corp.contoso.com (only required for HTTPS-to-HTTPS bridging). The internal URL is https://sp01.corp.contoso.com. For more information about ISA Server HTTPS bridging options, see SSL packet inspection.
  • The isa01 computer has the root CA certificate for dc01 installed. This is necessary for ISA Server to accept the validity of the certificate on sp01.
  • The external common name, which is the fully qualified domain name (FQDN), is portal.contoso.com.
  • The isa01 computer has an SSL certificate installed from router01 with a common name of portal.contoso.com.
  • ISA Server responds to requests for portal.contoso.com on the IP address 172.16.0.103.

Information worksheet

You should have the following information available before running the SharePoint Publishing Rule Wizard.

Property Value

Office SharePoint Server publishing rule name

Name: ________________________

Publishing type

__Publish a single Web site

or

__Publish a server farm of load balanced servers

and

Server farm name:_____________

For more information about server farms, see "Web Server Farm Load Balancing in ISA Server 2006" at the Microsoft TechNet Web site.

Server connection security

How ISA Server connects to the published Web server

HTTPS or HTTP (circle one)

If HTTPS is selected, a server certificate needs to be installed on the Web server.

Internal publishing details

Internal site name (FQDN): ______________________

If the FQDN is not resolvable by ISA Server:

Computer name or IP address:_____________________

Public name details

Accept request for:

__This domain name:______________

or

__Any domain name

Select Web listener

Web listener:________________

Alternate access mapping

For more information about configuring alternate access mapping, see Appendix C: Alternate access mapping.

Confirm whether alternate access mapping has been configured on the Office SharePoint Server computer.

Yes or no (circle one)

User sets

List user sets that will have access to this rule:

_________________

__________________

Walkthrough

The following computers are required for this walkthrough:

  • dc01
  • storage01 (Enterprise Edition)
  • isa01
  • sp01
  • router01

The following sections describe how to configure the solution:

Create a Web listener

Publish a SharePoint site

Test Office SharePoint Server publishing

Create a Web listener

When you create a Web publishing rule, you must specify a Web listener to be used when creating the rule. The Web listener properties determine the following:

  • Which IP address or addresses and ports on the specified networks will listen for Web requests (HTTP or HTTPS)
  • Which server certificates to use with which IP address
  • Which authentication method to use
  • Number of concurrent connections that are allowed
  • ISA Server single sign on (SSO) settings

Use the information on the worksheet that you filled in previously, and perform the following procedure to create a Web listener.

To create a Web listener

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, click New, and then select Web Listener. Use the wizard to create the Web listener as outlined in the following table.

Page, field or property, and setting:

  • Welcome
    • Web listener name: type FBA.
  • Client Connection Security
    • Connection type, either SSL or not SSL: select Require SSL secured connections with clients.
  • Web Listener IP Addresses
    • Listen for incoming Web requests on these networks: select the External network.
    • ISA Server will compress content: check box should be selected (default).
    • Select IP Addresses: see the External Network Listener IP Selection page.
  • External Network Listener IP Selection
    • Listen for requests on: select Specified IP addresses on the ISA Server computer in the selected network.
    • Available IP Addresses: select 172.16.0.103 and click Add.
  • Listener SSL Certificates
    • A Web listener can use a single certificate for all of its IP addresses, or a different certificate for each IP address: select Assign a certificate for each IP address. Select IP address 172.16.0.103 and click Select Certificate.
  • Select Certificate
    • Select a certificate: select the certificate issued to portal.contoso.com and click Select. The certificate must be installed before running the wizard.
  • Authentication Settings
    • Specify how clients will provide credentials to ISA Server: select HTML Form Authentication.
    • Select how ISA Server will validate client credentials: select LDAP (Active Directory).
  • Single Sign On Settings
    • Enable SSO for Web sites published with this Web listener: confirm that this option is selected.
    • SSO domain name: type .contoso.com.
  • Completing the New Web Listener Wizard
    • Review settings: click Back to make changes or Finish to complete the wizard.

Note

If an LDAP server set has not already been created, the Create Web Listener Wizard will prompt you to create the LDAP server set.

Important

Configure persistent cookies to allow users to open documents from an Office SharePoint Server site without the need for the user to reauthenticate. The following security issues relate to the use of persistent cookies:

  • A malicious attacker who obtains a persistent cookie may be able to perform a brute force attack to obtain user credentials from the cookie.
  • On a public computer, if the user does not log off, the session cookie can be used by the next user to access published sites. This threat can be mitigated by not enabling persistent cookies for public computers.
  • Spyware may be able to access the cookie.

Publish a SharePoint site

Use the information on the worksheet that you filled in previously, and perform the following procedure to publish a SharePoint site.

To publish a SharePoint site

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
  2. On the Tasks tab, click Publish SharePoint Sites. Use the wizard to create a rule as outlined in the following table.

Page, field or property, and setting:

  • Welcome
    • SharePoint publishing rule name: type Publishing SharePoint.
  • Publishing Type
    • Publishing type options: select Publish a single Web site or load balancer. Note: For more information about publishing a server farm of load balanced Web servers, see "Web Server Farm Load Balancing in ISA Server 2006" at the Microsoft TechNet Web site.
  • Server Connection Security
    • Choose the type of connections ISA Server will establish with the published server or server farm: select Use SSL to connect to the published Web server or server farm. Note: For HTTPS-to-HTTP bridging (SSL Termination), select Use non-secured connections to connect the published Web server or server farm instead.
  • Internal Publishing Details
    • Internal site name: type sp01.corp.contoso.com. Important: The internal site name must match the name of the server certificate that is installed on the internal Web servers. Note: If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server, and then type the required IP address or name that is resolvable by the ISA Server computer.
  • Public Name Details
    • Accept requests for: This domain name (type below).
    • Public name: type portal.contoso.com.
  • Select Web Listener
    • Web listener: select FBA.
  • Authentication Delegation
    • Select the method used by ISA Server to authenticate to the published Web server: select NTLM authentication.
  • Alternate Access Mapping Configuration
    • For complete integration and functionality, you need to configure alternate access mapping on the published SharePoint site: select SharePoint AAM is already configured on the SharePoint server.
  • User Sets
    • This rule applies to requests from the following user sets: select All Authenticated Users and click Remove. Click Add, select LDAPUsers, click Add, and then click Close.
  • Completing the New SharePoint Publishing Rule Wizard
    • Review settings: click Back to make changes and Finish to complete the wizard.

Important

If publishing the Windows SharePoint Services 3.0 Central Administration site, the link translation feature should be disabled in the Office SharePoint Server publishing rule. Link translation can interfere with management of the alternate access mappings.

Note

If the Office SharePoint Server computer resides in a perimeter network, you might need to open up communications between the Office SharePoint Server computer and your internal network.

Test Office SharePoint Server publishing

On the router01 computer, perform the following procedure to test the new Office SharePoint Server publishing rule.

Note

Make sure that you have the root CA certificate of the issuing CA of the portal.contoso.com certificate installed.

To test Office SharePoint Server publishing

  1. Open Microsoft Internet Explorer.

  2. Browse to the following URL: https://portal.contoso.com. Use the following details to log on:

    • Domain\user name: corp\mberg
    • Password: Passw0rd

You should be in the portal now.

Appendix A: Additional publishing features

In this section, the following additional features are discussed, which you can configure to ease your deployments:

Redirect HTTP to HTTPS

Password management

Single sign on

HTTP Filtering

Redirect HTTP to HTTPS

When publishing a Web site, we recommend that users open an HTTPS connection between them and the ISA Server computer to protect the sensitive information that is being transferred over the Internet. This requires that users enter a URL such as https://portal.contoso.com. If the user enters portal.contoso.com, the user will receive the following error.

Users have a tendency not to enter the HTTPS portion of the URL even when going to a secured Web site. This behavior has been reinforced by Web administrators who have scripted their Web sites to redirect users to an HTTPS page, even when they enter HTTP. This is done to reduce the number of Help desk calls by users when they cannot open the URL they are trying to open.

To enable HTTP to HTTPS redirection, perform the following procedure.

To enable HTTP to HTTPS redirection

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server Name, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array Name, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, expand Web Listeners, right-click the Web listener, and then select Properties.

  3. Select the Connections tab.

  4. Select Enable HTTP connections on port and confirm that the listening port for HTTP is 80.

  5. Confirm that Enable SSL (HTTPS) connections on port is selected and is listening on port 443.

  6. Select Redirect all traffic from HTTP to HTTPS.

  7. Click OK to close the properties of the Web listener.

  8. Click the Apply button in the details pane to save the changes and update the configuration.

Password management

It is good security policy to require your users to change their passwords on a regular basis. Users who are not in the office on a regular basis need a method to change their passwords when they are not in the office.

When using forms-based authentication, you can inform users that their passwords are going to expire in a specific number of days and you can enable your users to change their passwords so they do not expire. Users will also be able to change an expired password.

To configure the Change Password option when using LDAP authentication, LDAP needs to be configured with the following settings:

  • Connection to the LDAP servers must be over a secured connection. This requires an SSL certificate to be installed on the Active Directory server. For more information about enabling LDAP over SSL, see "How to Enable LDAP over SSL with a third-party certification authority" at the Microsoft Help and Support Web site.
  • The ISA Server computer needs to have the root certificate for the CA that issued the SSL certificate installed on the Active Directory servers.
  • Connection to the LDAP servers cannot be via a global catalog.
  • A user name and password that are used for verifying user account status and changing passwords are required.
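The following script checks the publishing configuration built in the walkthrough from the Test_Internet side: the HTTP-to-HTTPS redirect on the FBA listener, the listener certificate issued to portal.contoso.com, the absence of direct access to sp01, and the LDAP-over-SSL connection to the domain controller that change-password requires. It is an added example, not part of the original article and not ISA Server code; it assumes the walkthrough's names (portal.contoso.com, sp01.corp.contoso.com), an assumed FQDN dc01.corp.contoso.com for the domain controller, and that the cafile parameters point at the exported root certificates of router01's and dc01's CAs.

```python
"""Post-deployment checks for the ISA Server 2006 / Office SharePoint Server
publishing described in the walkthrough. Added example: not part of the
original TechNet article and not ISA Server code. Names are the walkthrough's
(portal.contoso.com, sp01.corp.contoso.com); dc01.corp.contoso.com is an
assumed FQDN. The sample response and certificate are constructed."""
import socket
import ssl
import http.client
from urllib.parse import urlsplit

PUBLIC_NAME = "portal.contoso.com"       # external FQDN from the worksheet
INTERNAL_NAME = "sp01.corp.contoso.com"  # internal site name typed in the rule
LDAP_SERVER = "dc01.corp.contoso.com"    # member of the CorpLDAP server set (assumed FQDN)

# Constructed samples of what a correctly published site returns.
SAMPLE_REDIRECT = (302, [("Location", "https://portal.contoso.com/"), ("Content-Length", "0")])
SAMPLE_LISTENER_CERT = {  # shape of ssl.SSLSocket.getpeercert()
    "subject": ((("commonName", "portal.contoso.com"),),),
    "subjectAltName": (("DNS", "portal.contoso.com"),),
}


def check_redirect(status, headers, public_name=PUBLIC_NAME):
    """True if a plain-HTTP request was answered with a redirect to HTTPS on the
    same public name, which is what 'Redirect all traffic from HTTP to HTTPS'
    on the Web listener should produce."""
    if status not in (301, 302, 303, 307, 308):
        return False
    location = {k.lower(): v for k, v in headers}.get("location", "")
    parts = urlsplit(location)
    return parts.scheme == "https" and parts.hostname == public_name.lower()


def _name_matches(pattern, hostname):
    """Exact match, or a single-label wildcard such as *.contoso.com."""
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def check_cert_name(cert, expected_name):
    """True if a getpeercert() dict is issued to expected_name (CN or SAN DNS).
    The listener certificate must be issued to the public name; for
    HTTPS-to-HTTPS bridging the internal site name must match the certificate
    installed on sp01 in the same way."""
    expected = expected_name.lower()
    names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_matches(n, expected) for n in names)


def run_offline_checks():
    """Apply the checks to the constructed samples; returns check name -> bool."""
    return {
        "redirect": check_redirect(*SAMPLE_REDIRECT),
        "listener_cert": check_cert_name(SAMPLE_LISTENER_CERT, PUBLIC_NAME),
        # a listener certificate issued to the internal name would be wrong
        "wrong_cert_rejected": not check_cert_name(SAMPLE_LISTENER_CERT, INTERNAL_NAME),
    }


def _peer_cert(host, port, cafile, timeout):
    """TLS-connect (chain validated against cafile) and return the peer cert dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def probe_live(public_name=PUBLIC_NAME, internal_name=INTERNAL_NAME, ldap_server=LDAP_SERVER,
               external_cafile=None, internal_cafile=None, timeout=5):
    """Run the checks against a real deployment. external_cafile is the root of
    router01's CA (issuer of the listener certificate); internal_cafile is the
    corp.contoso.com root from dc01. The first three checks are meant to be run
    from the Test_Internet side, the LDAPS check from isa01."""
    results = {}
    conn = http.client.HTTPConnection(public_name, 80, timeout=timeout)
    conn.request("GET", "/")
    resp = conn.getresponse()
    results["redirect"] = check_redirect(resp.status, resp.getheaders(), public_name)
    conn.close()
    results["listener_cert"] = check_cert_name(
        _peer_cert(public_name, 443, external_cafile, timeout), public_name)
    try:  # the published server itself must not answer from the Internet side
        socket.create_connection((internal_name, 443), timeout=timeout).close()
        results["no_direct_access"] = False
    except OSError:
        results["no_direct_access"] = True
    # change-password needs LDAP over SSL on port 636 (not a global catalog port)
    # with a certificate that chains to the internal CA root
    results["ldaps"] = check_cert_name(
        _peer_cert(ldap_server, 636, internal_cafile, timeout), ldap_server)
    return results


if __name__ == "__main__":
    for name, ok in run_offline_checks().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

Run probe_live() from router01 (with the CA roots exported to files) once the rule is applied; a failing no_direct_access check means sp01 is reachable without going through isa01.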

To enable the change password functionality for forms-based authentication

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server Name, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array Name, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, expand Web Listeners, right-click the Web listener, and then select Properties.

  3. Select the Forms tab.

  4. Select Allow users to change their passwords and Remind users that their password will expire in this number of days. The default number of days is 15.

  5. Click OK to close the properties of the Web listener.

  6. Click the Apply button in the details pane to save the changes and update the configuration.

Users will now see a logon screen that includes the additional option I want to change my password after logging on.

Single sign on

When users access two different Web sites, such as an Outlook Web Access site and a SharePoint site, users should not have to provide the same credentials again when they click a link to open another site.

The ISA Server 2006 SSO feature reuses user credentials for another published server, eliminating the need to reenter credentials a second or third time. This will enhance the user experience, because users will click a link that will open another Web application without having to provide their credentials.

For more information about ISA Server SSO, see "Secure Application Publishing" at the Microsoft TechNet Web site.

HTTP Filtering

ISA Server provides granular control over HTTP communication. This control is provided in the form of an HTTP filter, an application-layer filter that examines HTTP commands and data, through which you set HTTP policy. The HTTP filter screens all HTTP traffic that passes through the ISA Server computer, and only allows compliant requests to pass through.

For example, the Verify Normalization feature (enabled by default) blocks requests whose URLs still contain escape characters after normalization. Escaped characters include, but are not limited to, the percent sign (%) and the space character ( ). If this feature is enabled, SharePoint document libraries will fail, because the URLs of document libraries and of uploaded and downloaded files include non-standard characters such as the percent sign (%).

If you are using a language containing high-bit characters (for example, umlauts in German) you should also clear the Block high bit characters check box.

More information about HTTP Filtering is provided in "Using the HTTP Filter to Help Secure HTTP Access" at the Microsoft TechNet Web site.

Note

The Verify normalization and Block high bit characters features are meant to address potential security exploits. When you turn off these features in ISA Server, you are potentially creating an opening for malicious users.
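The following model of the two checks is an added illustration, not ISA Server code; the function names and the exact decision logic are assumptions based on the descriptions above. It shows which SharePoint-style requests each check rejects, and what clearing each check lets through.

```python
"""Model of the two HTTP filter checks discussed above, Verify Normalization and Block high bit
characters, showing which SharePoint-style requests each one rejects. Added illustration, not
ISA Server code; the function names and exact decision logic are assumptions drawn from the text."""
from typing import Dict, Tuple
from urllib.parse import unquote


def fails_normalization(path: str) -> bool:
    """True if an escape character survives one round of decoding, which happens for
    double-encoded sequences and for file names that contain a literal percent sign."""
    return "%" in unquote(path)


def has_high_bit_chars(path: str) -> bool:
    """True if the raw request path contains characters above 0x7F, e.g. an unencoded umlaut."""
    return any(ord(ch) > 0x7F for ch in path)


def http_filter_decision(path: str, verify_normalization: bool = True,
                         block_high_bit: bool = True) -> Tuple[str, str]:
    """Apply the two checks with the given settings; return ('block', reason) or ('allow', '')."""
    if verify_normalization and fails_normalization(path):
        return "block", "escape characters remain after normalization"
    if block_high_bit and has_high_bit_chars(path):
        return "block", "high-bit characters in URL"
    return "allow", ""


# Constructed sample requests: an ordinary document library path, a file whose name contains a
# literal percent sign (sent as %25), and a German file name sent without encoding.
SAMPLE_PATHS = [
    "/Shared%20Documents/Report%20Q1.docx",
    "/Shared%20Documents/Q1%25Growth.xlsx",
    "/Shared%20Documents/Übersicht.docx",
]


def blocked_paths(**filter_settings: bool) -> Dict[str, str]:
    """Map each sample path the filter would block to the reason, under the given settings."""
    decisions = {p: http_filter_decision(p, **filter_settings) for p in SAMPLE_PATHS}
    return {p: reason for p, (verdict, reason) in decisions.items() if verdict == "block"}
```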

Appendix B: LDAP configuration

ISA Server 2006 features the ability to authenticate users via LDAP on computers that are running Windows Server 2003 or Windows 2000 Server. ISA Server currently does not support other LDAP servers.

LDAP authentication enables the ISA Server computer to remain in a workgroup. ISA Server authenticates users in Active Directory, using an authentication method that is similar to the method used when the ISA Server computer is a domain member.

Users can authenticate via LDAP by using either of the following name formats, which appear as login expressions in ISA Server Management:

  • Security Accounts Manager (SAM) account name (domain\username)
  • User principal name (UPN) (username@domain.com)

ISA Server can connect to an LDAP server in any of the ways described in the following table.

Connection                  Port   Requires Active Directory domain name   Supports Change Password option
LDAP                        389    Yes                                     No
LDAP over SSL (LDAPS)       636    Yes                                     Yes
LDAP using global catalog   3268   No                                      No
LDAPS using global catalog  3269   No                                      No

Note

To use LDAPS or LDAPS using global catalog, a server certificate must be installed on the LDAP server and the root certificate from the issuing CA needs to be installed on the ISA Server computer.

ISA Server LDAP servers properties

To properly configure LDAP authentication, you need to configure an LDAP server set and at least one login expression.

LDAP server set

An LDAP server set is a grouping of LDAP servers, which ISA Server uses to perform user authentication. All the servers in an LDAP server set share the same LDAP connection settings.

The following table lists the properties of an LDAP server set.

Item: LDAP server set
Description: Listing of LDAP servers available for LDAP user authentication. All servers listed will share the same LDAP connection settings.
Comment: Required.

Item: LDAP servers
Description: Listing of LDAP servers available for LDAP user authentication. Note the following:

  • When there is more than one server, the servers are queried in the order in which they are listed. If a server does not respond, it will be in time-out for one minute. If the same server does not respond again after the one minute time-out, the time-out will continue to double until the time-out reaches 32 minutes. At that point, the time-out stays at 32 minutes. When ISA Server connects to the server, the time-out counter is reset.
  • We recommend that you configure more than one LDAP server to provide redundancy for user authentication.

Comment: Minimum of one server is required.

Item: Active Directory domain
Description: Enter the domain name of the domain where the user accounts are defined. The name of the domain can be in one of the following formats:

  • FQDN: corp.contoso.com
  • Distinguished name: DC=corp,DC=contoso,DC=com

Comment: Optional if Use Global Catalog (GC) has not been selected.

Item: Use global catalog
Description: If your LDAP servers are also configured to be global catalog servers, select the Use Global Catalog (GC) option and you do not need to specify an Active Directory domain name. To use the Change Password option, this option must not be selected.
Comment: Optional. Note: The Password Management feature does not work when an LDAP server set is configured with this property.

Item: Connect LDAP servers over secure connection
Description: Select the Connect LDAP servers over secure connection option if you want the connection between the ISA Server computer and the LDAP server to be encrypted via SSL. For more information about enabling LDAP over SSL, see "How to Enable LDAP over SSL with a third-party certification authority" at the Microsoft Help and Support Web site.
Comment: Optional. Note: To use the Change Password option, this option must be selected.

Item: User name and password
Description: This option is only required if you want to use the Password Management option with forms-based authentication. Because the ISA Server computer will not be a member of the domain, you need to specify a user name and password that will be used for verifying user account status. This account can be any domain account, even a restrictive user account. This account is used by the ISA Server computer to bind to the LDAP server and query the properties of the user who is logging on. This account is not involved when changing the user's password.
Comment: Optional.

Login expression

A login expression matches the user-entered credentials with the correct LDAP server set. You need at least one login expression for each LDAP server set for authentication to occur.

An LDAP server set can have more than one login expression assigned to it. However, a login expression can only be assigned to one LDAP server set.

Examples of login expressions:

corp\*

*@corp.contoso.com

If a user enters credentials in the format mberg@contoso.com, and the login expression *@contoso.com has not been entered, the logon attempt will fail.
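The following model ties together the LDAP server set properties and the login expression rules described above: it derives the connection port from the server set settings, checks the Change Password prerequisites, routes an entered name to a server set by login expression, and computes the doubling time-out for a server that does not respond. It is an added illustration, not ISA Server code; the class, field and function names are assumptions.

```python
"""Model of the LDAP server set rules from Appendix B: connection port, Change Password
prerequisites, login-expression routing and the time-out applied to a failed server.
Added illustration, not ISA Server code; class, field and function names are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class LdapServerSet:
    name: str
    servers: List[str]                 # queried in the listed order; use several for redundancy
    domain: str = ""                   # FQDN or DN; needed unless the global catalog is used
    use_global_catalog: bool = False
    secure_connection: bool = False    # "Connect LDAP servers over secure connection" (LDAPS)
    bind_user: str = ""                # account that binds and queries user account status
    bind_password: str = ""
    login_expressions: List[str] = field(default_factory=list)

    def port(self) -> int:
        """Port from the connection table: LDAP 389, LDAPS 636, GC 3268, GC over SSL 3269."""
        if self.use_global_catalog:
            return 3269 if self.secure_connection else 3268
        return 636 if self.secure_connection else 389

    def supports_change_password(self) -> bool:
        """Change Password needs LDAPS, no global catalog, and a bind account."""
        return (self.secure_connection and not self.use_global_catalog
                and bool(self.bind_user) and bool(self.bind_password))

    def validate(self) -> List[str]:
        """Configuration problems that would stop authentication from working at all."""
        problems = []
        if not self.servers:
            problems.append("at least one LDAP server is required")
        if not self.use_global_catalog and not self.domain:
            problems.append("Active Directory domain name is required without a global catalog")
        if not self.login_expressions:
            problems.append("at least one login expression is required")
        return problems


def match_server_set(entered_name: str, server_sets: List[LdapServerSet]) -> Optional[LdapServerSet]:
    """Route a user-entered name (domain\\user or user@domain) to the first server set whose
    login expression matches. None means the logon attempt fails, as with mberg@contoso.com when
    only *@corp.contoso.com exists. Case-insensitive matching is an assumption of this model."""
    for server_set in server_sets:
        for expression in server_set.login_expressions:
            if fnmatchcase(entered_name.lower(), expression.lower()):
                return server_set
    return None


def next_timeout(current_minutes: int) -> int:
    """Time-out for a server that does not respond: 1 minute on the first failure, doubling on
    each further failure up to a ceiling of 32 minutes; a successful connection resets it to 0."""
    return 1 if current_minutes == 0 else min(current_minutes * 2, 32)
```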

Before you begin

Update the following table with information about the LDAP server set and login expressions.

Item: LDAP server set
Value: Name: _________________

Item: Server name
Value: Name: ___________________ or IP address: ___.___.___.___

Item: Active Directory domain name
Value: FQDN or distinguished name: _____________________________

Item: Use global catalog
Value: Yes or no (circle one)

Item: Connect LDAP servers over secure connection
Value: Yes or no (circle one)
Note: If you have selected to connect over a secure connection, confirm that the proper certificates have been installed.

Item: User name and password
Value: User name: ______________ Password: ________________

Item: Login expression
Value: __________________ (for example: corp\*)

To create an LDAP server set, see Create an LDAP server set.

Note

Use the LDP.exe tool to test the connectivity between the ISA Server computer and the LDAP server. By default, LDP.exe is located in the %PROGRAMFILES%\Support Tools directory.

Appendix C: Alternate access mapping

Alternate access mapping provides a mechanism for Office SharePoint Server administrators to identify the different ways in which users access SharePoint sites, ensuring that URLs (links) are displayed appropriately for the manner in which the user accesses the SharePoint site. Note the following:

  • Administrators often deploy SharePoint sites that users can access by using different URLs. It is important that functionality, such as search results for portal site and document library (Web storage system-based) content, be appropriate for the URL that was used to access the portal site. External URLs must be provided to the user in a form that is appropriate for how the user is currently accessing the SharePoint site.
  • Without alternate access mapping settings, search results might be displayed in a way that would make them inaccessible to users. Users might receive search results that they cannot access whenever they access the SharePoint site by using a URL that is different from the original URL used for crawling the content.

The Microsoft SharePoint Search service consults the alternate access mapping setting entries when crawling a document. If the URL of the document matches one of the mapping entry URLs, the URL is replaced with the mapping ID for the entry. When the search result is displayed, the mapping ID is replaced by the appropriate URL if the user is requesting the document from an access point listed in the alternate access mapping setting entries. If there is no appropriate alternate access mapping, the search results display the default public URL for zone.

Each Web application and external resource must have a default public URL for zone defined in alternate access mappings. A public URL for zone is the URL that end users type to reach the Office SharePoint Server Web application or external resource. Each Web application and external resource can have public URLs defined for up to four additional zones: intranet, Internet, custom, and extranet. Each public zone can have one or more internal URLs. An internal URL is the URL of a request as it is delivered to the Office SharePoint Server computer. Internal URLs are often different from the public URL when HTTPS-to-HTTP bridging is used with ISA Server, when the original host header is not forwarded, or when the port number of the SharePoint site on the Office SharePoint Server computer is different from the port number of the Web listener. Each URL must be different from all other URLs. These mappings are stored in the configuration database. Office SharePoint Server uses the default URL for any requested URL that is not found in the mapping table.

Important

For alternate access mapping to work properly, your Office SharePoint Server publishing rule must be configured to forward the original host header. This is the default configuration when using the SharePoint Publishing Wizard.

Windows SharePoint Services

Windows SharePoint Services is a technology that allows teams to create Web sites for information sharing and document collaboration, benefits that help increase individual and team productivity. Windows SharePoint Services is a component of the Windows Server 2003 information worker infrastructure and provides team services and sites to the Microsoft Office System and other desktop programs. It also serves as a platform for application development. Including such information technology (IT) resources as portals, team workspaces, e-mail, presence awareness, and Web-based conferencing, Windows SharePoint Services enables users to locate distributed information quickly and efficiently, as well as connect to and work with others more productively.

For more information about Windows SharePoint Services, see "Windows SharePoint Services in Windows Server 2003" at the Microsoft TechNet Web site.

Office SharePoint Server 2007

Office SharePoint Server 2007 is a product that enables enterprises to develop an intelligent portal that seamlessly connects users, teams, and knowledge so that people can take advantage of relevant information across business processes to help them work more efficiently. Office SharePoint Server 2007 provides an enterprise business solution that integrates information from various systems into one solution through single sign on and enterprise application integration capabilities, with flexible deployment options and management tools. The portal facilitates end-to-end collaboration by enabling aggregation, organization, and search capabilities for people, teams, and information. Users can find relevant information quickly through customization and personalization of portal content and layout, as well as by audience targeting. Organizations can target information, programs, and updates to audiences based on their organizational role, team membership, interest, security group, or any other membership criteria that can be defined.

Office SharePoint Server 2007 uses Windows SharePoint Services sites to create portal pages for people, information, and organizations. The portal also extends the capabilities of Windows SharePoint Services sites with organization and management tools, and enables teams to publish information in their sites to the entire organization.

For more information about Office SharePoint Server, see the Office SharePoint Server home page.

Requirements for alternate access mapping configuration

To properly configure alternate access mapping settings, you need the software versions discussed in the following table.

Technology or product        Version
Windows SharePoint Services  Windows SharePoint Services 3.0
Office SharePoint Server     Office SharePoint Server 2007

Configure alternate access mapping

You can configure alternate access mapping in either of the following ways:

  • Configuration of alternate access mapping for Windows SharePoint Services can be done from a command prompt with the Stsadm.exe command or from the Windows SharePoint Services 3.0 Central Administration site.
  • Configuration of alternate access mapping for Office SharePoint Server is done via Central Administration for the Office SharePoint Server Web administration.

Scenario

You publish a SharePoint site through ISA Server 2006 using the SharePoint Publishing Wizard. Users access the site by entering the following URL: https://portal.contoso.com. ISA Server connects to the internal Web server using the following URL: https://sps01. Based on the following information, you will configure alternate access mapping for Windows SharePoint Services and Office SharePoint Server.

When configuring alternate access mapping settings, you configure the extranet zone. A zone is another method of accessing the SharePoint site that is different from the default zone. For example, a SharePoint site named sp01 is accessed from the Internal network as https://sp01. However, when accessed by a user on the Internet via ISA Server, the user accesses https://portal.contoso.com.

When configuring a Web application to be exposed in additional zones, we recommend extending additional IIS Web sites and mapping them to the existing Web application. This allows you to independently configure authentication and security policy settings for your additional zones, such as what type of authentication to accept and whether anonymous access is allowed. We recommend using the Default zone for your published IIS Web site and the Intranet zone for access via your internal corporate network.
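The following model of the mapping mechanism described at the start of Appendix C, populated with the URLs from this scenario, is an added illustration and not Office SharePoint Server code; the class and function names are assumptions, and "{AAM}" stands in for SharePoint's internal mapping ID. It shows the crawl-time replacement of a matched URL by the mapping ID, the query-time substitution of the public URL for the requester's zone, the fallback to the Default zone, and why an unmapped URL ends up in search results unchanged.

```python
"""Model of alternate access mapping (AAM) URL rewriting as Appendix C describes it: crawl-time
replacement of a matched URL by a mapping ID, query-time substitution of the public URL for the
requester's zone. Added illustration, not Office SharePoint Server code; the class and function
names are assumptions and "{AAM}" stands in for SharePoint's internal mapping ID."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

MAPPING_ID = "{AAM}"  # placeholder for the mapping ID stored in the search index


def origin(url: str) -> str:
    """Protocol, host and port of a URL, lower-cased so entries compare consistently."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


@dataclass
class AlternateAccessMapping:
    # zone -> public URL; Default is mandatory, the others are Intranet, Internet, Custom, Extranet
    public_urls: Dict[str, str]
    # internal URL (the request as delivered to the SharePoint computer) -> zone
    internal_urls: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if "Default" not in self.public_urls:
            raise ValueError("a default public URL for zone must be defined")
        self.internal_urls = {origin(u): z for u, z in self.internal_urls.items()}
        # Assumption: each public URL is also an internal URL of its own zone; a URL that
        # already maps to another zone violates "each URL must be different from all others".
        for zone, url in self.public_urls.items():
            if self.internal_urls.setdefault(origin(url), zone) != zone:
                raise ValueError(f"{url} is already mapped to another zone")

    def zone_for_request(self, request_url: str) -> Optional[str]:
        """Zone of an incoming request, or None when its origin is not in the mapping table."""
        return self.internal_urls.get(origin(request_url))

    def index_url(self, document_url: str) -> str:
        """Crawl time: a document URL whose origin matches a mapping entry is stored as
        mapping ID + path; anything else is indexed verbatim (and may be unreachable later)."""
        doc_origin = origin(document_url)
        if doc_origin in self.internal_urls:
            return MAPPING_ID + document_url[len(doc_origin):]
        return document_url

    def render_url(self, indexed_url: str, request_url: str) -> str:
        """Query time: replace the mapping ID with the public URL of the requester's zone,
        falling back to the Default zone's public URL when the access point is unknown."""
        if not indexed_url.startswith(MAPPING_ID):
            return indexed_url
        zone = self.zone_for_request(request_url)
        public_url = self.public_urls.get(zone, self.public_urls["Default"])
        return public_url.rstrip("/") + indexed_url[len(MAPPING_ID):]


# Constructed from the scenario: the Default zone is published through ISA Server, the Intranet
# zone serves the LAN, and https://sps01 is the name ISA Server connects to when the original
# host header is not forwarded, so requests arriving there belong to the Default zone.
CONTOSO = AlternateAccessMapping(
    public_urls={"Default": "https://portal.contoso.com", "Intranet": "https://sp01"},
    internal_urls={"https://sps01": "Default"},
)
```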

To extend an additional IIS Web site for your Web application, perform the following steps.

To extend an additional IIS Web site for your Web application

  1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

  2. Click Application Management.

  3. Click Create or extend Web application.

  4. Click Extend an existing Web application.

  5. In the Web Application selector, click the selector, and then click Change Web Application.

  6. Click the Web application you want to publish.

  7. In the Description field, enter a description for the IIS Web site you will be creating for this new zone.

  8. In the Port field, select the port number of the Office SharePoint Server computer you want to extend the new zone on. Note that port 80 is commonly used for HTTP access and port 443 is commonly used for SSL access. If another IIS Web site is configured to use one of these ports, you should configure a unique host header in the next step.

  9. In the Host Header field, enter the Intranet host name of the site. For example, type sp01.

  10. In the Use Secure Sockets Layer (SSL) section, select No if you want the IIS Web site on the Office SharePoint Server computer to use HTTP, or select Yes if you want it to use SSL. HTTP is preferred for better performance, and SSL is preferred if the network between the client and the Office SharePoint Server computer is untrusted.

  11. In the URL field, type the URL of the SharePoint site for the Intranet zone. For example, type https://sp01.

  12. In the Zone field, select Intranet.

  13. Click OK to extend the Web application to the new zone.

  14. When Office SharePoint Server finishes extending the Web application to the new zone, click Operations.

  15. Click Alternate access mappings.

  16. In the Alternate Access Mapping Collection selector, click the selector, and then click Change Alternate Access Mapping Collection.

  17. Click the Web application that you are publishing.

  18. Click Edit Public URLs.

  19. In the Default field, enter the URL of the requests as they will be delivered to the Office SharePoint Server computer by the Office SharePoint Server publishing rule. For example, type https://portal.contoso.com.

  20. Click Save.

  21. Click Add Internal URLs.

  22. In the URL protocol, host and port field, enter the URL of requests as they will be delivered to the Office SharePoint Server computer by the Office SharePoint Server publishing rule. For example, type https://portal.contoso.com. Note that the SharePoint Publishing Wizard automatically selects port 80 for HTTP or port 443 for SSL. If you want the Web application to use a different port on the Office SharePoint Server computer for the publishing rule, you need to edit the Office SharePoint Server publishing rule in ISA Server to bridge your requests to the desired port. If you do not want to use the feature in the Office SharePoint Server publishing rule to forward the original host header, you need to enter an alternative name here that will resolve to your Office SharePoint Server computer.

  23. In the Zone field, select the zone that you extended for the Office SharePoint Server publishing rule. For example, select Default.

  24. Click Save.