Microsoft Project Server and the Internet
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
This article describes how Microsoft Project Server can best be configured to work on the extranet, an intranet that is partially accessible to authorized outsiders. While an intranet resides behind a firewall and is accessible only to authorized users in an organization, an extranet can provide access to outsiders. Microsoft Project Server is not designed for the Internet; that is, it cannot be hosted and accessed by anonymous users like Microsoft.com or any other Internet Web page.
This article also discusses certain feature limitations on the extranet, and special steps required to enable certain features such as Portfolio Analyzer to work on the Internet. You should note that some of these same recommendations are probably valid for cross-domain scenarios, not just for the extranet.
Security Settings and Recommendations for the Extranet
This section will explain recommended security settings for Microsoft Project Server and Microsoft Internet Information Services (IIS) when opening Microsoft Project Server to the extranet. This section will also explain recommendations for running Microsoft Project Server in the most secure way on the extranet.
Much of the information below may already be in the Microsoft Project Server Setup documentation and in the Help file, Pjsvr10.chm, which comes on the Microsoft Project Server Setup CD. However, the following recommendations are worth repeating:
Use Secure Sockets Layer (SSL). This will encrypt information traveling between the client and the server. For details on how to set up SSL, see the Setting up SSL on Your Server article on the Windows 2000 Server Documentation Web site.
It is recommended that you implement Windows Authentication only; Windows authentication is more secure than Microsoft Project Server Authentication. To implement Windows authentication, you will need to change the Administrator account in Microsoft Project Server to a Windows Authorized account.
To change the Administrator account in Microsoft Project Server to a Windows Authorized account
Log on to Microsoft Project Web Access as an Administrator.
Click Admin, and on the Administration overview page, click Manage Users and Groups.
Select Administrator from the drop-down list box, and click Modify User.
On the Modify User page, select the Windows Authentication, using the Windows User Account option button.
Type the user name in the Windows User Account box, enter the e-mail name in the E-mail box, enter the user name in the User Name box, and click Save Changes.
Note: If you are using Windows Authentication only, you must select Basic authentication for the Microsoft Project Server virtual root, for the Msadcs.dll in the MSADC virtual directory, and for the SharePoint Team Services from Microsoft virtual directory. If you cannot use Integrated Windows authentication only, use Microsoft Project Server authentication; you will need to select Anonymous Access for the items just mentioned.
You may want to require Microsoft Project to authenticate to Microsoft Project Server before publishing. This is the default setting during Microsoft Project Server Setup when you select "Microsoft Project Professional 2002" in the "Choose a version of Microsoft Project" step. If you select "Microsoft Project Standard 2002 and/or Microsoft Project 2000," any user can publish information to Microsoft Project Server without authentication. However, if you are in a Microsoft Project Standard 2002 environment where you don't work with Microsoft Project 2000, you can still require authentication; by doing this, Microsoft Project adds a layer of security. Also, if you choose the latter option and are not using Microsoft Project 2000, you should also clear the Anonymous access box for the Pjdbcomm.dll in the ISAPI virtual directory of Microsoft Project Server (you will do this in IIS). One word of caution: you should not do this if Microsoft Project 2000 needs to connect to Microsoft Project Server. In that case, once you migrate all users to Microsoft Project 2002, you can proceed with these steps.
Feature Limitations of Microsoft Project Server in the Extranet
The most prominent feature that is not supported in the extranet is that of Microsoft Project Professional 2002 saving data to the enterprise database. Microsoft Project Professional saves to the enterprise database by using Open Database Connectivity (ODBC). This does not work over the extranet, unless a particular port is opened for the Microsoft SQL Server database (see "Saving Projects to Microsoft Project Server Over the Extranet [Microsoft Project Professional Only]," below).
Note: Microsoft Project Standard can publish projects to Microsoft Project Server in the extranet. The workaround for Microsoft Project Professional users is to use the offline functionality to save a project offline, work on it, and then connect back to the network to save the changes back to the enterprise database.
Portfolio Analyzer in the Extranet
Portfolio Analyzer overview
With the new Portfolio Analyzer, users can quickly query information across their portfolios. This tool enables users to view project and resource information conveniently, in a variety of ways: as a PivotTable, as a chart, or both.
The Portfolio Analyzer view provides executives and functional managers with easy access to detailed information about their projects and resources. This feature supports fast and powerful analysis capabilities using data directly from Microsoft Project Server. The analyses can then be used to support fundamental project-related business decisions.
To deliver this functionality, Microsoft Project uses Office Web Components (OWC). These are a collection of Microsoft ActiveX controls designed to let users publish fully interactive worksheets, charts, PivotTable reports, and databases to the Web. When users view a Web page that contains an OWC, they can interact with the data displayed in that document directly in Microsoft Internet Explorer, as long as they have a license for the OWCs on their system. Users can sort, filter, add, or change data, expand and collapse detail views, work with PivotTable lists, and chart the results of their changes.
The OWCs provide a common set of functions that can be accessed from several Microsoft Office applications, for example, Microsoft Excel 2002, Microsoft FrontPage 2002, and now Microsoft Project Professional or Microsoft Project Web Access.
While OWCs can access many different data sources, the only source for Portfolio Analyzer is the online analytical processing (OLAP) cube that has been generated by the administrator.
While there are many different parts to the OWCs, only some of their functions will be used in Portfolio Analyzer. These are:
The PivotTable provides dynamic views that enable users to analyze information by sorting, grouping, filtering, and pivoting. The data comes from the Microsoft Project Server OLAP cube, and will be displayed in a spreadsheet format.
The data source component is the reporting engine behind the PivotTable component. It manages communication with back-end database servers and determines which database records can be displayed on the page. It manages the sorting, filtering, and updating of those records in response to user actions. It relies on Microsoft Active Data Objects (ADO). In Microsoft Project Professional and Microsoft Project Web Access, the only valid data source is the Microsoft Project Server OLAP cube.
The chart component graphically displays information from the spreadsheet, from the PivotTable views, or from the data source component. It is not "bound" or linked directly to other controls on the display page, and therefore always updates instantly in response to user interactions. For example, a user can chart a PivotTable view that displays sales by region.
There are three modes in which an Analyzer view can be defined: PivotTable, Chart, and a combination of both.
Setting up the analysis server to be accessible via HTTP
The key issue with the architecture of Portfolio Analyzer is that Microsoft uses the OWCs to bind directly to the analysis server. In order for this to work over the extranet, you must configure it correctly. It is recommended that you read a support article that explains how the analysis server needs to be configured; see the How to Connect to Analysis Server 2000 By Using HTTP Connection (279489) article on the Product Support Services Web site. The main points of this article are as follows:
You need the Enterprise Edition of SQL Server Analysis Services (this comes with the Enterprise Edition of SQL Server 2000)
Internet Information Server (IIS) has to run on the computer where SQL Server Analysis Services is running. This need not be the same machine as Microsoft Project Server; in fact, it is recommended that it not be on the same machine as Microsoft Project Server
You need to follow the steps, as specified in the article, to set up the server.
To set up the analysis server
On the analysis services computer, copy the file Msolap.asp from the Program Files\Microsoft Analysis Services\Bin folder to either the Inetpub\Wwwroot folder or to a subfolder under Wwwroot.
To ensure that Msolap.asp is installed and working properly, in the Address bar, type the URL http://www.AnalysisServerName/Msolap.asp, and replace "AnalysisServerName" with the name of your server.
If everything is working properly, you should see a blank page, instead of the message "The page could not be displayed," or a similar message.
Note: The URL must be accessible through the Internet.
Set Msolap.asp to use Basic authentication and Integrated Windows authentication, as follows:
Right-click Msolap.asp, and then click Properties.
Click the File Security tab, and then edit the Anonymous Access and Authentication Control box to make changes.
Make sure that both the Basic Authentication and Integrated Windows Authentication check boxes are selected.
Note: It is strongly recommended that SSL be used on the analysis server computer so that the data is encrypted (most importantly, the NT passwords) when it is sent between the client and the server computers.
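One way to verify the Msolap.asp settings above from the outside, as an added example that is not part of the original article: it classifies the response to an unauthenticated request by the authentication schemes IIS offers and whether the URL uses SSL. The host name and the probe results are constructed sample data.

```python
# Constructed sample data: responses to an unauthenticated GET, as
# (url, HTTP status, WWW-Authenticate header values). Host names are placeholders.
SAMPLE_PROBES = [
    ("http://analysis.example.com/Msolap.asp", 401,
     ["Negotiate", "NTLM", 'Basic realm="analysis.example.com"']),
    ("https://analysis.example.com/Msolap.asp", 401,
     ["Negotiate", "NTLM", 'Basic realm="analysis.example.com"']),
    ("https://analysis.example.com/Msolap.asp", 200, []),
    ("https://analysis.example.com/Msolap.asp", 401, ["Negotiate", "NTLM"]),
]


def offered_schemes(www_authenticate):
    """Return the lowercase scheme names from WWW-Authenticate header values."""
    return {v.split(None, 1)[0].lower() for v in www_authenticate if v.strip()}


def audit_probe(url, status, www_authenticate):
    """Compare one unauthenticated response with the settings the article recommends."""
    if status == 200:
        return ["served without a challenge: anonymous access is enabled"]
    if status != 401:
        return ["unexpected status %d: resource missing or misconfigured" % status]
    schemes = offered_schemes(www_authenticate)
    findings = []
    if "basic" not in schemes:
        findings.append("Basic authentication is not offered")
    # IIS announces Integrated Windows authentication as Negotiate and/or NTLM.
    if not schemes & {"negotiate", "ntlm"}:
        findings.append("Integrated Windows authentication is not offered")
    if "basic" in schemes and not url.lower().startswith("https://"):
        findings.append("Basic offered without SSL: passwords are sent unencrypted")
    return findings


def audit_all(probes):
    """Audit every probe; an empty findings list means the settings match."""
    return [(url, audit_probe(url, status, hdrs)) for url, status, hdrs in probes]


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_PROBES):
        print(url, "->", findings or ["matches the recommended settings"])
```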
Setting up connection strings in the Portfolio Analyzer view
Once the analysis server has been configured, the administrator needs to follow these steps when creating Portfolio Analyzer views that are to be viewed over the Internet:
On a machine that is within the intranet, log on to Microsoft Project Web Access as an administrator.
Click Admin, and on the Administration overview page, click Manage views.
Click Add View.
Click the Portfolio Analyzer option button.
On the Office PivotTable toolbar, click the Commands and Options option button.
Click the Data Source tab.
In the connection string, leave everything untouched, except for the following:
Add "http://" and "/" to the connection string; for example:
Data Source = myanalysisserver becomes Data Source = http://myanalysisserver/
Insert "Prompt=Yes" anywhere in the connection string.
Save your changes.
When users try to access this extranet-enabled view from Microsoft Project or from the Resource center of Microsoft Project Web Access, they will be prompted to enter their Windows user account name and password before they can see the view. Since the Windows user account name and password are sent in plain text, you should be sure to use SSL so that the information is sent encrypted.
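A check for the connection-string edits described above, as an added example that is not part of the original article: it parses a view's connection string and reports what is missing for extranet use. The sample strings are constructed, and treating an https:// Data Source as the way to satisfy the SSL recommendation is an assumption of this example.

```python
from urllib.parse import urlsplit


def parse_connection_string(conn):
    """Split a 'Key=Value;Key=Value' connection string into a dict (keys lowercased)."""
    props = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        props[key.strip().lower()] = value.strip().strip('"')
    return props


def audit_view_connection(conn):
    """Return findings for a Portfolio Analyzer view that must work over the extranet."""
    props = parse_connection_string(conn)
    source = props.get("data source", "")
    scheme = urlsplit(source).scheme.lower()
    findings = []
    if scheme not in ("http", "https"):
        findings.append("Data Source is not a URL: the view only works inside the intranet")
    else:
        if scheme == "http":
            findings.append("Data Source uses http://: the Windows password is sent in plain text")
        if not source.endswith("/"):
            findings.append("Data Source URL is missing the trailing '/'")
    if props.get("prompt", "").lower() != "yes":
        findings.append("Prompt=Yes is missing: users are not prompted for credentials")
    return findings


# Constructed sample connection strings (server and catalog names are placeholders).
INTRANET = "Provider=MSOLAP.2;Data Source=myanalysisserver;Initial Catalog=SampleCube"
AS_WRITTEN = ("Provider=MSOLAP.2;Data Source = http://myanalysisserver/;"
              "Prompt=Yes;Initial Catalog=SampleCube")
WITH_SSL = ("Provider=MSOLAP.2;Data Source=https://myanalysisserver/;"
            "Prompt=Yes;Initial Catalog=SampleCube")

if __name__ == "__main__":
    for name, conn in (("intranet", INTRANET), ("http", AS_WRITTEN), ("https", WITH_SSL)):
        print(name, "->", audit_view_connection(conn) or ["ready for extranet use"])
```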
Note: When Portfolio Analyzer is installed according to the above instructions, it will be accessible through the Internet or your intranet. Exposure to the Internet may not be acceptable to all enterprises or in all situations, so plan your installation accordingly.
It is strongly recommended that you view the Microsoft SQL Server 2000 Analysis Services: How to Connect to Analysis Services over the Internet webcast at the Microsoft Support Services Web site.
Documents and Issues (SharePoint Team Services) on the Internet
Overview of SharePoint Team Services
SharePoint Team Services from Microsoft provides both Web publishing and collaboration features to make communicating ideas and sharing information easier. SharePoint Team Services is a superset of Microsoft FrontPage Server Extensions 2002, and includes all of the features available with the server extensions. In addition, SharePoint Team Services contains new workgroup features that create a rich environment for Web publishing and team communication. By using SharePoint Team Services, administrators can create, author, and administer Web sites that help a team organize and make progress on a project.
Configuring SharePoint Team Services
If Microsoft Project Server requires SSL security, SharePoint Team Services also requires the same.
To set up SharePoint Team Services for SSL
Configure the virtual server running SharePoint Team Services so that it requires SSL. For information on how to set up SSL, see the Setting up SSL on Your Server article on the Windows 2000 Server Documentation Web site.
Also, see the SharePoint Team Services Administrator's Guide article on Microsoft TechNet.
Both the SharePoint Team Services Web site and SharePoint Team Services administration Web site should be configured to require SSL.
Log on to Microsoft Project Web Access as an Administrator.
Click Admin, and on the Administration overview page, click Manage SharePoint Team Services.
Click Connect to servers.
To add a new server, click Add Server, or to modify an existing server, click Modify Server.
Select the Always access SharePoint websites using SSL and The SharePoint Administration port is a SSL port check boxes.
For external users, create local NT accounts on both the Microsoft Project Server computer and on the SharePoint Team Services computer, so that users can be authenticated into Microsoft Project Server and SharePoint Team Services using a Windows account.
Turn off anonymous access for the virtual server running SharePoint Team Services.
For more information on other security settings for SharePoint Team Services, see the Configuring Properties for a Virtual Server article on TechNet.
For more detailed information about SharePoint Team Services and possible feature limitations, see the Microsoft Project Server and SharePoint Team Services resource kit article.
For more information about setting up SharePoint Team Services, see the Microsoft Project Server Installation Guide, Pjsvr10.chm, found on the Microsoft Project Server Setup CD. You may download a copy of the Microsoft Project Server Installation Guide from the General Reference Tools section of the resource kit toolbox.
You will determine which security settings to implement on all virtual servers. On the Change Configuration Settings page of SharePoint Team Services, you can change security options in the Security Settings section. You can track information about the authoring processes by selecting the Log authoring actions check box. When you select this check box, an Author.log file is created in the Web site's _vti_log folder. If you want all users to use SSL security, you can select the Require SSL for authoring and administration check box. Finally, you can specify whether to allow users to store executable files (such as EXE files) on your virtual server by selecting or clearing the Allow authors to upload executables check box. Note that if the Allow authors to upload executables check box is cleared, users cannot upload files to any folders that are marked executable. It does not matter whether the files being uploaded are executable files or not.
Saving Projects to Microsoft Project Server Over the Extranet (Microsoft Project Professional Only)
This section addresses issues with running Microsoft Project Professional from outside the corporate firewall. Microsoft Project Web Access functionality will work over the extranet; however, performing project management tasks with Microsoft Project Professional in online mode requires a direct ODBC connection to the SQL Server computer that hosts the Microsoft Project Server database.
There are three solutions to this ODBC connection problem:
Utilize a VPN connection to the corporate network. This allows a user to utilize the extranet as if it were a secure network cable back to the corporate network. A user's remote machine would be running as if he were logged on directly to the corporate network inside the firewall. There are possible bandwidth issues with this solution, as well as possible reliability issues depending on location of the user, the corporate network, and the Internet in general.
Utilize a VPN and Windows Terminal Services. The VPN will handle the security of the connection, and utilizing Windows Terminal Services helps to minimize bandwidth issues, since only the "display" bits are passed over the wire, and the rest of the data movement happens inside the firewall on the corporate network.
Open the SQL Server computer to the extranet, which requires opening the correct inbound port through the firewall to access the SQL Server (typically 1433), as well as positioning the SQL Server computer on your network where it is directly exposed to the extranet segment. This is generally considered to be a very bad idea, primarily due to security concerns. Exposing your database server to the extranet segment is an invitation for hackers.