Secure Application Publishing

Microsoft® Internet Security and Acceleration (ISA) Server 2006 is the security gateway that helps protect your mission-critical applications from Internet-based threats. ISA Server enables your business to do more, with secure access to Microsoft applications and data. Secure your Microsoft application infrastructure by protecting your corporate applications, services, and data across all network layers with stateful packet inspection, application-layer filtering, and comprehensive publishing tools. Streamline your network with simplified administrator and user experiences through a unified firewall and virtual private network (VPN) architecture, which includes Web caching and bandwidth management, an optimized firewall filtering engine, and comprehensive access controls. Safeguard your information technology environment to reduce security risks and costs, and help eliminate the effects that malicious software and attackers have on your business, by using comprehensive tools for scanning and blocking harmful content, files, and Web sites.

In this document, the following new or enhanced features are discussed:

  • Secure application publishing scenarios
  • Microsoft Office SharePoint® Portal Server publishing
  • Microsoft Exchange Web client access publishing
  • Microsoft Outlook® Web Access
  • Microsoft Office Outlook 2003 RPC over HTTP access
  • Server farms for load balancing between Web servers
  • Single sign on (SSO)

Contents

Scenario

Solution

Network Topology

Secure Application Publishing Walk-Throughs

Appendix A: Additional Publishing Features

Appendix B: LDAP Configuration

Appendix C: Alternate Access Mapping

Appendix D: Security Tips

Appendix E: Administrative Tips

Scenario

Contoso, Ltd wants to give its employees simple and secure access to the following business applications when they are away from the office:

  • Outlook Web Access
  • RPC over HTTP for Outlook clients
  • SharePoint Portal Server and Windows SharePoint Services

Contoso also wants to enhance the working relationship with partners and vendors by providing access to these applications.

Currently, access to these applications is available only to users through a client access VPN connection. For security reasons, Contoso does not want to allow direct access from the Internet to these applications, because attacks may be hidden within Secure Sockets Layer (SSL) connections. Contoso does not want internal servers to be accessible directly from the Internet.

Client access VPN connections can be slow, and proper configuration of the VPN connection on the client computer is required. Also, when employees are at an off-site location, they may be behind a firewall, which blocks client access VPN connections. These limitations reduce the effectiveness of accessing important information when not in the office. ISA Server 2006 publishing provides secure and quick access to applications.

Solution

The prescribed solution is to publish applications with ISA Server 2006. Communication from external clients to the ISA Server computer and from the ISA Server computer to the published server is encrypted using SSL. ISA Server is not joined to the domain and performs authentication via a Lightweight Directory Access Protocol (LDAP) connection to the domain.

ISA Server 2006 Standard Edition or ISA Server 2006 Enterprise Edition can be used in this solution.

Security

ISA Server 2006 addresses the Contoso issues by making their applications available over the Internet in a secure way.

No Direct Access to Server from the Internet

When you publish an application through ISA Server 2006, you are protecting the server from direct external access because the name and IP address of the server are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the server according to the conditions of the server publishing rule.

SSL Packet Inspection

SSL bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, after receiving the client's request, ISA Server 2006 decrypts it, inspects it, and terminates the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the publishing Web server. If the secure Web publishing rule is configured to forward the request using Secure HTTP (HTTPS), ISA Server initiates a new SSL connection with the published server. Because the ISA Server computer is now an SSL client, it requires that the publishing Web server responds with a server-side certificate.

Authentication

ISA Server 2006 enables you to configure forms-based authentication for supported applications. Forms-based authentication enables you to enforce required authentication methods, enable two-factor authentication, control e-mail attachment availability, and provide centralized logging.

ISA Server 2006 supports LDAP authentication, enabling you to place the ISA Server computer in the perimeter network (also known as DMZ, demilitarized zone, and screened subnet). The ISA Server computer does not join the domain, so you no longer need to open all of the required ports for Active Directory® directory service communications. You still need to open LDAP or global catalog ports between the ISA Server computer and the configured Active Directory domain controller. Keeping your ISA Server computers in a workgroup configuration reduces the attack surface and simplifies the deployment of ISA Server. For more information about authentication, see "Authentication in ISA Server 2006" at the Microsoft TechNet Web site.

Ease of Use

ISA Server 2006 overcomes the difficulties of using client access VPN connections in the following ways:

  • Access to published applications is via a Web browser.
  • Applications are now more widely available and more accessible than remote access VPNs due to the use of SSL. You can access your published applications behind firewalls, from connections using network address translation (NAT), and from other networking devices that might otherwise be blocking remote access VPN connections.
  • The reconnect process is easier and quicker, due to SSL. If your connection to the Internet is disconnected, you no longer need to reconnect via the remote access VPN dialer. After Internet access is reconnected, you can go back to your published application.
  • Partners, vendors, and employees who are not in the office can easily access the required information in a secure way.

Network Topology

The scenarios assume that you will deploy this solution in a laboratory environment that includes the following two networks:

  • A network simulating your corporate network, called HQ_Net. In the walk-through, HQ_Net spans this address range: 10.0.0.1 through 10.0.0.254.
  • A network simulating the Internet, called Test_Internet. In the walk-through, Test_Internet spans this address range: 172.16.0.0 through 172.16.255.255.

The following figure illustrates the computers used in the feature walk-through.

[Figure: the computers used in the feature walk-through, connected across HQ_Net and Test_Internet]

The following table provides information about the computers used in the feature walk-through.

Computer name | Operating system | Additional software | Comments
dc01 | Microsoft Windows Server® 2003 with Service Pack 1 (SP1) | Domain controller, Domain Name System (DNS), Internet Information Services (IIS), certification authority (CA) | Domain controller and internal CA
exchange01 | Windows Server 2003 SP1 | Microsoft Exchange Server 2003 SP1, IIS | Back-end Exchange server
owa01 | Windows Server 2003 SP1 | Exchange Server 2003 SP1, IIS | Front-end Exchange server
sps01 | Windows Server 2003 SP1 | Microsoft Office SharePoint Portal Server 2003 with Service Pack 2, IIS | None
isa01 | Windows Server 2003 SP1 | ISA Server 2006 Standard Edition or Enterprise Edition | None
client01 | Windows® XP Professional with Service Pack 2 (SP2) | Microsoft Office Word 2003, Office Excel 2003, and Office Outlook 2003 | None
storage01 | Windows Server 2003 SP1 | ISA Server 2006 Enterprise Edition | Configuration Storage server required only for Enterprise Edition
router01 | Windows Server 2003 SP1 | IIS, DNS, CA | Simulated Internet routing, DNS, and CA services

The following applies:

  • A computer referred to as dc01 is the domain controller for HQ_Net and provides the following services:
    • Domain controller for corp.contoso.com
    • Authentication services
    • DNS for internal domain corp.contoso.com
    • CA services for corp.contoso.com
  • A computer referred to as exchange01 is providing messaging services for corp.contoso.com. This computer is a member of the domain.
  • A computer referred to as owa01 is providing Outlook Web Access for remote users. This computer is a member of the domain.
  • A computer referred to as sps01 is providing SharePoint Portal Server 2003 portal services for remote users. This computer is a member of the domain.
  • A computer referred to as storage01 is the Configuration Storage server for the enterprise, necessary in a case where you are using ISA Server Enterprise Edition. This computer is a member of the domain. The Configuration Storage server was installed with a certificate for authentication over a SSL-encrypted channel.
  • A computer referred to as isa01 is providing firewall and publishing services. This computer is in a workgroup. You will configure LDAP authentication to enable ISA Server to authenticate domain users. The isa01 computer has two network adapters installed:
    • The IP address of the adapter connected to HQ_Net is 10.0.0.254/24.
    • The IP address of the adapter connected to Test_Internet is 172.16.0.2/24 with the secondary IP addresses 172.16.0.103 through 172.16.0.104.
  • For ISA Server 2006 Enterprise Edition, the following applies:
    • Follow the instructions in the ISA Server 2006 Quick Start Guide to install the Configuration Storage server. Because the ISA Server computer will not join the domain, during the installation, on the Enterprise Deployment Environment page, select Use certificate authentication, and provide the location of the exported server certificate.
    • The solution assumes that an array named main has been created with the following configuration settings:
      • Storage01 has been added to the Remote Management Computers computer set.
      • Authentication on the Configuration Storage page has been set to Authenticate over SSL-encrypted channel.
      • isa01 has joined the main array during installation of ISA Server 2006.

For more information about installing ISA Server 2006, see the Quick Start Guides and the Installation Guides on the product CD.

The following table shows three users who have been created in the domain and have mailboxes on exchange01.

First name | Last name | User logon name | User logon name (prior to Windows 2000) | Password | Mailbox | Exchange server
Matt | Berg | mberg | Mberg | Passw0rd | Yes | exchange01
Jeff | Hay | Jhay | Jhay | Passw0rd | Yes | exchange01
Lisa | Miller | lmiller | Lmiller | Passw0rd | Yes | exchange01

A computer referred to as router01 is providing DNS and CA services to the Test_Internet network. This computer is not a member of the domain.

Note

The configuration would be similar in a production environment. The differences would be in the use of the default ISA Server defined External network (representing the Internet) rather than Test_Internet, and the use of your actual IP address ranges for your Internal and perimeter networks.


Secure Application Publishing Walk-Throughs

This section discusses the following topics:

Configure ISA Server 2006 for LDAP Authentication

Publish Outlook Web Access and RPC over HTTP

Publish SharePoint Sites

Secure Single Sign On Between Web and Outlook Web Access Publishing

Configure ISA Server 2006 for LDAP Authentication

LDAP authentication is similar to Active Directory authentication, except that the ISA Server computer does not have to be a member of the domain. ISA Server 2006 connects to a configured LDAP server over the LDAP protocol to authenticate the user. Every Windows domain controller is also an LDAP server, by default, with no additional configuration changes required. By using LDAP authentication, you get the following benefits:

  • ISA Server 2006 Standard Edition servers and ISA Server 2006 Enterprise Edition array members can run in workgroup mode. When ISA Server is installed in a perimeter network, you no longer need to open all of the ports required for domain membership.
  • Authentication of users in a domain with which there is no trust relationship.

For more information about LDAP, see Appendix B: LDAP Configuration.

To configure LDAP authentication, you need to:

Create an LDAP Server Set

Create an LDAP User Set

Create an LDAP Server Set

Perform the following procedure to create an LDAP Server set. For Standard Edition, perform the following procedure on computer isa01. For Enterprise Edition, perform the following procedure on computer storage01.

To create an LDAP server set

  1. In the console tree of ISA Server Management, click General:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, expand Configuration, and then click General.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, expand Configuration, and then click General.
  2. In the details pane, click Specify RADIUS and LDAP Servers.

  3. On the LDAP Servers Sets tab, click Add to open the Add LDAP Server Set dialog box.

  4. In LDAP server set name, type CorpLDAP.

  5. Click Add to add each LDAP server name or IP address.

  6. In Server name, type dc01 and click OK.

  7. Click OK to close the Add LDAP Server Set dialog box.

  8. Click New to open the New LDAP Server Mapping dialog box.

  9. In Login expression, type corp\*. In LDAP server set, select CorpLDAP, and click OK.

  10. Click Close to close the Authentication Servers window.

For more information about LDAP server settings, see Appendix B: LDAP Configuration.

Create an LDAP User Set

To authenticate users through LDAP, you need to determine which users to authenticate and who authenticates the users. To do this, you need to create an LDAP user set.

Perform the following procedure to create an LDAP user set. For Standard Edition, perform the following procedure on computer isa01. For Enterprise Edition, perform the following procedure on computer storage01.

To create an LDAP user set

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
  2. Use the New User Set Wizard to create the user set as outlined in the following table.

Page | Field or property | Setting
Welcome | User set name | Type LDAPUsers.
Users | Select the users to include in this user set | Click Add, and select LDAP.
Add LDAP User | LDAP server set | Select CorpLDAP, the LDAP server set, from the drop-down list.
Add LDAP User | User name | Select All Users in this namespace.
Note   You can also specify user groups or specific user accounts if you do not want all users to be part of this LDAP user set.
Completing the New User Set Wizard | Review settings. | Click Back to make changes and Finish to complete the wizard.

  3. Click the Apply button in the details pane to save the changes and update the configuration.

Publish Outlook Web Access and RPC over HTTP

Outlook Web Access provides Web browser access to e-mail, scheduling (including group scheduling), contacts, tasks, and collaborative information stored in Exchange Storage System folders. Outlook Web Access is used by remote, home, and roving users.

RPC over HTTP enables users to access e-mail with Office Outlook 2003 over the Internet. Exchange Server 2003, together with Outlook 2003 and Windows Server 2003, supports the use of RPC over HTTP to access servers that are running Exchange Server. By using RPC over HTTP, users no longer have to use a VPN connection to connect to Exchange mailboxes. Users who are running Outlook 2003 on client computers can connect to an Exchange server in a corporate environment from the Internet.

When you publish Outlook Web Access servers and RPC over HTTP through ISA Server, you are protecting the Outlook Web Access server and the RPC over HTTP proxy server from direct external access because the name and IP address are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the Outlook Web Access server or RPC over HTTP proxy server according to the conditions of your mail server publishing rule.

Further, when you publish Outlook Web Access, ISA Server enables you to configure forms-based authentication, enforce required authentication methods, enable two-factor authentication, control e-mail attachment availability, and provide centralized logging.

The New Exchange Server Publishing Wizard also enables you to publish Outlook Mobile Access and Exchange ActiveSync®. Outlook Mobile Access provides users with access to Outlook from mobile devices. Using Exchange ActiveSync, you can synchronize with high levels of security, directly to your Exchange mailboxes from Microsoft Windows Mobile®-based devices, such as Pocket PC, Pocket PC Phone Edition, and Smartphones.

Before You Begin

In this section, the assumptions for the scenario are reviewed. Information worksheets are provided to assist in gathering the necessary information required when using the New Web Listener Wizard and the New Exchange Publishing Rule Wizard.

Scenario assumptions

The following assumptions apply to the scenario:

  • Exchange Server 2003 is installed and configured on exchange01.

  • Exchange Server 2003 is installed and configured on owa01. The owa01 computer should be configured as an Exchange front-end server. For more information about Exchange Server front-end and back-end configurations, see the following:

    Important

    On owa01, do not select the Exchange Server 2003 forms-based authentication option. Forms-based authentication should be configured on the ISA Server Web publishing rule.

  • The owa01 computer has an SSL certificate installed from dc01 with a common name of owa01.corp.contoso.com. The internal URL is https://owa01.corp.contoso.com/exchange.

  • The external common name (fully qualified domain name or FQDN) is mail.contoso.com.

  • The isa01 computer has the root CA certificate for dc01 installed. This is necessary for ISA Server to accept the validity of the certificate on owa01.

  • The isa01 computer has an SSL certificate installed from router01 with the common name of mail.contoso.com.

  • The FQDN mail.contoso.com will resolve to the IP address 172.16.0.104, which is installed as a secondary IP address on isa01.

Information worksheets

Update the following table with information that will be used when you use the New Web Listener Wizard.

Property Value

Web listener name

Name: ________________________

Client connection security

Note the following:

  • If HTTP is selected, information between the ISA Server computer and the client will be transferred in plaintext.
  • If HTTPS is selected, a server certificate needs to be installed on the ISA Server computer.

HTTPS or HTTP (circle one)

Web listener IP address

Network: ___________________

Optional

Specific IP address: ___.___.___.___

Note   If this specific IP address is not the primary network adapter IP address, a secondary IP address needs to be installed on the ISA Server computer before creating the Web listener.

Authentication settings

Web listener SSL certificate

Note   This is only required if HTTPS has been selected for client connectivity security.

___Use a single certificate for this Web listener.

Certificate issued to: _______________________

___Assign a certificate for each IP address. (This option will only be available if a specific IP address has been assigned to the Web listener.)

Certificate issued to: _______________________

Single sign on settings

___Enable single sign on.

Single sign on domain name:

___________________________

Update the following table with information that will be used when you use the New Exchange Publishing Rule Wizard.

Property Value

Exchange publishing rule name

Name: ________________________

Services

Exchange version: ____________

__Outlook Web Access

__Outlook RPC over HTTP

__Outlook Mobile Access

__Exchange ActiveSync

Publishing type

__Publish a single Web site.

or

__Publish a server farm of load balanced servers.

and

Server farm name:_____________

Server connection security

HTTPS or HTTP (circle one)

Note the following:

  • If HTTP is selected, information between the ISA Server computer and the Web server will be transferred in plaintext.
  • If HTTPS is selected, a server certificate needs to be installed on the Web server.

Internal publishing details

Internal site name (FQDN): ______________________

If the FQDN is not resolvable by the ISA Server computer:

Computer name or IP address:_____________________

Public name details

Accept request for:

__This domain name:______________

or

__Any domain name

Select Web listener

Web listener:________________

User set

List user sets that will have access to this rule:

_________________

__________________

Walk-Through

The following computers are required for this walk-through:

  • dc01
  • exchange01
  • owa01
  • storage01 (for Enterprise Edition)
  • isa01
  • router01
  • client01

The following procedures are used to publish Outlook Web Access and RPC over HTTP:

Create a server farm (optional)

Create a Web listener

Create an Exchange Web client access publishing rule

Create a server farm (optional)

When you have more than one Web server providing access to the same content, you can use ISA Server 2006 to provide load balancing for these servers. This will enable you to publish the Web site once, instead of having to run the wizard multiple times. Also, this eliminates the need for a third-party product to load balance a Web site. If one of the servers is unavailable, ISA Server 2006 will detect that the server is not available and will direct users to servers that are working. ISA Server 2006 verifies on regular intervals that the servers that are members of the server farm are functioning. The server farm properties determine the following:

  • Servers included in the farm
  • Connectivity verification method that ISA Server will use to verify that the servers are functioning

Server farm considerations:

  • There is a second Exchange front-end server named owa02.corp.contoso.com.
  • Both servers have a server certificate installed with the following FQDN: owa.corp.contoso.com.

Perform the following procedure to create a server farm.

To create a server farm

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand ISA01, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, click New, and select Server Farm. Use the wizard to create the server farm as outlined in the following table.

Page | Field or property | Setting
Welcome | Server farm name | Type Exchange OWA.
Servers | Servers | Select Add and enter either the IP addresses or names of your servers: owa01.corp.contoso.com and owa02.corp.contoso.com.
Connectivity Monitoring | Apply this method | Select Send an HTTP/HTTPS "GET" request to the following URL.
Completing the New Server Farm Wizard | Review settings. | Click Back to make changes and Finish to complete the wizard.

  3. When the wizard completes, click Yes in the Enable HTTP Connectivity Verification dialog box.
  4. Click the Apply button in the details pane to save the changes and update the configuration.

For more information about connectivity verifiers, see the product Help.

Create a Web listener

When you create a Web publishing rule, you must specify a Web listener to be used when creating the rule. The Web listener properties determine the following:

  • Which IP addresses and ports on the specified networks will listen for Web requests (HTTP or HTTPS).
  • Which server certificates to use with which IP address.
  • Which authentication method to use.
  • Number of concurrent connections that are allowed.
  • Single sign on (SSO) settings.

Use the information on the worksheet that you filled in previously, and perform the following procedure to create a Web listener.

To create a Web listener

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand ISA01, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, click New, and then select Web Listener. Use the wizard to create the Web listener as outlined in the following table.

Page | Field or property | Setting
Welcome | Web listener name | Type FBA.
Client Connection Security | Connection type, either SSL or not SSL. | Select Require SSL secured connections with clients.
Web Listener IP Addresses | Listen for incoming Web requests on these networks | Select the External network.
Web Listener IP Addresses | ISA Server will compress content | Check box should be selected (default).
Web Listener IP Addresses | Select IP Addresses | See External Network Listener IP Selection page.
External Network Listener IP Selection | Listen for requests on | Select Specified IP addresses on the ISA Server computer in the selected network.
External Network Listener IP Selection | Available IP Addresses | Select 172.16.0.104 and click Add.
Listener SSL Certificates | A Web listener can use a single certificate for all of its IP addresses, or a different certificate for each IP address. | Select Assign a certificate for each IP address. Select IP address 172.16.0.104 and click Select Certificate.
Select Certificate | Select a certificate | Select the certificate issued to mail.contoso.com and click Select. The certificate must be installed before running the wizard.
Authentication Settings | Specify how clients will provide credentials to ISA Server | Select HTML Form Authentication.
Authentication Settings | Select how ISA Server will validate client credentials | Select LDAP (Active Directory).
Single Sign On Settings | Enable SSO for Web sites published with this Web listener | Clear this check box. SSO will be enabled later in the solution.
Single Sign On Settings | SSO domain name | Leave this field blank.
Completing the New Web Listener Wizard | Review settings. | Click Back to make changes or Finish to complete the wizard.

Create an Exchange Web client access publishing rule

When you publish an internal Web server through ISA Server 2006, you are protecting the Web server from direct external access because the name and IP address of the server are not accessible to the user. The user accesses the ISA Server 2006 computer, which then forwards the request to the internal Web server according to the conditions of your Web server publishing rule. An Exchange Web client access publishing rule is a Web publishing rule that contains default settings appropriate to Exchange Web client access.

Use the information on the worksheet that you filled in previously, and perform the following procedure to create an Exchange Web client access publishing rule.

To create an Exchange Web client access publishing rule

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand ISA01, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
  2. On the Tasks tab, click Publish Exchange Web Client Access. Use the wizard to create the rule as outlined in the following tables.

For a single Web server, use the table in New Exchange Publishing Rule Wizard for a single Web site.

New Exchange Publishing Rule Wizard for a single Web site

Page | Field or property | Setting
Welcome | Exchange Publishing rule name | Type Exchange OWA Publishing.
Select Services | Exchange version | Select Exchange Server 2003.
Select Services | Web client mail services | Select Outlook Web Access and Outlook RPC/HTTP(s).
Publishing Type | Select the type of publishing. | Select Publish a single Web site or load balancer.
Server Connectivity Security | Choose the type of connections ISA Server will establish with the published Web server or server farm. | Select Use SSL to connect to the published Web server or server farm.
Internal Publishing Details | Internal site name | Type owa01.corp.contoso.com.
Important   The internal site name must match the name of the server certificate that is installed on the internal Web server.
Note   If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server and then type the required IP address or name that is resolvable by the ISA Server computer.
Public Name Details | Accept requests for | This domain name (type below)
Public Name Details | Public name | Type mail.contoso.com.
Select Web Listener | Web listener | Select FBA.
Authentication Delegation | Select the method used by ISA Server to authenticate to the published Web server | Select Basic authentication.
User Sets | This rule applies to requests from the following user sets | Select All Authenticated Users and click Remove. Click Add, select LDAPUsers, click Add, and then click Close.
Completing the New Exchange Publishing Rule Wizard | Review settings. | Click Back to make changes and Finish to complete the wizard.

  3. Click the Apply button in the details pane to save the changes and update the configuration.

Go to SSL Bridging.

New Exchange Server Publishing Rule Wizard for a server farm

Page | Field or property | Setting
Welcome | Exchange Publishing rule name | Type Exchange OWA Publishing.
Select Services | Exchange version | Select Exchange Server 2003.
Select Services | Web client mail services | Select Outlook Web Access and Outlook RPC/HTTP(s).
Publishing Type | Select the type of publishing. | Select Publish a server farm of load balanced Web servers.
Server Connectivity Security | Choose the type of connections ISA Server will establish with the published Web server or server farm. | Select Use SSL to connect to the published Web server or server farm.
Note   A server certificate must be installed on the published Web servers and the root CA certificate must be installed on the ISA Server computer.
Internal Publishing Details | Internal site name | Type owa.corp.contoso.com.
Important   The internal site name must match the name of the server certificate that is installed on the internal Web servers.
Note   If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server and then type the required IP address or name that is resolvable by the ISA Server computer.
Specify Server Farm | Select the Web mail farm you want to publish | Select Exchange OWA.
Public Name Details | Accept requests for | This domain name (type below)
Public Name Details | Public name | Type mail.contoso.com.
Select Web Listener | Web listener | Select FBA.
Authentication Delegation | Select the method used by ISA Server to authenticate to the published Web server | Select Basic authentication.
User Sets | This rule applies to requests from the following user sets | Select All Authenticated Users and click Remove. Click Add, select LDAPUsers, click Add, and then click Close.
Completing the New Exchange Publishing Rule Wizard | Review settings. | Click Back to make changes and Finish to complete the wizard.

  3. Click the Apply button in the details pane to save the changes and update the configuration.

SSL bridging

SSL bridging is used when ISA Server ends or initiates an SSL connection. In ISA Server 2006, SSL bridging is automatically configured when the specified Web listener is configured to listen for HTTPS traffic.

Specifically, SSL bridging works in the following scenarios:

  • A client requests an SSL object. ISA Server decrypts the request, and then encrypts it again and forwards it to the Web server. The Web server returns the encrypted object to ISA Server. ISA Server decrypts the object and then encrypts it again and sends it to the client. SSL requests are forwarded as SSL requests.
  • A client requests an SSL object. ISA Server decrypts the request and forwards it to the Web server. The Web server returns the HTTP object to ISA Server. ISA Server encrypts the object and sends it to the client. SSL requests are forwarded as HTTP requests.

For incoming Web requests, an external client uses HTTPS to request an object from a Web server located on your Internal network. The client connects to ISA Server on a port—by default, port 443.

After receiving the client's request, ISA Server decrypts it, terminating the SSL connection. The Web publishing rules determine how ISA Server communicates the request for the object to the publishing Web server (FTP, HTTP, or SSL).

If the secure Web publishing rule is configured to forward the request using HTTPS, ISA Server initiates a new SSL connection with the publishing server, sending a request to port 443. Because the ISA Server computer is now an SSL client, it requires that the publishing Web server responds with a server-side certificate.
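The two checks that the wizard notes above insist on (the internal site name must match the name on the published server's certificate, and the root CA of that certificate must be installed on the ISA Server computer) are exactly what ISA Server enforces once it becomes an SSL client in the second leg of the bridge. The following added example, which is not ISA Server code, models that validation: `cert_name_matches` applies the usual certificate name rules (case-insensitive exact match, or a wildcard in the left-most label covering exactly one label), and `check_server_connection` reports the findings for a constructed rule dictionary whose keys are assumptions made for this example.

```python
# Added example (not ISA Server code): model the certificate checks ISA Server
# performs when it forwards a published request over HTTPS.

def cert_name_matches(internal_site_name: str, cert_dns_names) -> bool:
    """True if internal_site_name is covered by one of the certificate's DNS names.

    Matching is case-insensitive and either exact or via a wildcard in the
    left-most label that stands for exactly one label, so *.corp.contoso.com
    covers owa.corp.contoso.com but not a.b.corp.contoso.com.
    """
    host = internal_site_name.strip().lower().rstrip(".")
    for name in cert_dns_names:
        name = name.strip().lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                                   # ".corp.contoso.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def check_server_connection(rule: dict) -> list:
    """Return findings for the Server Connectivity Security settings of a rule.

    `rule` is a constructed dict (assumed layout for this example) with keys:
      forward_https            - True when "Use SSL to connect" is selected
      internal_site_name       - the Internal site name typed in the wizard
      cert_dns_names           - DNS names on the published server's certificate,
                                 or None when no certificate is installed
      root_ca_installed_on_isa - True when the issuing root CA is on the ISA box
    """
    findings = []
    if not rule["forward_https"]:
        # HTTPS-to-HTTP bridging: only the client-to-ISA hop is encrypted.
        findings.append("forwarding over HTTP: the ISA-to-server hop is not encrypted")
        return findings
    if not rule["cert_dns_names"]:
        findings.append("HTTPS forwarding requires a server certificate on the published server")
        return findings
    if not cert_name_matches(rule["internal_site_name"], rule["cert_dns_names"]):
        findings.append(
            f"internal site name {rule['internal_site_name']} is not covered by the "
            f"server certificate ({', '.join(rule['cert_dns_names'])})"
        )
    if not rule["root_ca_installed_on_isa"]:
        findings.append("root CA of the server certificate is not installed on the ISA Server computer")
    return findings


if __name__ == "__main__":
    # Constructed rule matching the walk-through: owa.corp.contoso.com published over HTTPS.
    rule = {
        "forward_https": True,
        "internal_site_name": "owa.corp.contoso.com",
        "cert_dns_names": ["owa.corp.contoso.com"],
        "root_ca_installed_on_isa": True,
    }
    print(check_server_connection(rule) or "rule OK")
```

Note that selecting "Use a computer name or IP address to connect" only changes where ISA Server connects; the certificate is still compared against the internal site name, so a mismatch there is not fixed by pointing the rule at an IP address.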

Test Exchange publishing rule

In this section, you will test the new Exchange publishing rule that you just created.

Test Outlook Web Access

From the router01 or client01 computer, use the following procedure to test the new Exchange Web client access publishing rule.

Note   Make sure that you have the root CA of the issuing CA of the mail.contoso.com certificate installed.

To test the Outlook Web Access publishing rule

  1. Open Microsoft Internet Explorer.

  2. Browse to the following URL: https://mail.contoso.com/exchange and use the following details to log on:

    1. Domain\user name: corp\mberg
    2. Password: Passw0rd


  3. You can now read and send e-mail messages.


Test RPC over HTTP

This procedure must be done from client01.

Note

We recommend configuring Outlook without RPC over HTTP. Confirm that Outlook is working properly on the Internal network before configuring RPC over HTTP.

To test RPC over HTTP from Outlook 2003 from client01 from the Test_Internet network

  1. Change the following account setting in Outlook 2003:

    1. On the Outlook 2003 Tools menu, select E-mail Accounts.
    2. Select View or change existing e-mail accounts, and then click Next.
    3. Select your Microsoft Exchange account and click Change.
    4. Click More Settings.
    5. If you receive an error from Outlook that it could not connect to Exchange, click Cancel and continue to step H.
    6. Click the Connection tab, select Connect to my Exchange mailbox using HTTP, and then click Exchange Proxy Settings.
    7. Type mail.contoso.com in Use this URL to connect to my proxy server for Exchange in Connection settings.
    8. Select Mutually authenticate the session when connecting with SSL and type msstd:mail.contoso.com in Principal name for proxy server.
    9. Select Basic Authentication for Proxy authentication settings.

    10. Click OK to close the Exchange Proxy Settings dialog box.
    11. Click OK to close the Microsoft Exchange Server dialog box.
    12. Click Next and then click Finished to close the E-mail Accounts dialog box.
    13. Restart Outlook.
  2. When you restart Outlook, you will be presented with a logon dialog box. Enter the user name and password and click OK.

Note

For RPC over HTTP to work both when the user is out of the office and when the user is in the office, the FQDN mail.contoso.com must resolve to the external address in both cases: when users are in the office and when they are connected to the Internet.

Publish SharePoint Sites

ISA Server 2006 works with Windows SharePoint Services and SharePoint Portal Server 2003, to enhance security.

Using the combined collaboration features of Windows SharePoint Services and SharePoint Portal Server 2003, users in your organization can easily create, manage, and build their own collaborative Web sites and make them available throughout the organization.

When you publish SharePoint portal sites to the Internet, you provide employees, who are not in the office, access to the information that they need to complete their jobs, no matter where they are located, without compromising security.

When you publish a SharePoint site through ISA Server, you protect the SharePoint site from direct external access because the name and IP address of the SharePoint site are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the published SharePoint site according to the conditions of your SharePoint publishing rule.

When you publish a SharePoint site, ISA Server enables you to configure forms-based authentication, enforce a required authentication method, enable two-factor authentication, control attachment availability, and control centralized logging.

Before You Begin

In this section, the assumptions for the scenario are reviewed. Information worksheets are provided to assist in gathering the necessary information required when using the SharePoint Publishing Rule Wizard.

Scenario assumptions

The following assumptions apply for this walk-through:

  • SharePoint Portal Server 2003 with SP2 is installed and configured on sps01.
  • SharePoint alternate access mapping is properly configured on sps01. For more information about alternate access mapping, see Appendix C: Alternate Access Mapping.
  • You created a portal with a link to https://owa01.corp.contoso.com/exchange. This link will be translated to https://mail.contoso.com/exchange by the ISA Server link translation feature. For more information about link translation, see "Link Translation Concepts in ISA Server 2006" at the Microsoft TechNet Web site.
  • The sps01 computer has an SSL certificate installed from dc01 with a common name of sps01.corp.contoso.com. The internal URL is https://sps01.corp.contoso.com.
  • The isa01 computer has the root CA certificate for dc01 installed. This is necessary for ISA Server to accept the validity of the certificate on sps01.
  • The external common name (fully qualified domain name) is portal.contoso.com.
  • The isa01 computer has an SSL certificate installed from router01 with a common name of portal.contoso.com.
  • ISA Server responds to requests for portal.contoso.com on the IP address 172.16.0.103.

Information worksheet

You should have the following information available before running the SharePoint Publishing Rule Wizard.

Property Value

SharePoint publishing rule name

Name: ________________________

Publishing type

__Publish a single Web site.

or

__Publish a server farm of load balanced servers.

and

Server farm name:_____________

Server connection security

How ISA Server connects to the published Web server

HTTPS or HTTP (circle one)

If HTTPS is selected, a server certificate needs to be installed on the Web server.

Internal publishing details

Internal site name (FQDN): ______________________

If the FQDN is not resolvable by ISA Server:

Computer name or IP address:_____________________

Public name details

Accept request for:

__This domain name:______________

or

__Any domain name

Select Web listener

Web listener:________________

Alternate access mapping

For more information about configuring alternate access mapping, see Appendix C: Alternate Access Mapping.

Confirm whether alternate access mapping has been configured on the SharePoint Portal Server computer.

Yes or no (circle one)

User set

List users sets that will have access to this rule:

_________________

__________________

Walk-Through

The following computers are required for this walk-through:

  • dc01
  • storage01 (Enterprise Edition)
  • isa01
  • sps01
  • router01

The following sections describe how to configure the solution:

Edit the Web listener

Publish SharePoint site

Test SharePoint publishing

Edit the Web listener

You need to modify the Web listener, created in Create a Web listener, so that the ISA Server computer listens for requests on the IP address 172.16.0.103, and uses the portal.contoso.com server certificate only on this IP address. The Web listener will then listen for Exchange Web client requests on 172.16.0.104, using the certificate that matches the public name used for Exchange Web client access, and will listen on 172.16.0.103 for SharePoint client requests, using the certificate that matches the public name used for SharePoint client access.

To edit the Web listener

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand ISA01, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, expand Web Listeners, right-click FBA, and then select Properties.

  3. Select the Networks tab. Select External and click Address.

  4. Select 172.16.0.103 from the Available IP Addresses column, click Add, and click OK.

  5. Click the Certificates tab, and then:

    1. Select 172.16.0.103 and click Select Certificate.
    2. Select portal.contoso.com and click Select.
  6. Click OK to close the properties of the FBA Web listener.

Publish SharePoint site

Use the information on the worksheet that you filled in previously, and perform the following procedure to publish a SharePoint site.

To publish the SharePoint site

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand ISA01, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
  2. On the Tasks tab, click Publish SharePoint Sites. Use the wizard to create a rule as outlined in the following table.

Page Field or property Setting

Welcome

SharePoint publishing rule name

Type Publishing SharePoint.

Publishing Type

Publishing type options

Select Publish a single Web site or load balancer.

Server Connection Security

Choose the type of connections ISA Server will establish with the published server or server farm

Select Use SSL to connect to the published Web server or server farm.

Internal Publishing Details

Internal site name

Type sps01.corp.contoso.com.

Important:
The internal site name must match the name of the server certificate that is installed on the internal Web servers.

Note   If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server and then type the required IP address or name that is resolvable by the ISA Server computer.

Public Name Details

Accept requests for

Public name

This domain name (type below)

Type portal.contoso.com.

Select Web Listener

Web listener

Select FBA.

Authentication Delegation

Select the method used by ISA Server to authenticate to the published Web server

Select NTLM authentication.

Alternate Access Mapping Configuration

For complete integration and functionality, you need to configure alternate access mapping on the published SharePoint site.

Select SharePoint AAM is already configured on the SharePoint server.

User Sets

This rule applies to requests from the following user sets

Select All Authenticated Users and click Remove.

Click Add, select LDAPUsers, click Add, and then click Close.

Completing the New SharePoint Publishing Rule Wizard

Review settings.

Click Back to make changes and Finish to complete the wizard.

  1. Click the Apply button in the details pane to save the changes and update the configuration.

Note

If the SharePoint site does not contain confidential information, you can choose Use non-secured connections to connect the published Web server or server farm on the Server Connection Security page. The connection from the user to the ISA Server computer is still over HTTPS; only the connection from the ISA Server computer to the internal published server is over HTTP.

Test SharePoint publishing

On the router01 or client01 computer, perform the following procedure to test the new SharePoint publishing rule.

Note

Make sure that you have the root CA certificate of the issuing CA of the portal.contoso.com certificate installed.

To test SharePoint publishing

  1. Open Internet Explorer.

  2. Browse to the following URL: https://portal.contoso.com. Use the following details to log on:

    1. Domain\user name: corp\mberg
    2. Password: Passw0rd


You should be in the portal now.


  3. On the right side, select External OWA under Links for You.
  4. This will open a new ISA Server logon page so you can open the published Outlook Web Access site you created earlier.

This is not ideal, because users must log on multiple times with the same credentials. This might be confusing, generating unnecessary support calls. This also increases the time it takes to complete a task. When users are rushed, such as trying to depart on an airplane flight, they might not be able to complete the task. For this reason, you should configure SSO, as described in the next topic.

Secure Single Sign On Between Web and Outlook Web Access Publishing

When users access two different Web sites, such as an Outlook Web Access site and a SharePoint site, users should not have to provide the same credentials again when they click a link to open another site.

The ISA Server 2006 SSO feature reuses user credentials for another published server, eliminating the need to reenter credentials a second or third time. This will enhance the user experience, because users will click a link that will open another Web application without having to provide their credentials.

The following assumptions apply:

  • Outlook Web Access is successfully published.
  • SharePoint Portal Server is successfully published.

The following computers are required:

  • dc01
  • storage01 (Enterprise Edition)
  • isa01
  • sps01
  • exchange01
  • owa01
  • router01

The following sections describe how to configure the solution:

Modify a Web Listener to Enable Single Sign On

Test Single Sign On Between SharePoint Portal Server and Outlook Web Access

Modify a Web Listener to Enable Single Sign On

To modify a Web listener to enable single sign on

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand ISA01, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, expand Web Listeners, right-click FBA, and then select Properties.

  3. Click the SSO tab. Select Enable Single Sign On. (Typically, this is enabled by default. You disabled SSO when you created the Web listener in Create a Web Listener.)

  4. Click Add to specify the SSO domains for the Web listener.

  5. Enter .contoso.com and click OK.

  6. Click OK to close the FBA Properties dialog box.

  7. Click the Apply button in the details pane to save the changes and update the configuration.

Important

When enabling SSO, be sure to provide a specific SSO domain. Providing a generic domain, such as .co.uk, will allow the Web browser to send the ISA Server SSO cookie to any Web site in that domain, creating a security risk.

Note the following:

  • There is no support for SSO between different Web listeners.
  • Published servers must share the same DNS suffix. For example, you can configure SSO when publishing mail.contoso.com and portal.contoso.com. You cannot configure SSO when publishing mail.fabrikam.com and portal.contoso.com.
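The SSO domain is effectively the domain attribute of the ISA Server SSO cookie, which is why the warning above matters: a browser sends a cookie scoped to .co.uk to every host under .co.uk, not only to your published servers. The following added example (not ISA Server code) checks a proposed SSO domain against the hosts published on one Web listener. GENERIC_SUFFIXES is a constructed, deliberately tiny sample of generic suffixes used only for illustration; a production check would consult the full public suffix list.

```python
# Added example (not ISA Server code): sanity-check an SSO domain before enabling
# single sign on on a Web listener.

# Constructed sample only; a real check would use the complete public suffix list.
GENERIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}


def normalize_domain(domain: str) -> str:
    """Lower-case the domain and drop the leading dot ISA Server shows (".contoso.com")."""
    return domain.strip().lower().lstrip(".")


def host_in_sso_domain(host: str, sso_domain: str) -> bool:
    """True when a browser would send a cookie scoped to sso_domain to host.

    The comparison is label-based: "evilcontoso.com" does not fall under
    ".contoso.com" even though it ends with the same characters.
    """
    host = host.strip().lower()
    domain = normalize_domain(sso_domain)
    return host == domain or host.endswith("." + domain)


def check_sso_domain(sso_domain: str, published_hosts) -> list:
    """Return a list of problems; an empty list means the configuration is sound."""
    problems = []
    domain = normalize_domain(sso_domain)
    if domain in GENERIC_SUFFIXES:
        problems.append(
            f".{domain} is a generic suffix: the SSO cookie would be sent to every site under it"
        )
    for host in published_hosts:
        if not host_in_sso_domain(host, domain):
            # SSO only spans published servers that share the listener's DNS suffix.
            problems.append(f"{host} is outside .{domain}; SSO cannot cover it on this listener")
    return problems


if __name__ == "__main__":
    # The walk-through configuration: one listener, two published names under .contoso.com.
    print(check_sso_domain(".contoso.com", ["mail.contoso.com", "portal.contoso.com"]) or "OK")
    print(check_sso_domain(".co.uk", ["mail.contoso.co.uk"]))
```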

Test Single Sign On Between SharePoint Portal Server and Outlook Web Access

On the router01 or client01 computer, perform the following procedure to test single sign on between the published SharePoint site and Outlook Web Access.

To test single sign on between SharePoint Portal Server and Outlook Web Access

  1. Open Internet Explorer.

  2. Browse to the following URL: https://portal.contoso.com. Use the following details to log on:

    1. Domain\user name: corp\mberg
    2. Password: Passw0rd


  3. On the right side, select External OWA under Links for You.
  4. This will automatically open the user's Outlook Web Access page.
  5. Log off from the Outlook Web Access page.
  6. You can log on to https://mail.contoso.com/exchange, open an e-mail message called New External Portal, and then click the link in the e-mail message to open the SharePoint portal site.

Appendix A: Additional Publishing Features

In this section, these additional features, which you can configure to ease your deployments, are discussed:

  • Redirect HTTP to HTTPS
  • Password Management

Redirect HTTP to HTTPS

When publishing a Web site, we recommend that users open an HTTPS connection between them and the ISA Server computer to protect the sensitive information that is being transferred over the Internet. This requires that users enter a URL such as https://portal.contoso.com. If the user just enters portal.contoso.com, the browser attempts an HTTP connection and the user receives an error page instead of the site.

Users have a tendency not to enter the HTTPS portion of the URL even when going to a secured Web site. This behavior has been reinforced by Web administrators who have scripted their Web sites to redirect users to an HTTPS page, even when they enter HTTP. This is done to reduce the number of Help desk calls by users when they cannot open the URL they are trying to open.

To enable HTTP to HTTPS redirection, perform the following procedure.

To enable HTTP to HTTPS redirection

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server Name, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array Name, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, expand Web Listeners, right-click the Web listener, and then select Properties.

  3. Select the Connections tab.

  4. Select Enable HTTP connections on port and confirm that the listening port for HTTP is 80.

  5. Confirm that Enable SSL (HTTPS) connections on port is selected and is listening on port 443.

  6. Select Redirect all traffic from HTTP to HTTPS.


  7. Click OK to close the properties of the Web listener.
  8. Click the Apply button in the details pane to save the changes and update the configuration.

Password Management

It is good security policy to require your users to change their passwords on a regular basis. Users who are not in the office on a regular basis need a method to change their passwords when they are not in the office.

When using forms-based authentication, you can inform users that their passwords are going to expire in a specific number of days and you can enable your users to change their passwords so they do not expire. Users will also be able to change an expired password.

To configure the Change Password option when using LDAP authentication, LDAP needs to be configured with the following settings:

  • Connection to the LDAP servers must be over a secured connection. This requires an SSL certificate to be installed on the Active Directory server. For more information about enabling LDAP over SSL, see "How to Enable LDAP over SSL with a third party certification authority" at the Microsoft Support Web site.
  • The ISA Server computer needs to have the root certificate for the CA that issued the SSL certificate installed on the Active Directory servers.
  • Connection to the LDAP servers cannot be via a global catalog.
  • A user name and password that are used for verifying user account status and changing passwords are required.

To enable the change password functionality for forms-based authentication

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server Name, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array Name, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, expand Web Listeners, right-click the Web listener, and then select Properties.

  3. Select the Forms tab.

  4. Select Allow users to change their passwords and Remind users that their password will expire in this number of days. The default number of days is 15.


  5. Click OK to close the properties of the Web listener.
  6. Click the Apply button in the details pane to save the changes and update the configuration.

Users will now see a logon screen that includes the option I want to change my password after logging on.

Appendix B: LDAP Configuration

ISA Server 2006 features the ability to authenticate users via LDAP on computers that are running Windows Server 2003 or Windows 2000 Server. ISA Server currently does not support other LDAP servers.

LDAP authentication enables the ISA Server computer to remain in a workgroup. ISA Server authenticates users in Active Directory, using an authentication method that is similar to the method used when the ISA Server computer is a domain member.

Users can authenticate via LDAP using the following, which are shown as login expressions in ISA Server Management:

  • Security Accounts Manager (SAM) account name (domain\username)
  • User principal name (UPN) (username@domain.com)

ISA Server can connect to an LDAP server in any of the ways described in the following table.

Connection                   Port   Requires Active Directory domain name   Supports Change Password option
LDAP                         389    Yes                                     No
LDAPS                        636    Yes                                     Yes
LDAP using global catalog    3268   No                                      No
LDAPS using global catalog   3269   No                                      No

Note

To use LDAPS or LDAPS using global catalog, a server certificate must be installed on the LDAP server and the root certificate from the issuing CA needs to be installed on the ISA Server computer.

ISA Server LDAP Servers Properties

To properly configure LDAP authentication, you need to configure an LDAP server set and at least one login expression.

LDAP Server Set

An LDAP server set is a grouping of LDAP servers, which ISA Server uses to perform user authentication. All the servers in an LDAP server set share the same LDAP connection settings.

The following table lists the properties of an LDAP server set.

Item Description Comment

LDAP server set

Listing of LDAP servers available for LDAP user authentication. All servers listed will share the same LDAP connection settings.

Required.

LDAP servers

Listing of LDAP servers available for LDAP user authentication.

Note the following:

  • When there is more than one server, the servers are queried in the order in which they are listed. If a server does not respond, it will be in time-out for 1 minute. If the same server does not respond again after the 1 minute time-out, the time-out will continue to double until the time-out reaches 32 minutes. At that point, the time-out stays at 32 minutes. When ISA Server connects to the server, the time-out counter is reset.
  • We recommend that you configure more than one LDAP server to provide redundancy for user authentication.

Minimum of one server is required.

Active Directory domain

Enter the domain name of the domain where the user accounts are defined.

The name of the domain can be in one of the following formats:

  • FQDN: corp.contoso.com
  • Distinguished name: DC=corp,DC=contoso,DC=com

Optional if Use Global Catalog (GC) has not been selected.

Use global catalog

If your LDAP servers are also configured to be global catalog servers, select the Use Global Catalog (GC) option and you do not need to specify an Active Directory domain name.

To use the Change Password option, this option must not be selected.

Optional.

Note   The Password Management feature does not work when an LDAP server set is configured with this property.

Connect LDAP servers over secure connection

Select the Connect LDAP servers over secure connection option, if you want the connection between the ISA Server computer and the LDAP server to be encrypted via SSL.

For more information about enabling LDAP over SSL, see "How to Enable LDAP over SSL with a third party certification authority" at the Microsoft Support Web site.

Optional.

Note:
To use the Change Password option, this option must be selected.

User name and password

This option is only required if you want to use the Password Management option with forms-based authentication.

Because the ISA Server computer will not be a member of the domain, you need to specify a user name and password that will be used for verifying user account status. This account can be any domain account, even a restrictive user account. This account is used by the ISA Server to bind to the LDAP server and query the properties of the user who is logging on. This account is not involved when changing the user's password.

Optional.
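The failover behaviour described for the LDAP servers property (servers queried in listed order, a non-responding server taken out of rotation for 1 minute, the time-out doubling on repeated failures up to 32 minutes, and a reset on a successful connection) is easy to get wrong when building redundancy into an authentication path, so here it is as an added example. This is a constructed model, not ISA Server code; `try_bind` is an assumed callback that returns the bind result or raises `ConnectionError` when the server does not respond, and `now` is passed in explicitly so the logic is independent of the wall clock.

```python
# Added example (not ISA Server code): model of LDAP server-set failover with a
# doubling per-server time-out that is capped at 32 minutes and reset on success.

INITIAL_TIMEOUT = 60        # seconds: a server that does not respond is skipped for 1 minute
MAX_TIMEOUT = 32 * 60       # seconds: the time-out doubles until it reaches 32 minutes


class LdapServerSet:
    def __init__(self, servers):
        self.servers = list(servers)                              # queried in listed order
        self.next_timeout = {s: INITIAL_TIMEOUT for s in self.servers}  # length of the next time-out
        self.skip_until = {s: 0.0 for s in self.servers}          # time until which a server is skipped

    def available(self, now: float) -> list:
        """Servers that are not currently in time-out, in query order."""
        return [s for s in self.servers if self.skip_until[s] <= now]

    def authenticate(self, try_bind, now: float):
        """Try each available server in order.

        try_bind(server) is an assumed callback: it returns True/False for the
        bind result, or raises ConnectionError when the server does not respond.
        Returns (server, result) for the first server that responded, or
        (None, False) when every server is down or in time-out.
        """
        for server in self.servers:
            if self.skip_until[server] > now:
                continue                                          # still in time-out
            try:
                result = try_bind(server)
            except ConnectionError:
                # No response: take the server out of rotation and double its next time-out.
                self.skip_until[server] = now + self.next_timeout[server]
                self.next_timeout[server] = min(self.next_timeout[server] * 2, MAX_TIMEOUT)
                continue
            # A successful connection resets the time-out counter, whatever the bind result.
            self.next_timeout[server] = INITIAL_TIMEOUT
            self.skip_until[server] = 0.0
            return server, result
        return None, False


if __name__ == "__main__":
    # Constructed scenario: dc01 is unreachable, dc02 answers.
    down = {"dc01"}

    def bind(server):
        if server in down:
            raise ConnectionError(server)
        return True

    server_set = LdapServerSet(["dc01", "dc02"])
    print(server_set.authenticate(bind, now=0))      # ('dc02', True), dc01 skipped for 60 s
    print(server_set.available(30))                   # ['dc02']
```

The second bullet in the table (configure more than one server) follows directly from this model: with a single server in the set, one unanswered query leaves every user unable to authenticate for the whole time-out window.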

Login Expression

A login expression matches the user entered credentials with the correct LDAP server set. You need at least one login expression for each LDAP server set for authentication to occur.

An LDAP server set can have more than one login expression assigned to it. However, a login expression can only be assigned to one LDAP server set.

Examples of login expressions:

corp\*

*@corp.contoso.com

If a user enters credentials in the format mberg@contoso.com and the login expression *@contoso.com has not been entered, the logon attempt will fail.
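The following added example (not ISA Server code) shows how the login-expression matching just described behaves, including the failure case for mberg@contoso.com, and enforces the rule that one login expression belongs to only one LDAP server set. The expressions, the server set name "Contoso AD" and the glob-style matching via `fnmatch` are assumptions made for this example; the only claim taken from the page is that `corp\*` and `*@corp.contoso.com` are valid expressions and that an unmatched credential is rejected.

```python
# Added example (not ISA Server code): route user-entered credentials to an LDAP
# server set through login expressions.
import fnmatch

# Constructed mapping: login expression -> LDAP server set name.
LOGIN_EXPRESSIONS = {
    "corp\\*": "Contoso AD",              # SAM account name form: domain\username
    "*@corp.contoso.com": "Contoso AD",   # UPN form: username@domain
}


def credential_format(login: str) -> str:
    """Classify what the user typed: SAM (domain\\user), UPN (user@domain) or unknown."""
    if "\\" in login:
        return "SAM"
    if "@" in login:
        return "UPN"
    return "unknown"


def assign_login_expression(expressions: dict, expression: str, server_set: str) -> bool:
    """Attach expression to server_set; returns False if it already belongs to another set.

    A server set may own many expressions, but an expression may belong to one set only.
    """
    existing = expressions.get(expression)
    if existing is not None and existing != server_set:
        return False
    expressions[expression] = server_set
    return True


def select_server_set(login: str, expressions: dict = LOGIN_EXPRESSIONS):
    """Return the server set whose login expression matches, or None (logon fails)."""
    for expression, server_set in expressions.items():
        # fnmatch is assumed here as a stand-in for ISA Server's own matching; domain
        # names are case-insensitive, so compare in lower case.
        if fnmatch.fnmatchcase(login.lower(), expression.lower()):
            return server_set
    return None


if __name__ == "__main__":
    for login in ("corp\\mberg", "mberg@corp.contoso.com", "mberg@contoso.com"):
        print(f"{login:28} {credential_format(login):8} -> {select_server_set(login)}")
```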

Before You Begin

Update the following table with information about the LDAP server set and login expressions.

Item Value

LDAP server set

Name: _________________

Server name

Name: ___________________

or

IP address: ___.___.___.___

Active Directory domain name

FQDN or distinguished name:

_____________________________

Use global catalog

Yes or no (circle one)

Connect LDAP servers over secure connection

Yes or no (circle one)

Note   If you have selected to connect over a secure connection, confirm that the proper certificates have been installed.

User name and password

User name: ______________

Password: ________________

Login expression

__________________

For example: corp\*

To create an LDAP server set, see Create an LDAP Server Set.

Note

Use the LDP.exe tool to test the connectivity between the ISA Server computer and the LDAP server. By default, LDP.exe is located in the %PROGRAMFILES%\Support Tools directory.

Appendix C: Alternate Access Mapping

Alternate access mappings provide a mechanism for SharePoint administrators to identify the different ways in which users access portal sites, ensuring that URLs (links) are displayed appropriately for the manner in which the user accesses the portal site. Note the following:

  • Administrators often deploy portal sites that users can access by using different URLs. It is important that functionality, such as search results for portal site and document library (Web storage system-based) content, be appropriate for the URL that was used to access the portal site. External URLs must be provided to the user in a form that is appropriate for how the user is currently accessing the portal site.
  • Without alternate access settings, search results might be displayed in a way that would make them inaccessible to users. Users might receive search results that they cannot access whenever they access the portal site by using a URL that is different from the original URL used for crawling the content.

The Microsoft SharePointPSSearch service consults the alternate access setting entries when crawling a document. If the URL of the document matches one of the mapping entry URLs, the URL is replaced with the mapping ID for the entry. When the search result is displayed, the mapping ID is replaced by the appropriate URL if the user is requesting the document from an access point listed in the alternate access setting entries. If there is no appropriate alternate mapping, the search results display the default URL.

Every alternate access setting entry must have a default URL. Each entry can have additional alternate access methods or zones, for either intranet, extranet, or custom access. Each URL must be different from all other URLs. These mappings are stored in the configuration database. SharePoint Portal Server 2003 uses the default URL for any requested URL that is not found in the mapping table.

Important

For alternate access mapping to work properly, your SharePoint publishing rule must be configured to forward the original host header. This is the default configuration when using the SharePoint Publishing Wizard.

Windows SharePoint Services

Windows SharePoint Services allows teams to create Web sites for information sharing and document collaboration, benefits that help increase individual and team productivity. Windows SharePoint Services is a component of the Windows Server 2003 information worker infrastructure and provides team services and sites to the Microsoft Office System and other desktop programs. It also serves as a platform for application development. Including such information technology (IT) resources as portals, team workspaces, e-mail, presence awareness, and Web-based conferencing, Windows SharePoint Services enables users to locate distributed information quickly and efficiently, as well as connect to and work with others more productively.

For more information about Windows SharePoint Services, see the Windows SharePoint Services home page.

SharePoint Portal Server

SharePoint Portal Server 2003 enables enterprises to develop an intelligent portal that seamlessly connects users, teams, and knowledge so that people can take advantage of relevant information across business processes to help them work more efficiently. SharePoint Portal Server 2003 provides an enterprise business solution that integrates information from various systems into one solution through single sign on and enterprise application integration capabilities, with flexible deployment options and management tools. The portal facilitates end-to-end collaboration by enabling aggregation, organization, and search capabilities for people, teams, and information. Users can find relevant information quickly through customization and personalization of portal content and layout, as well as by audience targeting. Organizations can target information, programs, and updates to audiences based on their organizational role, team membership, interest, security group, or any other membership criteria that can be defined.

SharePoint Portal Server 2003 uses Windows SharePoint Services sites to create portal pages for people, information, and organizations. The portal also extends the capabilities of Windows SharePoint Services sites with organization and management tools, and enables teams to publish information in their sites to the entire organization.

For more information about SharePoint Portal Server, see the SharePoint Portal Server home page.

Requirements for Alternate Access Mapping Configuration

To properly configure alternate access mapping settings, you need the software versions discussed in the following table.

Product                        Version
Windows SharePoint Services    Windows SharePoint Services with Service Pack 2
SharePoint Portal Server       SharePoint Portal Server 2003 with Service Pack 2

Configuring Alternate Access Mapping

Consider the following:

  • Alternate access mapping for Windows SharePoint Services is configured from a command prompt with the Stsadm.exe command.
  • Alternate access mapping for SharePoint Portal Server is configured in SharePoint Central Administration, the Web-based administration site.

Note

If you are running SharePoint Portal Server, we recommend also configuring alternate access mapping settings for Windows SharePoint Services.

Scenario

You have published a SharePoint site through ISA Server 2006 using the SharePoint Publishing Wizard. Users will access the site by entering the following URL: https://portal.contoso.com. ISA Server will connect to the internal Web server using the following URL: https://sps01. Based on the following information, you will configure alternate access mapping for Windows SharePoint Services and SharePoint Portal Server.

When configuring alternate access mapping settings, you configure the extranet zone. A zone is an additional URL by which the SharePoint site can be reached, distinct from the default zone, and SharePoint uses the zone a request arrived on to decide which host name to write into the absolute links it generates. For example, a SharePoint site named sps01 is accessed from the Internal network as https://sps01 (the default zone). However, when accessed by a user on the Internet via ISA Server, the user accesses https://portal.contoso.com (the extranet zone). Without the mapping, pages requested through ISA Server would contain links to https://sps01, which an Internet client cannot resolve.
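The following is an added example, not SharePoint or ISA Server code, that models what a zone entry does: the incoming URL is matched against the Host header a request arrives with, and the outgoing URL of the matched zone is the host SharePoint writes into absolute links on the page it returns. The host names are those of the document's scenario; the page paths and the three request cases (host header forwarded, host header rewritten by the proxy, extranet zone never configured) are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Zones as configured in the document's scenario. "incoming" is what the
# request carries in its Host header; "outgoing" is the host SharePoint uses
# when it builds absolute links into the page it returns.
SCENARIO_ZONES = {
    "default": {"incoming": "https://sps01", "outgoing": "https://sps01"},
    "extranet": {"incoming": "https://portal.contoso.com",
                 "outgoing": "https://portal.contoso.com"},
}

# Relative paths a rendered page links to (constructed sample content).
PAGE_PATHS = ["/default.aspx",
              "/sites/teams/Shared%20Documents/Forms/AllItems.aspx"]


def resolve_zone(host_header, zones, scheme="https"):
    """Map the request's scheme and Host header to a zone name.

    Falls back to "default" when no zone's incoming URL matches. That is what
    happens when ISA Server does not forward the original host header (the
    request then arrives as Host: sps01) or when the extranet zone was never
    added with stsadm / Central Administration.
    """
    wanted = (scheme, host_header.lower())
    for name, zone in zones.items():
        parts = urlsplit(zone["incoming"])
        if (parts.scheme, parts.netloc.lower()) == wanted:
            return name
    return "default"


def render_links(host_header, zones, scheme="https"):
    """Simulate page rendering: absolute links are built from the outgoing URL
    of the zone the request resolved to. Returns (zone, links)."""
    zone = resolve_zone(host_header, zones, scheme)
    base = zones[zone]["outgoing"].rstrip("/")
    return zone, [base + path for path in PAGE_PATHS]


def unreachable_from_internet(links, public_hosts):
    """Links whose host is not one of the names published through ISA Server,
    i.e. links an Internet client cannot follow."""
    return [link for link in links if urlsplit(link).hostname not in public_hosts]


if __name__ == "__main__":
    public = {"portal.contoso.com"}
    cases = [
        ("portal.contoso.com", SCENARIO_ZONES),   # AAM configured, Host forwarded
        ("sps01", SCENARIO_ZONES),                # proxy rewrote Host to internal name
        ("portal.contoso.com", {"default": SCENARIO_ZONES["default"]}),  # no extranet zone
    ]
    for host, zones in cases:
        zone, links = render_links(host, zones)
        print(f"Host: {host:20} zone={zone:9} broken links: "
              f"{unreachable_from_internet(links, public)}")
```

Only the first case yields a page whose links work from the Internet; the other two are the two misconfigurations the document warns about (ISA Server not forwarding the original host header, and the extranet zone missing on the SharePoint side).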

Windows SharePoint Services Configuration

Run the Stsadm.exe commands below. For Stsadm.exe, you must define both an outgoing setting (the URL SharePoint writes into the links it generates) and an incoming setting (the URL requests arrive with) for each alternate access mapping method (zone).

Configure alternate access mapping for Windows SharePoint Services

  1. To configure the outgoing zone, run the following command at a command prompt:

    • stsadm.exe -o addzoneurl -urlzone extranet -zonemappedurl https://portal.contoso.com -url https://sps01
  2. To configure the incoming zone, run the following command at a command prompt:

    • stsadm.exe -o addalternatedomain -urlzone extranet -incomingurl https://portal.contoso.com -url https://sps01
  3. To confirm the Stsadm setting, run the following command at a command prompt:

    • stsadm.exe -o enumalternatedomains -url https://sps01

SharePoint Portal Server Configuration

For SharePoint Portal Server, you need to configure the alternate access mapping method (zone), which automatically configures both the incoming and outgoing setting.

To configure alternate access mapping for SharePoint Portal Server

  1. Click Start, point to Programs, point to SharePoint Portal Server, and then click SharePoint Central Administration to open the SharePoint Central Administration application.

  2. On the SharePoint Portal Server Central Administration for SPS01 page, in the Portal Site and Virtual Server Configuration section, click Configure alternate portal site URLs for intranet, extranet, and custom access.

  3. On the Configure Alternate Portal Access Settings page, point to Default Web Site, and then click the arrow that appears.

  4. On the menu that appears, click Edit.

  5. On the Change Alternate Access Setting page, in the Extranet URL box, type the extranet URL https://portal.contoso.com.

  6. Click OK.

Note

This configures alternate access mapping only for the portal (SharePoint Portal Server). If your deployment also uses Windows SharePoint Services sites, you must also configure alternate access mapping for Windows SharePoint Services, as described in the previous procedure.

Appendix D: Security Tips

The following sections highlight some security items that should be considered when publishing Web servers.

Avoid Publishing Two Web Sites that Share the Same Host Name

We do not recommend publishing two sites under the same host name. If you have two internal Web sites, https://site1 and https://site2, do not publish them as two paths under one host name, https://external.contoso.com/site1 and https://external.contoso.com/site2. A browser treats everything under one scheme, host, and port as a single origin: cookies issued with the usual Path=/ attribute (including authentication cookies) are sent to both paths, and script running in one site can read content and cookies of the other, so a weakness in either site exposes both.

The more secure publishing method is to publish each site with a unique host name, https://site1.contoso.com and https://site2.contoso.com. The browser then keeps the two sites' cookies and script separate.
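The following added example, which is not part of the original document, shows the browser-side rules behind this recommendation: the origin of a URL ignores the path, and a host-only cookie is attached to every request for the same host whose path matches the cookie's Path attribute (the RFC 6265 path-match rule). The two publishing schemes compared are the ones from the paragraphs above; the cookie attributes are constructed for the illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Browser origin of a URL: (scheme, host, port). The path plays no part."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname.lower(),
            parts.port or DEFAULT_PORTS[parts.scheme])


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: identical, or cookie path is a prefix
    that ends in "/" or is followed by "/" in the request path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def set_cookie(from_url, path="/", secure=True):
    """Model a host-only cookie (no Domain attribute, the common case) issued by
    the page at from_url. Path=/ is what most frameworks use by default."""
    return {"host": urlsplit(from_url).hostname.lower(),
            "path": path, "secure": secure}


def cookie_sent_to(cookie, url):
    """Would the browser attach this cookie to a request for url?"""
    parts = urlsplit(url)
    if cookie["secure"] and parts.scheme != "https":
        return False
    if parts.hostname.lower() != cookie["host"]:
        return False
    return path_matches(cookie["path"], parts.path or "/")


def cross_site_exposure(url_a, url_b):
    """Summarise what site B inherits from site A under a given publishing layout:
    whether they share an origin, and whether A's Path=/ cookie reaches B."""
    return {"same_origin": same_origin(url_a, url_b),
            "root_cookie_shared": cookie_sent_to(set_cookie(url_a), url_b)}


if __name__ == "__main__":
    print("shared host:",
          cross_site_exposure("https://external.contoso.com/site1/",
                              "https://external.contoso.com/site2/"))
    print("unique hosts:",
          cross_site_exposure("https://site1.contoso.com/",
                              "https://site2.contoso.com/"))
```

Restricting a cookie to Path=/site1 stops the browser from sending it to /site2, but it is not a security boundary: the two paths are still one origin, so a page under /site2 can load /site1 in a frame and read its content and cookies.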

Single Sign On and Kiosk Stations

Users should be educated to properly log off from kiosk workstations. This is especially important when using published applications that do not have a log off button and when single sign on is configured.

If a user is accessing a published application, a cookie is stored on the local computer. If the application does not have a log off button, and the user browses to another Web page and then leaves the kiosk without logging off, the cookie is still on the computer and still valid. Another user could use this cookie to access any other published application that has been configured as a single sign on published application.

The following best practices should be used when using public computers to access the Internet:

  • Perform logoff on published applications, if available.
  • Delete cookies after you finish using published applications.
  • Delete temporary Internet files that Office created when working with SharePoint Portal Server.
  • Close all browser windows.
  • Log off from Windows, if possible.

Note

Cookies created by ISA Server will time out by default in 30 minutes.

Single Sign On and Session Riding

You should ensure that your Web application is designed to resist session riding attacks (also known as cross-site request forgery, CSRF, cross-site posting, or luring attacks) before publishing it using ISA Server. Once a user has authenticated, the browser attaches the session cookie to every request for the published site automatically, including requests that a page on another site has lured the browser into sending. With single sign on this applies to every published application that shares the sign-on cookie, so the application itself must distinguish requests it intended from requests a third-party page triggered.
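The following is an added example, not part of the original document and not ISA Server code, showing the application-side defense in a generic form: a state-changing handler that trusts the session cookie alone, next to a hardened version that additionally requires a per-session anti-forgery token (a synchronizer token derived with an HMAC) and rejects requests whose Origin header names another site. The session store, the server key, the user profile and both requests are constructed for the illustration; the site origin https://portal.contoso.com is the document's published host name, used here as the application's own origin.

```python
import hashlib
import hmac

# Constructed state: one logged-in session and a server-side key used to derive
# anti-forgery tokens (assumption: generated per deployment and kept secret).
SERVER_SECRET = b"constructed-server-key-change-me"
SESSIONS = {"sid-alice-1": "alice"}
SITE_ORIGIN = "https://portal.contoso.com"


def csrf_token(session_id):
    """Per-session token embedded in the site's own forms. A page on another
    site cannot read it, because it cannot read this site's session cookie."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def authenticated_user(request):
    return SESSIONS.get(request["cookies"].get("sid"))


def change_email_vulnerable(request, profiles):
    """Session cookie is the only check: any page the user visits can make the
    browser submit this form with the cookie attached (session riding)."""
    user = authenticated_user(request)
    if user is None:
        return 401
    profiles[user]["email"] = request["form"]["email"]
    return 200


def change_email_hardened(request, profiles):
    user = authenticated_user(request)
    if user is None:
        return 401
    # Defense in depth: a cross-site form post carries the other site's Origin.
    req_origin = request["headers"].get("Origin")
    if req_origin is not None and req_origin != SITE_ORIGIN:
        return 403
    # Synchronizer token: only a form served by this site to this session has it.
    supplied = request["form"].get("csrf", "")
    expected = csrf_token(request["cookies"]["sid"])
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    profiles[user]["email"] = request["form"]["email"]
    return 200


def legitimate_request():
    """Form submitted from the site's own page, which embedded the token."""
    return {"cookies": {"sid": "sid-alice-1"},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"email": "alice.new@contoso.com",
                     "csrf": csrf_token("sid-alice-1")}}


def forged_request():
    """Form auto-submitted by a page on attacker.example: the victim's browser
    attaches the session cookie, but the attacker's page has no token."""
    return {"cookies": {"sid": "sid-alice-1"},
            "headers": {"Origin": "https://attacker.example"},
            "form": {"email": "alice@attacker.example"}}


if __name__ == "__main__":
    profiles = {"alice": {"email": "alice@contoso.com"}}
    print("vulnerable, forged:", change_email_vulnerable(forged_request(), profiles),
          profiles["alice"]["email"])
    profiles = {"alice": {"email": "alice@contoso.com"}}
    print("hardened, forged:", change_email_hardened(forged_request(), profiles),
          profiles["alice"]["email"])
    print("hardened, legitimate:", change_email_hardened(legitimate_request(), profiles),
          profiles["alice"]["email"])
```

The Origin check alone is not sufficient, because older browsers and some request paths omit the header; the token check is the primary control and the Origin check only rejects forgeries earlier.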

Appendix E: Administrative Tips

This section provides administrative tips for RPC over HTTP logging and for non-English forms-based authentication.

RPC over HTTP Logging

When you publish RPC over HTTP, the ISA Server log may contain Failed Connection entries that include Error 64, "The specified network name is no longer available" (ERROR_NETNAME_DELETED). You can safely ignore these entries, which are a side effect of how Exchange handles the RPC over HTTP connection. Ignore them only for the RPC over HTTP publishing rule; the same error code on other rules still deserves attention.
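The following added example (not part of the original document) applies that distinction to log review: it suppresses result code 64 only when it occurs on the RPC over HTTP rule for the RPC proxy path and keeps every other entry. The log lines are constructed, and their layout (date, time, client IP, quoted rule name, result code, URL) is a simplified assumption, not the actual ISA Server W3C field order; the rule name "RPC over HTTP" is likewise assumed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample entries in an assumed, simplified layout:
# date time client-ip "rule name" result-code url
SAMPLE_LOG = """\
2006-05-10 09:12:01 203.0.113.5 "RPC over HTTP" 64 https://owa.contoso.com/rpc/rpcproxy.dll
2006-05-10 09:12:03 203.0.113.5 "Outlook Web Access" 64 https://owa.contoso.com/exchange/
2006-05-10 09:12:09 198.51.100.7 "RPC over HTTP" 0 https://owa.contoso.com/rpc/rpcproxy.dll
2006-05-10 09:12:15 198.51.100.7 "RPC over HTTP" 10054 https://owa.contoso.com/rpc/rpcproxy.dll
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d+) (\S+)$')

ERROR_NETNAME_DELETED = 64
RPC_RULE = "RPC over HTTP"       # assumption: name of the publishing rule
RPC_PATH = "/rpc/rpcproxy.dll"   # path the Outlook RPC proxy requests use


def parse_line(line):
    """Split one log line into a dict, or return None for a malformed line."""
    match = LINE_RE.match(line)
    if not match:
        return None
    date, time, client, rule, code, url = match.groups()
    return {"time": f"{date} {time}", "client": client, "rule": rule,
            "code": int(code), "path": urlsplit(url).path}


def is_expected_rpc_noise(entry):
    """True only for the specific combination the document says is benign:
    error 64 on the RPC over HTTP rule against the RPC proxy path."""
    return (entry["code"] == ERROR_NETNAME_DELETED
            and entry["rule"] == RPC_RULE
            and entry["path"].lower() == RPC_PATH)


def triage(log_text):
    """Return (kept, suppressed): entries still worth reviewing and entries
    recognised as the expected RPC over HTTP artefact."""
    kept, suppressed = [], []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        (suppressed if is_expected_rpc_noise(entry) else kept).append(entry)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_LOG)
    print(f"suppressed {len(suppressed)} expected RPC over HTTP entries")
    for entry in kept:
        print(f'{entry["time"]} {entry["client"]} {entry["rule"]!r} '
              f'code={entry["code"]} {entry["path"]}')
```

Of the four constructed lines, only the first is suppressed; the error 64 on the Outlook Web Access rule is kept because nothing in the document says that code is expected there.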

Non-English Forms-Based Authentication

The language settings of the user's browser (the language preference the browser sends with its requests) determine the language of the forms that ISA Server uses. This is automatic, and no configuration changes are required.

Client Certificate Authentication

The following conditions need to be taken into account when client certificate authentication has been configured.

Multiple Client Certificates Installed on Client Computer

When there are multiple client certificates installed on the user's computer, and the Client Authentication Method selected on the Web listener is SSL Client Certificate Authentication, the user must select the correct certificate, from the Choose a digital certificate dialog box, when accessing the published Web server.

Single Sign On and Client Certificate Authentication

If you have configured single sign on between two published applications with different host names, for example portal.contoso.com and owa.contoso.com, and the Client Authentication Method selected on the Web listener is SSL Client Certificate Authentication, users are prompted to select their certificate a second time when they go from one published Web site to the other. Users are prompted for the PIN code only the first time they select the certificate, provided the second published Web site is opened in the same browser process.

This issue does not affect published Web sites that share the same host name, for example https://public.contoso.com/owa and https://public.contoso.com/portal.