STEPS to Publish SharePoint sites created in Host Header mode (HH MODE) with ISA Server 2006
Contents
Scenario: Publish a SharePoint site created in Host Header Mode (HH Mode)
System Configuration details
Steps to be performed on the domain controller if you are setting up for the first time
Steps to be performed on the MOSS Server
Create a site collection in Host Header mode (HH Mode) using the command below
To find out if the site is created in HH Mode, run the SQL query below on the content DB
Creating a Certificate
Exporting the Certificate
Importing the Certificate to the ISA Server
About Microsoft® Internet Security and Acceleration (ISA) Server 2006
Steps to be performed on the ISA Server
Steps to Install ISA 2006 Standard edition
Steps to Publish a SharePoint site in ISA Server
Steps to be performed on the Client machine
Scenario: Publish a SharePoint site created in Host Header Mode (HH Mode)
Externally, I need users to browse the site as https://paulpa.soccer.com. SSL offloading happens at ISA, and internal communication from the ISA server to MOSS is over http://paulpa.soccer.com.
System Configuration details
Here are the details of the servers:

Domain controller with SQL Server installed (Soccer.com)
Computer name: ADSSRV.soccer.com
IP: 172.22.243.168
Subnet mask: 255.255.252.0
Gateway: 172.22.240.1
Applications: SQL 2005, DNS, CA
Access mode: remote into the server from your desktop

Computer name: MOSS.soccer.com
IP: 172.22.243.169
Subnet mask: 255.255.252.0
Gateway: 172.22.240.1
Application: Office SharePoint Server 2007 with SP 2 installed
Access mode: remote into the server from your desktop

Computer name: ISA.soccer.com
ISA has 2 NICs
NIC 1 (internal or corpnet)
IP: 172.22.243.170
Subnet mask: 255.255.252.0
Gateway:
NIC 2 (external or public)
IP: 13.0.0.5
Subnet mask: 255.0.0.0
Gateway:
Application: ISA 2006 Standard edition with SP1 installed
Access mode: remote into the server from either the ADSSRV or the MOSS server

Computer name: MOSS-client
IP: 13.0.0.2
Subnet mask: 255.0.0.0
Access mode: remote into the client from the ISA server
NOTE: the client is part of a workgroup, not a domain

Steps to be performed on the domain controller if you are setting up for the first time
1. Install and configure a new forest and new domain, e.g. Soccer.com
2. Install and configure DNS
3. Install and configure SQL Server 2005
4. In DNS, create an A record for the MOSS server and a host record for the site that we are going to browse (paulpa.soccer.com in our example)
5. Install and configure the CA if you need to have a certificate authority
Steps to be performed on the MOSS Server
Install and configure the server with a new farm
Start all services
Create a new web application with default options
Create a site collection in Host Header mode (HH Mode) using the command below
C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN>stsadm -o createsite -url http://paulpa.soccer.com -ownerlogin soccer\administrator -owneremail [email protected] -hhurl http://paul-moss:26480
The port specified for the new host header site does not match any known bindings in the specified Web Application. The new site will not be accessible if the Web Application is not extended to an IIS Web Site serving this port.
Operation completed successfully.
paulpa.soccer.com is the HH Mode site collection. http://paul-moss:26480 is the web application in which the HH Mode site collection is created.
NOTE: Make sure you have a DNS/host entry for paulpa.soccer.com
To find out if the site is created in HH Mode, run the SQL query below on the content DB
SELECT * FROM dbo.Sites WHERE HostHeader IS NOT NULL
Creating a Certificate
Go to the MOSS Server and follow the steps below
Open IISMGR and go to Directory Security
Create a new certificate
Send the request immediately to an online certification authority
Provide a name (it can be any name), leave the bit length at the default, and click Next
Organization and Organization unit can be typed in, or click Next
In the site's Common Name, provide the external URL that clients will use to access the site (http://paulpa.soccer.com)
In the Geographic information you can leave the defaults or provide the details, then click Next
The SSL port is 443 by default; it can be changed depending on the requirement
Select the CA running on the server (in this example the CA is hosted on the ADSSRV server)
Then you will get the message that the certificate is installed on the server successfully.
Exporting the Certificate
Click on View Certificate and export the certificate to a file
Select "Yes, export the private key" and click Next. The next screen has default values; click Next.
You can provide the password or click Next.
Provide the file name and click on Finish. The file extension is .pfx
In IIS Manager, remove the certificate from the site. (This is because we are using SSL offloading on ISA: external users browse the site using https://paulpa.soccer.com, and internal communication from ISA to MOSS is over http://paulpa.soccer.com.)
Copy the certificate to the ISA server
Importing the Certificate to the ISA Server
After copying, the certificate needs to be imported. This has to be done to be able to view the certificate while creating the web listener in the ISA firewall rule.
Click on Start, Run and type MMC
Click on File, Add/Remove Snap-in
Click on the Add button, select Certificates and click on Add. You would get a window as below
Select Computer Account and click on the option
"This snap-in will always manage: Local Computer (the computer this console is running on)"
Click on Finish
To import, right-click Personal, then select All Tasks, Import
Select the file name
Provide the password here if you set one while exporting the certificate, as mentioned earlier
In this screen select "Place all certificates in the following store" and click Next
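A check for the import above, as an added example that is not part of the original document: run on the ISA server, it lists certificates in the Local Computer Personal store whose name contains the published host name and reports whether each has a private key, is within its validity period, chains to a trusted root, and has a common name exactly equal to the host name. The function name is hypothetical; paulpa.soccer.com is the host name used in this walkthrough.

```powershell
# Added example (not from the original document). Run on the ISA server after the import.
# Assumption: the listener certificate was requested for the walkthrough's host name.
function Test-ListenerCertificate {
    param([string]$HostName = 'paulpa.soccer.com')

    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Common name of the subject. A CN typed as a URL (http://...) contains
        # the host name but does not equal it, so NameMatches will be False.
        $cn = $cert.GetNameInfo('SimpleName', $false)
        if ($cn -notlike "*$HostName*") { return }   # skip unrelated certificates

        # Build the chain in machine context, skipping revocation so the result
        # reflects trust in the issuing CA rather than CRL reachability.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        New-Object PSObject -Property @{
            CommonName    = $cn
            NameMatches   = ($cn -eq $HostName)
            HasPrivateKey = $cert.HasPrivateKey     # False if the .pfx was exported without the key
            InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
            ChainTrusted  = $chainOk
            Thumbprint    = $cert.Thumbprint
        }
    }
}

Test-ListenerCertificate | Format-List
```

No output means no matching certificate is in the Local Computer Personal store, for example because it was imported into the current user's store instead. Once the check passes, the copied .pfx file still holds the private key and can be deleted from the ISA server.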
About Microsoft® Internet Security and Acceleration (ISA) Server 2006
It is the security gateway that helps protect your mission-critical applications from Internet-based threats. ISA Server enables your business to do more, with secure access to Microsoft applications and data. Secure your Microsoft application infrastructure by protecting your corporate applications, services, and data across all network layers with stateful packet inspection, application-layer filtering, and comprehensive publishing tools. Streamline your network with simplified administrator and user experiences through a unified firewall and virtual private network (VPN) architecture, which includes Web caching and bandwidth management, an optimized firewall filtering engine, and comprehensive access controls. Safeguard your information technology environment to reduce security risks and costs, and help eliminate the effects that malicious software and attackers have on your business, by using comprehensive tools for scanning and blocking harmful content, files, and Web sites.
Steps to be performed on the ISA Server
ISA needs to have 2 NICs, internal and external
Internal IP is 172.22.243.170
External IP is 13.0.0.5 (it can be anything; make sure the client is in the same range, e.g. 13.0.0.2)
Steps to Install ISA 2006 Standard edition
Copy the installation source to the ISA server locally
Double-click on ISAautorun.exe and continue the wizard as seen below
Provide the internal network details. In our example it is NIC 1, with the IP 172.22.243.170
Click on Finish and ISA 2006 setup is completed
Click on Start, All Programs, Microsoft ISA Server, ISA Server Management
Note: there will be a default rule which blocks all traffic, which means you will not be able to ping any server from the ISA server, or the ISA server from any server
Follow the steps below to create a new access rule to allow the traffic. This is to be done with extreme care in a live scenario. For testing you can follow the steps below
Note: Make sure you click on Apply for the change to take effect; you would then see 2 rules as above
Steps to Publish a SharePoint site in ISA Server
Scenario: I need to publish a SharePoint site created in Host Header Mode (HH Mode)
Externally, I need users to browse the site as https://paulpa.soccer.com. SSL offloading happens at ISA, and internal communication from the ISA server to MOSS is over http://paulpa.soccer.com.
Right-click on Firewall Policy, select New, then SharePoint Site Publishing Rule
Type in the name of the rule (it can be any name)
In the next screen, select the Publishing Type. In our scenario we need to select Publish a single Web site or load balancer.
Publishing Type
Publishing type options: Select Publish a single Web site or load balancer.
Note: For more information about publishing a server farm of load balanced Web servers, see "Web Server Farm Load Balancing in ISA Server 2006" at the Microsoft TechNet Web site.
In the next screen, "Server Connection Security", select "Use non-secured connections to connect the published Web server or server farm."
Server Connection Security
Choose the type of connections ISA Server will establish with the published server or server farm
Note: For HTTPS-to-HTTP bridging (SSL Termination), you should select Use non-secured connections to connect the published Web server or server farm.
In the next screen, provide the Internal Publishing Details
Internal Publishing Details
Internal site name: Type paulpa.soccer.com (as per our example)
Important: The internal site name must match the name of the server certificate that is installed on the internal Web servers.
Note: If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server, and then type the required IP address or name that is resolvable by the ISA Server computer.
In the next screen, provide the Public Name Details
Public Name Details
Accept requests for: This domain name (type below)
Public name: Type paulpa.soccer.com (as per our example)
In the next screen, select the Web Listener. This lets us configure how external users will browse the SharePoint site; in our case it would be https://paulpa.soccer.com
Since it is a new configuration, we will create a new web listener by clicking on the New button
Type the name of the web listener
In the next screen select the “Client Connection Security”
Client Connection Security
Connection type, either SSL or not SSL.
Select Require SSL secured connections with clients.
In the next screen, select the "Web Listener IP Addresses"
Web Listener IP Addresses
Listen for incoming Web requests on these networks: Select the External network.
ISA Server will compress content: Check box should be selected (default).
Select IP Addresses: In the window, click on "Select IP Addresses"
External Network Listener IP Selection
Listen for requests on: Select Specified IP addresses on the ISA Server computer in the selected network.
Available IP Addresses: Select 13.0.0.5 and click Add.
In the next screen, select the Listener SSL Certificates
Listener SSL Certificates
A Web listener can use a single certificate for all of its IP addresses, or a different certificate for each IP address.
Select Use a single certificate for this web listener
Click on Select Certificate as below
Select Certificate
Select a certificate: Select the certificate issued to paulpa.soccer.com and click Select. The certificate must be installed before running the wizard.
Click on paulpa.soccer.com and click on the Select button
Click on Next and select Authentication Settings
Authentication Settings
Specify how clients will provide credentials to ISA Server: Select HTML Form Authentication.
Select how ISA Server will validate client credentials: Select Windows (Active Directory)
In the next screen
Single Sign On Settings
Enable SSO for Web sites published with this Web listener
SSO domain name
Uncheck, as we do not have SSO configured in this scenario
In the next screen
Completing the New Web Listener Wizard
Review settings.
Click Back to make changes or Finish to complete the wizard
Click on Finish and you would see the details as below
Click next and select Authentication Delegation
Authentication Delegation
Select the method used by ISA Server to authenticate to the published Web server
Select NTLM authentication.
In the next screen Alternate Access Mapping Configuration
Alternate Access Mapping Configuration
For complete integration and functionality, you need to configure alternate access mapping on the published SharePoint site.
Select SharePoint AAM is already configured on the SharePoint server.
Since we are using HH Mode, we do not have an option to configure AAMs for each web application, and it depends completely on the link translation feature of ISA
In the next screen of User Sets
User Sets
This rule applies to requests from the following user sets
Select All Authenticated Users and click Next
In the next screen, Completing the New SharePoint Publishing Rule Wizard
Completing the New SharePoint Publishing Rule Wizard
Review settings.
Click Back to make changes and Finish to complete the wizard.
Click on Test Rule to verify or click on Finish
Note: Test Rule is only available in ISA 2006 SP1 and above
Steps to be performed on the Client machine
Since the host entry is not registered publicly, we need to add a hosts file entry for our test scenario
Add host entry
Note: 13.0.0.5 is the IP address of the ISA Server (2nd NIC)
Save the hosts file.
Open Internet Explorer and type in https://paulpa.soccer.com; you will get a prompt as below
Type in the credentials and you will get the screen as below. This is due to the certificate error, which can be rectified by having a valid certificate
This will confirm that we were successfully able to browse the site with the above mentioned scenario
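To tell apart two common causes of the certificate error seen on the client (a certificate name that does not match the host name, versus an issuing CA that the workgroup client does not trust), here is an added example that is not part of the original document. It assumes the hosts entry maps paulpa.soccer.com to 13.0.0.5 and that the listener is on TCP 443; the function name is hypothetical.

```powershell
# Added example (not from the original document). Run on the client after saving the hosts file.
# Assumptions: hosts entry "13.0.0.5 paulpa.soccer.com"; web listener on TCP 443.
function Test-PublishedSite {
    param(
        [string]$HostName   = 'paulpa.soccer.com',
        [string]$ExpectedIP = '13.0.0.5',
        [int]$Port          = 443
    )
    $resolved = [System.Net.Dns]::GetHostAddresses($HostName) |
        ForEach-Object { $_.IPAddressToString }

    # Record what certificate validation reported instead of failing the handshake.
    # Diagnostic use only: no request is sent and the connection is closed right away.
    $script:tlsErrors  = $null
    $script:tlsSubject = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $policyErrors)
        $script:tlsErrors  = $policyErrors
        $script:tlsSubject = $certificate.Subject
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # the certificate is matched against this name
        $ssl.Close()
    }
    finally { $tcp.Close() }

    $e = [int]$script:tlsErrors
    New-Object PSObject -Property @{
        ResolvedTo     = $resolved
        ResolvesToISA  = ($resolved -contains $ExpectedIP)
        CertSubject    = $script:tlsSubject
        # Certificate name differs from the host name the client asked for.
        NameMismatch   = (($e -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0)
        # Chain does not end in a root this client trusts (or another chain problem).
        UntrustedChain = (($e -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -ne 0)
    }
}

Test-PublishedSite | Format-List
```

UntrustedChain on its own points at the client not trusting the CA on ADSSRV; NameMismatch points at the name the certificate was issued to.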
Good luck !!!