SharePoint Notes

Bleeding on the cutting edge …

SharePoint Extranet Solutions with ISA Server 2006 – Part 2: Creating the Extranet Web Application

Posted by Christian Dam on March 2, 2008

Update: The previous post was a bit too complex. It has been modified a bit so now it should actually work 😉 

Let’s create and extend the Extranet Web Application. Since we need to access it in three different ways, the web application will be extended so it covers two zones:

  • Default Zone: extranet.sharepointntes.local. This zone is used for access by internal corporate users as well as services like search. Will use Windows authentication.
  • Extranet Zone: dmz.extranet.sharepointnotes.local. This zone is used for external partners. Will use a DMZ AD for authentication

Step 1: Create the Extranet Web Application

  1. In Central Administration navigate to Application Management 
  2. In the SharePoint Web Application Management section select Create or extend Web application
  3. Select Create a new Web application
  4. In the IIS Web Site section opt to Create a new IIS web site and enter the required information, e.g:
    • Description: SharePoint Extranet – 80
    • Port: 80
    • Host Header: extranet.sharepointnotes.local
    • Path: use default
  5. Keep the default selections for Security Configuration
  6. In the Load Balanced URL change the URL to http://extranet.sharepointnotes.local (remove :80)
  7. In the Application Pool section select to Create new application pool. Name the new application pool and enter user name and password.
  8. In the Database Name and Authentication section, enter the Database server and  Database Name.Is is recommended not to accept the suggested database name, but rather to name your database something that is specific related to your Web Application, e.g WSS_Content_Extranet
  9. Finally, select which Search Server that should be used if you have more than one
  10. Click OK to create the Web Application.
  11. Click Create Site Collection to create the site collection to be hosted by the new Web App. Use the template and quota settings that are applicable in your environment, This Web Application will be used to host an partner collaboration site, so the Collaboration Portal-template is used.
  12. Once the Site Collection is created, test that it can be accessed using the Host Header name you specified when the Web Application was created

Step 2: Extend the Web Application to facilitate external access for partners

  1. In Central Administration navigate to Application Management 
  2. In the SharePoint Web Application Management section select Create or extend Web application
  3. Select Extend an existing new Web application
  4. In the IIS Web Site section opt to Create a new IIS web site and enter the required information, e.g:
    • Description: SharePoint Extranet (Extranet Zone) – 80
    • Port: 80
    • Host Header: dmz.extranet.sharepointnotes.local
    • Path: use default
  5. For now, go with the default selections for Security Configuration
  6. In the Load Balanced URL change the URL to https://extranet.sharepointnotes.local and set the zone to Extranet
  7. Click OK to extend the Web Application.
  8. The external partners will authenticate using AD and LDAP, but we’ll configure that in a later post
  9. Go to the Operations section of Central Administration 
  10. In the Global configuration section click Alternate access mappings 
  11. Click Add Internal URLs
  12. Select the Extranet Web Application and the host header for the extended web app, in this case http://dmz.extranet.sharepointnotes.local/
  13. Assign the Internal URL to the Extranet zone and click Save

So far so good. Now we have the web application created and extended to use different zones. Next step is to use ISA Server 2006 to publish the Extranet for corporate users across the Internet.


16 Responses to “SharePoint Extranet Solutions with ISA Server 2006 – Part 2: Creating the Extranet Web Application”

  1. Sue Massey said

    I found your site on google blog search and read a few of your other posts. Keep up the good work. Just added your RSS feed to my feed reader. Look forward to reading more from you.

    – Sue.

  2. Tristan said

    I believe this article said that ISA 2006 does not support ADAM yesterday. That’s gone now? If that is true can you please point me to where you saw that? If not, have you received different guidance since the original post? I thought that would be odd if it doesn’t, as ISA uses ADAM for its configuration data.



  3. Tristan said

    Never mind. I see that was on the Extranet Collaboration Toolkit post. I’ll re-post this there.

  4. Hi Tristan,

    you are correct, I initially wanted to configure the access using ADAM as I, like you, thought it was possible since ISA Servers ADAM for it’s configuration.

    Unfortunately, ISA Server cannot use ADAM as a user repository in conjunction with LDAP. A shame really, since SharePoint have no problem validating uses in an ADAM.

    Tom Shindler mentions it in a blog post:

    I have since asked my local Microsoft TAM to look into it, and the answer I got was that no, ISA Server cannot use ADAM as a user repository and he couldn’t find any information that suggests that it would be supported in the next version, either.


  5. Tristan said

    Thanks loads Christian!

  6. Juliane Hecht said


    I’m trying to publish sharepoint (MOSS 07) over the ISA 2006, but I still have one porblem: if you go into “deeper” navigation the urls can not be translated. For example:
    I can log on the sharepoint over the ISA. I can choose one of the top level sites “product X” for example. On the site of ProduktX I can see all document libraries. I can open the document library BUT I can’t open a folder in the library!?! BUT I can open that folder over right-click “open in new window”.

    Why does the alternate access not work in deeper levels???

    can you help me?


  7. Hi Juliane,

    it is difficult to say, but I would guess that one or more of your alternate access mappings are broken.

    I have seen something similar at one point, where I configured AAM incorrectly. I could access the site using but when I created a new sub-site, it got created as and could not be accessed through ISA.

    It could be the same thing that you are seeing, so my advise would be to check the AAM once again.


  8. zuahir said

    hi everybody,
    I had the same problem of Juliane, when published my sharepoint over ISA 2006.
    accessing folders is done through HTTP, even if you are using HTTPS.. as far as I noticed.
    I have fixed this problem by having the ISA web listener to listen on port 80 and 443 and chose to redirect all http traffic to https…. this is one.
    I made sure that the network the web listner on, has the proxy client listen on different port other that 80 (the default).

    and pooooof it worked fine.

  9. Zuahir,

    thanks for commenting! I am not sure I understand the problem. The redirect option in the Bridging tab is for ISA to MOSS traffic. The example scenarios I have posted in the Extranet series assumes that HTTPS/443 is used from Client to ISA and HTTP/80 is used from ISA to MOSS. With that setup, I get no errors when creating or accessing folders.

    Can you elaborate a bit on the problem? Have you configured SSL on the MOSS server?


  10. Chris Davis said

    Hi Everybody,

    I have the same problem of Juliane and unfortunately Zuahir’s suggestion did not help me – however I have found if you select the properties of the folder, then click open all is fine. In my case I have configured SSL on WSS 3 SP1 (with ISA 2006.)



  11. Ricardo Caldas said


    I have the same folder problem, and, in my case, I discovered that if you see the source code page, you can find that there is a block of java script that is redirecting the user for an internal URL. If you disable de script execution in the page you will be able to open the folder normally, but of course that disable the script execution it’s not a fine solution, so if you found another solution will be great.


  12. Vishal said

    Did anyone have a solution of this issue i am also facing same issue. Ricardo can you give me the script which you disabled to fix this issue?

  13. Sean Johnson said

    I had the same problem it is all down to AAM there is a very good document that fixed it for me, you will find it at

    Now all menu’s work however I still get problems with the javascript drop down menus.

  14. Ricardo Caldas said


    I did not fixed the problem. What I have done, was just disable the script executing in the browser (using the browser properties, just click disable).

    But like I said, it works but it’s not practicable. I can’t tell to all my user just to disable the script execution in the browser. I was just giving more information to help finding and resolving the problem.

    Best regards

  15. Byung said

    I had the same problem, and it was caused by a mistake to create a Internal URL in AAM, and fixed it the link in Sean John’s comment. Here is the portion of the instruction.

    —- As you can see, the public URL from the reverse proxy publishing rule has been assigned to your web application’s Internet zone. The final touch is to add the internal URL from the reverse proxy publishing rule to your web application’s Internet zone. To do this, click “Add Internal URLs” in the AAM toolbar, type in the internal URL, and select the same zone that you used for the public URL. In this case, that was the Internet zone. When you’re finished, click Save. You should now see the additional URL is assigned to your web application, in the same zone as the public URL of your reverse proxy publishing rule. —

  16. dan said

    If you receive an 401.1 error when trying to browse the Web-application that uses Integrated Authentication and is hosted on IIS 5.1 or a later version, this might be caused by having the the Web site uses Integrated Authentication, with a name that is mapped to the local loopback address i.e.

    A workaround is to specify host names (Preferred method if NTLM authentication is desired) on the server.


Sorry, the comment form is closed at this time.

%d bloggers like this: