SharePoint Notes

Bleeding on the cutting edge …

SharePoint Extranet Solutions with ISA Server 2006 – Part 8: Publishing

Posted by Christian Dam on April 23, 2008

Finally, we’ve arrived at the last part of the series where everything should come together!

Let the SharePoint publishing begin!

  1. On the right pane, select the Tasks tab and click Publish SharePoint sites
  2. Name the publishing rule and click Next
  3. Select Publish a single Web site or load balancer and click Next 
  4. Use SSL to connect to the published Web server or server farm and click Next 
  5. Enter the Internal site name. The internal name is in this case the host header in the Extranet Web application that was extended to the Extranet zone: dmz.extranet.sharepointnotes.local
  6. If the ISA server cannot resolve the internal site name (e.g. if it is not created as a A record in DNS), specify the computer name or IP address. Click Next
  7. Accept requests for This domain name (type below), enter the Public name and click Next. The public name is the web site name, the clients will use to access the site. In this case extranet.sharepointnotes.local
  8. Select the Web listener to use. If you haven’t one already, here’s how to create one:
    • Click New 
    • Name the listener and click Next
    • Select Require SSL secured connection with clients and click Next
    • Select the External network interface and click Select IP Addresses
    • Select Specified IP Addresses on the ISA Server computer in the selected network and select the IP Address that is used to server internal users coming from the Internet. Click Add and OK
    • Back on the Web Listener IP Addresses page click Next
    • Select Assign a certificate for each IP address and click Select Certificate 
    • Choose the certificate issued to extranet.sharepointnotes.local and click Select and then Next 
    • Use HTML Forms Authentication and let ISA validate using LDAP (Active Directory). Click Next
    • Do not enable SSO and click Next
    • Click Finish and OK to accept the warning
  9. Make sure the newly created listener is selected and click Next 
  10. Use Basic authentication and click Next 
  11. Select SharePoint AAM is already configured and click Next
  12. Remove All Authenticated users and click Add to add the User Set you created earlier. Click Next
  13. Click Finish and Apply the changes
  14. Right-click the new rule and select Properties
  15. Select the To tab. Since we are forwarding requests from one URL to another, make sure the Forward the original host header option is not selected.
  16. Select the Bridging tab
  17. Since we are redirecting from SSL to HTTP, make sure the Redirect requests to HTTP port 80 is selected and that Redirect requests to SSL port is not selected
  18. Click OK and Apply the changes

The rule is now created and out Extranet site is published and available for external users. Let’s test it:

  1. To test external access, browse to https://extranet.sharepointnotes.local
  2. Login using a administrative user in the format user@dmzad.local
  3. Once the credentials are validated by ISA Server, the request is forwarded to MOSS and the user is presented with a new Sign In page. Log in again using the same credentials.
  4. A good method to test access and especially Alternate Access Mappings is to create a new site:
    • From Site Actions select Create
    • In the Web Pages section select Sites and Workspaces
    • Enter a Title, URL name and select a site template
    • Leave other settings with their default values and click Create
  5. Verify the new site was created and displayed correctly. If that isn’t the case it normally indicates that the Alternate Access Mappings is configured incorrectly. 

Done! I hope you enjoyed the series. If so, drop me a note 🙂 Please also drop me a note, if you know how to avoid to enter crendetials twice (once on ISA and again on MOSS)!


12 Responses to “SharePoint Extranet Solutions with ISA Server 2006 – Part 8: Publishing”

  1. vkeegan said

    Outstanding work Christian! There must be a way to resolve the dual sign in issue if you are using the same credentials. I’ll ask around and see if I can find a solution.

  2. Cheers, Victor! Much appreciated.

    To clarify: there is no dual sign-in issue when using NTLM (Windows Integrated) all the way, but only when the user authenticate against the DMZ AD using LDAP.

  3. Ravi Vajaria said

    Great series Christian! I understand what you’re trying to do; just need to put pieces together as I haven’t played with ISA much yet. But from what I understand ISA authenticates a user as Windows User so if SharePoint Web App is configured to use Windows Authentication, you don’t need to login twice — just one on ISA should be enough for extranet users. Have you tested this in your environment?

    Thanks again… much appreciate!

  4. Thanks, Ravi!

    You are correct. ISA Server pre-validates user account against the configured user repository and passes the credentials on to SharePoint if successfully validated. SharePoint then re-validates the credentials before the connection is established as described here:

    That all works fine when the published Web Application validates against an AD using NTLM. However, when the Web Application validates against another AD using LDAP, then the user is asked for enter credentials twice.


  5. Thanks for all that detail. I have been working on this very thing Last Week! I have an internal site in which I published to a custom port and I need external partners to access it over SSL. I have extended the site to port 80 and have install the certificate to the ISA server. Will ISA be able to connect to the site since my Web App is on a custom port? or am I just screwed?

    Thanks! Desiree

  6. Desiree,

    you should be fine! Just go to the Bridging tab, find the Redirect requests to HTTP port section and enter the port used.

    Note however, that the SSL connection is terminated at the ISA server in that case. Not normally a problem, though.


  7. Stuart Evans said


    I wonder if you can help. We have two web front ends as opposed to one. How would step 8 differ. it appears that you can only specify one machine name or ip address, yet I have to machines (wfe’s).

    Any help you have woulld be much appreciated.


    Stuart Evans

  8. Stuart,

    since you have two WFEs, I assume you are using either software or hardware load balancing. In that case you must use the load balanced IP address in step 8.


  9. Brij said

    Great work, Christian!

    Can we resolve dual authentication issue by placing ISA Server in Work Group and configuring SSO as explained in following Technet Article?

    Do we need to enable Form Based Authentication on SharePoint in that case and create all external users in SQL (FBA) as well as LDAP (Same users which we created in SQL for FBA)?

    In other words is it possible to have all internal users authenticated against LDAP and in turn against AD (NTLM) and all external users authenticated against LDAP and in turn against SQL without re-entering credentials? And this is all I am trying to achieve with ISA web publishing rules, SSL and SSO.

    I would truly appreciate your comments.


  10. Brij,

    thanks 🙂

    I don’t think so. ISA Server cannot validate against a SQL Server so the the access token that ISA is using to to re-validate in MOSS is of no use. So far, the only suggestions I have to avoid the dual authentication is to use Active Directory (NTLM) or perhaps kerberos.


  11. Ben said

    Great post – if anyone has any general questions about publishing MOSS using ISA Server 2006 please check out my blog over at I am still learning, so any comments would certainly be appreciated!

  12. shahab said

    I did same, but its validating me twice,

Sorry, the comment form is closed at this time.

%d bloggers like this: