SharePoint Notes

Bleeding on the cutting edge …

SharePoint Extranet Solutions with ISA Server 2006 – Part 8: Publishing

Posted by Christian Dam on April 23, 2008


Finally, we’ve arrived at the last part of the series where everything should come together!

Let the SharePoint publishing begin!

  1. On the right pane, select the Tasks tab and click Publish SharePoint sites
  2. Name the publishing rule and click Next
  3. Select Publish a single Web site or load balancer and click Next
  4. Select Use SSL to connect to the published Web server or server farm and click Next
  5. Enter the Internal site name. In this case the internal name is the host header of the Extranet Web application that was extended to the Extranet zone: dmz.extranet.sharepointnotes.local
  6. If the ISA server cannot resolve the internal site name (e.g. if it has no A record in DNS), specify the computer name or IP address. Click Next
  7. Select Accept requests for This domain name (type below), enter the Public name and click Next. The public name is the web site name the clients will use to access the site; in this case extranet.sharepointnotes.local
  8. Select the Web listener to use. If you don’t have one already, here’s how to create one:
    • Click New
    • Name the listener and click Next
    • Select Require SSL secured connection with clients and click Next
    • Select the External network interface and click Select IP Addresses
    • Select Specified IP Addresses on the ISA Server computer in the selected network and select the IP address that is used to serve users coming from the Internet. Click Add and OK
    • Back on the Web Listener IP Addresses page click Next
    • Select Assign a certificate for each IP address and click Select Certificate
    • Choose the certificate issued to extranet.sharepointnotes.local (the name must match what clients type, or they will get a certificate warning), click Select and then Next
    • Select HTML Form Authentication and let ISA validate the credentials using LDAP (Active Directory). Click Next
    • Do not enable SSO and click Next
    • Click Finish and OK to accept the warning
  9. Make sure the newly created listener is selected and click Next
  10. On the Authentication Delegation page select Basic authentication and click Next. ISA will pass the credentials it has already validated on to SharePoint as an HTTP Basic Authorization header
  11. Select SharePoint AAM is already configured and click Next
  12. Remove All Authenticated Users and click Add to add the User Set you created earlier. Click Next
  13. Click Finish and Apply the changes
  14. Right-click the new rule and select Properties
  15. Select the To tab. Since we are forwarding requests from the public name to a different internal site name, make sure the Forward the original host header option is not selected. Otherwise SharePoint receives the public name in the Host header and the Extranet zone’s internal URL will not match
  16. Select the Bridging tab
  17. Since we are bridging from SSL to HTTP, make sure Redirect requests to HTTP port 80 is selected and that Redirect requests to SSL port is not selected. Note that SSL is then terminated at ISA, and with Basic delegation (step 10) the username and password cross the ISA-to-WFE leg unencrypted, so that segment must be one you trust
  18. Click OK and Apply the changes

The rule is now created and our Extranet site is published and available to external users. Let’s test it:

  1. To test external access, browse to https://extranet.sharepointnotes.local
  2. Log in using an administrative user in the format user@dmzad.local
  3. Once the credentials are validated by ISA Server, the request is forwarded to MOSS and the user is presented with a new Sign In page. Log in again using the same credentials.
  4. A good way to test access, and especially the Alternate Access Mappings, is to create a new site, since SharePoint has to generate the links to it:
    • From Site Actions select Create
    • In the Web Pages section select Sites and Workspaces
    • Enter a Title and URL name and select a site template
    • Leave the other settings at their default values and click Create
  5. Verify that the new site was created and is displayed correctly, with links pointing at https://extranet.sharepointnotes.local. If that isn’t the case, it normally indicates that the Alternate Access Mappings are configured incorrectly.
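The two settings that most often break this setup are the host header ISA puts on the bridged request (step 15) and the AAM entry that has to match it (the test in step 5). The Python below is an added illustration, not the author’s tooling or anything from ISA or SharePoint: it builds the HTTP request ISA would send to the WFE on the port-80 leg with Basic delegation, parses it the way a sniffer on that segment would, and resolves the Host header against a constructed AAM table. The AAM rows, the sample user and password, and the Default-zone host name are assumptions; only the two host names come from the article.

```python
import base64

# Names taken from the article.
PUBLIC_HOST = "extranet.sharepointnotes.local"        # HTTPS name external users type
INTERNAL_HOST = "dmz.extranet.sharepointnotes.local"  # host header of the extended Extranet zone

# Constructed AAM table modelled on the article's setup (assumption, not from the page):
# the Extranet zone's internal URL is the HTTP host header ISA forwards to, and its
# public URL is the HTTPS name SharePoint must use when it generates links.
AAM = [
    {"zone": "Default",  "internal": "http://moss.sharepointnotes.local",
                         "public":   "http://moss.sharepointnotes.local"},
    {"zone": "Extranet", "internal": f"http://{INTERNAL_HOST}",
                         "public":   f"https://{PUBLIC_HOST}"},
]


def backend_request(path, user, password, forward_original_host=False):
    """Build the request ISA sends to the WFE after SSL bridging to HTTP.

    With 'Forward the original host header' off (the article's setting) the Host
    header is the internal site name; with it on, the public name is kept.
    Basic delegation carries the validated credentials in an Authorization header.
    """
    host = PUBLIC_HOST if forward_original_host else INTERNAL_HOST
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: Basic {token}\r\n"
        "\r\n"
    ).encode()


def parse_request(raw):
    """Parse the bridged request as a sniffer on the ISA-to-WFE segment would see it."""
    head = raw.decode().split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    creds = None
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic is base64, not encryption: the password is readable on this leg.
        creds = base64.b64decode(auth[6:]).decode()
    return {"method": method, "path": path, "host": headers.get("host"), "credentials": creds}


def resolve_zone(scheme, host):
    """Return (zone, public_url) for the scheme+host SharePoint received, or None if unmapped."""
    incoming = f"{scheme}://{host}".lower()
    for entry in AAM:
        if entry["internal"].lower() == incoming:
            return entry["zone"], entry["public"]
    return None


def link_for(scheme, host, path):
    """Absolute URL SharePoint would put in a generated link for `path`, or None if no AAM matches."""
    match = resolve_zone(scheme, host)
    if match is None:
        return None
    return match[1].rstrip("/") + path


if __name__ == "__main__":
    path = "/sites/aamtest/default.aspx"
    for forward in (False, True):
        seen = parse_request(backend_request(path, "admin@dmzad.local", "Pa55w0rd", forward))
        print(f"forward original host header={forward}: Host={seen['host']}, "
              f"credentials on the wire={seen['credentials']!r}, "
              f"generated link={link_for('http', seen['host'], path)}")
```

With host-header forwarding off, the request reaches SharePoint as http://dmz.extranet.sharepointnotes.local, the Extranet zone matches, and links come back as https://extranet.sharepointnotes.local/…; with forwarding on, http://extranet.sharepointnotes.local matches no internal URL and the new site’s links will not carry the public HTTPS name, which is exactly what step 5 catches. Either way the parsed credentials show why the port-80 leg in step 17 has to stay on a trusted segment.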

Done! I hope you enjoyed the series. If so, drop me a note 🙂 Please also drop me a note if you know how to avoid entering credentials twice (once on ISA and again on MOSS)!

12 Responses to “SharePoint Extranet Solutions with ISA Server 2006 – Part 8: Publishing”

  1. vkeegan said

    Outstanding work Christian! There must be a way to resolve the dual sign in issue if you are using the same credentials. I’ll ask around and see if I can find a solution.

  2. Cheers, Victor! Much appreciated.

    To clarify: there is no dual sign-in issue when using NTLM (Windows Integrated) all the way, but only when the user authenticates against the DMZ AD using LDAP.

  3. Ravi Vajaria said

    Great series Christian! I understand what you’re trying to do; just need to put pieces together as I haven’t played with ISA much yet. But from what I understand ISA authenticates a user as Windows User so if SharePoint Web App is configured to use Windows Authentication, you don’t need to login twice — just one on ISA should be enough for extranet users. Have you tested this in your environment?

    Thanks again… much appreciated!
    Ravi.

  4. Thanks, Ravi!

    You are correct. ISA Server pre-validates the user account against the configured user repository and passes the credentials on to SharePoint if successfully validated. SharePoint then re-validates the credentials before the connection is established, as described here: http://www.microsoft.com/technet/isa/2006/authentication.mspx

    That all works fine when the published Web Application validates against an AD using NTLM. However, when the Web Application validates against another AD using LDAP, the user is asked to enter credentials twice.

    Cheers,
    Christian

  5. Thanks for all that detail. I have been working on this very thing last week! I have an internal site which I published to a custom port and I need external partners to access it over SSL. I have extended the site to port 80 and have installed the certificate on the ISA server. Will ISA be able to connect to the site since my Web App is on a custom port? Or am I just screwed?

    Thanks! Desiree

  6. Desiree,

    you should be fine! Just go to the Bridging tab, find the Redirect requests to HTTP port section and enter the port used.

    Note however, that the SSL connection is terminated at the ISA server in that case. Not normally a problem, though.

    Cheers,
    Christian

  7. Stuart Evans said

    Hi,

    I wonder if you can help. We have two web front ends as opposed to one. How would step 8 differ? It appears that you can only specify one machine name or IP address, yet I have two machines (WFEs).

    Any help you have would be much appreciated.

    Regards

    Stuart Evans

  8. Stuart,

    since you have two WFEs, I assume you are using either software or hardware load balancing. In that case you must use the load balanced IP address in step 8.

    Cheers,
    Christian

  9. Brij said

    Great work, Christian!

    Can we resolve the dual authentication issue by placing ISA Server in a workgroup and configuring SSO as explained in the following TechNet article?

    http://technet.microsoft.com/en-us/library/bb794854.aspx

    Do we need to enable Form Based Authentication on SharePoint in that case and create all external users in SQL (FBA) as well as LDAP (Same users which we created in SQL for FBA)?

    In other words is it possible to have all internal users authenticated against LDAP and in turn against AD (NTLM) and all external users authenticated against LDAP and in turn against SQL without re-entering credentials? And this is all I am trying to achieve with ISA web publishing rules, SSL and SSO.

    I would truly appreciate your comments.

    Thanks
    -Brij

  10. Brij,

    thanks 🙂

    I don’t think so. ISA Server cannot validate against a SQL Server, so the access token that ISA is using to re-validate in MOSS is of no use. So far, the only suggestions I have to avoid the dual authentication are to use Active Directory (NTLM) or perhaps Kerberos.

    Cheers,
    Christian

  11. Ben said

    Great post – if anyone has any general questions about publishing MOSS using ISA Server 2006 please check out my blog over at http://mossblogger.blogspot.com/. I am still learning, so any comments would certainly be appreciated!

  12. shahab said

    I did the same, but it’s validating me twice.
