Monday, April 18, 2005

Deploying SharePoint Portal Server 2003 on extranet – My Findings

The purpose of this article is to outline the alternative approaches that can be taken to make SharePoint Portal available on extranet.

SharePoint Portal Server provides a great way of sharing data with employees at remote offices, suppliers, partners or anyone else who needs access to private data through an extranet. However, before you can make SharePoint workspaces available through an extranet, there are some security settings that need to be taken care of.

By default, SharePoint is set to use NTLM authentication. Although NTLM is the best choice for authentication, it may be impractical in some environments. For example, you may have users in remote offices who need to access SharePoint data, but who aren’t using Windows machines.

Though SharePoint is designed primarily for intranets, there are several ways to configure it for extranet access. Which one fits depends largely on your current configuration settings and security requirements.

Alternate Access Mappings
Basically, alternate access mappings are a table that states which URL to use in which scenario. There are default, intranet, extranet, and custom URLs.
Open SharePoint Portal Server Central Administration and click Configure Alternate Portal Access Settings.

On that page, edit your existing SharePoint portal mapping and add your extranet URL. When creating portals, make sure you do not use your extranet URL as the default URL for the portal.
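To make the mapping table concrete, here is a small added model (written for this post, not SharePoint's own code) of how such a table is consulted: the scheme and Host header of an incoming request select a zone, links generated against the default URL are rewritten to that zone's public URL, and the table is checked against the rule above that the extranet URL must not be the default. The hostnames are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed alternate access mapping table for one portal, with the four
# zones the article names. Hostnames are assumptions for this example.
AAM = {
    "default":  "http://sps01",
    "intranet": "http://portal.corp.local",
    "extranet": "https://portal.example.com",
    "custom":   "https://partners.example.com",
}


def zone_for_request(scheme, host, table=AAM):
    """Map the scheme and Host header of an incoming request to a zone name.

    A request whose scheme/host pair matches no entry is treated as arriving
    on the default zone, which is why the default URL must be one the portal
    can always be reached on internally, never the extranet URL.
    """
    host = host.split(":")[0].lower()          # drop any :port suffix
    for zone, url in table.items():
        parts = urlsplit(url)
        if parts.scheme == scheme.lower() and parts.hostname == host:
            return zone
    return "default"


def rewrite_links(html, zone, table=AAM):
    """Rewrite absolute links generated against the default URL so that they
    carry the public URL of the zone the client came in on.

    Without this step an extranet user would receive links pointing at the
    internal default host, which is unreachable from outside.
    """
    default_base = table["default"].rstrip("/")
    zone_base = table[zone].rstrip("/")
    # Only replace the base when it is followed by a path, quote, space or the
    # end of the string, so "http://sps01" does not match "http://sps012".
    pattern = re.escape(default_base) + r'(?=[/"\'\s?#]|$)'
    return re.sub(pattern, zone_base, html)


def misconfigured(table=AAM):
    """Return a list of problems with the table: the article's rule that the
    extranet URL must not be the default, plus entries without a hostname."""
    problems = []
    if table["default"].lower() == table.get("extranet", "").lower():
        problems.append("default URL is the extranet URL")
    for zone, url in table.items():
        if not urlsplit(url).hostname:
            problems.append(f"{zone} URL has no hostname")
    return problems


if __name__ == "__main__":
    page = '<a href="http://sps01/sites/hr/default.aspx">HR</a>'
    zone = zone_for_request("https", "portal.example.com")
    print(zone, rewrite_links(page, zone))
    print(misconfigured(dict(AAM, default=AAM["extranet"])))
```

The `zone_for_request` fallback is the reason behind the warning in the text: anything the portal does not recognise is served as if it came in on the default URL, so that URL has to be the one that always works from inside.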

You can deploy SPS 2003 with or without SSL, but I would strongly recommend using SSL together with MS ISA Server 2004.

If you are NOT using SSL

If you are NOT using SSL (you should be), then after configuring the Alternate Access Settings, add any additional mappings you need (Exchange, other intranet URLs, etc.). Then make sure DNS is configured to point the extranet URL at your SPS box, and make sure there are no host headers set up on the Virtual Server in IIS Manager.

Also be sure that you have a port rule set up on your router to allow port 80 traffic to pass to your SharePoint Portal Server machine.

If you are using SSL

If you are using SSL, then you need (at least) two different physical servers hosting the same portal: one for the intranet and one for the extranet. If you do it this way, intranet users will be authenticated automatically based on their Windows credentials, but extranet users will have to enter their credentials. In most cases you would use Basic authentication for the extranet server, over SSL.
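The split above (Integrated Windows authentication inside, Basic only over SSL outside) can be checked against the settings each virtual server actually has. The added script below is mine, not part of the original post: it takes the IIS 6 metabase values AuthFlags and AccessSSLFlags for a virtual server (which bits mean what is an assumption of this example, taken from the metabase reference) and lists deviations, and it decodes a Basic Authorization header to show why that method is unsafe without SSL.

```python
import base64

# IIS 6 metabase bit values for AuthFlags and AccessSSLFlags, reproduced here
# as assumptions for this example (read them with adsutil.vbs on the server).
AUTH_ANONYMOUS = 0x1
AUTH_BASIC = 0x2
AUTH_NTLM = 0x4        # Integrated Windows authentication
ACCESS_SSL = 0x8       # "Require secure channel (SSL)"

BASIC_WITHOUT_SSL = "Basic authentication without requiring SSL: the password crosses the network base64-encoded, not encrypted"


def audit_auth(role, auth_flags, access_ssl_flags):
    """Compare one virtual server's settings with the split the article
    recommends: NTLM on the intranet server, Basic over SSL on the extranet
    server. role is 'intranet' or 'extranet'. Returns a list of findings;
    an empty list means the settings match the recommendation."""
    findings = []
    basic = bool(auth_flags & AUTH_BASIC)
    ntlm = bool(auth_flags & AUTH_NTLM)
    anonymous = bool(auth_flags & AUTH_ANONYMOUS)
    require_ssl = bool(access_ssl_flags & ACCESS_SSL)
    if basic and not require_ssl:
        findings.append(BASIC_WITHOUT_SSL)
    if role == "extranet":
        if anonymous:
            findings.append("anonymous access is enabled on the extranet server")
        if not basic:
            findings.append("no Basic authentication: non-Windows extranet clients cannot log in")
    elif role == "intranet" and not ntlm:
        findings.append("Integrated Windows authentication is off: domain users will be prompted")
    return findings


def basic_credentials(authorization_header):
    """Decode an 'Authorization: Basic ...' header value into (user, password).
    This is all an eavesdropper on a non-SSL connection has to do, which is
    why Basic authentication belongs behind SSL only."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed sample: extranet server with Basic enabled but SSL not required.
    print(audit_auth("extranet", AUTH_BASIC, 0))
    print(audit_auth("extranet", AUTH_BASIC, ACCESS_SSL))     # []
    print(basic_credentials("Basic YWxpY2U6c2VjcmV0"))       # constructed header
```

Run it with the values of each virtual server once both are set up; the extranet server should come back clean only when Basic is on and "Require secure channel" is set.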

Why you cannot use SSL (Secure Sockets Layer) with host headers
When a client requests a Web site over HTTPS (HTTP over SSL or TLS), the HTTP header containing the Host field is inside the encrypted part of the connection. The Web server therefore cannot read the host-header name to determine which Web site the client requested: it has to pick a certificate and complete the SSL handshake before it can decrypt anything. For this reason, when you use SSL connections, you cannot use host headers as the primary means of identifying a Web site.
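The practical consequence is that every SSL site needs its own IP address or port. The added check below (mine, not from the original post) parses IIS 6 metabase binding strings in the `ip:port:hostheader` form used by ServerBindings and SecureBindings, reports SSL sites that share an `ip:port` and so could only be told apart by a host header the server cannot see, and lists SSL bindings that carry a host header at all. The site names and addresses are constructed.

```python
from collections import defaultdict


def parse_binding(binding):
    """Parse an IIS 6 metabase binding string 'ip:port:hostheader'.
    An empty ip means 'all unassigned' (shown as '*'); an empty host header means none."""
    ip, port, host = binding.split(":", 2)
    return (ip or "*", int(port), host.lower())


def ssl_conflicts(secure_bindings):
    """secure_bindings maps a site name to its list of SecureBindings strings.

    Returns [(port, [site, ...])] for every port on which two or more sites
    listen on the same address (or one of them on all addresses). Such sites
    could only be distinguished by host header, which is unreadable until the
    SSL handshake has already committed to one site's certificate.
    """
    by_port = defaultdict(list)          # port -> [(ip, site)]
    for site, bindings in secure_bindings.items():
        for b in bindings:
            ip, port, _host = parse_binding(b)
            by_port[port].append((ip, site))
    conflicts = []
    for port, entries in sorted(by_port.items()):
        clashing = set()
        for i, (ip_a, site_a) in enumerate(entries):
            for ip_b, site_b in entries[i + 1:]:
                if site_a != site_b and (ip_a == ip_b or "*" in (ip_a, ip_b)):
                    clashing.update((site_a, site_b))
        if clashing:
            conflicts.append((port, sorted(clashing)))
    return conflicts


def ssl_bindings_with_host_headers(secure_bindings):
    """List (site, hostheader) for SSL bindings that rely on a host header;
    on an SSL listener the host header never takes part in site selection."""
    found = []
    for site, bindings in secure_bindings.items():
        for b in bindings:
            _ip, _port, host = parse_binding(b)
            if host:
                found.append((site, host))
    return sorted(found)


# Constructed sample: the default site already owns 443 on all addresses and
# the new HTTPS portal site was created with only a host header to set it apart.
BROKEN = {
    "Default Web Site": [":443:"],
    "SPS HTTPS": [":443:portal.example.com"],
}
# What the article's wizard step amounts to: a port that is not already in use.
FIXED = {
    "Default Web Site": [":443:"],
    "SPS HTTPS": [":8443:"],
}
# Equally valid: one dedicated IP address per SSL site on the standard port.
DEDICATED_IPS = {
    "Default Web Site": ["10.0.0.5:443:"],
    "SPS HTTPS": ["10.0.0.6:443:"],
}

if __name__ == "__main__":
    print(ssl_conflicts(BROKEN), ssl_bindings_with_host_headers(BROKEN))
    print(ssl_conflicts(FIXED), ssl_conflicts(DEDICATED_IPS))
```

On a real server the binding strings come from the metabase (for example via adsutil.vbs); the check itself needs nothing but those strings.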

To configure HTTPS access, you must first set up an additional virtual server in IIS Manager.

Open IIS Manager, browse to Web Sites, then right-click and choose New -> Web Site. Follow the wizard, changing the port to one that isn't currently in use, and make sure to pick a path that is not the same as the portal's current path (something like c:\Inetpub\wwwroot\https).
Right-click the newly created Virtual Server and choose Properties.
Go to Directory Security and click Server Certificate. Import or request a certificate for this virtual server. Now test the newly created Virtual Server by opening it in IE. You will probably get an HTTP 403 (Forbidden).

This is OK, because you don't have any content in your site yet, but it does show that HTTPS is working.

For more information about obtaining and installing SSL certificates, see:
Obtaining and Installing Server Certificates in the IIS 6.0

Once you have verified that the Virtual Server works, you need to extend it to connect it to your portal.

Open SharePoint central administration. Click on the “Extend an existing virtual server …” link. Select the newly created HTTPS Virtual Server.

Click the Extend and map to an existing Virtual Server link.

This will tell the new Virtual Server to use the same information and configuration database as the existing virtual server, basically allowing users to access the same portal from two different access points.

Choose the portal you want to map to, choose to use an existing application pool, and select MSSharePointPortalAppPool. Then click OK to finish the extending process.

If you want to (and you should), create your own application pool for this site. Go to IIS Manager, right-click Application Pools, create a new one with a name of your choice and leave the rest at the defaults. Then go to the newly created web site and, on the Home Directory tab, change the application pool to the one you just created. Then run iisreset.

Now we just have to set up the alternate access settings, so go back to Central Administration and click "Configure Alternate Access …". Edit the existing mapping name. If you are using the https site as the extranet URL, then enter it into the extranet section. If you already have an extranet access URL, then use the custom URL field.

Now, open your https site (https://test-server.domain.com in my case) in IE to make sure the portal loads and you see the lock (SSL) icon in IE.

That's it.

Lastly, you can use MS Internet Security and Acceleration (ISA) Server 2004 to publish the portal. This is the recommended approach.

Following is a list of whitepapers and articles available from Microsoft that discuss this issue in great detail.
SharePoint Portal Server 2003 Document: Deploying on an Extranet by Using ISA Server 2000 and ISA Server 2004


Reverse Proxy Configurations for Windows SharePoint Services and Internet Security and Acceleration Server

Enabling Secure Sockets Layer for SharePoint Portal Server 2003

Enabling Client Certificates and Using Client Certificates When Crawling Content with SharePoint Portal Server 2003

There are also webcasts available from Microsoft; you should view them.
SharePoint Portal Server 2003 - Deploying as an Extranet

Enabling Web and SharePoint Applications on the Internet with ISA Server 2004 - Demo 1: Publishing Web Sites with ISA Server 2004

The Microsoft SharePoint Products and Technologies Resource Kit has step-by-step setup instructions. Great resource!

Other Resources
Tips for a Successful SharePoint Portal Server Extranet Deployment

Configuring SharePoint Portal Server for Extranet Access

SharePoint Portal Server and SSL (Bill English)

ENJOY!!

1 Comment:

At 5:12 PM, Blogger Syed said...

First of all, I'd like to thank you for putting out such an excellent resource. I'd like to tell you how we are implementing SPS2003 and need some advice. Currently, I am testing SPS2003 in a VMware environment. I am running a single server with all the applications. I have a separate box running AD. I would like to only allow employees who have accounts in AD to access SPS from the Internet. I'd like to implement it with SSL. I read your article in which you mentioned that in order to implement it, one would need two separate physical servers. But that pertains to giving access to external customers. Do you think I also need 2 different physical servers?
Thanks,
faisal

 
