Isa Server Deploys Guide

Quick Start: Configuring SharePoint Extranet Virtual Web Site and ISA Server Web Publ...
Page 1 of 41
Microsoft Internet Security and

Acceleration Server 2000
SharePoint Portal Server
Deployment Kit
Chapter 3
Quick Start: Configuring SharePoint Extranet
Virtual Web Site and ISA Server Web Publishing
Martin Grasdal
Dr. Thomas W Shinder
December 2003

Table of Contents
Abstract
Overview
Step-by-Step Background Information
Step-by-Step How To: Creating New Virtual Web Site To Host the Extranet SharePoint Site
http://www.isaserver.org/img/upl/spskit/3quickstart/3quickstart.htm 7/26/2009
Quick Start: Configuring SharePoint Extranet Virtual Web Site and ISA Server Web Publ... Page 2 of 41
Step-by-Step How To: Extending SharePoint Portal Site into the Extranet Virtual Web Site
What is an Application Pool?
Creating Application Pool for Use by Extranet Web Site
Extending SharePoint Site to Extranet Virtual Web Site
Configuring Virtual the Web Site To Support Basic Authentication
Testing Extranet SharePoint Site from Internal Client
Step-by-Step How To: Configuring ISA Server 2000 To Protect and To Publish SharePoint Extranet Web Site
Configuring IP Packet Filter Settings
Creating a Destination Set
Creating a Web Publishing Rule
Configuring the Incoming Web Requests Listener
Troubleshooting Tips for Web Publishing Rules
Configuring Outbound Access for Internal ISA Clients
Summary
Abstract
ISA Server 2000 Web Publishing Rules can provide highly secure and available access to a SharePoint Portal
Server 2003 extranet site. The security of Web Publishing Rules can be further enhanced by leveraging the in-
built security features of IIS 6.0 on Windows 2003 and SharePoint Portal Server 2003. This document shows you
how to create a secure solution for a SharePoint extranet Web site by extending the SharePoint Portal Server
2003 site into a new virtual Web site that uses an application pool to isolate worker processes in IIS 6.0,
configuring the Web site to use a different authentication method, and to configure ISA Server to publish the Web
site using a Web Publishing Rule.
This chapter provides an overview of the need for a separate site for extranet access and a summary of the
relevant features of ISA Server 2000 that make the extranet site available to external clients. It then provides an
explanation of how to set up the SharePoint Portal site in a separate virtual Web site and how to configure ISA
Server 2000 firewall to protect and publish the extranet SharePoint site.
Enabling a SharePoint extranet site for access from the Internet requires the following steps:
• Creating a new virtual Web site to host the extranet SharePoint Web site.
o Adding an IP address to Windows 2003 server to assign to new Web site.
o Adding a new Web site using Internet Information Services (IIS) Manager.
• Extending SharePoint Portal Web into the extranet Web site.
o Creating a new application pool in IIS 6.0 for use by the extranet SharePoint Site (optional).
o Creating a new SharePoint portal site in the extranet virtual Web site, or mapping an existing
SharePoint portal site to the extranet virtual Web site.
o Configuring authentication methods on the extranet virtual Web site.
o Testing the extranet site from the internal network.
• Configuring ISA Server 2000 to protect and to publish the extranet SharePoint site.
o Enabling Packet Filtering and IP Routing on ISA Server 2000 firewall.
o Configuring the Incoming Web Requests Listener.
o Adding a Destination Set.
o Testing the Web Publishing rule on ISA Server from external client.
o Creating a Protocol Rule to enable outbound access for internal clients (optional)
Overview
An extranet is a collection of internal resources that is made available to Internet clients. Access to the extranet
usually occurs through a firewall, such as ISA Server 2000, to provide security for extranet resources. A
SharePoint Portal Server 2003 site is a sophisticated Web-based application that provides an intuitive and easy-
to-use Web browser interface that provides complete access to SharePoint’s powerful capabilities. Many
organizations will find it desirable to make some or all of SharePoint’s resources available on an extranet for
external employees, customers, or business partners.
In almost all cases where SharePoint is deployed as an extranet resource, its configuration will differ from the
configuration of SharePoint site(s) located on the intranet. For example, it may be desirable to support
Anonymous or Basic authentication to allow customers and business partners to connect at will. Or, it may be
desirable to implement Secure Sockets Layer (SSL) on the SharePoint site to provide a higher degree of
protection for user credentials and data. Or, it may be desirable for the extranet SharePoint site to connect to
different content databases than the intranet site.
All of these scenarios and others require that the extranet site use a different virtual web site from the intranet
site. For example, if a user authenticates to a SharePoint site using Basic Authentication, and the SharePoint
Web site is configured to use both Basic and Windows Integrated Authentication, the user will not be able to view
search results when he or she invokes a search query on the SharePoint site. However, if the SharePoint Web
site is configured to use Basic Authentication only, the user will be able to view the results of a search. Because it
is undesirable to disable Windows Integrated Authentication on the intranet SharePoint site, it is necessary to
create a new SharePoint web site that supports Basic Authentication only.
Access to the SharePoint extranet must occur through a firewall to assure a high level of protection. Furthermore,
the firewall must be capable of providing a high degree of functionality for external clients who use the extranet
SharePoint site, while at the same time providing a high degree of protection.
ISA Server 2000 is a highly secure and extensible firewall solution that makes it the ideal firewall solution for
controlling access to the extranet. Its advanced features, such as Web publishing and Server publishing rules,
Application Layer filtering, Link Translation, Basic Delegation of Authentication Credentials, SSL bridging, detailed
logging, and others, help to ensure a high degree of both protection and functionality.
In particular, the use of Web publishing rules to make an extranet SharePoint site available to external clients
confers a number of unique advantages over using ISA Server 2000 Server Publishing rules or using other
firewall products to provide access to the extranet. Advantages of using ISA Server 2000 Web Publishing rules
include:
• Use a single external IP address to publish multiple Web sites.

• Use multiple incoming listener configurations with multiple IP addresses to support use of different digital
certificates and authentication methods.
• Authenticate with the ISA Server 2000 firewall using basic, integrated, digest, or certificate authentication.
• Use port redirection to redirect HTTP requests to an alternate port used by the Web server on the internal
network.
• Inspect the URL in the HTTP header and determine destination for request on intranet or perimeter network
(DMZ).
• Extend ISA Server 2000 firewall security by installing URLScan 2.5 to perform deep inspection of HTTP
header information and accept or deny connections based on a configurable set of rules.
• Terminate SSL requests (HTTPS) at the ISA Server 2000 firewall and redirect them as HTTP requests to the
internal Web server. This allows HTTP traffic to be inspected before it is allowed into the internal network and
saves CPU cycles on the Web server because it does not have the overhead of encrypting traffic.
• Terminate SSL requests (HTTPS) at the ISA Server 2000 firewall and redirect them as HTTPS requests to
the internal Web server. This allows HTTPS traffic to be inspected before it is allowed into the internal
network and enhances end-to-end security for data sent between clients and Web server.
Step-by-Step Background Information

The test lab used to demonstrate these step-by-step instructions has the following configuration:
• Internal Network. The internal network uses the 172.16.1.0/24 network ID. The default gateway for the
network is 172.16.1.1, which is the internal IP address of the ISA Server.
• External Network The external network uses a 192.168.100.0/24 network ID.
• Internal DNS and Active Directory Namespace Internal.net is used as the Active Directory and DNS
namespace for the internal network.
• Active Directory. A Windows 2003 Active Directory domain controller named Ad1.internal.net is used to
provide directory and DNS services. DNS is set up with root hints and forwarding to support resolution to the
external network and the Internet. The IP address of the domain controller is 172.16.1.10.
• External DNS Namespace. External.net is used as the DNS namespace for external clients connecting to
resources published through the ISA Server 2000 firewall. The DNS zone files for external.net are located on
the external network. The zone has been pre-configured with a single host record pointing to the external IP
address of the ISA Server 2000 firewall to resolve the Fully Qualified Domain Name (FQDN)
extranet.external.net for access to extranet SPS Web site.
• SharePoint Portal Server 2003 Configuration. SharePoint Portal Server 2003 installed is set up on a
Windows 2003 computer named Sps.internal.net. The SharePoint server uses a co-located SQL Server 2000
Standard Edition for the configuration and content databases. The SPS server has a primary IP static IP
address of 172.16.1.11 that uses 172.16.1.1 as the default gateway.
• SharePoint Server Virtual Web Site Configuration. IIS 6.0 was installed on the Windows 2003 server as
per the SharePoint Portal Server 2003 prerequisites found in the SharePoint Portal Server 2003 help files and
the SharePoint Portal Server 2003 Customer Evaluation Guide. The intranet SPS virtual Web site is located
at 172.16.1.11 and is configured to use Windows Integrated Authentication only. Specifically, IIS 6.0 has
been configured as follows:
o Application Server with the following components:

Microsoft ASP.NET
Enable COM+ Components
Microsoft Internet Information Services with the following components:
• Common Files
• Internet Information Services Manager
• World Wide Web Service with the following components:
o Active Server Pages
o World Wide Web Service
• ISA Server 2000 Configuration. ISA Server 2000 with Service Pack 1 and HotFix isahf255.exe is installed
on a Windows 2003 server. Other than the configuration of the Local Address Table (LAT), ISA Server is
configured using the defaults from the installation setup program. For specific instructions for installing an
ISA Server on Windows 2003, please see Tom Shinder’s article, Installing ISA Server 2000 on Windows
Server 2003 on the ISAServer.org Web site. The ISAServer.org Web site contains much useful information
on installing and configuring ISA Server, such as Will Schmied’s article, Installing ISA Server 2000, and Jim
Harrison’s article, Configuring ISA Server Interface Settings. Another good source of information and
instruction is the Microsoft TechNet ISA Server Web site.
o External NIC configuration:

IP address: 192.168.100.22/24
Default Gateway: 192.168.100.254/24
File and Print Sharing: disabled
Client for Microsoft Networks: disabled
NetBIOS: disabled
Registration of external IP address in Dynamic DNS zone: disabled
DNS server: None
Binding order: lowest
o Internal NIC configuration:

IP address: 172.16.1.1/24
Default Gateway: None

File and Print Sharing: enabled
NetBIOS: enabled
Registration of IP address in Dynamic DNS zone: enabled
DNS server: 172.16.1.10
Binding order: highest
o ISA configuration details:

Installation type: Standalone
Installation mode: Integrated (firewall and proxy services)
Local Address Table (LAT): 172.16.1.0 – 172.16.1.255
Site and Content Rule: Default
Client Configuration: All clients configured as S-NAT clients (no Web proxy client
configuration or Firewall client).
Step-by-Step How To: Creating New Virtual Web Site To Host the
Extranet SharePoint Site
This section provides basic instructions for setting up a new virtual Web site on IIS 6.0. This new Web site will
subsequently be used to demonstrate how to map an existing SharePoint site from the virtual Web site where a
SharePoint portal site resides. Note that the extranet SharePoint site will be hosted on the same server as
intranet SharePoint site.
This may not be a desirable configuration in a production environment, and you may wish to host the extranet site
on a different server. Also, this step-by-step walkthrough assumes that a pre-existing SharePoint site exists that
can be used for the extranet. For specific instructions on setting up SharePoint Portal server, please see the
SharePoint Portal Server 2003 help files and the SharePoint Portal Server 2003 Customer Evaluation Guide.
Creating New Virtual Web Site
An IIS server can host multiple virtual Web sites that use a single, shared IP address or that use individual IP
addresses that are not shared with other Web sites. To use a single, shared IP address for multiple Web sites
requires that the Web sites are configured with host header names that uniquely identify the Web sites. Using
non-shared IP addresses for virtual Web sites does not require host header names, but it does require that
multiple IP addresses (one for each virtual Web site) are bound to the network adapter.
These step-by-step instructions demonstrate how to create a virtual Web site and assign it to an IP address not
currently in use by a Web site.
To add a new IP address to the Windows 2003 server,
1. Click Start | Settings | Control Panel.

2. Double click on the Network Connections folder in Control Panel.
3. Right click on the appropriate network adapter, and click on Properties from the context menu. The
network adapter’s Properties dialog box appears.
4. In the Properties dialog box, highlight Internet Protocol (TCP/IP), and click the Properties button. The
Internet Protocol (TCP/IP) Properties dialog box appears.
5. Click the Advanced button. The Advanced TCP/IP Properties dialog box appears.
6. In the IP Addresses frame, click the Add button.
7. In the TCP/IP Address dialog box, enter an IP address and subnet mask in the appropriate fields, and
click Add.
8. Click OK twice, and then click Close to finish adding the IP address.
Once you have added a new IP address to the Windows 2003 server, you can create a new virtual Web site and
assign it to the newly added address. To create the new Virtual Web site,
1. Click Start | Administrative Tools, and double click on the Internet Information Services (IIS)
Manager. The IIS MMC console opens.
2. In the Internet Information Services (IIS) Manager console, right click on the Web Sites node in the left-
hand pane, and select New | Web Site from the context menu, as in Figure 1 below.
Figure 1 IIS Manager Console
3. On the Welcome to the Web Site Wizard page, click Next. The IP Address and Port Settings page
appears.
Quick Start: Configuring SharePoint Extranet Virtual Web Site and ISA Server Web P... Page 10 of 41
4. In the IP Address and Port Settings page, enter an unassigned IP address for the new web site, as in
Figure 2 below, and press Next.
To use a shared IP address for the new Web site, you could either enter a host header name, which is the
FQDN that external clients would use to connect to the site, or assign the Web site an unused TCP port.
Web publishing rules in ISA Server 2000 allow you to redirect an HTTP request to a TCP port other than
port 80 on an internal Web server, so it is possible to use a different TCP port for the internal Web site
without inconveniencing external clients.
Figure 2 IP Address and Port Settings of New Web Site
5. In the Web Site Home Directory page, enter the path to a folder in the file system that will contain the files
for the home directory.
If you have not previously created the folder, you can create it at this time by pressing the Browse button,
which will present you with an interface to browse to folders in the file system and create a new folder.
Create a folder for the extranet Web site here.
You do not wish to allow anonymous access to the Web site. Clear the check box for Allow anonymous
access to this Web site, as in Figure 3 below, and click Next.
Figure 3 Web Site Home Directory Path
6. In the Web Site Access Permissions page, leave the default permissions as is, and click Next to finish
the creation of the new virtual directory. When you extend the SharePoint Web site into the new virtual
directory, it will modify permissions on the virtual directory appropriately.
Figure 4 Web Site Access Permissions Page
This completes the creation of the virtual Web site that we will use to extend the SharePoint portal site. After we
have extended the SharePoint portal site into this virtual Web site, we will revisit the Web site property pages to
configure Basic Authentication and verify Web site permissions.
Step-by-Step How To: Extending SharePoint Portal Site into the

Extranet Virtual Web Site
This section describes how to extend a pre-existing SharePoint site into the new virtual Web site created in the
steps above. One of the decisions you must make before extending the SharePoint site into the new virtual server
is whether the SharePoint site will use the same application pool as the intranet site, or whether it will use a
different application pool. The application pool can be created prior to extending the SharePoint site, or it can be
created during the process of creating the SharePoint site.
What is an Application Pool?

An application pool is a feature of IIS 6.0 that allows one or more Web applications to be isolated from others
running in different application pools. Because these applications have their own worker process, failure of an
application in one application pool will not affect other applications running in another pool. Furthermore, each
application pool can use a different identity setting to enhance security.
An application pool identity is the security context used by the worker process. Previous to IIS 6.0, worker
processes ran in the security context of the LocalSystem account, which has almost unrestricted access to the
operating system. This creates a number of security implications. With application pool identity settings, it is
possible to use accounts for the security context of the worker process that have relatively low levels of access to
the operating system.
For example, one account that can be used for an application pool is the NT Authority\NetworkService
account. This account has a limited access to the local computer and network resources. Some of the rights this
account has include Logon as a service, Replace a process-level token, Access this computer from the network,
Allow log on locally, and Impersonate a user account after authentication.
You can also create a user account to use for the application pool identity. However, whatever account you use
for the SharePoint application pool identity, this account must have a SQL Login, and it must have the db_owner
role in the SharePoint databases used by the site. These databases are <portal site> _SITE database, <portal
site>_SERV database, <portal site>_PROF, and the SharePoint configuration database (by default
SPS01_Config_db).
Note:
If you have installed SharePoint Portal Server with the WMSDE version of SQL server, you will need to install
the SQL Server tools to add logins and make changes to the database roles. This requires that you purchase
a license for SQL Server 2000 Standard or Enterprise edition.
Although using different application pools and identities for SharePoint sites complicates administration, their use
enhances security and reliability. For example, if the application pool identity is compromised, only the
SharePoint site using the application pool is affected, not all of them. Furthermore, the failure of an application in
a dedicated application pool affects only the SharePoint site(s) that use the application pool, not all of them.
For more information on the topic of application pools, identities, and SharePoint sites, please see the Microsoft
whitepaper, Creating Additional Portal Site Application Pools for SharePoint Portal Server 2003.
Creating Application Pool for Use by Extranet Web Site

Although it is possible to create a dedicated application pool during the process to extend the portal site, you can
create the application pool beforehand using the Internet Information Services (IIS) Manager. The NT
Authority\NetworkServices account has very limited rights and consequently makes a good candidate for use of
as the application pool identity. To create an application pool,
1. Open the Internet Information Services (IIS) Manager MMC console, right click on the Application
Pools node, point to New in the context menu, can click on Application Pool, as in Figure 5 below.
Figure 5 Creating New Application Pool
2. In the Add New Application Pool dialog box, type in a descriptive name for the new pool in the
Application pool ID.
3. In the Application pool settings frame, select the Use existing pool as template radio button; select the
application used by the SharePoint intranet site from the Application pool name drop down box, and click
OK. The properties page for the application pool will appear.
Figure 6 Selecting SharePoint Application Pool as Template
4. In the <Name-of-application-pool> Properties dialog box, click the Identity tab to verify that the
appropriate account is being used. You can use the account used by default SharePoint application pool,
or you enter another account in this page for use by the application pool. If you want to use the NT
Authority\NetworkSevice account, select the Predefined radio button, and then select Network Service
from the drop-down list. Click OK to finish the creation and configuration of the application pool.
Note[twsmd1] :
Make sure the account you use for the application pool has sufficient rights and privileges. For example, the
account must have the db_owner role for the SharePoint configuration and content databases.
Figure 7 Configuring Identity for Application Pool
Extending SharePoint Site to Extranet Virtual Web Site

In this demonstration, we will extend the SharePoint site into a new Virtual Web site. The extranet SharePoint site
will use the application pool we created in the above steps.
The process for extending the SharePoint site is as follows:
1. On the task bar, click Start, point to Programs | SharePoint Portal Server, and then click on SharePoint
Central Administration. (As an alternative, you can access the administrative pages from the SharePoint
site by clicking on Go to SharePoint Portal Server central administration site from the General
Settings section.) The administration site appears, as in Figure 8 below.
Figure 8 SharePoint Central Administration Site
2. Click on Extend an existing virtual server from the Virtual Server List page. The Virtual Server List
appears showing the name of the virtual server created in the steps above, as in Figure 9 below.
Figure 9 Virtual Server List
3. Click on the <name of virtual server> in the Virtual Server List. The Extend Virtual Server page
appears, as in Figure 10 below.
Figure 10 Choosing a Provisioning Option
On the Extend Virtual Server page, you are presented with the option either to Extend and create a content
database or to Extend and map to another virtual server. Because we are going to make the intranet
SharePoint site available to Internet users, we are going to choose the option to Extend and map to another
virtual server.
4. Click Extend and map to another virtual server. The Extend and Map to Another Virtual Server
configuration page appears, as in Figure 11 below.
Figure 11 Extending and Mapping to Another Virtual Server
5. In the Extend and Map to Another Virtual Server page, verify the Server Mapping setting. This should
be the virtual server hosting the intranet SharePoint site. Then configure the Application Pool settings as
appropriate.
a. If you wish to use an existing application pool, click the radio button for Use an existing application
pool, and select the application pool from the drop-down list.
b. If you wish to create a new application pool for the SharePoint site, select the radio button Create a
new application pool, and enter a name for the pool.
c. In the Select a security account for this application pool section, you can choose to use one of
the 3 pre-defined application pool accounts (NT Authority\NetworkService, NT
Authority\LocalSystem, or NT Authority\LocalService) or a configurable account.
6. Click OK at the bottom of the Extend and Map to Another Virtual Server page to complete the
configuration.
Configuring Virtual the Web Site To Support Basic Authentication

Once these steps have been completed, it is necessary to configure the authentication method for the virtual Web
site to support basic authentication only and to test the Web site from an internal client.
To configure the Web site to support basic authentication only,
1. Open the Internet Information Services (IIS) Manager MMC console, expand the Web Sites node, right
click on the newly created Web site node, and click Properties from the context menu. The <Name-of-
virtual-Web-site> Properties page appears.
2. In the Properties page of the virtual Web site, click on the Directory Security tab, and then click on the
Edit button in the Authentication and access control frame, as in the figure below.
Figure 12 Directory Security Tab of Web Site Properties Page
3. In the Authentication Methods dialog box that subsequently appears, you should see that Integrated
Windows Authentication is selected. Clear the box beside Integrated Windows Authentication, and
click the box beside Basic authentication (password is sent in clear text) to enable basic
authentication. A warning will appear informing you of the consequences of basic authentication, as in the
figure below.
Note:
Make sure that you select only one authentication method. Otherwise, you may see some peculiar behavior
of the Web site. For example, the search function may not work properly for external clients who connect
using basic authentication through the ISA Server 2000 firewall, if both integrated and basic authentication
methods are selected for the Web site.
Figure 13 Basic Authentication Warning Message
4. In the IIS Manager warning message, click Yes.

5. In the Default domain text box, enter the name of the Windows domain, or click the Select button and
select the domain name. Configuring a domain name here will make it unnecessary for external clients to
enter the domain name along with their account name (eg. Internal\UserName).
6. Click OK twice to commit changes to authentication method.
Testing Extranet SharePoint Site from Internal Client

Once you have finished configuring the authentication method for the extranet SharePoint site, you should test
the Web from an internal client. To do this,
1. Open Internet Explorer, enter http://<internal-IP-address-of-extranet-site> in the address box, and

press Enter. You should be prompted for your account credentials. (If you are not prompted for
credentials, this means the web site is still using integrated authentication.) Enter a user name (without the
domain prefix to test the default domain setting in IIS) and password, as in the figure 14, and press OK.
Figure 14 Testing Extranet Web Site
Step-by-Step How To: Configuring ISA Server 2000 To Protect

and To Publish SharePoint Extranet Web Site
A default installation of ISA Server 2000 prevents both inbound and outbound access. To make internal
resources available to external clients, it is necessary to configure either Web or Server Publishing rules on the
ISA Server 2000 firewall. Web Publishing Rules can be used to publish internal Web sites. Web publishing rules
can also be used to publish internal FTP sites by redirecting HTTP requests as FTP to an internal FTP server.
Server Publishing Rules can be used to publish all other services, including Web and FTP services, provided a
protocol definition is configured on the ISA server. (Some protocols, such as FTP or H.323, also require an
application filter in addition to a protocol definition to handle the opening of secondary ports to enable
communication across the ISA Server 2000 firewall.)
This section explains how to publish a SharePoint site using a Web publishing rule on ISA Server 2000. These
instructions assume a default installation setup of ISA Server 2000 in integrated mode (Firewall and Web proxy
services). For information on the configuration of the ISA Server used in this demonstration, please go to the
beginning of this document.
There are 3 ISA Server elements that have to be configured to publish a Web site using a Web publishing rule:
1. Destination Set. Destination sets are used to control both inbound and outbound access. They are used
by a number of ISA Server 2000 Policies, such as Site and Content Rules and Bandwidth Rules. A
Destination Set is a collection of one or more Fully Qualified Domain Names (FQDNs) or IP addresses. A
Destination Set can also comprise a set of one or more path statements that can be used to direct requests
to specific subdirectories under the root directory of the Web server.
2. Web Publishing Rule. A Web Publishing Rule is an ISA Server 2000 Policy Element that uses a
Destination Set to determine where on the internal network to send HTTP or HTTPS requests from
external clients. Web Publishing Rules are flexible and can be used to redirect HTTP requests to other
ports and to FTP servers. Furthermore, they can be configured to redirect HTTPS requests as HTTP
requests to internal Web servers.
3. Incoming Web Requests Listener. Web Publishing Rules depend upon the Incoming Web Requests
Listener. The listener redirects requests through the ISA Server 2000 firewall’s Web Proxy Service for
processing before it is sent to the internal network. This means the request can be cached and the content
of the HTTP request can be inspected by a Web application filter.
The Incoming Web Request Listener listens on the default ports for HTTP (80) and HTTPS (443)
connections, but it can also be configured to listen on other ports. Furthermore, the listener can be
configured to use a digital certificate for HTTPS connections and can be configured to support a variety of
authentication methods, such as integrated, basic, digest, and client digital certificate authentication.
The Incoming Web Requests Listener can be configured to use the same listener configuration for all IP
address bound to the external interface of the ISA Server 2000 firewall, or different listener configurations
can be applied to individual IP address. This is useful if, for example, it is necessary to use two or more
different digital certificates for HTTPS requests.
Assuming a default configuration of ISA Server 2000, it is also necessary to verify and configure appropriate IP
Packet Filter settings, in addition to configuring these 3 elements. Primarily, these settings are used to control
what packets are accepted on the external interface (for both inbound and outbound access). However, the IP
Packet filter settings are also used to enable PPTP access, logging levels, and intrusion detection settings.
The steps for publishing a SharePoint and other Web site using Web Publishing Rules on an ISA Server are as
follows:
• Configuring IP Packet Filter Settings

• Creating a Destination Set
• Creating a Web Publishing Rule
• Configuring the Incoming Web Requests Listener
The following instructions are based on the Advanced View, rather than the Taskpad View of the ISA
Management MMC console. The Advanced View is enabled through the View drop-down menu of the ISA
Management MMC console.
Configuring IP Packet Filter Settings

The following steps show you how to configure appropriate settings for IP Packet Filtering:
1. Open the ISA Management MMC console, expand the Access Policy node in the left-hand pane, and
right click on IP Packet Filters to display the context menu as in the figure below.
Figure 15 IP Packet Filters Access Policy
2. Click Properties in the IP Packet Filters context menu. The IP Packet Filters Properties page appears,
as in the figure below.
Figure 16 IP Packet Filters Properties Pages
On the General tab, you want to ensure that packet filtering is enabled. For greater security, you can
also enable intrusion detection here and then subsequently configure settings for specific kinds of attacks,
such as LAND and Ping of Death, on the Intrusion Detection tab. If you want to allow PPTP access
through the ISA Server 2000 firewall, you need to enable IP routing in addition to enabling PPTP through
the PPTP tab.
IP routing is required in two situations:
It is necessary to enable IP routing when protocols other than TCP or UDP are involved, for
example, ICMP (used for ping, etc.) and GRE (used for PPTP). So, if you want to be able to ping an
external host from behind the ISA Server 2000 firewall, you need to enable IP routing.
It is also necessary to enable IP routing when ISA Server 2000 is configured as a tri-homed
perimeter network (that is the ISA Server has three network adapters, one of which is connected to
a perimeter network using a pubic IP address).
However, enabling IP routing can result in performance improvements for SecureNAT clients on the
internal network.
3. Verify that, at a minimum, packet filtering is enabled on General tab, and enable Intrusion detection and
IP routing as appropriate.
4. Select the Packet Filters tab, as in the figure below.
Figure 17 Packet Filters Tab
On the Packet Filters tab, you are presented with the options to enable filtering of IP fragments, to
enable filtering of IP options, and to log packets from “Allow” filters. The options to enable filtering of IP
fragments and IP options provide greater security against certain attacks that exploit the mechanisms of
fragmented IP datagrams and the options field of an IP datagram. Be aware that if you enable filter of IP
fragments, some multimedia applications and applications that require certificate exchange (such as
L2TP/IPSec) that rely on fragmented IP datagrams may not work properly or at all.
5. On the Packet Filters tab enable the filtering and logging options as appropriate.
6. If you have enabled intrusion detection, click on the Intrusion Detection tab and enable the intrusion
detection settings as appropriate.
Figure 18 Intrusion Detection Tab
7. Click OK when you have finished configuring the IP Packet Filter settings.
Creating a Destination Set

After configuring appropriate Packet Filter settings, the next step for configuring Web publishing is to create a
Destination Set that will be used by the Web Publishing Rule. To create a Destination Set,
1. Open the ISA Management MMC console, expand the Policy Elements node, right click on Destination
Sets, and point to New | Set in the context menu, as in figure 19.
Figure 19 Creating a New Destination Set
2. In the New Destination Set dialog box, enter a descriptive name for the destination set in the Name text
box, as in the figure 20.
Figure 20 New Destination Set
3. After entering a name and a description (optional), click on the Add button. The Add/Edit Destination
dialog box appears, as seen in figure 21.
Figure 21 Add/Edit Destination
4. Ensure that the Destination radio button is selected and enter the Fully Qualified Domain Name (FQDN)
that external clients use to connect to the SharePoint site in the Name text box.
Note:
It is extremely important that you use the external FQDN of the SharePoint site here. Destination Sets and
Web Publishing Rules are sometimes a little confusing. It may help to keep in mind that the Web
Publishing Rule will match a request for a particular FQDN in the HTTP header with an entry in a
Destination Set to determine where to redirect the traffic on the internal network.
5. Click OK to finish the creation of the Destination Set.
Creating a Web Publishing Rule

After creating the Destination Set, the next step is to create a Web Publish rule to redirect the request from an
external client to the extranet SharePoint Site on the internal network.
1. In the ISA Management MMC console, expand the Publishing node, right click on the Web Publishing
Rules object, and select New | Rule from the context menu as in the figure below.
Figure 222
2. In the Welcome to the New Web Publishing Rule Wizard page that subsequently appears, enter a
descriptive name for the Web Publishing Rule, and click Next.
3. In the Destination Sets page, select Specified destination set from the Apply this rule to drop-down
list. Then, in the Name drop-down list, select Destination Set that we created in the previous steps. The
figure 23 shows the appropriate settings.
Figure 233 Selecting a Destination Set
4. Click Next to proceed to the Client Type page of the wizard.

5. On the Client Type page, select the Any request radio button, and click Next to proceed to the Rule
Action page of the wizard.
Figure 24 Rule Action Page
6. In the Rule Action page, select the radio button to Redirect the request to this internal Web server
(name or IP address), and enter the IP address of the SharePoint extranet Web site. Then, click the
check box to Send the original host header to the publishing server instead of the actual one
(specified above). This setting preserves the FQDN specified in the HTTP header of the request from the
external client.
It is possible to use an unqualified or fully qualified domain name for SharePoint site, instead of the IP
address. However, this name must be resolvable to an internal IP address by the ISA Server 2000 firewall
either through a Hosts file entry on the ISA Server or a DNS server.
7. Click Next, and then click Finish on the Completing the New Web Publishing Rule Wizard page that
subsequently appears.
Configuring the Incoming Web Requests Listener

By default, the ISA Server 2000 firewall will not allow external clients to connect to the published Web site unless
the Incoming Web Requests Listener is configured to listen for requests on its external interface(s). To
configure a listener for the published SharePoint extranet Web site,
1. Open the ISA Management MMC Console, right click on the server node object (it will be labeled with
name of your ISA Server), and select Properties from the context menu. The <Name-of-ISA-Server>
Properties dialog box appears.
2. In the Properties dialog box, select the Incoming Web Requests tab, as shown in figure 24.
Figure 25 Incoming Web Listener Property Page
It is possible to use the same listener configuration for all IP addresses bound to the external interface or to use
different listener configurations for each of the bound IP addresses. In this demonstration, we are going to
configure the listener settings for a specific IP address.
3. In the Identification frame of the Incoming Web Requests page, select the radio button to Configure
listeners individually per IP address, and then click the Add button. The Add/Edit Listeners page
appears, as in the figure below.
On this page, it is also possible to configure the listener to force external clients to authenticate with the
ISA Server 2000 firewall before it will forward requests to the internal network. This is accomplished by
selecting the box to Ask unauthenticated users for identification in the Connections frame. When this
check box is unselected, the ISA Server 2000 firewall will forward anonymous connections to the Web
server, which can then subsequently authenticate external connections according to its own settings. In
this example, we will let the SharePoint extranet site be solely responsible for authenticating users and will
leave this check box cleared.
Figure 26 Add/Edit Listeners Page
4. On the Add/Edit Listeners page, select the ISA Server from the Server drop-down list, and then select
the desired external IP address from the IP Address drop-down list. The IP address you select here must
be the IP address that resolves to the Internet FQDN of the published SharePoint site.
Because the listener is not configured to force authentication for external connections, the settings in the
Authentication frame have no effect. You can, for the time being, safely leave these alone.
5. Click OK when finished configuring the listener settings. You will be asked whether or not you wish the
ISA Web proxy service to be restarted, as in figure 26.
Figure 27 Web Proxy Service Restart Prompt
To facilitate immediate testing of the Web Publishing Rule, you should select the option to Save the
changes, but don’t restart the service(s), and then manually restart the Web proxy service. The
reason for this is that it will take a few minutes for the ISA Server 2000 firewall to restart the service. If
you attempt to test the Web publishing rule too soon, you will receive an HTTP error response, which may
subsequently be cached, further complicating your testing of the Web publishing rule.
6. Choose the appropriate restart option and click OK.
If you choose the option to manually restart the Web proxy service, expand the Monitoring node in the ISA
MMC console, open the Servers folder, right click on the Web proxy service in the contents pane, and
click on Stop in the context menu. After the service has stopped, click on Start in the context menu.
7. The final step is to test the Web publishing rule from an external client. Before doing so, make sure that
the Web proxy service has restarted. Then from an external client, open Internet Explorer, type in the
external FQDN that you used in the destination set (make sure that this name resolves to the IP address
used by the Incoming Web Requests listener), and press Enter. If you have configured the SharePoint
extranet site to support basic authentication, you will be prompted to enter authentication credentials.
Troubleshooting Tips for Web Publishing Rules

If you receive an error when you try to access the SharePoint site using the Web publishing rule, double check
the destination set to make sure that it uses the FQDN that external clients will use. Make sure that this name is
resolvable to the external IP address of the ISA Server 2000 firewall. Make sure that the action of the Web
publishing rule, forwards the request to the appropriate IP address of the internal Web site (if using a name for
this setting, make sure the ISA Server 2000 firewall can resolve the name to the internal IP address).
You should double check the incoming listener settings. For example, if you have configured the listener to Ask
unauthenticated users for identification, and the Web site is also configured to require authentication, the
connection attempt will fail. Unless you install Feature Pack 1 for ISA Server 2000 and enable delegation of basic
authentication credentials, you cannot authenticate users at both the ISA Server 2000 firewall and the Web
server. (Integrated authentication will not work at all, since you cannot delegate authentication credentials with
this method). Make sure the Web site supports only one authentication method (either basic or integrated).
If you are still are receiving an error message, stop and restart the Web proxy service. Then, attempt to connect
using a different client to mitigate the possibility you are receiving a cached error response.
Configuring Outbound Access for Internal ISA Clients

The steps provided in the above demonstration do not enable outbound access for internal clients through the
ISA Server. In order to enable outbound access for internal clients, you must, at a minimum, create a Protocol
Rule policy and possibly create client address sets and configure other ISA Server policy elements, depending on
your security requirements.
The following steps show you how to create a simple Protocol Rule to enable outbound access for internal clients
that are initiating connections with Internet hosts through the ISA Server firewall.
Please note that this is a simple configuration used for demonstration purposes and is not recommended for
production environments. Just as it is important to limit inbound access, it is also important to limit outbound
access.
For example, the Slammer Worm would not have had as significant an impact had more administrators blocked
outbound access for UDP Port 1433. Generally, you should allow outbound access for only necessary protocols,
such as HTTP, HTTPS, DNS, and so on. Furthermore, you should limit the hosts and the users that can use
these protocols through the firewall. ISA Server 2000 is capable of providing a very fine level of access control for
both inbound and outbound access.
To configure a simple Protocol Rule to enable outbound access,
1. Open the ISA Management MMC console, expand the Access Policy node, right click on the Protocol
Rules object, and select New | Rule from the context menu.
Figure 28 Creating a Protocol Rule
2. In the Welcome to the New Protocol Wizard page that subsequently appears, enter a descriptive name,
such as “All Outbound Access”, in the Protocol rule name text box, and click Next.
3. In the subsequent Rule Action page, select the Allow radio button for the Response to client requests
to use protocol setting, and click Next.
4. In the Protocols page, select All IP traffic in the Apply this rule to drop down list, and click Next.
5. On the Schedule page, select Always from the Use this schedule drop down list, and click Next.
6. In the Client Type page, select the radio button for Any request for the Apply the rule for requests from
setting, and click Next.
7. On the Completing the New Protocol Rule Wizard page, click Finish.
Figure 29 Completing the New Protocol Rule Wizard
Summary
Web Publishing Rules in ISA Server 2000 can provide highly secure and available access to a SharePoint
extranet site. The security of Web Publishing Rules can be further enhanced by leveraging the in-built security
features of IIS 6.0 on Windows 2003 and SharePoint Portal Server 2003. This document showed you how to
create a secure solution for a SharePoint extranet Web site by extending the SharePoint site into a new virtual
Web site that uses an application pool to isolate the worker processes in IIS 6.0, configuring the Web site to use a
different authentication method, and to configure ISA Server to publish the Web site using a Web Publishing Rule.

Isa Server Deploys Guide

Transféré par

Informations du document

Description originale:

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Isa Server Deploys Guide

Transféré par

Droits d'auteur :

Formats disponibles

Quick Start: Configuring SharePoint Extranet Virtual Web Site and ISA Server Web Publ...

Microsoft Internet Security and

• Use a single external IP address to publish multiple Web sites.

Step-by-Step Background Information

o Application Server with the following components:

o External NIC configuration:

o Internal NIC configuration:

Default Gateway: None

o ISA configuration details:

Creating New Virtual Web Site

To add a new IP address to the Windows 2003 server,

1. Click Start | Settings | Control Panel.

Figure 1 IIS Manager Console

Figure 2 IP Address and Port Settings of New Web Site

Figure 3 Web Site Home Directory Path

Figure 4 Web Site Access Permissions Page

Step-by-Step How To: Extending SharePoint Portal Site into the

What is an Application Pool?

Creating Application Pool for Use by Extranet Web Site

Figure 5 Creating New Application Pool

Figure 6 Selecting SharePoint Application Pool as Template

Figure 7 Configuring Identity for Application Pool

Extending SharePoint Site to Extranet Virtual Web Site

The process for extending the SharePoint site is as follows:

Figure 8 SharePoint Central Administration Site

Figure 9 Virtual Server List

Figure 10 Choosing a Provisioning Option

Figure 11 Extending and Mapping to Another Virtual Server

Configuring Virtual the Web Site To Support Basic Authentication

To configure the Web site to support basic authentication only,

Figure 12 Directory Security Tab of Web Site Properties Page

Figure 13 Basic Authentication Warning Message

4. In the IIS Manager warning message, click Yes.

Testing Extranet SharePoint Site from Internal Client

1. Open Internet Explorer, enter http://<internal-IP-address-of-extranet-site> in the address box, and

Figure 14 Testing Extranet Web Site

Step-by-Step How To: Configuring ISA Server 2000 To Protect

• Configuring IP Packet Filter Settings

Configuring IP Packet Filter Settings

Figure 15 IP Packet Filters Access Policy

Figure 16 IP Packet Filters Properties Pages

IP routing is required in two situations:

Figure 17 Packet Filters Tab

Figure 18 Intrusion Detection Tab

Creating a Destination Set

Figure 19 Creating a New Destination Set

Figure 20 New Destination Set

Figure 21 Add/Edit Destination

5. Click OK to finish the creation of the Destination Set.

Creating a Web Publishing Rule

Figure 233 Selecting a Destination Set

4. Click Next to proceed to the Client Type page of the wizard.

Figure 24 Rule Action Page

Configuring the Incoming Web Requests Listener

Figure 25 Incoming Web Listener Property Page

Figure 26 Add/Edit Listeners Page

Figure 27 Web Proxy Service Restart Prompt

6. Choose the appropriate restart option and click OK.

Troubleshooting Tips for Web Publishing Rules

Configuring Outbound Access for Internal ISA Clients

To configure a simple Protocol Rule to enable outbound access,

Figure 28 Creating a Protocol Rule

Figure 29 Completing the New Protocol Rule Wizard