Exercise 10-1: Establishing Secure Access



The work we have completed so far in this book has all been accomplished as if SPS was only accessible from an internal server. Typically, we have used the machine name of the server directly in the browser. If you want to include external access to SPS as part of your solution, however, you will have to make some changes.

The first thing you'll have to do is give your portal a name that is resolvable from outside the firewall. Typically, you use portal or sharepoint as a prefix in the domain name (e.g., portal.datalan.com) and make a new entry in the Domain Name System (DNS) for the enterprise. You'll also have to ensure that the server running the portal has an Internet Protocol (IP) address that can be reached from the Internet, whether directly or through a firewall or reverse-proxy rule, unlike the default setup this book uses.

Although these steps are enough to expose the portal externally, they are not enough to make it secure: without encryption, every document, and with Basic authentication the user's password, crosses the Internet in clear text. At a minimum, you should enable Secure Sockets Layer (SSL) for the portal. You may also choose to implement a stronger authentication scheme, such as the use of tokens. In this exercise, you will give your portal an alias name and enable SSL.

Creating an Alias

Creating an alias for your web site is a simple matter of making a new record entry in the DNS for the network. Creating an alias will allow you to use a name like sharepoint.sps.local when accessing SPS instead of SPSPortal . Although you will create your alias solely for internal use, you can create an alias for external use and map it to an IP address that will expose the portal on the Internet.

Here is what you should do to create an alias for SPSPortal :

  1. Log in to SPSController as the domain administrator.

  2. Select Start ➤ Administrative Tools ➤ DNS.

  3. In the dnsmgmt dialog, expand the Forward Lookup Zones folder.

  4. Right-click the sps.local folder and select New Alias (CNAME) from the pop-up menu.

  5. In the New Resource Record dialog, type sharepoint .

  6. Click Browse.

  7. Double-click the SPSController node.

  8. Double-click the Forward Lookup folder.

  9. Double-click the sps.local folder.

  10. Select the spsportal entry from the list and click OK.

  11. In the New Resource Record dialog, click OK. Figure 10-4 shows the new entry in the DNS system.

    click to expand
    Figure 10-4: Creating an alias

One problem with using alias names to access the portal is that users are presented with a log-in box regardless of whether they are inside or outside the firewall. This happens because Internet Explorer places a host name that contains periods, such as sharepoint.sps.local, in the Internet zone, where it does not send the user's Windows credentials automatically. Adding the alias to the browser's Local intranet zone (through Internet Options or Group Policy) restores silent logon for internal users; external users will always be prompted. Users can also expect to be prompted occasionally when documents are opened. You should be careful about how you configure and access SPS to minimize unnecessary logon prompts.

To test the alias name, follow this procedure:

  1. Log in to SPSClient as an end user of the portal.

  2. Open Internet Explorer and navigate to http://sharepoint.sps.local.

  3. When prompted, log in and verify the portal home page is visible.
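The alias creation and the logon-prompt problem described above, done from the command line instead of the DNS console and Internet Options. This is an added example and not part of the book's text; it assumes the lab names used in this exercise (SPSController as DNS server, zone sps.local, host spsportal, alias sharepoint) and that dnscmd.exe (from the Windows Server 2003 Support Tools; built into later versions) is available on the server.

```powershell
# Added example, not from the book: the alias and logon-prompt steps above done
# from the command line. Assumes the lab names used in this exercise (SPSController
# as DNS server, zone sps.local, host spsportal, alias sharepoint) and that
# dnscmd.exe (Windows Server 2003 Support Tools; built into later versions) is present.

# --- Part 1: run on SPSController as the domain administrator ---
$dnsServer = "SPSController"
$zone      = "sps.local"
$alias     = "sharepoint"
$target    = "spsportal.sps.local."   # trailing dot: fully qualified, no suffix appended

# Same record the New Alias (CNAME) dialog creates (Figure 10-4).
dnscmd $dnsServer /RecordAdd $zone $alias CNAME $target
if ($LASTEXITCODE -ne 0) { throw "dnscmd /RecordAdd failed with exit code $LASTEXITCODE" }
dnscmd $dnsServer /EnumRecords $zone $alias   # show the CNAME as stored

# --- Part 2: run on SPSClient as the portal end user ---
# Resolve the alias the way the browser will; it should answer with spsportal's address.
nslookup "$alias.$zone" $dnsServer

# Internet Explorer puts a dotted host name in the Internet zone and therefore prompts
# for credentials instead of sending the Windows logon. Mapping the alias to the
# Local intranet zone (zone id 1) for this user restores silent logon; the same keys
# can be pushed by Group Policy. The value names are the URL schemes.
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$zone\$alias"
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name "http"  -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name "https" -Value 1 -PropertyType DWord -Force | Out-Null
Get-ItemProperty -Path $zoneKey   # confirm: http = 1, https = 1
```

Run the two parts on the machines named in the comments. The zone mapping only removes the prompt for users whose Windows logon the portal already accepts; it does not weaken authentication, because IIS still validates the credentials it receives.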

Another problem with using alias names lies in the proper resolution of addresses. Links that embed the server's internal name (for example, http://spsportal/...) become unreachable when the portal is accessed through the alias from outside. SPS helps somewhat in this regard by providing a place for you to list the alias names in use. When you register an alias with SharePoint, it rewrites the addresses in search results and other generated links to use that alias, so the links remain valid for users who arrived through it.

Here is what to do to register the alias name with SharePoint Portal Server:

  1. Log in to SPSPortal as a portal administrator.

  2. Select Start ➤ All Programs ➤ SharePoint Portal Server ➤ SharePoint Central Administration.

  3. On the SharePoint Portal Server Central Administration page, select Portal Site and Virtual Server Configuration ➤ Configure Alternate Portal Site URLs for Intranet, Extranet, and Custom Access.

  4. On the "Configure alternate portal access settings" page, select Edit from the drop-down menu associated with the Default Web Site entry.

  5. In the Intranet URL field, type http://sharepoint.sps.local .

  6. Click OK.

Enabling Secure Sockets Layer (SSL)

Enabling SSL for your portal encrypts the traffic between the browser and the server and lets the browser verify the server's identity against a certificate issued by a certification authority (CA). In order to enable SSL for your portal, you must have a certificate for the server whose name matches the name users type into the browser. Once the certificate is available, you can install it on the server and enable SSL.

Installing Certificate Services

Server certificates can be purchased commercially from a trusted source such as VeriSign, or you can create your own using Microsoft Certificate Services. In this exercise, you will install and use Microsoft Certificate Services. Making your own certificates is fine for testing and limited production use, but if you are going to allow access to the portal to a wide audience, you should consider getting a certificate from a trusted provider.

To install Certificate Services, follow these steps:

  1. Log in to SPSController as a domain administrator.

  2. Select Start ➤ Control Panel ➤ Add or Remove Programs.

  3. In the Add or Remove Programs dialog, click Add/Remove Windows Components.

  4. In the Windows Components dialog, check the Certificate Services box.

  5. Respond to the warning dialog by clicking Yes.

  6. Uncheck the "Internet Explorer enhanced security configuration" box.

  7. In the Windows Components dialog, click Next.

  8. In the CA Type step, select Stand-Alone Root CA. A stand-alone CA does not depend on Active Directory; by default it holds every request it receives in its Pending Requests folder until an administrator issues it, which you will do by hand later in this exercise.

  9. Click Next.

  10. In the CA Identifying Information step, type spscontroller into the "Common name for this CA" text box.

  11. Click Next.

  12. In the Certificate Database Settings step, accept the default values and click Next.

  13. Click Finish to complete the operation.

Creating the New Certificate

You begin creating a certificate by preparing a request on the virtual server that you want to secure. IIS generates a key pair, keeps the private key in the server's machine certificate store, and writes the public key together with the server's identifying information to a Base64-encoded PKCS #10 request (a text file) that you then submit to Certificate Services. The private key never leaves SPSPortal; only the request travels to the CA. In this case, you will create a request for SPSPortal:

  1. Log in to SPSPortal as a local administrator.

  2. Open Windows Explorer.

  3. Create a new directory at c:\certificates\spsportal .

  4. Select the c:\certificates directory, right-click it, and select Sharing and Security from the pop-up menu.

  5. On the Sharing tab, select Share This Folder.

  6. Click Permissions.

  7. Grant Everyone full control and click OK. (The share will hold only the certificate request and the issued certificate, both of which are public; the private key stays in the SPSPortal machine store and is never written here. In production, restrict the share to the administrator account that will use it rather than Everyone.)

  8. Click OK again.

  9. Select Start ➤ Administrative Tools ➤ Internet Information Services (IIS) Manager.

  10. Expand the SPSPortal node and open the Web Sites folder.

  11. Right-click the Default Web Site node and select Properties from the pop-up menu.

  12. On the Directory Security tab, click Server Certificate.

  13. In the Web Server Certificate wizard, click Next.

  14. In the Server Certificate step, select the Create a New Certificate option, and click Next.

  15. In the Delayed or Immediate Request step, select the "Prepare the request now, but send it later" option, and click Next.

  16. In the Name and Security Settings step, leave the name as it is, but set the bit length to at least 2048 (the wizard defaults to 1024, which is too short for anything beyond a test lab), and click Next.

  17. In the Organization Information step, type your company name in the Organization field and your company unit in the Organizational Unit field.

  18. Click Next.

  19. In the Your Site's Common Name step, type the fully qualified name that users will type into the browser, sharepoint.sps.local, in the Common Name field. The browser compares this name against the host name in the URL, so a certificate issued to the bare machine name spsportal would still produce a name-mismatch warning at https://sharepoint.sps.local even after the root CA is trusted. (Current browsers additionally require the name in a Subject Alternative Name extension, which this wizard cannot add; the Internet Explorer versions this book targets accept the Common Name alone.)

  20. Click Next.

  21. In the Geographical Information step, enter the appropriate information and click Next.

  22. In the Certificate Request File Name step, click Browse.

  23. In the Save As dialog, navigate to the c:\certificates\spsportal directory and click Save.

  24. In the Certificate Request File Name step, click Next.

  25. In the Request File Summary step, click Next.

  26. Click Finish to complete the operation.

Once the request is prepared, you may use it to create a new certificate. Certificate Services uses the text file created under SPSPortal to generate the certificate. The new certificate may then be installed on the portal server.

Here you will create the new server certificate:

  1. Log in to SPSController as the domain administrator.

  2. Open Internet Explorer and navigate to http://spscontroller/certsrv/default.asp.

  3. Click the Request a Certificate link.

  4. Click the Advanced Certificate Request link.

  5. Click the link labeled "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file".

  6. In Notepad, open the certificate request text file that you previously saved under \\spsportal\certificates\spsportal.

  7. Copy the entire contents of the request file, including the BEGIN and END lines, and paste them into the Saved Request box.

  8. Click Submit.

  9. Select Start ➤ Administrative Tools ➤ Certification Authority.

  10. In the Certification Authority dialog, expand the tree and open the Pending Requests folder.

  11. Locate the pending request, right-click it, and select All Tasks ➤ Issue from the pop-up menu.

  12. Open Internet Explorer and navigate to http://spscontroller/certsrv/default.asp.

  13. Click the "View the status of a pending certificate request" link.

  14. Click the link for the pending certificate.

  15. On the Certificate Issued page, click the Download Certificate link.

  16. In the File Download dialog, click Save.

  17. Save the file into the \\spsportal\certificates\spsportal directory.

  18. On the Certificate Issued page, click the Download Certificate Chain link.

  19. In the File Download dialog, click Save.

  20. Save the file into the \\spsportal\certificates\spsportal directory.

Installing the New Certificate

Once the new certificate is created, you can install it on the portal server. When using Microsoft Certificate Services, install the certificate chain file with the .p7b extension rather than the bare .cer file: the chain contains the CA's own certificate as well as the server certificate, so installing it also establishes the trust that lets IIS, and later your users, validate the certification path.

To install the new certificate, follow these steps:

  1. Log in to SPSPortal as the local administrator.

  2. Select Start ➤ Administrative Tools ➤ Internet Information Services (IIS) Manager.

  3. Expand the SPSPortal node and open the Web Sites folder.

  4. Right-click the Default Web Site node and select Properties from the pop-up menu.

  5. On the Directory Security tab, click Server Certificate.

  6. In the Web Server Certificate Wizard, click Next.

  7. In the Pending Certificate Request step, select "Process the pending request and install the certificate."

  8. Click Next.

  9. In the Process a Pending Request step, click Browse.

  10. In the Open dialog, navigate to the c:\certificates\spsportal directory and select the certificate chain file with the .p7b extension (change the file type filter if the dialog shows only .cer files).

  11. Click Open.

  12. In the Process a Pending Request step, click Next.

  13. In the SSL Port step, accept the default value of 443 and click Next.

  14. In the Certificate Summary step, view the details and click Next.

  15. Click Finish to complete the operation.

  16. In the Default Web Site Properties dialog, click View Certificate.

  17. In the Certificate dialog, open the Certification Path tab and verify that the path ends at the spscontroller root and that the certificate status reads OK. If the root is reported as not trusted, the chain file was not installed.

  18. Click OK.

  19. In the Default Web Site Properties dialog, click Edit under the Secure Communications section.

  20. In the Secure Communications dialog, check the Require Secure Channel (SSL) box and, beneath it, Require 128-bit Encryption so that weak export-grade cipher suites are refused, and click OK.

  21. In the Default Web Site Properties dialog, click OK.

  22. When the Inheritance Overrides dialog appears, click OK.
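The request, issue, and install procedures in the three sections above can be scripted with certreq.exe and certutil.exe, which are the command-line counterparts of the IIS wizard, the certsrv web pages, and the Certification Authority console. The following is an added example and not the book's own code; it assumes the lab names used in this exercise (SPSPortal, a CA named spscontroller on SPSController, the alias sharepoint.sps.local), and the organization values and the C:\certificates\spsportal path are placeholders.

```powershell
# Added example, not from the book: request, issue, and install the server certificate
# with certreq/certutil instead of the wizard and the certsrv pages. Run on SPSPortal
# as a local administrator; step 4 must run as the CA administrator (domain admin).
# Names below are the lab's; O/OU values and the directory are placeholders.
$dir      = "C:\certificates\spsportal"
$caConfig = "SPSController\spscontroller"     # "<server>\<CA common name>"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Request parameters. The Subject CN must be the name users type into the browser.
#    KeyLength 2048 replaces the wizard's 1024-bit default; the private key is created in
#    the machine store (MachineKeySet) and cannot be exported (Exportable = FALSE).
#    KeyUsage 0xA0 = digital signature + key encipherment; the EKU is Server Authentication.
@"
[NewRequest]
Subject = "CN=sharepoint.sps.local, O=DataLan, OU=IT"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path "$dir\request.inf" -Encoding ASCII

# 2. Generate the key pair and the Base64 PKCS #10 request (the same text file the wizard writes).
certreq -new "$dir\request.inf" "$dir\request.req"

# 3. Submit to the stand-alone CA. It answers "Taken Under Submission" with a RequestId;
#    nothing is issued until an administrator approves the request.
$submitOutput = certreq -submit -config $caConfig "$dir\request.req" "$dir\spsportal.cer"
$requestId = [regex]::Match(($submitOutput -join "`n"), 'RequestId:\s*"?(\d+)').Groups[1].Value
"Request $requestId is pending on $caConfig"

# 4. Issue the pending request (run as the CA administrator; equivalent to All Tasks > Issue),
#    then fetch the issued certificate.
certutil -config $caConfig -resubmit $requestId
certreq -retrieve -config $caConfig $requestId "$dir\spsportal.cer"

# 5. Put the CA's root certificate in the machine Trusted Root store so SPSPortal can
#    validate its own chain, then accept the issued certificate, which joins it to the
#    private key waiting in the machine store.
certutil -config $caConfig -ca.cert "$dir\root.cer"
certutil -addstore Root "$dir\root.cer"
certreq -accept "$dir\spsportal.cer"

# 6. Show what IIS will see: the certificate in the machine Personal store, with its key.
certutil -store My sharepoint.sps.local
```

After the last step, the certificate is already in the server's store, so in the Web Server Certificate Wizard choose "Assign an existing certificate" instead of "Create a new certificate", pick the entry issued to sharepoint.sps.local, and then set Require Secure Channel exactly as in steps 19 through 22 above.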

Testing Secure Access

Once the certificate is installed on the portal server, you are ready to use SSL. Because you required a secure channel, plain http:// requests to the portal now fail with an IIS 403.4 error, so return to the "Configure alternate portal access settings" page and change the intranet URL you registered earlier to https://sharepoint.sps.local; otherwise the links SharePoint generates will point at the blocked address. When users first access the portal through SSL, they will see a Security Alert, because their machines do not yet trust the root certification authority you created. You can install the root certificate on each machine, after which the browser validates the chain silently and users reach the portal without acknowledging the certificate each time. In a domain, the root certificate is better distributed once through Group Policy (Trusted Root Certification Authorities under Public Key Policies) than by hand on every client.

Here is what you need to do to test secure communications:

  1. Log in to SPSClient as a portal end user.

  2. Open Internet Explorer and navigate to https://sharepoint.sps.local.

  3. When the Security Alert dialog appears, click View Certificate.

  4. On the Certification Path tab, select the root certificate named spscontroller and click View Certificate.

  5. In the Certificate dialog, click Install Certificate.

  6. In the Certificate Import Wizard, click Next.

  7. In the Certificate Store step, select to Automatically Select the Certificate Store Based on the Type of Certificate and click Next.

  8. Click Finish to complete the operation.

  9. In the Root Certificate Store dialog, click Yes.

  10. In the Certificate dialog, click OK.

  11. In the other Certificate dialog, click OK.

  12. In the Security Alert dialog, click Yes.
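The Security Alert that the procedure above clicks through is the result of three checks: the certificate name against the host name in the URL, the validity period, and the chain to a trusted root. The following added example (not the book's code) reproduces those checks on SPSClient with the .NET certificate classes so a failure can be diagnosed rather than just acknowledged. It assumes the issued certificate and the CA root were copied from the \\spsportal\certificates\spsportal share to the paths shown; the file names are assumptions.

```powershell
# Added example, not from the book: reproduce on SPSClient the three checks behind the
# Security Alert dialog. Assumes the issued certificate and the CA root were copied
# from the \\spsportal\certificates\spsportal share to the paths below (names assumed).
$hostName = "sharepoint.sps.local"                    # the name typed in the browser
$certPath = "C:\certificates\spsportal\spsportal.cer"
$rootPath = "C:\certificates\spsportal\root.cer"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

function Test-ChainTrust($certificate) {
    # Build the path to a root in this user's or the machine's Trusted Root store.
    # Revocation is not checked: a stand-alone lab root publishes no CRL the client can reach.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($certificate)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
    return $ok, $status
}

# Check 1: certificate name versus URL host name. DnsName returns the Subject Alternative
# Name entry when there is one and falls back to the Common Name otherwise.
$certName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$nameOk   = ($certName -ieq $hostName)

# Check 2: validity period.
$now    = Get-Date
$dateOk = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

# Check 3: chain to a trusted root.
$chainOk, $chainStatus = Test-ChainTrust $cert

"Name matches  : $nameOk   (certificate '$certName', URL '$hostName')"
"Dates valid   : $dateOk   ($($cert.NotBefore) to $($cert.NotAfter))"
"Trusted chain : $chainOk   $chainStatus"

if (-not $chainOk) {
    # Same result as steps 5 through 9 of the Certificate Import Wizard: trust spscontroller's
    # root for this user. Windows shows the Root Certificate Store confirmation prompt.
    certutil -user -addstore Root $rootPath
    $chainOk, $chainStatus = Test-ChainTrust $cert
    "Trusted chain after importing the root: $chainOk $chainStatus"
}
```

Only the third check can be fixed on the client. A name mismatch means the certificate was requested with the wrong Common Name and must be reissued; an expired certificate must be renewed on the server. For more than a handful of clients, put root.cer into Group Policy under Trusted Root Certification Authorities instead of running the import on each machine.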




Microsoft SharePoint: Building Office 2003 Solutions
ISBN: 1590593383
Year: 2006
Pages: 92
