Proxy Settings on the Server

The dashboard site uses a special server-side object called ServerXMLHTTP to make Hypertext Transfer Protocol (HTTP) requests. These requests are necessary to return the correct page to the client. The ServerXMLHTTP object has its own proxy settings. If the dashboard site is behind a proxy server, you must configure the ServerXMLHTTP object with the proxy server name to access data that is located beyond the intranet. The proxy settings are important when the dashboard site must access resources on a different server, such as when you use the Content management page to import new Web Parts.

For more information about changing proxy settings on the server, see Chapter 11, Installing SharePoint Portal Server.

Specifying the Bypass List

When you configure the proxy settings on your server, you can specify a bypass list. This section reviews the most common options that you can choose. If the virtual directory for the workspace has NTLM enabled, you must set the proxy server and bypass list. The ServerXMLHTTP object attempts NTLM authentication against the virtual directory for the workspace.

You can separate multiple bypass addresses with a semicolon. A bypass address is an address for which you do not want to use the specified proxy server.

If you are using a proxy server

If you are using a proxy server, run:

proxycfg –d –p proxy_name:port_number "root_domain_name;<local>"

In the preceding line, root_domain_name is the bypass address. Root_domain_name is the FQDN of the base root domain in which the computer is a member, with a wildcard exception prefixed to the root_domain_name. The bypass address is in the form *domain, such as *adventure-works.com. Include the brackets <> around local when you type the command.

Example. If your proxy server name is Proxy1, the port number is 80, and you want to bypass the proxy server for the SharePoint Portal Server computer in the domain adventure-works.com, type proxycfg –d –p Proxy1:80 "*adventure-works.com;<local>"

If you are not using a proxy server

If are not using a proxy server in your environment, you must specify a fake proxy server to force SharePoint Portal Server to use integrated Windows 2000 authentication. Integrated Windows 2000 authentication is most commonly used in an intranet environment. If you do not specify a fake proxy server, network components on your SharePoint Portal Server computer default to Basic authentication. As a result, SharePoint Portal Server does not work correctly. To configure a fake proxy server, you must configure both the dashboard site and Microsoft Internet Explorer.

If you are using Basic or Anonymous authentication methods, you do not need to specify the proxy settings.

To configure the proxy settings on your SharePoint Portal Server computer, run:

proxycfg -d -p fake_proxy_name:80 "*;<local>"

Example. If you do not have a proxy, specify any non-existent proxy and bypass for all addresses by using the wildcard (*). To do so, type:

proxycfg –d –p FakeProxy1234:80 "*;<local>"

Testing has indicated that this option works for most customers and that the preceding syntax should be used first, if you are not using a proxy. However, further options are provided later in this section.

To configure the proxy settings for Internet Explorer:

1. Open Internet Explorer.
2. On the Tools menu, click Internet Options.
3. Click the Connections tab, and then click LAN Settings.
4. Select the Use a proxy server check box.
5. Type fake_proxy_name in Address.
6. Type 80 in Port.
7. Select the Bypass proxy server for local addresses check box.
8. Click Advanced.
9. In Exceptions, type one of the following:

   "*root_domain_name" or "internal_FQDN"

   For example, for a server with a NetBIOS name of AdvWks, you would type one of the following:

   *adventure-works.com

   or

   AdvWks.corp.adventure-works.com

10. To close the Proxy Settings dialog box, click OK.
11. To close the Local Area Network (LAN) Settings dialog box, click OK.
12. To close the Internet Options dialog box, click OK.
13. Restart the computer.

    You must configure the proxy settings for Internet Explorer on all client computers that access the server by using an FQDN (not the computer name) and integrated Windows 2000 authentication. You can configure all your client computers to use these proxy settings by using the Internet Explorer Administration Kit. If you do not configure each client computer, each user will be prompted for authentication for each session.

If you are not using a proxy server, and if the configuration specified earlier does not work for you, you can run one of the following configurations as an option:

• To prevent downloading of Web Parts from any site, including the Microsoft Web Part Gallery, run:

  proxycfg –d –p fake_proxy_name:80 "<local>"

  This setting enables NTLM on the computer and on the subnet mask. This setting has no known security issues because all traffic is local.

• To allow downloading of Web Parts from the Microsoft Web Part Gallery, run:

  proxycfg –d –p fake_proxy_name:80 "*microsoft.com;<local>"

  With this option, you can download Web Parts from the Microsoft Web Part Gallery. You cannot download Web Parts from any other site. This setting enables NTLM on the computer and on the subnet mask. This setting may increase the security vulnerability because traffic going to www.microsoft.com may send NTLM packets. This depends on the Internet service provider (ISP) configuration. In addition, it depends on whether the ISP enables ports to send and receive NTLM packets.

• To download Web Parts from any Web site, run:

  proxycfg –d –p fake_proxy_name:80 "*;<local>"

  This setting enables NTLM on the computer and on the subnet mask. With this option, you can send NTLM traffic to any site on the Internet. This depends on the ISP configuration. In addition, it depends on whether the ISP enables ports to send and receive NTLM packets.

• To run the computer directly on the extranet, run:

  proxycfg –d

  You cannot download Web Parts from any Web site. This setting enables NTLM only on the computer, not on the subnet mask. Some SharePoint Portal Server functionality may be disabled. You must create a new Web site in IIS that uses Basic authentication. NTLM remains enabled on the Default Web Site in IIS. For more information about creating a new Web Site in IIS, see the section, Web Site Creation later in this chapter.

  Running a computer directly on the extranet with no proxy server has inherent security vulnerabilities, and is therefore not recommended. However, using Basic authentication with SSL enabled on the new Web site in IIS is the most secure SharePoint Portal Server configuration available when the computer runs directly on the extranet.

Configuring the Proxy Settings on the Server

During the SharePoint Portal Server installation, the setup process automatically configures the proxy settings for ServerXMLHTTP by using the proxy settings specified for the server. If you need to change these proxy settings at some time after installation, or if you want to use SharePoint Portal Server across the extranet without a proxy server, use the following procedure.

To configure the proxy settings:

1. On the Start menu, point to Programs, point to Accessories, and then click Command Prompt.
2. Change to the SharePoint Portal Server \Bin directory. For example, if you installed SharePoint Portal Server in the Installation directory on drive E, change to E:\Installation\Bin. If you installed SharePoint Portal Server on drive D under Program Files\SharePoint Portal Server, change to the following directory:

   D:\Program Files\SharePoint Portal Server\Bin.

3. To see the current proxy settings, type proxycfg.
4. To configure the proxy appropriately, type one of the options specified in the preceding section.
5. Restart the computer.

   SharePoint Portal Server does not support direct Internet connectivity out of the box. By default, SharePoint Portal Server is initially configured for use with a proxy server.