There are several conditions you should evaluate before publishing your SharePoint Portal Server to the Internet: determining how to configure the appropriate network services, such as DNS, choosing an authentication mechanism for external users, configuring link translation, and deciding on Secure Sockets Layer (SSL) tunneling versus SSL bridging. The following sections define each of these issues and provide appropriate guidelines.
Name resolution is one of the first conditions to consider when publishing a SharePoint Portal or Windows SharePoint Services site. Just as with other Web publishing scenarios, it is important to have a consistent split DNS infrastructure that allows both internal and external users to access the site in the most efficient way. In other words, internal users should resolve the sites with internal IP addresses and external users should resolve the sites with external IP addresses.
Avoid configuring the network in a way that forces internal users to access internal sites through the ISA Server 2004 firewall unless you have a specific and definite need to do so.
Creating a split DNS infrastructure, as shown in Figure 17-5, resolves this problem by supplying different addresses for internal and external users. This allows external users to get the correct external address and prevents internal users from accessing the SharePoint site using the external address.
Figure 17-5: This illustration shows an example of a split DNS configuration where internal and external DNS servers provide different addresses for the same DNS zone.
For more information on split DNS, see the article, "You Need to Create a Split DNS!" at http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html.
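The following script is an added example, not code from the book or from ISA Server. It models the two DNS views the text describes and flags the records that defeat the split: a public address handed out by the internal view (internal users hairpin through the firewall), a private address handed out by the external view (unreachable from the Internet and a disclosure of internal addressing), and a public name with no internal record. The zone data, host names and addresses are constructed.

```python
"""Sanity check for the split DNS views behind a published SharePoint site.

Added example; it is not code from the book or from ISA Server. It models the
two views the text describes: the internal DNS server should answer with the
private address of the SharePoint computer, and the external DNS server should
answer with the public address of the ISA listener. The zone data below is
constructed for illustration; the host names and addresses are not real.
"""
import ipaddress

# Constructed answers from the internal and external DNS servers for one zone.
# Public addresses deliberately avoid the RFC 5737 documentation ranges, which
# Python's ipaddress module reports as private.
INTERNAL_VIEW = {
    "portal.example.com": ["10.0.0.20"],      # SharePoint Portal Server computer
    "www.example.com": ["10.0.0.30"],
    "mail.example.com": ["51.100.20.9"],      # misconfiguration: public address in the internal view
}
EXTERNAL_VIEW = {
    "portal.example.com": ["51.100.20.5"],    # external interface of the ISA server
    "www.example.com": ["51.100.20.5"],
    "intranet.example.com": ["10.0.0.40"],    # misconfiguration: private address exposed to the Internet
}


def check_split_dns(internal, external):
    """Return (host, problem) pairs for records that defeat the split.

    An internal view handing out a public address makes internal users go
    out through the firewall and back in; an external view handing out a
    private address is unreachable from the Internet and discloses internal
    addressing; a public name without an internal record leaves internal
    users resolving it through the external view.
    """
    problems = []
    for host, addrs in internal.items():
        for addr in addrs:
            if not ipaddress.ip_address(addr).is_private:
                problems.append((host, f"internal view returns public address {addr}"))
    for host, addrs in external.items():
        for addr in addrs:
            if ipaddress.ip_address(addr).is_private:
                problems.append((host, f"external view returns private address {addr}"))
        if host not in internal:
            problems.append((host, "public name has no record in the internal view"))
    return problems


def is_consistent_split(internal, external):
    """True when no record breaks the split; usable as a pre-publishing gate."""
    return not check_split_dns(internal, external)


if __name__ == "__main__":
    for host, problem in check_split_dns(INTERNAL_VIEW, EXTERNAL_VIEW):
        print(f"{host}: {problem}")
```

Run it against exports of both zones before creating the publishing rule; an empty result means internal users will reach the SharePoint computer directly and external users will land on the ISA listener.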
When publishing SharePoint Portal Server 2003 by requiring users to log on, it is best to use basic authentication because it will work with most Web browsers and will pass through most firewalls. In addition, ISA Server provides a great feature called basic delegation, which makes it possible to authenticate users at the ISA Server level and then have those credentials forwarded to the Web server for any authentication request. If the Web site requires several authentication requests, the ISA server provides the subsequent credentials to the Web site and the user is not bothered with logging on again. Basic delegation also works with SSL bridging because the SSL tunnel is terminated at the ISA server.
Because credentials are passed in clear text when using basic authentication, be sure to also use SSL encryption to protect the authentication information.
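The flow the two preceding paragraphs describe, written out as an added example rather than code from the book or from ISA Server: the user is prompted once, the ISA server validates the Basic credentials, and every later Basic challenge from the Web server is answered by the ISA server with the stored credentials instead of being passed back to the browser. The user store, the stand-in SharePoint back end, the request and response shapes and the user names are constructed, and both SSL legs are assumed to be in place because the credentials are only base64-encoded.

```python
"""Model of basic authentication with basic delegation at the ISA server.

Added example; it is not code from the book or from ISA Server. The user
store, the stand-in SharePoint back end and the request/response shapes are
constructed so the flow can run offline: the client is prompted once, ISA
validates the credentials, and ISA answers every later Basic challenge from
the Web server itself instead of passing it back to the user. Because the
credentials travel base64-encoded rather than encrypted, the client-to-ISA
leg and the ISA-to-server leg are both assumed to be SSL.
"""
import base64
import hashlib
import hmac

_SALT = b"constructed-salt"


def _digest(password):
    return hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()


# Constructed user store standing in for the domain the ISA server validates against.
USERS = {"alice": _digest("s3cret")}


def basic_header(user, password):
    """Build the value a browser sends after a Basic challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")      # password may itself contain colons
    return (user, password) if sep else None


def authenticate(user, password):
    stored = USERS.get(user, _digest("\0"))           # dummy digest keeps timing similar for unknown users
    matched = hmac.compare_digest(stored, _digest(password))
    return matched and user in USERS


def backend(path, headers):
    """Constructed SharePoint stand-in: challenges every request that lacks valid credentials."""
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None or not authenticate(*creds):
        return 401, {"WWW-Authenticate": 'Basic realm="SharePoint"'}, ""
    return 200, {}, f"{path} as {creds[0]}"


def isa_handle(path, client_headers, trace):
    """Listener with Basic required and basic delegation enabled (model)."""
    creds = parse_basic(client_headers.get("Authorization", ""))
    if creds is None or not authenticate(*creds):
        trace.append("client challenged by ISA")
        return 401, {"WWW-Authenticate": 'Basic realm="ISA"'}, ""
    trace.append(f"ISA authenticated {creds[0]}")
    status, headers, body = backend(path, {})
    if status == 401 and headers.get("WWW-Authenticate", "").lower().startswith("basic"):
        trace.append("backend challenged; ISA re-sent the credentials")   # delegation
        status, headers, body = backend(path, {"Authorization": client_headers["Authorization"]})
    return status, headers, body


def browse(paths, user, password):
    """Simulate a browser that answers the first 401 and then caches the credentials."""
    trace, results, headers = [], [], {}
    for path in paths:
        status, _, _ = isa_handle(path, headers, trace)
        if status == 401 and "Authorization" not in headers:
            headers = {"Authorization": basic_header(user, password)}   # the single logon prompt
            status, _, _ = isa_handle(path, headers, trace)
        results.append(status)
    return results, trace


if __name__ == "__main__":
    statuses, log = browse(["/default.aspx", "/_layouts/userdisp.aspx", "/sites/docs/"], "alice", "s3cret")
    print(statuses)
    print("\n".join(log))
```

The trace makes the benefit visible: three back-end challenges, one prompt to the user. The model also shows why delegation needs SSL bridging rather than tunneling, since the ISA server can only read and re-send the Authorization header if the SSL session terminates on it.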
Internal clients, of course, access Web sites by referencing the Web server's host name or NetBIOS name. This resolution is often an issue for external clients accessing published SharePoint sites. When referencing items such as document libraries or other information within the SharePoint site, SharePoint uses the local server name or even the server IP address in the URL. Obviously, these references do not work properly from the Internet because the internal machine name and internal addresses are not accessible through the ISA Server 2004 server. In addition, exposing this information over the Internet can create a security issue by allowing internal naming and addressing information to pass to the Internet.
ISA Server 2004 provides the link translation feature that reads and changes references to internal server names and IP addresses to appropriate links for Internet access. This is demonstrated in Figure 17-6.
Figure 17-6: Link translation modifies references to internal server names and addresses to externally accessible names.
SharePoint sites are unique in that they tend to require long URLs for query and site requests. SharePoint also requires ASP.NET and HTTP 1.1 WebDAV. This is important to take into account when setting up publishing rules and restricting content.
We said before that SharePoint Portal Server 2003 is built on top of Windows SharePoint Services. Because of this, SharePoint Portal Server 2003 Web sites have many of the same benefits as Windows SharePoint Services sites, and many of the same publishing steps are required.
This book does not go into detail about the feature differences in SharePoint Portal Server and Windows SharePoint Services; if you would like further information on this, please see the following Microsoft Web page: http://www.microsoft.com/sharepoint/evaluationoverview.asp.
This section explains the steps required to publish SharePoint Portal Server 2003. We discuss the configuration of publishing a SharePoint Portal Server 2003 site using SSL bridging. This is the deployment model for SharePoint Portal Server 2003 sites that require secure publishing because link translation is not supported in SSL tunneling.
The following scenario about setting up a SharePoint Portal Server 2003 site using SSL bridging covers each step at an elevated level. If you require a more in-depth explanation, please reference the Microsoft white paper, "SharePoint Portal Server 2003 Document: Deploying on an Extranet by Using ISA Server 2000 and ISA Server 2004," at http://www.microsoft.com/downloads/details.aspx?FamilyId=4C5BF9DD-3EFB-451DB213-8ED039190BF.
This scenario assumes that the following items are already in place:
A split DNS has been created for the public name of the SharePoint Portal Server site.
The default Web site in Microsoft Internet Information Services (IIS) is configured with an SSL certificate and requires SSL.
One SharePoint Portal Server site has been set up on the default Web site in IIS using basic authentication only.
The SharePoint Portal Server site can be accessed from your corporate intranet using the SSL fully qualified domain name (FQDN).
A proper certificate has been installed on the ISA server to securely publish the SharePoint Portal Server site using the external name.
A secure Web listener has been created on the ISA server using the proper certificate.
A firewall policy rule has been created to allow the physical SharePoint Portal Server computer access to the Internet through the ISA server.
The Web.config file has been modified to allow the SharePoint Portal Server site access to the Internet through the ISA server.
In ISA Server we need to create a secure Web publishing rule. To do this, follow these steps:
Open the ISA Server Management console. In the console tree, expand the server name, and then click Firewall Policy.
In the task pane, under Firewall Policy Tasks, click the Tasks tab. Under Firewall Policy Tasks or Array Policy Tasks, click Publish A Secure Web Server.
On the Welcome To The SSL Web Publishing Rule Wizard page, type a name for the rule and click Next.
On the Publishing Mode page, click SSL Bridging and click Next.
On the Select Rule Action page, click Allow and click Next.
On the Bridging Mode page, select Secure Connection To Clients And Web Server and click Next.
For SSL bridging to work, the inside-name must match the name on the SSL certificate that is installed on the SharePoint Portal Server site.
On the Define Website To Publish page, type the computer name and path of the file or folder to publish, as shown in Figure 17-7, and click Next.
On the Public Name Details page, type in the public name and path as shown in Figure 17-8, and click Next.
On the Select Web Listener page, select the Web listener that was created and configured to allow SSL with the proper certificate and click Next.
On the User Sets page, click Next.
On the Completing The New SSL Web Publishing Rule Wizard page, click Finish.
In the details pane, click Apply to save your changes, and then click OK.
In the details pane, right-click the secure publishing rule you just created, and then select Properties.
In the Properties dialog box, click the Link Translation tab.
Add two link translations, as shown in Figure 17-9, by selecting the Replace Absolute Links In Web Pages check box, clicking Add, and then typing the following information in the Replace This Text and With This Text fields:
Inside-name of the SharePoint Portal Server site
Inside IP of the SharePoint Portal Server site
In the details pane, right-click the new rule again and select Configure HTTP.
Under URL Protection, clear the Verify Normalization check box and click OK.
In the details pane, right-click the new rule again, select Properties, and click the Listener tab.
On the Listener tab, click Properties, click the Preferences tab, and then click Authentication.
In the Authentication dialog box, clear the Integrated check box, and click OK.
Select the Basic check box, and click Yes to the warning message.
Select the Require All Users To Authenticate check box as shown in Figure 17-10. Click OK twice to continue.
Click the Users tab. Select the Forward Basic Authentication Credentials (Basic Delegation) check box, as shown in Figure 17-11. Click OK.
In the details pane, click Apply to save your changes, and then click OK.
Figure 17-7: It's important that you provide the internal name of the SharePoint Portal Server computer when completing this step.
Figure 17-8: Enter the public name and path on the Public Name Details page.
Figure 17-9: Two dictionary entries for link translations should be created: one for the inside-name of the SPS server and one for the inside IP of the SPS server.
Figure 17-10: Configure basic authentication for the SharePoint Portal site.
Figure 17-11: Forwarding basic authentication is necessary for successful completion of the publishing rule.
The SharePoint Portal Server site should now be accessible using SSL encryption through the ISA Server 2004 server.
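The script below is an added example, not code from the book or from ISA Server. It reproduces the effect of the two link translation dictionary entries the procedure creates (the inside-name and the inside IP of the SharePoint Portal Server computer) and of the link translation feature described earlier: absolute links in a response body are rewritten to the public name before the page leaves for the Internet, and a second check confirms that no internal name or address remains. The inside-name, the addresses, the public name and the sample page fragment are constructed. The example goes slightly beyond the two entries in the procedure by covering both the http and https forms of each reference and by guarding against the inside IP matching a longer address such as 10.0.0.200.

```python
"""Dictionary-style link translation for a published SharePoint page.

Added example; it is not code from the book or from ISA Server. It reproduces
the effect of the two dictionary entries the procedure creates (inside-name and
inside IP of the SharePoint Portal Server computer) by rewriting absolute links
in a response body so that pages leaving for the Internet carry only the public
name. Host names, addresses and the sample page are constructed.
"""
import re

# Constructed values. The inside-name is the name on the server's SSL
# certificate; the public name is the one on the ISA listener's certificate.
INSIDE_NAME = "sps01.corp.example.local"
INSIDE_IP = "10.0.0.20"
PUBLIC_NAME = "portal.example.com"

# "Replace This Text" -> "With This Text", one pair per URL scheme so that
# http:// references are rewritten to the SSL listener as well.
LINK_TRANSLATION = {
    f"http://{INSIDE_NAME}": f"https://{PUBLIC_NAME}",
    f"https://{INSIDE_NAME}": f"https://{PUBLIC_NAME}",
    f"http://{INSIDE_IP}": f"https://{PUBLIC_NAME}",
    f"https://{INSIDE_IP}": f"https://{PUBLIC_NAME}",
}

# A match must end where the URL authority ends, otherwise 10.0.0.20 would also
# rewrite 10.0.0.200 and corrupt links to an unrelated server.
_AUTHORITY_END = r"""(?=[/:?#"'\s<]|$)"""


def _compile(dictionary):
    # Longest entries first so that an entry never shadows a longer one.
    alternation = "|".join(re.escape(k) for k in sorted(dictionary, key=len, reverse=True))
    return re.compile(f"(?:{alternation}){_AUTHORITY_END}", re.IGNORECASE)


def translate_links(body, dictionary=LINK_TRANSLATION):
    """Rewrite internal references; returns (new_body, number_of_replacements)."""
    lookup = {k.lower(): v for k, v in dictionary.items()}     # host names are case-insensitive
    return _compile(dictionary).subn(lambda m: lookup[m.group(0).lower()], body)


def remaining_internal_references(body):
    """Internal identifiers still present after translation (should be empty)."""
    found = []
    if re.search(r"(?<![\w.-])" + re.escape(INSIDE_NAME) + r"(?![\w.-])", body, re.IGNORECASE):
        found.append(INSIDE_NAME)
    if re.search(r"(?<![\d.])" + re.escape(INSIDE_IP) + r"(?![\d.])", body):
        found.append(INSIDE_IP)
    return found


# Constructed page fragment of the kind SharePoint emits for document libraries.
SAMPLE_PAGE = (
    '<a href="http://sps01.corp.example.local/sites/docs/Shared%20Documents/Forms/AllItems.aspx">Docs</a>\n'
    '<img src="https://10.0.0.20/_layouts/images/logo.gif">\n'
    '<a href="http://10.0.0.200/other">unrelated server, must stay untouched</a>\n'
    '<a href="HTTP://SPS01.CORP.EXAMPLE.LOCAL/default.aspx">mixed-case reference</a>\n'
)

if __name__ == "__main__":
    translated, n = translate_links(SAMPLE_PAGE)
    print(f"{n} links rewritten; leftovers: {remaining_internal_references(translated)}")
    print(translated)
```

This rewriting is only possible because SSL bridging terminates the client's SSL session on the ISA server, which is why the text insists on bridging rather than tunneling for SharePoint publishing: with tunneling the response body passes through encrypted and no translation can take place.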