Microsoft Internet Security and Acceleration Server 2000 SharePoint Portal Server Deployment Kit

 

Chapter 3

Quick Start: Configuring SharePoint Extranet Virtual Web Site and ISA Server Web Publishing

 

 

 

 

 

 

Martin Grasdal

Dr. Thomas W Shinder

December 2003

 

Table of Contents

 

Abstract

Overview

Step-by-Step Background Information

Step-by-Step How To:  Creating New Virtual Web Site To Host the Extranet SharePoint Site

Step-by-Step How To:  Extending SharePoint Portal Site into the Extranet Virtual Web Site

What is an Application Pool?

Creating Application Pool for Use by Extranet Web Site

Extending SharePoint Site to Extranet Virtual Web Site

Configuring the Virtual Web Site To Support Basic Authentication

Testing Extranet SharePoint Site from Internal Client

Step-by-Step How To:  Configuring ISA Server 2000 To Protect and To Publish SharePoint Extranet Web Site

Configuring IP Packet Filter Settings

Creating a Destination Set

Creating a Web Publishing Rule

Configuring the Incoming Web Requests Listener

Troubleshooting Tips for Web Publishing Rules

Configuring Outbound Access for Internal ISA Clients

Summary

 

 

 


Abstract

ISA Server 2000 Web Publishing Rules can provide highly secure and available access to a SharePoint Portal Server 2003 extranet site.  The security of Web Publishing Rules can be further enhanced by leveraging the built-in security features of IIS 6.0 on Windows 2003 and SharePoint Portal Server 2003.  This document shows you how to create a secure solution for a SharePoint extranet Web site by extending the SharePoint Portal Server 2003 site into a new virtual Web site that uses an application pool to isolate worker processes in IIS 6.0, configuring the Web site to use a different authentication method, and configuring ISA Server to publish the Web site using a Web Publishing Rule.

 


This chapter provides an overview of the need for a separate site for extranet access and a summary of the relevant features of ISA Server 2000 that make the extranet site available to external clients.  It then explains how to set up the SharePoint Portal site in a separate virtual Web site and how to configure the ISA Server 2000 firewall to protect and publish the extranet SharePoint site.

 

Enabling a SharePoint extranet site for access from the Internet requires the following steps:

 

·         Creating a new virtual Web site to host the extranet SharePoint Web site.

o        Adding an IP address to Windows 2003 server to assign to new Web site.

o        Adding a new Web site using Internet Information Services (IIS) Manager.

·         Extending SharePoint Portal Web into the extranet Web site.

o        Creating a new application pool in IIS 6.0 for use by the extranet SharePoint Site (optional).

o        Creating a new SharePoint portal site in the extranet virtual Web site, or mapping an existing SharePoint portal site to the extranet virtual Web site.

o        Configuring authentication methods on the extranet virtual Web site.

o        Testing the extranet site from the internal network.

·         Configuring ISA Server 2000 to protect and to publish the extranet SharePoint site.

o        Enabling Packet Filtering and IP Routing on ISA Server 2000 firewall.

o        Configuring the Incoming Web Requests Listener.

o        Adding a Destination Set.

o        Testing the Web Publishing rule on ISA Server from external client.

o        Creating a Protocol Rule to enable outbound access for internal clients (optional).

Overview

An extranet is a collection of internal resources that is made available to Internet clients. Access to the extranet usually occurs through a firewall, such as ISA Server 2000, to provide security for extranet resources.  A SharePoint Portal Server 2003 site is a sophisticated Web-based application whose intuitive, easy-to-use Web browser interface gives complete access to SharePoint’s powerful capabilities.  Many organizations will find it desirable to make some or all of SharePoint’s resources available on an extranet for external employees, customers, or business partners. 

 

In almost all cases where SharePoint is deployed as an extranet resource, its configuration will differ from the configuration of SharePoint site(s) located on the intranet.  For example, it may be desirable to support Anonymous or Basic authentication to allow customers and business partners to connect at will.  Or, it may be desirable to implement Secure Sockets Layer (SSL) on the SharePoint site to provide a higher degree of protection for user credentials and data.  Or, it may be desirable for the extranet SharePoint site to connect to different content databases than the intranet site. 

 

All of these scenarios and others require that the extranet site use a different virtual web site from the intranet site.  For example, if a user authenticates to a SharePoint site using Basic Authentication, and the SharePoint Web site is configured to use both Basic and Windows Integrated Authentication, the user will not be able to view search results when he or she invokes a search query on the SharePoint site.  However, if the SharePoint Web site is configured to use Basic Authentication only, the user will be able to view the results of a search.  Because it is undesirable to disable Windows Integrated Authentication on the intranet SharePoint site, it is necessary to create a new SharePoint web site that supports Basic Authentication only.

 

Access to the SharePoint extranet must occur through a firewall to assure a high level of protection.  Furthermore, the firewall must be capable of providing a high degree of functionality for external clients who use the extranet SharePoint site, while at the same time providing a high degree of protection. 

 

ISA Server 2000 is a highly secure and extensible firewall, which makes it the ideal solution for controlling access to the extranet.  Its advanced features, such as Web publishing and Server publishing rules, Application Layer filtering, Link Translation, Basic Delegation of Authentication Credentials, SSL bridging, detailed logging, and others, help to ensure a high degree of both protection and functionality.

 

In particular, the use of Web publishing rules to make an extranet SharePoint site available to external clients confers a number of unique advantages over using ISA Server 2000 Server Publishing rules or using other firewall products to provide access to the extranet.  Advantages of using ISA Server 2000 Web Publishing rules include:

 

·         Use a single external IP address to publish multiple Web sites.

·         Use multiple incoming listener configurations with multiple IP addresses to support use of different digital certificates and authentication methods.

·         Authenticate with the ISA Server 2000 firewall using basic, integrated, digest, or certificate authentication.

·         Use port redirection to redirect HTTP requests to an alternate port used by the Web server on the internal network.

·         Inspect the URL in the HTTP header and determine the destination for the request on the intranet or perimeter network (DMZ).

·         Extend ISA Server 2000 firewall security by installing URLScan 2.5 to perform deep inspection of HTTP header information and accept or deny connections based on a configurable set of rules.

·         Terminate SSL requests (HTTPS) at the ISA Server 2000 firewall and redirect them as HTTP requests to the internal Web server.  This allows HTTP traffic to be inspected before it is allowed into the internal network and saves CPU cycles on the Web server because it does not have the overhead of encrypting traffic.

·         Terminate SSL requests (HTTPS) at the ISA Server 2000 firewall and redirect them as HTTPS requests to the internal Web server.  This allows HTTPS traffic to be inspected before it is allowed into the internal network and enhances end-to-end security for data sent between clients and Web server.


Step-by-Step Background Information

 

The test lab used to demonstrate these step-by-step instructions has the following configuration:

 

·         Internal Network.  The internal network uses the 172.16.1.0/24 network ID.  The default gateway for the network is 172.16.1.1, which is the internal IP address of the ISA Server.

·         External Network.  The external network uses a 192.168.100.0/24 network ID.

·         Internal DNS and Active Directory Namespace.  Internal.net is used as the Active Directory and DNS namespace for the internal network. 

·         Active Directory.  A Windows 2003 Active Directory domain controller named Ad1.internal.net is used to provide directory and DNS services.  DNS is set up with root hints and forwarding to support resolution to the external network and the Internet.  The IP address of the domain controller is 172.16.1.10.

·         External DNS Namespace.  External.net is used as the DNS namespace for external clients connecting to resources published through the ISA Server 2000 firewall.  The DNS zone files for external.net are located on the external network. The zone has been pre-configured with a single host record pointing to the external IP address of the ISA Server 2000 firewall to resolve the Fully Qualified Domain Name (FQDN) extranet.external.net for access to extranet SPS Web site.

·         SharePoint Portal Server 2003 Configuration.  SharePoint Portal Server 2003 is installed on a Windows 2003 computer named Sps.internal.net.  The SharePoint server uses a co-located SQL Server 2000 Standard Edition for the configuration and content databases.  The SPS server has a static primary IP address of 172.16.1.11 that uses 172.16.1.1 as the default gateway. 

·         SharePoint Server Virtual Web Site Configuration.   IIS 6.0 was installed on the Windows 2003 server as per the SharePoint Portal Server 2003 prerequisites found in the SharePoint Portal Server 2003 help files and the SharePoint Portal Server 2003 Customer Evaluation Guide.  The intranet SPS virtual Web site is located at 172.16.1.11 and is configured to use Windows Integrated Authentication only.  Specifically, IIS 6.0 has been configured as follows: 

o        Application Server with the following components:

§         Microsoft ASP.NET

§         Enable COM+ Components

§         Microsoft Internet Information Services with the following components:

·         Common Files

·         Internet Information Services Manager

·         World Wide Web Service with the following components:

o        Active Server Pages

o        World Wide Web Service

·         ISA Server 2000 Configuration.  ISA Server 2000 with Service Pack 1 and HotFix isahf255.exe is installed on a Windows 2003 server.  Other than the configuration of the Local Address Table (LAT), ISA Server is configured using the defaults from the installation setup program.  For specific instructions for installing an ISA Server on Windows 2003, please see Tom Shinder’s article, Installing ISA Server 2000 on Windows Server 2003 on the ISAServer.org Web site.  The ISAServer.org Web site contains much useful information on installing and configuring ISA Server, such as Will Schmied’s article, Installing ISA Server 2000, and Jim Harrison’s article, Configuring ISA Server Interface Settings.  Another good source of information and instruction is the Microsoft TechNet ISA Server Web site.

o        External NIC configuration:

§         IP address: 192.168.100.22/24

§         Default Gateway: 192.168.100.254/24

§         File and Print Sharing: disabled

§         Client for Microsoft Networks: disabled

§         NetBIOS: disabled

§         Registration of external IP address in Dynamic DNS zone: disabled

§         DNS server: None

§         Binding order: lowest

o        Internal NIC configuration:

§         IP address: 172.16.1.1/24

§         Default Gateway: None

§         File and Print Sharing: enabled

§         NetBIOS: enabled

§         Registration of IP address in Dynamic DNS zone: enabled

§         DNS server: 172.16.1.10

§         Binding order: highest

 

o        ISA configuration details:

§         Installation type: Standalone

§         Installation mode: Integrated (firewall and proxy services)

§         Local Address Table (LAT): 172.16.1.0 – 172.16.1.255

§         Site and Content Rule: Default

§         Client Configuration:  All clients configured as S-NAT clients (no Web proxy client configuration or Firewall client).




 

Step-by-Step How To:  Creating New Virtual Web Site To Host the Extranet SharePoint Site

This section provides basic instructions for setting up a new virtual Web site on IIS 6.0.  This new Web site will subsequently be used to demonstrate how to map an existing SharePoint portal site, from the virtual Web site where it currently resides, into the new virtual Web site.  Note that the extranet SharePoint site will be hosted on the same server as the intranet SharePoint site. 

 

This may not be a desirable configuration in a production environment, and you may wish to host the extranet site on a different server.  Also, this step-by-step walkthrough assumes that a pre-existing SharePoint site exists that can be used for the extranet.  For specific instructions on setting up SharePoint Portal server, please see the SharePoint Portal Server 2003 help files and the SharePoint Portal Server 2003 Customer Evaluation Guide.

 

Creating New Virtual Web Site

 

An IIS server can host multiple virtual Web sites that use a single, shared IP address or that use individual IP addresses that are not shared with other Web sites.  To use a single, shared IP address for multiple Web sites requires that the Web sites are configured with host header names that uniquely identify the Web sites.  Using non-shared IP addresses for virtual Web sites does not require host header names, but it does require that multiple IP addresses (one for each virtual Web site) are bound to the network adapter. 

 

These step-by-step instructions demonstrate how to create a virtual Web site and assign it to an IP address not currently in use by a Web site.

 

To add a new IP address to the Windows 2003 server,

 

  1. Click Start | Settings | Control Panel. 
  2. Double click on the Network Connections folder in Control Panel.
  3. Right click on the appropriate network adapter, and click on Properties from the context menu.  The network adapter’s Properties dialog box appears.
  4. In the Properties dialog box, highlight Internet Protocol (TCP/IP), and click the Properties button.  The Internet Protocol (TCP/IP) Properties dialog box appears.
  5. Click the Advanced button.  The Advanced TCP/IP Properties dialog box appears.
  6. In the IP Addresses frame, click the Add button.
  7. In the TCP/IP Address dialog box, enter an IP address and subnet mask in the appropriate fields, and click Add.
  8. Click OK twice, and then click Close to finish adding the IP address.

 

Once you have added a new IP address to the Windows 2003 server, you can create a new virtual Web site and assign it to the newly added address.  To create the new Virtual Web site,

 

  1. Click Start | Administrative Tools, and double click on the Internet Information Services (IIS) Manager.  The IIS MMC console opens.

  2. In the Internet Information Services (IIS) Manager console, right click on the Web Sites node in the left-hand pane, and select New | Web Site from the context menu, as in Figure 1 below.

Figure 1 IIS Manager Console

  3. On the Welcome to the Web Site Wizard page, click Next.  The IP Address and Port Settings page appears.

  4. In the IP Address and Port Settings page, enter an unassigned IP address for the new Web site, as in Figure 2 below, and press Next. 

    To use a shared IP address for the new Web site, you could either enter a host header name, which is the FQDN that external clients would use to connect to the site, or assign the Web site an unused TCP port.  Web publishing rules in ISA Server 2000 allow you to redirect an HTTP request to a TCP port other than port 80 on an internal Web server, so it is possible to use a different TCP port for the internal Web site without inconveniencing external clients.

Figure 2  IP Address and Port Settings of New Web Site

  5. In the Web Site Home Directory page, enter the path to a folder in the file system that will contain the files for the home directory. 

    If you have not previously created the folder, you can create it at this time by pressing the Browse button, which will present you with an interface to browse to folders in the file system and create a new folder. Create a folder for the extranet Web site here.

    Because anonymous access to the extranet Web site is not wanted, clear the check box for Allow anonymous access to this Web site, as in Figure 3 below, and click Next.

Figure 3  Web Site Home Directory Path

  6. In the Web Site Access Permissions page, leave the default permissions as is, and click Next to finish the creation of the new virtual directory.  When you extend the SharePoint Web site into the new virtual directory, it will modify permissions on the virtual directory appropriately.

Figure 4  Web Site Access Permissions Page

 

This completes the creation of the virtual Web site that we will use to extend the SharePoint portal site.  After we have extended the SharePoint portal site into this virtual Web site, we will revisit the Web site property pages to configure Basic Authentication and verify Web site permissions.
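The two procedures above, as a script, so the extranet site can be rebuilt or audited repeatably. This is an added example, not part of the deployment kit; it assumes the adapter name "Local Area Connection", an unused lab address 172.16.1.12 for the extranet site (the SPS server itself is 172.16.1.11), the home directory C:\Inetpub\extranet, and the iisweb.vbs and adsutil.vbs administration scripts that ship with IIS 6.0.

```batch
@echo off
REM Added example (not from the deployment kit): the IP-address and
REM Web-site steps above as a script, using tools that ship with
REM Windows Server 2003 / IIS 6.0 (netsh, iisweb.vbs, adsutil.vbs).
REM Assumed values: adapter name "Local Area Connection", 172.16.1.12 as
REM the new extranet address (the lab's SPS server is 172.16.1.11) and
REM C:\Inetpub\extranet as the home directory.
setlocal
set ADAPTER=Local Area Connection
set EXTRANET_IP=172.16.1.12
set EXTRANET_MASK=255.255.255.0
set SITE_NAME=Extranet SharePoint
set HOME_DIR=C:\Inetpub\extranet
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

REM 1. Bind the additional address to the adapter (step 7 of the first
REM    procedure). The address must be unused on the 172.16.1.0/24 network.
netsh interface ip add address "%ADAPTER%" %EXTRANET_IP% %EXTRANET_MASK%
if errorlevel 1 goto :fail

REM 2. Create the home directory and a site bound only to that address on
REM    TCP 80 with no host header, so it cannot collide with the intranet
REM    site listening on 172.16.1.11.
if not exist "%HOME_DIR%" mkdir "%HOME_DIR%"
cscript //nologo %windir%\system32\iisweb.vbs /create "%HOME_DIR%" "%SITE_NAME%" /i %EXTRANET_IP% /b 80
if errorlevel 1 goto :fail

REM 3. Recover the metabase path of the new site; iisweb /query prints it
REM    in parentheses after the site name, e.g. "(W3SVC/1234567)".
set SITE_PATH=
for /f "tokens=2 delims=()" %%p in ('cscript //nologo %windir%\system32\iisweb.vbs /query "%SITE_NAME%" ^| find "(W3SVC/"') do set SITE_PATH=%%p
if "%SITE_PATH%"=="" goto :fail

REM 4. AuthFlags is a bit mask: 1=Anonymous, 2=Basic, 4=Integrated.
REM    Setting 4 (Integrated only) is the same as clearing "Allow anonymous
REM    access to this Web site" in the wizard; the guide switches the site
REM    to Basic (2) after SharePoint has been extended into it.
%ADSUTIL% SET %SITE_PATH%/Root/AuthFlags 4
if errorlevel 1 goto :fail

REM 5. Verify the binding and authentication before extending SharePoint.
%ADSUTIL% GET %SITE_PATH%/ServerBindings
%ADSUTIL% GET %SITE_PATH%/Root/AuthFlags
echo Created "%SITE_NAME%" at %SITE_PATH% on %EXTRANET_IP%:80 with anonymous access disabled.
endlocal
exit /b 0

:fail
echo Configuration failed; see the output above.
endlocal
exit /b 1
```

Run it from an elevated command prompt on the SharePoint server; the two GET calls at the end print the values IIS Manager shows on the Web Site and Directory Security tabs, so the result can be checked without opening the console.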


Step-by-Step How To:  Extending SharePoint Portal Site into the Extranet Virtual Web Site

This section describes how to extend a pre-existing SharePoint site into the new virtual Web site created in the steps above. One of the decisions you must make before extending the SharePoint site into the new virtual server is whether the SharePoint site will use the same application pool as the intranet site, or whether it will use a different application pool.  The application pool can be created prior to extending the SharePoint site, or it can be created during the process of creating the SharePoint site.

What is an Application Pool?

An application pool is a feature of IIS 6.0 that allows one or more Web applications to be isolated from others running in different application pools.  Because these applications have their own worker process, failure of an application in one application pool will not affect other applications running in another pool.  Furthermore, each application pool can use a different identity setting to enhance security. 

 

An application pool identity is the security context used by the worker process.  Before IIS 6.0, worker processes ran in the security context of the LocalSystem account, which has almost unrestricted access to the operating system.  This has a number of security implications.  With application pool identity settings, it is possible to use accounts for the security context of the worker process that have relatively low levels of access to the operating system. 

 

For example, one account that can be used for an application pool is the NT Authority\NetworkService account.  This account has limited access to the local computer and network resources.  Some of the rights this account has include Logon as a service, Replace a process-level token, Access this computer from the network, Allow log on locally, and Impersonate a user account after authentication. 

 

You can also create a user account to use for the application pool identity.  However, whatever account you use for the SharePoint application pool identity, this account must have a SQL Login, and it must have the db_owner role in the SharePoint databases used by the site.  These databases are the <portal site>_SITE database, <portal site>_SERV database, <portal site>_PROF database, and the SharePoint configuration database (by default SPS01_Config_db).

 

Note:

If you have installed SharePoint Portal Server with the WMSDE version of SQL server, you will need to install the SQL Server tools to add logins and make changes to the database roles.  This requires that you purchase a license for SQL Server 2000 Standard or Enterprise edition.

 

Although using different application pools and identities for SharePoint sites complicates administration, their use enhances security and reliability.  For example, if the application pool identity is compromised, only the SharePoint site using the application pool is affected, not all of them.  Furthermore, the failure of an application in a dedicated application pool affects only the SharePoint site(s) that use the application pool, not all of them. 

 

For more information on the topic of application pools, identities, and SharePoint sites, please see the Microsoft whitepaper, Creating Additional Portal Site Application Pools for SharePoint Portal Server 2003.
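The identity discussion above (a dedicated pool, NetworkService rather than LocalSystem, and a SQL login with db_owner) as a script that creates the pool and checks both settings. This is an added example, not part of the deployment kit; it assumes the pool name ExtranetPool, the adsutil.vbs script that ships with IIS 6.0, a local SQL Server 2000 instance with the osql client tool, and the default configuration database name SPS01_Config_db.

```batch
@echo off
REM Added example (not from the deployment kit): create a dedicated
REM application pool running as NT AUTHORITY\NetworkService with
REM adsutil.vbs (ships with IIS 6.0), verify the identity setting, and
REM list who holds db_owner in the SharePoint configuration database.
REM Assumed values: pool name ExtranetPool, local SQL Server instance,
REM and the default configuration database name SPS01_Config_db.
setlocal
set POOL=ExtranetPool
set CONFIG_DB=SPS01_Config_db
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

REM 1. Create the pool. Each pool gets its own w3wp.exe worker process,
REM    so a crash or compromise in one pool stays inside that pool.
%ADSUTIL% CREATE W3SVC/AppPools/%POOL% IIsApplicationPool
if errorlevel 1 goto :fail

REM 2. AppPoolIdentityType: 0=LocalSystem, 1=LocalService,
REM    2=NetworkService, 3=SpecificUser (then set WAMUserName/WAMUserPass).
REM    0 recreates the pre-IIS 6.0 situation the text warns about, where
REM    the worker process has almost unrestricted access to the system.
%ADSUTIL% SET W3SVC/AppPools/%POOL%/AppPoolIdentityType 2
if errorlevel 1 goto :fail

REM 3. Read the value back; the GET output line ends in "(INTEGER) <n>",
REM    so the fourth whitespace-separated token is the number.
set IDTYPE=
for /f "tokens=4" %%v in ('%ADSUTIL% GET W3SVC/AppPools/%POOL%/AppPoolIdentityType') do set IDTYPE=%%v
if not "%IDTYPE%"=="2" (
    echo Pool %POOL% identity type is "%IDTYPE%", expected 2 ^(NetworkService^)
    goto :fail
)

REM 4. The pool identity needs a SQL login and db_owner in the portal
REM    databases. Listing current db_owner members shows whether the
REM    NT AUTHORITY\NETWORK SERVICE login has been granted the role yet.
osql -E -S . -d %CONFIG_DB% -Q "EXEC sp_helprolemember 'db_owner'"

echo Application pool %POOL% created with NetworkService identity.
endlocal
exit /b 0

:fail
echo Configuration failed; check the adsutil/osql output above.
endlocal
exit /b 1
```

Repeat the osql query against the <portal site>_SITE, _SERV and _PROF databases to confirm the same role membership there.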

 

Creating Application Pool for Use by Extranet Web Site

Although it is possible to create a dedicated application pool during the process of extending the portal site, you can create the application pool beforehand using the Internet Information Services (IIS) Manager.  The NT Authority\NetworkService account has very limited rights and consequently makes a good candidate for use as the application pool identity.  To create an application pool,

 

  1. Open the Internet Information Services (IIS) Manager MMC console, right click on the Application Pools node, point to New in the context menu, and click on Application Pool, as in Figure 5 below.

Figure 5  Creating New Application Pool

 

  2. In the Add New Application Pool dialog box, type a descriptive name for the new pool in the Application pool ID field.

  3. In the Application pool settings frame, select the Use existing pool as template radio button; select the application pool used by the SharePoint intranet site from the Application pool name drop down box, and click OK.  The properties page for the application pool will appear.