Microsoft Internet Security and Acceleration Server 2000 SharePoint Portal Server Deployment Kit

 

Chapter 3

Quick Start: Configuring SharePoint Extranet Virtual Web Site and ISA Server Web Publishing

 

 

 

 

 

 

Martin Grasdal

Dr. Thomas W Shinder

December 2003

 

Table of Contents

 

Abstract 3

Overview. 4

Step-by-Step Background Information. 6

Step-by-Step How To:  Creating New Virtual Web Site To Host the Extranet SharePoint Site. 8

Step-by-Step How To:  Extending SharePoint Portal Site into the Extranet Virtual Web Site. 13

What is an Application Pool?. 13

Creating Application Pool for Use by Extranet Web Site. 14

Extending SharePoint Site to Extranet Virtual Web Site. 17

Configuring Virtual the Web Site To Support Basic Authentication. 21

Testing Extranet SharePoint Site from Internal Client 23

Step-by-Step How To:  Configuring ISA Server 2000 To Protect and To Publish SharePoint Extranet Web Site  24

Configuring IP Packet Filter Settings. 26

Creating a Destination Set 30

Creating a Web Publishing Rule. 33

Configuring the Incoming Web Requests Listener 36

Troubleshooting Tips for Web Publishing Rules. 39

Configuring Outbound Access for Internal ISA Clients. 39

Summary. 41

 

 

 

Abstract

ISA Server 2000 Web Publishing Rules can provide highly secure and available access to a SharePoint Portal Server 2003 extranet site.  The security of Web Publishing Rules can be further enhanced by leveraging the in-built security features of IIS 6.0 on Windows 2003 and SharePoint Portal Server 2003.  This document shows you how to create a secure solution for a SharePoint extranet Web site by extending the SharePoint Portal Server 2003 site into a new virtual Web site that uses an application pool to isolate worker processes in IIS 6.0, configuring the Web site to use a different authentication method, and to configure ISA Server to publish the Web site using a Web Publishing Rule.

 

This chapter provides an overview of the need for a separate site for extranet access and a summary of the relevant features of ISA Server 2000 that make the extranet site available to external clients.  It then provides an explanation of how to set up the SharePoint Portal site in a separate virtual Web site and how to configure ISA Server 2000 firewall  to protect and publish the extranet SharePoint site.

 

Enabling a SharePoint extranet site for access from the Internet requires the following steps:

 

·         Creating a new virtual Web site to host the extranet SharePoint Web site.

o        Adding an IP address to Windows 2003 server to assign to new Web site.

o        Adding a new Web site using Internet Information Services (IIS) Manager.

·         Extending SharePoint Portal Web into the extranet Web site.

o        Creating a new application pool in IIS 6.0 for use by the extranet SharePoint Site (optional).

o        Creating a new SharePoint portal site in the extranet virtual Web site, or mapping an existing SharePoint portal site to the extranet virtual Web site.

o        Configuring authentication methods on the extranet virtual Web site.

o        Testing the extranet site from the internal network.

·         Configuring ISA Server 2000 to protect and to publish the extranet SharePoint site.

o        Enabling Packet Filtering and IP Routing on ISA Server 2000 firewall.

o        Configuring the Incoming Web Requests Listener.

o        Adding a Destination Set.

o        Testing the Web Publishing rule on ISA Server from external client.

o        Creating a Protocol Rule to enable outbound access for internal clients (optional)

Overview

An extranet is a collection of internal resources that is made available to Internet clients. Access to the extranet usually occurs through a firewall, such as ISA Server 2000, to provide security for extranet resources.  A SharePoint Portal Server 2003 site is a sophisticated Web-based application that provides an intuitive and easy-to-use Web browser interface that provides complete access to SharePoint’s powerful capabilities.  Many organizations will find it desirable to make some or all of SharePoint’s resources available on an extranet for external employees, customers, or business partners. 

 

In almost all cases where SharePoint is deployed as an extranet resource, its configuration will differ from the configuration of SharePoint site(s) located on the intranet.  For example, it may be desirable to support Anonymous or Basic authentication to allow customers and business partners to connect at will.  Or, it may be desirable to implement Secure Sockets Layer (SSL) on the SharePoint site to provide a higher degree of protection for user credentials and data.  Or, it may be desirable for the extranet SharePoint site to connect to different content databases than the intranet site. 

 

All of these scenarios and others require that the extranet site use a different virtual web site from the intranet site.  For example, if a user authenticates to a SharePoint site using Basic Authentication, and the SharePoint Web site is configured to use both Basic and Windows Integrated Authentication, the user will not be able to view search results when he or she invokes a search query on the SharePoint site.  However, if the SharePoint Web site is configured to use Basic Authentication only, the user will be able to view the results of a search.  Because it is undesirable to disable Windows Integrated Authentication on the intranet SharePoint site, it is necessary to create a new SharePoint web site that supports Basic Authentication only.

 

Access to the SharePoint extranet must occur through a firewall to assure a high level of protection.  Furthermore, the firewall must be capable of providing a high degree of functionality for external clients who use the extranet SharePoint site, while at the same time providing a high degree of protection. 

 

ISA Server 2000 is a highly secure and extensible firewall solution that makes it the ideal firewall solution for controlling access to the extranet.  Its advanced features, such as Web publishing and Server publishing rules, Application Layer filtering, Link Translation, Basic Delegation of Authentication Credentials, SSL bridging, detailed logging, and others, help to ensure a high degree of both protection and functionality.

 

In particular, the use of Web publishing rules to make an extranet SharePoint site available to external clients confers a number of unique advantages over using ISA Server 2000 Server Publishing rules or using other firewall products to provide access to the extranet.  Advantages of using ISA Server 2000 Web Publishing rules include:

 

·         Use a single external IP address to publish multiple Web sites.

·         Use multiple incoming listener configurations with multiple IP addresses to support use of different digital certificates and authentication methods.

·         Authenticate with the ISA Server 2000 firewall using basic, integrated, digest, or certificate authentication.

·         Use port redirection to redirect HTTP requests to an alternate port used by the Web server on the internal network.

·         Inspect the URL in the HTTP header and determine destination for request on intranet or perimeter network (DMZ).

·         Extend ISA Server 2000 firewall security by installing URLScan 2.5 to perform deep inspection of HTTP header information and accept or deny connections based on a configurable set of rules.

·         Terminate SSL requests (HTTPS) at the ISA Server 2000 firewall and redirect them as HTTP requests to the internal Web server.  This allows HTTP traffic to be inspected before it is allowed into the internal network and saves CPU cycles on the Web server because it does not have the overhead of encrypting traffic.

·         Terminate SSL requests (HTTPS) at the ISA Server 2000 firewall and redirect them as HTTPS requests to the internal Web server.  This allows HTTPS traffic to be inspected before it is allowed into the internal network and enhances end-to-end security for data sent between clients and Web server.

Step-by-Step Background Information

 

The test lab used to demonstrate these step-by-step instructions has the following configuration:

 

·         Internal Network.  The internal network uses the 172.16.1.0/24 network ID.  The default gateway for the network is 172.16.1.1, which is the internal IP address of the ISA Server.

·         External Network  The external network uses a 192.168.100.0/24 network ID.

·         Internal DNS and Active Directory Namespace  Internal.net is used as the Active Directory and DNS namespace for the internal network. 

·         Active Directory.  A Windows 2003 Active Directory domain controller named Ad1.internal.net is used to provide directory and DNS services.  DNS is set up with root hints and forwarding to support resolution to the external network and the Internet.  The IP address of the domain controller is 172.16.1.10.

·         External DNS Namespace.  External.net is used as the DNS namespace for external clients connecting to resources published through the ISA Server 2000 firewall.  The DNS zone files for external.net are located on the external network. The zone has been pre-configured with a single host record pointing to the external IP address of the ISA Server 2000 firewall to resolve the Fully Qualified Domain Name (FQDN) extranet.external.net for access to extranet SPS Web site.

·         SharePoint Portal Server 2003 Configuration.  SharePoint Portal Server 2003 installed is set up on a Windows 2003 computer named Sps.internal.net.  The SharePoint server uses a co-located SQL Server 2000 Standard Edition for the configuration and content databases.  The SPS server has a primary IP static IP address of 172.16.1.11 that uses 172.16.1.1 as the default gateway. 

·         SharePoint Server Virtual Web Site Configuration.   IIS 6.0 was installed on the Windows 2003 server as per the SharePoint Portal Server 2003 prerequisites found in the SharePoint Portal Server 2003 help files and the SharePoint Portal Server 2003 Customer Evaluation Guide.  The intranet SPS virtual Web site is located at 172.16.1.11 and is configured to use Windows Integrated Authentication only.  Specifically, IIS 6.0 has been configured as follows: 

o        Application Server with the following components:

§         Microsoft ASP.NET

§         Enable COM+ Components

§         Microsoft Internet Information Services with the following components:

·         Common Files

·         Internet Information Services Manager

·         World Wide Web Service with the following components:

o        Active Server Pages

o        World Wide Web Service

·         ISA Server 2000 Configuration.  ISA Server 2000 with Service Pack 1 and HotFix isahf255.exe is installed on a Windows 2003 server.  Other than the configuration of the Local Address Table (LAT), ISA Server is configured using the defaults from the installation setup program.  For specific instructions for installing an ISA Server on Windows 2003, please see Tom Shinder’s article, Installing ISA Server 2000 on Windows Server 2003 on the ISAServer.org Web site.  The ISAServer.org Web site contains much useful information on installing and configuring ISA Server, such as Will Schmied’s article, Installing ISA Server 2000, and Jim Harrison’s article, Configuring ISA Server Interface Settings.  Another good source of information and instruction is the Microsoft TechNet ISA Server Web site.

o        External NIC configuration:

§         IP address: 192.168.100.22/24

§         Default Gateway: 192.168.100.254/24

§         File and Print Sharing: disabled

§         Client for Microsoft Networks: disabled

§         NetBIOS: disabled

§         Registration of external IP address in Dynamic DNS zone: disabled

§         DNS server: None

§         Binding order: lowest

o        Internal NIC configuration:

§         IP address: 172.16.1.1/24

§         Default Gateway: None

§         File and Print Sharing: enabled

§         NetBIOS: enabled

§         Registration of IP address in Dynamic DNS zone: enabled

§         DNS server: 172.16.1.10

§         Binding order: highest

 

o        ISA configuration details:

§         Installation type: Standalone

§         Installation mode: Integrated (firewall and proxy services)

§         Local Address Table (LAT): 172.16.1.0 – 172.16.1.255

§         Site and Content Rule: Default

§         Client Configuration:  All clients configured as S-NAT clients (no Web proxy client configuration or Firewall client).

 

Step-by-Step How To:  Creating New Virtual Web Site To Host the Extranet SharePoint Site

This section provides basic instructions for setting up a new virtual Web site on IIS 6.0.  This new Web site will subsequently be used to demonstrate how to map an existing SharePoint site from the virtual Web site where a SharePoint portal site resides.  Note that the extranet SharePoint site will be hosted on the same server as intranet SharePoint site. 

 

This may not be a desirable configuration in a production environment, and you may wish to host the extranet site on a different server.  Also, this step-by-step walkthrough assumes that a pre-existing SharePoint site exists that can be used for the extranet.  For specific instructions on setting up SharePoint Portal server, please see the SharePoint Portal Server 2003 help files and the SharePoint Portal Server 2003 Customer Evaluation Guide.

 

Creating New Virtual Web Site

 

An IIS server can host multiple virtual Web sites that use a single, shared IP address or that use individual IP addresses that are not shared with other Web sites.  To use a single, shared IP address for multiple Web sites requires that the Web sites are configured with host header names that uniquely identify the Web sites.  Using non-shared IP addresses for virtual Web sites does not require host header names, but it does require that multiple IP addresses (one for each virtual Web site) are bound to the network adapter. 

 

These step-by-step instructions demonstrate how to create a virtual Web site and assign it to an IP address not currently in use by a Web site.

 

To add a new IP address to the Windows 2003 server,

 

  1. Click Start | Settings | Control Panel. 
  2. Double click on the Network Connections folder in Control Panel.
  3. Right click on the appropriate network adapter, and click on Properties from the context menu.  The network adapter’s Properties dialog box appears.
  4. In the Properties dialog box, highlight Internet Protocol (TCP/IP), and click the Properties button.  The Internet Protocol (TCP/IP) Properties dialog box appears.
  5. Click the Advanced button.  The Advanced TCP/IP Properties dialog box appears.
  6. In the IP Addresses frame, click the Add button.
  7. In the TCP/IP Address dialog box, enter an IP address and subnet mask in the appropriate fields, and click Add.
  8. Click OK twice, and then click Close to finish adding the IP address.

 

Once you have added a new IP address to the Windows 2003 server, you can create a new virtual Web site and assign it to the newly added address.  To create the new Virtual Web site,

 

  1. Click Start | Administrative Tools, and double click on the Internet Information Services (IIS) Manager.  The IIS MMC console opens.

    2.
  2. In the Internet Information Services (IIS) Manager console, right click on the Web Sites node in the left-hand pane, and select New | Web Site from the context menu, as in Figure 1 below.

Figure 1 IIS Manager Console



  1. On the Welcome to the Web Site Wizard page, click Next.  The IP Address and Port Settings page appears.

    2.
  2. In the IP Address and Port Settings page, enter an unassigned IP address for the new web site, as in Figure 2 below, and press Next. 

    To use a shared IP address for the new Web site, you could either enter a host header name, which is the FQDN that external clients would use to connect to the site, or assign the Web site an unused TCP port.  Web publishing rules in ISA Server 2000 allow you to redirect an HTTP request to a TCP port other than port 80 on an internal Web server, so it is possible to use a different TCP port for the internal Web site without inconveniencing external clients.

Figure 2  IP Address and Port Settings of New Web Site




  1. In the Web Site Home Directory page, enter the path to a folder in the file system that will contain the files for the home directory. 

    If you have not previously created the folder, you can create it at this time by pressing the Browse button, which will present you with an interface to browse to folders in the file system and create a new folder. Create a folder for the extranet Web site here.

    You do not wish to allow anonymous access to the Web site. Clear the check box for Allow anonymous access to this Web site, as in Figure 3 below, and click Next.

 

Figure 3  Web Site Home Directory Path

 


  1. In the Web Site Access Permissions page, leave the default permissions as is, and click Next to finish the creation of the new virtual directory.  When you extend the SharePoint Web site into the new virtual directory, it will modify permissions on the virtual directory appropriately.

Figure 4  Web Site Access Permissions Page

 

This completes the creation of the virtual Web site that we will use to extend the SharePoint portal site.  After we have extended the SharePoint portal site into this virtual Web site, we will revisit the Web site property pages to configure Basic Authentication and verify Web site permissions.

Step-by-Step How To:  Extending SharePoint Portal Site into the Extranet Virtual Web Site

This section describes how to extend a pre-existing SharePoint site into the new virtual Web site created in the steps above. One of the decisions you must make before extending the SharePoint site into the new virtual server is whether the SharePoint site will use the same application pool as the intranet site, or whether it will use a different application pool.  The application pool can be created prior to extending the SharePoint site, or it can be created during the process of creating the SharePoint site.

What is an Application Pool?

An application pool is a feature of IIS 6.0 that allows one or more Web applications to be isolated from others running in different application pools.  Because these applications have their own worker process, failure of an application in one application pool will not affect other applications running in another pool.  Furthermore, each application pool can use a different identity setting to enhance security. 

 

An application pool identity is the security context used by the worker process.  Previous to IIS 6.0, worker processes ran in the security context of the LocalSystem account, which has almost unrestricted access to the operating system.  This creates a number of security implications.  With application pool identity settings, it is possible to use accounts for the security context of the worker process that have relatively low levels of access to the operating system. 

 

For example, one account that can be used for an application pool is the NT Authority\NetworkService account.  This account has a limited access to the local computer and network resources.  Some of the rights this account has include Logon as a service, Replace a process-level token, Access this computer from the network, Allow log on locally, and Impersonate a user account after authentication. 

 

You can also create a user account to use for the application pool identity.  However, whatever account you use for the SharePoint application pool identity, this account must have a SQL Login, and it must have the db_owner role in the SharePoint databases used by the site.  These databases are <portal site> _SITE database, <portal site>_SERV database, <portal site>_PROF, and the SharePoint configuration database (by default SPS01_Config_db).

 

*        Note:

If you have installed SharePoint Portal Server with the WMSDE version of SQL server, you will need to install the SQL Server tools to add logins and make changes to the database roles.  This requires that you purchase a license for SQL Server 2000 Standard or Enterprise edition.

 

Although using different application pools and identities for SharePoint sites complicates administration, their use enhances security and reliability.  For example, if the application pool identity is compromised, only the SharePoint site using the application pool is affected, not all of them.  Furthermore, the failure of an application in a dedicated application pool affects only the SharePoint site(s) that use the application pool, not all of them. 

 

For more information on the topic of application pools, identities, and SharePoint sites, please see the Microsoft whitepaper, Creating Additional Portal Site Application Pools for SharePoint Portal Server 2003.

 

Creating Application Pool for Use by Extranet Web Site

Although it is possible to create a dedicated application pool during the process to extend the portal site, you can create the application pool beforehand using the Internet Information Services (IIS) Manager.  The NT Authority\NetworkServices account has very limited rights and consequently makes a good candidate for use of as the application pool identity.  To create an application pool,

 

  1. Open the Internet Information Services (IIS) Manager MMC console, right click on the Application Pools node, point to New in the context menu, can click on Application Pool, as in Figure 5 below.

Figure 5  Creating New Application Pool

 

  1. In the Add New Application Pool dialog box, type in a descriptive name for the new pool in the Application pool ID.

    2.
  2. In the Application pool settings frame, select the Use existing pool as template radio button; select the application used by the SharePoint intranet site from the Application pool name drop down box, and click OK.  The properties page for the application pool will appear.

Figure 6  Selecting SharePoint Application Pool as Template

 


  1. In the <Name-of-application-pool> Properties dialog box, click the Identity tab to verify that the appropriate account is being used.  You can use the account used by default SharePoint application pool, or you enter another account in this page for use by the application pool.  If you want to use the NT Authority\NetworkSevice account, select the Predefined radio button, and then select Network Service from the drop-down list.  Click OK to finish the creation and configuration of the application pool.

 

*       Note[twsmd1] :
Make sure the account you use for the application pool has sufficient rights and privileges.  For example, the account must have the db_owner role for the SharePoint configuration and content databases.

Figure 7  Configuring Identity for Application Pool

 

Extending SharePoint Site to Extranet Virtual Web Site

In this demonstration, we will extend the SharePoint site into a new Virtual Web site. The extranet SharePoint site will use the application pool we created in the above steps.

 

The process for extending the SharePoint site is as follows: 

 

  1. On the task bar, click Start, point to Programs | SharePoint Portal Server, and then click on SharePoint Central Administration.  (As an alternative, you can access the administrative pages from the SharePoint site by clicking on Go to SharePoint Portal Server central administration site from the General Settings section.)  The administration site appears, as in Figure 8 below.

Figure 8 SharePoint Central Administration Site

 


  1. Click on Extend an existing virtual server from the Virtual Server List page.  The Virtual Server List appears showing the name of the virtual server created in the steps above, as in Figure 9 below.

Figure 9 Virtual Server List

 


  1. Click on the <name of virtual server> in the Virtual Server List.  The Extend Virtual Server page appears, as in Figure 10 below. 

Figure 10  Choosing a Provisioning Option

 

On the Extend Virtual Server page, you are presented with the option either to Extend and create a content database or to Extend and map to another virtual server.  Because we are going to make the intranet SharePoint site available to Internet users, we are going to choose the option to Extend and map to another virtual server.


  1. Click Extend and map to another virtual server.  The Extend and Map to Another Virtual Server configuration page appears, as in Figure 11 below.

Figure 11 Extending and Mapping to Another Virtual Server

 

  1. In the Extend and Map to Another Virtual Server page, verify the Server Mapping setting.  This should be the virtual server hosting the intranet SharePoint site.  Then configure the Application Pool settings as appropriate. 
    1. If you wish to use an existing application pool, click the radio button for Use an existing application pool, and select the application pool from the drop-down list. 
    2. If you wish to create a new application pool for the SharePoint site, select the radio button Create a new application pool, and enter a name for the pool.
    3. In the Select a security account for this application pool section, you can choose to use one of the 3 pre-defined application pool accounts (NT Authority\NetworkService, NT Authority\LocalSystem, or NT Authority\LocalService) or a configurable account. 
  2. Click OK at the bottom of the Extend and Map to Another Virtual Server page to complete the configuration.

Configuring Virtual the Web Site To Support Basic Authentication

Once these steps have been completed, it is necessary to configure the authentication method for the virtual Web site to support basic authentication only and to test the Web site from an internal client.

 

To configure the Web site to support basic authentication only,

 

  1. Open the Internet Information Services (IIS) Manager MMC console, expand the Web Sites node, right click on the newly created Web site node, and click Properties from the context menu. The <Name-of-virtual-Web-site> Properties page appears.
  2. In the Properties page of the virtual Web site, click on the Directory Security tab, and then click on the Edit button in the Authentication and access control frame, as in the figure below.

Figure 12 Directory Security Tab of Web Site Properties Page

 


  1. In the Authentication Methods dialog box that subsequently appears, you should see that Integrated Windows Authentication is selected.  Clear the box beside Integrated Windows Authentication, and click the box beside Basic authentication (password is sent in clear text) to enable basic authentication. A warning will appear informing you of the consequences of basic authentication, as in the figure below. 

 

*       Note:
Make sure that you select only one authentication method.  Otherwise, you may see some peculiar behavior of the Web site.  For example, the search function may not work properly for external clients who connect using basic authentication through the ISA Server 2000 firewall, if both integrated and basic authentication methods are selected for the Web site.

Figure 13 Basic Authentication Warning Message



  1. In the IIS Manager warning message, click Yes. 
  2. In the Default domain text box, enter the name of the Windows domain, or click the Select button and select the domain name.  Configuring a domain name here will make it unnecessary for external clients to enter the domain name along with their account name (eg. Internal\UserName).
  3. Click OK twice to commit changes to authentication method.

 

Testing Extranet SharePoint Site from Internal Client

Once you have finished configuring the authentication method for the extranet SharePoint site, you should test the Web from an internal client.  To do this,

 

  1. Open Internet Explorer, enter http://<internal-IP-address-of-extranet-site> in the address box, and press Enter.  You should be prompted for your account credentials.  (If you are not prompted for credentials, this means the web site is still using integrated authentication.)  Enter a user name (without the domain prefix to test the default domain setting in IIS) and password, as in the figure 14, and press OK.

 

Figure 14  Testing Extranet Web Site

Step-by-Step How To:  Configuring ISA Server 2000 To Protect and To Publish SharePoint Extranet Web Site

A default installation of ISA Server 2000 prevents both inbound and outbound access.  To make internal resources available to external clients, it is necessary to configure either Web or Server Publishing rules on the ISA Server 2000 firewall.  Web Publishing Rules can be used to publish internal Web sites.  Web publishing rules can also be used to publish internal FTP sites by redirecting HTTP requests as FTP to an internal FTP server. 

 

Server Publishing Rules can be used to publish all other services, including Web and FTP services, provided a protocol definition is configured on the ISA server.  (Some protocols, such as FTP or H.323, also require an application filter in addition to a protocol definition to handle the opening of secondary ports to enable communication across the ISA Server 2000 firewall.)

 

This section explains how to publish a SharePoint site using a Web publishing rule on ISA Server 2000.  These instructions assume a default installation setup of ISA Server 2000 in integrated mode (Firewall and Web proxy services).  For information on the configuration of the ISA Server used in this demonstration, please go to the beginning of this document.

 

There are 3 ISA Server elements that have to be configured to publish a Web site using a Web publishing rule:

 

  1. Destination Set.  Destination sets are used to control both inbound and outbound access. They are used by a number of ISA Server 2000 Policies, such as Site and Content Rules and Bandwidth Rules. A Destination Set is a collection of one or more Fully Qualified Domain Names (FQDNs) or IP addresses.  A Destination Set can also comprise a set of one or more path statements that can be used to direct requests to specific subdirectories under the root directory of the Web server.

  2. Web Publishing Rule.  A Web Publishing Rule is an ISA Server 2000 Policy Element that uses a Destination Set to determine where on the internal network to send HTTP or HTTPS requests from external clients. Web Publishing Rules are flexible and can be used to redirect HTTP requests to other ports and to FTP servers.  Furthermore, they can be configured to redirect HTTPS requests as HTTP requests to internal Web servers.

  3. Incoming Web Requests Listener.  Web Publishing Rules depend upon the Incoming Web Requests Listener.  The listener redirects requests through the ISA Server 2000 firewall’s Web Proxy Service for processing before it is sent to the internal network.  This means the request can be cached and the content of the HTTP request can be inspected by a Web application filter. 

    The Incoming Web Request Listener listens on the default ports for HTTP (80) and HTTPS (443) connections, but it can also be configured to listen on other ports.  Furthermore, the listener can be configured to use a digital certificate for HTTPS connections and can be configured to support a variety of authentication methods, such as integrated, basic, digest, and client digital certificate authentication. 

 

The Incoming Web Requests Listener can be configured to use the same listener configuration for all IP address bound to the external interface of the ISA Server 2000 firewall, or different listener configurations can be applied to individual IP address.  This is useful if, for example, it is necessary to use two or more different digital certificates for HTTPS requests.

Assuming a default configuration of ISA Server 2000, it is also necessary to verify and configure appropriate IP Packet Filter settings, in addition to configuring these 3 elements. Primarily, these settings are used to control what packets are accepted on the external interface (for both inbound and outbound access).  However, the IP Packet filter settings are also used to enable PPTP access, logging levels, and intrusion detection settings.

 

The steps for publishing a SharePoint and other Web site using Web Publishing Rules on an ISA Server are as follows:

 

·         Configuring IP Packet Filter Settings

·         Creating a Destination Set

·         Creating a Web Publishing Rule

·         Configuring the Incoming Web Requests Listener

 

The following instructions are based on the Advanced View, rather than the Taskpad View of the ISA Management MMC console.  The Advanced View is enabled through the View drop-down menu of the ISA Management MMC console.

Configuring IP Packet Filter Settings

The following steps show you how to configure appropriate settings for IP Packet Filtering:

 

  1. Open the ISA Management MMC console, expand the Access Policy node in the left-hand pane, and right click on IP Packet Filters to display the context menu as in the figure below.

 

Figure 15  IP Packet Filters Access Policy

 


  1. Click Properties in the IP Packet Filters context menu.  The IP Packet Filters Properties page appears, as in the figure below.

 

Figure 16  IP Packet Filters Properties Pages

 

On the General tab, you want to ensure that packet filtering is enabled.   For greater security, you can also enable intrusion detection here and then subsequently configure settings for specific kinds of attacks, such as LAND and Ping of Death, on the Intrusion Detection tab.  If you want to allow PPTP access through the ISA Server 2000 firewall, you need to enable IP routing in addition to enabling PPTP through the PPTP tab. 

 

IP routing is required in two situations: 

 

    • It is necessary to enable IP routing when protocols other than TCP or UDP are involved, for example, ICMP (used for ping, etc.) and GRE (used for PPTP).  So, if you want to be able to ping an external host from behind the ISA Server 2000 firewall, you need to enable IP routing.
    • It is also necessary to enable IP routing when ISA Server 2000 is configured as a tri-homed perimeter network (that is the ISA Server has three network adapters, one of which is connected to a perimeter network using a pubic IP address). 

 

However, enabling IP routing can result in performance improvements for SecureNAT clients on the internal network.

 

  1. Verify that, at a minimum, packet filtering is enabled on General tab, and enable Intrusion detection and IP routing as appropriate.
  2. Select the Packet Filters tab, as in the figure below.

 

Figure 17 Packet Filters Tab

 

On the Packet Filters tab, you are presented with the options to enable filtering of IP fragments, to enable filtering of IP options, and to log packets from “Allow” filters.  The options to enable filtering of IP fragments and IP options provide greater security against certain attacks that exploit the mechanisms of fragmented IP datagrams and the options field of an IP datagram.  Be aware that if you enable filter of IP fragments, some multimedia applications and applications that require certificate exchange (such as L2TP/IPSec) that rely on fragmented IP datagrams may not work properly or at all.

  1. On the Packet Filters tab enable the filtering and logging options as appropriate.

    2.
  2. If you have enabled intrusion detection, click on the Intrusion Detection tab and enable the intrusion detection settings as appropriate.

 

Figure 18  Intrusion Detection Tab

 

 

  1. Click OK when you have finished configuring the IP Packet Filter settings.

Creating a Destination Set

After configuring appropriate Packet Filter settings, the next step for configuring Web publishing is to create a Destination Set that will be used by the Web Publishing Rule.  To create a Destination Set,

 

  1. Open the ISA Management MMC console, expand the Policy Elements node, right click on Destination Sets, and point to New | Set in the context menu, as in figure 19.

 

Figure 19  Creating a New Destination Set

 


  1. In the New Destination Set dialog box, enter a descriptive name for the destination set in the Name text box, as in the figure 20.

 

Figure 20  New Destination Set

 


  1. After entering a name and a description (optional), click on the Add button.  The Add/Edit Destination dialog box appears, as seen in figure 21.

 

Figure 21 Add/Edit Destination

 

  1. Ensure that the Destination radio button is selected and enter the Fully Qualified Domain Name (FQDN) that external clients use to connect to the SharePoint site in the Name text box.

    Note:
    It is extremely important that you use the external FQDN of the SharePoint site here.  Destination Sets and Web Publishing Rules are sometimes a little confusing.  It may help to keep in mind that the Web Publishing Rule will match a request for a particular FQDN in the HTTP header with an entry in a Destination Set to determine where to redirect the traffic on the internal network. 

  2. Click OK to finish the creation of the Destination Set.

 

Creating a Web Publishing Rule

After creating the Destination Set, the next step is to create a Web Publish rule to redirect the request from an external client to the extranet SharePoint Site on the internal network.

 

  1. In the ISA Management MMC console, expand the Publishing node, right click on the Web Publishing Rules object, and select New | Rule from the context menu as in the figure below.

Figure 222

 

  1. In the Welcome to the New Web Publishing Rule Wizard page that subsequently appears, enter a descriptive name for the Web Publishing Rule, and click Next.

  2. In the Destination Sets page, select Specified destination set from the Apply this rule to drop-down list.  Then, in the Name drop-down list, select Destination Set that we created in the previous steps.  The figure 23 shows the appropriate settings.

 

Figure 233 Selecting a Destination Set

 

  1. Click Next to proceed to the Client Type page of the wizard.
  2. On the Client Type page, select the Any request radio button, and click Next to proceed to the Rule Action page of the wizard.

 

Figure 24  Rule Action Page

 

  1. In the Rule Action page, select the radio button to Redirect the request to this internal Web server (name or IP address), and enter the IP address of the SharePoint extranet Web site.  Then, click the check box to Send the original host header to the publishing server instead of the actual one (specified above).  This setting preserves the FQDN specified in the HTTP header of the request from the external client. 

    It is possible to use an unqualified or fully qualified domain name for SharePoint site, instead of the IP address.  However, this name must be resolvable to an internal IP address by the ISA Server 2000 firewall either through a Hosts file entry on the ISA Server or a DNS server. 

  2. Click Next, and then click Finish on the Completing the New Web Publishing Rule Wizard page that subsequently appears.

 

Configuring the Incoming Web Requests Listener

By default, the ISA Server 2000 firewall will not allow external clients to connect to the published Web site unless the Incoming Web Requests Listener is configured to listen for requests on its external interface(s).  To configure a listener for the published SharePoint extranet Web site,

 

  1. Open the ISA Management MMC Console, right click on the server node object (it will be labeled with name of your ISA Server), and select Properties from the context menu.  The <Name-of-ISA-Server> Properties dialog box appears.
  2. In the Properties dialog box, select the Incoming Web Requests tab, as shown in figure 24.

 

Figure 25  Incoming Web Listener Property Page

 

It is possible to use the same listener configuration for all IP addresses bound to the external interface or to use different listener configurations for each of the bound IP addresses.  In this demonstration, we are going to configure the listener settings for a specific IP address.

 


  1. In the Identification frame of the Incoming Web Requests page, select the radio button to Configure listeners individually per IP address, and then click the Add button.  The Add/Edit Listeners page appears, as in the figure below.

    On this page, it is also possible to configure the listener to force external clients to authenticate with the ISA Server 2000 firewall before it will forward requests to the internal network. This is accomplished by selecting the box to Ask unauthenticated users for identification in the Connections frame.  When this check box is unselected, the ISA Server 2000 firewall will forward anonymous connections to the Web server, which can then subsequently authenticate external connections according to its own settings.  In this example, we will let the SharePoint extranet site be solely responsible for authenticating users and will leave this check box cleared.

 

Figure 26  Add/Edit Listeners Page

 

  1. On the Add/Edit Listeners page, select the ISA Server from the Server drop-down list, and then select the desired external IP address from the IP Address drop-down list. The IP address you select here must be the IP address that resolves to the Internet FQDN of the published SharePoint site.

    Because the listener is not configured to force authentication for external connections, the settings in the Authentication frame have no effect.  You can, for the time being, safely leave these alone.

  2. Click OK when finished configuring the listener settings.  You will be asked whether or not you wish the ISA Web proxy service to be restarted, as in figure 26.

 

Figure 27  Web Proxy Service Restart Prompt

 

To facilitate immediate testing of the Web Publishing Rule, you should select the option to Save the changes, but don’t restart the service(s), and then manually restart the Web proxy service.  The reason for this is that it will take a few minutes for the ISA Server 2000 firewall to restart the service.  If you attempt to test the Web publishing rule too soon, you will receive an HTTP error response, which may subsequently be cached, further complicating your testing of the Web publishing rule.

 

  1. Choose the appropriate restart option and click OK. 

    If you choose the option to manually restart the Web proxy service, expand the Monitoring node in the ISA MMC console, open the Servers folder, right click on the Web proxy service in the contents pane, and click on Stop in the context menu.  After the service has stopped, click on Start in the context menu.

  2. The final step is to test the Web publishing rule from an external client.  Before doing so, make sure that the Web proxy service has restarted.  Then from an external client, open Internet Explorer, type in the external FQDN that you used in the destination set (make sure that this name resolves to the IP address used by the Incoming Web Requests listener), and press Enter.  If you have configured the SharePoint extranet site to support basic authentication, you will be prompted to enter authentication credentials.

 

Troubleshooting Tips for Web Publishing Rules

If you receive an error when you try to access the SharePoint site using the Web publishing rule, double check the destination set to make sure that it uses the FQDN that external clients will use.  Make sure that this name is resolvable to the external IP address of the ISA Server 2000 firewall.  Make sure that the action of the Web publishing rule, forwards the request to the appropriate IP address of the internal Web site (if using a name for this setting, make sure the ISA Server 2000 firewall can resolve the name to the internal IP address).

 

You should double check the incoming listener settings.  For example, if you have configured the listener to Ask unauthenticated users for identification, and the Web site is also configured to require authentication, the connection attempt will fail.  Unless you install Feature Pack 1 for ISA Server 2000 and enable delegation of basic authentication credentials, you cannot authenticate users at both the ISA Server 2000 firewall and the Web server.  (Integrated authentication will not work at all, since you cannot delegate authentication credentials with this method).  Make sure the Web site supports only one authentication method (either basic or integrated). 

 

If you are still are receiving an error message, stop and restart the Web proxy service.  Then, attempt to connect using a different client to mitigate the possibility you are receiving a cached error response.

Configuring Outbound Access for Internal ISA Clients

The steps provided in the above demonstration do not enable outbound access for internal clients through the ISA Server.  In order to enable outbound access for internal clients, you must, at a minimum, create a Protocol Rule policy and possibly create client address sets and configure other ISA Server policy elements, depending on your security requirements. 

 

The following steps show you how to create a simple Protocol Rule to enable outbound access for internal clients that are initiating connections with Internet hosts through the ISA Server firewall. 

 

Please note that this is a simple configuration used for demonstration purposes and is not recommended for production environments.  Just as it is important to limit inbound access, it is also important to limit outbound access. 

 

For example, the Slammer Worm would not have had as significant an impact had more administrators blocked outbound access for UDP Port 1433.  Generally, you should allow outbound access for only necessary protocols, such as HTTP, HTTPS, DNS, and so on.  Furthermore, you should limit the hosts and the users that can use these protocols through the firewall.  ISA Server 2000 is capable of providing a very fine level of access control for both inbound and outbound access.

 

To configure a simple Protocol Rule to enable outbound access,

 

  1. Open the ISA Management MMC console, expand the Access Policy node, right click on the Protocol Rules object, and select New | Rule from the context menu.

 

Figure 28 Creating a Protocol Rule

 

  1. In the Welcome to the New Protocol Wizard page that subsequently appears, enter a descriptive name, such as “All Outbound Access”, in the Protocol rule name text box, and click Next.
  2. In the subsequent Rule Action page, select the Allow radio button for the Response to client requests to use protocol setting, and click Next.
  3. In the Protocols page, select All IP traffic in the Apply this rule to drop down list, and click Next.
  4. On the Schedule page, select Always from the Use this schedule drop down list, and click Next.
  5. In the Client Type page, select the radio button for Any request for the Apply the rule for requests from setting, and click Next.

    6.
  6. On the Completing the New Protocol Rule Wizard page, click Finish.

 

Figure 29 Completing the New Protocol Rule Wizard

Summary

Web Publishing Rules in ISA Server 2000 can provide highly secure and available access to a SharePoint extranet site.  The security of Web Publishing Rules can be further enhanced by leveraging the in-built security features of IIS 6.0 on Windows 2003 and SharePoint Portal Server 2003.  This document showed you how to create a secure solution for a SharePoint extranet Web site by extending the SharePoint site into a new virtual Web site that uses an application pool to isolate the worker processes in IIS 6.0, configuring the Web site to use a different authentication method, and to configure ISA Server to publish the Web site using a Web Publishing Rule.

 [twsmd1]Is this done automatically when we configure the extranet site?