STEPS to Publish SharePoint sites created in Host Header mode (HH MODE) with ISA Server 2006

ContentsScenario: Publish a SharePoint site created in Host Header Mode (HH Mode)...........................................1

System Configuration details.......................................................................................................................2

Steps to be performed on the domain controller if you are setting up for the first time............................3

Steps to be performed on the MOSS Server................................................................................................4

Create a site collection using an Host Header mode (HH Mode) using the below command..................4

To find out if the site is created in HH Mode run the below SQL query on the content DB....................4

Creating a Certificate...................................................................................................................................5

Exporting the Certificate..............................................................................................................................5

Importing the Certificate to the ISA Server..................................................................................................6

About Microsoft® Internet Security and Acceleration (ISA) Server 2006...................................................11

Steps to be performed on the ISA Server..................................................................................................11

Steps to Install ISA 2006 Standard edition.................................................................................................11

Steps to be Publish an SharePoint site in ISA Sever...................................................................................23

Steps to be performed on the Client machine...........................................................................................46

Scenario: Publish a SharePoint site created in Host Header Mode (HH Mode)

Externally I need the users to browse the site as https://paulpa.soccer.com and SSL offloading happens at ISA and internal communication from ISA server to MOSS will be as http://paulp.soccer.com

System Configuration details

Here are the details of the servers

Domain controller with SQL Server installed (Soccer.com)

Computer name ADSSRV.soccer.com

IP : 172.22.243.168 Subnet mask : 255.255.252.0Gateway:172.22.240.1

ApplicationsSQL 2005 ,DNS, CAACCESS mode remote into the server from your desktop

Computer name MOSS.soccer.com

IP : 172.22.243.169 Subnet mask : 255.255.252.0Gateway:172.22.240.1

Application Office SharePoint server 2007 with SP 2 installedACCESS mode remote into the server from your desktop

COMPUTER NAME: ISA.soccer.com

ISA Has 2 NIC

NIC 1 (internal or corpnet)IP 172.22.243.170Subnet mask 255.255.252.0Gateway:

Application ISA 2006 Standard edition with SP1 installed ACCESS mode remote into the server from either ADSSRV or MOSS server

COMPUTER NAME: MOSS-client

IP 13.0.0.2 subnet mask 255.0.0.0

ACCESS mode remote into the client from the ISA serverNOTE: client is part of the workgroup not a domain

Steps to be performed on the domain controller if you are setting up for the first time

NIC 2 (External or Public )IP 13.0.0.5Subnet mask 255.0.0.0Gateway:

1. Install and configure a new forest and New domain Eg. Soccer.com2. install and configure DNS3. Install and configure SQL Server 20054. In the DNS Create A Records of the MOSS server , Host record of the site that we are going to

browse , in our example (paulpa.soccer.com)5. Install and configure the CA if you need to have certificate authority

Steps to be performed on the MOSS Server

Install and configure server with a new FarmStart all servicesCreate a new web application with default options

Create a site collection using an Host Header mode (HH Mode) using the below command

C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN>stsadm -o createsite -url http://paulpa.soccer.com -ownerlogin soccer\administrator-owneremail paulpa@soccer.com -hhurl http://paul-moss:26480

The port specified for the new host header site does not match any known bindings in the specified Web Application. The new site will not be accessible if theWeb Application is not extended to an IIS Web Site serving this port.

Operation completed successfully.

Paulpa.soccer.com is the HH MODE site collection http://paul-moss:26480 is the web application where it would have HHMODE site collection created

NOTE : Make sure you have an DNS /Host entry for paulpa.soccer.com

To find out if the site is created in HH Mode run the below SQL query on the content DB

Select * from dbo.Sites where hostheader !='%NULL%'

Creating a Certificate======================Go to the MOSS Server and follow the below steps

Open IISMGR directory Security

Create a new certificate

Send the request immediately to an online certification authority

Provide the name it can any name Bit length let it be default click Next

Organization and Organization unit can be typed or click next

In the Site’s Common Name please provide external url the client will be accessing the site (http://paulpa.soccer.com)In the Geographic information you can leave it default or provide the details and click nextSSL Port is 443 by default or we can change it depending on the requirement

Select he CA running on the server (in this example the CA is hosted on the ADSSRV server )

Then you will get the message that certificate is installed on the server successfully .

Exporting the Certificate===============================Click on view Certificate and export the certificate to a file

Select yes, export the private key and click next .Next is default value click next

You can provide the password or click next.Provide the file name and click on finish.File extention is .pfx

In the IIS manager remove the certificate from the site . (this is because we are using SSL offloading on the ISA , external user will browse the site using https://paulpa.soccer.com internal communication from ISA to moss will be http://paulpa.soccer.com )

Copy the certificate to the ISA server

Importing the Certificate to the ISA Server

After copying the certificate needs to be imported. This is to be done to be able to view the certificates while creating web listener in the ISA firewall rule

Click on start run and type MMCClick on File Add/Remove Snap-in Click on Add button and select Certificates and click on Add.You would get and window as below

Select Computer Account and click on option

“This snap-in will always manage – Local Computer (the computer this console is running on)

Click on Finish

To import right click on personal all tasks Import

Select the file name

This needs to be provided if you had given any password while exporting the certificate as mentioned earlier

In this screen select “Place all certificate in the following Store” an click next

About Microsoft® Internet Security and Acceleration (ISA) Server 2006

It is the security gateway that helps protect your mission-critical applications from Internet-based threats. ISA Server enables your business to do more, with secure access to Microsoft applications and data. Secure your Microsoft application infrastructure by protecting your corporate applications, services, and data across all network layers with stateful packet inspection, application-layer filtering, and comprehensive publishing tools. Streamline your network with simplified administrator and user experiences through a unified firewall and virtual private network (VPN) architecture, which includes Web caching and bandwidth management, an optimized firewall filtering engine, and comprehensive access controls. Safeguard your information technology environment to reduce security risks and costs, and help eliminate the effects that malicious software and attackers have on your business, by using comprehensive tools for scanning and blocking harmful content, files, and Web sites.

Steps to be performed on the ISA Server

ISA Needs to have 2 NIC , internal and external

Internal IP is 172.22.243.170

External IP is 13.0.0.5 (is it can be anything make sure the client also has the same range eg.13.0.0.2)

Steps to Install ISA 2006 Standard edition

Copy the installation source to the ISA server locally Double click on the ISAautorun.exe and continue the wizard as seen below

Provide the internal network details in our example it is NIC1 with the IP details as below 172.22.243.170

Click on Finish and ISA 2006 setup is completed

Click on Start All ProgramsMicrosoft ISA Server ISA Server Management

Note :- there will be a default rule which block all traffic , which means you will not be able to ping to any server from and to ISA server

Follow the below steps to create a new access rule to allow the traffic. This is to be with extreme care if we are using in LIVE scenario. For testing you can follow the below steps

Note : Make sure you click on Apply to make sure the effect take place and you would see 2 rules as above

Steps to be Publish an SharePoint site in ISA Sever

Scenario : I need to publish a SharePoint site created in Host Header Mode (HH Mode)

Externally I need the users to browse the site as https://paulpa.soccer.com and SSL offloading happens at ISA and internal communication from ISA server to MOSS will be as http://paulp.soccer.com

Right click on the Firewall Policy select New SharePoint Site Publishing Rule

Type in name of the Rule (it can be any name)

In the next screen select Publishing Type in our scenario we need to select Publish a single Web site or load balancer.

Publishing Type

Publishing type options

Select Publish a single Web site or load balancer.

Note: For more information about publishing a server farm of load balanced Web servers, see "Web Server Farm Load Balancing in ISA Server 2006" at the Microsoft TechNet Web site.

In the next screen “Server Connection Security “select “Use non-secured connections to connect the published Web server or server farm.”

Server Connection Security

Choose the type of connections ISA Server will establish with the published server or server farm

Note: For HTTPS-to-HTTP bridging (SSL Termination), you should select Use non-secured connections to connect the published Web server or server farm.

In the next screen provide the Internal Publishing Details Internal Publishing Details

Internal site name

Type : paulpa.soccer.com

As per our exampleImportant: The internal site name must match the name of the server certificate that is installed on the internal Web servers.

Note: If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server, and then type the required IP address or name that is resolvable by the ISA Server computer.

In the next screen provide the Public Name Details

Public Name Details Accept requests for Public name

This domain name (type below) Type paulpa.soccer.com (as per our example)

In the next screen select the Web Listener. This will let us to configure how the external users will browse the SharePoint site in our case it would be https://paulpa.soccer.com

Since it’s a new configuration we will create a new web listener by clicking on the NEW tab

Type the name of the web listener

In the next screen select the “Client Connection Security”

Client Connection Security

Connection type, either SSL or not SSL.

Select Require SSL secured connections with clients.

In the next screen select the “Web Listener IP Addresses”

Web Listener IP Addresses

Listen for incoming Web requests on these networks ISA Server will compress content Select IP Addresses

Select the External network.Check box should be selected (default).

In the window click on “Select IP Adresses”External Network Listener IP Selection

Listen for requests on Available IP Addresses

Select Specified IP addresses on the ISA Server computer in the selected network.Select 13.0.0.5 and click Add.

In the next screen select the

Listener SSL Certificates

A Web listener can use a single certificate for all of its IP addresses, or a different certificate for each IP address.

Select Use a single certificate for this web listener

Click on the Select Certificate as below Select Certificate

Select a certificate

Select the certificate issued to paulpa.soccer.com and click Select. The certificate must be installed before running the wizard.

Click on paulpa.soccer.com and click on Select button

Click on Next and select Authentication Settings

Authentication Settings

Specify how clients will provide credentials to ISA Server Select how ISA Server will validate client credentials

Select HTML Form Authentication.Select Windows (Active Directory)

In the next screen

Single Sign On Settings

Enable SSO for Web sites published with this Web listener SSO domain name

Uncheck as we do not have SSO Configured in this scenario

In the next screen

Completing the New Web Listener Wizard

Review settings.

Click Back to make changes or Finish to complete the wizard

Click on Finish and you would see the details as below

Click next and select Authentication Delegation

Authentication Delegation

Select the method used by ISA Server to authenticate to the published Web server

Select NTLM authentication.

In the next screen Alternate Access Mapping Configuration

Alternate Access Mapping Configuration

For complete integration and functionality, you need to configure alternate access mapping on the published SharePoint site.

Select SharePoint AAM is already configured on the SharePoint server.

Since we are using HH MODE we do not have an option to configure AAM’s for each web application and it completely depends on the link translation feature of ISA

In the next screen of User Sets

User Sets

This rule applies to requests from the following user sets

Select All Authenticated Users and click Next

In the next screen select Completing the New SharePoint Publishing Rule WizardCompleting the New SharePoint Publishing Rule Wizard

Review settings.

Click Back to make changes and Finish to complete the wizard.

Click on Test Rule to verify or click on Finish

Note: Test Rule is only available in ISA 2006 SP1 and above

Steps to be performed on the Client machine

Since the host entry is not registered publically we need to add a HOST files entry for our test scenario

Add host entry

Note: 13.0.0.5 is the IP address of the ISA Server (2nd NIC)

Save the host file .

Open the internet Explorer and type in https://paulpa.soccer.com you have prompt as below

Type in the credentials and would you be getting the screen as below and this is due to the certificate error which can be rectified by having a valid certificate

This will confirm that we were successfully able to browse the site with the above mentioned scenario

Good luck !!!