This article is an excerpt from Microsoft Forefront Threat Management Gateway (TMG) Administrator's Companion by Jim Harrison, Yuri Diogenes, and Mohit Saxena from the Microsoft Forefront TMG Team with Dr. Tom Shinder, from O'Reilly (ISBN 0-7356-2638-3, copyright Microsoft Press 2010, all rights reserved). No part of these chapters may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, electrostatic, mechanical, photocopying, recording, or otherwise—without the prior written permission of the publisher, except in the case of brief quotations embodied in critical articles or reviews.
This chapter discusses how to plan and configure a Microsoft Office SharePoint Services deployment. With Office SharePoint Services, organizations can take file sharing and collaboration to a new level by helping to improve process efficiency and information worker productivity, increase business agility, and reduce operating costs. When you publish Office SharePoint Services to the Internet, TMG can help make these sites available to external users without compromising the security of your organization's network. This chapter explains what you need to consider while planning SharePoint and how to configure a Web Publishing rule in TMG to publish SharePoint services to the Internet. We'll conclude the chapter with a discussion of some common issues related to publishing SharePoint services and how to troubleshoot them.
Contents
To have a stable and successful setup, it is essential to plan every deployment. Before publishing SharePoint, you need to take into account various aspects of the deployment. In this section we will discuss the security aspects, authentication, and Alternate Access Mapping (AAM) considerations before we publish SharePoint. One of the key aspects of every deployment is the security considerations that need to be in place before you publish any Web services. Some of the security considerations also depend on the type of authentication being used to either pre-authenticate the request at TMG or when delegating credentials to the published SharePoint using authentication delegation in TMG. You must consider your authentication requirements carefully because any authentication mismatch will cause failure in users' ability to access the published server.
Administrators prefer to allow only the most restrictive access to their published servers to reduce the chance that the security of the network can be compromised. Some of the key areas that need to be planned around security are:
Even though most of these considerations are very generic, they are important. Each area affects how the rule is configured.
The whole idea of publishing a Web service is to allow external users to access the server for the published service. The most common deployment is to allow access to users on the Internet. When you create a SharePoint Web publishing rule, the default option is to allow access from the Anywhere computer set to the listener that is listening for the requests. An administrator can, however, set up address ranges or specific IP addresses to allow access only from that address range or IP address.
One of the most important security considerations when publishing any Web service to the Internet or to a non-trusted network is the encryption of traffic. Most administrators encrypt all incoming traffic from the Internet using certificates. You can set up a listener with a certificate to restrict access to only HTTPS traffic. TMG can then forward the traffic using HTTP to the published SharePoint server or over HTTPS depending on how the SharePoint is configured locally. SSL bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications such as SharePoint, after receiving the client's request, TMG decrypts the request, inspects it, and terminates the SSL connection with the client computer. The Web publishing rules determine how TMG communicates the request for the object to the published SharePoint server. If the secure Web publishing rule is configured to forward the request using SSL (HTTPS), TMG initiates a new SSL connection with the published server. Because TMG is now an SSL client, it requires that the published Web server respond with a server-side certificate.
Remember that when you choose a certificate, that certificate needs to have a private key and its Common Name (CN) or one of its Subject Alternate Names (SANs) needs to be the same as the public URL. The certificate should be trusted up to the Root Certification Authority.
![]() |
---|
For more information about certificate requirements please read http://technet.microsoft.com/en-ca/library/dd547090.aspx. |
Content caching allows TMG to cache Web content and to respond to user requests from the cache, rather than contacting the Web server. This increases the performance of requests that are being serviced for the clients over the Internet. Caching also helps reduce the traffic from TMG to the published SharePoint server because the requests that are found in TMG's cache will be delivered to the client from TMG itself and will save the round trip to the published server.
Some administrators like to restrict access based on time. This helps prevent wasting bandwidth by allowing access only during business hours and restricting access during off hours. This can be done using either the built-in schedules or creating a custom schedule and allowing and denying access in the SharePoint publishing rule based on that schedule.
TMG can pre-authenticate a request before even forwarding it to the SharePoint server. This prevents any unauthenticated requests from even getting to the SharePoint server. You can configure TMG to allow all authenticated requests for any user in Active Directory or restrict access based on a select user group so that only the users belonging to that specific user group are allowed access to the published SharePoint server.
TMG provides a variety of authentication mechanisms that can be used to pre-authenticate a request at TMG. Then the client is either allowed to authenticate against the SharePoint server directly or use the credentials collected in the pre-authentication process and delegate them to the SharePoint server, providing a seamless, single sign-on experience to the client. The different types of client authentication methods on TMG are:
TMG can validate the client credentials passed on one of these formats using the following providers and protocols:
The most commonly used authentication at TMG is Forms-Based Authentication (FBA). When configured with FBA, TMG presents an HTML Form in which the user enters a user name and password, which TMG can then authenticate against Active Directory (in case TMG is a domain member) or Active Directory over LDAP protocol (in case TMG is a non-domain member). Once authenticated, TMG can provide the credentials to the SharePoint Server so that the user is not prompted again for a user name and password.
Remember that when you choose what type of authentication to use for external users, if TMG is set to delegate the user's credentials to the published SharePoint server, the authentication delegation method must be the same as the authentication type set on SharePoint. The delegation method can vary depending on the client authentication method set on TMG and in certain cases only certain combinations can be used. Hence it is important to plan what the client authentication method should be on TMG so that a matching delegation method to the authentication type of SharePoint is available.
![]() |
---|
For different authentication methods available in TMG and what their valid authentication delegation combinations are, please read http://technet.microsoft.com/en-us/library/bb794722.aspx. |
Office SharePoint Services relies on absolute hyperlinks. A URL correction approach, such as TMG's link translation, does not provide a complete solution. This is where Alternate Access Mapping (AAM) comes into play. The main purpose of AAM is to create dynamic links for requests forwarded by the reverse proxy to serve to the end user while maintaining a proper mapping of what link should be returned to an internal user versus an external user.
Administrators often make the mistake of confusing link translation with AAM and don't deem AAM to be important. Link translation and AAM must never be used together in TMG. While configuring the SharePoint publishing rule (discussed in the next section), the TMG administrator is prompted to choose whether AAM is configured on the SharePoint server. If the administrator chooses to not configure AAM, TMG sets up link translation mappings for that rule. If the administrator decides that AAM is set up correctly, no link translation mapping is applied to that rule. SharePoint embeds its URLs in many places and in a variety of encodings that cannot be fixed by the reverse proxy server's link translation feature. SharePoint also has features that use or send URLs that do not go through reverse proxy Web publishing rules. E-mail alerts are a good example of this. Only AAM can ensure that the links in the e-mail alerts contain the correct URL, which can then be accessed publicly. Hence it is important to configure AAM on the Office SharePoint server before you publish it.
![]() |
---|
To learn more about configuring AAM, read http://technet.microsoft.com/en-us/library/cc261814.aspx. |
As explained in the section on planning, publishing a SharePoint site to the Web is similar to publishing any other Web application, with the notable exception that you must use the SharePoint Web Publishing Wizard if you want TMG to process the requests properly. This section will guide you through the process of publishing single-server and Web-farm publishing scenarios.
Regardless of which type of publishing scenario you intend to use, you always begin in the same place. Figure 23-1 illustrates the scenario from which we will derive our publishing configuration.
In this scenario, the SharePoint site administrators have already configured AAM and are using unencrypted connections between TMG and the SharePoint server by directing the Contoso network security team to support their third-party IDS system. The SharePoint administrators want TMG to use Kerberos constrained Delegation (KCD).
The following instructions only provide steps for asymmetric SSL bridging; that is, HTTPS between the client and Forefront TMG and HTTP between Forefront TMG and the SharePoint server.
![]() |
---|
The procedures that follow are condensed into four subsections: Common Starting Point (the point from which the remaining steps flow), Single Server (publishing a single computer), Multi-Server (publishing multiple sites in a single action), and Server Farm (publishing a SharePoint Web farm). |
Common Starting Point
Single-Server
The following steps continue from the Common Starting point and will guide you through the process for publishing a single SharePoint server.
![]() |
---|
Selecting the correct Kerberos Constrained Delegation configuration is a critical point for proper authentication from TMG to the published server. The considerations related to service accounts and multiple SPN are discussed in http://blogs.technet.com/isablog/archive/2009/02/05/another-blog-about-kcd-tips-and-tricks-on-kerberos-and-delegation-isa2006.aspx. |
![]() |
---|
Because we selected KCD, the publishing wizard produces the warning shown in Figure 23-13 to remind you that you should verify the necessary domain and server configuration for KCD to operate properly. |
Multi-Server
The following steps illustrate the process involved in publishing multiple, individual SharePoint sites as shown in Figure 23-15. You must begin this process with the Common Starting Point Steps. The servers that you are publishing are Sydney and Denver.
![]() |
---|
Notice that the value provided in the Service Principal Name (SPN) field is empty. This is because we are publishing multiple servers with different names. You will have to edit each of the new rules to provide the appropriate SPN for each SharePoint server. |
![]() |
---|
You must now edit each new rule individually to specify the SPN for each server being published or the rules will not work. |
Server Farm
The following steps illustrate the differences between publishing a single SharePoint site and publishing a server farm of SharePoint sites, as shown in Figure 23-27. You must begin this process with the steps from Common Starting Point. The servers that you are publishing are Sydney and Denver.
![]() |
---|
Because all servers in the farm are publishing the same sites, they must all share a common name, preferably different from the actual server names. |
![]() |
---|
You may enter simple or qualified names or IP addresses in this field. |
![]() |
---|
Because the IIS process on all SharePoint servers run under the Local System account by default, you must use http/* as the SPN. This allows TMG to use the server name for the destination host when issuing the S4U2Proxy request. For more information on S4U2Proxy requests, please see http://msdn.microsoft.com/en-us/magazine/cc188757.aspx. |
The troubleshooting approach discussed in Chapter 22, "Publishing Servers," is valid for any Web publishing rule and SharePoint publishing rule is no exception. One setting that is very specific to a successful SharePoint publishing rule is the correct configuration of AAM. This is a SharePoint configuration that enables Microsoft Office SharePoint Servers to provide a URL appropriate to the client connection context.
![]() |
---|
To understand how AAM can affect a publishing rule access read the following ISA/TMG Team Blog posting:http://blogs.technet.com/isablog/archive/2008/10/02/unable-to-check-out-a-document-in-moss-2007-published-through-isa-server-2006.aspx. |
Always use the SharePoint Publishing Rule Wizard when you publish SharePoint or MOSS services through TMG. This wizard configures some critical properties that allow the SharePoint publishing rule to work properly, and some areas shouldn't be changed unless you are guided by a Microsoft Support Engineer to do so (such as paths and link translation). For example, you might think that you should change the default paths created by SharePoint Publishing Wizard. Those paths are automatically added by the wizard and should provide proper functionality for your SharePoint site. The default set of paths are shown in Figure 23-46.
Another scenario in which you should review a SharePoint publishing rule before collecting data for troubleshooting is if you did not create that rule. As a system administrator, you sometimes inherit a deployment that was already configured by someone else and now you are responsible for maintaining that infrastructure. Reviewing each element of the publishing rule can save you time before you begin your troubleshooting efforts.
Another important element of the SharePoint publishing rule is the TCP port used by the SharePoint site. This is very important because when SharePoint is installed in a Windows Server 2003 it requires Internet Information Services (IIS), which by default uses HTTP on the default port (TCP Port 80) for the default Web site. Because SharePoint Server is installed on top of IIS and the default ports usually are already in use, SharePoint will use a random port.
![]() |
---|
It is important to note that SharePoint Server will use a random port only in a scenario that the default port is already in use, such as the preceding example. Make sure to review your IIS configuration to identify which ports are in use. |
When you finish installing SharePoint on your internal server you will notice, for example, that the Central Administration already uses a custom port randomly chosen during the installation process, as shown Figure 23-47.To make sure that this configuration is working properly review the port that SharePoint site is using and make sure it matches the Bridging tab.
Another publishing rule configuration that can cause problems is if you have a mismatch between the authentication delegation of the rule and the authentication configuration of the published site. Review the authentication method used by SharePoint site that you are publishing through TMG and make sure to configure the publishing rule authentication delegation option to match this setting. Figure 23-48 shows an example of the authentication provider for the Central Administration site on a SharePoint Server:
In this particular example the authentication method used by the SharePoint site is NTLM. Therefore, the authentication delegation method must be NTLM or Direct And The Client May Authenticate Directly.
One extremely useful tool provided by TMG is the logging query mechanism. The Logging feature allows you to see near real-time access and results, which can point out a possible root cause for the problem. Combining this feature with a network monitor trace obtained during a reproduction of the issue can guide you to faster resolution of the problem.
To allow a better understanding of how those tools combine during the troubleshooting, we will examine a scenario where the external user is unable to access the Contoso SharePoint Web site (moss.contoso.com). In this scenario the external user complains that after entering his credentials in the authentication page, he receives Error Code 403 Forbidden, similar to Figure 23-49.
To prepare TMG to gather the traffic information at the right moment, follow these steps:
![]() |
---|
This is not a mandatory procedure, but it will help you to focus your logging only from traffic originating from that particular IP and also will reduce the amount of information that appears on the Logging screen. |
In addition those steps you will need to install Network Monitor on TMG and start a capture from the internal network interface card, which has connectivity with the published server selected for capturing traffic.
![]() |
---|
For more information on how to use Network Monitor, see Chapter 33, "Using Network Monitor 3 to Troubleshoot TMG." |
After you gather the traffic while the external user reproduces the issue, you can analyze it. In this particular case, Figure 23-51 indicates the moment where TMG shows the access denied response for that publishing rule.
In this case, the Logging feature indicated that TMG was denying the request, but the question of why TMG made that decision remains. This is where Network Monitor can assist you in understanding the underlying cause of a TMG action. Let's follow the traffic between Forefront TMG and SharePoint Server during a request:
10.10.10.50 10.10.10.88 TCP TCP:Flags=......S., SrcPort=11839, DstPort=19049 10.10.10.88 10.10.10.50 TCP TCP:Flags=...A..S., SrcPort=19049, DstPort=11839 10.10.10.50 10.10.10.88 TCP TCP:Flags=...A...., SrcPort=11839, DstPort=19049
10.10.10.50 10.10.10.88 HTTP HTTP:Request, GET / , Using Basic Authorization - Http: Request, GET / , Using Basic Authorization Command: GET + URI: / ProtocolVersion: HTTP/1.1 Connection: Keep-Alive Reverse-Via: TMGB2 Cookie: MSOWebPartPage_AnonymousAccessCookie=19049; Referer: https://moss.contoso.com/CookieAuth.dll?GetLogon?curl=Z2F&reason=0&formdir=3 UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30618) Host: mossrv:19049 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/ x-ms-application, application/vnd.ms-xpsdocument, application/ xaml+xml, application/x-ms-xbap, */* Accept-Language: en-us UA-CPU: x86 Cache-Control: no-cache Front-End-Https: On X-Experience: Premium X-LogonType: Public - Authorization: Basic Y29udG9zb1xhZG1pbmlzdHJhdG9yOlBhc3N3b3JkNQ== - BasicAuthorization: Scheme: Basic - Realm: contoso\Bob:qwer!@#$ + Realm: contoso\Bob:qwer!@#$ HeaderEnd: CRLF HeaderEnd: CRLF
10.10.10.88 10.10.10.50 HTTP HTTP:Response, HTTP/1.1, Status Code = 401, URL: / , Using NTLM X-Powered-By: Authentication - Http: Response, HTTP/1.1, Status Code = 401, URL: / , Using NTLM X-Powered-By: Authentication ProtocolVersion: HTTP/1.1 StatusCode: 401, Unauthorized Reason: Unauthorized ContentLength: 1656 + ContentType: text/html Server: Microsoft-IIS/6.0 + WWWAuthenticate: Negotiate WWW-Authenticate: + WWWAuthenticate: NTLM X-Powered-By: XPoweredBy: ASP.NET MicrosoftSharePointTeamServices: 12.0.0.6219 Date: Sat, 25 Apr 2009 18:58:55 GMT HeaderEnd: CRLF + payload: HttpContentType = text/html
As you could see through the packet capture, TMG was configured to delegate Basic authentication while the published server was configured to use NTLM. This is a classical example of authentication delegation mismatch between TMG and the published server.
In this chapter we discussed how to properly plan a SharePoint server publishing with various security and authentication considerations. We also saw the various options available while publishing a SharePoint server and in the end we saw some troubleshooting techniques in case SharePoint publishing fails. In the next chapter we will discuss Exchange publishing.