Deploying SharePoint Portal Server 2003 on an Extranet by Using ISA Server 2000 and ISA Server 2004
White Paper

Published: January 2005

The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of
any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored
in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in any written license agreement from Microsoft, the furnishing of
this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted herein are
fictitious, and no association with any real company, organization, product, domain
name, e-mail address, logo, person, place, or event is intended or should be inferred.
 2005 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Active Directory directory service, Microsoft ISA Server 2000,
Microsoft ISA Server 2004, Microsoft Office SharePoint Portal Server 2003, and Microsoft
Windows SharePoint Services are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.

3
Table of Contents
Introduction ..... 9
Extranet Network Topologies ..... 12
  Tri-Homed Perimeter Network ..... 13
  Back-to-Back Perimeter Network ..... 14
Inter-Server Communications ..... 16
General Security Considerations ..... 18
Scenario 1: Single Portal Site on a Single Virtual Server (Using ISA Server 2000) ..... 19
  Step 1: Configure Basic Authentication on the Default Web Site in IIS ..... 20
  Step 2: Install an SSL Server Certificate on the Default Web Site in IIS ..... 21
  Step 3: Verify that You Can Access the Portal Site by Using an Internal SSL FQDN URL ..... 21
  Step 4: Configure IIS to Require SSL for the Default Web Site ..... 23
  Step 5: Modify the Default URL for the Portal Site ..... 23
  Step 6: Verify that the Proxy Server Settings for SharePoint Portal Server Search Are Correctly Specified ..... 25
  Step 7: Configure the SharePoint Portal Server Search Service to Use Basic Authentication when Crawling Content Sources ..... 26
  Step 8: Create a Public DNS Entry ..... 28
  Step 9: Configure the Network Adapters in the External ISA Server 2000 Computer ..... 28
  Step 10: Configure ISA Server 2000 to not Intercept HTTP Requests that Use the OPTIONS Verb ..... 29
  Step 11: Ensure that the Appropriate SSL Server Certificates Are Installed on the External ISA Server 2000 Computer ..... 29
  Step 12: Configure the External ISA Server 2000 Computer to Allow Outbound Connections to the Internet ..... 30
  Step 13: Edit the web.config File ..... 32
  Step 14: Configure the External ISA Server 2000 Computer to Listen for Incoming Requests on the Appropriate IP Address ..... 32
  Step 15: Create a Destination Set on the External ISA Server 2000 Computer ..... 34
  Step 16: Create a Web Publishing Rule on the External ISA Server 2000 Computer ..... 35
  Step 17: Verify that the Web Publishing Rule Properties are Correct ..... 36
  Step 18: Configure an Alternate Access Setting that Uses the Public (External) FQDN URL that Users Will Use to Access the Portal Site ..... 37
  Step 19: Verify that You Can Access the Portal Site Through the Internet ..... 37
Scenario 2: Single Portal Site on Two Virtual Servers (Using ISA Server 2000) ..... 38
  Step 1: Verify that the Default URL for the Portal Site Is Correctly Specified ..... 40
  Step 2: Verify that the Proxy Server Settings for SharePoint Portal Server Search Are Correctly Specified ..... 40
  Step 3: Create a New Web Site in IIS to Host the Existing Portal Site ..... 41
  Step 4: Delete the SSL Port Designation for the Default Web Site in IIS ..... 42
  Step 5: Configure the New Web Site in IIS to Use TCP Port 443 for SSL ..... 43
  Step 6: Configure Basic Authentication on the New Web Site in IIS ..... 43
  Step 7: Extend the New Web Site in IIS to Host the Existing Portal Site ..... 44
  Step 8: Verify that the New Web Site in IIS Is Correctly Hosting the Existing Portal Site ..... 44
  Step 9: Install an SSL Server Certificate on the New Web Site in IIS ..... 45
  Step 10: Verify that You Can Access the Portal Site Hosted on the New Web Site by Using an Internal SSL FQDN URL ..... 45
  Step 11: Configure IIS to Require SSL for the New Web Site ..... 46
  Step 12: Create a Public DNS Entry ..... 47
  Step 13: Configure the Network Adapters in the External ISA Server 2000 Computer ..... 47
  Step 14: Configure ISA Server 2000 to not Intercept HTTP Requests that Use the OPTIONS Verb ..... 48
  Step 15: Ensure that the Appropriate SSL Server Certificates Are Installed on the External ISA Server 2000 Computer ..... 49
  Step 16: Configure the External ISA Server 2000 Computer to Allow Outbound Connections to the Internet ..... 49
  Step 17: Edit the web.config File ..... 51
  Step 18: Configure the External ISA Server 2000 Computer to Listen for Incoming Requests on the Appropriate IP Address ..... 51
  Step 19: Create a Destination Set on the External ISA Server 2000 Computer ..... 54
  Step 20: Create a Web Publishing Rule on the External ISA Server 2000 Computer ..... 54
  Step 21: Verify that the Web Publishing Rule Properties are Correct ..... 55
  Step 22: Configure an Alternate Access Setting that Uses the Public (External) FQDN URL that Users Will Use to Access the Portal Site ..... 56
  Step 23: Verify that You Can Access the Portal Site through the Internet ..... 56
Scenario 3: Single Portal Site on a Single Virtual Server (Using ISA Server 2004) ..... 57
  Step 1: Configure Basic Authentication on the Default Web Site in IIS ..... 58
  Step 2: Install an SSL Server Certificate on the Default Web Site in IIS ..... 59
  Step 3: Verify that You Can Access the Portal Site by Using an Internal SSL FQDN URL ..... 60
  Step 4: Configure IIS to Require SSL for the Default Web Site ..... 61
  Step 5: Modify the Default URL for the Portal Site ..... 62
  Step 6: Verify that the Proxy Server Settings for SharePoint Portal Server Search Are Correctly Specified ..... 63
  Step 7: Configure the SharePoint Portal Server Search Service to Use Basic Authentication when Crawling Content Sources ..... 64
  Step 8: Create a Public DNS Entry ..... 66
  Step 9: Configure the Network Adapters in the External ISA Server 2004 Computer ..... 66
  Step 10: Ensure that the Appropriate SSL Server Certificates Are Installed on the External ISA Server 2004 Computer ..... 67
  Step 11: Configure the External ISA Server 2004 Computer to Allow Outbound Connections to the Internet ..... 67
  Step 12: Edit the web.config File ..... 68
  Step 13: Configure the External ISA Server 2004 Computer to Listen for Incoming Requests on the Appropriate IP Address ..... 69
  Step 14: Create a Secure Web Server Publishing Rule on the External ISA Server 2004 Computer ..... 70
  Step 15: Verify that the Secure Web Server Publishing Rule Properties are Correct ..... 72
  Step 16: Configure an Alternate Access Setting that Uses the Public (External) FQDN URL that Users Will Use to Access the Portal Site ..... 73
  Step 17: Verify that You Can Access the Portal Site Through the Internet ..... 73
Scenario 4: Single Portal Site on Two Virtual Servers (Using ISA Server 2004) ..... 74
  Step 1: Verify that the Default URL for the Portal Site is Correctly Specified ..... 76
  Step 2: Verify that the Proxy Server Settings for SharePoint Portal Server Search Are Correctly Specified ..... 76
  Step 3: Create a New Web Site in IIS to Host the Existing Portal Site ..... 77
  Step 4: Delete the SSL Port Designation for the Default Web Site in IIS ..... 78
  Step 5: Configure the New Web Site in IIS to Use TCP Port 443 for SSL ..... 79
  Step 6: Configure Basic Authentication on the New Web Site in IIS ..... 79
  Step 7: Extend the New Web Site in IIS to Host the Existing Portal Site ..... 80
  Step 8: Verify that the New Web Site in IIS Is Correctly Hosting the Existing Portal Site ..... 80
  Step 9: Install an SSL Server Certificate on the New Web Site in IIS ..... 81
  Step 10: Verify that You Can Access the Portal Site Hosted on the New Web Site by Using an Internal SSL FQDN URL ..... 81
  Step 11: Configure IIS to Require SSL for the New Web Site ..... 82
  Step 12: Create a Public DNS Entry ..... 83
  Step 13: Configure the Network Adapters in the External ISA Server 2004 Computer ..... 83
  Step 14: Ensure that the Appropriate SSL Server Certificates Are Installed on the External ISA Server 2004 Computer ..... 84
  Step 15: Configure the External ISA Server 2004 Computer to Allow Outbound Connections to the Internet ..... 84
  Step 16: Edit the web.config File ..... 85
  Step 17: Configure the External ISA Server 2004 Computer to Listen for Incoming Requests on the Appropriate IP Address ..... 86
  Step 18: Create a Secure Web Server Publishing Rule on the External ISA Server 2004 Computer ..... 87
  Step 19: Verify that the Secure Web Server Publishing Rule Properties Are Correct ..... 89
  Step 20: Configure an Alternate Access Setting that Uses the Public (External) FQDN URL that Users Will Use to Access the Portal Site ..... 90
  Step 21: Verify that You Can Access the Portal Site through the Internet ..... 90
Scenario 5: Multiple Portal Sites on Multiple Virtual Servers (Using ISA Server 2004) ..... 91
  Step 1: Create a New Web Site in IIS to Host a New Portal Site ..... 93
  Step 2: Specify a Unique TCP Port for SSL for the New Web Site ..... 94
  Step 3: Create a New Portal Site on the New Web Site in IIS ..... 94
  Step 4: Configure Basic Authentication on the New Web Site in IIS ..... 95
  Step 5: Install an SSL Server Certificate on the New Web Site in IIS ..... 96
  Step 6: Verify that You Can Access the New Portal Site Hosted on the New Web Site by Using an Internal SSL FQDN URL ..... 96
  Step 7: Configure IIS to Require SSL for the New Web Site ..... 98
  Step 8: Modify the Default URL for the New Portal Site ..... 98
  Step 9: Configure the SharePoint Portal Server Search Service to Use Basic Authentication when Crawling Content Sources (New Portal Site) ..... 100
  Step 10: Configure the Network Adapters in the External ISA Server 2004 Computer ..... 102
  Step 11: Create a Public DNS Entry for the New Portal Site that Will Be Exposed Over the Extranet ..... 103
  Step 12: Ensure that the Appropriate SSL Server Certificates Are Installed on the External ISA Server 2004 Computer ..... 103
  Step 13: Configure the External ISA Server 2004 Computer to Allow Outbound Connections to the Internet ..... 103
  Step 14: Edit the web.config File ..... 104
  Step 15: Configure the External ISA Server 2004 Computer to Listen for Incoming Requests on the Appropriate IP Address ..... 105
  Step 16: Create a Secure Web Server Publishing Rule on the External ISA Server 2004 Computer for the New Portal Site ..... 106
  Step 17: Verify that the Secure Web Server Publishing Rule Properties Are Correct ..... 108
  Step 18: Configure an Alternate Access Setting that Uses the Public (External) FQDN URL that Users Will Use to Access the Portal Site ..... 109
  Step 19: Verify that You Can Access the New Portal Site Through the Internet ..... 109
Appendix A: Known Issues ..... 111
  Windows SharePoint Services ..... 111
  Absolute URLs ..... 111
  SSL Termination and SSL Bridging ..... 112
  IP-Bound Virtual Servers ..... 113
  SharePoint Portal Server Central Administration ..... 113
  URLs in Alerts E-Mail Messages ..... 113
  Requiring SSL ..... 114
  Bypass Proxy Server Settings for SharePoint Portal Server Search ..... 114
Appendix B: Troubleshooting ..... 115
  SSL Configuration Issues ..... 115
  Authentication Issues ..... 116

Deploying SharePoint Portal Server 2003 on an Extranet by Using ISA Server 2000 and ISA Server 2004
White Paper

Writers/Technical Contributors: Mark Grossbard, Emily Schroeder

Published: January 2005

For the latest information, please see the SharePoint Portal Server site on Microsoft Office Online:
http://go.microsoft.com/fwlink/?linkid=21567&clcid=0x409

Introduction
This white paper provides the procedures to follow if you want to deploy Microsoft®
Office SharePoint® Portal Server 2003 across an extranet. In this paper, you will learn
how to configure a SharePoint Portal Server deployment so that users outside an
external corporate firewall/proxy server can access information on a portal site that is
inside an external corporate firewall/proxy server.
There are many different ways to do this and many different types of firewalls and proxy
servers available. Proxy servers are generally categorized as forward proxy or reverse
proxy servers. This paper specifically discusses using Microsoft Internet Security and
Acceleration (ISA) Server 2000 and ISA Server 2004 in what is generally considered to
be a reverse proxy configuration.

Scenarios
This paper is a prescriptive guide to deploying the following five scenarios:

• Scenario 1: Single portal site on a single virtual server (using ISA Server 2000), exposed to both the corporate intranet and to the extranet using Basic authentication and Secure Sockets Layer (SSL) only.
• Scenario 2: Single portal site on two virtual servers (using ISA Server 2000), where one virtual server is used for corporate intranet access and uses Integrated Windows authentication, and the other virtual server is used for extranet access and uses Basic authentication and SSL.
• Scenario 3: Single portal site on a single virtual server (using ISA Server 2004), exposed to both the corporate intranet and to the extranet using Basic authentication and SSL only. This is the same as scenario 1, but using ISA Server 2004 instead of ISA Server 2000.
• Scenario 4: Single portal site on two virtual servers (using ISA Server 2004), where one virtual server is used for corporate intranet access and uses Integrated Windows authentication, and the other virtual server is used for extranet access and uses Basic authentication and SSL. This is the same as scenario 2, but using ISA Server 2004 instead of ISA Server 2000.
• Scenario 5: Multiple portal sites on multiple virtual servers (using ISA Server 2004), where one portal site is exposed over the extranet using Basic authentication and SSL, and a second portal site is exposed over the extranet using Basic authentication and SSL.

SharePoint Portal Server 2003 is built on Microsoft Windows® SharePoint Services
technology. There are many known issues when deploying both SharePoint Portal Server
and Windows SharePoint Services across an extranet. For detailed information about
these issues, see “Appendix A: Known Issues.”

Reverse Proxy Benefits
To publish SharePoint Portal Server across an extranet, you can use ISA Server 2000 or
ISA Server 2004 in a reverse proxy configuration, or you can use a non-Microsoft
reverse proxy server product. Using a reverse proxy server can help prevent disclosure
of internal network-specific information, such as:

• Internal IP addresses.
• Internal NetBIOS computer names.
• Internal Domain Name System (DNS) computer names.
• Internal network domain names.

Reverse proxy servers also help enable you to:

• Allow only authorized traffic into and out of the network.
• Detect and prevent hacking attempts, computer viruses, worms, etc.
• Avoid excessive internal network traffic.
• Avoid SSL overhead on Web servers.
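The four kinds of disclosure listed above are exactly what a published portal must not hand back to an Internet client, so they are worth checking for in the responses the external ISA Server computer returns. The following Python check is an added example rather than code from this white paper: it scans a captured response from the published site for each category. Perimeter.Net and Corp.Net are the domain names the paper uses; the host names, the public FQDN portal.contoso.com and the sample response are constructed.

```python
"""Scan an HTTP response that came back through the reverse proxy for the
four kinds of internal-network disclosure a reverse proxy should prevent:
internal IP addresses, internal NetBIOS names, internal DNS names and
internal domain names.

Added example, not code from the white paper. Perimeter.Net and Corp.Net are
the paper's domain names; every host name, the public FQDN and the sample
response below are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# RFC 1918 ranges; an address in one of these should never leave the proxy.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Any dotted name (also matches file names such as logo.gif; filtered below).
DOTTED_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b")
# A single-label host in a URL, at most 15 characters: a NetBIOS-style name
# that only resolves inside the perimeter network.
NETBIOS_URL_RE = re.compile(r"https?://([A-Za-z0-9-]{1,15})(?=[:/\s\"'<]|$)", re.I)


@dataclass(frozen=True)
class Finding:
    where: str   # "header:<name>" or "body"
    kind: str    # private-ip | internal-dns | internal-domain | netbios
    value: str


def is_private_ip(text: str) -> bool:
    try:
        return any(ipaddress.ip_address(text) in net for net in PRIVATE_NETS)
    except ValueError:
        return False


def scan_text(where, text, internal_domains, public_fqdn):
    """Return every disclosure found in one header value or in the body."""
    found = []
    for m in IPV4_RE.finditer(text):
        if is_private_ip(m.group(0)):
            found.append(Finding(where, "private-ip", m.group(0)))
    for m in DOTTED_RE.finditer(text):
        name = m.group(0).lower()
        if name == public_fqdn.lower() or IPV4_RE.fullmatch(name):
            continue                    # the published name is expected
        for domain in (d.lower() for d in internal_domains):
            if name == domain:
                found.append(Finding(where, "internal-domain", m.group(0)))
            elif name.endswith("." + domain):
                found.append(Finding(where, "internal-dns", m.group(0)))
    for m in NETBIOS_URL_RE.finditer(text):
        found.append(Finding(where, "netbios", m.group(1)))
    return found


def scan_response(headers, body, internal_domains, public_fqdn):
    """Scan response headers (dict of name -> value) and body. Headers carry
    the classic leaks: Location redirects and cookie Domain attributes."""
    found = []
    for name, value in headers.items():
        found += scan_text(f"header:{name}", value, internal_domains, public_fqdn)
    found += scan_text("body", body, internal_domains, public_fqdn)
    return found


# Constructed sample: what a misconfigured publishing rule might return.
INTERNAL_DOMAINS = ("Perimeter.Net", "Corp.Net")
PUBLIC_FQDN = "portal.contoso.com"
SAMPLE_HEADERS = {
    "Server": "Microsoft-IIS/6.0",
    "Location": "http://spsportal.perimeter.net/default.aspx",
    "Set-Cookie": "SessionId=abc123; Domain=perimeter.net; path=/",
}
SAMPLE_BODY = (
    '<a href="https://portal.contoso.com/sites/team">Team site</a>\n'
    '<img src="http://spsportal/_layouts/images/logo.gif">\n'
    "<!-- rendered by 192.168.10.25 -->\n"
)


def sample_findings():
    return scan_response(SAMPLE_HEADERS, SAMPLE_BODY, INTERNAL_DOMAINS, PUBLIC_FQDN)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.where:20} {f.kind:16} {f.value}")
```

A clean deployment returns an empty list; anything reported is a place where the alternate access setting, the publishing rule, or the content itself is exposing the perimeter network.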

Requirements
The steps in this paper require that you have the following:

• For the ISA Server 2000 scenarios: ISA Server 2000 installed in integrated mode
with Service Pack 1 and Feature Pack 1 installed.
• For the ISA Server 2004 scenarios: ISA Server 2004, Standard Edition.
• For both ISA Server 2000 and ISA Server 2004 scenarios: an external ISA Server
computer that is configured with two network adapters—an external network adapter
that is connected to the Internet and an internal network adapter that is connected
to a perimeter network or screened subnet. Whether you use ISA Server 2000 or ISA
Server 2004, the ISA Server computer must be a member of the perimeter network
domain. Depending on the exact network topology you use, you might have a second
internal ISA Server computer that is configured with two network adapters—a
network adapter that is connected to the perimeter network and a network adapter
that is connected to the corporate intranet. Configuring this internal ISA Server
computer is outside the scope of this paper.
Important Whenever an ISA Server computer is referred to in procedures in
this paper, it is the external ISA Server computer.
• SharePoint Portal Server 2003 installed on at least a single server. The steps in this
paper also apply to server farm configurations of SharePoint Portal Server
deployments.
• A public DNS computer.
• Two SSL server certificates for the external ISA Server computer.
• SSL server certificates for the portal sites being exposed to the extranet.

To perform the procedures in this paper, you must be:

• An administrator on the SharePoint Portal Server deployment to perform procedures
from central administration.
• An administrator on the portal site to perform procedures from site administration.
• A member of the local Administrators group on the SharePoint Portal Server
computer to modify settings in Internet Information Services (IIS).
• An administrator on the ISA Server computer.

What Is Not Covered
This paper does not provide prescriptive guidance for the following:

• Obtaining and installing SSL server certificates. For information about obtaining and
installing SSL certificates, see the following references:
  • “Obtaining and Installing Server Certificates” in the IIS 6.0 Technical Reference at
    http://go.microsoft.com/fwlink/?LinkId=37235&clcid=0x409
  • “Enabling Secure Sockets Layer for SharePoint Portal Server 2003” at
    http://go.microsoft.com/fwlink/?linkid=28852&clcid=0x409
  • “Digital Certificates for ISA Server and Published Servers” at
    http://go.microsoft.com/fwlink/?LinkId=37909&clcid=0x409
• Using or configuring SSL client certificates. For information about using SSL client
certificates with SharePoint Portal Server, see “Enabling Client Certificates and Using
Client Certificates When Crawling Content with SharePoint Portal Server 2003” at
http://go.microsoft.com/fwlink/?LinkId=37912&clcid=0x409.
• Configuring access to backward-compatible document libraries over the extranet.
• Configuring or using the SharePoint Portal Server Single Sign-on feature.
• Configuring or using IPsec between the servers that compose a SharePoint Portal
Server farm.
• Configuring shared services in SharePoint Portal Server deployed over the extranet.
• Configuring network load balancing for SharePoint Portal Server medium or large
server farms.

• Configuring the internal ISA Server computer in a back-to-back perimeter network
extranet network topology.
• Configuring IP addressing and network routing for your perimeter network or
corporate intranet.
• Installing and configuring firewalls/proxy servers between SharePoint Portal Server
computers in a server farm.
• Forms-based authentication for SharePoint Portal Server. SharePoint Portal Server
does not support forms-based authentication.
• Procedures in SharePoint Portal Server where advanced search administration is
enabled. The steps in this paper assume that simple search administration is
enabled.

Sections in This Paper
This paper contains the following sections:

• Extranet network topologies
• Inter-server communications
• General security considerations
• Scenario 1: Single portal site on a single virtual server (using ISA Server 2000)
• Scenario 2: Single portal site on two virtual servers (using ISA Server 2000)
• Scenario 3: Single portal site on a single virtual server (using ISA Server 2004)
• Scenario 4: Single portal site on two virtual servers (using ISA Server 2004)
• Scenario 5: Multiple portal sites on multiple virtual servers (using ISA Server 2004)
• Appendix A: Known issues
• Appendix B: Troubleshooting

Extranet Network Topologies
There are many different ways to design and build an extranet network topology.
Decisions about topologies used are outside the scope of this paper. However, this
section discusses the following two examples of network topologies:

• Tri-homed perimeter network. This is also known as a single-screened subnet.
• Back-to-back perimeter network. This is also known as a dual-screened subnet.

The term “perimeter network” refers to a network that lies between the corporate
intranet and the Internet. It is a network that separates a trusted network (the
corporate intranet) from an untrusted network (the Internet). In most cases, perimeter
networks are thought of as physical networks, but in some extranet network topologies,
this is not entirely accurate. Perimeter networks are also known as screened subnets.
The topologies presented here are examples only. The topology you use is dependent
upon the policies and requirements of your organization.
The back-to-back perimeter network topology—the topology that is used for this white
paper—is widely regarded as one of the more secure extranet topologies available. In
this paper, the perimeter network domain is called Perimeter.Net, and the corporate
intranet domain is called Corp.Net. These domains are configured with a forest trust
relationship between the perimeter network domain (Perimeter.Net) and the corporate
intranet domain (Corp.Net).

Tri-Homed Perimeter Network
This topology is also known as a single-screened subnet because the perimeter network
is bounded by only one ISA Server computer. See Figure 1.

Figure 1 Tri-homed perimeter network, or single-screened subnet

Note For simplicity, no IP addressing is denoted in Figure 1, and only a domain
controller and a DNS computer are depicted in the corporate intranet virtual LAN.

This topology uses a single ISA Server computer to separate the Internet, the perimeter
network, and the corporate intranet. The ISA Server computer has three network
adapters: one network adapter connected to the Internet, one network adapter
connected to the perimeter network, and one network adapter connected to the
corporate intranet. Note that this topology specifies the use of a secured router between
the Internet and the ISA Server computer. Typically, ports on this router would be locked
down, as opposed to being wide open. Examples of ports that you would typically need
open to ensure correct SharePoint Portal Server functionality are:

• Port 80 for HTTP
• Port 443 for HTTPS
• Port 25 for SMTP

Additionally, you might want to have alternate ports open for HTTP or HTTPS, or both,
depending upon the needs of your organization.

Disadvantages of a tri-homed perimeter network include:

• The perimeter network segment must use public IP addresses. This limitation applies
to ISA Server 2000 only.
• Packets moving between the external interface (the Internet) and the perimeter
network segment are not subject to Microsoft Firewall service (Fwsrv) or Microsoft
Web Proxy (W3Proxy) service access policies. This limitation applies to ISA
Server 2000 only.
• The tri-homed perimeter network configuration constitutes a single point of failure. If
an intruder compromises the ISA Server computer in this topology, the intruder has
access to both the perimeter network and the corporate intranet.

Back-to-Back Perimeter Network
This topology is also known as a dual-screened subnet because the perimeter network is
bounded by two ISA Server computers. See Figure 2.

Figure 2 Back-to-back perimeter network, or dual-screened subnet

Note For simplicity, no IP addressing is denoted in Figure 2, and only the internal
ISA Server, domain controller, and DNS computers are depicted in the corporate
intranet virtual LAN.

This topology uses two ISA Server computers to separate the perimeter network from
the Internet on one side, and to separate the perimeter network from the corporate
intranet on the other side. Each ISA Server computer has two network adapters. The
external ISA Server computer has one network adapter connected to the Internet and
another network adapter connected to the perimeter network. The internal ISA Server
computer has one network adapter connected to the perimeter network and another
network adapter connected to the corporate intranet.

Note that this topology specifies the use of a secured router between the Internet and
the perimeter network. Typically, ports on this router would be locked down, as opposed
to being wide open. Examples of ports that you would typically need open to ensure
correct SharePoint Portal Server functionality would be:

• Port 80 for HTTP
• Port 443 for HTTPS
• Port 25 for SMTP

Additionally, you might want to have alternate ports open for HTTP or HTTPS, or both,
depending upon the needs of your organization.

Note also that there is another secured router separating the network segments that
compose the perimeter network. Although locking down this router is not as important
as locking down the router connected to the Internet, additional security can be
conferred by ensuring that non-essential ports are closed and opening only those ports
necessary to support inter-server communications for both Active Directory and
SharePoint Portal Server. For more information, see the section “Inter-Server
Communications” later in this paper.
This topology is generally considered to be one of the more secure extranet network
topologies available. Even if the perimeter network is compromised by an intruder from
the Internet, that intruder does not automatically gain access to resources in the
corporate intranet. Moreover, you can deploy additional network defenses inside the
perimeter network. (For the sake of simplicity, the additional network defenses are not
shown in Figure 2.) In this topology, an intruder must penetrate at least the external ISA
Server computer and the internal ISA Server computer before being able to gain access
to resources on the corporate intranet.
The trust shown between the perimeter network and the corporate intranet is optional,
depending on requirements. In each scenario in this paper, corporate intranet users have
access to a SharePoint Portal Server deployment in the perimeter network. If there is a
trust relationship between the perimeter network domain and the corporate intranet
domain, corporate intranet users can use their corporate intranet credentials to access
the deployment. Without this trust relationship, the corporate intranet users would
require separate accounts in the perimeter network domain. For more information about
forest trust relationships, see “Planning and Implementing Federated Forests in Windows
Server 2003” at http://go.microsoft.com/fwlink/?LinkId=37926&clcid=0x409.

Inter-Server Communications
This paper describes deploying SharePoint Portal Server inside a perimeter network. This
requires that a Microsoft Active Directory® directory service domain is deployed inside
this same perimeter network.
To do this successfully, you must know:

• The kinds of communications that take place between computers in an Active
Directory domain and computers in a SharePoint Portal Server deployment.
• The communications that take place between the domain infrastructure computers—
domain controllers, DNS computers, Dynamic Host Configuration Protocol (DHCP)
computers, etc.—and the other computers that are members of the domain
(SharePoint Portal Server computers, SQL Server™ computers).


The following table lists the protocols and ports used for the inter-server
communications described. These protocols and ports are provided to help ensure that
you are able to configure any internetworking devices (routers, switches, etc.) between
Active Directory domain computers and SharePoint Portal Server computers to enable
them to communicate successfully.

Protocol                                        Ports (TCP and User Datagram Protocol)
----------------------------------------------  ----------------------------------------
Dynamic Host Configuration Protocol (DHCP)      67/UDP
Server
DNS                                             53/TCP, 53/UDP
Dynamic RPC*                                    1024-65535/TCP
File Replication Service (FRS) RPC Port         49152/TCP
Global Catalog                                  3268/TCP
Global Catalog over SSL                         3269/TCP
HTTP                                            80/TCP
Secure HTTP (HTTPS)                             443/TCP
Internet Message Access Protocol (IMAP)         143/TCP
IMAP SSL                                        993/TCP
Kerberos authentication protocol                88/TCP, 88/UDP
Lightweight Directory Access Protocol (LDAP)    389/UDP
LDAP SSL                                        636/UDP
Network Time Protocol (NTP)                     123/UDP
Post Office Protocol 3 (POP3)                   110/TCP
POP3 SSL                                        995/TCP
Remote Procedure Call (RPC) Endpoint Mapper     135/TCP, 135/UDP
Server Message Block (SMB) over NetBIOS         137/TCP, 137/UDP, 138/UDP, 139/TCP
over TCP/IP (NBT)
SMB over TCP                                    445/TCP, 445/UDP
Simple Mail Transfer Protocol (SMTP)            25/TCP, 25/UDP
SMTP SSL                                        465/TCP, 465/UDP
Simple Network Management Protocol (SNMP)       161/TCP, 161/UDP, 162/TCP, 162/UDP
SOCKS                                           1080/TCP
SQL                                             1433/TCP
SQL Management                                  1434/UDP
Static RPC (configured with registry setting)   5000-5040
Terminal Server                                 3389/TCP
Windows Internet Name Service (WINS)            42/TCP, 42/UDP
Replication
WINS Resolution                                 1512/TCP, 1512/UDP

*Dynamic Remote Procedure Call (RPC) It is possible to use a Windows registry
key to limit the range of the dynamic RPC ports assigned. Rather than using all of the
high-numbered ports (1024 – 65535), it is possible to limit the range of dynamic RPC
ports to a much smaller number. This is referred to as static RPC. For more information,
see:

• “Active Directory in Networks Segmented by Firewalls” at
http://go.microsoft.com/fwlink/?LinkId=37928&clcid=0x409
• Article 154596, “HOW TO: Configure RPC Dynamic Port Allocation to Work with
Firewalls,” in the Knowledge Base at
http://go.microsoft.com/fwlink/?LinkId=37930&clcid=0x409
Note As stated in the Introduction section of this paper, prescriptive guidance for
installing and configuring firewalls/proxy servers between SharePoint Portal Server
computers in a server farm is beyond the scope of this paper.
Named Pipes Although it is not explicitly depicted in the table above, Named Pipes
typically uses ports 137, 138, 139 and 445.
IPsec As mentioned in a previous section, this paper does not address configuring
IPsec between the servers that make up a SharePoint Portal Server farm deployment.
By default, all inter-server communications in a SharePoint Portal Server farm are “in the
clear” and not encrypted.
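The table above is only useful if the router between the perimeter network segments is actually checked against it. The following script, added here and not part of the white paper, transcribes the table into an allow list and audits a small set of constructed connection records (the four-field log format, the 192.0.2.x addresses and the service names are assumptions for the example); the same record is evaluated once with the full dynamic RPC range and once with the static RPC range from the table, which shows what restricting RPC buys you.

```python
"""Audit inter-server connections against the protocol/port table above.

Added example; not code from the white paper. The log format and the
addresses below are constructed for the example and stand in for whatever
your router or packet filter actually logs.
"""
from dataclasses import dataclass
from typing import List, Optional

# Services transcribed from the table above as (transport, first, last).
ALLOWED = {
    "DHCP Server": [("UDP", 67, 67)],
    "DNS": [("TCP", 53, 53), ("UDP", 53, 53)],
    "FRS RPC Port": [("TCP", 49152, 49152)],
    "Global Catalog": [("TCP", 3268, 3268)],
    "Global Catalog over SSL": [("TCP", 3269, 3269)],
    "HTTP": [("TCP", 80, 80)],
    "HTTPS": [("TCP", 443, 443)],
    "IMAP": [("TCP", 143, 143)],
    "IMAP SSL": [("TCP", 993, 993)],
    "Kerberos": [("TCP", 88, 88), ("UDP", 88, 88)],
    "LDAP": [("UDP", 389, 389)],          # as printed in the table
    "LDAP SSL": [("UDP", 636, 636)],      # as printed in the table
    "NTP": [("UDP", 123, 123)],
    "POP3": [("TCP", 110, 110)],
    "POP3 SSL": [("TCP", 995, 995)],
    "RPC Endpoint Mapper": [("TCP", 135, 135), ("UDP", 135, 135)],
    "SMB over NBT": [("TCP", 137, 137), ("UDP", 137, 137),
                     ("UDP", 138, 138), ("TCP", 139, 139)],
    "SMB over TCP": [("TCP", 445, 445), ("UDP", 445, 445)],
    "SMTP": [("TCP", 25, 25), ("UDP", 25, 25)],
    "SMTP SSL": [("TCP", 465, 465), ("UDP", 465, 465)],
    "SNMP": [("TCP", 161, 161), ("UDP", 161, 161),
             ("TCP", 162, 162), ("UDP", 162, 162)],
    "SOCKS": [("TCP", 1080, 1080)],
    "SQL": [("TCP", 1433, 1433)],
    "SQL Management": [("UDP", 1434, 1434)],
    "Terminal Server": [("TCP", 3389, 3389)],
    "WINS Replication": [("TCP", 42, 42), ("UDP", 42, 42)],
    "WINS Resolution": [("TCP", 1512, 1512), ("UDP", 1512, 1512)],
}
# RPC is either the whole dynamic range or, once the registry setting in
# the footnote is applied, the static range. Transport TCP is assumed.
DYNAMIC_RPC = ("TCP", 1024, 65535)
STATIC_RPC = ("TCP", 5000, 5040)


def classify(transport: str, port: int, static_rpc: bool) -> Optional[str]:
    """Return the table entry that permits this destination port, or None.

    Explicit entries win over the RPC range, so 1433/TCP is "SQL" and not
    "Dynamic RPC" even though it lies inside 1024-65535.
    """
    for name, ranges in ALLOWED.items():
        for tr, lo, hi in ranges:
            if tr == transport and lo <= port <= hi:
                return name
    tr, lo, hi = STATIC_RPC if static_rpc else DYNAMIC_RPC
    if transport == tr and lo <= port <= hi:
        return "Static RPC" if static_rpc else "Dynamic RPC"
    return None


@dataclass
class Finding:
    src: str
    dst: str
    transport: str
    port: int


def audit(lines: List[str], static_rpc: bool = True) -> List[Finding]:
    """Return the connections that no entry in the table permits.

    Each record is 'src dst TRANSPORT dport'; blank and '#' lines are skipped.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, transport, port = line.split()
        if classify(transport.upper(), int(port), static_rpc) is None:
            findings.append(Finding(src, dst, transport.upper(), int(port)))
    return findings


# Constructed sample: a front-end Web server (192.0.2.10) talking to a
# domain controller (192.0.2.20) and a SQL Server computer (192.0.2.21).
SAMPLE_LOG = """
# src        dst          transport dport
192.0.2.10   192.0.2.20   UDP       389
192.0.2.10   192.0.2.20   TCP       88
192.0.2.10   192.0.2.21   TCP       1433
192.0.2.10   192.0.2.20   TCP       5010
192.0.2.10   192.0.2.20   TCP       49000
192.0.2.10   192.0.2.20   TCP       23
""".splitlines()

if __name__ == "__main__":
    for static in (False, True):
        label = "static RPC 5000-5040" if static else "dynamic RPC 1024-65535"
        print(f"--- with {label}")
        for f in audit(SAMPLE_LOG, static_rpc=static):
            print(f"not permitted: {f.src} -> {f.dst} {f.transport}/{f.port}")
```

With the full dynamic range only the Telnet-style connection to port 23 is flagged; with static RPC the connection to 49000/TCP is flagged as well, which is exactly the traffic the registry setting is meant to keep out.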

General Security Considerations

In a perimeter network scenario in which a SharePoint Portal Server farm deployment is
physically connected to a network segment that is part of the perimeter network
topology and whose servers are members of the perimeter network domain, perimeter
network domain accounts should be used to run the SharePoint Portal Server IIS
application pools.
However, if your SharePoint Portal Server deployment in a perimeter network needs to
access an external data source that is located in your corporate intranet, it will probably
need to do so using a corporate intranet domain account. For example, if you have a
Web Part that needs to access data in the corporate intranet in order to render a Web
page, it will probably need to use a corporate intranet domain account to do so. There is
a security risk associated with this because the corporate intranet domain account is
potentially exposed to the Internet. If an intruder were able to successfully attack and
penetrate your perimeter network, these credentials could be exposed to the intruder,
giving them access to the data in the corporate intranet.

Scenario 1: Single Portal Site on a Single Virtual Server (Using ISA Server 2000)
This section describes how to configure a SharePoint Portal Server deployment with a
single portal site on a single virtual server, exposed to both the corporate intranet and to
the extranet using only Basic authentication and SSL.
In this scenario, the portal site is hosted on the Default Web Site in IIS (that is, on the
virtual server for the Default Web Site).
Before performing the steps that follow, ensure that the following are true:

• SharePoint Portal Server is installed.
• There is one portal site hosted on the Default Web Site in IIS.
• You can access the portal site from the corporate intranet.

To enable the scenario described in this section, you must do the following steps, each of
which is explained in detail later in this section:

1. Configure Basic authentication on the Default Web Site in IIS.
2. Install an SSL server certificate on the Default Web Site in IIS.
3. Verify that you can access the portal site by using an internal SSL fully qualified
domain name (FQDN) URL.
4. Configure IIS to require SSL for the Default Web Site.
5. Modify the default URL for the portal site.
6. Verify that the proxy server settings for SharePoint Portal Server search are correctly
specified.
7. Configure the SharePoint Portal Server search service to use Basic authentication
when crawling content sources.
8. Create a public DNS entry.
9. Configure the network adapters in the external ISA Server 2000 computer.
10. Configure ISA Server 2000 to not intercept HTTP requests that use the OPTIONS
verb.
11. Ensure that the appropriate SSL server certificates are installed on the external ISA
Server 2000 computer.
12. Configure the external ISA Server 2000 computer to allow outbound connections to
the Internet.
13. Edit the web.config file.
14. Configure the external ISA Server 2000 computer to listen for incoming requests on
the appropriate IP address.
15. Create a destination set on the external ISA Server 2000 computer.
16. Create a Web publishing rule on the external ISA Server 2000 computer.
17. Verify that the Web publishing rule properties are correct.
18. Configure an alternate access setting that uses the public (external) FQDN URL that
users will use to access the portal site.
19. Verify that you can access the portal site through the Internet.

The following sections include procedures for the major steps above.
The examples in the following table are used in the procedures for this scenario.
Element                                    Example used in this scenario
-----------------------------------------  ---------------------------------------------------
Extranet domain name                       Perimeter.Net
Intranet domain name                       Corp.Net
Front-end Web server internal FQDN         ServerName.Perimeter.Net, where ServerName is the
                                           NetBIOS computer name of the front-end Web server
Front-end Web server internal FQDN URL     http://ServerName.Perimeter.Net, where ServerName
(HTTP)                                     is the NetBIOS computer name of the front-end Web
                                           server
Front-end Web server internal FQDN URL     https://ServerName.Perimeter.Net, where ServerName
(SSL)                                      is the NetBIOS computer name of the front-end Web
                                           server
Load-balancing internal FQDN               Portal.Perimeter.Net (resolves to the load-
                                           balancing virtual IP address)
Load-balancing internal FQDN URL (HTTP)    http://Portal.Perimeter.Net
Load-balancing internal FQDN URL (SSL)     https://Portal.Perimeter.Net
External FQDN                              ExtranetPortal.Perimeter.Net (resolves to an IP
                                           address on the external network adapter on the
                                           external ISA Server 2000 computer)
External FQDN URL                          https://ExtranetPortal.Perimeter.Net
Default Web Site in IIS                    Hosts existing portal site, TCP port 80,
                                           SSL port 443

Step 1: Configure Basic Authentication on the Default Web Site in IIS
Perform the following procedure on each front-end Web server in the SharePoint Portal
Server deployment.
The procedure given below is for the Default Web Site in IIS.
Configure Basic authentication on the Default Web Site in IIS

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click Default Web Site, and then click Properties.
4. On the Web Site tab, in the SSL port box, ensure that the port number is 443.
5. On the Directory Security tab, in the Authentication and access control section,
click Edit.
6. In the Authentication Methods dialog box, in the Authenticated access section,
clear any selected check boxes, and then select the Basic authentication
(password is sent in clear text) check box.
7. In the warning message box, click Yes.
8. Click OK to close the Authentication Methods dialog box.
9. Click OK to close the Default Web Site Properties dialog box.
10. If an Inheritance Overrides dialog box appears, click Select All, and then click
OK.

Step 2: Install an SSL Server Certificate on the Default Web Site in IIS
On each front-end Web server in the SharePoint Portal Server deployment, you must
now install an SSL server certificate on the Default Web Site in IIS that is hosting the
existing portal site. All of the SSL certificates must meet the following criteria:

• The “Issued to” name on the certificate must match the internal FQDN that you
specify when you configure the Web publishing rule on ISA Server 2000. In this
scenario, for example, the SSL certificate must be issued to Portal.Perimeter.Net if
you have a load-balanced deployment with more than one front-end Web server, or
to ServerName.Perimeter.Net if you have only one front-end Web server.
• The certificate must not be expired.
• The ISA Server 2000 computer must trust the certification authority (CA) that issued
the SSL certificate on the front-end Web servers running SharePoint Portal Server.

To accomplish this during testing, a local CA was used to generate the certificates for the
internal SSL connections between the ISA Server 2000 computer and the front-end Web
servers running SharePoint Portal Server. This ensured that the ISA Server 2000
computer and the front-end Web servers trusted the same CA.
For more information about obtaining and installing SSL certificates, see:

• “Obtaining and Installing Server Certificates” in the IIS 6.0 Technical Reference at
http://go.microsoft.com/fwlink/?LinkId=37235&clcid=0x409
• “Enabling Secure Sockets Layer for SharePoint Portal Server 2003” at
http://go.microsoft.com/fwlink/?linkid=28852&clcid=0x409

Step 3: Verify that You Can Access the Portal Site by Using an Internal SSL FQDN URL
Before continuing, it is strongly recommended that you ensure that you can successfully
access the portal site hosted on the Default Web Site by using an internal FQDN URL
that uses SSL. You must do this from each front-end Web server in the SharePoint Portal
Server deployment. If you have multiple load-balanced front-end Web servers in the
SharePoint Portal Server deployment, you should also verify that you can access the
portal site by using the URL that contains the FQDN that resolves to the load-balancing
virtual IP address. If you can successfully access the portal site by following the steps in
this section, Basic authentication and SSL are both working.
Depending on the SharePoint Portal Server deployment that you have, do one of the
following:

• If you have a SharePoint Portal Server deployment with only one front-end Web
server, the URL that you use to verify access is https://ServerName.Perimeter.Net,
where ServerName is the NetBIOS computer name of the front-end Web server.
• If you have a SharePoint Portal Server deployment with multiple load-balanced front-
end Web servers, you must test the internal FQDN URL for each server (that is,
https://ServerName.Perimeter.Net) and the URL containing the load-balancing FQDN
that resolves to your load-balancing virtual IP address (that is,
https://Portal.Perimeter.Net).
Verify that you can access the portal site by using an internal SSL FQDN URL
Depending on the proxy server configurations for your intranet and your Web browser
configuration, the request you send in the following procedure might get routed through
a proxy server, and you might encounter an error. Therefore, ensure that your Web
browser bypasses your intranet proxy servers for this test.

1. On each front-end Web server, open Internet Explorer, and then in the Address bar
type the internal SSL FQDN URL to access the portal site internally, for example,
https://ServerName.Perimeter.Net.
Important At this point, if you have a load-balanced SharePoint Portal Server
deployment, a Security Alert dialog box appears that states, “The name on the
security certificate is invalid or does not match the name of the site.” This alert
appears because the name of the site (ServerName) does not match the name on
the certificate (Portal.Perimeter.Net). You can ignore this error and click Yes to
proceed. However, you must correct any of the following issues before
proceeding:
• The certificate is expired.
• The certificate is not yet valid.
• The certificate is issued by a company that you have chosen not to trust.
2. In the Connect to dialog box, type the user name and password of an account that
has access to the portal site, and then click OK.
3. Verify that the home page of the existing portal site is correctly displayed.
4. If you have a SharePoint Portal Server deployment with multiple load-balanced front-
end Web servers, you must also verify that you can access the portal site by using
the load-balancing internal SSL FQDN URL that resolves to your load-balancing
virtual IP address. To do this:
1. On one front-end Web server, open Internet Explorer, and then in the Address
bar, type the load-balancing internal SSL FQDN URL to access the portal site
internally, for example, https://Portal.Perimeter.Net.
Important At this point, if a Security Alert dialog box appears, you must
correct any issues before proceeding.
2. In the Connect to dialog box, type the user name and password of an account
that has access to the portal site, and then click OK.
3. Verify that the home page of the existing portal site is correctly displayed.
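The certificate conditions in Step 2 and the Security Alert rules in Step 3 are easy to get wrong in a load-balanced farm, where a name mismatch is expected on the per-server URL but not on the load-balancing URL. The following script, added here and not part of the white paper, encodes those rules and runs them over constructed certificate records (the dict fields, the server names SPS01 and SPS02, and the CA name PerimeterLabCA are assumptions for the example; a real check would read the fields from the certificate the front-end Web server presents).

```python
"""Check the certificate rules of Steps 2 and 3 for every URL Step 3 tests.

Added example; not code from the white paper. Certificates are plain dicts
constructed for the example rather than parsed X.509 objects.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Result = Tuple[List[str], List[str]]  # (blocking problems, ignorable warnings)


def check_certificate(cert: dict, requested_fqdn: str, trusted_cas: set,
                      now: datetime, ignorable_name: Optional[str] = None) -> Result:
    """Apply the Step 2 criteria and the Step 3 alert rules to one certificate.

    Expired, not yet valid, and untrusted issuer are always blocking. A name
    mismatch is blocking unless the certificate is issued to ignorable_name
    (the load-balancing FQDN), which Step 3 says can be ignored when the
    per-server URL is tested in a load-balanced deployment.
    """
    problems, warnings = [], []
    if now > cert["not_after"]:
        problems.append("The certificate is expired.")
    if now < cert["not_before"]:
        problems.append("The certificate is not yet valid.")
    if cert["issuer"] not in trusted_cas:
        problems.append("The certificate is issued by a CA that is not trusted.")
    issued_to = cert["issued_to"].lower()
    if issued_to != requested_fqdn.lower():
        msg = (f"The name on the certificate ({cert['issued_to']}) does not "
               f"match the name of the site ({requested_fqdn}).")
        if ignorable_name and issued_to == ignorable_name.lower():
            warnings.append(msg + " Expected for a load-balanced deployment.")
        else:
            problems.append(msg)
    return problems, warnings


def verify_internal_ssl_access(certs: Dict[str, dict], server_names: List[str],
                               domain: str, trusted_cas: set, now: datetime,
                               lb_fqdn: Optional[str] = None) -> Dict[str, Result]:
    """Run the checks for each URL that Step 3 says to test.

    certs maps each server's NetBIOS name to the certificate it presents.
    With lb_fqdn set, the per-server URLs tolerate a mismatch against the
    load-balancing name, and the load-balancing URL itself must match.
    """
    results = {}
    for name in server_names:
        fqdn = f"{name}.{domain}"
        results[f"https://{fqdn}"] = check_certificate(
            certs[name], fqdn, trusted_cas, now, ignorable_name=lb_fqdn)
    if lb_fqdn:
        # Any front-end may answer for the virtual IP; the name must match here.
        results[f"https://{lb_fqdn}"] = check_certificate(
            certs[server_names[0]], lb_fqdn, trusted_cas, now)
    return results


# Constructed sample data (hypothetical CA name and certificate fields).
NOW = datetime(2005, 1, 15, tzinfo=timezone.utc)
TRUSTED = {"PerimeterLabCA"}
LB_CERT = {"issued_to": "Portal.Perimeter.Net", "issuer": "PerimeterLabCA",
           "not_before": datetime(2005, 1, 1, tzinfo=timezone.utc),
           "not_after": datetime(2006, 1, 1, tzinfo=timezone.utc)}
EXPIRED_CERT = dict(LB_CERT, not_after=datetime(2004, 12, 31, tzinfo=timezone.utc))


def example() -> Dict[str, Result]:
    """Two load-balanced front-ends, one of which still has an expired certificate."""
    return verify_internal_ssl_access({"SPS01": LB_CERT, "SPS02": EXPIRED_CERT},
                                      ["SPS01", "SPS02"], "Perimeter.Net",
                                      TRUSTED, NOW, lb_fqdn="Portal.Perimeter.Net")


if __name__ == "__main__":
    for url, (problems, warnings) in example().items():
        print(url, "->", "OK" if not problems else "FIX BEFORE PROCEEDING")
        for p in problems:
            print("   problem:", p)
        for w in warnings:
            print("   warning:", w)
```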

Step 4: Configure IIS to Require SSL for the Default Web Site
The Default Web Site in IIS is the virtual server hosting the portal site. This portal site is
to be secured with Basic authentication and SSL. After you have installed the correct SSL
server certificate on each front-end Web server in the SharePoint Portal Server
deployment, you must take the additional steps necessary to require SSL for the portal
site.
Perform the following procedure on all front-end Web servers in the SharePoint Portal
Server deployment.
Configure IIS to require SSL for the Default Web Site

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click Default Web Site, and then click Properties.
4. On the Directory Security tab, in the Secure communications section, click Edit.
5. On the Secure Communications dialog box, select the Require secure channel
(SSL) check box. Do not change any other settings in this dialog box.
6. Select the Require 128-bit encryption check box. ISA Server 2000, ISA
Server 2004, and the majority of modern browsers can now support 128-bit
encryption.
7. Do not change any other settings in this dialog box.
8. Click OK to close the Secure Communications dialog box.
9. Click OK to close the Default Web Site Properties dialog box.
10. If an Inheritance Overrides dialog box appears, click Select All, and then click
OK.

Step 5: Modify the Default URL for the Portal Site
When the portal site is created, a default URL entry is created in the SharePoint Portal
Server alternate access settings table. The default URL is the URL that was specified on
the Create Portal Site for ServerName page when the portal site was created. Typically,
this URL is http://ServerName, where ServerName is the NetBIOS computer name.
When you configure the Default Web Site in IIS to require SSL, you must modify the
default URL for the portal site to use HTTPS and to include the internal FQDN of the
SharePoint Portal Server deployment.
For example:

• If the SharePoint Portal Server deployment contains only one front-end Web server,
the default URL is https://ServerName.Perimeter.Net, where ServerName is the
NetBIOS computer name of the front-end Web server.
• If the SharePoint Portal Server deployment contains multiple network load-balanced
front-end Web servers, you must ensure that the default URL for the portal site
corresponds to the load-balancing virtual IP address by using the load-balancing
internal FQDN for that IP address in the URL, for example,
https://Portal.Perimeter.Net. The SharePoint Portal Server crawling process then uses
the load-balancing virtual IP address, which yields better performance and provides
failover for crawling if a front-end Web server becomes unavailable.

The steps that follow include instructions that apply regardless of how many front-end
Web servers you have in the SharePoint Portal Server deployment.

• For deployments containing only one front-end Web server, the steps in the following
procedure assume that:
• The internal FQDN is ServerName.Perimeter.Net.
• The internal FQDN URL is https://ServerName.Perimeter.Net, where ServerName
is the NetBIOS computer name of the front-end Web server.
• For deployments containing more than one front-end Web server, the steps in the
following procedure assume that:
• There is a load-balancing internal FQDN of Portal.Perimeter.Net.
• This FQDN resolves to the load-balancing virtual IP address.
• The load-balancing internal FQDN URL is https://Portal.Perimeter.Net.

Modify the default URL for the portal site

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Configure alternate
portal site URLs for intranet, extranet, and custom access.
2. On the Configure Alternate Portal Access Settings page, rest the pointer on Default
Web Site, and then click the arrow that appears.
3. On the menu that appears, click Edit.
4. On the Change Alternate Access Setting page, in the Default URL box, do one of the
following:
• If you have only one front-end Web server in the SharePoint Portal Server
deployment, change the URL to use HTTPS instead of HTTP and ensure that the
internal FQDN for your deployment is included (for example,
https://ServerName.Perimeter.Net).
• If the SharePoint Portal Server deployment contains more than one front-end
Web server and you are using network load-balancing, change the default URL to
use HTTPS instead of HTTP and ensure that the FQDN corresponding to your
load-balancing virtual IP address is used (for example,
https://Portal.Perimeter.Net).
5. Click OK.

Step 6: Verify that the Proxy Server Settings for SharePoint Portal Server Search Are Correctly Specified
You can specify proxy server settings that are used by the search service for SharePoint
Portal Server. However, it is possible to incorrectly specify the settings, resulting in the
crawl failing.
You specify the proxy server settings for SharePoint Portal Server search in the Proxy
Server Settings section on the Configure Server Farm Account Settings page in
SharePoint Portal Server Central Administration. If you specify a proxy server for
crawling external (non-intranet) content, but you do not want to crawl through the proxy
server when crawling internal (intranet) content, you can specify a bypass proxy setting.
If you specify a setting that begins with an asterisk, the crawl will still go through the
proxy server and might fail as a result. For example, if you specify *.Perimeter.Net, the
crawl will still go through the proxy server that you have specified and might fail as a
result.
Before proceeding, verify that the search proxy server settings are correct.
Verify that the proxy server settings for SharePoint Portal Server search are
correctly specified

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Server Configuration section, click Configure Server Farm Account Settings.
2. On the Configure Server Farm Account Settings page, in the Proxy Server Settings
section, if you have specified a proxy server address in the Address box and you
want to bypass the proxy server for local (intranet) addresses, do the following:
1. Select the Bypass proxy server for local (intranet) addresses check box.
2. In the Do not use proxy server for addresses beginning with box, type the
addresses for which you want to bypass the proxy server. You can specify
multiple addresses, separated by semicolons.
Important The address specified must not begin with an asterisk (*). For
example, specify https://*.Perimeter.Net as the address, and do not specify
*.Perimeter.Net. If you specify *.Perimeter.Net, the crawl will still go through
the proxy server and might fail as a result.
3. Click OK.

Step 7: Configure the SharePoint Portal Server Search Service to Use Basic Authentication when Crawling Content Sources
When SharePoint Portal Server crawls content sources, it does so by calling SharePoint
Portal Server Web services. This requires access to the Web site in IIS that is hosting the
portal site. Whatever authentication method is used by that Web site in IIS must be
used by the search service when those Web service calls are made. If this Web site in
IIS is secured with Basic authentication, the search service must also be configured to
use Basic authentication, or the crawl will fail with an Access denied error.
Perform the following procedure from a front-end Web server in the SharePoint Portal
Server deployment. In this procedure, you will:

• Configure SharePoint Portal Server search to use Basic authentication when crawling
non-portal content.
• Configure SharePoint Portal Server search to use Basic authentication when crawling
portal content.
• Perform a full update on both non-portal content and portal content.

Configure the SharePoint Portal Server search service to use Basic authentication when crawling content sources

1. On the Site Settings page, in the Search Settings and Indexed Content section,
click Configure search and indexing.
2. On the Configure Search and Indexing page, in the General Content Settings and
Indexing Status section, next to Exclude and include, click other content.
3. On the Exclude and Include Content for Non_Portal_Content page, do the following
for every group or rule that is included:
1. Verify that the protocol designation for any included item is HTTPS and not HTTP.
If the protocol is not HTTPS, the default URL for this portal site in the alternate
access settings table is incorrect. Ensure that you have specified the default URL
correctly. For more information, see the instructions for modifying the default URL
for the portal site earlier in this scenario.
2. Rest the pointer on the rule or group that is included, and then click the arrow
that appears.
3. On the menu, click Edit.
4. On the Edit Rule page, in the Specify Authentication section, click Specify
crawling account.
5. In the Account box, type the user name or ID that can access the resources in
this URL space in the format DOMAIN\UserName.
6. In the Password box, type the password for this user name.
Your password is protected and can be used only to access the needed resources
for the purpose of crawling content.
7. In the Confirm password box, type the password for this user name again.
8. Ensure that the Do not allow Basic authentication check box is cleared.
Important Clearing the Do not allow Basic authentication check box
might cause your password to be easily determined.
9. Click OK.
10. Repeat steps 3.2 through 3.9 for each group or rule that is included.
4. On the Exclude and Include Content for Non_Portal_Content page, click Configure
Search and Indexing in the breadcrumbs.
5. On the Configure Search and Indexing page, in the Other Content Sources section,
click Manage content sources.
6. On the Manage Content Sources page, rest the pointer on This portal, and then
click the arrow that appears.
7. On the menu that appears, click Edit.
8. On the Existing Web page or Web site content source page, click Advanced.
9. On the Configure Web page or Web site Content Source page, click Exclude and
Include Content.
10. On the Exclude and Include Content for Portal_Content page, do the following for
every group or rule that is included:
1. Verify that the protocol designation for any included item is HTTPS and not HTTP.
If the protocol is not HTTPS, the default URL for this portal site in the alternate
access settings table is incorrect. Ensure that you have specified the default URL
correctly. For more information, see the instructions for modifying the default URL
for the portal site earlier in this scenario.
2. Rest the pointer on the rule or group that is included, and then click the arrow
that appears.
3. On the menu that appears, click Edit.
4. On the Edit Rule page, in the Specify Authentication section, click Specify
crawling account.
5. In the Account box, type the user name or ID that can access the resources in
this URL space in the format DOMAIN\UserName.
6. In the Password box, type the password for this user name.
Your password is protected and can be used only to access the needed resources
for the purpose of crawling content.
7. In the Confirm password box, type the password for this user name again.
8. Ensure that the Do not allow Basic authentication check box is cleared.
Important Clearing the Do not allow Basic authentication check box
might cause your password to be easily determined.
9. Click OK.
10. Repeat steps 10.2 through 10.9 for each group or rule that is included.
11. Perform a full update on portal content and non-portal content. To do this:
1. On the Configure Search and Indexing page, in the General Content Settings
and Indexing Status section, next to Start portal content update, click Full.
2. On the Configure Search and Indexing page, in the General Content Settings
and Indexing Status section, next to Start non portal content update, click
Full.
12. Ensure that the updates succeed. If either update fails, the most likely causes are
the following:
• The default URL for the portal site is incorrect. Ensure that you have specified the
default URL correctly. For more information, see the instructions for modifying the
default URL for the portal site earlier in this scenario.
• The crawling account or password is incorrect. Verify that you have correctly
specified each.
• The crawling is using an incorrect authentication method. Ensure that you
performed the procedure in this section correctly.
• The crawling is using the incorrect protocol. Ensure that you have correctly
specified the protocol (for example, HTTP or HTTPS) for the default URL. For more
information, see the instructions for modifying the default URL for the portal site
earlier in this scenario.
• The search proxy server settings are incorrect. Ensure that you have correctly
specified the settings. For more information, see the instructions for verifying
that the proxy server settings are correct earlier in this scenario.

Step 8: Create a Public DNS Entry

After setting up SharePoint Portal Server and creating the portal site, you must create a
public DNS entry to map the public (external) FQDN to the IP address for the public
(external) interface of the external ISA Server 2000 computer. The URL containing the
FQDN is the URL that users will use to access the portal site across the extranet.
For example, you can map ExtranetPortal.Perimeter.Net to 111.11.111.11. When a client
attempts to connect to ExtranetPortal.Perimeter.Net, it will ask the public DNS server
what IP address corresponds to ExtranetPortal.Perimeter.Net. The public DNS server
would then point it to 111.11.111.11, which is the public IP address for your ISA
Server 2000 computer. The client will then attempt to establish a connection to
111.11.111.11.
For more information about creating a DNS entry or a wildcard DNS entry, see your DNS
documentation.

Step 9: Configure the Network Adapters in the External ISA Server 2000 Computer
The external ISA Server 2000 computer must have the following two network adapters:

• A public, or external, network interface, which is exposed to the clients that will
attempt to connect to the portal site (usually over the Internet).
• A private, or internal, network interface, which is exposed to the servers that it is
protecting.
You must assign one or more IP addresses on the external interface and at least one
IP address on the internal interface.
Configure the network adapters in the external ISA Server 2000 computer

1. On the ISA Server 2000 computer, click Start, point to Settings, and then click
Network Connections.
2. Right-click the external network connection, and then click Properties.
3. On the Properties page, on the General tab, in the This connection uses the
following items list, click Internet Protocol (TCP/IP), and then click
Properties.
4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and
DNS server addresses as appropriate for the network to which the network adapter is
attached.
Note You should not use the option to obtain an IP address automatically.
5. Click OK to close the Properties page.
6. Click OK to close the Properties page for the network connection.
7. Repeat steps 2 through 6 for the internal network connection.

Step 10: Configure ISA Server 2000 to not Intercept HTTP Requests that Use the OPTIONS Verb
By default, ISA Server 2000 answers HTTP requests that use the OPTIONS verb itself, with a
predefined set of methods, instead of forwarding them to the published Web server. Because
the following features depend on the WebDAV methods that the front-end Web server would
advertise in its own OPTIONS response, they might fail:

• Explorer View
• Web Distributed Authoring and Versioning (WebDAV)
• Shared Workspace task pane in Microsoft Office System programs
• Opening and saving files from Office programs to the site

To configure ISA Server 2000 to not intercept HTTP OPTIONS requests, you can add a
registry key. For more information, see article 304340, “The ISA Server Response to
Client Options Requests Is Limited to a Predefined Set,” in the Knowledge Base at
http://go.microsoft.com/fwlink/?linkid=37445&clcid=0x409.

Step 11: Ensure that the Appropriate SSL Server Certificates Are Installed on the External ISA Server 2000 Computer
As previously mentioned, the external ISA Server 2000 computer must trust the CA that
issued the SSL certificates on the front-end Web servers in the SharePoint Portal Server
deployment. Prescriptive guidance about installing certificates such that the ISA
Server 2000 computer trusts the CA that issued the SSL certificates on the front-end
Web servers in the SharePoint Portal Server deployment is beyond the scope of this
white paper.
You must also install another SSL certificate on the ISA Server 2000 computer. This SSL
certificate must match the public (external) FQDN that clients will use to connect to the
portal site.
For more information, see "Digital Certificates for ISA Server and Published Servers," at
http://go.microsoft.com/fwlink/?linkid=37909&clcid=0x409.
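The second requirement above, that the listener certificate match the public (external) FQDN, is a name-matching check that is easy to get wrong with wildcard certificates. The following Python script is an added example, not part of this white paper: it applies the usual wildcard rules to the names a certificate carries (Subject CN and subjectAltName DNS entries). CERT_NAMES is a constructed list, and PUBLIC_FQDN and INTERNAL_FQDN are taken from this scenario's examples; whether the ISA Server 2000 computer trusts the CA that issued the front-end Web servers' certificates is a separate check that this script does not perform.

```python
"""Check that a certificate's names cover the public (external) FQDN.

Added example, not part of the original white paper.  CERT_NAMES is a
constructed list of the names a certificate carries; replace it with the
names from the certificate you intend to bind to the ISA Server 2000
listener.
"""
from __future__ import annotations

PUBLIC_FQDN = "ExtranetPortal.Perimeter.Net"
INTERNAL_FQDN = "ServerName.Perimeter.Net"

# Constructed sample: names from a hypothetical wildcard certificate.
CERT_NAMES = ["*.Perimeter.Net"]


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name: str, fqdn: str) -> bool:
    """True if cert_name covers fqdn.

    Wildcard rules applied: the wildcard must be the whole leftmost label,
    at least two fixed labels must follow it, and it matches exactly one
    label.  So *.Perimeter.Net covers ExtranetPortal.Perimeter.Net but not
    Perimeter.Net (too short) or a.b.Perimeter.Net (crosses a label).
    """
    cert_labels, fqdn_labels = _labels(cert_name), _labels(fqdn)
    if "*" not in cert_name:
        return cert_labels == fqdn_labels
    if cert_labels[0] != "*" or "*" in cert_name[1:] or len(cert_labels) < 3:
        return False
    return len(cert_labels) == len(fqdn_labels) and cert_labels[1:] == fqdn_labels[1:]


def certificate_covers(cert_names: list[str], fqdn: str) -> bool:
    """True if any name on the certificate covers fqdn."""
    return any(name_matches(n, fqdn) for n in cert_names)


def listener_certificate_report(cert_names: list[str], fqdn: str) -> dict:
    """Summarise the check for one listener; 'ok' is the result that matters."""
    matched = [n for n in cert_names if name_matches(n, fqdn)]
    return {"fqdn": fqdn, "matched_by": matched, "ok": bool(matched)}


if __name__ == "__main__":
    print(listener_certificate_report(CERT_NAMES, PUBLIC_FQDN))
    # A certificate issued only for the internal name does not satisfy the
    # external listener, which is why the paper calls for a second one.
    print(listener_certificate_report([INTERNAL_FQDN], PUBLIC_FQDN))
```

The second report shows why the front-end Web servers' certificate cannot simply be reused on the listener: a name for ServerName.Perimeter.Net does not cover ExtranetPortal.Perimeter.Net, and clients would see a name mismatch warning.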

Step 12: Configure the External ISA Server 2000 Computer to Allow Outbound Connections to the Internet
You must configure the external ISA Server 2000 computer to allow SharePoint Portal
Server to make connections to the Internet when necessary. This is required, for
example, to crawl content that is on the Internet. You do this by configuring the ISA
Server 2000 computer to allow outbound connections to the Internet from the
SharePoint Portal Server deployment.

Note Depending on your configuration, steps 8 through 14 of the following procedure
(creating a client address set) are optional. If you skip them, the protocol rule created
in step 21 applies to any request, which lets every computer behind the firewall reach the
Internet over HTTP and HTTPS; restricting the rule to the computers that run the index
component keeps the outbound allowance to what crawling requires. For more information
about the process of creating a Web publishing rule and the choices you can make during
this process, see the ISA Server 2000 documentation at
http://go.microsoft.com/fwlink/?LinkId=38039&clcid=0x409.

Configure the external ISA Server 2000 computer to allow outbound connections to the Internet

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Management.
2. In the left pane, expand Servers and Arrays, and then expand ServerName.
3. Right-click ServerName, and then click Properties.
4. On the Outgoing Web Requests tab, under Identification, select one of the
following:
• Use the same listener configuration for all internal IP addresses
• Configure listeners individually per IP address
5. If you selected Configure listeners individually per IP address in the previous
step, and if a listener has not already been defined, click Add, and then do the
following:
1. In the Server list, select the name of the computer running ISA Server 2000.
2. In the IP Address list, select the IP address on the server that listens for
outgoing Web requests.
3. Click OK.
6. Click OK to close the Properties dialog box.
7. In the message box that indicates that the Web proxy service needs to be restarted,
select either choice and click OK.
If you chose to not restart the service, you must restart the service manually before
the changes can take effect.
8. In the left pane, expand Policy Elements.
9. Right-click Client Address Sets, point to New, and then click Set.
10. In the Client Set dialog box, in the Name box, type a descriptive name for your
server environment such as SharePoint Portal Server computers.
11. Click Add.
12. In the Add/Edit IP Addresses box, in the From and To boxes, type the IP address
range of the computers running the index component of SharePoint Portal Server. If
the deployment has only one SharePoint Portal Server computer, type the IP address
of that computer. If the deployment has more than one SharePoint Portal Server
computer running the index component, type the addresses of all servers running
the index component.
For example, if the IP addresses for the computers running the SharePoint Portal
Server index component are 192.168.1.1, 192.168.1.2, and 192.168.1.3, type the
following:
From: 192.168.1.1
To: 192.168.1.3
13. Click OK to close the Add/Edit IP Addresses box.
14. Click OK to close the Client Set dialog box.
15. Expand Access Policy.
16. Right-click Protocol Rules, point to New, and then click Rule.
17. On the Welcome page of the New Protocol Rule Wizard, in the Protocol rule name
box, type a protocol rule name such as Allow Web servers access to Internet,
and then click Next.
18. On the Rule Action page, click Allow, and then click Next.
19. On the Protocols page, in the Apply this rule to list, click Selected protocols, and
then in the Protocols list, select the HTTP and HTTPS check boxes, and then click
Next.
20. On the Schedule page, in the Use this schedule list, click Always, and then click
Next.
21. On the Client Type page, do one of the following:
• If you did not complete steps 8-14, click Any request, and then click Next.
• If you completed steps 8-14, click Specific computers (client address sets),
and then click Next. On the Client Sets page, click Add, and in the Defined Sets
pane, select the client set you created earlier, and then click Add. Click OK to
close the Add Client Sets dialog box. Click Next.
22. On the completion page, click Finish.
Step 13: Edit the web.config File
After the proxy server is configured to allow outbound connections to the Internet, you
must configure Windows SharePoint Services to allow connections to the Internet so that
the Web Capture Web Part and the online Web Part gallery work correctly. You do this by
editing the web.config file on each front-end Web server in the SharePoint Portal Server
deployment.
Edit the web.config file

1. On each front-end Web server, go to the web.config file in the root of the virtual
server that hosts the portal site. In this scenario, for example, the path to the
web.config file is C:\Inetpub\wwwroot\web.config.
2. Open web.config in Notepad.
3. After the </SharePoint> tag, add the following tags to configure Windows
SharePoint Services to make connections to the Internet through your outbound
proxy server, using the proxy server name and TCP port number required to connect
to the Internet:
<system.net>
<defaultProxy>
<proxy proxyaddress="http://ProxyServer:Port" bypassonlocal="true" />
</defaultProxy>
</system.net>
4. Save the file.
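Because this edit has to be repeated on every front-end Web server, it is worth scripting. The following Python script is an added example, not part of this white paper: it inserts the same <system.net> section shown above directly after </SharePoint>, leaves an existing <defaultProxy> alone so it can be run more than once, and can add a <bypasslist> so that internal hosts are not reached through the ISA Server 2000 computer. The proxy name ISAServer.Perimeter.Net, its port 8080, the bypass entry and the cut-down SAMPLE_WEB_CONFIG are constructed values, not taken from the paper; Python is used because it runs unchanged on an administrator's workstation, whereas the paper's procedures are GUI steps.

```python
"""Add <system.net>/<defaultProxy> to a front-end Web server's web.config.

Added example, not part of the original white paper.  PROXY_URL and
SAMPLE_WEB_CONFIG are constructed; use your outbound listener's name and
port, and the real file path, in their place.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

PROXY_URL = "http://ISAServer.Perimeter.Net:8080"   # assumed outbound listener

# Constructed, cut-down web.config with only the elements that matter here.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <SharePoint>
    <SafeMode MaxControls="50" CallStack="false" />
  </SharePoint>
  <system.web>
    <httpRuntime maxRequestLength="51200" />
  </system.web>
</configuration>
"""


def _child(parent: ET.Element, tag: str) -> ET.Element | None:
    """First direct child with the given tag (tags such as system.net contain dots)."""
    return next((c for c in parent if c.tag == tag), None)


def ensure_default_proxy(xml_text: str, proxy_url: str,
                         bypass: list[str] | None = None) -> tuple[str, bool]:
    """Return (web.config text, changed); unchanged text when <defaultProxy> exists."""
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ValueError(f"not a web.config: root element is <{root.tag}>")
    system_net = _child(root, "system.net")
    if system_net is not None and _child(system_net, "defaultProxy") is not None:
        return xml_text, False
    if system_net is None:
        system_net = ET.Element("system.net")
        sharepoint = _child(root, "SharePoint")
        children = list(root)
        position = children.index(sharepoint) + 1 if sharepoint is not None else len(children)
        root.insert(position, system_net)          # directly after </SharePoint>

    default_proxy = ET.SubElement(system_net, "defaultProxy")
    ET.SubElement(default_proxy, "proxy", proxyaddress=proxy_url, bypassonlocal="true")
    if bypass:
        bypass_list = ET.SubElement(default_proxy, "bypasslist")
        for pattern in bypass:                     # .NET treats these as regular expressions
            ET.SubElement(bypass_list, "add", address=pattern)

    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode"), True


def read_proxy_settings(xml_text: str) -> dict | None:
    """Return the effective <defaultProxy> settings, or None if the section is absent."""
    root = ET.fromstring(xml_text)
    system_net = _child(root, "system.net")
    default_proxy = _child(system_net, "defaultProxy") if system_net is not None else None
    if default_proxy is None:
        return None
    proxy = _child(default_proxy, "proxy")
    bypass_list = _child(default_proxy, "bypasslist")
    tags = [c.tag for c in root]
    return {
        "proxyaddress": proxy.get("proxyaddress") if proxy is not None else None,
        "bypassonlocal": proxy.get("bypassonlocal") if proxy is not None else None,
        "bypass": [a.get("address") for a in bypass_list] if bypass_list is not None else [],
        "after_sharepoint": ("SharePoint" in tags
                             and tags.index("system.net") == tags.index("SharePoint") + 1),
    }


def update_file(path: str, proxy_url: str, bypass: list[str] | None = None) -> bool:
    """Apply ensure_default_proxy to a file on disk; True if the file was rewritten."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated, changed = ensure_default_proxy(original, proxy_url, bypass)
    if changed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return changed


if __name__ == "__main__":
    text, changed = ensure_default_proxy(SAMPLE_WEB_CONFIG, PROXY_URL, [r"Portal\.Perimeter\.Net"])
    print(changed, read_proxy_settings(text))
```

To apply it to a real server, call update_file with the path from step 1 (for this scenario, C:\Inetpub\wwwroot\web.config) and your proxy URL. ElementTree drops the XML declaration when it serializes, which web.config does not require; and because .NET matches <bypasslist> entries as regular expressions against the request URL, escape the dots in host names as the example does.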

Step 14: Configure the External ISA Server 2000 Computer to Listen for Incoming Requests on the Appropriate IP Address
Now you must configure the external ISA Server 2000 computer to listen to the requests
coming in on the public network interface. After the server is listening, it can apply the
rules you set up later in this process.
Configure the external ISA Server 2000 computer to listen for incoming
requests on the appropriate IP address

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Management.
2. In the left pane, expand Servers and Arrays, and then expand ServerName.
3. Right-click ServerName, and then click Properties.
4. On the Incoming Web Requests tab, under Identification, select one of the
following:
• Use the same listener configuration for all IP addresses
• Configure listeners individually per IP address
5. If you selected Use the same listener configuration for all IP addresses, do the
following:
1. Ensure that the Enable SSL listeners check box is selected, and ensure that
SSL port is 443.
2. In the Connections section, select the Ask unauthenticated users for
identification check box. This setting forces the listener to authenticate users on
the domain before the request gets to the front-end Web servers that are
protected by the external ISA Server 2000 computer.
3. In the list, select the server, and then click Edit.
4. Select the Use a server certificate to authenticate to web clients check box,
and then click Select.
5. Select the server certificate that matches the name of the public (external) FQDN
that clients will use to access the portal site across the extranet, and then click
OK.
6. Under Authentication, select the Basic with this domain check box.
7. In the ISA Server Configuration warning dialog box, click Yes.
8. Click Select domain, and then in the Domain Name box, type the name of or
browse for the extranet domain to which the SharePoint Portal Server computers
are joined, and then click OK. For example, in this scenario the name of the
extranet domain is Perimeter.Net.
9. Under Authentication, ensure that the following check boxes are cleared:
• Digest with this domain
• Integrated
• Client certificate (secure channel only)
10. Click OK to close the Add/Edit Listeners dialog box.
11. Click OK to close the Properties dialog box.
12. In the message box, select Save the changes and restart the service(s), and
then click OK.
You can also select Save the changes, but don’t restart the service(s), but
then you must restart the services later.
6. If you selected Configure listeners individually per IP address, do the following:
1. Ensure that the Enable SSL listeners check box is selected, and ensure that
SSL port is 443.
2. In the Connections section, select the Ask unauthenticated users for
identification check box. This setting forces the listener to authenticate users on
the domain before the request gets to the front-end Web servers that are
protected by the external ISA Server 2000 computer.
3. Click Add.
4. In the Add/Edit dialog box, in the Server list, select the name of the computer
running ISA Server 2000.
5. In the IP Address list, select the public IP address on the server that listens for
incoming Web requests.
6. In the Display Name box, type a display name.
7. Select the Use a server certificate to authenticate to web clients check box,
and then click Select.
8. In the Certificates list, select the server certificate that matches the name of the
public (external) FQDN that clients will use to access the portal site across the
extranet, and then click OK.
9. Under Authentication, select the Basic with this domain check box.
10. In the ISA Server Configuration warning dialog box, click Yes.
11. Click Select domain, and then in the Domain Name box, type the name of or
browse for the extranet domain to which the SharePoint Portal Server computers
are joined, and then click OK. For example, in this scenario the name of the
extranet domain is Perimeter.Net.
12. Under Authentication, ensure that the following check boxes are cleared:
• Digest with this domain
• Integrated
• Client certificate (secure channel only)
13. Click OK to close the Add/Edit Listeners dialog box.
14. Click OK to close the Properties dialog box.
15. In the ISA Server Warning message box, select Save the changes and
restart the service(s), and then click OK.
You can also select Save the changes, but don’t restart the service(s), but
then you must restart the services later.

Step 15: Create a Destination Set on the External ISA Server 2000 Computer
A destination set is used to categorize incoming requests so that the external ISA
Server 2000 computer or firewall can then apply rules to that request. In this step you
create a destination set for the public (external) FQDN of your portal site so that you can
later use it in a Web publishing rule to publish your portal site.
Create a destination set on the external ISA Server 2000 computer

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Management.
2. In the left pane, expand Servers and Arrays, expand ServerName, and then
expand Policy Elements.
3. Right-click Destination Sets, point to New, and then click Set.
4. In the Name box, type a name for this destination set, such as SharePoint Portal
Server Internet-facing sites.
5. Click Add.
6. Click Destination, and then type the server name that clients will use to access your
site, such as ExtranetPortal.Perimeter.Net.
7. Click OK to close the Add/Edit Destination dialog box.
8. Click OK to close the New Destination Set dialog box.

Step 16: Create a Web Publishing Rule on the External ISA Server 2000 Computer
This Web publishing rule forwards requests, complete with host headers, from the ISA
Server 2000 computer to a front-end Web server.
Create a Web publishing rule on the external ISA Server 2000 computer

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Management.
2. In the left pane, expand Servers and Arrays, expand ServerName, and then
expand Publishing.
3. Right-click Web Publishing Rules, point to New, and then click Rule.
4. On the Welcome page of the New Web Publishing Rule Wizard, in the Web
publishing rule name box, type a name for the rule, such as ExtranetRule, and
then click Next.
5. On the Destination Sets page, do the following:
1. In the Apply this rule to list, click Specified destination set.
2. In the Name list, click the destination set name you created earlier (for example,
SharePoint Portal Server Internet-facing sites).
3. Click Next.
6. On the Client Type page, click Any request, and then click Next.
7. On the Rule Action page, do the following:
1. Click Redirect the request to this internal Web server (name or IP
address), and then in the text box, type the internal DNS name for the server or
server farm running SharePoint Portal Server.
2. Select the Send the original host header to the publishing server instead
of the actual one (specified above) check box.
3. Verify that the port settings for the protocols are correct for the server or server
farm running SharePoint Portal Server, for example, TCP port 80 for HTTP, TCP
port 443 for SSL.
4. Click Next.
8. On the completion page, click Finish.
Step 17: Verify that the Web Publishing
Rule Properties are Correct
After creating the Web publishing rule, you must confirm that all the properties are
correct. You will also specify additional settings in the following procedure.
Verify that the Web publishing rule properties are correct

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Management.
2. In the left pane, expand Servers and Arrays, expand ServerName, and then
expand Publishing.
3. Click the Web Publishing Rules folder.
4. In the details pane, double-click the Web publishing rule that you created in the
previous step in this paper (for example, ExtranetRule).
5. On the Destinations tab, ensure the following:
1. In the This rule applies to list, Selected destination set is selected.
2. In the Name list, the correct destination set is shown.
6. On the Action tab, ensure the following:
1. The Redirect the request to this internal Web server (name or IP
address) option is specified as the internal FQDN of the SharePoint Portal Server
computer or server farm.
2. The Send the original host header to the publishing server instead of the
actual one (specified above) check box is selected.
3. The Allow delegation of basic authentication credentials check box is
selected.
4. The port settings for the protocols are correct for the server or server farm
running SharePoint Portal Server (for example, TCP port 80 for HTTP, TCP port
443 for SSL).
7. On the Bridging tab, do the following:
1. In the Redirect HTTP requests as section, ensure that HTTP requests is
selected.
2. In the Redirect SSL requests as section, ensure that SSL requests (establish
a new secure channel to the site) is selected.
3. Select the Require secure channel (SSL) for published site check box.
4. Select the Require 128-bit encryption check box. This rejects clients that can only
negotiate weaker, export-strength cipher suites; ISA Server 2000, ISA Server 2004, and
the majority of modern browsers support 128-bit encryption.
5. Ensure that the Use a certificate to authenticate to the SSL Web server
check box is cleared.
8. Click OK.
Step 18: Configure an Alternate Access
Setting that Uses the Public (External)
FQDN URL that Users Will Use to Access the
Portal Site
Alternate access settings provide a mechanism for server farm administrators to identify
the different ways in which users access portal sites, to help ensure that URLs are
displayed appropriately for the manner in which the user accesses the portal site.
You must configure an alternate access setting to enable users to access the portal site
across the extranet and to ensure that links returned in portal site pages can be
reached.
Configure an alternate access setting that uses the public (external) FQDN URL
that users will use to access the portal site

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Configure alternate
portal site URLs for intranet, extranet, and custom access.
2. On the Configure Alternate Portal Access Settings page, rest the pointer on Default
Web Site, and then click the arrow that appears.
3. On the menu that appears, click Edit.
4. On the Change Alternate Access Setting page, in the Extranet URL box, type the
extranet URL. This URL is the public (external) FQDN that clients will use to access
the portal site over the extranet, for example, https://ExtranetPortal.Perimeter.Net.
5. Click OK.

Step 19: Verify that You Can Access the Portal Site Through the Internet
A computer connected to the Internet must be able to access the portal site in the
extranet domain by using a URL containing the public (external) FQDN. For this scenario,
https://ExtranetPortal.Perimeter.Net is the URL containing the public FQDN.
To verify that you can access the extranet from the Internet, do the following from a
client computer that has Internet connectivity.
Verify that you can access the portal site through the Internet

1. Open a Web browser, and in the Address bar type the public (external) FQDN that
clients will use to access the portal site through the Internet. For example, in this
scenario, the URL is https://ExtranetPortal.Perimeter.Net.
2. In the Connect to dialog box, type the user name and password of an account that
has access to the portal site, and then click OK. Verify that the home page of the
portal site appears.
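The browser test above confirms that the page loads, but not that the listener and the OPTIONS pass-through behave as Steps 10 and 14 require. The following Python script is an added example, not part of this white paper: it checks both from response headers. An unauthenticated GET of the public URL must be met by a 401 that offers Basic only (the listener has Digest, Integrated and client certificate cleared), and an OPTIONS response must carry the WebDAV headers the front-end Web server emits rather than the firewall's own reply. The SAMPLE_* responses are constructed to show the two shapes; they are not captures from ISA Server 2000, whose predefined OPTIONS reply is described in Knowledge Base article 304340. fetch_response() runs the same requests against the live public URL when you have connectivity.

```python
"""Audit responses from the published portal (added example, not from the paper).

Two checks over HTTP response headers: an unauthenticated GET must be met by a
Basic-only 401 (Step 14 clears Digest, Integrated and client certificate), and
an OPTIONS request must be answered by the front-end Web server rather than the
firewall (Step 10), which shows as the WebDAV headers IIS adds.  The SAMPLE_*
responses are constructed, not captured; fetch_response() issues live requests.
"""
from __future__ import annotations

import http.client
import ssl
from urllib.parse import urlsplit

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}

SAMPLE_401_BASIC_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="ExtranetPortal.Perimeter.Net"\r\n'
    "Content-Length: 0\r\n\r\n")
SAMPLE_401_INTEGRATED_LEAK = (        # a listener left with Integrated enabled
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="ExtranetPortal.Perimeter.Net"\r\n'
    "Content-Length: 0\r\n\r\n")
SAMPLE_OPTIONS_FROM_IIS = (           # what a WebDAV-enabled IIS front end returns
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, "
    "PUT, DELETE, COPY, MOVE, LOCK, UNLOCK\r\n"
    "DAV: 1,2\r\nMS-Author-Via: MS-FP/4.0,DAV\r\n"
    "Content-Length: 0\r\n\r\n")
SAMPLE_OPTIONS_INTERCEPTED = (        # shape only; the real predefined set is in KB 304340
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n")


def parse_raw_response(raw: str) -> tuple[int, list[tuple[str, str]]]:
    """Split a raw HTTP/1.x response into (status code, [(name, value), ...])."""
    status_line, *lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines)]
    return int(status_line.split(" ", 2)[1]), headers


def header_values(headers: list[tuple[str, str]], name: str) -> list[str]:
    """All values of a header, matched case-insensitively (headers may repeat)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def check_auth_challenge(status: int, headers: list[tuple[str, str]]) -> list[str]:
    """Problems with an unauthenticated GET; empty means a Basic-only 401."""
    problems = [] if status == 401 else [f"expected a 401 challenge, got {status}"]
    schemes = {v.split(None, 1)[0].lower() for v in header_values(headers, "WWW-Authenticate")}
    if "basic" not in schemes:
        problems.append("no Basic challenge: listener is not set to 'Basic with this domain'")
    for extra in sorted(schemes - {"basic"}):
        problems.append(f"listener also offers {extra}; Step 14 clears Digest, Integrated and client certificate")
    return problems


def check_options_passthrough(status: int, headers: list[tuple[str, str]]) -> list[str]:
    """Problems with an OPTIONS response; empty means IIS's WebDAV headers came through."""
    problems = [] if status == 200 else [f"expected 200 for OPTIONS, got {status}"]
    if not header_values(headers, "DAV"):
        problems.append("no DAV header: OPTIONS was answered by the firewall, not the front-end Web server")
    allowed = {m.strip().upper() for v in header_values(headers, "Allow") for m in v.split(",") if m.strip()}
    if missing := sorted(WEBDAV_METHODS - allowed):
        problems.append("Allow lacks " + ", ".join(missing) + "; Explorer View and Office saves will fail")
    return problems


def fetch_response(url: str, method: str = "GET", timeout: float = 10.0):
    """Live helper: one TLS request with certificate and hostname verification."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=ssl.create_default_context(), timeout=timeout)
    conn.request(method, parts.path or "/")
    resp = conn.getresponse()
    return resp.status, resp.getheaders()


def audit_samples() -> dict[str, list[str]]:
    """Run both checks over the constructed samples."""
    return {
        "401 basic only": check_auth_challenge(*parse_raw_response(SAMPLE_401_BASIC_ONLY)),
        "401 integrated leak": check_auth_challenge(*parse_raw_response(SAMPLE_401_INTEGRATED_LEAK)),
        "options from iis": check_options_passthrough(*parse_raw_response(SAMPLE_OPTIONS_FROM_IIS)),
        "options intercepted": check_options_passthrough(*parse_raw_response(SAMPLE_OPTIONS_INTERCEPTED)),
    }


if __name__ == "__main__":
    for name, problems in audit_samples().items():
        print(name, "->", problems or "ok")
```

Against a live deployment, pass the result of fetch_response("https://ExtranetPortal.Perimeter.Net/") to check_auth_challenge and of fetch_response(..., method="OPTIONS") to check_options_passthrough. The Negotiate and NTLM findings matter because the extranet domain should not be handing Integrated challenges to anonymous Internet clients, and a missing DAV header is the quickest way to tell that the registry change in Step 10 has not taken effect.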
Scenario 2: Single Portal Site on Two Virtual
Servers (Using ISA Server 2000)
Many organizations want to host the same portal site content for both corporate intranet
users and for users outside the external corporate firewall.
This section of the paper describes how to configure a SharePoint Portal Server
deployment to host the same portal site on two virtual servers (that is, on two Web sites
in IIS). In this configuration, one virtual server is used for corporate intranet access, and
the other virtual server is used for extranet access. When you have completed this
scenario:

• Users connected to the corporate intranet will be able to access the portal site by
using Integrated Windows authentication.
• Users outside the external corporate firewall will be able to access the portal site by
using Basic authentication with SSL.

Before performing the steps that follow, ensure that the following are true:

• SharePoint Portal Server is installed.


• There is one portal site hosted on the Default Web Site in IIS using Integrated
Windows authentication.
• The Default Web Site is using TCP port 80.
• You can access the portal site from the corporate intranet.

The steps in this section are those required to host the same portal site on a new virtual
server that is created for users outside of the external corporate firewall/proxy server. To
enable the scenario described in this section, you must do the following steps, each of
which is explained in detail later in this section:

1. Verify that the default URL for the portal site is correctly specified.
2. Verify that the proxy server settings for SharePoint Portal Server search are correctly
specified.
3. Create a new Web site in IIS to host the existing portal site.
4. Delete the SSL port designation for the Default Web Site in IIS.
5. Configure the new Web site in IIS to use TCP port 443 for SSL.
6. Configure Basic authentication on the new Web site in IIS.
7. Extend the new Web site in IIS to host the existing portal site.
8. Verify that the new Web site in IIS is correctly hosting the existing portal site.
9. Install an SSL server certificate on the new Web site in IIS.
10. Verify that you can access the portal site hosted on the new Web site by using an
internal SSL FQDN URL.
11. Configure IIS to require SSL for the new Web site.
12. Create a public DNS entry.
13. Configure the network adapters in the external ISA Server 2000 computer.
14. Configure ISA Server 2000 to not intercept HTTP requests that use the OPTIONS
verb.
15. Ensure that the appropriate SSL server certificates are installed on the external ISA
Server 2000 computer.
16. Configure the external ISA Server 2000 computer to allow outbound connections to
the Internet.
17. Edit the web.config file.
18. Configure the external ISA Server 2000 computer to listen for incoming requests on
the appropriate IP address.
19. Create a destination set on the external ISA Server 2000 computer.
20. Create a Web publishing rule on the external ISA Server 2000 computer.
21. Verify that the Web publishing rule properties are correct.
22. Configure an alternate access setting that uses the public (external) FQDN URL that
users will use to access the portal site.
23. Verify that you can access the portal site through the Internet.

The following sections include procedures for the major steps above.
The examples in the following table are used in the procedures for this scenario.

Element                                        Example used in this scenario
---------------------------------------------  -------------------------------------------------------------
Extranet domain name                           Perimeter.Net
Intranet domain name                           Corp.Net
Front-end Web server internal FQDN             ServerName.Perimeter.Net, where ServerName is the NetBIOS computer name of the front-end Web server
Front-end Web server internal FQDN URL (HTTP)  http://ServerName.Perimeter.Net, where ServerName is the NetBIOS computer name of the front-end Web server
Front-end Web server internal FQDN URL (SSL)   https://ServerName.Perimeter.Net, where ServerName is the NetBIOS computer name of the front-end Web server
Load-balancing internal FQDN                   Portal.Perimeter.Net (resolves to the load-balancing virtual IP address)
Load-balancing internal FQDN URL (HTTP)        http://Portal.Perimeter.Net
Load-balancing internal FQDN URL (SSL)         https://Portal.Perimeter.Net
External FQDN                                  ExtranetPortal.Perimeter.Net (resolves to an IP address on the external network adapter on the external ISA Server 2000 computer)
External FQDN URL                              https://ExtranetPortal.Perimeter.Net
Default Web Site in IIS                        Hosts existing portal site, TCP port 80, no SSL port
New Web site in IIS                            BasicWebSite, TCP port 8080, SSL port 443 (will host the existing portal site)

Step 1: Verify that the Default URL for the Portal Site Is Correctly Specified
This step applies only if the SharePoint Portal Server deployment has more than one
front-end Web server and you are using network load balancing. If this does not apply to
your deployment, go to the next step.
When a portal site is created, a default URL entry is created in the SharePoint Portal
Server alternate access settings table. The default URL is the URL that was specified on
the Create Portal Site for ServerName page when the portal site was created. Typically,
this URL is http://ServerName, where ServerName is the NetBIOS computer name.
If the SharePoint Portal Server deployment contains multiple network load-
balanced front-end Web servers, ensure that the default URL for your portal site
corresponds to the load-balancing virtual IP address. This ensures that the SharePoint
Portal Server crawling process uses the load-balancing virtual IP address, which yields
better performance and provides failover for crawling in case a front-end Web server
becomes unavailable.
The following procedure applies only if you have a SharePoint Portal Server deployment
with more than one front-end Web server.
The steps in the following procedure assume that there is a load-balancing internal
FQDN of Portal.Perimeter.Net and that this FQDN resolves to the load-balancing virtual IP
address. The load-balancing internal FQDN URL is therefore http://Portal.Perimeter.Net.
Verify that the default URL for the portal site is correctly specified

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Configure alternate
portal site URLs for intranet, extranet, and custom access.
2. On the Configure Alternate Portal Access Settings page, rest the pointer on Default
Web Site, and then click the arrow that appears.
3. On the menu that appears, click Edit.
4. On the Change Alternate Access Setting page, in the Default URL box, ensure that
the default URL of the portal site is set to http://Portal.Perimeter.Net.
5. Click OK.

Step 2: Verify that the Proxy Server Settings for SharePoint Portal Server Search Are Correctly Specified
You can specify proxy server settings that are used by the search service for SharePoint
Portal Server. However, it is possible to incorrectly specify the settings, resulting in the
crawl failing.
You specify the search service settings for SharePoint Portal Server in the Proxy Server
Settings section on the Configure Server Farm Account Settings page in SharePoint
Portal Server Central Administration. If you specify a proxy server for crawling external
(non-intranet) content but do not want internal (intranet) content to be crawled through
it, you can specify a bypass proxy setting. Bypass entries that begin with an asterisk are
not honored: for example, if you specify *.Perimeter.Net, the crawl still goes through the
proxy server and might fail as a result.
Before proceeding, verify that the search proxy server settings are correct.
Verify that the SharePoint Portal Server search proxy server settings are
correctly specified

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Server Configuration section, click Configure Server Farm Account Settings.
2. On the Configure Server Farm Account Settings page, in the Proxy Server Settings
section, if you have specified a proxy server address in the Address box and you
want to bypass the proxy server for local (intranet) addresses, do the following:
1. Select the Bypass proxy server for local (intranet) addresses check box.
2. In the Do not use proxy server for addresses beginning with box, type the
addresses for which you want to bypass the proxy server. Multiple addresses can
be specified, separated by semicolons.
Important The address specified must not begin with an asterisk (*). For
example, specify http://*.Perimeter.Net as the address, and do not specify
*.Perimeter.Net. If you specify *.Perimeter.Net, the crawl will still go through
the proxy server and might fail as a result.
3. Click OK.

Step 3: Create a New Web Site in IIS to Host the Existing Portal Site
On each front-end Web server in the SharePoint Portal Server deployment, you must
create a new Web site in IIS. This Web site will host the existing portal site (that is, the
portal site that is also hosted on the Default Web Site in IIS). The descriptions, TCP
ports, and other settings specified in this step must be the same on each front-end Web
server.
Create a new Web site in IIS to host the existing portal site

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click Web Sites, point to New, and then click Web Site.
4. On the Welcome page of the Web Site Creation Wizard, click Next.
5. On the Web Site Description page, type a description for the new Web site, such as
BasicWebSite, and then click Next.
6. On the IP Address and Port Settings page, in the Enter the IP address to use for
this Web site list, leave the setting at the default of (All Unassigned).
7. In the TCP port this Web site should use (Default 80) box, type a new TCP port
number. This port number must be unique and cannot be used by any other Web site
in IIS. Because the Default Web Site in IIS already uses TCP port 80, you must
specify a value other than 80, for example, 8080. This step is required because
SharePoint Portal Server cannot use virtual servers that are bound to discrete IP
addresses. For more information, see “Appendix A: Known Issues.”
8. Do not specify a host header for this Web site.
9. Click Next.
10. On the Web Site Home Directory page, type a path to the home directory for this
new Web site, for example, C:\Inetpub\wwwroot\BasicWebSite.
11. Clear the Allow anonymous access to this Web site check box, and then click
Next.
12. On the Web Site Access Permissions page, click Next. Do not change any of the
default permission settings.
13. On the completion page, click Finish.

Step 4: Delete the SSL Port Designation for the Default Web Site in IIS
In a scenario that uses Windows SharePoint Services, SharePoint Portal Server, and ISA
Server 2000, only one SSL-secured portal site can be published by using ISA
Server 2000. The new Web site that you created to host the existing portal site for
extranet access must use SSL port 443. Web sites in IIS cannot use the same port
numbers, so you must delete the SSL port designation for the Default Web Site in IIS
and use that SSL port number for the new Web site that was created (BasicWebSite in
this example).

Important Although different Web sites in IIS can use the same port numbers if
they are differentiated by using IIS host headers, you cannot use IIS host headers
with SSL. This is by design in IIS. For more information, see article 187504, “HTTP
1.1 Host Headers Are Not Supported When You Use SSL,” in the Knowledge Base at
http://go.microsoft.com/fwlink/?LinkId=38059&clcid=0x409.

Perform the following procedure on each front-end Web server in the SharePoint Portal
Server deployment.
Delete the SSL port designation for the Default Web Site in IIS

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click Default Web Site, and then click Properties.
4. On the Web Site tab, in the Web site identification section, clear the SSL port
text box.
5. Click Apply.
6. Click OK to close the Properties page.

Step 5: Configure the New Web Site in IIS to Use TCP Port 443 for SSL
On each front-end Web server in the SharePoint Portal Server deployment, you must
configure the new Web site (BasicWebSite in this example) to use TCP port 443 for SSL.
The SSL port specified in this step must be the same on each front-end Web server.
Configure the new Web site in IIS to use TCP port 443 for SSL

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click the name of the Web site that you just created (BasicWebSite in this
example), and then click Properties.
4. On the Web Site tab, in the Web site identification section, in the SSL port box,
type 443.
5. Click Apply.
6. Click OK to close the Properties page.
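Steps 3 through 5 exist to work around two IIS 6 binding rules: sites on the same IP address can share a TCP port only if their host headers differ, and SSL bindings on the same IP address and port always collide because host headers are unavailable to SSL (Knowledge Base article 187504). The following Python check is an added example, not part of this white paper: given a list of site bindings, it reports the pairs that cannot both run, so the state before and after Steps 4 and 5 can be compared. SITES_BEFORE and SITES_AFTER are constructed from this scenario's table; the Site class and its field names are this example's own, and ip="*" stands for the (All Unassigned) setting that the paper says SharePoint Portal Server virtual servers must keep.

```python
"""Detect IIS 6 binding conflicts before extending the second virtual server.

Added example, not part of the original white paper.  SITES_BEFORE and
SITES_AFTER are constructed from the scenario table.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    tcp_port: int | None = None    # HTTP binding, None if the site has none
    ssl_port: int | None = None    # SSL binding, None if the site has none
    host_header: str = ""          # only meaningful for the HTTP binding
    ip: str = "*"                  # "*" is IIS Manager's (All Unassigned)


def find_binding_conflicts(sites: list[Site]) -> list[str]:
    """One line per pair of sites whose bindings collide.

    Only identical IP settings are compared: a site bound to a specific
    address coexists with one on (All Unassigned), so the SharePoint
    constraint that keeps every site on (All Unassigned) is what makes
    port numbers the only remaining way to tell the sites apart.
    """
    conflicts = []
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            if a.ip != b.ip:
                continue
            if (a.tcp_port is not None and a.tcp_port == b.tcp_port
                    and a.host_header.lower() == b.host_header.lower()):
                conflicts.append(f"{a.name} / {b.name}: TCP port {a.tcp_port} with the same host header")
            if a.ssl_port is not None and a.ssl_port == b.ssl_port:
                conflicts.append(f"{a.name} / {b.name}: SSL port {a.ssl_port} (host headers do not apply to SSL)")
            for http_site, ssl_site in ((a, b), (b, a)):
                if http_site.tcp_port is not None and http_site.tcp_port == ssl_site.ssl_port:
                    conflicts.append(f"{http_site.name} HTTP port {http_site.tcp_port} is {ssl_site.name}'s SSL port")
    return conflicts


# Before Step 4: both sites still claim SSL port 443.
SITES_BEFORE = [
    Site("Default Web Site", tcp_port=80, ssl_port=443),
    Site("BasicWebSite", tcp_port=8080, ssl_port=443),
]
# After Steps 4 and 5: the SSL port has moved to BasicWebSite.
SITES_AFTER = [
    Site("Default Web Site", tcp_port=80, ssl_port=None),
    Site("BasicWebSite", tcp_port=8080, ssl_port=443),
]


if __name__ == "__main__":
    print("before:", find_binding_conflicts(SITES_BEFORE))
    print("after: ", find_binding_conflicts(SITES_AFTER))
```

Run before Step 3 with the bindings shown in IIS Manager on each front-end Web server; the check is also a reminder that the second portal site cannot be given its own SSL binding by adding a host header, only by taking the SSL port away from the Default Web Site as Step 4 does.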

Step 6: Configure Basic Authentication on the New Web Site in IIS
On each front-end Web server in the SharePoint Portal Server deployment, you must
configure Basic authentication for the new Web site in IIS. Basic authentication sends the
password in clear text inside each request, so this Web site must never be reachable over
plain HTTP: Step 11 configures IIS to require SSL on it, and the Web publishing rule on the
external ISA Server 2000 computer delegates the Basic credentials to it only over the SSL
bridge configured on the rule's Bridging tab.
The procedure given below is for the new Web site that you created (for example,
BasicWebSite).
Configure Basic authentication on the new Web site in IIS

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click the name of the Web site that you just created (BasicWebSite in this
example), and then click Properties.
4. On the Directory Security tab, in the Authentication and access control section,
click Edit.
5. In the Authentication Methods dialog box, in the Authenticated access section,
clear any selected check boxes, and then select the Basic authentication
(password is sent in clear text) check box.
6. In the warning message box, click Yes.
7. Click OK to close the Authentication Methods dialog box.

8. Click OK to close the Properties dialog box.
9. If an Inheritance Overrides dialog box appears, click Select All, and then click
OK.

Step 7: Extend the New Web Site in IIS to Host the Existing Portal Site
On each front-end Web server in the SharePoint Portal Server deployment, you must
extend the new Web site in IIS (also called the virtual server) that you created so that it
can host the existing portal site.
Extend the new Web site in IIS to host the existing portal site

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Extend an existing
virtual server from the Virtual Server List page.
2. On the Virtual Server List page, click the name of the new virtual server that you
created previously, for example BasicWebSite.
3. On the Extend Virtual Server page, click Extend and map to another virtual
server.
4. On the Extend and Map to Another Virtual Server page, in the Server Mapping
section, in the Host name or IIS virtual server name list, ensure that Default
Web Site is selected.
5. In the Application Pool section, click Use an existing application pool, and then
select the application pool that is used by the existing portal site.
6. Click OK.

Step 8: Verify that the New Web Site in IIS Is Correctly Hosting the Existing Portal Site
Before going further, verify that the new Web site in IIS (BasicWebSite) is correctly
hosting the existing portal site from the intranet. Do this from each front-end Web
server in the SharePoint Portal Server deployment. The existing portal site hosted on the
new Web site in IIS is accessible by using a URL composed of the server name and the
TCP port number of the virtual server, for example, http://ServerName:8080.
Verify that the new Web site in IIS is correctly hosting the existing portal site

1. On each front-end Web server, open Internet Explorer, and then in the Address bar
type http://ServerName:PortNumber.
2. In the Connect to dialog box, type the user name and password of an account that
has access to the portal site, and then click OK.
3. Verify that the home page of the existing portal site is correctly displayed.

Step 9: Install an SSL Server Certificate on
the New Web Site in IIS
On each front-end Web server in the SharePoint Portal Server deployment, you must
now install an SSL server certificate on the new Web site in IIS (BasicWebSite) that is
hosting the existing portal site. Each of the SSL certificates must meet the following
criteria:

• The “Issued to” name on the certificate must match the internal FQDN that you
specify when you configure the Web publishing rule on ISA Server 2000. In this
scenario, for example, the SSL certificate must be issued to Portal.Perimeter.Net if
you have a load-balanced deployment with more than one front-end Web server, or
to ServerName.Perimeter.Net if you have only one front-end Web server.
• The certificate must not be expired.
• The ISA Server 2000 computer must trust the CA that issued the SSL certificate on
the front-end Web servers running SharePoint Portal Server.
To accomplish this during testing, a local CA was used to generate the certificates for the
internal SSL connections between the ISA Server 2000 computer and the front-end Web
servers running SharePoint Portal Server. This ensured that the ISA Server 2000
computer and the front-end Web servers trusted the same CA.
For more information about obtaining and installing SSL certificates, see the following:

• “Obtaining and Installing Server Certificates” in the IIS 6.0 Technical Reference at
http://go.microsoft.com/fwlink/?LinkId=37235&clcid=0x409.
• “Enabling Secure Sockets Layer for SharePoint Portal Server 2003” at
http://go.microsoft.com/fwlink/?linkid=28852&clcid=0x409.

Step 10: Verify that You Can Access the Portal Site Hosted on the New Web Site by Using an Internal SSL FQDN URL
Before continuing, it is strongly recommended that you ensure that you can successfully
access the portal site hosted on the new Web site in IIS by using an internal FQDN URL
that uses SSL. You must do this from each front-end Web server in the SharePoint Portal
Server deployment. If you have multiple load-balanced front-end Web servers in the
SharePoint Portal Server deployment, you should also verify that you can access the
portal site by using the URL that contains the FQDN that resolves to the load-balancing
virtual IP address. If you can successfully access the portal site by following the steps in
this section, Basic authentication and SSL are both working.
Depending on the SharePoint Portal Server deployment that you have, do one of the
following:

• If you have a SharePoint Portal Server deployment with only one front-end Web
server, the URL that you use to verify access is https://ServerName.Perimeter.Net,
where ServerName is the NetBIOS computer name of the front-end Web server.
• If you have a SharePoint Portal Server deployment with multiple load-balanced front-
end Web servers, you must test the internal FQDN URL for each server (that is,
https://ServerName.Perimeter.Net) and the URL containing the load-balancing FQDN
that resolves to your load-balancing virtual IP address (that is,
https://Portal.Perimeter.Net).
Verify that you can access the portal site hosted on the new Web site by using
an internal SSL FQDN URL
Depending on the proxy server configurations for your intranet and your Web browser
configuration, the request you send in the following procedure might get routed through
a proxy server, and you might encounter an error. Therefore, ensure that your Web
browser bypasses your intranet proxy servers for this test.

1. On each front-end Web server, open Internet Explorer, and then in the Address bar,
type the internal SSL FQDN URL to access the portal site internally, for example,
https://ServerName.Perimeter.Net.
Important At this point, if you have a load-balanced SharePoint Portal Server
deployment, a Security Alert dialog box appears that states, “The name on the
security certificate is invalid or does not match the name of the site.” This alert
appears because the name of the site (ServerName) does not match the name on
the certificate (Portal.Perimeter.Net). You can ignore this error and click Yes to
proceed. However, you must correct any of the following issues before
proceeding:
• The certificate is expired.
• The certificate is not yet valid.
• The certificate was issued by a company that you have chosen not to trust.
2. In the Connect to dialog box, type the user name and password of an account that
has access to the portal site, and then click OK.
3. Verify that the home page of the existing portal site is correctly displayed.
4. If you have a SharePoint Portal Server deployment with multiple load-balanced front-
end Web servers, you must also verify that you can access the portal site by using
the load-balancing internal SSL FQDN URL that resolves to your load-balancing
virtual IP address. To do this:
1. On one front-end Web server, open Internet Explorer, and then in the Address
bar, type the load-balancing internal SSL FQDN URL to access the portal site
internally, for example, https://Portal.Perimeter.Net.
Important At this point, if a Security Alert dialog box appears, you must
correct any issues before proceeding.
2. In the Connect to dialog box, type the user name and password of an account
that has access to the portal site, and then click OK.
3. Verify that the home page of the existing portal site is correctly displayed.
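The certificate criteria from Step 9 and the Security Alert conditions from Step 10, as an added check (not from the white paper or from any Microsoft tool): a Python script that evaluates a server certificate for expiry, validity start and "Issued to" name match, and can also fetch the certificate from a front-end Web server so that the CA trust decision is made by the connecting computer. The host names are the paper's placeholders; the sample certificate dictionaries and test time are constructed.

```python
"""Check an SSL server certificate against the criteria in Steps 9 and 10.

Added example, not part of the white paper or of any Microsoft tool.
Host names (Portal.Perimeter.Net, ServerName.Perimeter.Net) are the paper's
placeholders; the sample certificate dictionaries below are constructed.
"""
import socket
import ssl
import sys
import time


def names_on_certificate(cert):
    """Return the lower-cased 'Issued to' names: subject CN plus any DNS SANs."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def check_certificate(cert, expected_fqdn, now=None):
    """Return the problems found (an empty list means the certificate is usable).

    `cert` has the dictionary shape returned by ssl.SSLSocket.getpeercert().
    `now` is seconds since the epoch (UTC) and defaults to the current time.
    The findings mirror the conditions the paper says must be corrected
    before proceeding: expired, not yet valid, and name mismatch.
    """
    if now is None:
        now = time.time()
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate is expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if expected_fqdn.lower() not in names_on_certificate(cert):
        problems.append("'Issued to' name does not match %s" % expected_fqdn)
    return problems


def fetch_certificate(host, port=443, cafile=None):
    """Connect to host:port over TLS and return (cert, trust_problem).

    The handshake verifies the issuer chain against `cafile` (or the local
    trust store), which is the paper's third criterion: the connecting
    computer must trust the CA that issued the certificate.  Host-name
    checking is left to check_certificate so that a mismatch is reported
    as a finding instead of aborting the handshake.
    """
    context = ssl.create_default_context(cafile=cafile)
    context.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, "issuing CA is not trusted: %s" % exc


# Constructed sample certificate (getpeercert() form) for a load-balanced
# farm, issued to the load-balancing FQDN as Step 9 requires.
FARM_CERT = {
    "subject": ((("commonName", "Portal.Perimeter.Net"),),),
    "issuer": ((("commonName", "Perimeter Local CA"),),),
    "notBefore": "Jan 10 00:00:00 2005 GMT",
    "notAfter": "Jan 10 00:00:00 2007 GMT",
}
# Same certificate with a constructed earlier expiry date.
EXPIRED_CERT = dict(FARM_CERT, notAfter="Mar 01 00:00:00 2005 GMT")
# Fixed evaluation time so the offline results are repeatable.
TEST_TIME = ssl.cert_time_to_seconds("Jun 15 12:00:00 2005 GMT")

if __name__ == "__main__":
    if len(sys.argv) >= 3:  # usage: script.py HOST EXPECTED_FQDN [CA_FILE]
        cafile = sys.argv[3] if len(sys.argv) > 3 else None
        cert, trust_problem = fetch_certificate(sys.argv[1], cafile=cafile)
        problems = [trust_problem] if trust_problem else check_certificate(cert, sys.argv[2])
    else:
        # Offline demonstration of the Step 10 case: ServerName is typed in the
        # address bar but the farm certificate is issued to Portal.Perimeter.Net.
        problems = check_certificate(FARM_CERT, "ServerName.Perimeter.Net", TEST_TIME)
    print("\n".join(problems) or "certificate meets all criteria")
```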

Step 11: Configure IIS to Require SSL for the New Web Site
The new Web site in IIS (BasicWebSite) that you created earlier is the virtual server that
is hosting the existing portal site. Because this new Web site is to be secured with Basic
authentication and SSL, after you have installed the correct SSL server certificate on this
Web site, you can take the additional steps necessary to require SSL for the new Web
site.
Perform the following procedure on all front-end Web servers in the SharePoint Portal
Server deployment.
Configure IIS to require SSL for the new Web site

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click BasicWebSite, and then click Properties.
4. On the Directory Security tab, in the Secure communications section, click Edit.
5. In the Secure Communications dialog box, select the Require secure channel
(SSL) check box.
6. Select the Require 128-bit encryption check box. ISA Server 2000, ISA
Server 2004, and the majority of modern browsers can now support 128-bit
encryption.
7. Do not change any other settings in this dialog box.
8. Click OK to close the Secure Communications dialog box.
9. Click OK to close the BasicWebSite Properties dialog box.
10. If an Inheritance Overrides dialog box appears, click Select All, and then click
OK.

Step 12: Create a Public DNS Entry
After setting up SharePoint Portal Server and creating the portal site, you must create a
public DNS entry to map the public (external) FQDN to the IP address for the public
(external) interface of the external ISA Server 2000 computer. The URL containing the
FQDN is the URL that users will use to access the portal site across the extranet.
For example, you could map ExtranetPortal.Perimeter.Net to 111.11.111.11. When a
client attempts to connect to ExtranetPortal.Perimeter.Net, it will ask the public DNS
server what IP address corresponds to ExtranetPortal.Perimeter.Net. The public DNS
server would then point it to 111.11.111.11, which is the public IP address for your ISA
Server 2000 computer. The client will then attempt to establish a connection to
111.11.111.11.
For more information about creating a DNS entry or a wildcard DNS entry, see your DNS
documentation.

Step 13: Configure the Network Adapters in the External ISA Server 2000 Computer
The external ISA Server 2000 computer must have the following two network adapters:

• A public, or external, network interface, which is exposed to the clients that will
attempt to connect to the portal site (usually over the Internet).
• A private, or internal, network interface, which is exposed to the servers that it is
protecting.
You must assign one or more IP addresses on the external interface and at least one
IP address on the internal interface.
Configure the network adapters in the external ISA Server 2000 computer

1. On the ISA Server 2000 computer, click Start, point to Settings, and then click
Network Connections.
2. Right-click the external network connection, and then click Properties.
3. On the Properties page, on the General tab, in the This connection uses the
following items list, click Internet Protocol (TCP/IP), and then click
Properties.
4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and
DNS server addresses as appropriate for the network to which the network adapter is
attached.
Note You should not use the option to obtain an IP address automatically.
5. Click OK to close the Properties page.
6. Click OK to close the Properties page for the network connection.
7. Repeat steps 2 through 6 for the internal network connection.

Step 14: Configure ISA Server 2000 to Not Intercept HTTP Requests that Use the OPTIONS Verb
By default, ISA Server 2000 is configured to intercept HTTP requests that use the
OPTIONS verb. Therefore, the following might fail:

• Explorer View
• Web Distributed Authoring and Versioning (WebDAV)
• The Shared Workspace task pane in Microsoft Office System programs
• Opening and saving files from Office programs to the site

To configure ISA Server 2000 to not intercept these requests, you can add a registry
key. For more information, see article 304340, “The ISA Server response to client
options requests is limited to a predefined set,” in the Knowledge Base at
http://go.microsoft.com/fwlink/?linkid=37445&clcid=0x409.

Step 15: Ensure that the Appropriate SSL
Server Certificates Are Installed on the
External ISA Server 2000 Computer
As mentioned previously, the external ISA Server 2000 computer must trust the CA that
issued the SSL certificates on the front-end Web servers in the SharePoint Portal Server
deployment. Prescriptive guidance about installing a certificate such that the ISA
Server 2000 computer trusts the CA that issued the SSL certificates on the front-end
Web servers in the SharePoint Portal Server deployment is beyond the scope of this
white paper.
You must also install another SSL certificate on the ISA Server 2000 computer. This SSL
certificate must match the public (external) FQDN that clients will use to connect to the
portal site.
For more information, see "Digital Certificates for ISA Server and Published Servers" at
http://go.microsoft.com/fwlink/?LinkId=37909&clcid=0x409.

Step 16: Configure the External ISA Server 2000 Computer to Allow Outbound Connections to the Internet
You must configure the external ISA Server 2000 computer to allow SharePoint Portal
Server to make connections to the Internet when necessary. This is required, for
example, to crawl content that is on the Internet. You do this by configuring the ISA
Server 2000 computer to allow outbound connections to the Internet from the
SharePoint Portal Server deployment.

Note Depending on your configuration, steps 8-14 in the following procedure are
optional. For more information about the process of creating a Web publishing rule
and the choices you can make during this process, see the ISA Server 2000
documentation at http://go.microsoft.com/fwlink/?LinkId=38039&clcid=0x409.

Configure the external ISA Server 2000 computer to allow outbound connections to the Internet

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Management.
2. In the left pane, expand Servers and Arrays and then expand ServerName.
3. Right-click ServerName, and then click Properties.
4. On the Outgoing Web Requests tab, under Identification, select one of the
following:
• Use the same listener configuration for all internal IP addresses
• Configure listeners individually per IP address
5. If you selected Configure listeners individually per IP address in the previous
step, and if a listener has not already been defined, click Add, and then do the
following:
1. In the Server list, select the name of the computer running ISA Server 2000.
2. In the IP Address list, select the IP address on the server that listens for
outgoing Web requests.
3. Click OK.
6. Click OK to close the Properties dialog box.
7. In the message box that indicates that the Web proxy service needs to be restarted,
select either choice, and then click OK.
If you chose to not restart the service, you must restart the service manually before
the changes can take effect.
8. In the left pane, expand Policy Elements.
9. Right-click Client Address Sets, point to New, and then click Set.
10. In the Client Set dialog box, in the Name box, type a descriptive name for your
server environment such as SharePoint Portal Server computers.
11. Click Add.
12. In Add/Edit IP Addresses box, in the From and To boxes, type the IP address
range of the computers running the index component of SharePoint Portal Server. If
your deployment has only one SharePoint Portal Server computer, type the IP
address of that computer. If your deployment has more than one SharePoint Portal
Server computer running the index component, type the range of addresses of all
servers running the index component.
For example, if the IP addresses for the computers running the SharePoint Portal
Server index component are 192.168.1.1, 192.168.1.2, and 192.168.1.3, type the
following:
From: 192.168.1.1
To: 192.168.1.3
13. Click OK to close the Add/Edit IP Addresses dialog box.
14. Click OK to close the Client Set dialog box.
15. Expand Access Policy.
16. Right-click Protocol Rules, point to New, and then click Rule.
17. On the Welcome page of the New Protocol Rule Wizard, in the Protocol rule name
box, type a protocol rule name such as Allow Web servers access to Internet,
and then click Next.
18. On the Rule Action page, click Allow, and then click Next.
19. On the Protocols page, in the Apply this rule to list, click Selected protocols, and
then in the Protocols list, select the HTTP and HTTPS check boxes, and then click
Next.
20. On the Schedule page, in the Use this schedule list, click Always, and then click
Next.
21. On the Client Type page, do one of the following:
• If you did not complete steps 8-14, click Any request, and then click Next.
• If you completed steps 8-14, click Specific computers (client address sets),
and then click Next. On the Client Sets page, click Add, and in the Defined Sets
pane, select the client set you created earlier, and then click Add. Click OK to
close the Add Client Sets dialog box. Click Next.
22. On the completion page, click Finish.

Step 17: Edit the web.config File
After the proxy server is configured to allow outbound connections to the Internet, you
must configure Windows SharePoint Services to allow connections to the Internet so that
the Web Capture Web Part and the online Web Part gallery work correctly. You do this by
editing the web.config file on each front-end Web server in the SharePoint Portal Server
deployment.
Edit the web.config file

1. On each front-end Web server, go to the web.config file in the root of each virtual
server that hosts the portal site. In this scenario, for example, the paths to the two
web.config files are:
C:\Inetpub\wwwroot\web.config
C:\Inetpub\wwwroot\BasicWebSite\web.config
2. Open web.config in Notepad.
3. After the </SharePoint> tag, add the following tags to configure Windows
SharePoint Services to make connections to the Internet through your outbound
proxy server, using the proxy server name and TCP port number required to connect
to the Internet:
   <system.net>
     <defaultProxy>
       <proxy proxyaddress="http://ProxyServer:Port" bypassonlocal="true" />
     </defaultProxy>
   </system.net>
4. Save the file.
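The web.config edit in step 3, as an added example (not from the white paper or from Windows SharePoint Services): a Python script that inserts the defaultProxy block directly after the </SharePoint> tag, refuses to add a second system.net section, and checks that the result still parses before anything is written. The two file paths are the paper's examples; the proxy host name, port and sample web.config content are constructed placeholders.

```python
"""Insert the Step 17 <system.net><defaultProxy> block into a web.config file.

Added example, not part of the white paper or of Windows SharePoint Services.
The two paths are the paper's examples; the proxy host name, port and the
sample web.config content are constructed placeholders.
"""
import shutil
import sys
from xml.etree import ElementTree

PROXY_BLOCK = """  <system.net>
    <defaultProxy>
      <proxy proxyaddress="http://{server}:{port}" bypassonlocal="true" />
    </defaultProxy>
  </system.net>"""

# The paper's two web.config locations (Default Web Site and BasicWebSite).
WEB_CONFIG_PATHS = [
    r"C:\Inetpub\wwwroot\web.config",
    r"C:\Inetpub\wwwroot\BasicWebSite\web.config",
]

# Constructed sample web.config, trimmed to the elements this edit touches.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <SharePoint>
    <SafeMode MaxControls="50" CallStack="false" />
  </SharePoint>
  <system.web>
    <httpRuntime maxRequestLength="51200" />
  </system.web>
</configuration>
"""


def add_default_proxy(config_text, proxy_server, proxy_port):
    """Return config_text with the proxy block inserted after </SharePoint>.

    The insertion is textual so comments and element order elsewhere in the
    file are untouched.  ValueError is raised if </SharePoint> is absent or a
    <system.net> section already exists (a second one would be invalid; edit
    the existing section instead).
    """
    if "<system.net" in config_text:
        raise ValueError("web.config already contains a <system.net> section")
    tag = "</SharePoint>"
    position = config_text.find(tag)
    if position < 0:
        raise ValueError("no </SharePoint> tag found; is this a WSS web.config?")
    position += len(tag)
    block = PROXY_BLOCK.format(server=proxy_server, port=int(proxy_port))
    new_text = config_text[:position] + "\n" + block + config_text[position:]
    # Refuse to hand back a file IIS cannot parse: a broken web.config takes
    # the whole virtual server down.
    ElementTree.fromstring(new_text)
    return new_text


def configured_proxy_address(config_text):
    """Return the proxyaddress in effect, or None if no <proxy> element exists."""
    for proxy in ElementTree.fromstring(config_text).iter("proxy"):
        return proxy.get("proxyaddress")
    return None


def patch_file(path, proxy_server, proxy_port):
    """Back up web.config to path + '.bak', then write the updated file."""
    with open(path, encoding="utf-8-sig") as handle:
        text = handle.read()
    new_text = add_default_proxy(text, proxy_server, proxy_port)
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(new_text)


if __name__ == "__main__":
    # usage: script.py ProxyServer Port [web.config ...]; with no paths given,
    # the paper's two locations are used.  With no arguments at all, the
    # constructed sample is transformed and printed.
    if len(sys.argv) < 3:
        print(add_default_proxy(SAMPLE_WEB_CONFIG, "ProxyServer", 8080))
    else:
        for path in sys.argv[3:] or WEB_CONFIG_PATHS:
            patch_file(path, sys.argv[1], sys.argv[2])
            print("updated", path)
```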

Step 18: Configure the External ISA Server 2000 Computer to Listen for Incoming Requests on the Appropriate IP Address
Now you must configure the external ISA Server 2000 computer to listen to the requests
coming in on the public network interface. After the server is listening, it can apply the
rules you set up later in this process.
Configure the external ISA Server 2000 computer to listen for incoming
requests on the appropriate IP address

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Management.
2. In the left pane, expand Servers and Arrays, and then expand ServerName.
3. Right-click ServerName, and then click Properties.
4. On the Incoming Web Requests tab, under Identification, select one of the
following:
• Use the same listener configuration for all IP addresses
• Configure listeners individually per IP address
5. If you selected Use the same listener configuration for all IP addresses, do the
following:
1. Ensure that the Enable SSL listeners check box is selected, and ensure that
SSL port is 443.
2. Ensure that the TCP port is 8080. This listener will be used by a Web publishing
rule that will direct requests to the new Web site in IIS only. Although you will not
access the new Web site by using HTTP, the TCP port number is 8080, not 80.
3. In the Connections section, select the Ask unauthenticated users for
identification check box. This setting forces the listener to authenticate users on
the domain before the request gets to the front-end Web servers that are
protected by the external ISA Server 2000 computer.
4. In the list, select the server, and then click Edit.
5. Select the Use a server certificate to authenticate to web clients check box,
and then click Select.
6. Select the server certificate that matches the name of the public (external) FQDN
(for example, ExtranetPortal.Perimeter.Net) that clients will use to access the
portal site across the extranet, and then click OK.
7. Under Authentication, select the Basic with this domain check box.
8. In the ISA Server Configuration warning box, click Yes.
9. Click Select domain, and then in the Domain Name box, type the name of or
browse for the extranet domain to which the SharePoint Portal Server computers
are joined, and then click OK. For example, in this scenario the name of the
extranet domain is Perimeter.Net.
10. Under Authentication, ensure that the following check boxes are cleared:
• Digest with this domain
• Integrated
• Client certificate (secure channel only)
11. Click OK to close the Add/Edit Listeners dialog box.
12. Click OK to close the Properties dialog box.
13. In the message box, select Save the changes and restart the service(s), and
then click OK.
You can also select Save the changes, but don’t restart the service(s), but
then you must restart the services later.
6. If you selected Configure listeners individually per IP address, do the following:
1. Ensure that the Enable SSL listeners check box is selected, and ensure that
SSL port is 443.
2. Ensure that the TCP port is 8080. This listener will be used by a Web publishing
rule that will direct requests to the new Web site in IIS only. Although you will not
access the new Web site by using HTTP, the TCP port number is 8080, not 80.
3. In the Connections section, select the Ask unauthenticated users for
identification check box. This setting forces the listener to authenticate users on
the domain before the request gets to the front-end Web servers that are
protected by the external ISA Server 2000 computer.
4. Click Add.
5. In the Add/Edit dialog box, in the Server list, select the name of the computer
running ISA Server 2000.
6. In the IP Address list, select the public IP address on the server that listens for
incoming Web requests.
7. In the Display Name box, type a display name.
8. Select the Use a server certificate to authenticate to web clients check box,
and then click Select.
9. In the Certificates list, select the server certificate that matches the name of the
public (external) FQDN (for example, ExtranetPortal.Perimeter.Net) that clients
will use to access the portal site across the extranet, and then click OK.
10. Under Authentication, select the Basic with this domain check box.
11. In the ISA Server Configuration warning dialog box, click Yes.
12. Click Select domain, and then in the Domain Name box, type the name of or
browse for the extranet domain to which the SharePoint Portal Server computers
are joined, and then click OK. For example, in this scenario the name of the
extranet domain is Perimeter.Net.
13. Under Authentication, ensure that the following check boxes are cleared:
• Digest with this domain
• Integrated
• Client certificate (secure channel only)
14. Click OK to close the Add/Edit Listeners dialog box.
15. Click OK to close the Properties dialog box.
16. In the ISA Server Warning message box, select Save the changes and
restart the service(s), and then click OK.
You can also select Save the changes, but don’t restart the service(s), but
then you must restart the services later.

Step 19: Create a Destination Set on the
External ISA Server 2000 Computer
A destination set is used to categorize incoming requests so that the external ISA
Server 2000 computer or firewall can then apply rules to that request. In this step, you
create a destination set for the public (external) FQDN of your portal site so that you can
later use it in a Web publishing rule to publish your portal site.
Create a destination set on the external ISA Server 2000 computer

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Management.
2. In the left pane, expand Servers and Arrays, expand ServerName, and then
expand Policy Elements.
3. Right-click Destination Sets, point to New, and then click Set.
4. In the Name box, type a name for this destination set, such as SharePoint Portal
Server Internet-facing sites.
5. Click Add.
6. Click Destination, and then type the external FQDN that clients will use to access
your site (for example ExtranetPortal.Perimeter.Net).
7. Click OK to close the Add/Edit Destination dialog box.
8. Click OK to close the New Destination Set dialog box.

Step 20: Create a Web Publishing Rule on the External ISA Server 2000 Computer
This Web publishing rule forwards requests, complete with host headers, from the ISA
Server 2000 computer to a front-end Web server.
Create a Web publishing rule on the external ISA Server 2000 computer

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Management.
2. In the left pane, expand Servers and Arrays, expand ServerName, and then
expand Publishing.
3. Right-click Web Publishing Rules, point to New, and then click Rule.
4. On the Welcome page of the New Web Publishing Rule Wizard, in the Web
publishing rule name box, type a name for the rule, such as ExtranetRule, and
then click Next.
5. On the Destination Sets page, do the following:
1. In the Apply this rule to list, click Specified destination set.
2. In the Name list, click the destination set name you created earlier (for example,
SharePoint Portal Server Internet-facing sites).
3. Click Next.
6. On the Client Type page, click Any request, and then click Next.
7. On the Rule Action page, do the following:
1. Click Redirect the request to this internal Web server (name or IP
address), and then in the text box, type the internal FQDN for the server or
server farm running SharePoint Portal Server.
2. Select the Send the original host header to the publishing server instead
of the actual one (specified above) check box.
3. Verify that the port settings for the protocols are correct for the server or server
farm running SharePoint Portal Server. For this scenario, the port settings are TCP
port 8080 for HTTP, TCP port 443 for SSL.
4. Click Next.
8. On the completion page, click Finish.

Step 21: Verify that the Web Publishing Rule Properties Are Correct
After creating the Web publishing rule, you must confirm that all the properties are
correct. You will also specify additional settings in the following procedure.
Verify that the Web publishing rule properties are correct

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Management.
2. In the left pane, expand Servers and Arrays, expand ServerName, and then
expand Publishing.
3. Click the Web Publishing Rules folder.
4. In the details pane, double-click the Web publishing rule that you created in the
previous step in this paper (for example, ExtranetRule).
5. On the Destinations tab, ensure the following:
1. In the This rule applies to list, Selected destination set is selected.
2. In the Name list, the correct destination set is shown.
6. On the Action tab, ensure the following:
1. The Redirect the request to this internal Web server (name or IP
address) option is specified as the internal FQDN of the SharePoint Portal Server
deployment.
2. The Send the original host header to the publishing server instead of the
actual one (specified above) check box is selected.
3. The Allow delegation of basic authentication credentials check box is
selected.
4. The port setting for Connect to this port when bridging request as SSL is
correct. This scenario uses TCP port 443 for SSL.
7. On the Bridging tab, do the following:
1. In the Redirect HTTP requests as section, ensure that HTTP requests is
selected.
2. In the Redirect SSL requests as section, ensure that SSL requests (establish
a new secure channel to the site) is selected.
3. Select the Require secure channel (SSL) for published site check box.
4. Select the Require 128-bit encryption check box. ISA Server 2000, ISA
Server 2004, and the majority of modern browsers can now support 128-bit
encryption.
5. Ensure that the Use a certificate to authenticate to the SSL Web server
check box is cleared.
8. Click OK.

Step 22: Configure an Alternate Access Setting that Uses the Public (External) FQDN URL that Users Will Use to Access the Portal Site
Alternate access settings provide a mechanism for server farm administrators to identify
the different ways in which users access portal sites, ensuring that URLs are displayed
appropriately for the manner in which users access the portal site.
You must configure an alternate access setting to enable users to access the portal site
across the extranet and to ensure that links returned in portal site pages can be
reached.
Configure an alternate access setting that uses the public (external) FQDN URL
that users will use to access the portal site

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Configure alternate
portal site URLs for intranet, extranet, and custom access.
2. On the Configure Alternate Portal Access Settings page, rest the pointer on Default
Web Site, and then click the arrow that appears.
3. On the menu that appears, click Edit.
4. On the Change Alternate Access Setting page, in the Extranet URL box, type the
extranet URL. This URL is the public (external) FQDN that clients will use to access
the portal site over the extranet, for example, https://ExtranetPortal.Perimeter.Net.
5. Click OK.

Step 23: Verify that You Can Access the Portal Site through the Internet
A computer connected to the Internet must be able to access the portal site in the
extranet domain by using a URL containing the public (external) FQDN. For example,
https://ExtranetPortal.Perimeter.Net is the URL containing the public FQDN.
To verify that you can access the extranet from the Internet, do the following from a
client computer that has Internet connectivity.
Verify that you can access the portal site through the Internet

1. Open a Web browser, and in the Address bar type the public (external) FQDN that
clients will use to access the portal site. For example, in this scenario, the URL would
be https://ExtranetPortal.Perimeter.Net.
2. In the Connect to dialog box, type the user name and password of an account that
has access to the portal site, and then click OK. Verify that the home page of the
portal site appears.

Scenario 3: Single Portal Site on a Single Virtual Server (Using ISA Server 2004)
This section of the paper describes how to configure a SharePoint Portal Server
deployment with a single portal site on a single virtual server, exposed to both the
corporate intranet and to the extranet using Basic authentication and SSL only.
In this scenario, the portal site is hosted on the Default Web Site in IIS (that is, on the
virtual server for the Default Web Site).
Before performing the steps that follow, ensure that the following are true:

• SharePoint Portal Server is installed.
• There is one portal site hosted on the Default Web Site in IIS.
• You can access the portal site from your corporate intranet.

To enable the scenario described in this section, you must do the following steps, each of
which is explained in detail later in this section:

1. Configure Basic authentication on the Default Web Site in IIS.
2. Install an SSL server certificate on the Default Web Site in IIS.
3. Verify that you can access the portal site by using an internal SSL FQDN URL.
4. Configure IIS to require SSL for the Default Web Site.
5. Modify the default URL for the portal site.
6. Verify that the proxy server settings for SharePoint Portal Server search are correctly specified.
7. Configure the SharePoint Portal Server search service to use Basic authentication when crawling content sources.
8. Create a public DNS entry.
9. Configure the network adapters in the external ISA Server 2004 computer.
10. Ensure that the appropriate SSL server certificates are installed on the external ISA Server 2004 computer.
11. Configure the external ISA Server 2004 computer to allow outbound connections to the Internet.
12. Edit the web.config file.
13. Configure the external ISA Server 2004 computer to listen for incoming requests on the appropriate IP address.
14. Create a secure Web server publishing rule on the external ISA Server 2004 computer.
15. Verify that the secure Web server publishing rule properties are correct.
16. Configure an alternate access setting that uses the public (external) FQDN URL that users will use to access the portal site.
17. Verify that you can access the portal site through the Internet.

The following sections include procedures for the major steps above.
The examples in the following table are used in the procedures for this scenario.
Element                                         Example used in this scenario
Extranet domain name                            Perimeter.Net
Intranet domain name                            Corp.Net
Front-end Web server internal FQDN              ServerName.Perimeter.Net, where ServerName is the NetBIOS computer name of the front-end Web server
Front-end Web server internal FQDN URL (HTTP)   http://ServerName.Perimeter.Net, where ServerName is the NetBIOS computer name of the front-end Web server
Front-end Web server internal FQDN URL (SSL)    https://ServerName.Perimeter.Net, where ServerName is the NetBIOS computer name of the front-end Web server
Load-balancing internal FQDN                    Portal.Perimeter.Net (resolves to the load-balancing virtual IP address)
Load-balancing internal FQDN URL (HTTP)         http://Portal.Perimeter.Net
Load-balancing internal FQDN URL (SSL)          https://Portal.Perimeter.Net
External FQDN                                   ExtranetPortal.Perimeter.Net (resolves to an IP address on the external network adapter on the external ISA Server 2004 computer)
External FQDN URL                               https://ExtranetPortal.Perimeter.Net
Default Web Site in IIS                         Hosts existing portal site, TCP port 80, SSL port 443

Step 1: Configure Basic Authentication on the Default Web Site in IIS
Perform the following procedure on each front-end Web server in the SharePoint Portal
Server deployment.
The procedure given below is for the Default Web Site in IIS.

Configure Basic authentication on the Default Web Site in IIS

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click Default Web Site, and then click Properties.
4. On the Web Site tab, in the SSL port box, ensure that the port number is 443.
5. On the Directory Security tab, in the Authentication and access control section,
click Edit.
6. In the Authentication Methods dialog box, in the Authenticated access section,
clear any selected check boxes, and then select the Basic authentication
(password is sent in clear text) check box.
7. In the warning message box, click Yes.
8. Click OK to close the Authentication Methods dialog box.
9. Click OK to close the Default Web Site Properties dialog box.
10. If an Inheritance Overrides dialog box appears, click Select All, and then click
OK.

Step 2: Install an SSL Server Certificate on the Default Web Site in IIS
On each front-end Web server in the SharePoint Portal Server deployment, you must
now install an SSL server certificate on the Default Web Site in IIS that is hosting the
existing portal site. Each SSL certificate must meet the following criteria:

• The “Issued to” name on the certificate must match the internal FQDN that you
specify when you configure the Web publishing rule on ISA Server 2004. In this
scenario, for example, the SSL certificate must be issued to Portal.Perimeter.Net if
you have a load-balanced deployment with more than one front-end Web server, or
to ServerName.Perimeter.Net if you have only one front-end Web server.
• The certificate must not be expired.
• The ISA Server 2004 computer must trust the CA that issued the SSL certificate on
the front-end Web servers running SharePoint Portal Server.
To accomplish this during testing, a local CA was used to generate the certificates for the
internal SSL connections between the ISA Server 2004 computer and the front-end Web
servers running SharePoint Portal Server. This ensured that the ISA Server 2004
computer and the front-end Web servers trusted the same CA.
For more information about obtaining and installing SSL certificates, see the following:

• “Obtaining and Installing Server Certificates” in the IIS 6.0 Technical Reference at
http://go.microsoft.com/fwlink/?LinkId=37235&clcid=0x409.
• “Enabling Secure Sockets Layer for SharePoint Portal Server 2003” at
http://go.microsoft.com/fwlink/?linkid=28852&clcid=0x409.

Step 3: Verify that You Can Access the Portal Site by Using an Internal SSL FQDN URL
Before continuing, it is strongly recommended that you ensure that you can successfully
access the portal site hosted on the Default Web Site by using an internal FQDN URL
that uses SSL. You must do this from each front-end Web server in the SharePoint Portal
Server deployment. If you have multiple load-balanced front-end Web servers in the
SharePoint Portal Server deployment, you should also verify that you can access the
portal site by using the URL that contains the FQDN that resolves to the load-balancing
virtual IP address. If you can successfully access the portal site by following the steps in
this section, Basic authentication and SSL are both working.
Depending on the SharePoint Portal Server deployment that you have, do one of the
following:

• If you have a SharePoint Portal Server deployment with only one front-end Web
server, the URL that you would use to verify access would be
https://ServerName.Perimeter.Net, where ServerName is the NetBIOS computer
name of the front-end Web server.
• If you have a SharePoint Portal Server deployment with multiple load-balanced front-
end Web servers, you must test the internal FQDN URL for each server (that is,
https://ServerName.Perimeter.Net) and the URL containing the load-balancing FQDN
that resolves to your load-balancing virtual IP address (that is,
https://Portal.Perimeter.Net).
Verify that you can access the portal site by using an internal SSL FQDN URL
Depending on the proxy server configurations for your intranet and your Web browser
configuration, the request you send in the following procedure might get routed through
a proxy server, and you might encounter an error. Therefore, ensure that your Web
browser bypasses your intranet proxy servers for this test.

1. On each front-end Web server, open Internet Explorer, and then in the Address bar,
type the internal SSL FQDN URL to access the portal site internally. For example,
https://ServerName.Perimeter.Net.
   Important At this point, if you have a load-balanced SharePoint Portal Server
   deployment, a Security Alert dialog box appears that states, “The name on the
   security certificate is invalid or does not match the name of the site.” This alert
   appears because the name of the site (ServerName) does not match the name on
   the certificate (Portal.Perimeter.Net). You can ignore this error and click Yes to
   proceed. However, you must correct any of the following issues before
   proceeding:
      • The certificate is expired.
      • The certificate is not yet valid.
      • The certificate was issued by a company that you have chosen not to trust.
2. In the Connect to dialog box, type the user name and password of an account that
has access to the portal site, and then click OK.

3. Verify that the home page of the existing portal site is correctly displayed.
4. If you have a SharePoint Portal Server deployment with multiple load-balanced front-
end Web servers, you must also verify that you can access the portal site by using
the load-balancing internal SSL FQDN URL that resolves to your load-balancing
virtual IP address. To do this:
   1. On one front-end Web server, open Internet Explorer, and in the Address bar
   type the load-balancing internal SSL FQDN URL to access the portal site
   internally, for example, https://Portal.Perimeter.Net.
      Important At this point, if a Security Alert dialog box appears, you must
      correct any issues before proceeding.
   2. In the Connect to dialog box, type the user name and password of an account
   that has access to the portal site, and then click OK.
   3. Verify that the home page of the existing portal site is correctly displayed.
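The certificate criteria from Step 2 and the Security Alert cases from this step, as an added example that is not part of this white paper: check_cert evaluates a server certificate (in the dictionary form that Python's ssl module returns) against the name you expect it to be issued to, and reports the ignorable name mismatch separately from the failures that must be corrected (expired, not yet valid, untrusted CA). The host names, dates and sample certificate are constructed; verify_server assumes a PEM file for the local CA that issued the internal certificates.

```python
"""Added example (not part of the white paper): apply the Step 2 certificate
criteria and the Step 3 Security Alert cases to a server certificate.
Host names, dates and the sample certificate below are constructed."""
import socket
import ssl
import time


def names_on_cert(cert):
    """DNS names the certificate is 'issued to': SAN entries first, then CN."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def name_matches(pattern, host):
    """Exact (case-insensitive) match, or a single-label wildcard such as
    *.perimeter.net; the wildcard does not match the bare domain or two labels."""
    host = host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".perimeter.net"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return False


def check_cert(cert, expected_name, now=None):
    """Return a list of problems with a certificate dict (the format returned
    by ssl.SSLSocket.getpeercert()) when it is used for expected_name.

    'name mismatch' is the alert Step 3 says you may ignore when you browse
    to https://ServerName.Perimeter.Net but the certificate was issued to the
    load-balancing FQDN.  'expired' and 'not yet valid' must be fixed."""
    now = time.time() if now is None else now
    issues = []
    if not any(name_matches(n, expected_name) for n in names_on_cert(cert)):
        issues.append("name mismatch: certificate is not issued to " + expected_name)
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        issues.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        issues.append("expired")
    return issues


def verify_server(host, expected_name, cafile, port=443):
    """Fetch the certificate from host:port and check it.

    cafile is a PEM bundle for the local CA that issued the internal
    certificates (the same CA the ISA Server computer must trust).  Chain
    verification stays on, so an untrusted issuer or an out-of-date
    certificate is rejected by OpenSSL before the name check runs; hostname
    checking is turned off so that the expected name mismatch on a
    load-balanced deployment is reported rather than raised.  A modern default
    context refuses the SSL 3.0/TLS 1.0 versions a 2005-era server offers;
    lower ctx.minimum_version only on an isolated test network."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return ["chain rejected (untrusted CA, expired or not yet valid): "
                + str(exc.verify_message)]
    return check_cert(cert, expected_name)


# Constructed sample: a certificate issued by a local CA to the load-balancing
# FQDN, valid for calendar year 2005 (roughly the paper's publication date).
SAMPLE_CERT = {
    "subject": ((("commonName", "Portal.Perimeter.Net"),),),
    "subjectAltName": (("DNS", "Portal.Perimeter.Net"),),
    "notBefore": "Jan 10 00:00:00 2005 GMT",
    "notAfter": "Jan 10 00:00:00 2006 GMT",
}
MID_2005 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2005 GMT")
MID_2007 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2007 GMT")


if __name__ == "__main__":
    # Load-balanced case from Step 3: browsing to the server's own name gives
    # only the ignorable name mismatch; the load-balancing URL gives none.
    print(check_cert(SAMPLE_CERT, "ServerName.Perimeter.Net", MID_2005))
    print(check_cert(SAMPLE_CERT, "Portal.Perimeter.Net", MID_2005))
    print(check_cert(SAMPLE_CERT, "Portal.Perimeter.Net", MID_2007))
```

The same check applies later to the listener certificate on the ISA Server 2004 computer, with expected_name set to the public FQDN (ExtranetPortal.Perimeter.Net).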

Step 4: Configure IIS to Require SSL for the Default Web Site
The Default Web Site in IIS is the virtual server hosting the portal site. This portal site is
to be secured with Basic authentication and SSL. After you have installed the correct SSL
server certificate on each front-end Web server in the SharePoint Portal Server
deployment, you must take the additional steps necessary to require SSL for the portal
site.
Perform the following procedure on all front-end Web servers in the SharePoint Portal
Server deployment.
Configure IIS to require SSL for the Default Web Site

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click Default Web Site, and then click Properties.
4. On the Directory Security tab, in the Secure communications section, click Edit.
5. In the Secure Communications dialog box, select the Require secure channel
(SSL) check box.
6. Select the Require 128-bit encryption check box. ISA Server 2000, ISA
Server 2004, and the majority of modern browsers can now support 128-bit
encryption. Do not change any other settings in this dialog box.
7. Click OK to close the Secure Communications dialog box.
8. Click OK to close the Default Web Site Properties dialog box.
9. If an Inheritance Overrides dialog box appears, click Select All, and then click
OK.

Step 5: Modify the Default URL for the Portal Site
When the portal site is created, a default URL entry is created in the SharePoint Portal
Server alternate access settings table. The default URL is the URL that was specified on
the Create Portal Site for ServerName page when the portal site was created. Typically,
this URL is http://ServerName, where ServerName is the NetBIOS computer name.
When you configure the Default Web Site in IIS to require SSL, you must modify the
default URL for the portal site to use HTTPS and to include the internal FQDN of the
SharePoint Portal Server deployment.
For example:

• If the SharePoint Portal Server deployment contains only one front-end Web server,
the default URL would be https://ServerName.Perimeter.Net, where ServerName is
the NetBIOS computer name of the front-end Web server.
• If the SharePoint Portal Server deployment contains multiple network load-balanced
front-end Web servers, you must ensure that the default URL for the portal site
corresponds to the load-balancing virtual IP address by using the load-balancing
internal FQDN for that IP address in the URL, for example,
https://Portal.Perimeter.Net. The SharePoint Portal Server crawling process then uses
the load-balancing virtual IP address, which yields better performance and provides
failover for crawling in case a front-end Web server becomes unavailable.
The steps that follow include instructions that apply regardless of how many front-end
Web servers you have in the SharePoint Portal Server deployment.

• For deployments containing only one front-end Web server, the steps in the following
procedure assume that:
   • The internal FQDN is ServerName.Perimeter.Net.
   • The internal FQDN URL is https://ServerName.Perimeter.Net, where ServerName
   is the NetBIOS computer name of the front-end Web server.
• For deployments containing more than one front-end Web server, the steps in the
following procedure assume that:
   • There is a load-balancing internal FQDN of Portal.Perimeter.Net.
   • This FQDN resolves to the load-balancing virtual IP address.
   • The load-balancing internal FQDN URL is https://Portal.Perimeter.Net.

Modify the default URL for the portal site

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Configure alternate
portal site URLs for intranet, extranet, and custom access.
2. On the Configure Alternate Portal Access Settings page, rest the pointer on Default
Web Site, and then click the arrow that appears.
3. On the menu that appears, click Edit.
4. On the Change Alternate Access Setting page, in the Default URL box, do one of the
following:

• If you have only one front-end Web server in the SharePoint Portal Server
deployment, change the URL to use HTTPS instead of HTTP and ensure that the
internal FQDN for your deployment is included, for example,
https://ServerName.Perimeter.Net.
• If the SharePoint Portal Server deployment contains more than one front-end
Web server and you are using network load-balancing, change the default URL to
use HTTPS instead of HTTP and ensure that the FQDN corresponding to your
load-balancing virtual IP address is used (for example,
https://Portal.Perimeter.Net).
5. Click OK.

Step 6: Verify that the Proxy Server Settings for SharePoint Portal Server Search Are Correctly Specified
You can specify proxy server settings that are used by the search service for SharePoint
Portal Server. However, it is possible to incorrectly specify the settings, resulting in the
crawl failing.
You specify the settings in the Proxy Server Settings section on the Configure Server
Farm Account Settings page in SharePoint Portal Server Central Administration. If you
specify a proxy server for crawling external (non-intranet) content, but you do not want
to crawl through the proxy server when crawling internal (intranet) content, you can
specify a bypass proxy setting. A bypass setting that begins with an asterisk is not
honored: if you specify *.Perimeter.Net, for example, the crawl will still go through the
proxy server that you have specified and might fail as a result.
Before proceeding, verify that the search proxy server settings are correct.
Verify that the proxy server settings for SharePoint Portal Server search are
correctly specified

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Server Configuration section, click Configure server farm account settings.
2. On the Configure Server Farm Account Settings page, in the Proxy Server Settings
section, if you have specified a proxy server address in the Address box and you
want to bypass the proxy server for local (intranet) addresses, do the following:
1. Select the Bypass proxy server for local (intranet) addresses check box.
2. In the Bypass proxy server for local (intranet) addresses box, specify the
addresses for which you want to bypass the proxy server. Multiple addresses can
be specified, separated by semicolons.
Important The address specified must not begin with an asterisk (*). For
example, specify https://*.Perimeter.Net as the address, and do not specify
*.Perimeter.Net. If you specify *.Perimeter.Net, the crawl will still go through
the proxy server and might fail as a result.
3. Click OK.

Step 7: Configure the SharePoint Portal Server Search Service to Use Basic Authentication when Crawling Content Sources
When SharePoint Portal Server crawls content sources, it does so by calling SharePoint
Portal Server Web services. This requires access to the Web site in IIS that is hosting the
portal site. Whatever authentication method is used by that Web site in IIS must be
used by the search service when those Web service calls are made. If this Web site in
IIS is secured with Basic authentication, then the search service must be configured to
use Basic authentication, or the crawl will fail with an Access denied error.
Perform the following procedure from a front-end Web server in the SharePoint Portal
Server deployment. In this procedure, you will:

• Configure SharePoint Portal Server search to use Basic authentication when crawling
non-portal content.
• Configure SharePoint Portal Server search to use Basic authentication when crawling
portal content.
• Perform a full update on both non-portal content and portal content.

Configure the SharePoint Portal Server search service to use Basic authentication when crawling content sources

1. On the Site Settings page, in the Search Settings and Indexed Content section,
click Configure search and indexing.
2. On the Configure Search and Indexing page, in the General Content Settings and
Indexing Status section, next to Exclude and include, click other content.
3. On the Exclude and Include Content for Non_Portal_Content page, do the following
for every group or rule that is included:
1. Verify that the protocol designation for any included item is HTTPS and not HTTP.
If the protocol is not HTTPS, the default URL for this portal site in the alternate
access settings table is incorrect. Ensure that you have correctly specified the
default URL. For more information, see the instructions for modifying the default
URL for the portal site earlier in this scenario.
2. Rest the pointer on the rule or group that is included, and then click the arrow
that appears.
3. On the menu, click Edit.
4. On the Edit Rule page, in the Specify Authentication section, click Specify
crawling account.
5. In the Account box, type the user name that can access the resources in this
URL space in the format DOMAIN\UserName.
6. In the Password box, type the password for this user name.
Your password is protected and can be used only to access the needed resources
for the purpose of crawling content.

7. In the Confirm password box, type the password for this user name again.
8. Ensure that the Do not allow Basic authentication check box is cleared.
Important Clearing the Do not allow Basic authentication check box
might cause your password to be easily determined.
9. Click OK.
10. Repeat steps 3.2 through 3.9 for each group or rule that is included.
4. On the Exclude and Include Content for Non_Portal_Content page, click Configure
Search and Indexing in the breadcrumbs.
5. On the Configure Search and Indexing page, in the Other Content Sources section,
click Manage content sources.
6. On the Manage Content Sources page, rest the pointer on This portal, and then
click the arrow that appears.
7. On the menu that appears, click Edit.
8. On the Existing Web page or Web site content source page, click Advanced.
9. On the Configure Web page or Web site Content Source page, click Exclude and
Include Content.
10. On the Exclude and Include Content for Portal_Content page, do the following for
every group or rule that is included:
1. Verify that the protocol designation for any included item is HTTPS and not HTTP.
If the protocol is not HTTPS, the default URL for this portal site in the alternate
access settings table is incorrect. Ensure that you have correctly specified the
default URL. For more information, see the instructions for modifying the default
URL for the portal site earlier in this scenario.
2. Rest the pointer on the rule or group that is included, and then click the arrow
that appears.
3. On the menu that appears, click Edit.
4. On the Edit Rule page, in the Specify Authentication section, click Specify
crawling account.
5. In the Account box, type the user name or ID that can access the resources in
this URL space in the format DOMAIN\UserName.
6. In the Password box, type the password for this user name.
Your password is protected and can be used only to access the needed resources
for the purpose of crawling content.
7. In the Confirm password box, type the password for this user name again.
8. Ensure that the Do not allow Basic authentication check box is cleared.
Important Clearing the Do not allow Basic authentication check box
might cause your password to be easily determined.
9. Click OK.
10. Repeat steps 10.2 through 10.9 for each group or rule that is included.

11. Perform a full update on portal content and non-portal content. To do this:
1. On the Configure Search and Indexing page, in the General Content Settings
and Indexing Status section, next to Start portal content update, click Full.
2. On the Configure Search and Indexing page, in the General Content Settings
and Indexing Status section, next to Start non portal content update, click
Full.
12. Ensure that the updates succeed. If either update fails, the most likely causes are
the following:
• The default URL for the portal site is incorrect. Ensure that you have specified the
default URL correctly. For more information, see the instructions for modifying the
default URL for the portal site earlier in this scenario.
• The crawling account or password is incorrect. Verify that you have correctly
specified each.
• The crawling is using an incorrect authentication method. Ensure that you
correctly performed the procedure in this section.
• The crawling is using the incorrect protocol. Ensure that you have correctly
specified the protocol (for example, HTTP or HTTPS) for the default URL. For more
information, see the instructions for modifying the default URL for the portal site
earlier in this scenario.
• The search proxy server settings are incorrect. Ensure that you have correctly
specified the settings. For more information, see the instructions for verifying
that the proxy server settings are correct earlier in this scenario.

Step 8: Create a Public DNS Entry
After setting up SharePoint Portal Server and creating the portal site, you must create a
public DNS entry to map the public (external) FQDN to the IP address for the public
(external) interface of the external ISA Server 2004 computer. The URL containing the
FQDN is the URL that users will use to access the portal site across the extranet.
For example, you could map ExtranetPortal.Perimeter.Net to 111.11.111.11. When a
client attempts to connect to ExtranetPortal.Perimeter.Net, it will ask the public DNS
server what IP address corresponds to ExtranetPortal.Perimeter.Net. The public DNS
server then points it to 111.11.111.11, which is the public IP address for your ISA
Server 2004 computer. The client then attempts to establish a connection to
111.11.111.11.
For more information about creating a DNS entry or a wildcard DNS entry, see your DNS
documentation.

Step 9: Configure the Network Adapters in the External ISA Server 2004 Computer
The external ISA Server 2004 computer must have the following two network adapters:

• A public, or external, network interface, which is exposed to the clients that will
attempt to connect to your portal site (usually over the Internet).

• A private, or internal, network interface, which is exposed to the servers that it is
protecting.
You must assign one or more IP addresses on the external interface and at least one
IP address on the internal interface.
Configure the network adapters in the external ISA Server 2004 computer

1. On the ISA Server 2004 computer, click Start, point to Settings, and then click
Network Connections.
2. Right-click the external network connection, and then click Properties.
3. On the Properties page, on the General tab, in the This connection uses the
following items list, click Internet Protocol (TCP/IP), and then click
Properties.
4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and
DNS server addresses as appropriate for the network to which the network adapter is
attached.
Note You should not use the option to obtain an IP address automatically.
5. Click OK to close the Properties page.
6. Click OK to close the Properties page for the network connection.
7. Repeat steps 2 through 6 for the internal network connection.

Step 10: Ensure that the Appropriate SSL Server Certificates Are Installed on the External ISA Server 2004 Computer
As mentioned previously, the external ISA Server 2004 computer must trust the CA that
issued the SSL certificates on the front-end Web servers in the SharePoint Portal Server
deployment. Prescriptive guidance about installing a certificate such that the ISA
Server 2004 computer trusts the CA that issued the SSL certificates on the front-end
Web servers in the SharePoint Portal Server deployment is beyond the scope of this
white paper.
You must also install an additional SSL certificate on the ISA Server 2004 computer. This
additional SSL certificate must match the public (external) FQDN that clients will use to
connect to the portal site.
For more information, see "Digital Certificates for ISA Server and Published Servers" at
http://go.microsoft.com/fwlink/?LinkId=37909&clcid=0x409.

Step 11: Configure the External ISA Server 2004 Computer to Allow Outbound Connections to the Internet
You must configure the external ISA Server 2004 computer to allow SharePoint Portal
Server to make connections to the Internet when necessary. This is required, for
example, to crawl content that is on the Internet. You do this by configuring the ISA
Server 2004 computer to allow outbound connections to the Internet from the
SharePoint Portal Server deployment.
Configure the external ISA Server 2004 computer to allow outbound
connections to the Internet

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Server Management.
2. In the left pane, expand ServerName, expand Configuration, and then click
Networks.
3. In the details pane, click the Networks tab, and then click the network for which
you want to allow outgoing requests. Typically, this would be the internal network
(the network protected by the ISA Server 2004 computer).
4. On the Tasks tab, click Edit Selected Network to display the Properties page for
that network.
5. On the Web Proxy tab, ensure the following:
1. The Enable Web Proxy clients check box is selected.
2. The Enable HTTP check box is selected.
3. HTTP port is correctly specified for your network.
6. Click Authentication.
7. In the Method list, select the applicable authentication method, and then click OK.
8. Click OK to close the Properties page for the network.
9. Click Apply to save changes and update the configuration.

Step 12: Edit the web.config File
After the proxy server is configured to allow outbound connections to the Internet, you
must configure Windows SharePoint Services to allow connections to the Internet so that
the Web Capture Web Part and the online Web Part gallery work correctly. You do this by
editing the web.config file on each front-end Web server in the SharePoint Portal Server
deployment.
Edit the web.config file

1. On each front-end Web server, go to the web.config file in the root of the virtual
server that hosts the portal site. In this scenario, for example, the path to the
web.config file is C:\Inetpub\wwwroot\web.config.
2. Open web.config in Notepad.
3. After the </SharePoint> tag, add the following tags to configure Windows
SharePoint Services to make connections to the Internet through your outbound
proxy server, using the proxy server name and TCP port number required to connect
to the Internet:
<system.net>
<defaultProxy>
<proxy proxyaddress="http://ProxyServer:Port" bypassonlocal="true" />
</defaultProxy>
</system.net>
4. Save the file.
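A scripted form of the edit in this step, added here as an example and not taken from the white paper: it places the <system.net><defaultProxy> element directly after </SharePoint> as the procedure requires, applies identically on every front-end Web server, and updates rather than duplicates the element if it is run a second time. The sample web.config and the proxy address are constructed; only the path C:\Inetpub\wwwroot\web.config comes from the scenario.

```python
"""Added example (not part of the white paper): make the Step 12 web.config
edit with a script instead of Notepad.  The sample web.config and the proxy
address are constructed."""
import re
import xml.etree.ElementTree as ET

# The form the paper gives is http://ProxyServer:Port; anything else is rejected.
PROXY_ADDRESS_RE = re.compile(r"http://[A-Za-z0-9.-]+:\d{1,5}$")


def is_valid_proxy_address(address):
    return bool(PROXY_ADDRESS_RE.match(address))


def ensure_default_proxy(config_xml, proxy_address):
    """Return config_xml with <system.net><defaultProxy><proxy .../> placed
    directly after the <SharePoint> element, as Step 12 instructs.  Running
    it a second time updates the existing element instead of adding another.
    ElementTree drops XML comments, so diff the result before overwriting a
    production web.config."""
    if not is_valid_proxy_address(proxy_address):
        raise ValueError("proxy address must be of the form http://ProxyServer:Port")
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("web.config root element must be <configuration>")
    tags = [child.tag for child in root]
    if "SharePoint" not in tags:
        raise ValueError("no <SharePoint> element: is this the portal site's web.config?")
    system_net = root.find("system.net")
    if system_net is None:
        system_net = ET.Element("system.net")
        root.insert(tags.index("SharePoint") + 1, system_net)   # right after </SharePoint>
    default_proxy = system_net.find("defaultProxy")
    if default_proxy is None:
        default_proxy = ET.SubElement(system_net, "defaultProxy")
    proxy = default_proxy.find("proxy")
    if proxy is None:
        proxy = ET.SubElement(default_proxy, "proxy")
    proxy.set("proxyaddress", proxy_address)
    proxy.set("bypassonlocal", "true")   # keep intranet requests off the proxy
    return ET.tostring(root, encoding="unicode")


def read_default_proxy(config_xml):
    """Return the <proxy> element's attributes, or None, so the edit can be verified."""
    proxy = ET.fromstring(config_xml).find("system.net/defaultProxy/proxy")
    return None if proxy is None else dict(proxy.attrib)


def top_level_tags(config_xml):
    """Child element names of <configuration>, in document order."""
    return [child.tag for child in ET.fromstring(config_xml)]


# Constructed, minimal stand-in for the portal site's web.config.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="false" />
  </SharePoint>
  <system.web>
    <httpRuntime maxRequestLength="51200" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    print(ensure_default_proxy(SAMPLE_WEB_CONFIG, "http://ProxyServer:8080"))
    # On a front-end Web server, after backing the file up:
    #   path = r"C:\Inetpub\wwwroot\web.config"
    #   with open(path, encoding="utf-8") as f:
    #       text = f.read()
    #   with open(path, "w", encoding="utf-8") as f:
    #       f.write(ensure_default_proxy(text, "http://ProxyServer:8080"))
```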

Step 13: Configure the External ISA Server 2004 Computer to Listen for Incoming Requests on the Appropriate IP Address
Now you must configure the external ISA Server 2004 computer to listen to the requests
coming in on the public network interface. After the server is listening, it can apply the
rules you set up later in this process.
Configure the external ISA Server 2004 computer to listen for incoming
requests on the appropriate IP address

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Server Management.
2. In the left pane, expand ServerName, and then click Firewall Policy.
3. On the Toolbox tab, click Network Objects.
4. Right-click Web Listeners, and then click New Web Listener.
5. On the Welcome page of the New Web Listener Definition Wizard, type a name for
the Web listener, and then click Next.
6. On the IP Addresses page, do the following:
1. In the Listen for requests from these networks list, select the network from
which you want to listen for requests. Typically, this is the External network.
2. Click Address.
3. In the External Network Listener IP Selection dialog box, click Specified IP
addresses on the ISA Server computer in the selected network.
4. In the Available IP Addresses list, select the IP address that you added to the
external network adapter in a previous step, and then click Add to move the
address to the Selected IP Addresses list.
5. Click OK.
6. Click Next.
7. On the Port Specification page, do the following:
1. Ensure that the Enable HTTP check box is selected.
2. In the HTTP port box, ensure that the port is 80.
3. Select the Enable SSL check box.
4. In the SSL port box, ensure that the port is 443.
5. Next to the Certificate box, click Select.

6. In the Select Certificate dialog box, select a certificate from the list, and then
click OK.
Important The name on the certificate that you select must match the
public (external) FQDN that clients will use to connect to your portal site.
7. Click Next.
8. On the completion page, click Finish.
9. Click Apply to save changes and update the configuration.

Step 14: Create a Secure Web Server Publishing Rule on the External ISA Server 2004 Computer
This secure Web server publishing rule forwards requests, complete with host headers,
from the ISA Server 2004 computer to a front-end Web server.
Create a secure Web server publishing rule on the external ISA Server 2004
computer

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Server Management.
2. In the left pane, expand ServerName, and then click Firewall Policy to refresh the
details pane.
3. Right-click Firewall Policy, point to New, and then click Secure Web Server
Publishing Rule.
4. On the Welcome page of the New SSL Web Publishing Rule Wizard, type a name for
the publishing rule, and then click Next. For example, the name of the rule could be
ExtranetRule.
5. On the Publishing Mode page, ensure that SSL Bridging is selected, and then click
Next.
6. On the Select Rule Action page, ensure that Allow is selected, and then click Next.
7. On the Bridging Mode page, ensure that Secure connection to clients and Web
server is selected, and then click Next.
8. On the Define Website to Publish page, do the following:
1. In the Computer name or IP address box, type or browse for the internal
FQDN of the SharePoint Portal Server deployment. If the deployment has only
one front-end Web server, this would be ServerName.Perimeter.Net, where
ServerName is the NetBIOS computer name of the front-end Web server. If the
deployment has multiple load-balanced front-end Web servers, this would be the
load-balancing internal FQDN (for example, Portal.Perimeter.Net).
2. Select the Forward the original host header instead of the actual one
(specified above) check box.
3. In the Path box, type /* to include all files and subfolders.
4. Click Next.

9. On the Public Name Details page, do the following:
1. In the Accept requests for list, ensure that This domain name (type below)
is selected.
2. In the Public name box, type the external FQDN that clients will use to access
the portal site, for example, ExtranetPortal.Perimeter.Net.
3. Ensure that the Path is /*.
4. Click Next.
10. On the Select Web Listener page, do the following:
1. In the Web listener list, select the Web listener that you created previously, and
then click Edit.
2. On the Properties page, click the Networks tab, and then verify that the correct
network and IP address are selected.
3. On the Preferences tab, ensure that the Enable HTTP check box is selected
and that the HTTP port is 80.
4. Ensure that the Enable SSL check box is selected and that the SSL port is 443.
5. Ensure that the name on the certificate shown matches the public (external)
FQDN that clients will use to connect to your portal site.
6. Click Authentication.
7. In the Authentication dialog box, in the Method list, clear the Integrated
check box, and then click OK on the warning message.
8. In the Method list, click Basic, and then click Yes on the ISA Server
Configuration warning message that appears.
9. Select the Require all users to authenticate check box.
10. In the Authentication Servers section, click Select Domain.
11. In the Select Domain dialog box, type or browse for the name of your internal
domain (for example, Perimeter.Net), and then click OK.
12. In the Authentication dialog box, click OK.
13. Click OK to close the Properties page.
14. Click Next.
11. On the User Sets page, do the following:
1. Select All Users, and then click Remove.
2. Click Add.
3. In the Add Users dialog box, select All Authenticated Users, click Add, and
then click Close.
4. Click Next.
12. On the completion page, click Finish.
13. Click Apply to save changes and update the configuration.

Step 15: Verify that the Secure Web Server Publishing Rule Properties Are Correct
After creating the secure Web server publishing rule, you must confirm that all the
properties are correct. You will also specify some additional settings in the following
procedure.
Verify that the secure Web server publishing rule properties are correct

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Server Management.
2. In the left pane, expand ServerName, and then click Firewall Policy.
3. In the details pane, right-click the secure Web server publishing rule that you created
in the previous step in this paper (for example, ExtranetRule), and then click
Properties.
4. On the Properties page, on the From tab, do the following:
1. In the This rule applies to traffic from these sources list, click Anywhere,
and then click Remove.
2. Click Add.
3. In the Add Network Entities dialog box, expand Networks, click External,
click Add, and then click Close.
5. On the Traffic tab, do the following:
1. Ensure that the Notify HTTP users to use HTTPS instead check box is
selected.
2. Ensure that the Require 128-bit encryption for HTTPS traffic check box is
selected. ISA Server 2000, ISA Server 2004, and the majority of modern
browsers can now support 128-bit encryption.
3. Click Filtering, and then click Configure HTTP.
4. In the Configure HTTP policy for rule dialog box, on the General tab, in the
URL Protection section, ensure that the Verify normalization check box and
the Block high bit characters check box are cleared, and then click OK.
Important Windows SharePoint Services and SharePoint Portal Server do
not function with this level of HTTP filtering. If you do not clear the check
boxes to disable these two settings, Windows SharePoint Services and
SharePoint Portal Server will not function correctly.
6. On the Users tab, do the following:
1. In the This rule applies to requests from the following user sets list, click
All Users, and then click Remove.
2. Click Add.
3. In the Add Users dialog box, click All Authenticated Users, click Add, and
then click Close.
4. Select the Forward Basic authentication credentials (Basic delegation)
check box.
7. Click OK.
8. Click Apply to save changes and update the configuration.
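The two URL Protection checks that step 5.4 has you clear are worth understanding before you turn them off. The Python below is an added example, not code from this paper or from ISA Server: it reimplements the two checks as ISA Server 2004 documents them (Verify normalization rejects a URL that still changes when it is decoded a second time, which is the signature of double encoding; Block high bit characters rejects any character above 0x7F) and runs constructed sample requests through both the default HTTP policy and the one this step configures. The sample URLs are constructed for this example, and applying the high-bit check to the decoded URL as well as the raw one is an assumption about the filter.

```python
from urllib.parse import unquote

# Constructed sample requests. The first three are ordinary SharePoint
# Portal Server 2003 URL shapes; the last is the kind of request the
# normalization check exists to catch.
SAMPLE_URLS = [
    "/default.aspx",
    "/sites/Finance/Shared%20Documents/Q4%20Budget.xls",
    # A document name with non-ASCII letters (UTF-8 'e acute', percent-encoded).
    "/sites/Finance/Shared%20Documents/R%C3%A9sum%C3%A9.doc",
    # A return URL carried in a Source= parameter is URL-encoded a second time,
    # so a space inside it arrives as %2520 (double encoded).
    "/_layouts/upload.aspx?Source=%2Fsites%2FFinance%2FShared%2520Documents%2FForms%2FAllItems.aspx",
    # A double-encoded traversal attempt ("../" sent as %252E%252E%252F).
    "/images/%252E%252E%252Fweb.config",
]


def passes_normalization(url: str) -> bool:
    """'Verify normalization': decode the URL once, then again. If the second
    pass changes anything, escaped characters survived the first decoding,
    which means the request was double encoded, and it is rejected."""
    once = unquote(url)
    return unquote(once) == once


def has_high_bit(url: str) -> bool:
    """'Block high bit characters': reject any character above 0x7F. The raw
    URL and its decoded form are both examined (assumption about the ISA
    filter, made so that %C3%A9 and a literal non-ASCII letter are treated
    alike)."""
    return any(ord(ch) > 0x7F for ch in url + unquote(url))


def evaluate(url: str, verify_normalization: bool = True,
             block_high_bit: bool = True) -> str:
    """Return 'allowed' or the URL Protection check that rejected the request."""
    if verify_normalization and not passes_normalization(url):
        return "blocked: Verify normalization"
    if block_high_bit and has_high_bit(url):
        return "blocked: Block high bit characters"
    return "allowed"


def apply_policy(urls, **settings):
    """Evaluate every URL under one HTTP policy; returns {url: verdict}."""
    return {url: evaluate(url, **settings) for url in urls}


if __name__ == "__main__":
    print("ISA Server 2004 defaults (both checks selected):")
    for url, verdict in apply_policy(SAMPLE_URLS).items():
        print(f"  {verdict:38} {url}")
    print("Settings from Step 15 (both checks cleared):")
    cleared = apply_policy(SAMPLE_URLS, verify_normalization=False,
                           block_high_bit=False)
    for url, verdict in cleared.items():
        print(f"  {verdict:38} {url}")
```

The third sample (a document name with non-ASCII letters) and the fourth (a Source= return URL, which is necessarily encoded twice) are ordinary SharePoint traffic, which is why this step has you clear both check boxes. The last sample shows the cost: once Verify normalization is cleared, a double-encoded traversal attempt is no longer rejected at the ISA Server 2004 computer, and the URL handling on the front-end Web server itself is what stands behind it on that path.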

Step 16: Configure an Alternate Access Setting that Uses the Public (External) FQDN URL that Users Will Use to Access the Portal Site
Alternate access settings provide a mechanism for server farm administrators to identify
the different ways in which users access portal sites, ensuring that URLs are displayed
appropriately for the manner in which users access the portal site.
You must configure an alternate access setting to enable users to access the portal site
across the extranet and to ensure that links returned in portal site pages can be
reached.
Configure an alternate access setting that uses the public (external) FQDN URL
that users will use to access the portal site

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Configure alternate
portal site URLs for intranet, extranet, and custom access.
2. On the Configure Alternate Portal Access Settings page, rest the pointer on Default
Web Site, and then click the arrow that appears.
3. On the menu that appears, click Edit.
4. On the Change Alternate Access Setting page, in the Extranet URL box, type the
extranet URL. This URL is the public (external) FQDN that clients will use to access
the portal site over the extranet, for example, https://ExtranetPortal.Perimeter.Net.
5. Click OK.
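Why this setting and the "Forward the original host header instead of the actual one" check box from Step 14 belong together is easier to see in a model than in prose. The Python below is an added example, not code from this paper or from SharePoint Portal Server: it holds the alternate access table as configured for this scenario, picks the zone from the Host header the front-end Web server receives, renders the absolute links a page would carry, and checks whether an Internet client could follow them. The page links are a constructed sample, and the fallback to the default URL for an unrecognised host name is an assumption made for the example.

```python
from urllib.parse import urlsplit

# Alternate access table as configured for this scenario (constructed to match
# the paper's example names): the Default URL and the Extranet URL from Step 16.
ALTERNATE_ACCESS = {
    "default":  "http://Portal.Perimeter.Net",
    "extranet": "https://ExtranetPortal.Perimeter.Net",
}

PUBLIC_FQDN = "ExtranetPortal.Perimeter.Net"   # Host header sent by the Internet client
INTERNAL_FQDN = "Portal.Perimeter.Net"          # name ISA substitutes when the box is NOT selected

# Server-relative links a rendered portal page contains (constructed sample).
PAGE_LINKS = [
    "/default.aspx",
    "/sites/Finance/default.aspx",
    "/_layouts/1033/images/logo.gif",
]


def zone_for_host(host_header: str, table=ALTERNATE_ACCESS) -> str:
    """Return the zone whose URL carries the host name in the incoming Host header.
    An unrecognised host falls back to the default URL (assumption for this
    example about how a host with no table entry is treated)."""
    host = host_header.split(":")[0].lower()
    for zone, url in table.items():
        if urlsplit(url).hostname == host:
            return zone
    return "default"


def render_links(host_header: str, links=PAGE_LINKS, table=ALTERNATE_ACCESS) -> list:
    """Absolute links as the portal emits them for a request with this Host header."""
    base = table[zone_for_host(host_header, table)].rstrip("/")
    return [base + path for path in links]


def reachable_from_internet(links, public_fqdn=PUBLIC_FQDN) -> bool:
    """The publishing rule accepts only https://<public FQDN>/* and public DNS
    knows only that name, so any other link is a dead end for an Internet client."""
    return all(
        urlsplit(link).scheme == "https"
        and urlsplit(link).hostname == public_fqdn.lower()
        for link in links
    )


def simulate(forward_original_host: bool) -> dict:
    """Model one request through the ISA Server 2004 publishing rule with and
    without 'Forward the original host header instead of the actual one'."""
    host_seen_by_portal = PUBLIC_FQDN if forward_original_host else INTERNAL_FQDN
    links = render_links(host_seen_by_portal)
    return {
        "zone": zone_for_host(host_seen_by_portal),
        "links": links,
        "reachable": reachable_from_internet(links),
    }


if __name__ == "__main__":
    for forward in (True, False):
        result = simulate(forward)
        print(f"forward original host header={forward}: zone={result['zone']}, "
              f"reachable from Internet={result['reachable']}")
        for link in result["links"]:
            print("   ", link)
```

With the check box selected the portal sees ExtranetPortal.Perimeter.Net, matches the extranet entry and emits https://ExtranetPortal.Perimeter.Net/... links. With it cleared the portal sees the internal name, matches the default entry and emits http://Portal.Perimeter.Net/... links, which an Internet client can neither resolve nor get past the publishing rule.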

Step 17: Verify that You Can Access the Portal Site Through the Internet
A computer connected to the Internet must be able to access the portal site in the
extranet domain by using a URL containing the public (external) FQDN. For this scenario,
https://ExtranetPortal.Perimeter.Net is the URL containing the public FQDN.
To verify that you can access the extranet from the Internet, do the following from a
client computer that has Internet connectivity.
Verify that you can access the portal site through the Internet

1. Open a Web browser, and then in the Address bar, type the public (external) FQDN
that clients will use to access the portal site through the Internet. For example, in
this scenario, the URL would be https://ExtranetPortal.Perimeter.Net.
2. In the Connect to dialog box, type the user name and password of an account that
has access to the portal site, and then click OK. Verify that the home page of the
portal site appears.

Scenario 4: Single Portal Site on Two Virtual Servers (Using ISA Server 2004)
Many organizations want to host the same portal content for both corporate intranet
users and for users outside the external corporate firewall.
This section of the paper describes how to configure a SharePoint Portal Server
deployment to host the same portal site on two virtual servers (that is, on two Web sites
in IIS). In this scenario, one virtual server is used for corporate intranet access, and the
other virtual server is used for extranet access. When you have completed this scenario:

• Users connected to the corporate intranet will be able to access the portal site by
using Integrated Windows authentication.
• Users outside the external corporate firewall will be able to access the portal site by
using Basic authentication with SSL.

Before performing the steps that follow, ensure that the following are true:

• SharePoint Portal Server is installed.
• There is one portal site hosted on the Default Web Site in IIS using Integrated
Windows authentication. The Default Web Site is using TCP port 80.
• You can access the portal site from the corporate intranet.

The steps in this section are those required to host the same portal site on a new virtual
server that is created for users outside of the external corporate firewall/proxy server. To
enable the scenario described in this section, you must do the following steps, each of
which is explained in detail later in this section:

1. Verify that the default URL for the portal site is correctly specified.
2. Verify that the proxy server settings for SharePoint Portal Server search are correctly
specified.
3. Create a new Web site in IIS to host the existing portal site.
4. Delete the SSL port designation for the Default Web Site in IIS.
5. Configure the new Web site in IIS to use TCP port 443 for SSL.
6. Configure Basic authentication on the new Web site in IIS.
7. Extend the new Web site in IIS to host the existing portal site.
8. Verify that the new Web site in IIS is correctly hosting the existing portal site.
9. Install an SSL server certificate on the new Web site in IIS.
10. Verify that you can access the portal site hosted on the new Web site by using an
internal SSL FQDN URL.
11. Configure IIS to require SSL for the new Web site.
12. Create a public DNS entry.
13. Configure the network adapters in the external ISA Server 2004 computer.
14. Ensure that the appropriate SSL server certificates are installed on the external ISA
Server 2004 computer.
15. Configure the external ISA Server 2004 computer to allow outbound connections to
the Internet.
16. Edit the web.config file.
17. Configure the external ISA Server 2004 computer to listen for incoming requests on
the appropriate IP address.
18. Create a secure Web server publishing rule on the external ISA Server 2004
computer.
19. Verify that the secure Web server publishing rule properties are correct.
20. Configure an alternate access setting that uses the public (external) FQDN URL that
users will use to access the portal site.
21. Verify that you can access the portal site through the Internet.

The following sections include procedures for the major steps above.
The examples in the following table are used in the procedures for this scenario.

Element                                        Example used in this scenario
Extranet domain name                           Perimeter.Net
Intranet domain name                           Corp.Net
Front-end Web server internal FQDN             ServerName.Perimeter.Net, where ServerName is the NetBIOS computer name of the front-end Web server
Front-end Web server internal FQDN URL (HTTP)  http://ServerName.Perimeter.Net, where ServerName is the NetBIOS computer name of the front-end Web server
Front-end Web server internal FQDN URL (SSL)   https://ServerName.Perimeter.Net, where ServerName is the NetBIOS computer name of the front-end Web server
Load-balancing internal FQDN                   Portal.Perimeter.Net (resolves to the load-balancing virtual IP address)
Load-balancing internal FQDN URL (HTTP)        http://Portal.Perimeter.Net
Load-balancing internal FQDN URL (SSL)         https://Portal.Perimeter.Net
External FQDN                                  ExtranetPortal.Perimeter.Net (resolves to an IP address on the external network adapter of the external ISA Server 2004 computer)
External FQDN URL                              https://ExtranetPortal.Perimeter.Net
Default Web Site in IIS                        Hosts the existing portal site, TCP port 80, no SSL port
New Web site in IIS                            BasicWebSite, TCP port 8080, SSL port 443 (will host the existing portal site)


Step 1: Verify that the Default URL for the Portal Site Is Correctly Specified
This step applies only if the SharePoint Portal Server deployment has more than one
front-end Web server and you are using network load balancing. If that does not describe
your deployment, go to the next step.
When a portal site is created, a default URL entry is created in the SharePoint Portal
Server alternate access settings table. The default URL is the URL that was specified on
the Create Portal Site for ServerName page when the portal site was created. Typically,
this URL is http://ServerName, where ServerName is the NetBIOS computer name.
If the SharePoint Portal Server deployment contains multiple network load-balanced
front-end Web servers, ensure that the default URL for your portal site corresponds to
the load-balancing virtual IP address. This ensures that the SharePoint Portal Server
crawling process uses the load-balancing virtual IP address, which yields better
performance and provides failover for crawling in case a front-end Web server becomes
unavailable.
The following procedure applies only if you have a SharePoint Portal Server deployment
with more than one front-end Web server.
The steps in the following procedure assume that there is a load-balancing internal
FQDN of Portal.Perimeter.Net and that this FQDN resolves to the load-balancing virtual IP
address. The load-balancing internal FQDN URL is therefore http://Portal.Perimeter.Net.
Verify that the default URL for the portal site is correctly specified

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Configure alternate
portal site URLs for intranet, extranet, and custom access.
2. On the Configure Alternate Portal Access Settings page, rest the pointer on Default
Web Site, and then click the arrow that appears.
3. On the menu that appears, click Edit.
4. On the Change Alternate Access Setting page, in the Default URL box, ensure that
the default URL of the portal site is set to http://Portal.Perimeter.Net.
5. Click OK.

Step 2: Verify that the Proxy Server Settings for SharePoint Portal Server Search Are Correctly Specified
You can specify proxy server settings that are used by the search service for SharePoint
Portal Server. However, it is possible to incorrectly specify the settings, resulting in the
crawl failing.
You specify the settings in the Proxy Server Settings section on the Configure Server
Farm Account Settings page in SharePoint Portal Server Central Administration. If you
specify a proxy server for crawling external (non-intranet) content but do not want
internal (intranet) content crawled through that proxy server, you can specify a bypass
proxy setting. A bypass entry that begins with an asterisk is not honored: if you specify
*.Perimeter.Net, the crawl still goes through the proxy server and might fail as a result.
Before proceeding, verify that the search proxy server settings are correct.
Verify that the SharePoint Portal Server search proxy server settings are
correctly specified

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Server Configuration section, click Configure server farm account settings.
2. On the Configure Server Farm Account Settings page, in the Proxy Server Settings
section, if you have specified a proxy server address in the Address box and you
want to bypass the proxy server for local (intranet) addresses, do the following:
1. Select the Bypass proxy server for local (intranet) addresses check box.
2. In the Bypass proxy server for local (intranet) addresses box, specify the
addresses for which you want to bypass the proxy server. Multiple addresses can
be specified, separated by semicolons.
Important The address specified must not begin with an asterisk (*). For
example, specify http://*.Perimeter.Net as the address, and do not specify
*.Perimeter.Net. If you specify *.Perimeter.Net, the crawl will still go through
the proxy server and might fail as a result.
3. Click OK.

Step 3: Create a New Web Site in IIS to Host the Existing Portal Site
On each front-end Web server in the SharePoint Portal Server deployment, you must
create a new Web site in IIS. This Web site will host the existing portal site (that is, the
portal site that is also hosted on the Default Web Site in IIS). The descriptions, TCP
ports, and other settings specified in this step must be the same on each front-end Web
server.
Create a new Web site in IIS to host the existing portal site

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click Web Sites, point to New, and then click Web Site.
4. On the Welcome page of the Web Site Creation Wizard, click Next.
5. On the Web Site Description page, type a description for the new Web site, such as
BasicWebSite, and then click Next.
6. On the IP Address and Port Settings page, in the Enter the IP address to use for
this Web site list, leave the setting at the default of (All unassigned).
7. In the TCP port this Web site should use (Default 80) box, type a new TCP port
number. This port number must be unique and cannot be used by any other IIS Web
site. Because the Default Web Site in IIS already uses TCP port 80, you must specify
a value other than 80, for example, 8080. This step is required because SharePoint
Portal Server cannot use virtual servers that are bound to discrete IP addresses. For
more information, see “Appendix A: Known Issues.”
8. Do not specify a host header for this Web site.
9. Click Next.
10. On the Web Site Home Directory page, type a path to the home directory for this
new Web site, for example, C:\Inetpub\wwwroot\BasicWebSite.
11. Clear the Allow anonymous access to this Web site check box, and then click
Next.
12. On the Web Site Access Permissions page, click Next. Do not change any of the
default permission settings.
13. On the completion page, click Finish.

Step 4: Delete the SSL Port Designation for the Default Web Site in IIS
When ISA Server 2000 publishes Windows SharePoint Services and SharePoint Portal Server,
only one SSL-secured portal site can be published. ISA Server 2004 does not have that
limitation, but if you skip this step the new Web site cannot take SSL port 443, and
users must then include a non-standard SSL port number in the URL (for example,
https://ExtranetPortal.Perimeter.Net:8081). In this scenario, the new Web site created to
host the existing portal site for extranet access uses SSL port 443. Because two Web
sites in IIS cannot listen on the same port, you must delete the SSL port designation
for the Default Web Site in IIS and assign that SSL port to the new Web site
(BasicWebSite in this example).

Note Web sites in IIS can share a port number when they are differentiated by IIS host
headers, but host headers cannot be used with SSL: the Host header travels inside the
encrypted request, so IIS 6.0 must select the certificate, and therefore the Web site,
before it can read the header. This is by design. For more information, see article
187404, "HTTP 1.1 Host Headers Are Not Supported When You Use SSL," in the Knowledge
Base at http://go.microsoft.com/fwlink/?LinkId=38059&clcid=0x409.

Perform the following procedure on each front-end Web server in the SharePoint Portal
Server deployment.
Delete the SSL port designation for the Default Web Site in IIS

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click Default Web Site, and then click Properties.
4. On the Web Site tab, in the Web site identification section, clear the SSL port
box.
5. Click Apply.
6. Click OK to close the Properties page.

Step 5: Configure the New Web Site in IIS to Use TCP Port 443 for SSL
On each front-end Web server in the SharePoint Portal Server deployment, you must
configure the new Web site (BasicWebSite in this example) to use TCP port 443 for SSL.
The SSL port specified in this step must be the same on each front-end Web server.
Configure the new Web site in IIS to use TCP port 443 for SSL

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click the name of the Web site that you just created (BasicWebSite in this
example), and then click Properties.
4. On the Web Site tab, in the Web site identification section, in the SSL port box,
type 443.
5. Click Apply.
6. Click OK to close the Properties page.
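Steps 3 through 5 leave the front-end Web servers with a port layout that is easy to get wrong, and IIS 6.0 reports a conflicting SSL binding only when the site fails to start. The Python below is an added example, not code from this paper or a tool that ships with IIS: it checks a set of site bindings, written in the IIS 6.0 metabase form "IP:Port:HostHeader" (empty IP means (All unassigned), empty host header means none), against the rules this scenario relies on, namely that host headers cannot separate SSL sites (KB article 187404, cited above) and that SharePoint Portal Server cannot use a virtual server bound to a discrete IP address (Step 3). The BEFORE and AFTER layouts are constructed to match this scenario.

```python
# IIS 6.0 metabase binding strings have the form "IP:Port:HostHeader".
# ServerBindings holds the HTTP bindings of a site, SecureBindings its SSL bindings.


def parse_binding(binding: str):
    """Split "IP:Port:HostHeader" into its parts; the host header is lower-cased."""
    ip, port, host = binding.split(":", 2)
    return ip, int(port), host.lower()


def check_bindings(sites: dict) -> list:
    """sites maps a site description to {"ServerBindings": [...], "SecureBindings": [...]}.
    Returns the list of problems found; an empty list means the layout is valid."""
    problems = []
    listeners = {}   # (ip, port, host header) -> site that owns that listener

    for name, cfg in sites.items():
        for binding in cfg.get("ServerBindings", []):
            ip, port, host = parse_binding(binding)
            if ip:
                problems.append(f"{name}: bound to IP address {ip}; SharePoint Portal "
                                f"Server requires (All unassigned)")
            key = (ip, port, host)   # HTTP sites may share a port if host headers differ
            if key in listeners:
                problems.append(f"{name}: HTTP binding {binding} is already used by "
                                f"{listeners[key]}")
            listeners[key] = name

        for binding in cfg.get("SecureBindings", []):
            ip, port, _host = parse_binding(binding)
            if ip:
                problems.append(f"{name}: SSL binding on IP address {ip}; SharePoint "
                                f"Portal Server requires (All unassigned)")
            # Host headers do not separate SSL sites (KB 187404), so the host is ignored:
            # any two SSL sites on the same IP and port collide.
            key = (ip, port, "")
            if key in listeners:
                problems.append(f"{name}: SSL port {port} is already used by "
                                f"{listeners[key]}; host headers cannot separate SSL sites")
            listeners[key] = name

    return problems


# Layout you would have if Step 5 were done without Step 4: both sites claim SSL port 443.
BEFORE = {
    "Default Web Site": {"ServerBindings": [":80:"],   "SecureBindings": [":443:"]},
    "BasicWebSite":     {"ServerBindings": [":8080:"], "SecureBindings": [":443:"]},
}

# Layout after Steps 3, 4 and 5 as written in this scenario.
AFTER = {
    "Default Web Site": {"ServerBindings": [":80:"],   "SecureBindings": []},
    "BasicWebSite":     {"ServerBindings": [":8080:"], "SecureBindings": [":443:"]},
}


if __name__ == "__main__":
    for label, layout in (("before Step 4", BEFORE), ("after Steps 4 and 5", AFTER)):
        found = check_bindings(layout)
        print(f"{label}: {'OK' if not found else ''}")
        for problem in found:
            print("   ", problem)
```

The same checker also flags the tempting shortcut of keeping port 443 on the Default Web Site and giving BasicWebSite a host header, which IIS 6.0 would accept in the metabase and then fail to serve, and it stays quiet for two HTTP sites that legitimately share port 80 through different host headers.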

Step 6: Configure Basic Authentication on the New Web Site in IIS
On each front-end Web server in the SharePoint Portal Server deployment, you must
configure Basic authentication for the new Web site in IIS.
The procedure given below is for the new Web site that you created, for example,
BasicWebSite.
Configure Basic authentication on the new Web site in IIS

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click the name of the Web site that you just created (BasicWebSite in this
example), and then click Properties.
4. On the Directory Security tab, in the Authentication and access control section,
click Edit.
5. In the Authentication Methods dialog box, in the Authenticated access section,
clear any selected check boxes, and then select the Basic authentication
(password is sent in clear text) check box.
6. In the warning message box, click Yes.
7. Click OK to close the Authentication Methods dialog box.
8. Click OK to close the BasicWebSite Properties dialog box.
9. If an Inheritance Overrides dialog box appears, click Select All, and then click
OK.

Step 7: Extend the New Web Site in IIS to Host the Existing Portal Site
On each front-end Web server in the SharePoint Portal Server deployment, you must
extend the new Web site in IIS (also called the virtual server) that you created so that it
can host the existing portal site.
Extend the new Web site in IIS to host the existing portal site

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Extend an existing
virtual server from the Virtual Server List page.
2. On the Virtual Server List page, click the name of the new virtual server that you
created previously (for example, BasicWebSite).
3. On the Extend Virtual Server page, click Extend and map to another virtual
server.
4. On the Extend and Map to Another Virtual Server page, in the Server Mapping
section, in the Host name or IIS virtual server name list, ensure that Default
Web Site is selected.
5. In the Application Pool section, click Use an existing application pool, and then
select the application pool that is used by the existing portal site.
6. Click OK.

Step 8: Verify that the New Web Site in IIS Is Correctly Hosting the Existing Portal Site
Before proceeding, verify that the new Web site in IIS (BasicWebSite) is correctly
hosting the existing portal site from the intranet. Do this from each front-end Web
server in the SharePoint Portal Server deployment. The existing portal site hosted on the
new Web site in IIS is accessible by using a URL composed of the server name and the
TCP port number of the virtual server, for example, http://ServerName:8080.
Verify that the new Web site in IIS is correctly hosting the existing portal site

1. On each front-end Web server, open Internet Explorer, and then in the Address bar,
type http://ServerName:PortNumber.
2. In the Connect to dialog box, type the user name and password of an account that
has access to the portal site, and then click OK.
3. Verify that the home page of the existing portal site is correctly displayed.

Step 9: Install an SSL Server Certificate on the New Web Site in IIS
On each front-end Web server in the SharePoint Portal Server deployment, you must
now install an SSL server certificate on the new Web site in IIS (BasicWebSite) that is
hosting the existing portal site. Each SSL certificate must meet the following criteria:

• The “Issued to” name on the certificate must match the internal FQDN that you
specify when you configure the Web publishing rule on ISA Server 2004. In this
scenario, for example, the SSL certificate must be issued to Portal.Perimeter.Net if
you have a load-balanced deployment with more than one front-end Web server, or
to ServerName.Perimeter.Net if you have only one front-end Web server.
• The certificate must not be expired.
• The ISA Server 2004 computer must trust the CA that issued the SSL certificate on
the front-end Web servers running SharePoint Portal Server.
In the test deployment for this paper, a local CA issued the certificates for the
internal SSL connections between the ISA Server 2004 computer and the front-end Web
servers running SharePoint Portal Server, so that the ISA Server 2004 computer and the
front-end Web servers trusted the same CA.
For more information about obtaining and installing SSL certificates, see:

• “Obtaining and Installing Server Certificates” in the IIS 6.0 Technical Reference at
http://go.microsoft.com/fwlink/?LinkId=37235&clcid=0x409.
• “Enabling Secure Sockets Layer for SharePoint Portal Server 2003” at
http://go.microsoft.com/fwlink/?linkid=28852&clcid=0x409.

Step 10: Verify that You Can Access the Portal Site Hosted on the New Web Site by Using an Internal SSL FQDN URL
Before continuing, it is strongly recommended that you ensure that you can successfully
access the portal site hosted on the new Web site in IIS by using an internal FQDN URL
that uses SSL. You must do this from each front-end Web server in the SharePoint Portal
Server deployment. If you have multiple load-balanced front-end Web servers in the
SharePoint Portal Server deployment, also verify that you can access the portal site by
using the URL that contains the FQDN that resolves to the load-balancing virtual IP
address. If you can successfully access the portal site by following the steps in this
section, Basic authentication and SSL are both working.
Depending on the SharePoint Portal Server deployment that you have, do one of the
following:

• If you have a SharePoint Portal Server deployment with only one front-end Web
server, the URL that you would use to verify access would be
https://ServerName.Perimeter.Net, where ServerName is the NetBIOS computer
name of the front-end Web server.
• If you have a SharePoint Portal Server deployment with multiple load-balanced front-
end Web servers, you must test the internal FQDN URL for each server (that is,
https://ServerName.Perimeter.Net) and the URL containing the load-balancing FQDN
that resolves to your load-balancing virtual IP address (that is,
https://Portal.Perimeter.Net).
Verify that you can access the portal site hosted on the new Web site by using
an internal SSL FQDN URL
Depending on the proxy server configurations for your intranet and your Web browser
configuration, the request you send in the following procedure might get routed through
a proxy server, and you might encounter an error. Therefore, ensure that your Web
browser bypasses your intranet proxy servers for this test.

1. On each front-end Web server, open Internet Explorer, and then in the Address bar,
type the internal SSL FQDN URL to access the portal site internally (for example,
https://ServerName.Perimeter.Net).
Important If you have a load-balanced SharePoint Portal Server deployment, a
Security Alert dialog box appears at this point that states, "The name on the
security certificate is invalid or does not match the name of the site." It appears
because you connected by server name (ServerName.Perimeter.Net) while the certificate
was issued to the load-balancing name (Portal.Perimeter.Net), which is the name the
ISA Server 2004 publishing rule will use. For this test only, you can click Yes to
proceed. You must, however, correct any of the following issues before proceeding:
• The certificate is expired.
• The certificate is not yet valid.
• The certificate was issued by a company that you have chosen not to trust.
2. In the Connect to dialog box, type the user name and password of an account that
has access to the portal site, and then click OK.
3. Verify that the home page of the existing portal site is correctly displayed.
4. If you have a SharePoint Portal Server deployment with multiple, load-balanced
front-end Web servers, you must also verify that you can access the portal site by
using the load-balancing internal SSL FQDN URL that resolves to your load-balancing
virtual IP address. To do this:
1. On one front-end Web server, open Internet Explorer, and then in the Address
bar, type the load-balancing internal SSL FQDN URL to access the portal site
internally (for example, https://Portal.Perimeter.Net).
Important At this point, if a Security Alert dialog box appears, you must
correct any issues before proceeding.
2. In the Connect to dialog box, type the user name and password of an account
that has access to the portal site, and then click OK.
3. Verify that the home page of the existing portal site is correctly displayed.

Step 11: Configure IIS to Require SSL for the New Web Site
The new Web site in IIS (BasicWebSite) that you created earlier is the virtual server that
is hosting the existing portal site. Because this new Web site is to be secured with Basic
authentication and SSL, after you have installed the correct SSL server certificate on this
Web site, you can take the additional steps necessary to require SSL for the new Web
site.
Perform the following procedure on all front-end Web servers in the SharePoint Portal
Server deployment.
Configure IIS to require SSL for the new Web site

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click BasicWebSite, and then click Properties.
4. On the Directory Security tab, in the Secure communications section, click Edit.
5. In the Secure Communications dialog box, select the Require secure channel
(SSL) check box.
6. Select the Require 128-bit encryption check box. ISA Server 2000, ISA
Server 2004, and the majority of modern browsers can now support 128-bit
encryption. Do not change any other settings in this dialog box.
7. Click OK to close the Secure Communications dialog box.
8. Click OK to close the BasicWebSite Properties dialog box.
9. If an Inheritance Overrides dialog box appears, click Select All, and then click
OK.

Step 12: Create a Public DNS Entry
After setting up SharePoint Portal Server and creating the portal site, you must create a
public DNS entry to map the public (external) FQDN to the IP address for the public
(external) interface of the external ISA Server 2004 computer. The URL containing the
FQDN is the URL that users will use to access the portal site across the extranet.
For example, you could map ExtranetPortal.Perimeter.Net to 111.11.111.11. When a
client attempts to connect to ExtranetPortal.Perimeter.Net, it will ask the public DNS
server what IP address corresponds to ExtranetPortal.Perimeter.Net. The public DNS
server then points it to 111.11.111.11, which is the public IP address for your ISA
Server 2004 computer. The client will then attempt to establish a connection to
111.11.111.11.
For more information about creating a DNS entry or a wildcard DNS entry, see your DNS
documentation.

Step 13: Configure the Network Adapters in the External ISA Server 2004 Computer
The external ISA Server 2004 computer must have two network adapters. It has a
public, or external, network interface, which is exposed to the clients that will attempt to
connect to the portal site (usually over the Internet). It also has a private, or internal,
network interface, which is exposed to the servers that it is protecting. You must assign
one or more IP addresses on the external interface and at least one IP address on the
internal interface.
Configure the network adapters in the external ISA Server 2004 computer

1. On the ISA Server 2004 computer, click Start, point to Settings, and then click
Network Connections.
2. Right-click the external network connection, and then click Properties.
3. On the Properties page, on the General tab, in the This connection uses the
following items list, click Internet Protocol (TCP/IP), and then click
Properties.
4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and
DNS server addresses as appropriate for the network to which the network adapter is
attached.
Note You should not use the option to obtain an IP address automatically.
5. Click OK to close the Properties page.
6. Click OK to close the Properties page for the network connection.
7. Repeat steps 2 through 6 for the internal network connection.

Step 14: Ensure that the Appropriate SSL Server Certificates Are Installed on the External ISA Server 2004 Computer
As mentioned previously, the external ISA Server 2004 computer must trust the CA that
issued the SSL certificates on the front-end Web servers in the SharePoint Portal Server
deployment. Prescriptive guidance about installing a certificate such that the ISA
Server 2004 computer trusts the CA that issued the SSL certificates on the front-end
Web servers in the SharePoint Portal Server deployment is beyond the scope of this
white paper.
You must also install another SSL certificate on the ISA Server 2004 computer. This SSL
certificate must match the public (external) FQDN that clients will use to connect to the
portal site.
For more information, see "Digital Certificates for ISA Server and Published Servers" at
http://go.microsoft.com/fwlink/?LinkId=37909&clcid=0x409.

Step 15: Configure the External ISA Server 2004 Computer to Allow Outbound Connections to the Internet
You must configure the external ISA Server 2004 computer to allow SharePoint Portal
Server to make connections to the Internet when necessary. This is required, for
example, to crawl content that is on the Internet. You do this by configuring the ISA
Server 2004 computer to allow outbound connections to the Internet from the
SharePoint Portal Server deployment.
Configure the external ISA Server 2004 computer to allow outbound
connections to the Internet

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Server Management.
2. In the left pane, expand ServerName, expand Configuration, and then click
Networks.
3. In the details pane, click the Networks tab, and then click the network for which
you want to allow outgoing requests. Typically, this would be the internal network
(the network protected by the ISA Server 2004 computer).
4. On the Tasks tab, click Edit Selected Network to display the Properties page for
that network.
5. On the Web Proxy tab, ensure the following:
1. The Enable Web Proxy clients check box is selected.
2. The Enable HTTP check box is selected.
3. HTTP port is correctly specified for your network.
6. Click Authentication.
7. In the Method list, select the applicable authentication method, and then click OK.
8. Click OK to close the Properties page for the network.
9. Click Apply to save changes and update the configuration.

Step 16: Edit the web.config File
After the proxy server is configured to allow outbound connections to the Internet, you
must configure Windows SharePoint Services to allow connections to the Internet so that
the Web Capture Web Part and the online Web Part gallery work correctly. You do this by
editing the web.config file on each front-end Web server in the SharePoint Portal Server
deployment.
Edit the web.config file

1. On each front-end Web server, go to the web.config file in the root of each virtual
server that hosts the portal site. In this scenario, for example, the paths to the two
Web.config files are:
C:\Inetpub\wwwroot\web.config
C:\Inetpub\wwwroot\BasicWebSite\web.config
2. Open web.config in Notepad.
3. After the </SharePoint> tag, add the following tags to configure Windows
SharePoint Services to make connections to the Internet through your outbound
proxy server, using the proxy server name and TCP port number required to connect
to the Internet:
   <system.net>
      <defaultProxy>
         <proxy proxyaddress="http://ProxyServer:Port" bypassonlocal="true" />
      </defaultProxy>
   </system.net>
4. Save the file.
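The same edit can be applied programmatically on every front-end Web server. The following Python script is an added example, not part of the white paper: it inserts the <system.net> block directly after </SharePoint> and is safe to re-run. The SAMPLE_WEB_CONFIG content and the proxy address http://ProxyServer:8080 are constructed placeholders; the two file paths are the ones from this scenario.

```python
"""Insert the <system.net><defaultProxy> block described in Step 16.

Added example; not part of the white paper. SAMPLE_WEB_CONFIG, the proxy
address and the .bak naming are constructed placeholders.
Requires Python 3.9+ (xml.etree.ElementTree.indent).
"""
import xml.etree.ElementTree as ET
from pathlib import Path

XML_DECLARATION = '<?xml version="1.0" encoding="utf-8"?>\n'

# Constructed, cut-down stand-in for a Windows SharePoint Services web.config;
# only the sections relevant to this edit are present.
SAMPLE_WEB_CONFIG = XML_DECLARATION + """<configuration>
  <SharePoint>
    <SafeMode MaxControls="50" CallStack="false" />
  </SharePoint>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
</configuration>
"""


def add_default_proxy(config_xml: str, proxy_address: str) -> str:
    """Return config_xml with <system.net><defaultProxy><proxy .../> placed
    immediately after </SharePoint>, as Step 16 specifies.

    The edit is idempotent: an existing <system.net> section is reused and the
    <proxy> attributes are overwritten, so running the script twice on the same
    front-end Web server does not duplicate the section.
    """
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("not a .NET configuration file")

    system_net = root.find("system.net")
    if system_net is None:
        system_net = ET.Element("system.net")
        children = list(root)
        sharepoint = root.find("SharePoint")
        # Place it right after <SharePoint>; fall back to the end if absent.
        position = children.index(sharepoint) + 1 if sharepoint is not None else len(children)
        root.insert(position, system_net)

    default_proxy = system_net.find("defaultProxy")
    if default_proxy is None:
        default_proxy = ET.SubElement(system_net, "defaultProxy")
    proxy = default_proxy.find("proxy")
    if proxy is None:
        proxy = ET.SubElement(default_proxy, "proxy")

    proxy.set("proxyaddress", proxy_address)
    proxy.set("bypassonlocal", "true")  # intranet (local) names skip the proxy

    ET.indent(root, space="  ")
    return XML_DECLARATION + ET.tostring(root, encoding="unicode") + "\n"


def configured_proxy_address(config_xml: str):
    """Return the proxyaddress currently set in config_xml, or None."""
    proxy = ET.fromstring(config_xml).find("system.net/defaultProxy/proxy")
    return None if proxy is None else proxy.get("proxyaddress")


def update_web_config(path: Path, proxy_address: str) -> None:
    """Rewrite one web.config in place, keeping a .bak copy beside it."""
    original = path.read_text(encoding="utf-8")
    path.with_name(path.name + ".bak").write_text(original, encoding="utf-8")
    path.write_text(add_default_proxy(original, proxy_address), encoding="utf-8")


if __name__ == "__main__":
    # The two virtual servers in this scenario (paths from the white paper).
    targets = (Path(r"C:\Inetpub\wwwroot\web.config"),
               Path(r"C:\Inetpub\wwwroot\BasicWebSite\web.config"))
    for web_config in targets:
        if web_config.exists():
            update_web_config(web_config, "http://ProxyServer:8080")
            print(f"updated {web_config}")
        else:
            print(f"not present here: {web_config}")
    # Offline demonstration on the constructed sample.
    print(add_default_proxy(SAMPLE_WEB_CONFIG, "http://ProxyServer:8080"))
```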

Step 17: Configure the External ISA Server 2004 Computer to Listen for Incoming Requests on the Appropriate IP Address
You must configure the external ISA Server 2004 computer to listen to the requests
coming in on the public network interface. After the server is listening, it can apply the
rules you set up later in this process.
Configure the external ISA Server 2004 computer to listen for incoming
requests on the appropriate IP address

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Server Management.
2. In the left pane, expand ServerName, and then click Firewall Policy.
3. On the Toolbox tab, click Network Objects.
4. Right-click Web Listeners, and then click New Web Listener.
5. On the Welcome page of the New Web Listener Definition Wizard, type a name for
the Web listener, and then click Next.
6. On the IP Addresses page, do the following:
1. In the Listen for requests from these networks list, select the network from
which you want to listen for requests. Typically, this is the External network.
2. Click Address.
3. In the External Network Listener IP Selection dialog box, click Specified IP
addresses on the ISA Server computer in the selected network.
4. In the Available IP Addresses list, select the IP address that you added to the
external network adapter in a previous step, and then click Add to move the
address to the Selected IP Addresses list.
5. Click OK.
6. Click Next.
7. On the Port Specification page, do the following:
1. Ensure that the Enable HTTP check box is selected.
2. In the HTTP port box, ensure that the port is 8080.
3. Select the Enable SSL check box.
4. In the SSL port box, ensure that the port is 443.
5. Next to the Certificate box, click Select.
6. In the Select Certificate dialog box, select a certificate from the list, and then
click OK.
Important The name on the certificate that you select must match the
public (external) FQDN that clients will use to connect to your portal site.
7. Click Next.
8. On the completion page, click Finish.
9. Click Apply to save changes and update the configuration.

Step 18: Create a Secure Web Server Publishing Rule on the External ISA Server 2004 Computer
This secure Web server publishing rule forwards requests, complete with host headers,
from the ISA Server 2004 computer to a front-end Web server.
Create a secure Web server publishing rule on the external ISA Server 2004
computer

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Server Management.
2. In the left pane, expand ServerName, and then click Firewall Policy to refresh the
details pane.
3. Right-click Firewall Policy, point to New, and then click Secure Web Server
Publishing Rule.
4. On the Welcome page of the New SSL Web Publishing Rule Wizard, type a name for
the publishing rule, and then click Next. For example, the name of the rule could be
ExtranetRule.
5. On the Publishing Mode page, ensure that SSL Bridging is selected, and then click
Next.
6. On the Select Rule Action page, ensure that Allow is selected, and then click Next.
7. On the Bridging Mode page, ensure that Secure connection to clients and Web
server is selected, and then click Next.
8. On the Define Website to Publish page, do the following:
1. In the Computer name or IP address box, type the internal FQDN of the
SharePoint Portal Server deployment. If the deployment has only one front-end
Web server, this would be ServerName.Perimeter.Net, where ServerName is the
NetBIOS computer name of the front-end Web server. If the deployment has
multiple load-balanced front-end Web servers, this would be the load-balancing
internal FQDN, for example, Portal.Perimeter.Net.
2. Select the Forward the original host header instead of the actual one
(specified above) check box.
3. In the Path box, type /* to include all files and subfolders.
4. Click Next.
9. On the Public Name Details page, do the following:
1. In the Accept requests for list, ensure that This domain name (type below)
is selected.
2. In the Public name box, type the external FQDN that clients will use to access
the portal site, for example, ExtranetPortal.Perimeter.Net.
3. Ensure that the Path is /*.
4. Click Next.
10. On the Select Web Listener page, do the following:
1. In the Web listener list, select the Web listener that you created previously, and
then click Edit.
2. On the Properties page, click the Networks tab and verify that the correct
network and IP address are selected.
3. On the Preferences tab, ensure that the Enable HTTP check box is selected
and that the HTTP port is 8080.
4. Ensure that the Enable SSL check box is selected and that the SSL port is 443.
5. Ensure that the name on the certificate shown matches the public (external)
FQDN that clients will use to connect to your portal site.
6. Click Authentication.
7. In the Authentication dialog box, in the Method list, clear the Integrated
check box, and click OK on the warning message.
8. In the Method list, click Basic, and then click Yes on the ISA Server
Configuration warning message that appears.
9. Select the Require all users to authenticate check box.
10. In the Authentication Servers section, click Select Domain.
11. In the Select Domain dialog box, type or browse for the name of your internal
domain (for example, Perimeter.Net), and then click OK.
12. In the Authentication dialog box, click OK.
13. Click OK to close the Properties page.
14. Click Next.
11. On the User Sets page, do the following:
1. Select All Users, and then click Remove.
2. Click Add.
3. In the Add Users dialog box, select All Authenticated Users, click Add, and
then click Close.
4. Click Next.
12. On the completion page, click Finish.
13. Click Apply to save changes and update the configuration.

Step 19: Verify that the Secure Web Server Publishing Rule Properties Are Correct
After creating the secure Web server publishing rule, you must confirm that all the
properties are correct. You will also specify additional settings in the following procedure.
Verify that the secure Web server publishing rule properties are correct

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Server Management.
2. In the left pane, expand ServerName, and then click Firewall Policy.
3. In the details pane, right-click the secure Web server publishing rule that you created
in the previous step in this paper (for example, ExtranetRule), and then click
Properties.
4. On the Properties page, on the From tab, do the following:
1. In the This rule applies to traffic from these sources list, click Anywhere,
and then click Remove.
2. Click Add.
3. In the Add Network Entities dialog box, expand Networks, click External,
click Add, and then click Close.
5. On the Traffic tab, do the following:
1. Ensure that the Notify HTTP users to use HTTPS instead check box is
selected.
2. Ensure that the Require 128-bit encryption for HTTPS traffic check box is
selected. ISA Server 2000, ISA Server 2004, and the majority of modern
browsers can now support 128-bit encryption.
3. Click Filtering, and then click Configure HTTP.
4. In the Configure HTTP policy for rule dialog box, in the URL Protection
section, ensure that the Verify normalization check box and the Block high
bit characters check box are cleared, and then click OK.
Important Windows SharePoint Services and SharePoint Portal Server do
not function with this level of HTTP filtering. If you do not disable these two
settings, Windows SharePoint Services and SharePoint Portal Server will not
function correctly.
6. On the Users tab, do the following:
1. In the This rule applies to requests from the following user sets list, click
All Users, and then click Remove.
2. Click Add.
3. In the Add Users dialog box, click All Authenticated Users, click Add, and
then click Close.
4. Select the Forward Basic authentication credentials (Basic delegation)
check box.
7. Click OK.
8. Click Apply to save changes and update the configuration.
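To make clear what protection is given up when Verify normalization and Block high bit characters are cleared (step 5 above), the following Python script is an added example, not ISA Server code. It approximates the documented behaviour of the two checks: decode the URL twice and reject it if the second decode still changes it (a double-encoded request), and reject a URL containing any non-ASCII character. That the high-bit test runs on the decoded URL is an assumption, and the sample requests are constructed.

```python
"""Model of the two ISA Server 2004 URL-protection checks cleared in Step 19.

Added example; not ISA Server code. The sample URLs are constructed, and
applying the high-bit test after percent-decoding is an assumption.
"""
from urllib.parse import unquote


def violates_normalization(url: str) -> bool:
    """True if a second round of %XX decoding still changes the URL,
    i.e. the request arrived double-encoded."""
    once = unquote(url)
    twice = unquote(once)
    return once != twice


def has_high_bit_chars(url: str) -> bool:
    """True if the decoded URL contains any character outside 7-bit ASCII."""
    return any(ord(ch) > 0x7F for ch in unquote(url))


def url_protection_verdict(url: str, verify_normalization: bool = True,
                           block_high_bit: bool = True) -> list:
    """Return the reasons the rule would block url (empty list = allowed)."""
    reasons = []
    if verify_normalization and violates_normalization(url):
        reasons.append("verify normalization")
    if block_high_bit and has_high_bit_chars(url):
        reasons.append("high bit characters")
    return reasons


# Constructed requests to the portal site published in this scenario.
SAMPLE_URLS = [
    "https://ExtranetPortal.Perimeter.Net/default.aspx",
    "https://ExtranetPortal.Perimeter.Net/Shared%20Documents/Budget%202005.xlsx",
    # A document whose name holds accented characters, sent UTF-8 percent-encoded
    "https://ExtranetPortal.Perimeter.Net/Shared%20Documents/R%C3%A9sum%C3%A9.docx",
    # A query value that is still percent-encoded after one decode
    "https://ExtranetPortal.Perimeter.Net/_layouts/search.aspx?k=50%2525",
]


def audit(urls, **settings) -> dict:
    """Map each URL to its block reasons under the given filter settings."""
    return {url: url_protection_verdict(url, **settings) for url in urls}


if __name__ == "__main__":
    print("With both URL Protection checks selected:")
    for url, reasons in audit(SAMPLE_URLS).items():
        print(f"  {'BLOCK' if reasons else 'allow'}  {url}  {reasons}")
    print("With both checks cleared, as Step 19 requires for SharePoint:")
    for url, reasons in audit(SAMPLE_URLS, verify_normalization=False,
                              block_high_bit=False).items():
        print(f"  {'BLOCK' if reasons else 'allow'}  {url}")
```

The run shows that ordinary SharePoint requests, such as a document name with accented characters, are among those the checks reject, which is why the rule must run without them; the double-decoding check is the one whose coverage is lost.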

Step 20: Configure an Alternate Access Setting that Uses the Public (External) FQDN URL that Users Will Use to Access the Portal Site
Alternate access settings provide a mechanism for server farm administrators to identify
the different ways in which users access portal sites, ensuring that URLs are displayed
appropriately for the manner in which users access the portal site.
You must configure an alternate access setting to enable users to access the portal site
across the extranet and to ensure that links returned in portal site pages can be
reached.
Configure an alternate access setting that uses the public (external) FQDN URL
that users will use to access the portal site

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Configure alternate
portal site URLs for intranet, extranet, and custom access.
2. On the Configure Alternate Portal Access Settings page, rest the pointer on Default
Web Site, and then click the arrow that appears.
3. On the menu that appears, click Edit.
4. On the Change Alternate Access Setting page, in the Extranet URL box, type the
extranet URL. This URL is the public (external) FQDN that clients will use to access
the portal site over the extranet, for example, https://ExtranetPortal.Perimeter.Net.
5. Click OK.

Step 21: Verify that You Can Access the Portal Site through the Internet
A computer connected to the Internet must be able to access the portal site in the
extranet domain by using a URL containing the public (external) FQDN. For example,
https://ExtranetPortal.Perimeter.Net is the URL containing the public FQDN.
To verify that you can access the extranet from the Internet, do the following from a
client computer that has Internet connectivity.
Verify that you can access the portal site through the Internet

1. Open a Web browser, and then in the Address bar, type the public (external) FQDN
that clients will use to access the portal site. For example, in this scenario, the URL
would be https://ExtranetPortal.Perimeter.Net.
2. In the Connect to dialog box, type the user name and password of an account that
has access to the portal site, and then click OK. Verify that the home page of the
portal site appears.

Scenario 5: Multiple Portal Sites on Multiple Virtual Servers (Using ISA Server 2004)
The ability to host multiple portal sites on a SharePoint Portal Server deployment is a
standard SharePoint Portal Server feature. In this scenario, you will expose two portal
sites over the extranet using Basic authentication and SSL.
Scenario 3 is used as the starting point for this scenario. After you have performed the
steps in Scenario 3, you will do the following to enable Scenario 5:

• Create a new Web site in IIS.
• Create a new portal site on the new Web site.
• Expose the new portal site over the extranet.

The steps in this scenario will result in a deployment in which:

• A portal site, hosted on the Default Web site in IIS, is exposed over the extranet
using Basic authentication and SSL. You do this by performing the steps in Scenario
3.
• A second portal site, hosted on a new Web site in IIS, is exposed over the extranet
using Basic authentication and SSL. You do this by performing the additional steps in
this section.
Important Before performing the steps that follow, ensure that you have
performed the steps in Scenario 3.

To enable the scenario described in this section, you must do the following steps after
performing the steps in Scenario 3. Each of the steps is explained in detail later in this
section.

1. Create a new Web site in IIS to host a new portal site.
2. Specify a unique TCP port for SSL for the new Web site.
3. Create a new portal site on the new Web site in IIS.
4. Configure Basic authentication on the new Web site in IIS.
5. Install an SSL server certificate on the new Web site in IIS.
6. Verify that you can access the new portal site hosted on the new Web site by using
an internal SSL FQDN URL.
7. Configure IIS to require SSL for the new Web site.
8. Modify the default URL for the new portal site.
9. Configure the SharePoint Portal Server search service to use Basic authentication
when crawling content sources (new portal site).
10. Configure the network adapters in the external ISA Server 2004 computer.
11. Create a public DNS entry for the new portal site that will be exposed over the
extranet.
12. Ensure that the appropriate SSL server certificates are installed on the external ISA
Server 2004 computer.
13. Configure the external ISA Server 2004 computer to allow outbound connections to
the Internet.
14. Edit the web.config file.
15. Configure the external ISA Server 2004 computer to listen for incoming requests on
the appropriate IP address.
16. Create a secure Web server publishing rule on the external ISA Server 2004
computer for the new portal site.
17. Verify that the secure Web server publishing rule properties are correct.
18. Configure an alternate access setting that uses the public (external) FQDN URL that
users will use to access the portal site.
19. Verify that you can access the new portal site through the Internet.

The following sections include procedures for the major steps above.
The examples in the following table are used in the procedures for this scenario.
Element: Example used in this scenario
Extranet domain name: Perimeter.Net
Intranet domain name: Corp.Net
Front-end Web server internal FQDN: ServerName.Perimeter.Net, where ServerName is the NetBIOS computer name of the front-end Web server
Front-end Web server internal FQDN URL (HTTP): http://ServerName.Perimeter.Net, where ServerName is the NetBIOS computer name of the front-end Web server
Front-end Web server internal FQDN URL (SSL): https://ServerName.Perimeter.Net, where ServerName is the NetBIOS computer name of the front-end Web server
Load-balancing internal FQDN: Portal.Perimeter.Net (resolves to the load-balancing virtual IP address)
Load-balancing internal FQDN URL (HTTP): http://Portal.Perimeter.Net
Load-balancing internal FQDN URL (SSL): https://Portal.Perimeter.Net
External FQDN: NewExtranetPortal.Perimeter.Net (resolves to an IP address on the external network adapter on the external ISA Server 2004 computer)
External FQDN URL: https://NewExtranetPortal.Perimeter.Net
Default Web Site in IIS: Hosts existing portal site from Scenario 3, TCP port 80, SSL port 443
New Web site in IIS: BasicWebSite, hosts new portal site, TCP port 8080, SSL port 8081
New portal site: BasicNewPortal, hosted on BasicWebSite in IIS

Step 1: Create a New Web Site in IIS to Host a New Portal Site
On each front-end Web server in the SharePoint Portal Server deployment, you must
create a new Web site in IIS. This Web site will host a new portal site. The descriptions,
TCP ports, and other settings specified in this step must be the same on each front-end
Web server.
Create a new Web site in IIS to host a new portal site

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click Web Sites, point to New, and then click Web Site.
4. On the Welcome page of the Web Site Creation Wizard, click Next.
5. On the Web Site Description page, type a description for the new Web site, such as
BasicWebSite, and then click Next.
6. On the IP Address and Port Settings page, in the Enter the IP address to use for
this Web site list, leave the setting at the default (All unassigned).
7. In the TCP port this Web site should use (Default 80) box, type a new TCP port
number. This port number must be unique and cannot be used by any other IIS Web
site. Because the Default Web Site in IIS already uses TCP port 80, you must specify
a value other than 80, for example, 8080. This step is required because SharePoint
Portal Server cannot use virtual servers that are bound to discrete IP addresses. For
more information, see “Appendix A: Known Issues.”
8. Do not specify a host header for this Web site.
9. Click Next.
10. On the Web Site Home Directory page, type a path to the home directory for this
new Web site, for example, C:\Inetpub\wwwroot\BasicWebSite.
11. Clear the Allow anonymous access to this Web site check box, and then click
Next.
12. On the Web Site Access Permissions page, click Next. Do not change any of the
default permission settings.
13. On the completion page, click Finish.

Step 2: Specify a Unique TCP Port for SSL for the New Web Site
You must specify a TCP port for SSL for the new Web site. This TCP port must be unique.
It cannot be used for HTTP or HTTPS by any other Web site that is configured in IIS. This
step is required because the Default Web Site in IIS uses TCP port 443 for SSL.

Important Different Web sites in IIS can use the same port numbers if they are
differentiated by using IIS host headers. However, you cannot use IIS host headers
with SSL. This is by design in IIS. For more information, see article 187504, “HTTP
1.1 Host Headers Are Not Supported When You Use SSL,” in the Knowledge Base at
http://go.microsoft.com/fwlink/?LinkId=38059&clcid=0x409.

This new TCP port number for SSL must be used in the URL that clients use to access
the new portal site. Although ISA Server 2004 can redirect requests coming in on one
port from the outside to a different port on the inside, this results in client and server
URLs that do not match. If the URL received by the SharePoint Portal Server deployment
does not match the URL used by the client, neither Windows SharePoint Services nor
SharePoint Portal Server will function correctly. For more information, see “Appendix A:
Known Issues.”
This step must be done on all front-end Web servers in the SharePoint Portal Server
deployment. The SSL port and other settings specified in this step must be the same on
each front-end Web server.
Specify a unique TCP port for SSL for the new Web site

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click the name of the Web site that you just created (BasicWebSite in this
example), and then click Properties.
4. On the Web Site tab, in the Web site identification section, in the SSL port box,
type a TCP port for SSL to use. Because the Default Web Site in IIS already uses TCP
port 443 for SSL, you must specify a unique value other than 443, for example,
8081. This step is required because SharePoint Portal Server cannot use virtual
servers that are bound to discrete IP addresses. For more information, see “Appendix
A: Known Issues.”
5. Click OK.

Step 3: Create a New Portal Site on the New Web Site in IIS
In this step, you create a new portal site on the new Web site that you previously
created.
Perform the following procedure from a front-end Web server in the SharePoint Portal
Server deployment.
Create a portal site

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Create a portal site.
2. On the Create Portal Site for ServerName page, in the Portal Creation Options
section, click Create a portal.
3. In the Site Name section, in the Name box, type a name for the portal site, for
example, BasicNewPortal.
4. In the Site URL section, do the following:
1. In the Virtual server list, click the new virtual server that you created
previously, for example, BasicWebSite.
2. In the URL box, type the correct URL. In this example, the URL is
http://ServerName:8080, where ServerName is the NetBIOS computer name.
5. In the Owner section, do the following:
1. In the Account name box, type the account name for the portal site owner in
the format DOMAIN\UserName.
2. In the E-mail address box, type the e-mail address for the portal site owner.
6. Click OK.
7. On the Create Portal Site Confirmation for ServerName page, click OK to begin
creating the portal site.

If the SharePoint Portal Server deployment has only one front-end Web server, an
Operation Successful page will be displayed. In the Portal Site Addresses section, click
the link for the home page, and verify that you can successfully access the home page of
the portal site.
If the SharePoint Portal Server deployment has multiple load-balanced front-end Web
servers, an Operation Successful page will be displayed with one or more links to extend
the virtual server on the other front-end Web servers. You must ensure that the virtual
server (BasicWebSite) is extended on all load-balanced front-end Web servers. For
more information, see the Microsoft Office SharePoint Portal Server 2003 Administrator’s
Guide.

Step 4: Configure Basic Authentication on the New Web Site in IIS
Perform the following procedure on each front-end Web server in the SharePoint Portal
Server deployment.
Configure Basic authentication on the new Web site in IIS

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click the name of the Web site that you just created (BasicWebSite in this
example), and then click Properties.
4. On the Directory Security tab, in the Authentication and access control section,
click Edit.
5. In the Authentication Methods dialog box, in the Authenticated access section,
clear any selected check boxes, and then select the Basic authentication
(password is sent in clear text) check box.
6. In the warning message box, click Yes.
7. Click OK to close the Authentication Methods dialog box.
8. Click OK to close the BasicWebSite Properties dialog box.
9. If an Inheritance Overrides dialog box appears, click Select All, and then click
OK.

Step 5: Install an SSL Server Certificate on the New Web Site in IIS
On each front-end Web server in the SharePoint Portal Server deployment, you must
now install an SSL server certificate on the new Web site in IIS (BasicWebSite) that is
hosting the new portal site. All of the SSL certificates must meet the following criteria:

• The “Issued to” name on the certificate must match the internal FQDN that you
specify when you configure the Web publishing rule on ISA Server 2004. In this
scenario, for example, the SSL certificate must be issued to Portal.Perimeter.Net if
you have a load-balanced deployment with more than one front-end Web server, or
to ServerName.Perimeter.Net if you have only one front-end Web server.
• The certificate must not be expired.
• The ISA Server 2004 computer must trust the CA that issued the SSL certificate on
the front-end Web servers running SharePoint Portal Server.
To accomplish this during testing, a local CA was used to generate the certificates for the
internal SSL connections between the ISA Server 2004 computer and the front-end Web
servers running SharePoint Portal Server. This ensured that the ISA Server 2004
computer and the front-end Web servers trusted the same CA.
For more information about obtaining and installing SSL certificates, see:

• “Obtaining and Installing Server Certificates” in the IIS 6.0 Technical Reference at
http://go.microsoft.com/fwlink/?LinkId=37235&clcid=0x409.
• “Enabling Secure Sockets Layer for SharePoint Portal Server 2003” at
http://go.microsoft.com/fwlink/?linkid=28852&clcid=0x409.

Step 6: Verify that You Can Access the New Portal Site Hosted on the New Web Site by Using an Internal SSL FQDN URL
Before continuing, it is strongly recommended that you ensure that you can successfully
access the portal site hosted on the new Web site in IIS by using an internal FQDN URL
that uses SSL. You must do this from each front-end Web server in the SharePoint Portal
Server deployment. If you have multiple load-balanced front-end Web servers in the
SharePoint Portal Server deployment, also verify that you can access the portal site by
using the URL that contains the FQDN that resolves to the load-balancing virtual IP
address. If you can successfully access the portal site by following the steps in this
section, Basic authentication and SSL are both working.
Depending on the SharePoint Portal Server deployment that you have, do one of the
following:

• If you have a SharePoint Portal Server deployment with only one front-end Web
server, the URL that you use to verify access is https://ServerName.Perimeter.Net,
where ServerName is the NetBIOS computer name of the front-end Web server.
• If you have a SharePoint Portal Server deployment with multiple load-balanced front-
end Web servers, you must test the internal FQDN URL for each server (that is,
https://ServerName.Perimeter.Net) and the URL containing the load-balancing FQDN
that resolves to your load-balancing virtual IP address (that is,
https://Portal.Perimeter.Net).
Verify that you can access the portal site hosted on the new Web site by using
an internal SSL FQDN URL
Depending on the proxy server configurations for your intranet and your Web browser
configuration, the request you send in the following procedure might get routed through
a proxy server, and you might encounter an error. Therefore, ensure that your Web
browser bypasses your intranet proxy servers for this test.

1. On each front-end Web server, open Internet Explorer, and then in the Address bar,
type the internal SSL FQDN URL to access the portal site internally, for example,
https://ServerName.Perimeter.Net.
Important At this point, if you have a load-balanced SharePoint Portal Server
deployment, a Security Alert dialog box appears that states, “The name on the
security certificate is invalid or does not match the name of the site.” This alert
appears because the name of the site (ServerName) does not match the name on
the certificate (Portal.Perimeter.Net). You can ignore this error and click Yes to
proceed. However, you must correct any of the following issues before
proceeding:
• The certificate is expired.
• The certificate is not yet valid.
• The certificate was issued by a company that you have chosen not to trust.
2. In the Connect to dialog box, type the user name and password of an account that
has access to the portal site, and then click OK.
3. Verify that the home page of the existing portal site is correctly displayed.
4. If you have a SharePoint Portal Server deployment with multiple, load-balanced
front-end Web servers, you must also verify that you can access the portal site by
using the load-balancing internal SSL FQDN URL that resolves to your load-balancing
virtual IP address. To do this:
1. On one front-end Web server, open Internet Explorer, and in the Address bar
type the load-balancing internal SSL FQDN URL to access the portal site internally
(for example, https://Portal.Perimeter.Net).
Important At this point, if a Security Alert dialog box appears, you must
correct any issues before proceeding.
2. In the Connect to dialog box, type the user name and password of an account
that has access to the portal site, and then click OK.
3. Verify that the home page of the existing portal site is correctly displayed.

Step 7: Configure IIS to Require SSL for the New Web Site
The new Web site in IIS (BasicWebSite) that you created earlier is the virtual server that
is hosting one of the two portal sites that will be exposed over the extranet. Because this
new Web site is to be secured with Basic authentication and SSL, after you have
installed the correct SSL server certificate on this Web site, you can take the additional
steps necessary to require SSL for the new Web site.
Perform the following procedure on all front-end Web servers in the SharePoint Portal
Server deployment.
Configure IIS to require SSL for the new Web site

1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand ServerName, and
then expand Web Sites.
3. Right-click BasicWebSite, and then click Properties.
4. On the Directory Security tab, in the Secure communications section, click Edit.
5. In the Secure Communications dialog box, select the Require secure channel
(SSL) check box.
6. Select the Require 128-bit encryption check box. ISA Server 2000, ISA
Server 2004, and the majority of modern browsers can now support 128-bit
encryption. Do not change any other settings in this dialog box.
7. Click OK to close the Secure Communications dialog box.
8. Click OK to close the BasicWebSite Properties dialog box.
9. If an Inheritance Overrides dialog box appears, click Select All, and then click
OK.

Step 8: Modify the Default URL for the New Portal Site
When the portal site is created, a default URL entry is created in the SharePoint Portal
Server alternate access settings table. The default URL is the URL that was specified on
the Create Portal Site for ServerName page when the portal site was created. Typically,
this URL is http://ServerName, where ServerName is the NetBIOS computer name.
When you configure the new Web site in IIS (BasicWebSite in this example) to require
SSL, you must modify the default URL for the portal site to use HTTPS and to include the
internal FQDN of the SharePoint Portal Server deployment. Because this new Web site
uses a non-standard TCP port for SSL (that is, it does not use port 443), that port
number must be part of the default URL.
For example:

• If the SharePoint Portal Server deployment contains only one front-end Web server,
the default URL would be https://ServerName.Perimeter.Net:8081, where
ServerName is the NetBIOS computer name of the front-end Web server.
• If the SharePoint Portal Server deployment contains multiple network load-balanced
front-end Web servers, you must ensure that the default URL for the portal site
corresponds to the load-balancing virtual IP address by using the load-balancing
internal FQDN for that IP address in the URL, for example,
https://Portal.Perimeter.Net:8081. The SharePoint Portal Server crawling process
then uses the load-balancing virtual IP address, which yields better performance and
provides failover for crawling in case a front-end Web server becomes unavailable.
The steps that follow include instructions that apply regardless of how many front-end
Web servers you have in the SharePoint Portal Server deployment.

• For deployments containing only one front-end Web server, the steps in the following
procedure assume that:
• The internal FQDN is ServerName.Perimeter.Net.
• The internal FQDN URL is https://ServerName.Perimeter.Net:8081, where
ServerName is the NetBIOS computer name of the front-end Web server.
• For deployments containing more than one front-end Web server, the steps in the
following procedure assume that:
• There is a load-balancing internal FQDN of Portal.Perimeter.Net.
• This FQDN resolves to the load-balancing virtual IP address.
• The load-balancing internal FQDN URL is https://Portal.Perimeter.Net:8081.

Modify the default URL for the portal site

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Configure alternate
portal site URLs for intranet, extranet, and custom access.
2. On the Configure Alternate Portal Access Settings page, rest the pointer on Default
Web Site, and then click the arrow that appears.
3. On the menu that appears, click Edit.
4. On the Change Alternate Access Setting page, in the Default URL box, do one of the
following:
• If you have only one front-end Web server in the SharePoint Portal Server
deployment, change the URL to use HTTPS instead of HTTP and ensure that the
internal FQDN for your deployment is included (for example,
https://ServerName.Perimeter.Net:8081).
• If the SharePoint Portal Server deployment contains more than one front-end
Web server and you are using network load-balancing, change the default URL to
use HTTPS instead of HTTP and ensure that the FQDN corresponding to your
load-balancing virtual IP address is used, for example,
https://Portal.Perimeter.Net:8081.
5. Click OK.

Step 9: Configure the SharePoint Portal Server Search Service to Use Basic Authentication when Crawling Content Sources (New Portal Site)
When SharePoint Portal Server crawls content sources, it does so by calling SharePoint
Portal Server Web services. This requires access to the Web site in IIS that is hosting the
portal site. Whatever authentication method is used by that Web site in IIS must be
used by the search service when those Web service calls are made. If this Web site in
IIS is secured with Basic authentication, then the search service must be configured to
use Basic authentication, or the crawl will fail with an Access denied error.
Perform the following procedure from a front-end Web server in the SharePoint Portal
Server deployment. In this procedure, you will:

• Configure SharePoint Portal Server search to use Basic authentication when crawling
non-portal content.
• Configure SharePoint Portal Server search to use Basic authentication when crawling
portal content.
• Perform a full update on both non-portal content and portal content.

Configure the SharePoint Portal Server search service to use Basic authentication when crawling content sources

1. On the home page of the new portal site that you created (BasicNewPortal), click
Site Settings.
2. On the Site Settings page, in the Search Settings and Indexed Content section,
click Configure search and indexing.
3. On the Configure Search and Indexing page, in the General Content Settings and
Indexing Status section, next to Exclude and include, click other content.
4. On the Exclude and Include Content for Non_Portal_Content page, do the following
for any groups or rules that are included:
1. Rest the pointer on the rule or group that is included, and then click the arrow
that appears.
2. On the menu, click Edit.
3. On the Edit Rule page, in the Specify Authentication section, click Specify
crawling account.
4. In the Account box, type the user name that can access the resources in this
URL space in the format DOMAIN\UserName.
5. In the Password box, type the password for this user name.
Your password is protected and can be used only to access the needed resources
for the purpose of crawling content.
6. In the Confirm password box, type the password for this user name again.
7. Ensure that the Do not allow Basic authentication check box is cleared.
Important Clearing the Do not allow Basic authentication check box might
cause your password to be easily determined.
8. Click OK.
9. Repeat steps 4.1 through 4.8 for each group or rule that is included.
5. On the Exclude and Include Content for Non_Portal_Content page, in the
breadcrumbs, click Configure Search and Indexing.
6. On the Configure Search and Indexing page, in the Other Content Sources section,
click Manage content sources.
7. On the Manage Content Sources page, rest the pointer on This portal, and then
click the arrow that appears.
8. On the menu that appears, click Edit.
9. On the Existing Web page or Web site content source page, click Advanced.
10. On the Configure Web page or Web site Content Source page, click Exclude and
Include Content.
11. On the Exclude and Include Content for Portal_Content page, do the following for any
groups or rules that are included:
1. Rest the pointer on the rule or group that is included, and then click the arrow
that appears.
2. On the menu that appears, click Edit.
3. On the Edit Rule page, in the Specify Authentication section, click Specify
crawling account.
4. In the Account box, type the user name that can access the resources in this
URL space in the format DOMAIN\UserName.
5. In the Password box, type the password for this user name.
Your password is protected and can be used only to access the needed resources
for the purpose of crawling content.
6. In the Confirm password box, type the password for this user name again.
7. Ensure that the Do not allow Basic authentication check box is cleared.
Important Clearing the Do not allow Basic authentication check box
might cause your password to be easily determined.
8. Click OK.
9. Repeat steps 11.1 through 11.8 for each group or rule that is included.
12. Perform a full update on portal content and non-portal content. To do this:
1. On the Configure Search and Indexing page, in the General Content Settings
and Indexing Status section, next to Start portal content update, click Full.
2. On the Configure Search and Indexing page, in the General Content Settings
and Indexing Status section, next to Start non portal content update, click
Full.
13. Ensure that the updates succeed. If either update fails with an Access denied error,
ensure that the crawling account and password are correct.

Step 10: Configure the Network Adapters in the External ISA Server 2004 Computer
The external ISA Server 2004 computer must have the following two network adapters:

• A public, or external, network interface, which is exposed to the clients that will
attempt to connect to your portal site (usually over the Internet).
• A private, or internal, network interface, which is exposed to the servers that it is
protecting.
You must assign at least one IP address on the internal interface.
For this scenario, you must have at least two addresses on the external interface. One IP
address is used to support Scenario 3, and the other IP address is used to support the
new portal site created in this section of the paper. The reason for this is that ISA Server
listeners can only be configured to listen to one port per protocol. In Scenario 3, the
listener is listening for SSL on port 443. In this scenario, the listener must listen for SSL
on port 8081.
Configure the network adapters in the external ISA Server 2004 computer

1. On the ISA Server 2004 computer, click Start, point to Settings, and then click
Network Connections.
2. Right-click the external network connection, and then click Properties.
3. On the Properties page, on the General tab, in the This connection uses the
following items list, click Internet Protocol (TCP/IP), and then click
Properties.
4. On the Internet Protocol (TCP/IP) Properties page, configure the IP addresses and
DNS server addresses as appropriate for the network to which the network adapter is
attached.
Note You should not use the option to obtain an IP address automatically.
5. Click OK to close the Properties page.
6. Click OK to close the Properties page for the network connection.
7. Repeat steps 2 through 6 for the internal network connection.

Step 11: Create a Public DNS Entry for the
New Portal Site that Will Be Exposed Over
the Extranet
After creating the new portal site, you must create a new public DNS entry to map the
public (external) FQDN to the IP address for the public (external) interface of the
external ISA Server 2004 computer. The URL containing the FQDN is the URL that users
will use to access the portal site across the extranet.

Important In this scenario, this new DNS entry must correspond to the external IP
address that ISA Server 2004 will use to listen for SSL on port 8081.

You must map the public FQDN (for example, NewExtranetPortal.Perimeter.Net) to the
new external IP address that you previously configured. When a client attempts to
connect to NewExtranetPortal.Perimeter.Net, it will ask the public DNS server what IP
address corresponds to that FQDN. The public DNS server then points it to the new
external IP address, which is the public IP address for the external ISA Server 2004
computer. The client then attempts to establish a connection to that IP address.
For more information about creating a DNS entry or a wildcard DNS entry, see your DNS
documentation.

Step 12: Ensure that the Appropriate SSL Server Certificates Are Installed on the External ISA Server 2004 Computer
As mentioned previously, the external ISA Server 2004 computer must trust the CA that
issued the SSL certificates on the front-end Web servers in the SharePoint Portal Server
deployment. Prescriptive guidance about installing a certificate such that the ISA
Server 2004 computer trusts the CA that issued the SSL certificates on the front-end
Web servers in the SharePoint Portal Server deployment is beyond the scope of this
white paper.
You must also install an additional SSL certificate on the ISA Server 2004 computer. This
additional SSL certificate must match the public (external) FQDN that clients will use to
connect to the portal site.
For more information, see "Digital Certificates for ISA Server and Published Servers" at
http://go.microsoft.com/fwlink/?LinkId=37909&clcid=0x409.

Step 13: Configure the External ISA Server 2004 Computer to Allow Outbound Connections to the Internet
You must configure the external ISA Server 2004 computer to allow SharePoint Portal
Server to make connections to the Internet when necessary. This is required, for
example, to crawl content that is on the Internet. You do this by configuring the ISA
Server 2004 computer to allow outbound connections to the Internet from the
SharePoint Portal Server deployment.

Configure the external ISA Server 2004 computer to allow outbound
connections to the Internet

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Server Management.
2. In the left pane, expand ServerName, expand Configuration, and then click
Networks.
3. In the details pane, click the Networks tab, and then click the network for which
you want to allow outgoing requests. Typically, this would be the internal network
(the network protected by the ISA Server 2004 computer).
4. On the Tasks tab, click Edit Selected Network to display the properties page for
that network.
5. On the Web Proxy tab, ensure the following:
1. The Enable Web Proxy clients check box is selected.
2. The Enable HTTP check box is selected.
3. HTTP port is correctly specified for your network.
6. Click Authentication.
7. In the Method list, select the applicable authentication method, and then click OK.
8. Click OK to close the Properties page for the network.
9. Click Apply to save changes and update the configuration.

Step 14: Edit the web.config File
After the proxy server is configured to allow outbound connections to the Internet, you
must configure Windows SharePoint Services to allow connections to the Internet so that
the Web Capture Web Part and the online Web Part gallery work correctly. You do this by
editing the web.config file on each front-end Web server in the SharePoint Portal Server
deployment.
Edit the web.config file

1. On each front-end Web server, go to the web.config file in the root of the virtual
server that hosts the portal site. In this scenario, for example, the path to the
web.config file is C:\Inetpub\wwwroot\BasicWebSite\web.config.
2. Open web.config in Notepad.
3. After the </SharePoint> tag, add the following tags to configure Windows
SharePoint Services to make connections to the Internet through your outbound
proxy server, using the proxy server name and TCP port number required to connect
to the Internet:
   <system.net>
     <defaultProxy>
       <proxy proxyaddress="http://ProxyServer:Port" bypassonlocal="true" />
     </defaultProxy>
   </system.net>
4. Save the file.
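As an added example that is not part of this white paper, the following Python script performs the Step 14 edit programmatically and idempotently: it parses a web.config, inserts the <system.net> block immediately after </SharePoint> (or updates the block if it already exists), and refuses proxy addresses that do not have the http://ProxyServer:Port form. The sample web.config and the proxy name ProxyServer.Perimeter.Net are constructed for the example.

```python
"""Add the <system.net><defaultProxy> block from Step 14 to a Windows
SharePoint Services web.config, directly after </SharePoint>, without
duplicating it on a second run. Added example, not from the white paper;
the sample web.config below is constructed and far shorter than a real one."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XML_DECLARATION = '<?xml version="1.0" encoding="utf-8"?>\n'

# Constructed stand-in for C:\Inetpub\wwwroot\BasicWebSite\web.config.
SAMPLE_WEB_CONFIG = XML_DECLARATION + """<configuration>
  <!-- constructed sample; a real file carries many more sections -->
  <SharePoint>
    <SafeControls />
  </SharePoint>
  <system.web>
    <httpRuntime maxRequestLength="51200" />
  </system.web>
</configuration>
"""


def proxy_address_is_valid(proxy_address):
    """Step 14 expects http://ProxyServer:Port: require the http scheme, a
    host name and an explicit numeric TCP port, with no path or query."""
    parts = urlsplit(proxy_address)
    try:
        port = parts.port            # raises ValueError for a non-numeric port
    except ValueError:
        return False
    return (parts.scheme == "http" and bool(parts.hostname)
            and port is not None and parts.path in ("", "/")
            and not parts.query and not parts.fragment)


def _parse(web_config_xml):
    # insert_comments keeps the file's comments through the round trip.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(web_config_xml, parser=parser)
    if root.tag != "configuration":
        raise ValueError("not a web.config: root element is <%s>" % root.tag)
    return root


def get_default_proxy(web_config_xml):
    """Return the <proxy> element's attributes as a dict, or None if absent."""
    proxy = _parse(web_config_xml).find("system.net/defaultProxy/proxy")
    return None if proxy is None else dict(proxy.attrib)


def top_level_sections(web_config_xml):
    """Tag names of the direct children of <configuration>, in file order
    (comments are skipped)."""
    return [child.tag for child in _parse(web_config_xml)
            if isinstance(child.tag, str)]


def add_default_proxy(web_config_xml, proxy_address, bypass_on_local=True):
    """Return the web.config text with the defaultProxy block present.
    Running it again only refreshes the <proxy> attributes."""
    if not proxy_address_is_valid(proxy_address):
        raise ValueError("proxy address must look like http://ProxyServer:Port")
    root = _parse(web_config_xml)
    system_net = root.find("system.net")
    if system_net is None:
        system_net = ET.Element("system.net")
        children = list(root)
        sharepoint = root.find("SharePoint")
        # Step 14 places the block right after </SharePoint>; if that element
        # is missing, append it at the end of <configuration> instead.
        position = (children.index(sharepoint) + 1 if sharepoint is not None
                    else len(children))
        root.insert(position, system_net)
    default_proxy = system_net.find("defaultProxy")
    if default_proxy is None:
        default_proxy = ET.SubElement(system_net, "defaultProxy")
    proxy = default_proxy.find("proxy")
    if proxy is None:
        proxy = ET.SubElement(default_proxy, "proxy")
    proxy.set("proxyaddress", proxy_address)
    proxy.set("bypassonlocal", "true" if bypass_on_local else "false")
    if hasattr(ET, "indent"):        # Python 3.9+: pretty-print the new block
        ET.indent(root, space="  ")
    return XML_DECLARATION + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    # Constructed proxy name; substitute the real outbound proxy and port.
    print(add_default_proxy(SAMPLE_WEB_CONFIG, "http://ProxyServer.Perimeter.Net:8080"))
```

Run it once per front-end Web server against the web.config under the virtual server root, and compare get_default_proxy() across servers to confirm they agree.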

Step 15: Configure the External ISA Server 2004 Computer to Listen for Incoming Requests on the Appropriate IP Address
Now you must configure the external ISA Server 2004 computer to listen to the requests
coming in on the public network interface. After the server is listening, it can apply the
rules you set up later in this process.
Configure the external ISA Server 2004 computer to listen for incoming
requests on the appropriate IP address

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Server Management.
2. In the left pane, expand ServerName, and then click Firewall Policy.
3. On the Toolbox tab, click Network Objects.
4. Right-click Web Listeners, and then click New Web Listener.
5. On the Welcome page of the New Web Listener Definition Wizard, type a name for
the Web listener, and then click Next.
6. On the IP Addresses page, do the following:
1. In the Listen for requests from these networks list, select the network from
which you want to listen for requests. Typically, this is the External network.
2. Click Address.
3. In the External Network Listener IP Selection dialog box, click Specified IP
addresses on the ISA Server computer in the selected network.
4. In the Available IP Addresses list, select the IP address that you added to the
external network adapter in a previous step, and then click Add to move the
address to the Selected IP Addresses list.
5. Click OK.
6. Click Next.
7. On the Port Specification page, do the following:
1. Ensure that the Enable HTTP check box is selected.
2. In the HTTP port box, ensure that the port is 8080.
3. Select the Enable SSL check box.
4. In the SSL port box, ensure that the port is 8081.
5. Next to the Certificate box, click Select.
6. In the Select Certificate dialog box, select a certificate from the list, and then
click OK.
Important The name on the certificate that you select must match the
public (external) FQDN that clients will use to connect to your new portal site.
7. Click Next.
8. On the completion page, click Finish.
9. Click Apply to save changes and update the configuration.

Step 16: Create a Secure Web Server Publishing Rule on the External ISA Server 2004 Computer for the New Portal Site
This secure Web server publishing rule forwards requests, complete with host headers,
from the ISA Server 2004 computer to a front-end Web server.
Create a secure Web server publishing rule on the external ISA Server 2004
computer for the new portal site

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Server Management.
2. In the left pane, expand ServerName, and then click Firewall Policy to refresh the
details pane.
3. Right-click Firewall Policy, point to New, and then click Secure Web Server
Publishing Rule.
4. On the Welcome page of the New SSL Web Publishing Rule Wizard, type a name for
the publishing rule, and then click Next. For example, the name of the rule could be
NewExtranetRule.
5. On the Publishing Mode page, ensure that SSL Bridging is selected, and then click
Next.
6. On the Select Rule Action page, ensure that Allow is selected, and then click Next.
7. On the Bridging Mode page, ensure that Secure connection to clients and Web
server is selected, and then click Next.
8. On the Define Website to Publish page, do the following:
1. In the Computer name or IP address box, type or browse for the internal
FQDN of the SharePoint Portal Server deployment. If the deployment has only
one front-end Web server, this is ServerName.Perimeter.Net, where ServerName
is the NetBIOS computer name of the front-end Web server. If the deployment
has multiple load-balanced front-end Web servers, this is the load-balancing
internal FQDN, for example, Portal.Perimeter.Net.
2. Select the Forward the original host header instead of the actual one
(specified above) check box.
3. In the Path box, type /* to include all files and subfolders.
4. Click Next.
9. On the Public Name Details page, do the following:
1. In the Accept requests for list, ensure that This domain name (type below)
is selected.
2. In the Public name box, type the external FQDN that clients will use to access
the portal site, for example, NewExtranetPortal.Perimeter.Net.
3. Ensure that the Path is /*.
4. Click Next.
10. On the Select Web Listener page, do the following:
1. In the Web listener list, select the Web listener that you created previously, and
then click Edit.
2. On the Properties page, click the Networks tab and verify that the correct
network and IP address are selected.
3. On the Preferences tab, ensure that the Enable HTTP check box is selected
and that the HTTP port is 8080.
4. Ensure that the Enable SSL check box is selected and that the SSL port is
8081.
5. Ensure that the name on the certificate shown matches the public (external)
FQDN that clients will use to connect to your portal site.
6. Click Authentication.
7. In the Authentication dialog box, in the Method list, clear the Integrated
check box, and then click OK on the warning message.
8. In the Method list, click Basic, and then click Yes on the ISA Server
Configuration warning message that appears.
9. Select the Require all users to authenticate check box.
10. In the Authentication Servers section, click Select Domain.
11. In the Select Domain dialog box, type or browse for the name of your internal
domain (for example, Perimeter.Net), and then click OK.
12. In the Authentication dialog box, click OK.
13. Click OK to close the Properties page.
14. Click Next.
11. On the User Sets page, do the following:
1. Select All Users, and then click Remove.
2. Click Add.
3. In the Add Users dialog box, select All Authenticated Users, click Add, and
then click Close.
4. Click Next.
12. On the completion page, click Finish.
13. Click Apply to save changes and update the configuration.

Step 17: Verify that the Secure Web Server Publishing Rule Properties Are Correct
After creating the secure Web server publishing rule, you must confirm that all the
properties are correct. You will also specify additional settings in the following procedure.
Verify that the secure Web server publishing rule properties are correct

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA
Server Management.
2. In the left pane, expand ServerName, and then click Firewall Policy.
3. In the details pane, right-click the Web publishing rule that you created in the
previous step in this paper (for example, NewExtranetRule), and then click
Properties.
4. On the Properties page, on the From tab, do the following:
1. In the This rule applies to traffic from these sources list, click Anywhere,
and then click Remove.
2. Click Add.
3. In the Add Network Entities dialog box, expand Networks, click External,
click Add, and then click Close.
5. On the Traffic tab, do the following:
1. Ensure that the Notify HTTP users to use HTTPS instead check box is
selected.
2. Ensure that the Require 128-bit encryption for HTTPS traffic check box is
selected. ISA Server 2000, ISA Server 2004, and the majority of modern
browsers can now support 128-bit encryption.
3. Click Filtering, and then click Configure HTTP.
4. In the Configure HTTP policy for rule dialog box, in the URL Protection
section, ensure that the Verify normalization check box and the Block high
bit characters check box are cleared, and then click OK.
Important Windows SharePoint Services and SharePoint Portal Server do
not function with this level of HTTP filtering. If you do not disable these two
settings, Windows SharePoint Services and SharePoint Portal Server will not
function correctly.
6. On the Users tab, do the following:
1. In the This rule applies to requests from the following user sets list, click
All Users, and then click Remove.
2. Click Add.
3. In the Add Users dialog box, click All Authenticated Users, click Add, and
then click Close.
4. Select the Forward Basic authentication credentials (Basic delegation)
check box.
7. Click OK.
8. Click Apply to save changes and update the configuration.

Step 18: Configure an Alternate Access Setting that Uses the Public (External) FQDN URL that Users Will Use to Access the Portal Site
Alternate access settings provide a mechanism for server farm administrators to identify
the different ways in which users access portal sites, ensuring that URLs are displayed
appropriately for the manner in which users access the portal site.
You must configure an alternate access setting to enable users to access the portal site
across the extranet and to ensure that links returned in portal site pages can be
reached.
Configure an alternate access setting that uses the public (external) FQDN URL
that users will use to access the portal site

1. On the SharePoint Portal Server Central Administration for ServerName page, in the
Portal Site and Virtual Server Configuration section, click Configure alternate
portal site URLs for intranet, extranet, and custom access.
2. On the Configure Alternate Portal Access Settings page, rest the pointer on the
mapping name for the Web site in IIS for the new portal site (in this example,
BasicWebSite), and then click the arrow that appears.
3. On the menu that appears, click Edit.
4. On the Change Alternate Access Setting page, in the Extranet URL box, type the
extranet URL. This URL is the public (external) FQDN that clients will use to access
the portal site over the extranet, for example,
https://NewExtranetPortal.Perimeter.Net:8081.
5. Click OK.

Step 19: Verify that You Can Access the New Portal Site Through the Internet
A computer connected to the Internet must be able to access the portal site in the
extranet domain by using a URL containing the public (external) FQDN. For example,
https://NewExtranetPortal.Perimeter.Net:8081 is the URL containing the public FQDN.
To verify that you can access the extranet from the Internet, do the following from a
client computer that has Internet connectivity.
Verify that you can access the portal site through the Internet
1. Open a Web browser, and then in the Address bar, type the public (external) FQDN
that clients will use to access the portal site, for example,
https://NewExtranetPortal.Perimeter.Net:8081.
2. In the Connect to dialog box, type the user name and password of an account that
has access to the portal site, and then click OK. Verify that the home page of the
portal site appears.

Appendix A: Known Issues
Windows SharePoint Services
Issue
SharePoint Portal Server 2003 is built on Windows SharePoint Services technology.
Because of this, many of the known issues with exposing Windows SharePoint Services
sites over an extranet also apply to SharePoint Portal Server.

Resolution
For known issues with deploying Windows SharePoint Services over an extranet, see
“Reverse Proxy Configurations for Windows SharePoint Services and Internet Security
and Acceleration Server” at
http://go.microsoft.com/fwlink/?LinkId=38446&clcid=0x409.

Absolute URLs
Issue
In a reverse proxy configuration, the client sends HTTP or HTTPS requests to the reverse
proxy server as if the reverse proxy server were the Web server. A traditional reverse
proxy server approach allows the client and server URLs to differ. By default, ISA Server
does not include the host header received from the client when it sends the client
request to the server. By configuring host-header forwarding in ISA Server, ISA Server
then forwards the HTTP or HTTPS packets to the Web server while preserving the original
host header (sent by the client) in the packets. On the Web server, Windows SharePoint
Services—and therefore SharePoint Portal Server—uses the host header information to
generate hyperlinks on pages that will be reachable by the client. The Web server then
sends HTTP or HTTPS responses through the reverse proxy server to the client.

Note As described, proper use of ISA Server host-header forwarding ensures that
the URLs received by the portal site match the URLs sent by the client. This, in
conjunction with other guidance provided by this paper, ensures that links contained
in pages returned to the client will be reachable through the Internet. However, this
does not mean that the internal NetBIOS name or FQDN for the SharePoint Portal
Server deployment must match the external name used by the client to access the
portal site, nor does it mean that the names on SSL certificates must match end-to-
end. That is, the only requirements for SSL certificate naming are:
• The name on the certificate used by the listener on ISA Server must match the
name used by the client when a connection is attempted.
• The internal name to which ISA Server will send a client request matches the
name on the certificate installed on the Web site in IIS that hosts the portal site
being accessed.

Resolution
The ISA Server reverse proxy configurations described in this paper use an ISA Server
feature called host-header forwarding to keep the URLs received by the server the same
as those sent by the client.
For SharePoint Portal Server, do the following:

• Use ISA Server host-header forwarding.
• Do not use ISA Server path mapping or link translation.
• Use the SharePoint Portal Server alternate access setting feature.
This ensures that the URL received by the SharePoint Portal Server deployment
matches the URL used by the client, and that URLs contained in links on portal site
pages are reachable over the Internet.

SSL Termination and SSL Bridging
Issue
SSL termination that does not occur on a front-end Web server breaks SharePoint Portal
Server functionality.
In a typical SSL termination configuration, a reverse proxy server terminates the SSL
connection from the client, and then forwards the request to a Web server by using
HTTP. This configuration ends the SSL connection between the client and the Web server
at the reverse proxy server.
For example, if an HTTPS client request comes in to the proxy server, and SSL is
terminated at the proxy server and sent to the SharePoint Portal Server deployment as
HTTP, links returned in portal site pages might contain HTTP prefixes instead of HTTPS
prefixes.
However, because Windows SharePoint Services uses absolute URLs, the URL from the
client and the URL sent to the server must match, as described in the “Absolute URLs”
section earlier in this appendix. When using ISA Server, to keep the URL sent from the
client to the ISA Server computer the same as the URL sent from the ISA Server
computer to the Web server, a new SSL connection can be established between the ISA
Server computer and the Web server. In ISA Server, this feature is called SSL bridging or
SSL-to-SSL bridging.

Resolution
Each scenario in this paper that provides guidance for configuring SSL connections to
portal sites exposed over the extranet uses ISA Server SSL-to-SSL bridging. Moreover,
the scenarios contain instructions for configuring the correct setting for the portal site in
the SharePoint Portal Server alternate access settings table. This ensures that the URL
received by the SharePoint Portal Server deployment matches the URL used by the
client, and that URLs contained in links on portal pages are reachable over the Internet.

IP-Bound Virtual Servers
Issue
If you want to host multiple portal sites on multiple virtual servers, those virtual servers
cannot be bound to discrete IP addresses. This is a limitation with Windows SharePoint
Services and is therefore a limitation in SharePoint Portal Server.

Resolution
Create the virtual servers using alternate TCP and SSL ports. For example, the TCP and
SSL ports for the Default Web Site are 80 and 443, respectively. If you want to create a
portal site on a new virtual server, create that virtual server using alternate TCP and SSL
ports (for example, 8080 for TCP and 8081 for SSL). If you create a virtual server that
uses alternate TCP and SSL ports, the URL used to access the portal site must contain
the port number (for example, http://ServerName:8080 or https://ServerName:8081),
and you must use the correct setting for the portal site in the SharePoint Portal Server
alternate access settings table. This ensures that the URL received by the SharePoint
Portal Server deployment matches the URL used by the client, and that URLs contained
in links on portal site pages are reachable over the Internet.

SharePoint Portal Server Central Administration
Issue
SharePoint Portal Server Central Administration does not work through a reverse proxy
server.
The instructions in this paper are for the content virtual servers and do not apply to the
virtual server that hosts the SharePoint Portal Server Central Administration site.

Resolution
None; SharePoint Portal Server Central Administration does not work through a reverse
proxy server.

URLs in Alerts E-Mail Messages
Issue
Alerts e-mails sent by SharePoint Portal Server include the URL used when the alert was
created. If the portal site is accessible on both the corporate intranet and over the
extranet, there is no way for the system to determine where the user is when an alerts
e-mail is sent. Therefore, the user might receive an e-mail hyperlink that is not
reachable from their current location.

Resolution
None.

Requiring SSL
Issue
If you want to require SSL for SharePoint sites, and you only use the ISA Server “require
SSL” property in a Web publishing rule for that site, links in SharePoint sites might not
contain HTTPS.
In ISA Server, you need to configure the following settings:

• In ISA Server 2000, Require secure channel (SSL) for published site and
Require 128-bit encryption.
• In ISA Server 2004, Notify HTTP users to use HTTPS instead and Require 128-
bit encryption for HTTPS traffic.

Resolution
To make links in SharePoint sites include HTTPS (instead of HTTP), you must configure
the Require secure channel (SSL) setting in the IIS settings for the virtual server
(that is, Web site in IIS) hosting the site. You cannot control this setting from the proxy
server. The scenarios in this paper that require SSL give prescriptive guidance about how
to configure this in IIS. This ensures that URLs contained in links on portal pages are
reachable over the Internet.

Bypass Proxy Server Settings for SharePoint Portal Server Search
Issue
You can specify proxy server settings that are used by the search service for SharePoint
Portal Server. However, it is possible to incorrectly specify the settings, resulting in the
crawl failing.
You specify the settings in the Proxy Server Settings section on the Configure Server
Farm Account Settings page in SharePoint Portal Server Central Administration. If you
specify a proxy server for crawling external (non-intranet) content, but you do not want
to crawl through the proxy server when crawling internal (intranet) content, you can
specify a bypass proxy setting. If you specify a setting that begins with an asterisk, the
crawl will still go through the proxy server and might fail as a result. For example, if you
specify *.Perimeter.Net, the crawl will still go through the proxy server that you have
specified and might fail as a result.

Resolution
Each scenario in this paper provides guidance for correctly configuring a bypass proxy
setting.

Appendix B: Troubleshooting
Much of the information that you might need to troubleshoot issues is contained in
“Appendix A: Known Issues,” earlier in this paper.
In general, it is best to adopt a sequential approach to troubleshooting difficulties you
might encounter when publishing SharePoint Portal Server deployments behind an ISA
Server computer or any proxy server. You should ensure that the SharePoint Portal
Server deployment is operating correctly and that it can be successfully accessed from
the corporate intranet before attempting to publish it by means of a proxy server. With
respect to the scenarios addressed by this paper, this includes ensuring that:

1. You can successfully access the portal site by using Basic authentication.
2. The proper SSL certificates are installed on the SharePoint Portal Server deployment
and on the external ISA Server computer.
3. You can successfully access the portal site over SSL, using the internal FQDN URL.
4. The default URL for the portal site that you are publishing is correctly configured.
5. The proxy server settings for SharePoint Portal Server search are correctly
configured.
6. Your SharePoint Portal Server deployment is crawling portal content without errors.

If any of the above steps is not validated before you publish the portal site behind a
proxy server, there is little chance of success. Although you might actually publish the
portal site and be able to access it, if each of the above steps has not been validated in
sequence, you might have a portal site for which search does not work.
The scenarios in this paper include a sequential approach to testing all of the above
steps before the final steps of ISA Server Web publishing. If you follow this sequential
approach in your deployment, you can successfully publish your portal sites behind ISA
Server or any proxy server.

SSL Configuration Issues
There are many references to SSL configuration throughout this paper that you should
read and understand so that you can successfully configure SSL for your SharePoint
Portal Server deployment.
One particularly prevalent SSL-related error when attempting to access a SharePoint
Portal Server deployment published behind an ISA Server is a browser error page
containing the following error text:

500 Internal Server Error - The target principal name is incorrect. (-2146893022)
For information about the cause of and steps required to correct this issue, see article
328917, “You receive a ‘The target principal name is incorrect’ error message when you
connect to a Web site that was published by using ISA Server 2000 Web publishing,” in
the Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=38452&clcid=0x409.
Note that the information in this article pertains to both ISA Server 2000 and ISA
Server 2004.
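As an added pre-flight check for steps 2 and 3 of the troubleshooting list above (example code, not part of this paper), the following Python script tests whether the certificate installed on the SharePoint Portal Server virtual server actually covers the internal FQDN that ISA Server connects to when bridging SSL to SSL; the host names and sample certificates are constructed placeholders.

```python
"""Pre-flight check for checklist steps 2 and 3 (added example, not from the
paper): does the certificate on the SharePoint Portal Server virtual server
cover the internal FQDN that ISA Server uses for SSL-to-SSL bridging?
Certificates use the dict layout returned by ssl.SSLSocket.getpeercert()."""
import socket
import ssl

# Constructed sample certificates; the host names are placeholders.
INTERNAL_CERT = {  # CN equals the internal FQDN: the correct setup
    "subject": ((("commonName", "portal.corp.example.local"),),),
    "subjectAltName": (("DNS", "portal.corp.example.local"),),
}
PUBLIC_ONLY_CERT = {  # carries only the public name, not the internal FQDN
    "subject": ((("commonName", "portal.example.com"),),),
}

def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, then the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for key, v in rdn if key == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Case-insensitive match; one leading '*' stands for exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    first, _, rest = hostname.partition(".")
    return first != "" and rest == pattern[2:]

def cert_valid_for(cert, hostname):
    """True when any name in the certificate covers the host name."""
    return any(name_matches(n, hostname) for n in cert_names(cert))

def check_live(hostname, port=443):
    """Fetch the certificate the virtual server really presents and test it.
    Chain trust is still verified; only the name check is done here so that
    a mismatch can be reported together with the names involved."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    ok = cert_valid_for(cert, hostname)
    print(f"{hostname}: {cert_names(cert)} -> {'OK' if ok else 'MISMATCH'}")
    return ok
```

Run `check_live("<internal FQDN of the portal virtual server>")` from a machine on the corporate intranet before creating the Web publishing rule; a MISMATCH means step 2 or 3 needs attention before publishing.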

Authentication Issues
You might encounter an authentication problem when attempting to initially browse to a
portal site that you have published using either ISA Server 2000 or ISA Server 2004.
You might get prompted for authentication credentials repeatedly and never successfully
get to the home page of the portal site. This is usually because of an incorrectly
configured ISA Server. The scenarios in this paper include the following ISA Server
configuration instructions:

• For ISA Server 2000:
1. In the step for configuring the ISA Server 2000 computer to listen for incoming
requests, select the Ask unauthenticated users for identification check box.
2. In the step for verifying that the Web publishing rule properties are correct,
select the Allow delegation of basic authentication credentials check box.
• For ISA Server 2004:
1. In the step for creating a secure Web server publishing rule, select the Require
all users to authenticate check box when configuring the Web listener
properties.
2. In the step for verifying that the secure Web server publishing rule properties are
correct, select the Forward Basic authentication credentials (Basic
delegation) check box.

If you follow step 1 but do not follow step 2 for either version of ISA Server, ISA Server
requires users to authenticate on the domain before it sends a request to the published
portal site. However, when ISA Server then sends that request, the authentication
information provided will not be sent to the published portal site. This leads to a
situation in which no users can successfully access the published portal site. To avoid
this problem, ensure that you follow both steps. You must ensure that the listener
authenticates users and that the Web publishing rule forwards those credentials to the
published portal site.

Note Forwarding credentials only works with Basic authentication. You cannot
forward credentials for any other authentication method supported by either ISA
Server 2000 or ISA Server 2004.
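To make the interaction concrete, here is an added Python model (not ISA Server or SharePoint code; the account store, host name and request shape are constructed) of what the listener setting and the delegation setting do to a Basic-authenticated request, and why step 1 without step 2 leaves the user stuck on the credential prompt:

```python
"""Added model (not ISA Server code) of the two settings the paper pairs: the
listener authenticating users and the rule forwarding (delegating) Basic
credentials. The user store, request shape and proxy logic are constructed
stand-ins used only to show why step 1 without step 2 loops on the prompt."""
import base64

USERS = {"CONTOSO\\alice": "correct horse"}  # constructed domain accounts


def parse_basic(header):
    """Return (user, password) from a 'Basic <base64>' value, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pwd = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pwd


def valid(header):
    creds = parse_basic(header)
    return bool(creds) and USERS.get(creds[0]) == creds[1]


def portal(request):
    """Published portal site with Basic authentication enforced by IIS."""
    return 200 if valid(request.get("Authorization")) else 401


def isa_server(request, listener_authenticates, forward_basic):
    """Web listener plus Web publishing rule; returns the status the client sees."""
    if listener_authenticates and not valid(request.get("Authorization")):
        return 401  # listener challenges the client before anything is published
    forwarded = dict(request)
    if listener_authenticates and not forward_basic:
        forwarded.pop("Authorization", None)  # consumed at the proxy, not sent on
    return portal(forwarded)


def browse(listener_authenticates, forward_basic):
    """Browser behaviour: first request anonymous, then retry with credentials
    after a 401. Returns the two statuses seen."""
    token = base64.b64encode(b"CONTOSO\\alice:correct horse").decode()
    anonymous = {"Host": "portal.example.com"}
    with_creds = dict(anonymous, Authorization="Basic " + token)
    return [isa_server(anonymous, listener_authenticates, forward_basic),
            isa_server(with_creds, listener_authenticates, forward_basic)]
```

`browse(True, True)` yields 401 then 200 (both steps followed); `browse(True, False)` yields 401 then 401, the repeated prompt described above, because the portal site never sees the credentials the listener accepted.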

For information about troubleshooting ISA Server 2000 Web publishing, see “ISA Server
Feature Pack: Troubleshooting Web Publishing on ISA Server” at
http://go.microsoft.com/fwlink/?LinkId=38453&clcid=0x409.
For information about troubleshooting ISA Server 2004 Web publishing, see “Publishing
Web Servers Using ISA Server 2004” at
http://go.microsoft.com/fwlink/?linkid=37446&clcid=0x409.


