
ISA Server 2006 Configuration Guide for:

Publishing SharePoint/OWA via Standalone ISA Server

Document Abstract:
This document provides a step-by-step guide to properly configuring SharePoint publishing through ISA using
LDAPS for authentication.

Author(s):
Elias Hill

Janalent
knowledge . wisdom . performance
Copyright Janalent North America LLC, All rights reserved
Document Control & Sign-off

Document Properties

Item            Details
Document Title  ISA Server 2006 Configuration Guide for: Publishing SharePoint/OWA via Standalone ISA Server
Creation Date   12/13/08
Last Updated    07/09/09
Authors         Elias Hill
Date            12/13/08
Version number  0.0.1

Janalent – Knowledge, Wisdom, Performance
Janalent North America, LLC
7251 W Lake Mead Blvd, Suite 300 | Las Vegas, NV 89128
Phone: +1.888.290.4870 | web: www.janalent.com | email: info@janalent.com
Copyright 2008 – Janalent North America LLC. All rights reserved
Table of Contents

Document Control & Sign-off  2
About the Authors  4
Overview  5
  Document Scope  5
  Assumptions  5
  High Level Processes  6
Procedures  7
  Install an Enterprise Root CA in the Authenticating Domain  7
  Configure ISA for LDAPS Authentication  14
  Publish the SharePoint Sites in ISA  18
  Test Connectivity to LDAPS Server (fail)  23
  Enable Certificate Auto-Enrollment in the Domain  25
  Export CA Root Certificate and Install on the ISA server  27
  Test Connectivity to LDAPS Server (success)  37
  Validate Site Access, SSO and File Upload Functionality  39
About the Authors

Elias Hill, Manager of Solutions Architecture, Janalent North America

Eli is an Enterprise Solutions Architect and a multi-disciplined expert in messaging and collaboration system
solutions and network engineering. He has over 10 years' experience designing, deploying, and maintaining
directory, messaging, and network systems in large, complex, global enterprises.


Overview
In many deployments of SharePoint or OWA, it is common to publish sites using an ISA server that may be a
member of a domain. As a domain member, an ISA server can authenticate users with little configuration.
However, in most enterprise environments it is atypical for the perimeter network infrastructure to be built
on an ISA server; more frequently, appliance firewalls (Cisco, Juniper, Checkpoint, etc.) are deployed. In these
scenarios, the ISA server would likely be deployed as a reverse proxy for published client access to Microsoft
applications, including Exchange, SharePoint, and Office Communication Server. In this context, the reverse
proxy is often located in a DMZ, where traffic is tightly managed. Opening all the ports a domain member needs
across the firewall would not only likely violate the security policy, but is also unsupported and impractical.
A more desirable solution has the ISA server authenticating users via LDAPS (secure LDAP, tcp/636), which is
characterized by two operational parameters:

1. The client and server establish TLS before any LDAP messages are transferred
2. Once TLS closes, the LDAPS connection must be closed

Furthermore, by using HTTPS for the client access applications and LDAPS to a designated domain controller,
users can change passwords and be informed of password expiration. In this way, one can approach enterprise
clients with a solution that not only delivers the advertised features of Microsoft client access applications,
but also satisfies security policies (i.e. two (2) standards-based, encrypted ports: tcp/443 and tcp/636). Note:
Although outside the scope of this document, two-factor authentication mechanisms are also supported in this
context.

Document Scope
This document provides a step-by-step guide that demonstrates and explains how to publish SharePoint sites using
LDAPS as the authentication mechanism for domain users. A few sections deliberately deviate from a "perfect"
installation to provide the reader with troubleshooting procedures. The content of this document is generic and
may not fit every scenario.

Assumptions
- Domain controllers are running Windows Server 2008.
- A wildcard certificate has been procured (e.g. *.genericcompany.com).
- The public-facing DNS zone file has been updated with host entries for all published sites.
- SharePoint is running on MOSS 2007; in this scenario, there are five (5) sites with distinct host headers
  ending with the same domain suffix. Each site has been properly configured for SSL, including AAM
  (Alternate Access Mapping). Note: SharePoint configuration is outside the scope of this document.
- The firewall, running ISA Server 2006, is not a member of the eApps domain; instead, it is a member of the
  Janalent production domain.
- All client-server/server-server interactions must be encrypted.
- SSO (single sign-on) and FBA (forms-based authentication) must be enabled. Note: SharePoint
  configuration is outside the scope of this document.
- Users must be able to change passwords through the published web interface.

High Level Processes
The following procedures will be described:

1. Install an Enterprise Root CA in the Authenticating Domain
2. Configure ISA for LDAPS Authentication
3. Publish the SharePoint Sites in ISA
4. Test Connectivity to LDAPS Server (fail)
5. Enable Certificate Auto-Enrollment in the Domain (optional); just be sure that the CA has issued a
   certificate to the domain controller the ISA server uses for LDAPS queries
6. Export CA Root Certificate and Install on the ISA server
7. Test Connectivity to LDAPS Server (success)
8. Validate Site Access, SSO and File Upload Functionality

[Figure 1: Internet Client -> HTTPS (tcp/443) -> ISA Server; ISA Server -> HTTPS (tcp/443) -> MOSS or
SharePoint; ISA Server -> LDAPS (tcp/636) -> Domain Controller]

Figure 1 Considered network topology for ISA using LDAPS for authentication

Procedures
Install an Enterprise Root CA in the Authenticating Domain
On the designated domain controller (used for LDAPS), launch computer management and add a new role. Check
Active Directory Certificate Services.
Click Next

Select Certification Authority and click Next

Select Enterprise and click Next

Select Root CA and click Next


Select Create a new private key and click Next

Accept the default cryptographic settings (RSA#Microsoft Software Key Storage Provider, sha1, 2048) and click Next

The default common name is acceptable, but note that the name cannot be altered in the future without
rebuilding the entire certificate chain. Click Next.

Set the validity period to an acceptable value (in this case, 10 years) and click Next
Select the locations for the certificate database and log files (here, defaults) and click Next

Review the configuration, noting the warning about changing the name of the server, and click Install

Note the successful installation and click Close
Configure ISA for LDAPS Authentication
On the ISA server, add an entry to the HOSTS file referencing the LDAPS provider by its FQDN. Later, the certificate
auto-enrollment process on the enterprise CA will issue a certificate to the domain controller (in this case, to
itself) using that FQDN, so using any other name for LDAPS authentication will result in an error.

In the ISA 2006 console, navigate to Configuration > General and select Specify RADIUS and LDAP Servers

Select the LDAP Servers tab and click Add…

Provide the FQDN of the domain controller that will respond to LDAPS. Server description is optional. The default
timeout is 5 seconds. Click OK.
Provide the correct domain name for the authenticating domain, check Connect LDAP servers over secure
connection, provide a credential to access the directory (domain user is sufficient), and click OK

Provide login expressions to direct authentication queries to the correct provider and click OK

In this case, EAPPS\* (NetBIOS) and *@eapps.local (UPN)

Click Apply, wait for the changes to commit and click OK
Publish the SharePoint Sites in ISA
Launch the ISA 2006 console and create a new Web Listener, provide a descriptive name, and click the Listener tab

Create a new listener with a descriptive name.

On the Authentication tab, select HTML Form Authentication, select LDAP (Active Directory), click Advanced…

Check Require all users to authenticate and click OK


On the Forms tab, check Allow users to change their passwords

On the SSO tab, check Enable Single Sign On, click Add... and provide the appropriate URL suffix. Note the extra
prepended period.

.genericdomain.com

Click OK

On the Authentication Delegation tab, select NTLM authentication

Click OK
Click Apply, wait for the changes to commit and click OK

Test Connectivity to LDAPS Server (fail)
To use LDAPS, a server certificate must be installed on the LDAP server and the root certificate from the issuing CA
needs to be installed on the ISA Server computer. This section demonstrates what happens in the absence of the
proper certificates.

LDAPS functionality can be validated using LDP.

Select Connection > Connect…


Provide the FQDN of the designated domain controller, specify the LDAPS port (636), and check SSL.

Note that the LDAPS connection fails with a vague error.

Enable Certificate Auto-Enrollment in the Domain
To satisfy the appropriate requirements for LDAPS, a server certificate must be issued to the domain controller.
Later, the issuing CA root certificate will be installed on the ISA server as a trusted root authority.

In the domain, configure a GPO that automatically enrolls each domain controller with a certificate. Launch Group
Policy Management Editor and edit the Default Domain Controllers Policy. Navigate to Computer Configuration >
Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment

Select Enable from the Configuration Model drop-down and check “Renew expired certificates, update pending
certificates, and remove revoked certificates”. Click OK.

Immediately apply the GPO to the domain controller by running gpupdate from the command line.
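The check below is an added example and not part of the Janalent guide: run on the domain controller after gpupdate, it triggers auto-enrollment and then confirms that a certificate exists which Schannel can actually use for LDAPS (Server Authentication EKU, a private key, a name matching the FQDN the ISA server will use, and not expired). It assumes the DC's own FQDN is the name placed in the ISA HOSTS file.

```powershell
# Added example, not from the original guide. Run on the domain controller.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null    # start auto-enrollment now rather than waiting for the next cycle

function Get-LdapsCandidateCertificate {
    param([Parameter(Mandatory = $true)][string]$DcFqdn)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'    # id-kp-serverAuth; without it the DC will not offer TLS on 636
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName

    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $eku  = $cert.Extensions | Where-Object { $_ -is $ekuType }
        $oids = $eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
        $hasServerAuth = $oids -contains $serverAuthOid
        # GetNameInfo prefers the SAN dNSName and falls back to the subject CN
        $name = $cert.GetNameInfo($dnsType, $false)
        $cert.HasPrivateKey -and $hasServerAuth -and ($name -eq $DcFqdn) -and ($cert.NotAfter -gt (Get-Date))
    }
}

# The FQDN this DC resolves to; it must equal the name in the ISA server's HOSTS file
$fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$candidates = @(Get-LdapsCandidateCertificate -DcFqdn $fqdn)
if ($candidates.Count -eq 0) {
    Write-Warning "No LDAPS-capable certificate for $fqdn in LocalMachine\My; check that the template grants Autoenroll to Domain Controllers"
} else {
    $candidates | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
}
```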

Export CA Root Certificate and Install on the ISA server
On the enterprise root certificate authority, run MMC.

Select Add/Remove Snap-in…

Select Certificates and click Add >


Select Computer account and click Next

Select Local computer: (the computer this console is running on) and click Finish

Navigate to Personal > Certificates and be sure to select the root certificate, indicated by the Certificate Template
(Root Certification Authority). Right-click > All Tasks > Export…

Click Next
Select No, do not export the private key. Exporting the private key would unnecessarily compromise the security
of the certificate.

Leave the default encoding and click Next

Provide a filename and click Save

Click Next
Note the settings and click Finish

Click OK

Copy the exported certificate file to the ISA server. Launch MMC, add the Certificates snap-in for the local
computer, and, under Trusted Root Certification Authorities, right-click > All Tasks > Import…

Click Next

Browse and locate the certificate file and click Next

Select Place all certificates in the following store, ensure that Trusted Root Certification Authorities is displayed,
and click Next

Note the settings and click Next



Click OK

Note that the root certificate is now listed under Trusted Root Certification Authorities
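The same export and import done with certutil instead of the MMC wizards, as an added example that is not part of the Janalent guide. It adds a check the wizard does not make: that the file being trusted on the ISA server is the CA's self-signed root (subject equals issuer) and that its thumbprint is present in the machine Root store afterwards. File paths are placeholders.

```powershell
# Added example, not from the original guide.

# --- On the enterprise root CA ---
# -ca.cert writes only the CA certificate; the private key never leaves the CA.
certutil -ca.cert C:\Temp\eapps-root.cer

# --- On the ISA server, after copying the file across ---
function Install-TrustedRoot {
    param([Parameter(Mandatory = $true)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Refusing to trust $($cert.Subject): not self-signed, so not the root (issuer is $($cert.Issuer))"
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Root certificate expired on $($cert.NotAfter)" }
    # LocalMachine\Root is the store ISA, running as a service, consults for chain building
    certutil -f -addstore Root $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }
    $installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $installed) { throw "Thumbprint $($cert.Thumbprint) is not in LocalMachine\Root after import" }
    $installed | Select-Object Subject, NotAfter, Thumbprint
}

Install-TrustedRoot -Path C:\Temp\eapps-root.cer
```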

Test Connectivity to LDAPS Server (success)
LDAPS functionality can be validated using LDP.

Select Connection > Connect…

Provide the FQDN of the designated domain controller, specify the LDAPS port (636), and check SSL.
Note that the output indicates a successful connection; all error codes are zero.
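The two LDP tests (the failing one before the root import and the successful one here) reproduced from the ISA server in script form, as an added example that is not part of the Janalent guide. Unlike LDP's vague error, it reports why a connection fails: the chain status (UntrustedRoot until the CA root is trusted) or a mismatch between the HOSTS-file FQDN and the name in the DC's certificate. The server and account names are placeholders, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the original guide. Run on the ISA server, where the trust decision is made.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapsCertificateStatus {
    param([Parameter(Mandatory = $true)][string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept any certificate for the handshake so it can be inspected; the trust
    # decision is then made explicitly against the machine store, as Schannel would.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)    # TLS first; no LDAP message has been sent yet
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } catch {
        # A DC without a Server Authentication certificate never completes the handshake
        return "TLS handshake with ${Server}:${Port} failed: $($_.Exception.Message)"
    } finally {
        $ssl.Close(); $client.Close()
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $status = 'OK'
    if (-not $trusted) { $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    New-Object PSObject -Property @{
        Server      = $Server
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        ChainStatus = $status                   # UntrustedRoot before the root import, OK after it
        NameMatches = ($dnsName -eq $Server)    # must be true for the HOSTS-file FQDN ISA uses
    }
}

function Test-LdapsBind {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential,
        [int]$Port = 636
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true    # LDAPS on 636, not StartTLS on 389
    $conn.SessionOptions.ProtocolVersion  = 3
    # Simple bind over TLS with a UPN, like the directory account ISA is given for the LDAP server set
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($Credential.UserName, $Credential.GetNetworkCredential().Password)
    try {
        $conn.Bind()
        $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # An untrusted DC certificate typically surfaces here only as "The LDAP server is unavailable."
        Write-Warning ("Bind failed: {0} (error {1})" -f $_.Exception.Message, $_.Exception.ErrorCode)
        $false
    } finally {
        $conn.Dispose()
    }
}

# Usage with placeholder names
Get-LdapsCertificateStatus -Server 'dc01.eapps.local' | Format-List
Test-LdapsBind -Server 'dc01.eapps.local' -Credential (Get-Credential 'svc-isa-ldap@eapps.local')
```

Run the first function before and after the root import to see ChainStatus change from UntrustedRoot to OK; the second reports the same result ISA's LDAP server set will get.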

Validate Site Access, SSO and File Upload Functionality
Launch IE on an external computer, browse to a published website and provide an appropriate credential. Note the
FBA interface.
Browse to Shared Documents

Upload individual and multiple documents.
To test SSO functionality, manually type the URL of another site within the same domain suffix and MOSS instance
(e.g. https://extranet.genericdomain.com/default.aspx); no second login prompt should appear.
