ISA Server 2006 Configuration Guide for: Publishing SharePoint/OWA via Standalone ISA Server

Document Abstract: This document provides a step-by-step guide to properly configure and publish SharePoint through ISA using LDAPS for authentication.

Author(s): Elias Hill

Janalent knowledge . wisdom . performance Copyright Janalent North America LLC, All rights reserved

Document Control & Sign-off

Document Properties

Item             Details
Document Title   ISA Server 2006 Configuration Guide for: Publishing SharePoint/OWA via Standalone ISA Server
Creation Date    12/13/08
Last Updated     07/09/09
Authors          Elias Hill
Date             12/13/08
Version number   0.0.1

Janalent– Knowledge, Wisdom, Performance Janalent North America, LLC

2

7251 W Lake Mead Blvd, Suite 300 | Las Vegas, NV 89128 Phone: +1.888.290.4870 | web: www.janalent.com | email: [email protected] Copyright 2008 – Janalent North America LLC. All rights reserved

Table of Contents

Document Control & Sign-off ........................................ 2
About the Authors .................................................. 4
Overview ........................................................... 5
    Document Scope ................................................. 5
    Assumptions .................................................... 5
    High Level Processes ........................................... 6
Procedures ......................................................... 7
    Install an Enterprise Root CA in the Authenticating Domain ..... 7
    Configure ISA for LDAPS Authentication ........................ 14
    Publish the SharePoint Sites in ISA ........................... 18
    Test Connectivity to LDAPS Server (fail) ...................... 23
    Enable Certificate Auto-Enrollment in the Domain .............. 25
    Export CA Root Certificate and Install on the ISA server ...... 27
    Test Connectivity to LDAPS Server (success) ................... 37
    Validate Site Access, SSO and File Upload Functionality ....... 39


About the Authors

Elias Hill, Manager of Solutions Architecture, Janalent North America

Eli is an Enterprise Solutions Architect and a multi-disciplined expert in messaging and collaboration system solutions and network engineering. He has over 10 years' experience in designing, deploying, and maintaining directory, messaging, and network systems in large, complex, global enterprises.


Overview

In many deployments of SharePoint or OWA, it is common to publish sites using an ISA server that might be a member of a domain. As a member of the domain, an ISA server can authenticate users without much configuration. However, in most enterprise environments, it is atypical for the perimeter network infrastructure to be built on an ISA server; more frequently, appliance firewalls (Cisco, Juniper, Check Point, etc.) are deployed. In these scenarios, the ISA server would likely be deployed as a reverse proxy for published client access for Microsoft applications, including Exchange, SharePoint, and Office Communication Server. In this context, the reverse proxy is often located in a DMZ, where traffic is tightly managed. Opening all the ports a domain member needs across that firewall would likely violate the security policy, and it is also unsupported and impractical. A more desirable solution has the ISA server authenticating users via LDAPS (secure LDAP, tcp/636), which is characterized by two operational parameters:

1. The client and server establish TLS before any LDAP messages are transferred.
2. Once TLS closes, the LDAPS connection must be closed.

Furthermore, by leveraging HTTPS for client access applications and LDAPS to a designated domain controller, users can change passwords and be informed of password expiration. In this way, one can approach enterprise clients with a solution that not only achieves the advertised features of Microsoft client access applications, but also satisfies security policies (i.e. two (2) standards-based, encrypted ports: tcp/443 and tcp/636). Note: Although outside the scope of this document, two-factor authentication mechanisms are also supported in this context.

Document Scope

This document provides a step-by-step guide to demonstrate and explain how to publish SharePoint sites, using LDAPS as the authentication mechanism for domain users. A few sections deliberately deviate from a "perfect" installation to provide the reader with troubleshooting procedures. The content of this document is generic and may not fit every scenario.


Assumptions

- Domain controllers are running Windows Server 2008.
- A wildcard certificate has been procured (e.g. *.genericcompany.com).
- The public-facing DNS zone file has been updated with host entries for all published sites.
- SharePoint is running on MOSS 2007; in this scenario, there are five (5) sites with distinct host headers ending with the same domain suffix. Each site has been properly configured for SSL, including AAM (Alternate Access Mapping). Note: SharePoint configuration is outside the scope of this document.
- The firewall, running ISA Server 2006, is not a member of the eApps domain; instead, it is a member of the Janalent production domain.
- All client-server/server-server interactions must be encrypted.
- SSO (single sign-on) and FBA (forms-based authentication) must be enabled. Note: SharePoint configuration is outside the scope of this document.
- Users must be able to change passwords through the published web interface.


High Level Processes

The following procedures will be described:

1. Install an Enterprise Root CA in the Authenticating Domain
2. Configure ISA for LDAPS Authentication
3. Publish the SharePoint Sites in ISA
4. Test Connectivity to LDAPS Server (fail)
5. Enable Certificate Auto-Enrollment in the Domain (optional); just be sure that the CA has issued a certificate to the domain controller used for LDAPS inquiries by the ISA server
6. Export CA Root Certificate and Install on the ISA server
7. Test Connectivity to LDAPS Server (success)
8. Validate Site Access, SSO and File Upload Functionality

Figure 1 Considered network topology for ISA using LDAPS for authentication. [Diagram: Internet Client -> ISA Server over HTTPS (tcp/443); ISA Server -> MOSS or SharePoint over HTTPS (tcp/443); ISA Server -> Domain Controller over LDAPS (tcp/636).]

Procedures

Install an Enterprise Root CA in the Authenticating Domain

On the designated domain controller (used for LDAPS), launch computer management and add a new role. Check Active Directory Certificate Services.


Click Next

Select Certification Authority and click Next


Select Enterprise and click Next


Select Root CA and click Next


Select Create a new private key and click Next

Accept the default cryptographic settings (RSA#Microsoft Software Key Storage Provider, sha1, 2048) and click Next


The default common name is acceptable, but note that the name cannot be altered in the future without rebuilding the entire certificate chain. Click Next.


Set the validity period to an acceptable value (in this case, 10 years) and click Next


Select the locations for the certificate database and log files (here, defaults) and click Next

Review the configuration, noting the warning about changing the name of the server, and click Install


Note the successful installation and click Close


Configure ISA for LDAPS Authentication

On the ISA server, populate the HOSTS file with an entry for the LDAPS provider under its FQDN. Later on, the certificate auto-enrollment process on the enterprise CA will issue a certificate to the domain controller (in this case, to itself) using the FQDN, so using any other name for LDAPS authentication will result in an error.

In the ISA 2006 console, navigate to Configuration > General and select Specify RADIUS and LDAP Servers


Select the LDAP Servers tab and click Add…


Provide the FQDN of the domain controller that will respond to LDAPS. Server description is optional. The default timeout is 5 seconds. Click OK.


Provide the correct domain name for the authenticating domain, check Connect LDAP servers over secure connection, provide a credential to access the directory (domain user is sufficient), and click OK

Provide login expressions to direct the authentication query to the correct provider and click OK. In this case: EAPPS\* (NetBIOS) and *@eapps.local (UPN).


Click Apply, wait for the changes to commit and click OK


Publish the SharePoint Sites in ISA

Launch the ISA 2006 console and create a new Web Listener with a descriptive name, then click the Listener tab.


On the Authentication tab, select HTML Form Authentication, select LDAP (Active Directory), click Advanced…


Check Require all users to authenticate and click OK


On the Forms tab, check Allow users to change their passwords

On the SSO tab, check Enable Single Sign On, click Add... and provide the appropriate URL suffix, noting the extra prepended period: .genericdomain.com

Click OK


On the Authentication Delegation tab, select NTLM authentication


Click OK


Click Apply, wait for the changes to commit and click OK


Test Connectivity to LDAPS Server (fail)

To use LDAPS, a server certificate must be installed on the LDAP server and the root certificate from the issuing CA needs to be installed on the ISA Server computer. This section demonstrates what happens in the absence of the proper certificates. LDAPS functionality can be validated using LDP.


Select Connection > Connect…


Provide the FQDN of the designated domain controller, specify the LDAPS port (636), and check SSL.

Note that the LDAPS connection fails with a vague error.


Enable Certificate Auto-Enrollment in the Domain

To satisfy the appropriate requirements for LDAPS, a server certificate must be issued to the domain controller. Later, the issuing CA root certificate will be installed on the ISA server as a trusted root authority.


In the domain, configure a GPO that automatically enrolls each domain controller with a certificate. Launch Group Policy Management Editor and edit the Default Domain Controllers Policy. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – AutoEnrollment


Select Enable from the Configuration Model drop-down and check “Renew expired certificates, update pending certificates, and remove revoked certificates”. Click OK.

Immediately apply the GPO to the domain controller by running gpupdate from the command line.


Export CA Root Certificate and Install on the ISA server

On the enterprise root certificate authority, run MMC.

Select Add/Remove Snap-in…


Select Certificates and click Add >


Select Computer account and click Next

Select Local computer: (the computer this console is running on) and click Finish


Navigate to Personal > Certificates and be sure to select the root certificate, indicated by the Certificate Template (Root Certification Authority). Right-click > All Tasks > Export…


Click Next


Select No, do not export the private key. Exporting the private key would unnecessarily compromise the security of the certificate.

Leave the default encoding and click Next


Provide a filename and click Save


Click Next


Note the settings and click Finish

Click OK

Copy the exported certificate file to the ISA server. Launch MMC, add the Certificates snap-in for the local computer, and, under Trusted Root Certification Authorities, right-click > All Tasks > Import…


Click Next

Browse and locate the certificate file and click Next


Select Place all certificates in the following store, ensure that Trusted Root Certification Authorities is displayed, and click Next


Note the settings and click Next

Click OK


Note that the root certificate is now listed under Trusted Root Certification Authorities


Test Connectivity to LDAPS Server (success)

LDAPS functionality can be validated using LDP.

Select Connection > Connect…


Provide the FQDN of the designated domain controller, specify the LDAPS port (636), and check SSL.


Note that the output indicates a successful connection; all error codes are zero.
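The same check the LDP test performs (TLS on tcp/636 before any LDAP message, trust chain validated against the exported root, then a bind whose result code must be zero), as an added Python example that is not part of the original guide. It hand-encodes the LDAP v3 bind request and response so the result code is read directly; the DC name and CA file path are placeholders the caller supplies, and the bind responses used for testing are constructed samples.

```python
from __future__ import annotations
import socket
import ssl


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV: tag, length, payload."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def build_bind_request(message_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    Empty dn and password is an anonymous bind: enough to prove TLS, the trust
    chain and the LDAP listener on tcp/636 all work. message_id must be 1..127."""
    version = ber(0x02, b"\x03")                    # INTEGER 3 (LDAP v3)
    name = ber(0x04, dn.encode())                   # LDAPDN as OCTET STRING
    simple = ber(0x80, password.encode())           # [0] simple authentication
    bind = ber(0x60, version + name + simple)       # [APPLICATION 0] BindRequest
    return ber(0x30, ber(0x02, bytes([message_id])) + bind)


def build_bind_response(message_id: int, code: int, diag: str = "") -> bytes:
    """Constructed BindResponse; used only to make offline samples for testing."""
    body = ber(0x0A, bytes([code])) + ber(0x04, b"") + ber(0x04, diag.encode())
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x61, body))


def _tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """(tag, value_start, value_end) of the TLV that begins at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        nbytes, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - nbytes:pos], "big")
    return tag, pos, pos + length


def parse_bind_response(buf: bytes) -> tuple[int, str]:
    """(resultCode, diagnosticMessage) of a BindResponse; 0 is LDP's success case."""
    tag, pos, _ = _tlv(buf, 0)                      # LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(buf, pos)                      # skip messageID
    tag, pos, _ = _tlv(buf, pos)                    # protocolOp
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got 0x{tag:02x}")
    tag, start, end = _tlv(buf, pos)                # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    code = int.from_bytes(buf[start:end], "big")
    _, _, end = _tlv(buf, end)                      # skip matchedDN
    _, start, end = _tlv(buf, end)                  # diagnosticMessage
    return code, buf[start:end].decode(errors="replace")


def trust_exported_root(path: str) -> ssl.SSLContext:
    """The export wizard's default encoding is DER, which cadata takes as bytes;
    a Base-64 export is PEM text. Hostname verification stays on by default."""
    data = open(path, "rb").read()
    cadata = data.decode("ascii") if data.startswith(b"-----BEGIN") else data
    return ssl.create_default_context(cadata=cadata)


def check_ldaps(fqdn: str, cafile: str, port: int = 636, timeout: float = 5.0):
    """TLS first, then exactly one LDAP message, then close both together.
    The DC certificate must chain to the exported root and carry the FQDN the
    HOSTS entry uses; otherwise wrap_socket raises ssl.SSLError (the 'fail' case)."""
    ctx = trust_exported_root(cafile)
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            tls.sendall(build_bind_request(1))
            return parse_bind_response(tls.recv(4096))
```

Call it as `check_ldaps("dc01.eapps.local", "eapps-root.cer")` (placeholder names) from the ISA server; a return of `(0, "")` matches the "all error codes are zero" output of LDP, while an `ssl.SSLError` before any LDAP traffic reproduces the failing test above.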


Validate Site Access, SSO and File Upload Functionality


Launch IE on an external computer, browse to a published website and provide an appropriate credential. Note the FBA interface.


Browse to Shared Documents


Upload individual and multiple documents.


To test SSO functionality, manually type another site within the same domain suffix and MOSS instance (i.e. https://extranet.genericdomain.com/default.aspx)
