ISA Server 2006 Configuration Guide for: Publishing SharePoint/OWA via Standalone ISA Server
Document Abstract: This document provides a step-by-step guide to properly configure ISA Server to publish SharePoint, using LDAPS for authentication.
Author(s): Elias Hill
Janalent knowledge . wisdom . performance Copyright Janalent North America LLC, All rights reserved
Document Control & Sign-off

Document Properties
Item             Details
Document Title   ISA Server 2006 Configuration Guide for: Publishing SharePoint/OWA via Standalone ISA Server
Creation Date    12/13/08
Last Updated     07/09/09
Authors          Elias Hill
Date             12/13/08
Version number   0.0.1
Janalent– Knowledge, Wisdom, Performance Janalent North America, LLC
2
7251 W Lake Mead Blvd, Suite 300 | Las Vegas, NV 89128 Phone: +1.888.290.4870 | web: www.janalent.com | email:
[email protected] Copyright 2008 – Janalent North America LLC. All rights reserved
Table of Contents
Document Control & Sign-off ..... 2
About the Authors ..... 4
Overview ..... 5
Document Scope ..... 5
Assumptions ..... 5
High Level Processes ..... 6
Procedures ..... 7
Install an Enterprise Root CA in the Authenticating Domain ..... 7
Configure ISA for LDAPS Authentication ..... 14
Publish the SharePoint Sites in ISA ..... 18
Test Connectivity to LDAPS Server (fail) ..... 23
Enable Certificate Auto-Enrollment in the Domain ..... 25
Export CA Root Certificate and Install on the ISA server ..... 27
Test Connectivity to LDAPS Server (success) ..... 37
Validate Site Access, SSO and File Upload Functionality ..... 39
About the Authors

Elias Hill, Manager of Solutions Architecture, Janalent North America
Eli is an Enterprise Solutions Architect and a multi-disciplined expert in messaging and collaboration system solutions and network engineering. He has over 10 years' experience in designing, deploying, and maintaining directory, messaging, and network systems in large, complex, global enterprises.
Overview

In many deployments of SharePoint or OWA, it is common to publish sites using an ISA server that is a member of a domain. As a domain member, an ISA server can authenticate users without much configuration. However, in most enterprise environments it is atypical for the perimeter network infrastructure to be built on an ISA server; more frequently, appliance firewalls (Cisco, Juniper, Checkpoint, etc.) are deployed. In these scenarios, the ISA server would likely be deployed as a reverse proxy for published client access to Microsoft applications, including Exchange, SharePoint, and Office Communications Server. In this context, the reverse proxy is often located in a DMZ, where traffic is tightly managed. Opening all the ports needed to support a domain member across the firewall would not only likely violate the security policy, but is also unsupported and impractical. A more desirable solution has the ISA server authenticating users via LDAPS (secure LDAP, tcp/636), which is characterized by two operational parameters:
1. The client and server establish TLS before any LDAP messages are transferred.
2. Once TLS closes, the LDAPS connection must be closed.
Furthermore, by leveraging HTTPS to client access applications and LDAPS to a designated domain controller, users can change passwords and be informed of password expiration. In this way, one can approach enterprise clients with a solution that not only achieves advertised features of Microsoft client access applications, but also satisfies security policies (i.e. two (2) standards-based, encrypted ports: tcp/443 and tcp/636). Note: Although outside the scope of this document, two-factor authentication mechanisms are also supported in this context.
Document Scope

This document provides a step-by-step guide to demonstrate and explain how to publish SharePoint sites, using LDAPS as the authentication mechanism for domain users. A few sections deliberately deviate from a "perfect" installation to provide the reader with troubleshooting procedures. The content of this document is generic and may not fit every scenario.
Assumptions

- Domain controllers are running Windows Server 2008.
- A wildcard certificate has been procured (e.g. *.genericcompany.com).
- The public-facing DNS zone file has been updated with host entries for all published sites.
- SharePoint is running on MOSS 2007; in this scenario, there are five (5) sites with distinct host headers ending with the same domain suffix.
- Each site has been properly configured for SSL, including AAM (Alternate Access Mapping). Note: SharePoint configuration is outside the scope of this document.
- The firewall, running ISA Server 2006, is not a member of the eApps domain; instead, it is a member of the Janalent production domain.
- All client-server/server-server interactions must be encrypted.
- SSO (single sign-on) and FBA (forms-based authentication) must be enabled. Note: SharePoint configuration is outside the scope of this document.
- Users must be able to change passwords through the published web interface.
High Level Processes

The following procedures will be described:
1. Install an Enterprise Root CA in the Authenticating Domain
2. Configure ISA for LDAPS Authentication
3. Publish the SharePoint Sites in ISA
4. Test Connectivity to LDAPS Server (fail)
5. Enable Certificate Auto-Enrollment in the Domain (optional); just be sure that the CA has issued a certificate to the domain controller used for LDAPS inquiries by the ISA server
6. Export CA Root Certificate and Install on the ISA server
7. Test Connectivity to LDAPS Server (success)
8. Validate Site Access, SSO and File Upload Functionality
[Figure 1: Considered network topology for ISA using LDAPS for authentication. Internet Client to ISA Server: HTTPS (tcp/443); ISA Server to MOSS or SharePoint: HTTPS (tcp/443); ISA Server to Domain Controller: LDAPS (tcp/636).]
Procedures

Install an Enterprise Root CA in the Authenticating Domain
On the designated domain controller (used for LDAPS), launch computer management and add a new role. Check Active Directory Certificate Services.
Click Next
Select Certification Authority and click Next
Select Enterprise and click Next
Select Root CA and click Next
Select Create a new private key and click Next
Accept the default cryptographic settings (RSA#Microsoft Software Key Storage Provider, sha1, 2048) and click Next
The default common name is acceptable, but note that the name cannot be altered in the future without rebuilding the entire certificate chain. Click Next.
Set the validity period to an acceptable value (in this case, 10 years) and click Next
Select the locations for the certificate database and log files (here, defaults) and click Next
Review the configuration, noting the warning about changing the name of the server, and click Install
Note the successful installation and click Close
Configure ISA for LDAPS Authentication

On the ISA server, populate the HOSTS file with an entry for the LDAPS provider under its FQDN. Later on, the certificate auto-enrollment process on the enterprise CA will issue a certificate to the domain controller (in this case, to itself) for that FQDN, so using any other name in the LDAPS authentication configuration will result in an error.
In the ISA 2006 console, navigate to Configuration > General and select Specify RADIUS and LDAP Servers
Select the LDAP Servers tab and click Add…
Provide the FQDN of the domain controller that will respond to LDAPS. Server description is optional. The default timeout is 5 seconds. Click OK.
Provide the correct domain name for the authenticating domain, check Connect LDAP servers over secure connection, provide a credential to access the directory (domain user is sufficient), and click OK
Provide login expressions to direct the authentication query to the correct provider and click OK. In this case: EAPPS\* (NetBIOS) and *@eapps.local (UPN).
Click Apply, wait for the changes to commit and click OK
Publish the SharePoint Sites in ISA

Launch the ISA 2006 console and create a new Web Listener, provide a descriptive name, and click the Listener tab
Create a new listener with a descriptive name.
On the Authentication tab, select HTML Form Authentication, select LDAP (Active Directory), and click Advanced…
Check Require all users to authenticate and click OK
On the Forms tab, check Allow users to change their passwords
On the SSO tab, check Enable Single Sign On, click Add... and provide the appropriate URL suffix. Note the leading period: .genericdomain.com
Click OK
On the Authentication Delegation tab, select NTLM authentication
Click OK
Click Apply, wait for the changes to commit and click OK
Test Connectivity to LDAPS Server (fail)

To use LDAPS, a server certificate must be installed on the LDAP server and the root certificate from the issuing CA needs to be installed on the ISA Server computer. This section demonstrates what happens in the absence of the proper certificates. LDAPS functionality can be validated using LDP.
Select Connection > Connect…
Provide the FQDN of the designated domain controller, specify the LDAPS port (636), and check SSL.
Note that the LDAPS connection fails with a vague error.
Enable Certificate Auto-Enrollment in the Domain

To satisfy the appropriate requirements for LDAPS, a server certificate must be issued to the domain controller. Later, the issuing CA root certificate will be installed on the ISA server as a trusted root authority.
In the domain, configure a GPO that automatically enrolls each domain controller with a certificate. Launch Group Policy Management Editor and edit the Default Domain Controllers Policy. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – AutoEnrollment
Select Enable from the Configuration Model drop-down and check “Renew expired certificates, update pending certificates, and remove revoked certificates”. Click OK.
Immediately apply the GPO to the domain controller by running gpupdate from the command line.
Export CA Root Certificate and Install on the ISA server

On the enterprise root certificate authority, run MMC.
Select Add/Remove Snap-in…
Select Certificates and click Add >
Select Computer account and click Next
Select Local computer: (the computer this console is running on) and click Finish
Navigate to Personal > Certificates and be sure to select the root certificate, indicated by the Certificate Template (Root Certification Authority). Right-click and select All Tasks > Export…
Click Next
Select No, do not export the private key. Exporting the private key would unnecessarily compromise the security of the certificate.
Leave the default encoding and click Next
Provide a filename and click Save
Click Next
Note the settings and click Finish
Click OK
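As an added example (not part of the original guide), the following PowerShell script, run on the domain controller that answers LDAPS, checks that auto-enrollment has issued it a Server Authentication certificate for its FQDN and then exports the issuing root CA certificate without the private key, which is the outcome of the auto-enrollment and export steps above. The output path is an assumed placeholder.

```powershell
# Added example (not from the original guide). Run on the domain controller that
# answers LDAPS. Step 1 confirms that auto-enrollment issued the DC a usable
# Server Authentication certificate for its FQDN; step 2 exports the issuing
# root CA certificate (public part only, DER-encoded .cer) for the ISA server.
# $OutFile is a placeholder path.
param(
    [string]$OutFile = "C:\Temp\EnterpriseRootCA.cer"
)

$ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$dcFqdn = "$($ip.HostName).$($ip.DomainName)"     # the name the ISA server must use
$serverAuthOid = "1.3.6.1.5.5.7.3.1"               # id-kp-serverAuth, required for LDAPS

# True when the certificate names this DC (subject DNS name or a SAN DNS entry).
function Test-DcCertName($cert) {
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn -ieq $dcFqdn) { return $true }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    return ($san -ne $null) -and ($san.Format($false) -match ("(?i)DNS Name=" + [regex]::Escape($dcFqdn) + "(,|$)"))
}

# Step 1: look for a machine certificate with a private key, the Server
# Authentication EKU, the DC's FQDN and remaining validity.
$my = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$my.Open("ReadOnly")
$candidates = @()
foreach ($cert in $my.Certificates) {
    if (-not $cert.HasPrivateKey -or $cert.NotAfter -le (Get-Date)) { continue }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if ($eku -eq $null) { continue }
    $serverAuth = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    if ($serverAuth.Count -gt 0 -and (Test-DcCertName $cert)) { $candidates += $cert }
}
$my.Close()

if ($candidates.Count -eq 0) {
    Write-Host "No valid Server Authentication certificate for $dcFqdn in LocalMachine\My."
    Write-Host "Auto-enrollment has not applied yet: run 'gpupdate /force', then re-check."
    exit 1
}
foreach ($cert in $candidates) {
    Write-Host "LDAPS-capable certificate: $($cert.Subject)"
    Write-Host "  Issuer  : $($cert.Issuer)"
    Write-Host "  Expires : $($cert.NotAfter)"
}

# Step 2: walk the chain of the DC certificate up to its root and export only
# the root's public certificate. The private key never leaves the CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($candidates[0])
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)
Write-Host "Root CA '$($root.Subject)' exported to $OutFile (thumbprint $($root.Thumbprint))"
```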
Copy the exported certificate file to the ISA server. Launch MMC, add the Certificates snap-in for the local computer, and, under Trusted Root Certification Authorities, right-click and select All Tasks > Import…
Click Next
Browse and locate the certificate file and click Next
Select Place all certificates in the following store, ensure that Trusted Root Certification Authorities is displayed, and click Next
Note the settings and click Next
Click OK
Note that the root certificate is now listed under Trusted Root Certification Authorities
Test Connectivity to LDAPS Server (success)

LDAPS functionality can be validated using LDP.
Select Connection > Connect…
Provide the FQDN of the designated domain controller, specify the LDAPS port (636), and check SSL.
Note that the output indicates a successful connection; all error codes are zero.
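As an added example (not part of the original guide), this PowerShell script, run on the ISA server, imports the exported root certificate into Trusted Root Certification Authorities and then repeats the LDP check from the failing and successful test sections above, reporting the reason whenever the TLS handshake on tcp/636 is rejected. The domain controller name and file path are assumed placeholders.

```powershell
# Added example (not from the original guide). Run on the ISA server after copying
# the exported root certificate to it. Step 1 installs the root into the computer's
# Trusted Root Certification Authorities store; step 2 performs the same check LDP
# does (TLS on tcp/636) but reports why a failure occurs. The DC name and file
# path are placeholders.
param(
    [string]$DomainController = "dc01.eapps.local",        # FQDN exactly as in the DC certificate
    [string]$RootCerFile      = "C:\Temp\EnterpriseRootCA.cer",
    [int]$Port = 636
)

# Step 1: trust the enterprise root (public certificate only; no private key involved).
if (Test-Path $RootCerFile) {
    $root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCerFile)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $store.Open("ReadWrite")
    $store.Add($root)                       # no-op if this certificate is already present
    $store.Close()
    Write-Host "Trusted root installed: $($root.Subject) ($($root.Thumbprint))"
}

# Step 2: TLS handshake with full validation. The callback keeps the default
# policy (accept only a clean chain) but records the reason for any rejection.
$state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $state.Errors = $sslPolicyErrors
    return ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DomainController, $Port)
} catch {
    Write-Host "tcp/$Port to $DomainController is not reachable: $($_.Exception.Message)"
    Write-Host "  -> the perimeter firewall must allow tcp/636 from the ISA server to this DC"
    exit 1
}

$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
try {
    # The name given here is what the DC certificate is validated against, which is
    # why the guide insists on the FQDN in the HOSTS file and in the ISA console.
    $ssl.AuthenticateAsClient($DomainController)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "LDAPS TLS handshake succeeded with ${DomainController}:${Port}"
    Write-Host "  Subject : $($remote.Subject)"
    Write-Host "  Issuer  : $($remote.Issuer)"
    Write-Host "  Expires : $($remote.NotAfter)"
} catch {
    Write-Host "LDAPS TLS handshake failed: $($_.Exception.Message)"
    $e = $state.Errors
    if (([int]($e -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)) -ne 0) {
        Write-Host "  -> name mismatch: connect with the DC's FQDN exactly as it appears in its certificate"
    }
    if (([int]($e -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)) -ne 0) {
        Write-Host "  -> untrusted chain: the issuing CA's root is not in this computer's Trusted Root store"
    }
    if ($e -eq [System.Net.Security.SslPolicyErrors]::None) {
        Write-Host "  -> aborted before a certificate was validated: the DC probably has no server certificate yet"
    }
} finally {
    $ssl.Close()
    $tcp.Close()
}
```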
Validate Site Access, SSO and File Upload Functionality
Launch IE on an external computer, browse to a published website and provide an appropriate credential. Note the FBA interface.
Browse to Shared Documents
Upload individual and multiple documents.
To test SSO functionality, manually type the URL of another site within the same domain suffix and MOSS instance (e.g. https://extranet.genericdomain.com/default.aspx)