Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2

Posted by on Jun 12, 2009 in ISA, SharePoint, SharePoint 2007

Do you want to provide your information workers access to your SharePoint Site whilst out of the office easily from any internet connection without compromising security?  Do you want to accomplish this without complicated client-site VPN setups.  In this 2 part series I will be providing you with step by step instructions explaining how you can leverage Microsoft’s Internet Security and Acceleration Server (ISA) 2006 and the out of the box SharePoint publishing rule to provide secure access for your corporate users using SSL.  YES! That’s right! Whether you like it or not, Microsoft ISA is a great reverse web proxy application firewall in which HTTP/HTTPS traffic from the internet is inspected first before it is forwarded onto the destination server, in our case our SharePoint web servers.  Microsoft ISA is also more than capable in providing you with a secure edge firewall as well.

Providing reverse web proxy is something that most major firewall vendors cannot accomplish out of the box including some of the big players like Checkpoint and Cisco.  ISA is an ideal choice of reverse proxy to place in between your existing edge firewall and your SharePoint server due to the application layer inspection filtering that is also provided.  Our ISA 2006 server should be domain joined in this instance as it will be acting as a dedicated reverse proxy and there are a lot of articles at isaserver.org supporting my case.

The below diagram is an example of how ISA can be strategically placed within your network.  In our example, all servers are running Windows Server 2008, SharePoint 2007 and ISA 2006 with the latest Service Packs applied at the time of this writing.

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

Our goal at the end of this 2 part series is to setup Forms-Based Authentication (FBA) (screen capture below) where users are forced to authenticate successfully with Active Directory first before being passed on to the SharePoint Server.

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

So let’s begin. This post is assuming that you already have your current SharePoint Site setup correctly in IIS and Central Administration assigned to the Default Zone with Windows being our assigned Membership Provider. Our goal is to now be able to access the same SharePoint site outside of the corporate LAN via the World Wide Web using the same authentication method, i.e. via <DOMAIN>\<Password> . In order to do so, we need to extend the current site, ensure that the Alternate Access Mapping (AAM) is setup correctly and secure the extended site using  SSL via a 3rd party root certificate.

Extend your existing SharePoint Site

Browse to Central Administration / Application Management and under SharePoint Web Application Management, select

  • · Create or extend Web application
    · Click on Extend an existing Web application
    · Select an existing Web application to Extend
    · Create a new IIS web site and type in your description
    · Port should be set to 443 (SSL)
    · Specify a Host Header : yousite.externalfullyqualifieddomain.com
    · Select Yes Use Secure Sockets Layer (SSL)
    · Select Internet for your Zone as requests are coming from world wide web
    · Click OK

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

Alternate Access Mappings (AAM)

The Alternate access mappings for the zone should have been created for you and you can confirm this via Central Administration / Operations / Global Configuration / Alternate access mappings.

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

More detailed information on Alternate Access Mappings (which I highly recommend) can be found at this TechNet Article http://technet.microsoft.com/en-us/library/cc288609.aspx (Plan alternate access mappings)

By default your Alternate access mappings for all 5 zones (Default, Intranet, Internet, Custom, Extranet) are set to use Windows as your Membership Provider Name which is what is required in this example. Recall that we want our users to authenticate using their Active Directory credentials. You can confirm the Membership provider for your zones via Central Administration / Application Management / Authentication Providers. Ensure the correct Web Application in question is selected first.

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

Please also note that the extended Website will have been automatically created and listed in IIS Manager (Windows 2008)

SSL and Certificate Creation

We now need to create a certificate request that we will pass on to our preferred Certificate Authority (CA). Please note that it is best practice  to use an external CA to avoid SSL warnings and errors for your users when browsing to the site.  My preference is Godaddy.com who provide decently priced certificates, and no I am not a Godaddy reseller simple smile Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

In IIS 7 Windows 2008 this is done via Server Certificates located under the properties page of the IIS Server.

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

  • · Click on Server Certificates, under the IIS heading
    · Under Actions, Click on Create Certificate Request
    · Fill in the details; please note the Common name is important and should be the fully qualified domain name that is being accessed from the World Wide Web.

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

  • · Select your Cryptographic Service Provider Properties.
    · Specify the filename and location to output the certificate request (The contents of this file (MODIFIED EXAMPLE BELOW) is important as it will be required by your Certificate Authority. In my case I am using a 3rd Party Certificate Authority that will issue the certificate.

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

  • · Once you have been issued with your certificate file from your Certificate Authority, go back into IIS Manager and re-launch Server Certificates and this time under Actions select Complete Certificate Request
    · Browse for the File Name and specify a Friendly name

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

Upon completion of the wizard your certificate will appear beside the already self signed machine certificate in IIS7.

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

You will now need to apply the new certificate against the recently extended website.

  • · Click on the Site you wish to apply the certificate and then click on SSL Settings.

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

  • · Select Require SSL and Require 128-bit SSL for your SSL settings and click on Apply

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

We now need to apply our newly imported certificate to the extended site by clicking again on the extended site, and under Actions select Bindings and then click on Edit.

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

Select the newly added SSL certificate from the drop down and ensure the port and IP address settings are correct.

 Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2 sharepoint 2007 sharepoint isa

Our site is now secure and ready to be accessed via the World Wide Web, well almost!  Stay tuned for next week for part 2 of this article, in which we will be focusing on the configuration of ISA 2006 and how we can leverage the inbuilt SharePoint Publishing Wizard to allow external access to our SharePoint site via SSL and Windows Forms Based Authentication.

___________________________________________

Articles in this series

  1. Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2
  2. Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 2/2