Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 2/2

In the second and last part of this series we will be focusing our efforts in securing our SharePoint Site through setting up a publishing rule in ISA 2006.  If you recall in the first article, we began our setup by extending the default SharePoint site into the Internet Zone, created a certificate request via IIS to be sent to a 3rd Party Certificate Authority and applied the certificate to our newly created extended site.  If you missed it, you can access part 1 here.

So let’s begin the second part of our setup!  The first item we need to address is the newly created certificate that has been applied to our site in IIS.  ISA also needs to be aware of this certificate so we need to export it from IIS and then import it to the certificate store on the ISA server.  This certificate will be required when creating the web listener in the ISA rule later below.

To export the certificate, select it in IIS and select Export under Actions.

Specify the export path and enter a password.

After exporting the certificate, copy it to your ISA server and then launch the Certificate MMC snap-in from the ISA Server.

Right click on the Personal Folder and select All Tasks /  Import.  This will invoke the Import Certificate Wizard.

Click Next.  Browse for the certificate file that we exported and copied earlier.

Click Next.  Enter the password that we supplied to the exported certificate.

Click Next and ensure that the certificate is placed in the Personal Certificate Store.

Now that we have done the pre-work for ISA, it’s time to launch the ISA Server Management Console in order to create our SharePoint Publishing Rule.

• · Right click on Firewall Policy and select New / SharePoint Site Publishing Rule
• · Specify a SharePoint publishing rule name
• · Select your Publishing Type, in my case I selected Publish a single Web site or load balancer.
• · Click on Use SSL to connect to the published Web server or server farm

Type the Internal site name: The warning here states that the site name must match the common name or subject alternative name on the certificate. This should be the World Wide Web Address.

Then click on Use a computer name or IP address to connect to the published server and enter the correct details. This could potentially be a single server  IP or the IP address of your Network Load Balanced Cluster.

Specify the Public domain name.

We will now create a New Web Listener by clicking New. This will invoke the New Web Listener Wizard

• · Provide your web listener with a friendly name. e.g SharePoint FBA
• · Select Require SSL secured connections with clients in the Client Connection Security Window

• - Specify the Web Listener Internal IP address.  If you recall from part 1, this is a domain joined ISA server sitting in the internal network in between an existing edge firewall and your SharePoint Site.

The next step requires you to select your SSL certificate. Depending on the number of certificates your ISA server is storing you will either select Single certificate (in the event you are using a SAN or wild card certificate) or assign a certificate for each IP address. In my case I am using singular certificates for my SharePoint Sites so I will assign a specific certificate against a unique IP address.

You now need to select your Authentication Settings for the web listener. We are providing Forms based Authentication for our SharePoint Sites so I will select HTML Form Authentication and then select how ISA server will validate these. I am selecting Windows (Active Directory in my instance).

• · Specify your Single Sign On Settings, Click Finish.
• · Select your Authentication Delegation. In my case I am selecting NTLM

• · Select “SharePoint AAM is already configured on the SharePoint server. We completed this step after extending our site in Part 1 of this series.

• · Select your User Sets

• · Then Click Finish to complete the Wizard.

One of the great enhancements to ISA 2006 Service Pack 1, is the ability to test your rules automatically within the ISA Management console.  This will do the hard work for you and ensure that your rule is correctly setup and that your certificates are correctly in place.  All you need to do is right click on the rule that we have just created and select properties.

Under the General tab, click on the Test Rule button.

You should get green ticks as per below.

We are done!  Our internal users can now navigate to the external published URL and get directed to ISA’s Forms Based Authentication screen as per below. After successfully authenticating with Active Directory via the ISA server the users will be automatically redirected to the SharePoint site.

Some important points to emphasise;

• Ensure your Alternate Access Mappings (AAM) are setup correctly for the correct zone.
• Ensure your certificate common name matches the fully qualified external domain name which in turn matches the AAM in SharePoint.
• Ensure that you have successfully exported the certificate from IIS Manager and Imported it to your Certificate store on the ISA Server.
• Use the Test Rule Button in ISA 2006 SP1 to test your rule, so ensure you are running the latest Service Pack for your ISA server.

___________________________________________

Articles in this series

1. Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2
2. Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 2/2