Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 2/2

Posted by on Jun 19, 2009 in ISA, SharePoint, SharePoint 2007

In the second and last part of this series we will focus on securing our SharePoint site by setting up a publishing rule in ISA 2006.  If you recall, in the first article we began our setup by extending the default SharePoint site into the Internet Zone, created a certificate request via IIS to be sent to a 3rd Party Certificate Authority, and applied the certificate to our newly created extended site.  If you missed it, you can access part 1 here.

So let’s begin the second part of our setup!  The first item we need to address is the newly created certificate that has been applied to our site in IIS.  ISA also needs to be aware of this certificate, so we need to export it from IIS (with its private key) and then import it into the certificate store on the ISA server.  This certificate will be required when creating the web listener in the ISA rule below.

To export the certificate, select it in IIS and select Export under Actions.

Specify the export path and enter a password.

After exporting the certificate, copy it to your ISA server and then launch the Certificate MMC snap-in from the ISA Server.

Right click on the Personal Folder and select All Tasks / Import.  This will invoke the Import Certificate Wizard.

Click Next.  Browse for the certificate file that we exported and copied earlier.

Click Next.  Enter the password that we set when exporting the certificate.

Click Next and ensure that the certificate is placed in the Personal Certificate Store.

Now that we have done the pre-work for ISA, it’s time to launch the ISA Server Management Console in order to create our SharePoint Publishing Rule.

  • Right click on Firewall Policy and select New / SharePoint Site Publishing Rule
  • Specify a SharePoint publishing rule name
  • Select your Publishing Type; in my case I selected Publish a single Web site or load balancer.
  • Click on Use SSL to connect to the published Web server or server farm

Type the Internal site name. The warning here states that the site name must match the common name or subject alternative name on the certificate, so this should be the full World Wide Web address of the site.

Then click on Use a computer name or IP address to connect to the published server and enter the correct details. This could potentially be a single server IP or the IP address of your Network Load Balanced Cluster.

Specify the Public domain name.

We will now create a New Web Listener by clicking New. This will invoke the New Web Listener Wizard.

  • Provide your web listener with a friendly name, e.g. SharePoint FBA
  • Select Require SSL secured connections with clients in the Client Connection Security window

  • Specify the Web Listener Internal IP address.  If you recall from part 1, this is a domain joined ISA server sitting in the internal network in between an existing edge firewall and your SharePoint site.

The next step requires you to select your SSL certificate. Depending on the number of certificates your ISA server is storing, you will either select Single certificate (in the event you are using a SAN or wildcard certificate) or assign a certificate for each IP address. In my case I am using individual certificates for my SharePoint sites, so I will assign a specific certificate to a unique IP address.

You now need to select your Authentication Settings for the web listener. We are providing Forms Based Authentication for our SharePoint sites, so I will select HTML Form Authentication and then select how the ISA server will validate these credentials. I am selecting Windows (Active Directory in my instance).

  • Specify your Single Sign On Settings, then click Finish.
  • Select your Authentication Delegation. In my case I am selecting NTLM.

  • Select “SharePoint AAM is already configured on the SharePoint server”. We completed this step after extending our site in Part 1 of this series.

  • Select your User Sets

  • Then click Finish to complete the Wizard.

One of the great enhancements in ISA 2006 Service Pack 1 is the ability to test your rules automatically within the ISA Management console.  This does the hard work for you and ensures that your rule is correctly set up and that your certificates are correctly in place.  All you need to do is right click on the rule that we have just created and select Properties.

Under the General tab, click on the Test Rule button.

You should get green ticks as per below.

We are done!  Our internal users can now navigate to the external published URL and are directed to ISA’s Forms Based Authentication screen as per below. After successfully authenticating against Active Directory via the ISA server, the users are automatically redirected to the SharePoint site.

Some important points to emphasise:

  • Ensure your Alternate Access Mappings (AAM) are set up correctly for the correct zone.
  • Ensure your certificate common name matches the fully qualified external domain name, which in turn matches the AAM in SharePoint.
  • Ensure that you have successfully exported the certificate (including its private key) from IIS Manager and imported it into the Personal certificate store on the ISA server.
  • Use the Test Rule button in ISA 2006 SP1 to test your rule, so ensure you are running the latest Service Pack for your ISA server.
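As an added check that is not part of the original article, the PowerShell script below, run on the ISA server, verifies the certificate points above before you reach the Test Rule button: it looks in the LocalMachine\My (Personal) store for a certificate whose CN or SAN covers the public FQDN, and warns if the private key is missing, the certificate has expired, or its chain does not validate. The $PublicFqdn value is a placeholder; substitute the public domain name you entered in the rule.

```powershell
# Added check, not from the original article: confirm the certificate imported into the
# ISA server's Personal store (LocalMachine\My) carries the published FQDN, has its private
# key and is still valid. $PublicFqdn is a placeholder; replace it with your public domain name.
param([string]$PublicFqdn = "portal.example.com")

# Return the DNS names a certificate is valid for: the Subject CN plus any
# DNS entries in the Subject Alternative Name extension (OID 2.5.29.17).
function Get-CertDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) prints one entry per line, e.g. "DNS Name=portal.example.com"
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(\S+)') { $names += $matches[1] }
        }
    }
    return $names
}

# Exact match, or a wildcard name (*.example.com) covering exactly one extra label.
function Test-NameMatch([string]$name, [string]$fqdn) {
    $name = $name.ToLower(); $fqdn = $fqdn.ToLower()   # DNS names compare case-insensitively
    if ($name -eq $fqdn) { return $true }
    if (-not $name.StartsWith('*.')) { return $false }
    $suffix = $name.Substring(1)                        # ".example.com"
    if (-not $fqdn.EndsWith($suffix)) { return $false }
    $label = $fqdn.Substring(0, $fqdn.Length - $suffix.Length)
    return ($label.Length -gt 0 -and $label -notmatch '\.')
}

$found = $false
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $hit = $false
    foreach ($n in (Get-CertDnsNames $cert)) { if (Test-NameMatch $n $PublicFqdn) { $hit = $true } }
    if (-not $hit) { continue }
    $found = $true
    Write-Host "Listener candidate: $($cert.Subject) thumbprint $($cert.Thumbprint)"
    if (-not $cert.HasPrivateKey) { Write-Warning "No private key: re-export the PFX from IIS with the key included" }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Expired on $($cert.NotAfter)" }
    if (-not $cert.Verify())         { Write-Warning "Chain does not validate here; import the CA's intermediate certificates" }
}
if (-not $found) { Write-Warning "No certificate in LocalMachine\My matches $PublicFqdn; the import was missed or the name differs" }
```

A certificate that passes here but still fails Test Rule usually points at the AAM or the Internal site name in the rule, since the listener side is then known to be good.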

___________________________________________

Articles in this series

  1. Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2
  2. Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 2/2