Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 2/2

Posted by on Jun 19, 2009 in ISA, SharePoint, SharePoint 2007

In the second and last part of this series we will be focusing our efforts in securing our SharePoint Site through setting up a publishing rule in ISA 2006.  If you recall in the first article, we began our setup by extending the default SharePoint site into the Internet Zone, created a certificate request via IIS to be sent to a 3rd Party Certificate Authority and applied the certificate to our newly created extended site.  If you missed it, you can access part 1 here.

So let’s begin the second part of our setup!  The first item we need to address is the newly created certificate that has been applied to our site in IIS.  ISA also needs to be aware of this certificate so we need to export it from IIS and then import it to the certificate store on the ISA server.  This certificate will be required when creating the web listener in the ISA rule later below.

To export the certificate, select it in IIS and select Export under Actions.

export certificate isa sharepoint

Specify the export path and enter a password.

export certificate

After exporting the certificate, copy it to your ISA server and then launch the Certificate MMC snap-in from the ISA Server.

certificate MMC Store

Right click on the Personal Folder and select All Tasks /  Import.  This will invoke the Import Certificate Wizard.

welcome to the certificate import wizard

Click Next.  Browse for the certificate file that we exported and copied earlier.

Certificate Import Qizard

Click Next.  Enter the password that we supplied to the exported certificate.

certificate import wizard ISA

Click Next and ensure that the certificate is placed in the Personal Certificate Store.

Personal Certificate Import Wizard

Now that we have done the pre-work for ISA, it’s time to launch the ISA Server Management Console in order to create our SharePoint Publishing Rule.

  • · Right click on Firewall Policy and select New / SharePoint Site Publishing Rule
  • · Specify a SharePoint publishing rule name
  • · Select your Publishing Type, in my case I selected Publish a single Web site or load balancer.
  • · Click on Use SSL to connect to the published Web server or server farm

SharePoint Publishing Rule ISA

Type the Internal site name: The warning here states that the site name must match the common name or subject alternative name on the certificate. This should be the World Wide Web Address.

Then click on Use a computer name or IP address to connect to the published server and enter the correct details. This could potentially be a single server  IP or the IP address of your Network Load Balanced Cluster.

New SharePoint Publishing Rule Wizard

Specify the Public domain name.

Public Name Details FQDN

We will now create a New Web Listener by clicking New. This will invoke the New Web Listener Wizard

  • · Provide your web listener with a friendly name. e.g SharePoint FBA
  • · Select Require SSL secured connections with clients in the Client Connection Security Window

New Web Listener Definition Wizard

  • – Specify the Web Listener Internal IP address.  If you recall from part 1, this is a domain joined ISA server sitting in the internal network in between an existing edge firewall and your SharePoint Site.

New Web Listener Definiton Wizard ISA SharePoint

The next step requires you to select your SSL certificate. Depending on the number of certificates your ISA server is storing you will either select Single certificate (in the event you are using a SAN or wild card certificate) or assign a certificate for each IP address. In my case I am using singular certificates for my SharePoint Sites so I will assign a specific certificate against a unique IP address.

SharePoint ISA

You now need to select your Authentication Settings for the web listener. We are providing Forms based Authentication for our SharePoint Sites so I will select HTML Form Authentication and then select how ISA server will validate these. I am selecting Windows (Active Directory in my instance).

SharePoint ISA

  • · Specify your Single Sign On Settings, Click Finish.
  • · Select your Authentication Delegation. In my case I am selecting NTLM

New SharePoint Publishing Rile ISA

  • · Select “SharePoint AAM is already configured on the SharePoint server. We completed this step after extending our site in Part 1 of this series.

ALternate Access Mapping AAM ISA SharePoint

  • · Select your User Sets

New SharePoint Publishing Rule ISA

  • · Then Click Finish to complete the Wizard.

One of the great enhancements to ISA 2006 Service Pack 1, is the ability to test your rules automatically within the ISA Management console.  This will do the hard work for you and ensure that your rule is correctly setup and that your certificates are correctly in place.  All you need to do is right click on the rule that we have just created and select properties.

Under the General tab, click on the Test Rule button.

Web Publishing Rule

You should get green ticks as per below.

Test Rule ISA Server

We are done!  Our internal users can now navigate to the external published URL and get directed to ISA’s Forms Based Authentication screen as per below. After successfully authenticating with Active Directory via the ISA server the users will be automatically redirected to the SharePoint site.

ISA Forms Based Authentication

Some important points to emphasise;

  • Ensure your Alternate Access Mappings (AAM) are setup correctly for the correct zone.
  • Ensure your certificate common name matches the fully qualified external domain name which in turn matches the AAM in SharePoint.
  • Ensure that you have successfully exported the certificate from IIS Manager and Imported it to your Certificate store on the ISA Server.
  • Use the Test Rule Button in ISA 2006 SP1 to test your rule, so ensure you are running the latest Service Pack for your ISA server.


Articles in this series

  1. Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2
  2. Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 2/2