Wednesday, September 27, 2006

Design Sharepoint and ISA Server 2004

Recently I have been working on a Sharepoint Portal Server 2003 implementation at a customer. The requirements of this customer were:

  1. The portal must be available internally and externally.
  2. A single URL of entry. All users must access the portal using the same URL.
  3. Internal users must not be bothered with logging onto the portal.
  4. Internal users must use the same entry path as the external users, because the Sharepoint servers are behind firewalls (yes, AD traffic is going through the firewalls).
  5. To be able to use the domain name for different purposes, they would like to use the path mapping functionality of ISA Server 2004. For example, the portal could be accessed externally as www.domain.com/portal.

To meet the requirements we had to do the following:

  1. Publish the site externally and internally using ISA Server 2004.
  2. For external users, basic authentication must be configured. ISA Server presents a login box to the user and, if the credentials are valid, forwards them to the Sharepoint server using "basic delegation". If the user does not enter valid credentials, ISA Server does not allow the user to connect to the web server.
  3. For internal users, integrated authentication must be configured. With integrated authentication, Internet Explorer sends the credentials of the currently logged-on user to the server, logging the user on automatically.
  4. Use HTTPS (SSL) for both internal and external users. A single entry point is maintained.

To accomplish this several technical limitations had to be resolved:

  • The two authentication methods cannot be configured on the same publishing rule in ISA Server. Two separate paths must be created: one configured with basic authentication, the other with integrated authentication.
  • When you configure integrated authentication on both the ISA Server and IIS, users can experience multiple login boxes while browsing the site, because ISA Server uses the same HTTP headers as the web server (see link 1). This can be solved in various ways:
    1. Use basic authentication for internal users as well - This is not an option because the users will have to login when accessing the portal and documents.
    2. Connect to the Sharepoint servers directly, not using the ISA Server - This is not an option from architectural point of view.
    3. Use ISA Server 2006 which is able to do delegation of integrated authentication - This is not an option because ISA Server 2006 is currently in Beta and the customer does not want to use beta software in production environments.
    4. Switch off authentication on the ISA Server and only authenticate on the IIS server - This is the easiest way to go. Only internal users use this path, so validation by the ISA Server is not an absolute requirement.
  • The path mapping functionality is not supported with Sharepoint (see link 2). This requirement had to be dropped.
The final design we came to is:

  1. Configure two IP addresses on the ISA Server.
  2. Configure two listeners and corresponding rules:
    * the first listener/rule for the internal IP address, with no authentication (IIS/Sharepoint handles the authentication)
    * the second listener/rule for the external IP address, with basic authentication
  3. Configure the Sharepoint web server for both integrated and basic authentication.
  4. Configure split DNS: externally the domain name sharepoint.domain.com points to the second IP address, internally to the first.
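A check for the resulting two-listener design, added here as an example and not part of the original post: it parses the 401 challenge each entry point returns to an anonymous request and reports where a listener deviates from the design (Basic only on the external side, Negotiate/NTLM from IIS on the internal side, HTTPS on both). The hostname and the captured responses are constructed samples.

```python
# Added example: validates the 401 challenge of each entry point against the design.
# The hostname and the sample responses below are constructed, not captured from a real system.

INTEGRATED = {"Negotiate", "NTLM"}

# Constructed headers-only captures of the reply to an anonymous request
# (what a proxy trace or "curl -I" would show).
# External listener doing Basic itself, as designed:
EXTERNAL_OK = ("HTTP/1.1 401 Unauthorized\r\n"
               "WWW-Authenticate: Basic realm=\"sharepoint.domain.com\"\r\n"
               "Content-Length: 0\r\n\r\n")
# Internal path: ISA does not authenticate, so IIS answers with every method it is configured for:
INTERNAL_OK = ("HTTP/1.1 401 Unauthorized\r\n"
               "WWW-Authenticate: Negotiate\r\n"
               "WWW-Authenticate: NTLM\r\n"
               "WWW-Authenticate: Basic realm=\"sharepoint.domain.com\"\r\n\r\n")
# Misconfigured external listener offering integrated auth, the repeated-prompt case:
EXTERNAL_BAD = ("HTTP/1.1 401 Unauthorized\r\n"
                "WWW-Authenticate: Negotiate\r\n"
                "WWW-Authenticate: NTLM\r\n\r\n")


def parse_challenge(raw: str):
    """Return (status code, auth schemes offered) from the header block of a raw HTTP response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    schemes = [value.strip().split()[0]
               for name, _, value in (line.partition(":") for line in lines[1:])
               if name.strip().lower() == "www-authenticate"]
    return status, schemes


def check_entry(role: str, url: str, raw: str) -> list:
    """Findings for one entry point; an empty list means it behaves as the design requires."""
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("not HTTPS: Basic credentials would cross the network in the clear")
    status, schemes = parse_challenge(raw)
    if status != 401:
        findings.append(f"anonymous request got {status}, expected a 401 challenge")
        return findings
    offered = set(schemes)
    if role == "external":
        if "Basic" not in offered:
            findings.append("external listener offers no Basic, so ISA cannot delegate the credentials")
        if INTEGRATED & offered:
            findings.append("integrated auth offered externally: ISA 2004 cannot delegate it, users get repeated prompts")
    elif not INTEGRATED & offered:
        findings.append("internal path offers no Negotiate/NTLM, so IE cannot sign users on silently")
    return findings
```

Call check_entry("external", "https://sharepoint.domain.com/", EXTERNAL_BAD) to see the two findings for the misconfigured listener; the two "OK" samples return an empty list.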
Link 1: Users Repeatedly Prompted for Credentials
Link 2: Reverse Proxy Configurations for WSS and ISA Server