SharePoint 2010 and Forefront TMG


Ever wanted to published SharePoint 2010 externally and found it difficult to understand and even harder to find good documentation? I’ve worked on this particular issue several times in the past few months, so thought it was time to put fingers to keyboard and provide a few tips.

These notes cover publishing SharePoint 2010 with either ISA 2006 or Forefront TMG.

Before you begin:

Commonly your internal SharePoint farm will be accessed over HTTP whilst external access is via HTTPS.
In this example I will use the following configuration:

SharePoint URL: http://sharepoint.domain.local

MySites URL: http://mysites.domain.local

Wildcard digital certificate: *.internetdomain.com

Two external DNS records pointing to the same external IP address on the ISA server:
• SharePoint.internetdomain.com
• Mysites.internetdomain.com

SharePoint Steps:
1. Extend the SharePoint and MySites web applications (in Central Admin)
2. Install your digital certificate (and root certificate) on the Web Front End Server
3. Using PowerShell add two Alternative Access Mappings (AAM’s):

4. In IIS edit the binding on the Extended web application – change from HTTP to HTTPS and select the certificate above. Once done remove the HTTP (listening on port 443) binding, this isn’t needed.
5. Make sure the new sites have started an IISReset may be required.

Forefront TMG or ISA Server Steps:
1. Create a web listener

  • HTTPS
  • Redirect HTTP to HTTPS
  • Use the same certificate installed on SharePoint above
  • Configure SSO = .internetdomain.com (this ensures only one login to TMG or ISA is required for all sites on that listener with matching domains)

2. Create two publishing rules, one for SharePoint and the other for MySites

  • Use the same web listener for both
  • Forward the original host headers
  • Bridge the connection using HTTPS (keep the protocols the same between the external URL and the internal URL)

In some instances you may need to create translation rules for HTTP to HTTPS. This can be done on the publishing rule.

Access rules can be used to block access to specific sub-URL’s.

Advertisements

5 comments

  1. Only if the access is unauthenticated. If users are authenticated then the internet connector license isn’t required, however the user does require a CAL.

  2. I am assuming in step 2 under ‘sharepoint steps’ above, you are referring to the domain controller as the location where the certificate and root certificate need to be installed or is it the sharepoint server itself?

  3. SR, the certificates need to be installed on the SharePoint Web Front End Server if you have more than one server in your SharePoint Farm. If you have only one SharePoint server, then install the certificates on that server. The certificates are added to the bindings on the SharePoint website in IIS.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s