ISA Server

SharePoint 2010 and Forefront TMG

Ever wanted to publish SharePoint 2010 externally and found it difficult to understand, and even harder to find good documentation for? I’ve worked on this particular issue several times in the past few months, so thought it was time to put fingers to keyboard and provide a few tips.

These notes cover publishing SharePoint 2010 with either ISA 2006 or Forefront TMG.

Before you begin:

Commonly your internal SharePoint farm will be accessed over HTTP whilst external access is via HTTPS.
In this example I will use the following configuration:

SharePoint URL: http://sharepoint.domain.local

MySites URL: http://mysites.domain.local

Wildcard digital certificate: *.internetdomain.com

Two external DNS records pointing to the same external IP address on the ISA server:
• SharePoint.internetdomain.com
• Mysites.internetdomain.com

SharePoint Steps:
1. Extend the SharePoint and MySites web applications into the Internet zone (Central Admin, Manage web applications, Extend). This creates a second IIS site for each web application.
2. Install your digital certificate (and the issuing root and intermediate certificates) on the Web Front End server.
3. Using PowerShell, add two Alternate Access Mappings (AAMs): one per web application, setting the Internet zone’s public URL to the external HTTPS name (https://sharepoint.internetdomain.com and https://mysites.internetdomain.com).

4. In IIS, edit the binding on the extended web application: change it from HTTP to HTTPS and select the certificate above. Once done, remove the HTTP binding listening on port 443; it isn’t needed. Note that IIS 7.5 has no SNI, so one certificate is bound per IP address and port and serves every host-header site on it, which is why the two published names share the wildcard certificate.
5. Make sure the new sites have started; an IISReset may be required.
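The SharePoint steps above, scripted as an added example for the SharePoint 2010 Management Shell on the web front end (this is not code from the original post). It extends each web application straight into the Internet zone over SSL, makes sure the Internet zone public URL is the external HTTPS name, binds the wildcard certificate and removes any plain HTTP binding on 443. The IIS site names "SharePoint - Internet" and "MySites - Internet" are assumptions; the URLs and certificate name are the ones used in the post, and the certificate is assumed to be in the computer’s Personal store already.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010 Management Shell
# (as a farm administrator) on the web front end. Site names are assumed; URLs are the post's.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$sites = @(
    @{ Internal = "http://sharepoint.domain.local"; External = "sharepoint.internetdomain.com"; Site = "SharePoint - Internet" },
    @{ Internal = "http://mysites.domain.local";    External = "mysites.internetdomain.com";    Site = "MySites - Internet" }
)

# Step 2: pick the same wildcard certificate the TMG/ISA listener uses (newest unexpired copy).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject.StartsWith("CN=*.internetdomain.com") -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for *.internetdomain.com in LocalMachine\My" }

# IIS 7.5 has no SNI: one certificate per IP:port serves every host-header site on it,
# so the single wildcard certificate is bound once for both published names.
$sslBinding = "IIS:\SslBindings\0.0.0.0!443"
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item $sslBinding -Value $cert | Out-Null

$internetZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Internet

foreach ($s in $sites) {
    $wa = Get-SPWebApplication $s.Internal

    # Step 1: extend the web application into the Internet zone (HTTPS, port 443, own host header).
    if (-not $wa.IisSettings.ContainsKey($internetZone)) {
        New-SPWebApplicationExtension -Identity $wa -Name $s.Site -Zone Internet `
            -HostHeader $s.External -Port 443 -SecureSocketsLayer | Out-Null
    }

    # Step 3: the Internet zone's public URL is the external HTTPS name. Because the
    # publishing rule forwards the original host header, no separate internal URL is needed.
    $publicUrl = "https://$($s.External)"
    $aam = Get-SPAlternateURL -WebApplication $wa -Zone Internet | Where-Object { $_.IncomingUrl -eq $publicUrl }
    if (-not $aam) { New-SPAlternateURL -Url $publicUrl -WebApplication $wa -Zone Internet | Out-Null }

    # Step 4: an HTTPS binding on 443 for the extended site, and no plain HTTP binding left on 443.
    if (-not (Get-WebBinding -Name $s.Site -Protocol https)) {
        New-WebBinding -Name $s.Site -Protocol https -Port 443 -HostHeader $s.External
    }
    Get-WebBinding -Name $s.Site -Protocol http |
        Where-Object { $_.bindingInformation -like "*:443:*" } |
        Remove-WebBinding

    # Step 5: the extended site must be running.
    Start-Website -Name $s.Site
}

# Check: each web application should now show the external HTTPS name for the Internet zone.
foreach ($s in $sites) {
    Get-SPAlternateURL -WebApplication $s.Internal | Format-Table Zone, IncomingUrl, PublicUrl -AutoSize
}
iisreset /noforce
```

The certificate lookup filters on expiry date so that a renewed wildcard certificate sitting next to its expired predecessor is not picked by accident; after the script runs, the AAM listing should show an Internet zone entry whose incoming and public URL are both the https:// external name.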

Forefront TMG or ISA Server Steps:
1. Create a web listener

  • HTTPS, on the external IP address the two DNS records point to
  • Redirect HTTP to HTTPS
  • Use the same certificate installed on SharePoint above (the wildcard covers both published names, so one listener and one certificate serve both sites)
  • Configure SSO (single sign on) domain = .internetdomain.com. This ensures only one login to TMG or ISA is required for all sites on that listener with names in that domain. The SSO domain is the scope of the authentication cookie, so keep it no wider than the names you actually publish.

2. Create two publishing rules, one for SharePoint and the other for MySites

  • Use the same web listener for both
  • Forward the original host header. SharePoint uses the incoming host name to match the request to the Internet zone AAM and to build page links from that zone’s public URL; if TMG or ISA rewrote the host to the internal name, the Default zone would match and pages would come back with http://sharepoint.domain.local links that do not work externally.
  • Bridge the connection using HTTPS (keep the protocol the same between the external URL and the internal URL). TMG or ISA validates the web front end’s certificate on the bridged connection, so the issuing CA must be trusted on the TMG/ISA server and the internal site name on the rule must match a name the certificate covers.

In some instances you may need to create link translation rules for HTTP to HTTPS (when the internal site emits http:// links that must be rewritten to https:// for external clients). This is done on the Link Translation tab of the publishing rule.

A deny rule placed above the publishing rules, or the Paths tab on the publishing rule itself, can be used to block access to specific sub-URLs.
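An external smoke test for the listener and the two publishing rules, added here as an example (not part of the original post). Run from a machine outside the network, it checks each published name for the three things the configuration above promises: plain HTTP is redirected to HTTPS, the certificate presented by the listener actually covers the name (a wildcard matches one label only), and the HTTPS request gets a logon-type answer rather than a 5xx from a failed bridge. It uses .NET HttpWebRequest so it also runs on PowerShell 2.0; the hostnames are the post’s, everything else is this script’s assumption.

```powershell
# Added example, not from the original post. Run from outside the network.
$published = "sharepoint.internetdomain.com", "mysites.internetdomain.com"

function Test-WildcardName {
    param([string]$Pattern, [string]$HostName)
    # One-label wildcard match: "*.internetdomain.com" covers sharepoint.internetdomain.com,
    # but not the bare internetdomain.com and not a.b.internetdomain.com.
    if (-not $Pattern.StartsWith("*.")) { return ($Pattern -eq $HostName) }
    $suffix = $Pattern.Substring(1)                                   # ".internetdomain.com"
    if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
    return ($label.Length -gt 0 -and $label -notmatch '\.')
}

function Get-ResponseInfo {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false        # we want to see the listener's redirect, not follow it
    $req.Timeout = 15000
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        # A 401 from a Basic/Integrated listener arrives as an exception that still carries the response.
        if ($_.Exception.Response) { $resp = $_.Exception.Response } else { throw }
    }
    $cert = $null
    if ($req.ServicePoint.Certificate) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate
    }
    $info = @{ Status = [int]$resp.StatusCode; Location = $resp.Headers["Location"]; Cert = $cert }
    $resp.Close()
    return $info
}

$problems = 0
foreach ($h in $published) {
    try {
        # Listener option "Redirect HTTP to HTTPS": expect 301/302 back to the same name over https.
        $http = Get-ResponseInfo "http://$h/"
        $redirected = (@(301, 302) -contains $http.Status) -and ($http.Location -like "https://$h/*")
        if (-not $redirected) {
            $problems++
            Write-Warning "$h : HTTP not redirected to HTTPS (status $($http.Status), Location '$($http.Location)')"
        }

        # Certificate on the listener must cover this name and be in date.
        # GetNameInfo returns the first DNS name (SAN, else subject CN); a wildcard certificate has one.
        $https = Get-ResponseInfo "https://$h/"
        $name = $https.Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if (-not (Test-WildcardName $name $h)) { $problems++; Write-Warning "$h : certificate name '$name' does not cover this host" }
        if ($https.Cert.NotAfter -lt (Get-Date)) { $problems++; Write-Warning "$h : certificate expired $($https.Cert.NotAfter)" }

        # 200 (forms logon page), 302 (forms logon redirect) or 401 (Basic/Integrated) are all fine
        # for an unauthenticated request; 5xx means the bridged connection to the internal site failed.
        if ($https.Status -ge 500) {
            $problems++
            Write-Warning "$h : listener answered $($https.Status); check the rule's bridging, internal site name and CA trust"
        } else {
            Write-Output "$h : OK (HTTPS status $($https.Status), certificate '$name')"
        }
    } catch {
        # Includes a certificate chain the test machine does not trust, which is itself a finding.
        $problems++
        Write-Warning "$h : $($_.Exception.Message)"
    }
}
if ($problems -gt 0) { exit 1 }
```

Because both names sit on one listener, a failure for only one of them usually points at that name’s publishing rule (internal site name, bridging, or a missing public URL AAM) rather than at the listener or the certificate.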