Microsoft KB Archive/917064

= How to configure SharePoint Portal Server 2003 for off-box SSL termination by using ISA Server 2004 =

Article ID: 917064

Article Last Modified on 12/22/2006


APPLIES TO


 * Microsoft Office SharePoint Portal Server 2003






SUMMARY
''This article describes how to configure Microsoft Office SharePoint Portal Server 2003 for off-box SSL termination by using Microsoft Internet Security and Acceleration (ISA) Server 2004. (The steps in this article may also work for other SSL termination devices. For more information, see the "Known Issues" section.) SharePoint Portal Server 2003 Service Pack 2 (SP2) supports advanced extranet configurations. This includes configurations that use reverse proxy, alternate URLs, and off-box Secure Sockets Layer (SSL) termination. The advanced extranet configuration that is described in this article uses SharePoint Portal Server 2003 SP2, Microsoft Windows SharePoint Services Service Pack 2 (SP2), and ISA Server 2004.''



INTRODUCTION
This article discusses how to configure SharePoint Portal Server 2003 for off-box SSL termination by using ISA Server 2004.



MORE INFORMATION
If your organization wants to implement extranet deployments of SharePoint Portal Server 2003, you can use a reverse proxy and load balancers to help protect and manage access to the front-end servers that host the virtual servers. However, this kind of configuration may change the protocol, the host header, or the port that is received by SharePoint Portal Server 2003. Several functions in SharePoint Portal Server 2003 generate links and e-mail messages that are based on the host header that is received from the client. If the host header is changed, an incorrect URL is returned to the client.

In the original release version of SharePoint Portal Server 2003 and of SharePoint Portal Server Service Pack 1 (SP1), any configuration that changes the protocol, the host header, or the port causes SharePoint Portal Server 2003 to return an incorrect URL to the client. This action occurs because SharePoint Portal Server 2003 generates replies that are based on the protocol, on the host header, or on the port that is received in the client request. Therefore, the original release version of SharePoint Portal Server 2003 and of SharePoint Portal Server 2003 Service Pack 1 (SP1) do not support advanced extranet configurations.

SharePoint Portal Server 2003 Service Pack 2 (SP2) supports advanced extranet configurations. This includes configurations that use a reverse proxy, alternate URLs, and off-box SSL termination. This article describes an example that you can use to configure SharePoint Portal Server 2003 SP2 for off-box SSL termination by using ISA Server 2004. This example assumes that all the following conditions are true, in the order that they are presented:
 * The Web site is published as an SSL site by using ISA Server 2004 Web publishing. You access the Web site internally as a non-SSL site by using HTTP on port 80.
 * The external client sends requests to https://www.contoso.com, where the SSL session is ended. Then, the client forwards the request to http://www.contoso.com.
 * The server that is running SharePoint Portal Server 2003 SP2 receives the incoming request from the server that is running ISA Server. Then, this server uses URL mapping rules to generate the outgoing links as https://www.contoso.com.
 * The internal client sends a request to http://sharepoint. This request bypasses the server that is running ISA Server.
 * The server that is running SharePoint Portal Server 2003 SP2 receives the incoming request from the internal client. Then, this server uses URL mapping rules to generate the outgoing links as http://sharepoint.
 * SharePoint Portal Server 2003 SP2 uses alternate URL mappings to determine the URL zone from which a particular request originated. SharePoint Portal Server 2003 SP2 also uses these mappings to generate correct links.
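
The request flow in the list above, as an added Python sketch that is not part of the original article: it models the ISA hop and the alternate URL lookup with the article's URLs, and shows which links come back when ISA does not forward the original host header. The zone name "default", the internal host name ISA falls back to, and the echo fallback for unmapped URLs are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# URLs from the article's example. Using "default" as the zone name for the
# internal URL is an assumption of this sketch.
INCOMING_TO_ZONE = {
    "http://sharepoint": "default",        # internal clients, bypassing ISA
    "http://www.contoso.com": "extranet",  # requests forwarded by ISA Server
}
ZONE_TO_OUTGOING = {
    "default": "http://sharepoint",
    "extranet": "https://www.contoso.com",
}
INTERNAL_HOST = "sharepoint"  # assumed name ISA uses to reach the front end


def isa_forward(external_url, forward_original_host=True):
    """Model the ISA hop: terminate SSL, then forward as HTTP on port 80.

    Returns (scheme, host_header, port, path) as SharePoint receives it.
    """
    parts = urlsplit(external_url)
    if parts.scheme != "https":
        raise ValueError("the site in this example is published as SSL only")
    host = parts.hostname if forward_original_host else INTERNAL_HOST
    return ("http", host, 80, parts.path or "/")


def received_base(scheme, host_header, port):
    """Rebuild scheme://host[:port], omitting the port when it is the default."""
    default_port = {"http": 80, "https": 443}[scheme]
    host = host_header.lower()
    if port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def outgoing_link(scheme, host_header, port, path):
    """Return (zone, absolute link) generated for a request as received."""
    base = received_base(scheme, host_header, port)
    zone = INCOMING_TO_ZONE.get(base)
    if zone is None:
        # No mapping: echo what was received, the pre-SP2 behaviour
        # the article describes (assumed here as the fallback).
        return (None, base + path)
    return (zone, ZONE_TO_OUTGOING[zone] + path)
```

With `forward_original_host=False` the forwarded request matches the internal mapping, so an external client receives `http://sharepoint/...` links.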

How to configure off-box SSL termination
To configure off-box SSL termination, you must configure Microsoft Windows SharePoint Services Service Pack 2 (SP2), ISA Server 2004, and SharePoint Portal Server 2003 SP2. This example uses the following URLs:
 * The incoming URL from the client is https://www.contoso.com.
 * The incoming URL from the server that is running ISA Server is http://www.contoso.com.
 * The portal site URL is http://sharepoint.
 * The name and the URL of the server that is running ISA Server is http://.

Step 1: Configure Windows SharePoint Services
Use the Stsadm.exe command-line tool to configure the incoming URL and the outgoing URL in Windows SharePoint Services. To do this, follow these steps:

 1. Click Start, click Run, type cmd, and then click OK.
 2. Type the following line at the command prompt, and then press ENTER:

 cd /d %commonprogramfiles%\Microsoft Shared\Web Server Extensions\60\Bin

 3. Configure an alternate URL for the incoming URL from the client. To do this, type the following line at the command prompt, and then press ENTER:

 stsadm.exe -o addalternatedomain -url http://sharepoint -urlzone extranet -incomingurl http://www.contoso.com

 4. Configure the outgoing URL for the extranet zone. To do this, type the following line at the command prompt, and then press ENTER:

 stsadm.exe -o addzoneurl -url http://sharepoint -urlzone extranet -zonemappedurl https://www.contoso.com

 5. Restart Microsoft Internet Information Services (IIS) 6.0. To do this, type iisreset at the command line, and then press ENTER.

Step 2: Configure ISA Server 2004
Create a Web publishing rule in ISA Server 2004. To do this, follow these steps:

 1. Install an SSL certificate for www.contoso.com on the server that is running ISA Server.
 2. Create a Web publishing rule to publish http://www.contoso.com as https://www.contoso.com.
 3. Right-click the Web publishing rule that you created, and then click Properties.
 4. Click the To tab, and then make sure that the Forward the original host header instead of the actual one (specified above) check box is selected. If the check box is not already selected, click to select this check box.
 5. Click the Traffic tab, click Filtering, and then click Configure HTTP. Make sure that the Verify normalization check box and the Block High Bit Characters check box are not selected. If these check boxes are selected, click to clear these check boxes.
 6. Click OK.

If you have only Windows SharePoint Services and do not have SharePoint Portal Server 2003, this completes the setup. If you have SharePoint Portal Server 2003, go to step 3.

Step 3: Configure SharePoint Portal Server 2003
Configure alternate URLs for intranet access and for extranet access. To do this, follow these steps:

 1. Start SharePoint Central Administration.
 2. Under Portal Site and Virtual Server Configuration, click Configure alternate portal site URLs for intranet, extranet, and custom access.
 3. Add intranet and extranet URLs to the default access setting. To do this, follow these steps:
    a. Move the pointer over the default access setting, click the down arrow that appears, and then click Edit.
    b. On the Change Alternate Access Setting page, type http://sharepoint in the Intranet URL box, and then type https://www.contoso.com in the Extranet URL box.
    c. Click OK.
    Important: Make sure that you do not modify the URL that appears in the Default URL box.
 4. Add a new access setting named "Dummy Mappings". To do this, follow these steps:
    a. Click New Access Setting.
    b. On the Add Alternate Access Setting page, type Dummy Mappings in the Mapping name box, and then type http:// in the Default URL box. Then, type http://www.contoso.com in the Extranet URL box.
    c. Click OK.
 5. Restart IIS 6.0. To do this, type iisreset at the command line, and then press ENTER.

Known Issues
After you complete these steps, you will still encounter the following two known issues:

 * The Edit Page link that appears under Actions in the left area of Web pages on the portal site redirects you to the wrong URL. For more information about how to fix this issue, see the following article in the Microsoft Knowledge Base:
   926224 Description of the SharePoint Portal Server 2003 post-Service Pack 2 hotfix package: October 2, 2006
 * When you perform a search from the Search Results page, you are redirected to the wrong URL. Also, the search eventually times out. To fix this issue, create the following link translation rule:
   Note: These steps are specific to ISA.
   a. Select the Web publishing rule that you created under "Step 2: Configure ISA Server 2004." Then, click Properties.
   b. Click the Link Translation tab, click to select the Replace absolute links in Web pages check box, and then click Add.
   c. Add a link translation rule as follows, and then click OK:
      * In the Replace this text box, type the following: http:\/\/www.contoso.com
      * In the With this text box, type the following: https:\/\/www.contoso.com
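
A check that an administrator could run on page bodies fetched through the published URL, as an added Python example (not code from the article or from Microsoft): it flags links to the example hosts that still use plain HTTP, in both the plain form and the backslash-escaped form that the rule above replaces, and models the rule as a literal text replacement. The sample body and all function names are constructed for illustration.

```python
import re

# Hosts from the article's example that an extranet client should never
# be sent to over plain HTTP.
WATCHED_HOSTS = ("www.contoso.com", "sharepoint")

# Matches http:// written plainly or with backslash-escaped slashes
# (http:\/\/), the form the article's link translation rule targets.
_LINK = re.compile(
    r"http:(?P<sep>//|\\/\\/)(?P<host>[A-Za-z0-9.-]+)", re.IGNORECASE
)


def find_bad_links(body):
    """Return sorted (kind, host, form) tuples for links that need fixing."""
    findings = set()
    for m in _LINK.finditer(body):
        host = m.group("host").lower().rstrip(".")
        if host not in WATCHED_HOSTS:
            continue
        # Published host over HTTP is a scheme downgrade; the portal's
        # internal name does not resolve for external clients at all.
        kind = "downgrade" if host == "www.contoso.com" else "internal-name"
        form = "escaped" if "\\" in m.group("sep") else "plain"
        findings.add((kind, host, form))
    return sorted(findings)


def apply_link_translation(body, rules):
    """Apply literal replace rules in order (a model of the rule, not ISA code)."""
    for old, new in rules:
        body = body.replace(old, new)
    return body


# The rule from the Known Issues section.
KB_RULE = [(r"http:\/\/www.contoso.com", r"https:\/\/www.contoso.com")]

# Constructed sample response body, not captured from a real portal.
SAMPLE = (
    '<a href="https://www.contoso.com/default.aspx">Home</a>\n'
    '<script>var s = "http:\\/\\/www.contoso.com\\/Search.aspx";</script>\n'
    '<a href="http://sharepoint/sites/hr">HR</a>\n'
)
```

The rule rewrites only the text it names, so the `http://sharepoint` link in the constructed sample is still reported after translation.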

<div class="references_section">