Friday, August 14, 2009

Publishing SharePoint Web Applications in ISA Server


This article assumes SharePoint Web applications are configured with NTLM authentication, that multiple Web applications are being published outside a company's firewall, and that ISA Server is being used as the firewall. The scenario described also assumes that one set of Windows credentials has access to multiple SharePoint Web applications.


It is common for a SharePoint environment to include multiple Web applications. Since each Web application requires its own IIS Web site and may have its own IP address and host header, having multiple Web applications does create some complexity and therefore requires some consideration.

It gets a bit more complicated when multiple Web applications need to be made accessible outside of a company's local network, such as an extranet or public internet scenario. In this case, firewall rules and NAT must be configured for each Web application to protect the organization and the application being published.

Then comes the user experience. Inside the network, client computers often belong to the same domain as the SharePoint servers, or at least a trusted domain. Furthermore, the domain URLs are considered either "Local Intranet" or "Trusted" by the users' Internet browser. In this environment, a user can navigate from Web application to Web application without receiving an authentication prompt. Life is good on the local network.

This all changes when Web applications are published outside the company's firewall. First, client computers accessing the sites no longer belong to the same domain as the SharePoint servers. Second, the users' browsers aren't configured to automatically log users into the Web applications. The challenge this creates is that if a seamless user experience requires accessing multiple Web applications, the user is going to receive an authentication prompt for each application.


ISA Server allows Rules to share Listeners. What this means is that you can create one Listener and add multiple Web applications to that Listener. Then, you can create a Rule for each unique Web application, associating these Rules with the Listener.

The result is that users can access multiple externally facing SharePoint Web applications without having to authenticate to each one.
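The following is an added example, not ISA Server's own API or configuration, that models the arrangement described above: one Listener owns the public address, the server certificate and the authentication state, and several publishing Rules bound to that Listener map public host names to internal SharePoint Web applications. Every name in it (Listener, Rule, publish, handle, the user store and host names) is assumed for illustration. It shows that a client authenticated once at the Listener reaches every Rule on it without a second prompt, that a host name with no Rule is refused, and that a Rule whose public name the certificate does not cover is rejected at configuration time rather than producing a certificate-name error in the browser.

```python
"""Model of shared-Listener Web publishing (added example, not ISA's API)."""
from dataclasses import dataclass, field
import secrets


def cert_covers(pattern: str, host: str) -> bool:
    """True if a certificate name (e.g. '*.example.com') covers host.

    A wildcard is accepted only in the leftmost label and matches exactly
    one label, which is how browsers evaluate wildcard certificates.
    """
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return all(pl == hl or (i == 0 and pl == "*")
               for i, (pl, hl) in enumerate(zip(p, h)))


@dataclass(frozen=True)
class Rule:
    public_name: str   # host header external clients use
    internal_url: str  # SharePoint Web application behind the firewall


@dataclass
class Listener:
    address: str                 # public IP:port the Listener binds
    cert_names: tuple            # names the Listener's certificate is valid for
    users: dict                  # constructed credential store (stand-in for NTLM)
    rules: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # auth state lives here

    def publish(self, rule: Rule) -> None:
        """Bind a publishing Rule to this Listener, checking the certificate."""
        if not any(cert_covers(n, rule.public_name) for n in self.cert_names):
            raise ValueError(f"certificate does not cover {rule.public_name}")
        self.rules[rule.public_name.lower()] = rule

    def authenticate(self, username: str, password: str):
        """Return a session token on success, None otherwise."""
        if self.users.get(username) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def handle(self, host: str, session=None):
        """Dispatch a request by host header; (status, detail) like a proxy would."""
        rule = self.rules.get(host.lower())
        if rule is None:
            return (403, "no publishing rule for this host")
        if session not in self.sessions:
            return (401, "authentication required")
        return (200, rule.internal_url)


def demo() -> dict:
    """Walk through the scenario with constructed hosts and credentials."""
    listener = Listener("203.0.113.10:443", ("*.example.com",),
                        {"alice": "constructed-password"})
    listener.publish(Rule("portal.example.com", "http://sp-portal"))
    listener.publish(Rule("mysite.example.com", "http://sp-mysite"))
    results = {}
    results["anon"] = listener.handle("portal.example.com")[0]
    token = listener.authenticate("alice", "constructed-password")
    results["portal"] = listener.handle("portal.example.com", session=token)
    # Same token, second Rule on the same Listener: no second prompt.
    results["mysite"] = listener.handle("mysite.example.com", session=token)
    results["unknown"] = listener.handle("other.example.com", session=token)[0]
    try:  # public name outside the certificate's names is refused up front
        listener.publish(Rule("portal.example.net", "http://sp-ext"))
        results["bad_cert"] = "accepted"
    except ValueError:
        results["bad_cert"] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

A second Listener would carry its own sessions dictionary, so applications split across Listeners would prompt again; keeping the Rules on one Listener is what removes the repeated prompts.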


Mark said...

It would seem like you would also need a wildcard cert, being that the web apps have different URLs; if not, you will start getting common name errors.



Nicholas Bisciotti said...

I agree Mark.

peter kenneth said...

Thank you for taking the precious time to write it up... congratulations!!!!
