Alexander’s Blog

The other day I was working on my Microsoft Office SharePoint Server (MOSS) 2007 and discovered that when I clicked on a new content type that I created, it gave me the following error in my browser.

Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter. Contact the server administrator.

First I looked at various settings on my SharePoint server just to make sure that everything was in order. I couldn’t find anything suspicious on the server so I proceeded to the next step and looked into the error message. The error indicated that my request was rejected by the HTTP filter so I knew I have to troubleshoot the problem on my ISA Server 2006 which filters the HTTP requests. After doing a little bit of research I discovered that clearing the option to verify normalization might help solve my problem, and luckily it did. Normalization is the process of decoding URL-encoded requests. By clearing this option, I would not be blocking requests with URLs that contain escaped characters after normalization. Here’s the step-by-step procedure.

1. Start ISA Server 2006 Management Console.
2. Go to the Firewall Policy.
3. Right-click the Web policy rule that allows access to the SharePoint server and select Configure HTTP.
4. Clear the box Verify normalization, as shown below.
   
5. You don’t have to change the option to Block high bit characters as shown in the screen shot. You can leave it to the default option on your server. On my server I have selected the option to specify that URLS with high-bit characters are blocked because it can help block some attacks on Web servers running Internet Information Services (IIS). The downside to selecting this option is that it may also block requests and responses that contain characters from one of several languages that require high-bit characters.
6. Apply the change made to your ISA Server 2006 and the error on your SharePoint server should go away immediately.

If you are curious about the verify normalization option, here’s some more information from Microsoft TechNet.

Web servers receive requests that are URL encoded. This means that certain characters may be replaced with a percent sign (%) followed by a particular number. For example, %20 corresponds to a space, so a request for http://myserver/My%20Dir/My%20File.htm is the same as a request for http://myserver/My Dir/My File.htm. Normalization is the process of decoding URL-encoded requests.

Because the % can be URL encoded, an attacker can submit a carefully crafted request to a server that is basically double-encoded. If this occurs, Internet Information Services (IIS) may accept a request that it would otherwise reject as not valid. When you select Verify Normalization, the HTTP filter normalizes the URL two times. If the URL after the first normalization is different from the URL after the second normalization, the filter rejects the request. This prevents attacks that rely on double-encoded requests.

Note that while we recommend that you use the Verify Normalization function, it may also block legitimate requests that contain a %.

Best Practices

1. As a best practice, always make sure that you document the changes made to your server. Documenting server configuration takes a little bit of your time but it can save you hours or even days or weeks at a later time.
2. When you create a SharePoint site, list or library, make sure that you do not use a space. You can always go back and create spaces in the name after the fact to make it more readable. By using this method, the URL will not contain the extra “garbage” %20 characters and your users will still be able to find your list and library names readable. Spaces in SharePoint URLs causes several potential problems. The space character is replaced with %20. Not only it makes the URL difficult to read, it also increases the length of the URL, which may cause you to go over the upper limit. For example, a file or folder name in a URL cannot contain more than 128 characters in WSS 2.0/3.0 and MOSS. Although SharePoint URLs can be up to 260 characters, as a best practice I discourage people from using more than 256 characters because link list items cannot be more than 256 characters.
3. Keep the names of your SharePoint sites, lists and libraries short. Instead of creating a library called Human Resources, call it HR. After creating the library you can change the name under Title and Description to Human Resources. Moral of the story: Avoid spaces in SharePoint URLs and be happy!

My students are always asking me where to get the evaluation copies of various Microsoft products. I’ve put together a list of some of the latest software evaluation downloads. My goal is to try and keep this list updated but frankly it is going to be challenging because Microsoft is known for changing the URLs without any redirection. Here is a list of either free or trial editions of some of the popular Microsoft products. A typical Microsoft evaluation software includes a 180-day trial but some are limited to 60 or 90 days.

1. Exchange Server 2010 (120-Day Trial)
2. Forefront Threat Management Gateway (TMG) 2010 (180-day Trial)
3. Internet Security and Acceleration (ISA) Server 2006 (180-day Trial)
4. Office Communications Server 2007 R2 (180-Day Trial)
5. Office Professional Plus 2010 (60-day Trial)
6. Project Professional 2010 (60-day Trial)
7. SharePoint Foundation 2010 (Free)
8. SharePoint Server 2010 (180-day Trail)
9. Small Business Server 2008 (60-day Trial)
10. SQL Server 2008 Enterprise (180-day Trial)
11. SQL Server 2008 R2 (180-day Trial)
12. System Center Data Protection Manager 2010 (180-day Trial)
13. System Center Essentials 2010 (180-day Trial)
14. System Center Virtual Machine Manager 2008 R2 (180-day Trial)
15. Visio Premium 2010 (60-day Trial)
16. Windows 7 Enterprise (90-day Trial)
17. Windows Server 2008 R2 (180-day Trial)

WARNING! I should warn you that sometimes when you download a trial software you may think that you are opting out of receiving phone calls and e-mails from Microsoft but you are not. For more information read my blog post: When Microsoft Says No, It May Mean Yes.

Microsoft offers more free products to consumers than any software manufacturer I know. And I am not talking about free evaluation software, I am talking about free tools, utilities and various products and services. Besides software, Microsoft offers these free TechNet and MSDN labs. These are a series of guided, hands-on labs which can be completed in 90 minutes or less. SharePoint Foundation 2010, which I included in the above list for convenience, is a free product from Microsoft. In the past, it was known as Windows SharePoint Services (WSS).

Last Updated: May 27, 2011

Microsoft ISA Server blog has posted an article on this topic that goes into details on how to deal with this issue of not being able to check out a document in MOSS 2007. Here’s an excerpt:

“Troubleshooting SharePoint/MOSS 2007 publishing through ISA Server can be really challenging, mainly because most of the times the argument is: but it works just fine internally. Although this can be a good argument it doesn’t prove that the issue is on ISA Sever. The reason why it doesn’t prove is because most of the time while publishing MOSS 2007 through ISA Server 2006 the Alternate Access Mappings is controlled by MOSS. This is a key element in this type of publishing scenario, so before we move further on this issue I strong recommend you to read the following article: Plan alternate access mappings (Office SharePoint Server). This article has all the concepts that you need to plan your AAM without hurting your publishing rule through ISA Server.”

Read the rest of the article here.

If you’ve configured your SharePoint site with a specific URL (host header), e.g. http://webportal and then later decided that you want to change it to another URL, such as sharepoint.seattlepro.com, you can use the Alternate Access Mapping feature of Microsoft Office SharePoint  Server (MOSS) 2007. Here’s how.

1. Start SharePoint 3.0 Central Administration.

2. Click on the Operations tab.

3. Under Global Configuration section click on Alternate access mappings.

4. Click on Show All in the upper right-hand corner and then click on Change Alternate Access Mapping Collection.

5. From Select An Alternate Access Mapping Collection window, click the URL that you would like to change, e.g. http://webportal.

6. Click Edit Public URLs.

7. Change the URL listed in the Default box to the one you want. For example, change it from http://webportal to http://sharepoint.seattlepro.com.

8. Click Save.

9. The next step is to update the information in Internet Information Services (IIS). Start IIS Manager. In our example, we will assume you are running IIS 7.

10. Highlight the Web site whose URL you want to change.

11. In the Actions pane click Bindings (or right-click the Web site and select Edit Bindings).

12. Highlight the entry in the Edit Site Binding window and then click Edit.

13. In the Host Name box enter the new URL that you would like to use. For example, sharepoint.seattlepro.com.

14. Click OK, then click Close.

15. Go to the command prompt and run iisreset to restart Internet services.

16. You should now be able to use the new host header and access the site with the new URL (e.g. http://sharepoint.seattlepro.com).

NOTE: If your Web site needs to be accessible from the Internet and you are using Microsoft ISA Server, or another firewall, you need to make sure that you update the DNS server and the ISA Server rule that allows you to access the Web site from the external network. For example, you need to add a host record for sharepoint.seattlepro.com in a DNS server that is accessible from the Internet and add the URL sharepoint.seattlepro.com on the Public Name tab of the ISA Server rule that is publishing the Web site.

Using Alernate Access Mapping to Configure a Different URL for Internal Use

If you want to use a different URL for the intranet site internally (e.g. http//intranet), you can add that URL in step 6. On the Alternate Access Mappings page, instead of clicking on Edit Public URLs, click on the link Add Internal URLs. In the Add Internal URL box type the URL that you want to add, e.g. http://intranet, then click Save. You still need to go to IIS Manager and in step 13 add a Site Binding for intranet. Your site bindings will look like this.  Notice that you don’t need to type http:// in the Host Name box. Simply type the host header that you want to use (in our case its intranet).

Make sure you don’t forget step 15 after modifying the bindings. That’s it. Now your users can access the intranet site internally by typing http://intranet and externally by typing http://intranet.seattlepro.com.

This is one of many examples of how Alternate Access Mappings can be used in MOSS 2007. It demonstrates how the end user may type a different URL to access the site then the URL that is received by the Internet Information Services (IIS). With Alternate Access Mapping you can also associate multiple internal URLs with a single public URL, using one of 5 different authentication zones: Default, Intranet, Internet, Custom, and Extranet.

I am working on securing the entire network for one of my clients. I ran into this article on TechNet that targets the specific area of extranet and how you can best secure it. The article is full of valuable information for securing your extranet environment and is called Plan security hardening for extranet environments.

Part of the article discusses this extranet hardening tool that’s offered by Microsoft. It’s called Extranet hardening planning tool: back-to-back perimeter (http://go.microsoft.com/fwlink/?LinkId=85533&clcid=0×409).

The tool will help you figure out which ports are required for our ISA Server, routers and firewalls. This tool is a Microsoft Office Visio file that you can edit to customize for your own environment. For example, here are some things that you can do with this tool:

• Add your custom port numbers, where applicable.
• Where a choice of protocols or ports is provided, indicate which ports you will use.
• Indicate the specific ports that are used for database communication in your environment.
• Add or remove requirements for ports based on:
  1. Whether you are configuring e-mail integration.
  2. Which layer you deploy the query role to.
  3. If you are configuring a domain trust relationship between the perimeter domain and the corporate domain.