Alexander’s Blog

Microsoft ISA Server blog has posted an article on this topic that goes into details on how to deal with this issue of not being able to check out a document in MOSS 2007. Here’s an excerpt:

“Troubleshooting SharePoint/MOSS 2007 publishing through ISA Server can be really challenging, mainly because most of the times the argument is: but it works just fine internally. Although this can be a good argument it doesn’t prove that the issue is on ISA Sever. The reason why it doesn’t prove is because most of the time while publishing MOSS 2007 through ISA Server 2006 the Alternate Access Mappings is controlled by MOSS. This is a key element in this type of publishing scenario, so before we move further on this issue I strong recommend you to read the following article: Plan alternate access mappings (Office SharePoint Server). This article has all the concepts that you need to plan your AAM without hurting your publishing rule through ISA Server.”

Read the rest of the article here.

If you’ve configured your SharePoint site with a specific URL (host header), e.g. http://webportal and then later decided that you want to change it to another URL, such as sharepoint.seattlepro.com, you can use the Alternate Access Mapping feature of Microsoft Office SharePoint  Server (MOSS) 2007. Here’s how.

1. Start SharePoint 3.0 Central Administration.

2. Click on the Operations tab.

3. Under Global Configuration section click on Alternate access mappings.

4. Click on Show All in the upper right-hand corner and then click on Change Alternate Access Mapping Collection.

5. From Select An Alternate Access Mapping Collection window, click the URL that you would like to change, e.g. http://webportal.

6. Click Edit Public URLs.

7. Change the URL listed in the Default box to the one you want. For example, change it from http://webportal to http://sharepoint.seattlepro.com.

8. Click Save.

9. The next step is to update the information in Internet Information Services (IIS). Start IIS Manager. In our example, we will assume you are running IIS 7.

10. Highlight the Web site whose URL you want to change.

11. In the Actions pane click Bindings (or right-click the Web site and select Edit Bindings).

12. Highlight the entry in the Edit Site Binding window and then click Edit.

13. In the Host Name box enter the new URL that you would like to use. For example, sharepoint.seattlepro.com.

14. Click OK, then click Close.

15. Go to the command prompt and run iisreset to restart Internet services.

16. You should now be able to use the new host header and access the site with the new URL (e.g. http://sharepoint.seattlepro.com).

NOTE: If your Web site needs to be accessible from the Internet and you are using Microsoft ISA Server, or another firewall, you need to make sure that you update the DNS server and the ISA Server rule that allows you to access the Web site from the external network. For example, you need to add a host record for sharepoint.seattlepro.com in a DNS server that is accessible from the Internet and add the URL sharepoint.seattlepro.com on the Public Name tab of the ISA Server rule that is publishing the Web site.

Using Alernate Access Mapping to Configure a Different URL for Internal Use

If you want to use a different URL for the intranet site internally (e.g. http//intranet), you can add that URL in step 6. On the Alternate Access Mappings page, instead of clicking on Edit Public URLs, click on the link Add Internal URLs. In the Add Internal URL box type the URL that you want to add, e.g. http://intranet, then click Save. You still need to go to IIS Manager and in step 13 add a Site Binding for intranet. Your site bindings will look like this.  Notice that you don’t need to type http:// in the Host Name box. Simply type the host header that you want to use (in our case its intranet).

Make sure you don’t forget step 15 after modifying the bindings. That’s it. Now your users can access the intranet site internally by typing http://intranet and externally by typing http://intranet.seattlepro.com.

This is one of many examples of how Alternate Access Mappings can be used in MOSS 2007. It demonstrates how the end user may type a different URL to access the site then the URL that is received by the Internet Information Services (IIS). With Alternate Access Mapping you can also associate multiple internal URLs with a single public URL, using one of 5 different authentication zones: Default, Intranet, Internet, Custom, and Extranet.

I am working on securing the entire network for one of my clients. I ran into this article on TechNet that targets the specific area of extranet and how you can best secure it. The article is full of valuable information for securing your extranet environment and is called Plan security hardening for extranet environments.

Part of the article discusses this extranet hardening tool that’s offered by Microsoft. It’s called Extranet hardening planning tool: back-to-back perimeter (http://go.microsoft.com/fwlink/?LinkId=85533&clcid=0×409).

The tool will help you figure out which ports are required for our ISA Server, routers and firewalls. This tool is a Microsoft Office Visio file that you can edit to customize for your own environment. For example, here are some things that you can do with this tool:

• Add your custom port numbers, where applicable.
• Where a choice of protocols or ports is provided, indicate which ports you will use.
• Indicate the specific ports that are used for database communication in your environment.
• Add or remove requirements for ports based on:
  1. Whether you are configuring e-mail integration.
  2. Which layer you deploy the query role to.
  3. If you are configuring a domain trust relationship between the perimeter domain and the corporate domain.

If you are trying to get your external NIC on the ISA Server obtain an IP address from a DHCP server and can’t, check out this KB article 841141 from Microsoft. This solution applies to both ISA Server 2004/2006.

The external network adapter on your ISA Server 2006 or ISA Server 2004 computer cannot obtain an IP address from a DHCP server

SYMPTOMS
When you try to configure the external network adapter on your Microsoft Internet Security and Acceleration (ISA) Server 2006 computer or on your ISA Server 2004 computer to obtain its Internet Protocol (IP) address from a Dynamic Host Configuration Protocol (DHCP) server, the external network adapter does not receive a valid IP address.

CAUSE
This behavior occurs because the default ISA Server system policy does not permit DHCP replies from external DHCP servers to the ISA Server computer.

RESOLUTION
To resolve this behavior, follow these steps:
1.    Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2.    In the console tree, click Firewall Policy.
3.    In the right pane, click the Tasks tab, and then click Show System Policy Rules.
4.    Click Allow DHCP replies from DHCP servers to ISA Server.
5.    In the details pane, click Edit System Policy.
6.    Click the From tab.
7.    Click Add.
8.    If you know the IP address of the external DHCP server, follow these steps:
a.     In the New list, click Computer.
b.     In the New Computer Rule Element dialog box, type a name for the DHCP computer rule element in the Name box, type the IP address of the DHCP server in the Computer IP Address box, and then click OK.
c.     Expand Computers, click the DHCP computer rule element that you just created, click Add, and then click Close.
To add the external network instead of the specific DHCP server, expand Networks, click External, click Add, and then click Close.

Note Microsoft recommends that you add the specific DHCP server instead of the external network to make the ISA Server computer less susceptible to external attacks.
9.    Click OK, and then click Apply to save the changes and update the configuration.
Note This procedure is for renewals only. If you do not have an IP address, you may want to allow DHCP traffic from any network until an address is leased. If you do not already have a lease, the “specific DHCP server” setting in step 8 will not work because Windows will be forced into DHCP Discover mode. This mode is strictly for broadcast traffic.

If you haven’t used ISA Server 2006 Capacity Planner you might want to check it out. It’s an online tool that lets you plan secure publishing, branch office gateway, and Web access protection.The tool recommends how many CPUs, amount of disk space and amount of memory that will be suitable for you based on the questions that you answer. While you can argue that the tool is not really exact science but it is a great place to start if you are trying to figure out what kind of hardware you will need to configure and ISA Server in your environment.

You can check out ISA Server Capacity Planner here.