SharePoint
sites are one of the more common types of content secured by the
Forefront Edge line, because organizations need to offer remote document
management while still controlling who can reach it. Although Forefront
UAG is the preferred solution for reverse proxy of a SharePoint
environment, Forefront TMG is also a highly capable reverse proxy. Both
products are covered in this article, but this section illustrates the
creation of a Forefront TMG publishing rule for a SharePoint site, for
clients who have invested in Forefront TMG but do not have a Forefront
UAG environment.
Note
Organizations with legacy
ISA Server 2006 can still use it to secure inbound traffic to SharePoint
2010 because it is still a supported product. The steps to secure a
SharePoint site with ISA 2006 are nearly identical to the steps used
with Forefront TMG. Just follow the same instructions listed here, or
refer to SharePoint 2007 Unleashed, which describes the process for ISA Server 2006.
Forefront TMG used to
secure a SharePoint implementation can be deployed in multiple
scenarios: as an edge firewall, an inline firewall, or a dedicated
reverse-proxy server. In all of these scenarios, Forefront TMG secures
SharePoint traffic by standing in for the SharePoint server itself: it
accepts the client's request, scans the traffic destined for the
SharePoint server for exploits, and then repackages that traffic and
sends it on, as illustrated in Figure 1.
Forefront TMG performs
this type of securing through a SharePoint site publishing rule, which
automatically sets up and configures a listener on the Forefront TMG
server. A listener is a Forefront TMG component that listens to
specifically defined IP traffic and processes that traffic for the
requesting client as if it were the actual server itself. For example, a
SharePoint listener on Forefront TMG would respond to SharePoint HTTP/HTTPS
requests made to it by scanning them for exploits and then repackaging
them and forwarding them on to the SharePoint server itself. Because the
listener answers in the server's place, the client cannot tell the
difference between the Forefront TMG server and the SharePoint server itself.
Forefront TMG is also one of
the few products, along with Forefront UAG, that can keep web traffic
SSL-encrypted from end to end while still inspecting it. This is known
as SSL bridging: TMG terminates the client's SSL session on the listener
using a certificate issued for the published name, inspects the
decrypted traffic for exploits and viruses at the application layer, and
then opens a new SSL session to the SharePoint server, validating the
SharePoint server's own certificate, before forwarding the request.
Re-encrypting the traffic for the second hop reduces the chance of
unauthorized viewing between TMG and the SharePoint server. Without the
capability to scan this SSL traffic, exploits bound for a SharePoint
server could simply hide in the encrypted stream and pass right through
traditional firewalls. For bridging to work, the certificate installed
on the SharePoint server must chain to a certification authority that
the TMG server trusts, and its subject must match the server name that
TMG is configured to connect to.
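The following PowerShell script is an added example, not code from the book or from Forefront TMG, that checks the second hop of SSL bridging from the TMG server's point of view before the publishing rule is created. It connects to the SharePoint server on port 443 exactly as TMG would, using the name that will be entered on the rule, and reports the certificate's subject, expiry, and any validation failure (untrusted chain or name mismatch). The server name and port are assumptions for this scenario; the script needs PowerShell 2.0 or later and should be run on the TMG server so that the machine's own trust store is used.

```powershell
# Added example (not from the book): pre-flight check for SSL bridging, run on the
# Forefront TMG server. TMG only re-encrypts to the SharePoint server if the
# certificate that server presents chains to a CA the TMG machine trusts and its
# subject matches the name TMG connects to. $sharePointHost is an assumption.
function Test-SslBridgingTarget {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,  # name TMG will use on the rule's "To" tab
        [int]$Port = 443
    )
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None

    # The callback records why validation failed instead of aborting the handshake,
    # so the certificate details and every policy error are reported together.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Send the configured name as the target host, which is what the subject must match.
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $now  = Get-Date

        New-Object PSObject -Property @{
            Server       = "$ServerName`:$Port"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            PolicyErrors = $script:policyErrors
            # Bridging will work only if the chain and name are both acceptable and the cert is current.
            BridgingOk   = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None) -and
                           ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Assumed: TMG will connect to the SharePoint server using this name.
$sharePointHost = "home.companyabc.com"
Test-SslBridgingTarget -ServerName $sharePointHost | Format-List Server, Subject, Issuer, NotAfter, Thumbprint, PolicyErrors, BridgingOk
```

A result of RemoteCertificateChainErrors means the issuing CA is missing from the TMG server's Trusted Root Certification Authorities store; RemoteCertificateNameMismatch means the name on the rule's To tab differs from the certificate subject. Either condition breaks the bridged connection while the SharePoint site itself keeps working, and the external client sees only a generic error from TMG, so this check is the quickest way to isolate the cause.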
This article covers one
common scenario in which Forefront TMG is used: securing a
SharePoint site collection (in this example, home.companyabc.com) using
Forefront TMG. The steps outlined here describe this particular
scenario, although Forefront TMG can also be used in many other
securing scenarios as necessary.
Configuring the Alternate Access Mapping Setting for the External URL
Before external access can be
granted to a site, an alternate access mapping (AAM) must be established
for the web application that hosts it. An AAM tells SharePoint which URL
a web application is reached through in a given zone (such as
https://portal.companyabc.com, http://server4, or https://home.companyabc.com),
and SharePoint then builds every link it generates for that zone from
that URL. If the external URL is not mapped, pages returned to external
clients contain links built from the internal URL, which those clients
cannot resolve.
To configure the AAM for home.companyabc.com on its web application, perform the following steps:
1. Open the SharePoint Central Admin Tool.
2. Click the System Settings link in the links provided on the left of the screen.
3. Under Farm Management, click the Configure Alternate Access Mappings link.
4. Click Edit Public URLs.
5. Under Alternate Access Mapping Collection, select the AAM Collection that corresponds to the web application for home.companyabc.com.
6. Enter the https:// AAM needed in the Internet box, as shown in Figure 2. In this example, we enter https://home.companyabc.com. If the web application will be addressed by other names, enter all possible names here. Click Save.
7. Review the AAMs listed on the page for accuracy, and then close the SharePoint Central Admin tool.
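The same configuration can be applied and verified from the SharePoint 2010 Management Shell. The script below is an added example, not code from the book; it sets the Internet-zone public URL for the web application, refuses to proceed if that host name is already mapped to a different web application (SharePoint matches incoming host headers farm-wide, so a duplicate would route TMG's traffic to the wrong site), and then prints the resulting mappings. The internal URL http://server4 is an assumption taken from the example names in this section; run it as a farm administrator on a SharePoint server.

```powershell
# Added example (not from the book): set and verify the Internet-zone public URL
# for the web application behind home.companyabc.com. $internalUrl is assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$internalUrl = "http://server4"               # assumed Default-zone URL of the web application
$externalUrl = "https://home.companyabc.com"  # name published on Forefront TMG
$zone        = "Internet"

$webApp = Get-SPWebApplication $internalUrl
if (-not $webApp) { throw "No web application answers to $internalUrl" }

# Guard: the external name must not already be an incoming URL of another web application.
$clash = Get-SPWebApplication | Where-Object { $_.Id -ne $webApp.Id } |
    Where-Object { $_.AlternateUrls | Where-Object { $_.IncomingUrl -eq $externalUrl } }
if ($clash) {
    throw "$externalUrl is already mapped to web application '$($clash.DisplayName)'"
}

# A zone has exactly one public URL (IncomingUrl equals PublicUrl); update it if present,
# otherwise create it. Internal URLs for the zone are left untouched.
$existingPublic = Get-SPAlternateURL -WebApplication $webApp -Zone $zone -ErrorAction SilentlyContinue |
    Where-Object { $_.IncomingUrl -eq $_.PublicUrl } | Select-Object -First 1

if ($existingPublic -and $existingPublic.IncomingUrl -ne $externalUrl) {
    Set-SPAlternateURL -Identity $existingPublic.IncomingUrl -Url $externalUrl -Zone $zone
}
elseif (-not $existingPublic) {
    New-SPAlternateURL -WebApplication $webApp -Url $externalUrl -Zone $zone
}

# Verify: list every mapping for the web application, then confirm the URL SharePoint
# will use when it builds links for Internet-zone requests.
Get-SPAlternateURL -WebApplication $webApp | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize

$webApp = Get-SPWebApplication $internalUrl   # re-read so the new mapping is reflected
$responseUri = $webApp.GetResponseUri([Microsoft.SharePoint.Administration.SPUrlZone]::Internet)
if ($responseUri.AbsoluteUri.TrimEnd('/') -ne $externalUrl) {
    throw "Internet zone responds with $($responseUri.AbsoluteUri), expected $externalUrl"
}
Write-Host "Internet zone public URL is $($responseUri.AbsoluteUri)"
```

For the mapping to be matched, requests must reach SharePoint with the host header home.companyabc.com. The Forefront TMG SharePoint publishing wizard forwards the original host header by default; confirm this on the rule's To tab, because if TMG substitutes the internal server name instead, SharePoint matches the Default zone and builds links that external clients cannot follow.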