How to configure SharePoint Portal Server 2003 for off-box SSL termination by using ISA Server 2004

This article discusses how to configure SharePoint Portal Server 2003 for off-box SSL termination by using ISA Server 2004.

If your organization wants to implement extranet deployments of SharePoint Portal Server 2003, you can use a reverse proxy and load balancers to help protect and manage access to the front end servers that host the virtual servers. However, this kind of configuration may change the protocol, the host header, or the port that is received by SharePoint Portal Server 2003. Several functions in SharePoint Portal Server 2003 generate links and e-mail messages that are based on the host header that is received from the client. If the host header is changed, an incorrect URL is returned to the client.

In the original release version of SharePoint Portal Server 2003 and of SharePoint Portal Server Service Pack 1 (SP1), any configuration that changes the protocol, the host header, or the port causes SharePoint Portal Server 2003 to return an incorrect URL to the client. This action occurs because SharePoint Portal Server 2003 generates replies that are based on the protocol, on the host header, or on the port that is received in the client request. Therefore, the original release version of SharePoint Portal Server 2003 and of SharePoint Portal Server 2003 Service Pack 1 (SP1) do not support advanced extranet configurations.

SharePoint Portal Server 2003 Service Pack 2 (SP2) supports advanced extranet configurations. This includes configurations that use a reverse proxy, alternate URLs, and off-box SSL termination. This article describes an example that you can use to configure SharePoint Portal Server 2003 SP2 for off-box SSL termination by using ISA Server 2004. This example assumes that all the following conditions are true, in the order that they are presented:

• The Web site is published as an SSL site by using ISA Server 2004 Web publishing. You access the Web site internally as a non-SSL site by using HTTP on port 80.
• The external client sends requests to https://www.contoso.com, where the SSL session is ended. Then, the client forwards the request to http://www.contoso.com.
• The server that is running SharePoint Portal Server 2003 SP2 receives the incoming request from the server that is running ISA Server. Then, this server uses URL mapping rules to generate the outgoing links as https://www.contoso.com.
• The internal client sends a request to http://sharepoint. This request bypasses the server that is running ISA Server.
• The server that is running SharePoint Portal Server 2003 SP2 receives the incoming request from the internal client. Then, this server uses URL mapping rules to generate the outgoing links as http://sharepoint.
• SharePoint Portal Server 2003 SP2 uses alternate URL mappings to determine the URL zone from which a particular request originated. SharePoint Portal Server 2003 SP2 also uses these mappings to generate correct links.

How to configure off-box SSL termination

To configure off-box SSL termination, you must configure Microsoft Windows SharePoint Services Service Pack 2 (SP2), ISA Server 2004, and SharePoint Portal Server 2003 SP2. This example uses the following URLs:

• The incoming URL from the client is https://www.contoso.com.
• The incoming URL from the server that is running ISA Server is http://www.contoso.com.
• The portal site URL is http://sharepoint.
• The name and the URL of the server that is running ISA Server is http://ISAServer_server_name.

Step 1: Configure Windows SharePoint Services

Use the Stsadm.exe command-line tool to configure the incoming URL and the outgoing URL in Windows SharePoint Services. To do this, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following line at the command prompt, and then press ENTER:
   cd /d %commonprogramfiles%\Microsoft Shared\Web Server Extensions\60\Bin
3. Configure an alternate URL for the incoming URL from the client. To do this, type the following line at the command prompt, and then press ENTER:
   stsadm.exe –o addalternatedomain –url http://sharepoint –urlzone extranet –incomingurl http://www.contoso.com
4. Configure the outgoing URL for the extranet zone. To do this, type the following line at the command prompt, and then press ENTER:
   stsadm.exe –o addzoneurl –url http://sharepoint –urlzone extranet –zonemappedurl https://www.contoso.com
5. Restart Microsoft Internet Information Services (IIS) 6.0. To do this, type iisreset at the command line, and then press ENTER.

Step 2: Configure ISA Server 2004

Create a Web publishing rule in ISA Server 2004. To do this, follow these steps:

1. Install an SSL certificate for www.contoso.com on the server that is running ISA Server.
2. Create a Web publishing rule to publish http://www.contoso.com as https://www.contoso.com.
3. Right-click the Web publishing rule that you created, and then click Properties.
4. Click the To tab, and then make sure that the Forward the original host header instead of the actual one (specified above) check box is selected.
   
   If the check box is not already selected, click to select this check box.
5. Click the Traffic tab, click Filtering, and then click Configure HTTP. Make sure that the Verify normalization check box and the Block High Bit Characters check box are not selected.
   
   If these check boxes are selected, click to clear these check boxes.
6. Click OK.

If you have only Windows SharePoint Services and do not have SharePoint Portal Server 2003, this completes the setup. If you have SharePoint Portal Server 2003, go to step 3.

Step 3: Configure SharePoint Portal Server 2003

Configure alternate URLs for intranet access and for extranet access. To do this, follow these steps:

1. Start SharePoint Central Administration.
2. Under Portal Site and Virtual Server Configuration, click Configure alternate portal site URLs for intranet, extranet, and custom access.
3. Add intranet and extranet URLs to the default access setting. To do this, follow these steps:
   1. Move the pointer over the default access setting, click the down arrow that appears, and then click Edit.
   2. On the Change Alternate Access Setting page, type http://sharepoint in the Intranet URL box, and then type https://www.contoso.com in the Extranet URL box.
   3. Click OK.
   Important Make sure that you do not modify the URL that appears in the Default URL box.
4. Add a new access setting named "Dummy Mappings". To do this, follow these steps:
   1. Click New Access Setting.
   2. On the Add Alternate Access Setting page, type Dummy Mappings in the Mapping name box, and then type http://ISAServer in the Default URL box. Then, type http://www.contoso.com in the Extranet URL box.
   3. Click OK.
5. Restart IIS 6.0. To do this, type iisreset at the command line, and then press ENTER.

Known Issues

After you complete these steps, you will still encounter the following two known issues:

• The Edit Page link that appears under Actions in the left area of Web pages on the portal site redirects you to the wrong URL. For more information about how to fix this issue, click the following article number to view the article in the Microsoft Knowledge Base:
  926224  (http://support.microsoft.com/kb/926224/ ) Description of the SharePoint Portal Server 2003 post-Service Pack 2 hotfix package: October 2, 2006
• When you perform a search from the Search Results page, you are redirected to the wrong URL. Also, the search eventually times out.
  
  To fix this issue, create the following link translation rule:
  
  Note These steps are specific to ISA.
  1. Select the Web publishing rule that you created under "Step 2: Configure ISA Server 2004." Then, click Properties
  2. Click the Link Translation tab, click to select the Replace absolute links in Web pages check box, and then click Add.
  3. Add a link translation rule as follows, and then click OK:
     • In the Replace this text box, type the following:
       http:\ / \ /www.contoso.com
     • In the With this text box, type the following:
       https:\ / \ /www.contoso.com

Support for advanced extranet configurations was first included in SharePoint Portal Server 2003 SP2 and in Windows SharePoint Services SP2. For more information, visit the following Microsoft Web sites:For more information about the Stsadm.exe command-line tool, see the "Command-Line Operations" topic, the "Command-Line Parameters" topic, and the Command-Line-Properties" topic in the "Reference" chapter of the Microsoft Windows SharePoint Services Administrator's Guide. To obtain this guide, visit the following Microsoft Web site: