In a previous article published at www.isaserver.org I demonstrated how to create a portal trunk in Forefront UAG to publish internal applications like Microsoft Exchange, Microsoft CRM and many more. In this article we will use a newly created Forefront UAG portal trunk to publish an internal Microsoft Office SharePoint Server 2010.
What are the differences between publishing a Microsoft SharePoint Server with Forefront TMG and Microsoft Forefront UAG?
Forefront TMG also allows you to publish a SharePoint Server, but Forefront UAG offers additional capabilities for publishing a SharePoint Server. In addition to the Forefront TMG capabilities, Forefront UAG comes with the following major enhancements:
- Accessing a SharePoint Server through a portal with different authentication providers
- Forefront UAG application optimizers to control access from the client to the SharePoint Server through Forefront UAG
- Deeper HTTP and application aware filtering
- Forefront UAG Endpoint access policies
- More granular and deeper session monitoring
To publish a Microsoft SharePoint Server, start the Microsoft Forefront UAG Management Console and go to the HTTPS portal trunk created in advance. Click Add under the Applications window to start a wizard which will help you publish different applications in the Forefront UAG portal.
Select Web – Microsoft Office SharePoint Portal Server 2010 to publish the internal SharePoint Server 2010 or a farm of SharePoint servers.
Figure 1: SharePoint publishing wizard
Next, we must specify a name for the new application. In Step 3 it is possible to configure Endpoint policies for the application. Forefront UAG allows you to create Endpoint policies at the portal trunk level and at the application level to control access to the portal and the application from external clients. If you are unfamiliar with UAG Endpoint policies, leave the settings unchanged.
Figure 2: UAG endpoint policies
Next, click Configure an application server. In Step 5 enter the FQDN of the internal Microsoft SharePoint Server 2010 and the port Forefront UAG should use to access the internal SharePoint Server. If you want to restrict access to a specific path, you can do this in the UAG configuration wizard.
Figure 3: Specify internal SharePoint server
In Step 6 we can choose between different authentication mechanisms. Here we want to enable SSO (Single Sign On) so that users who access the Forefront UAG portal can use the internal SharePoint Server.
Figure 4: SSO for SharePoint
We would like to add a portal and toolbar link. If you want to open the SharePoint Server application in a new window, enable this checkbox.
Figure 5: Portal name
In Step 8 it is possible to configure the authorization settings that determine which users may access the application in the portal. If you would like to grant all authenticated users access to the SharePoint application, leave the default settings. If you want to grant only specific users and user groups access to the SharePoint application, uncheck the checkbox and select the users and user groups from the previously created repository.
Figure 6: UAG authorization
We must now save the configuration to store the changes to the UAG configuration. Click the floppy symbol to save the configuration. Next, we can activate the configuration so that all changes will be effective after a short amount of time. To activate the configuration, click the button on the right of the floppy symbol.
We are now able to customize the settings of the SharePoint application. I will only give you some high level steps for application customization.
Figure 7: UAG portal with SharePoint application
The Web Settings tab allows you to verify the URLs used, to allow WebDAV methods to the published server, and to configure many more settings.
Figure 8: Web settings
The Download / upload tab allows you to control the download of content to the published SharePoint Server.
Figure 9: Download/upload settings
The Web Server Security tab allows you to enable the smuggling protection feature and set the maximum size of a POST request. HTTP Request Smuggling (HRS) protection can be used to block requests when the following conditions apply:
- The method is POST
- The content type is not listed in the content-type list
- The length is greater than the specified maximum length
This option should be enabled only for servers that are vulnerable to HRS attacks. If it is enabled when it is not required, applications may not behave as expected.
Figure 10: Web server security
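To make the three conditions concrete, here is an added example (not code from the original article and not Forefront UAG's own implementation) that models the smuggling-protection rule over raw HTTP request heads. It assumes the three conditions must all hold for a request to be blocked, and the content-type list, size limit and sample requests are constructed for the example.

```python
# Added example, not from the original article or Forefront UAG's own code:
# a model of the smuggling-protection (HRS) rule described above, applied to raw
# request heads. Assumption: the three listed conditions must all hold for a
# request to be blocked; the content-type list and limit below are constructed.
ALLOWED_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                         "multipart/form-data", "text/xml"}
MAX_POST_LENGTH = 65536  # bytes, constructed value


def parse_request_head(raw: bytes):
    """Return (method, headers) from a raw HTTP request head; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0].upper()
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, headers


def hrs_decision(raw: bytes, enabled: bool = True) -> str:
    """'block' if all three HRS conditions apply to the request, else 'allow'."""
    if not enabled:
        return "allow"
    method, headers = parse_request_head(raw)
    if method != "POST":                                   # condition 1
        return "allow"
    # Strip parameters such as "; boundary=..." before comparing with the list
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    ctype_unlisted = ctype not in ALLOWED_CONTENT_TYPES     # condition 2
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        length = MAX_POST_LENGTH + 1  # assumption: a malformed length counts as over the limit
    too_long = length > MAX_POST_LENGTH                     # condition 3
    return "block" if ctype_unlisted and too_long else "allow"


# Constructed sample request heads (no bodies are needed for the decision)
GET_REQ = b"GET /sites/hr/default.aspx HTTP/1.1\r\nHost: sp.example\r\n\r\n"
POST_FORM = (b"POST /_layouts/upload.aspx HTTP/1.1\r\nHost: sp.example\r\n"
             b"Content-Type: multipart/form-data; boundary=x\r\nContent-Length: 100000\r\n\r\n")
POST_ODD = (b"POST /_vti_bin/lists.asmx HTTP/1.1\r\nHost: sp.example\r\n"
            b"Content-Type: application/octet-stream\r\nContent-Length: 100000\r\n\r\n")
POST_SMALL = (b"POST /_vti_bin/lists.asmx HTTP/1.1\r\nHost: sp.example\r\n"
              b"Content-Type: application/octet-stream\r\nContent-Length: 512\r\n\r\n")
```

Calling `hrs_decision(POST_ODD)` returns `block`, while the form upload, the small POST and the GET all return `allow`, which illustrates why the feature only makes sense for servers that actually need it.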
The Cookie Encryption tab allows you to enable Cookie encryption to hide cookie names and values.
Figure 11: Cookie encryption
After all settings have been configured you can test the connection from an external client. Open the portal website. When you visit the website for the first time, a set of ActiveX controls or Java applets, depending on the browser you use, will be installed. These components are the endpoint detection components, which interact with the Forefront UAG server to apply Endpoint policies and to handle local interaction between the Forefront UAG server and the client.
Figure 12: Portal endpoint detection
The user must enter the user name and the password.
Figure 13: Logon to the portal
After the user has been authenticated he will get access to the Forefront UAG portal and can now use the published SharePoint application.
Figure 14: UAG portal accessing SharePoint
Depending on the Forefront UAG configuration, the SharePoint website will be opened in the same portal window or in another window.
Figure 15: SharePoint access through Forefront UAG
In this article we published a Microsoft Office SharePoint Server 2010 using Microsoft Forefront UAG. As you have seen, publishing a Microsoft Office SharePoint Server with Forefront UAG provides many more capabilities and customization options than publishing a Microsoft Office SharePoint Server with Microsoft Forefront TMG.