Re: SharePoint 3.0: problems with external access

Hi costas,
not sure if you're still watching this thread but I do have one more
question. Everything is working fine. The boss wants to change the address
from http://SERVERNAME:8084 to http://companyweb3 Where do I need to make
the changes?


"Costas" <cpstechgroup@xxxxxxxxx> wrote in message
news:91BED75F-C356-4E08-BB2A-38D6B2EBC8BA@xxxxxxxxxxxxxxxx
For anyone interested..... (Allen's setup is complete)

Here are the steps to publish a WSS 3.0 application behind ISA Server.

Let's assume that you created a new WSS 3.0 application, that listens to
port 80, and the host header is 'Intranet'. Go to IIS Manager and make
sure that the IP address of the site is set to the IP address of the
server.

Create an A record in the DNS that points to the IP address of the server
(internal) with name "intranet".

Run the wizard to create a new SSL certificate for the site. Give the
certificate the name 'intranet.<domain>.local' and assign it to any SSL
port (e.g. 5050)

In ISA create a new SSL Web Publishing rule. Complete the wizard and make
sure that the tabs of the rule are set as follows:

The 'To' tab: the server name should be: intranet.<domain>.local. The
'Forward the original host header...." should be checked and the 'Requests
appear to come from the original client' should be selected.

The 'Listener' tab: create a new listener, for the
'intranet.<domain>.local' certificate listening to port 5050

The 'Bridging' tab: Check 'Redirect Requests to SSL port' and set it to
port 5050

The 'Public Name' tab: Set the name that your server listens to
externally. (https://server.publicdomain.com)

Open the 5050 port on the firewall and forward it to the external IP of
SBS.


That should do it.


--
Costas


"AllenM" <noreply@xxxxxxxxxxx> wrote in message
news:uVedUlSsIHA.2292@xxxxxxxxxxxxxxxxxxxxxxx
Costas,
Can you email me so I can reply back and send you some screen shots to
view. I know my error is within one of these shots and perhaps your keen
eye can see what I don't see. Thanks.
Allen


"Costas" <cpstechgroup@xxxxxxxxx> wrote in message
news:127FAE40-499F-4D62-BC4E-A8CEC656B505@xxxxxxxxxxxxxxxx
In one of the tabs of the publishing rule there is an option to set that
the requests come from the client and not from the ISA computer. Check
this option and see if that solves the problem. As I mentioned in my
previous post, I currently don't have access to an ISA server but it
seems to me that you are very close to make it work

--
Costas


"AllenM" <noreply@xxxxxxxxxxx> wrote in message
news:uhbZSxIsIHA.4360@xxxxxxxxxxxxxxxxxxxxxxx
OK I tink I'm also there. I can type in htts://FQDN:8889 and get
prompted for a login. Sometimes I get the web certificate error and
installing it doesn't help. After entering my credentials it tells me
page not found. Am I getting closer?


"AllenM" <noreply@xxxxxxxxxxx> wrote in message
news:OnPvDbIsIHA.1872@xxxxxxxxxxxxxxxxxxxxxxx
Costas,
Do you have an email address you can post for me to send you some
screen shots of my ISA rule and Web Certificate for you to look at.
Perhaps you can see where I'm erroring. thanks. Allen.

You can email me at ajmiyake@xxxxxxxxx and I'll reply to that address.
thanks.

"Costas" <cpstechgroup@xxxxxxxxx> wrote in message
news:5FE72440-8401-4093-8940-2970FDFE0DD4@xxxxxxxxxxxxxxxx
Allen,

For now, let's forget the wildcard certificate. That has to do with
ISA not the actual IIS site.

The reason you can't see your site when you click 'Browse' in IIS
Manager, is because you didn't create it in the root of the
application. You, instead, created it under the 'Sites' managed path.
If you want to be able to see your site, you have to create a new
application and, if you want, I can provide the steps for you.

Since the certificate is created, listening to port 8889, go to ISA
and create a new SSL Web Publishing Rule. When it comes down to
selecting the Web Listener, create a new one, using the certificate
you just created at port 8889. Apply the changes and try to access
the site from the Internet.

See if that will work

--
Costas


"AllenM" <noreply@xxxxxxxxxxx> wrote in message
news:ejc1LFGsIHA.3804@xxxxxxxxxxxxxxxxxxxxxxx
OK I just got a bit more confused re-reading your posts. After you
suggest I create the server certificate (which I successfully did)
your next step is to create a "wildcard" certificate"?

"AllenM" <noreply@xxxxxxxxxxx> wrote in message
news:%238MAmBGsIHA.5576@xxxxxxxxxxxxxxxxxxxxxxx
OK So I think I've got this portion out of the way. Here's what
I've done so far.

Under SP 3.0 Central Administration/Operations/Alternate Access
Mappings/Public Zone URLs, I have
1) http://servername:8084 for Default Zone
2) https://FQDN:8889 where the port number is the assigned SSL port
in IIS for Internet Zone

I created the Web Certificate and assigned it port 8889 (thanks for
the suggestion on how to create it)

So before I move onto the ISA portion of this I got a few
interesting questions.
1. From IIS when I go to the WSS3.0 website and click "Browse" I
cannot get a page.
2. To access my WSS3.0 website internally the URL is
http://servername:8084/sites/companyweb3 which leads me dumbfounded
over why my default zone is http://servername:8084 This link
takes me nowhere as it is incomplete. Is this all correct so far?



"Costas" <cpstechgroup@xxxxxxxxx> wrote in message
news:OueGHqFsIHA.4376@xxxxxxxxxxxxxxxxxxxxxxx
Is Certificate Services installed on your server? Go to
Administrative Tools, Certificate Services.

If the services is not installed, go to Control Panel, Add/Remote
Programs, Add or Remove Windows Components and add the Certificate
Services component. When it asks you for the name, give it the
name of your business. This will allow you to issue certificates.
Try running the SSL wizard again and see if the options is
visible.

--
Costas


"AllenM" <noreply@xxxxxxxxxxx> wrote in message
news:u0aPhkFsIHA.4476@xxxxxxxxxxxxxxxxxxxxxxx
Well it appears it does not allow me to "create a new
certificate". I do not have the option to 'Send the request
immediately....' so if I select the given to create now and send
later when I'm through going through the process it appears it
does not create it because when I come back in I cannot "View
Certificate".


"Costas" <cpstechgroup@xxxxxxxxx> wrote in message
news:emLg5O%23rIHA.672@xxxxxxxxxxxxxxxxxxxxxxx
Allen,

Click on delete pending request and then start the wizard again.
Click on 'Create a new certificate', select the option 'Send the
request immediately....', under name give a name for the
certificate (e.g, mysite.publicdomain.com), give the name of
your organization, and organization unit, under common name,
type the public name of the domain (e.g.
mysite.publicdomain.com), provide the location, then the port
(this is the port where the site will listen to for SSL
requests), and under certification authority, you should select
the certification authority of your domain (it should be in the
format server.domain.local\Name of Authority).

That will create a certificate for the web site.

--
Costas


"AllenM" <noreply@xxxxxxxxxxx> wrote in message
news:uDDSjH8rIHA.4952@xxxxxxxxxxxxxxxxxxxxxxx
thanks costas,
Here's where I am a bit confused. After starting the
certificate wizard it get to the window box "Pending
certificate Request" with 2 options.

1. Process the pending request and install certificate
(default)
2. Delete pending request.

So I accept the default and select option 1. Now here is where
it becomes confusing to me. The next window that pops up
is........
Process a pending certificate request by retrieving the file
that contains the certification authority's response.
Path and file name:
C:\*.cer

with a Browse button. Where do I browse to or do I simply type
a new name for a new certificate and if so where shall I save
it to?

"Costas" <cpstechgroup@xxxxxxxxx> wrote in message
news:uQsyk$7rIHA.2492@xxxxxxxxxxxxxxxxxxxxxxx
Allen,

Since the WSS site is functional internally, go to IIS
Manager, right click on the site, select 'Directory Security',
click 'Server Certificate' and create a new server
certificate. Give it the port number (e.g. 5000) on which you
want the site to respond to.

After that you need to create a wildcard certificate, to be
able to have different sites behind ISA. There is one more
possibility but I'm not sure if it will work. Instead of
creating a wild card certificate, use the publishing.xxx.xxx
certificate that ISA creates when you run CEICW. I'll have to
test that and I'll post back.

When I had ISA installed the WSS 3.0 site was on a different
server. I created a wildcard certificate and the server will
listen to two different URLs. When I was typing
myremote.mydomain.com it will go to SBS and when I was typing
myportal.mydomain.com it will forward the request to
SharePoint on the member server.

I'll have to test the scenario I mentioned earlier and let you
know

--
Costas


"AllenM" <noreply@xxxxxxxxxxx> wrote in message
news:OxyKwa7rIHA.1872@xxxxxxxxxxxxxxxxxxxxxxx
Costas,
Please excuse my ignorance but I am having some problems
understanding the correct procedures to do this. I know your
time is valuable but if you can take a few moments here to
walk me through this I sure would appreciate it.

What would be my first step?
Create a new certificate for the WSS 3.0 website? I'm a bit
confused or lack the knowledge to do so correctly.

"Costas" <cpstechgroup@xxxxxxxxx> wrote in message
news:egNpSL7rIHA.2064@xxxxxxxxxxxxxxxxxxxxxxx
That is in the SharePoint 3.0 Central Administration, under
'Operations'.

--
Costas


"AllenM" <noreply@xxxxxxxxxxx> wrote in message
news:eljT7G7rIHA.2208@xxxxxxxxxxxxxxxxxxxxxxx
Where is this located?
"Go to 'Alternate Access Mappings' and in the 'Internet
Zone' for your
application,type: https://remote.domain.com:8000



"Costas" <cpstechgroup@xxxxxxxxx> wrote in message
news:C7B8291E-C694-41CF-A387-87A89408E707@xxxxxxxxxxxxxxxx
Allen,

Port 443 won't work because it is already used by the
Default Web Site. What you need to do is create a wildcard
certificate and use it in ISA. This will allow you to have
multiple web sites behind ISA. The steps are outlined in
the following document
http://www.microsoft.com/technet/isa/2004/maintain/wildcard.mspx

If I remember correctly, when I used to run CEICW, it used
to overwrite the certificate with the publishing.x.x so I
had to reset it.

I'll try to find sometime to see if there is any other way
to do that but I don't believe there is. ISA
'complicates' things a bit for small business environment
but that's only because it's designed to be very secure


--
Costas


"AllenM" <noreply@xxxxxxxxxxx> wrote in message
news:udDIKJ6rIHA.5096@xxxxxxxxxxxxxxxxxxxxxxx
Thanks Costas. Quick question regarding the SSL port to
use and the ISA rule. Does it require a certain SSL port
to use? Any preferred port for SSL? 443? Also what
protocaol/Listener do I use when creating the ISA rule.
SBS Web Listener?


"Costas" <cpstechgroup@xxxxxxxxx> wrote in message
news:05EBDF02-207C-42C0-8973-A039FED53701@xxxxxxxxxxxxxxxx
Allen,

The steps to publish WSS 3.0 applications behind ISA
2004 are the same as those that I posted earlier. The
additional step would be to create a secure web server
publishing rule in ISA Server to forward the requests to
the site. I had a similar setup up to recently but I
don't currently have any installations with ISA
installed to be able to guide you step-by-step.

If you have any problem configuring ISA let me know and
I'll do my best to help. There is also a document you
might want to take a look at (
http://www.microsoft.com/downloads/details.aspx?FamilyID=4C5BF9DD-3EFB-451D-B213-98ED039190BF&displaylang=en )
This talks bout Portal Server 2003, but the steps as far
as ISA 2004 is concerned are the same. Actually I think
the document is more complicated than the process to
setup the rules :-)

As far as linking to the application from within
companyweb, first you must complete the above steps and
then add a link, in companyweb, to the external URL.
That should do it.

--
Costas


"AllenM" <noreply@xxxxxxxxxxx> wrote in message
news:eKPp%23b5rIHA.1768@xxxxxxxxxxxxxxxxxxxxxxx
Pardon my intrusion here but I've been following this
thread as it is similiar to what I am trying to
accomplish. Costas you seem to have a good knowledge of
WSS 3.0 and publishing it for external access. So
instead of posting my own thread if you all don't mind
I'll post as a continuation here. thanks.

Here's my situation. Like Charles I have installed WSS
3.0 in a side by side configuration as suggested by MS.
Everything works fine as well as my WSS 2.0 companyweb.
I have SBS 2003 Premium server SP1 and am using ISA
2004 SP2. My WSS 2.0 companyweb is accessable from
internal as well as external.

http://companyweb (internal)
https://FQDN:444 (external)

I want to be able to access my WSS 3.0 externally as
well. So I thought the easiest way to do it was to add
a link to my WSS 2.0 companyweb that points to my WSS
3.0 website. Works fine. Internally only. I was wrong
to think that it would work externally. So my question
to you all would be.........

1. How would I get the link on my WSS 2.0 companyweb
pointing to my WSS 3,0 website to work externally.
2.How would I publish the WSS 3.0 website to access
externally direct.

http://servername:8084/sites/companyweb3/default.aspx
(internal URL for WSS 3,0 website)


"Costas" <cpstechgroup@xxxxxxxxx> wrote in message
news:%23cG1173rIHA.548@xxxxxxxxxxxxxxxxxxxxxxx
Charles,

Glad to hear external access worked. As far as
editing directly the IP address in IIS, that is
something that isn't recommended with SharePoint
sites. Anything you need to do, you must do from
within Central Administration.

If the application didn't work internally, having as
IP address the 'All Unassigned', that most probably
means, that you didn't provide a host header name when
you created the application. If a host header is
defined, IIS knows where to router the requests for
'http://mysite'

--
Costas


"Charles" <Charles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:BEBDDCE0-1ADB-4407-B003-D6B4F80C03ED@xxxxxxxxxxxxxxxx
Costas,
Many thanks, this is exactly the input I needed. So
the port number one
needs in the external address is in fact the port
used by SSL! Of course of
course. So I did exactly that and...it works
externally, great !

I had an issue with internal access as a result of
the changes, but I think
I will able to solve it on my own (or so I hope-;):
under the SP 3.0 website
in IIS, I had to tweak the IP address under
properties (from undetermined to
192.168.16.2) so that I regained internally access.
Any thoughts on that?
Correct you think?

Unfortunately I cannot test external access right now
because I am on the
LAN and that my computer at home is not available for
VPN (btw, do you any
easy way to test remote access other than VPNing a
specific computer off the
LAN?)

Anyway I will keep you posted on external+internal
access but the hardest
part is behind me now, thanks again
"Costas" wrote:

Charles,

Let's say that your Internet facing side responds
to:
https://remote.domain.com (in other words in order
to access RWW you type
https://remote.domain.com/remote)

In IIS, go to the web site that SharePoint is using
and create a certificate
that listens to port 8000 (as per your example).
Make sure that next to
SSL, it shows 8000, in the Properties section.

Go to 'Alternate Access Mappings' and in the
'Internet Zone' for your
application,type: https://remote.domain.com:8000

Open the port 8000 on the firewall and forward it to
the server's internal
IP.

That should do it

--
Costas


"Charles" <Charles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:64EB8D07-F5FA-43C8-9BEE-DC5764A67553@xxxxxxxxxxxxxxxx
Hi all,
We have SBS 2003 standard SP2 behind a Sonicwall
TZ 180.

We installed SharePoint 3.0 side-by-side with SP
2.0, no problem during
installation, we followed the MS instructions for
SP 3.0 on SBS 2003.
Everything works fine internally. We like SP 3.0,
which we find a great
improvement over SP 2.0. So far so good.

The trouble is with external access, which we find
incredibly complex to
set
up and so far does not work. Here is what we did :
- Under SP 3.0 Central
Administration/Operations/Alternate Access
Mappings/Public Zone URLs, we have 1) under
«default » the internal url ;
2)
under « internet » https://ip-address:portnumber,
where the port number
was
the one allocated to the site during the initial
set up of the intranet
following the MS intructions (ie "25364") and the
ip-address is our static
external address (also used to access RWW without
difficulty, for
example).
- Under IIS, we found the SP 3.0 web site created
during setup, but with
no
Certificate, which we then added (we used the
existing cert also used for
RWW), and specified a SSL port different from the
TCP one (which is the
above
25364, so that the SSL is, for example, 8000). I
think that I don't
really
understand how the SSL port works and what it is
for, so I suspect that I
am
doing something wrong here.
- In the Sonicwall, we opened both the 25364 and
the 8000 ports
After trying different combinations of the above
(for example : no
specification of the SSL port. ?), the SP 3.0 site
still does not work
externally.
What I am doing wrong or missing ?
Thanks for your help
Charles




































.