janalent kb isa ldaps configuration guide

Upload: janalent

Post on 30-May-2018


  • 8/14/2019 Janalent KB ISA LDAPS Configuration Guide


    Janalent

    knowledge . wisdom . performance

    Copyright Janalent North America LLC, All rights reserved

    ISA Server 2006 Configuration Guide for: Publishing SharePoint/OWA via Standalone ISA Server

    Document Abstract: This document provides a step-by-step guide to properly publish SharePoint through ISA using LDAPS for authentication.

    Author(s):

    Elias Hill


    Janalent Knowledge, Wisdom, Performance

    Janalent North America, LLC

    7251 W Lake Mead Blvd, Suite 300 | Las Vegas, NV 89128

    Phone: +1.888.290.4870 | web: www.janalent.com | email: [email protected]

    2008 Janalent North America LLC. All rights reserved


    Document Control & Sign-off

    Document Properties

    Item              Details
    Document Title    ISA Server 2006 Configuration Guide for: Publishing SharePoint/OWA via Standalone ISA Server
    Creation Date     12/13/08
    Last Updated      07/09/09
    Authors           Elias Hill (Date 12/13/08)
    Version number    0.0.1


    Table of Contents

    Document Control & Sign-off
      About the Authors
    Overview
      Document Scope
      Assumptions
      High Level Processes
    Procedures
      Install an Enterprise Root CA in the Authenticating Domain
      Configure ISA for LDAPS Authentication
      Publish the SharePoint Sites in ISA
      Test Connectivity to LDAPS Server (fail)
      Enable Certificate Auto-Enrollment in the Domain
      Export CA Root Certificate and Install on the ISA server
      Test Connectivity to LDAPS Server (success)
      Validate Site Access, SSO and File Upload Functionality


    About the Authors

    Elias Hill, Manager of Solutions Architecture, Janalent North America

    Eli is an Enterprise Solutions Architect and a multi-disciplined expert in messaging & collaboration system solutions and network engineering. He has over 10 years of experience in designing, deploying, and maintaining directory, messaging, and network systems in large, complex, global enterprises.


    Overview

    In many deployments of SharePoint or OWA, it is common to publish sites using an ISA server that might be a member of a domain. As a member of the domain, an ISA server can authenticate users without much configuration. However, in most enterprise environments, it is atypical to have the perimeter network infrastructure leveraging an ISA server; more frequently, appliance firewalls (Cisco, Juniper, Checkpoint, etc.) are deployed. In these scenarios, the ISA server would likely be deployed as a reverse proxy for published client access for Microsoft applications, including Exchange, SharePoint, and Office Communication Server. In this context, the reverse proxy is often located in a DMZ, where traffic is tightly managed. Here, opening all the ports necessary to support a domain member across a firewall would not only likely violate the security policy, but is also unsupported and impractical. A more desirable solution would have the ISA server authenticating users via LDAPS (secure LDAP, tcp/636), which is characterized by two operational parameters:

    1. The client and server establish TLS before any LDAP messages are transferred
    2. Once TLS closes, the LDAPS connection must be closed

    Furthermore, by leveraging HTTPS to client access applications and LDAPS to a designated domain controller, users can change passwords and be informed of password expiration. In this way, one can approach enterprise clients with a solution that not only achieves advertised features of Microsoft client access applications, but also satisfies security policies (i.e. two (2) standards-based, encrypted ports: tcp/443 and tcp/636). Note: Although outside the scope of this document, two-factor authentication mechanisms are also supported in this context.

    Document Scope

    This document provides a step-by-step guide to demonstrate and explain how to publish SharePoint sites, using LDAPS as the authentication mechanism for domain users. There are a few sections that deviate from a perfect installation to provide the reader with troubleshooting procedures. The content of this document is generic and may not fit every scenario.

    Assumptions

    • Domain controllers are running Windows Server 2008.
    • A wildcard certificate has been procured (e.g. *.genericcompany.com).
    • The public-facing DNS zone file has been updated with host entries for all published sites.
    • SharePoint is running on MOSS 2007; in this scenario, there are five (5) sites with distinct host headers ending with the same domain suffix. Each site has been properly configured for SSL, including AAM (Alternate Access Mapping). Note: SharePoint configuration is outside the scope of this document.
    • The firewall, running ISA Server 2006, is not a member of the eApps domain; instead, it is a member of the Janalent production domain.
    • All client-server/server-server interactions must be encrypted.
    • SSO (single sign-on) and FBA (forms-based authentication) must be enabled. Note: SharePoint configuration is outside the scope of this document.
    • Users must be able to change passwords through the published web interface.


    High Level Processes

    The following procedures will be described:

    1. Install an Enterprise Root CA in the Authenticating Domain
    2. Configure ISA for LDAPS Authentication
    3. Publish the SharePoint Sites in ISA
    4. Test Connectivity to LDAPS Server (fail)
    5. Enable Certificate Auto-Enrollment in the Domain (optional); just be sure that the CA has issued a certificate to the domain controller used for LDAPS inquiries by the ISA server
    6. Export CA Root certificate and Install on the ISA server
    7. Test Connectivity to LDAPS Server (success)
    8. Validate Site Access, SSO and File Upload Functionality

    [Figure 1 diagram; labels: Internet, Client, ISA Server, Domain Controller, MOSS or SharePoint, HTTPS (tcp/443), LDAPS (tcp/636)]

    Figure 1 Considered network topology for ISA using LDAPS for authentication

    Procedures

    Install an Enterprise Root CA in the Authenticating Domain

    On the designated domain controller (used for LDAPS), launch computer management and add a new role. Check Active Directory Certificate Services.


    Click Next

    Select Certification Authority and click Next


    Select Enterprise and click Next

    Select Root CA and click Next


    Select Create a new private key and click Next

    Accept the default cryptographic settings (RSA#Microsoft Software Key Storage Provider, sha1, 2048) and click Next


    The default common name is acceptable, but note that the name cannot be altered in the future without rebuilding the entire certificate chain. Click Next.

    Set the validity period to an acceptable value (in this case, 10 years) and click Next


    Select the locations for the certificate database and log files (here, defaults) and click Next

    Review the configuration, noting the warning about changing the name of the server, and click Install


    Note the successful installation and click Close


    Configure ISA for LDAPS Authentication

    On the ISA server, populate the HOSTS file with an entry that references the LDAPS provider by its FQDN. Later on, the certificate auto-enrollment process on the enterprise CA will issue a certificate to the domain controller (in this case, to itself) using the FQDN, so using any other name in the LDAPS authentication will result in an error.

    In the ISA 2006 console, navigate to Configuration → General and select Specify RADIUS and LDAP Servers


    Select the LDAP Servers tab and click Add

    Provide the FQDN of the domain controller that will respond to LDAPS. Server description is optional. The default timeout is 5 seconds. Click OK.


    Provide the correct domain name for the authenticating domain, check Connect LDAP servers over secure connection, provide a credential to access the directory (domain user is sufficient), and click OK

    Provide login expressions to direct authentication query to the correct provider and click OK

    In this case, EAPPS\* (NetBIOS) and *@eapps.local (UPN)


    Click Apply, wait for the changes to commit and click OK


    Publish the SharePoint Sites in ISA

    Launch the ISA 2006 console and create a new Web Listener, provide a descriptive name, and click the Listener tab

    Create a new listener with a descriptive name.


    On the Authentication tab, select HTML Form Authentication, select LDAP (Active Directory), click Advanced

    Check Require all users to authenticate and click OK


    On the Forms tab, check Allow users to change their passwords

    On the SSO tab, check Enable Single Sign On, click Add... and provide the appropriate URL suffix. Note the extra pre-pended period.

    .genericdomain.com

    Click OK


    On the Authentication Delegation tab, select NTLM authentication

    Click OK


    Click Apply, wait for the changes to commit and click OK


    Test Connectivity to LDAPS Server (fail)

    To use LDAPS, a server certificate must be installed on the LDAP server and the root certificate from the issuing CA needs to be installed on the ISA Server computer. This section demonstrates what happens in the absence of the proper certificates.

    LDAPS functionality can be validated using LDP.

    Select Connection → Connect


    Provide the FQDN of the designated domain controller, specify the LDAPS port (636), and check SSL.

    Note that the LDAPS connection fails with a vague error.


    Enable Certificate Auto-Enrollment in the Domain

    To satisfy the appropriate requirements for LDAPS, a server certificate must be issued to the domain controller. Later, the issuing CA root certificate will be installed on the ISA server as a trusted root authority.

    In the domain, configure a GPO that automatically enrolls each domain controller with a certificate. Launch Group Policy Management Editor and edit the Default Domain Controllers Policy. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Certificate Services Client - Auto-Enrollment


    Select Enable from the Configuration Model drop-down and check Renew expired certificates, update pending certificates, and remove revoked certificates. Click OK.

    Immediately apply the GPO to the domain controller by running gpupdate from the command line.


    Export CA Root Certificate and Install on the ISA server

    On the enterprise root certificate authority, run MMC.

    Select Add/Remove Snap-in

    Select Certificates and click Add >


    Select Computer account and click Next

    Select Local computer: (the computer this console is running on) and click Finish


    Navigate to Personal → Certificates and be sure to select the root certificate, indicated by the Certificate Template (Root Certification Authority). Right-click → All Tasks → Export

    Click Next


    Select No, do not export the private key. Exporting the private key would unnecessarily compromise the security of the certificate.

    Leave the default encoding and click Next


    Provide a filename and click Save

    Click Next


    Note the settings and click Finish

    Click OK

    Copy the exported certificate file to the ISA server. Launch MMC, add the Certificates snap-in for the local computer, and, under Trusted Root Certification Authorities, right-click → All Tasks → Import


    Click Next

    Browse and locate the certificate file and click Next


    Select Place all certificates in the following store, ensure that Trusted Root Certification Authorities is displayed, and click Next

    Note the settings and click Next

    Click OK


    Note that the root certificate is now listed under Trusted Root Certification Authorities
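
The import steps above can also be scripted so that the copied file is checked before it becomes a trust anchor. The following PowerShell function is an added example, not part of the original guide: it refuses a file that carries a private key, is not a self-signed CA certificate, or does not match a thumbprint read on the CA itself. The function name, file path and thumbprint parameter are assumptions.

```powershell
# Added example: vet an exported root certificate, then add it to the local
# computer's Trusted Root store. Run from an elevated prompt on the ISA server.
function Import-VerifiedRootCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Path,                # exported .cer copied from the CA
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint   # read on the CA itself, not from the copied file
    )

    # .NET resolves relative paths against the process directory, so pass a full path.
    $file = (Resolve-Path $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    $problems = @()
    if ($cert.HasPrivateKey) {
        $problems += 'File carries a private key; export again without it.'
    }
    if ($cert.Subject -ne $cert.Issuer) {
        $problems += 'Subject and issuer differ, so this is not a root certificate.'
    }
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not ($bc -and $bc.CertificateAuthority)) {
        $problems += 'Basic Constraints does not mark the certificate as a CA.'
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += 'Certificate is outside its validity period.'
    }
    # Thumbprints copied from the certificate dialog contain spaces; keep hex digits only.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        $problems += "Thumbprint mismatch: file has $($cert.Thumbprint)."
    }

    $imported = $false
    if ($problems.Count -eq 0) {
        $name = [System.Security.Cryptography.X509Certificates.StoreName]::Root
        $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $name, $location
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        try {
            $store.Add($cert)
            $imported = $true
        }
        finally {
            $store.Close()
        }
    }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Imported   = $imported
        Problems   = $problems
    }
}

# Usage (placeholder path and thumbprint):
#   Import-VerifiedRootCertificate -Path 'C:\temp\rootca.cer' -ExpectedThumbprint '<thumbprint shown on the CA>'
```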


    Test Connectivity to LDAPS Server (success)

    LDAPS functionality can be validated using LDP.

    Select Connection → Connect

    Provide the FQDN of the designated domain controller, specify the LDAPS port (636), and check SSL.


    Note that the output indicates a successful connection; all error codes are zero.
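
The failing and successful LDP tests show only whether the connection worked. The following PowerShell function is an added example, not part of the original guide: run on the ISA server, it performs the same TLS handshake on tcp/636 and reports which precondition is missing, an untrusted issuing CA or a host name that does not match the domain controller's certificate. The host name `dc01.eapps.local` in the usage comment is a hypothetical placeholder.

```powershell
# Added example: LDAPS handshake probe. Run on the ISA server so that the HOSTS
# file and the computer's trusted roots are the ones ISA itself relies on.
# Only the TLS handshake is performed; no LDAP bind is sent, no credentials are used.
function Test-LdapsHandshake {
    param(
        [Parameter(Mandatory = $true)][string]$Server,   # FQDN exactly as entered in ISA
        [int]$Port = 636
    )

    # Filled in by the certificate validation callback during the handshake.
    $state = @{ Checked = $false; PolicyErrors = $null; Subject = $null
                Issuer = $null; NotAfter = $null; ChainStatus = @() }

    $validate = {
        param($source, $certificate, $chain, $policyErrors)
        $state.Checked = $true
        $state.PolicyErrors = $policyErrors
        if ($certificate) {
            $c2 = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
            $state.Subject = $c2.Subject
            $state.Issuer = $c2.Issuer
            $state.NotAfter = $c2.NotAfter
        }
        if ($chain) {
            $state.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        }
        # Accept only a clean validation result, as a strict client would.
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure()

    $findings = @()
    $trusted = $false
    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)          # name resolution honours the HOSTS file
        $stream = $tcp.GetStream()
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]$validate
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        $ssl.AuthenticateAsClient($Server)    # TLS is negotiated before any LDAP message
        $trusted = $true
    }
    catch {
        $findings += "Connect/handshake error: $($_.Exception.GetBaseException().Message)"
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }

    $errText = if ($state.Checked) { "$($state.PolicyErrors)" } else { 'NotEvaluated' }
    if ($errText -match 'RemoteCertificateChainErrors') {
        $findings += 'Chain not trusted on this computer (see ChainStatus): the issuing CA root must be in Trusted Root Certification Authorities.'
    }
    if ($errText -match 'RemoteCertificateNameMismatch') {
        $findings += "Name mismatch: '$Server' is not a name in the certificate; use the domain controller's FQDN in HOSTS and in ISA."
    }
    if ($errText -match 'RemoteCertificateNotAvailable') {
        $findings += 'The server presented no certificate.'
    }
    if (-not $state.Checked -and -not $trusted) {
        $findings += 'No certificate was evaluated: check that tcp/636 is reachable and that the domain controller has been issued a server certificate.'
    }

    New-Object PSObject -Property @{
        Server       = $Server
        Port         = $Port
        Trusted      = $trusted
        PolicyErrors = $errText
        Subject      = $state.Subject
        Issuer       = $state.Issuer
        NotAfter     = $state.NotAfter
        ChainStatus  = ($state.ChainStatus -join ', ')
        Findings     = $findings
    }
}

# Usage (hypothetical FQDN; substitute the name configured in ISA):
#   Test-LdapsHandshake -Server 'dc01.eapps.local' | Format-List
```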


    Validate Site Access, SSO and File Upload Functionality

    Launch IE on an external computer, browse to a published website and provide an appropriate credential. Note the FBA interface.


    Browse to Shared Documents


    Upload individual and multiple documents.


    To test SSO functionality, manually type another site within the same domain suffix and MOSS instance (i.e. https://extranet.genericdomain.com/default.aspx)
