Techblurt: Privacy & Security Perspectives

Configuring SharePoint 2010 Alternate Access Mappings and My Sites with a Reverse Proxy (e.g. TMG/ISA)

Today I stumbled across an old issue that has been around since MOSS 2007 & ISA server; in principle the same pitfalls exist in SharePoint 2010 and Threat Management Gateway (TMG).

One of our partners uses TMG as a proxy to any internal systems such as SharePoint or Outlook Web Access and I confused myself when troubleshooting external access to their My Sites.

The company in question is not a big organisation (~50 employees), they have a setup as follows:

Internal Url: http://sharepoint/

My Sites Url: http://sharepoint/my/etc.

External Acccess via TMG: https://remote.domain.com/

Initially you might be forgiven for thinking that either:

1. Your reverse proxy server can (solely) handle the link translation from https://remote.domain.com to http://sharepoint

OR

2. You could use Alternate Access Mappings (AAM) to add https://remote.domain.com to the Internet zone in SharePoint 2010

However, even TMG is unable to manage all the links that SharePoint outputs (eg Alerts or My Sites), and using AAM on its own will not allow TMG to do the required link translation without HTTP/HTTPS mixed content issues (at minimum!).

In fact both above suggestions are part solutions – they must both be implemented as follows:

1. Setup a new internal domain, using the same protocol (HTTPS in this case) that TMG can map to. In this case we used https://sharepoint.domain.local/. This can be using a self-signed cert if necessary.

2. Setup AAM such that both the new domain AND the external domain are in the same (Internet) zone, so:

https://remote.domain.com (Internet Zone, Public Url)
https://sharepoint.domain.local (Internet Zone, Internal Url)

3. Setup TMG to map requests from https://remote.domain.com to https://sharepoint.domain.local with “Forward the original Host header” turned on

IISReset never did any harm at this point either Winking smile 

At this point, My Sites should work fine if the site collection uses the same domain as the main SharePoint site (as it does it in this case). If a mysites.domain.com approach has been taken, similar steps must be repeated for this domain.

For a fuller explanation the original post series involving MOSS 2007 & ISA Server by Troy Starr (great name, even better post series!) can be found here (with broken images at the time of writing; I’m guessing “somebody’s” migration to 2010 cut corners?!):

http://sharepoint.microsoft.com/blog/Pages/BlogPost.aspx?pID=804

Hope that helps!

Posted

in

,

by

Gus Fraser

Tags:

, , , , , , ,

Comments

One response to “Configuring SharePoint 2010 Alternate Access Mappings and My Sites with a Reverse Proxy (e.g. TMG/ISA)”

  1. Lync 2010 People Search with SharePoint 2010 and TMG « TechBlurt.com

    […] About « Configuring SharePoint 2010 Alternate Access Mappings and My Sites with a Reverse Proxy (e.g. TMG/IS… […]

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *