
WSS 3.0 Alternate Access Mappings and Login

SvenIA asked

I have a server running with Win2k3 and WSS 3.0. I use the server as a sort of FTP server, where my colleagues can share files with external people.

I configured an alternate access mapping in WSS Central Administration to publish the site on the internet. I configured a public URL 'http://extranet.mydomain.com' for zone Internet. Then I forwarded port 443 to the server IP in my firewall. I tested the connection through the internet, and everything seems to work fine. I can connect to my WSS website.

This gives me 2 URLs to the site.

- one for accessing from inside the network - http://extranet
- one for accessing from outside the network - https://extranet.mydomain.com

Question 1:

Hope I can make myself clear on this one... When I add a picture or an icon to the website, I set it on the internal URL, so that people inside the network can see it. People who log on from outside the network cannot see the icon or picture, because it is linked to an internal URL that they don't have access to.

Is this the right way to publish a WSS site on the internet for these purposes?  Is there a way that external users see my custom website icons?

Question 2:

For every external user, I have to create separate logon accounts. Usually it involves clients or resellers. I create these accounts manually using Active Directory. In my opinion that can't be the best way to do that.

Is there a better way to grant access to external users?


Greg Besso, IT Solutions Engineer

For the first part, the one solution is to use a Reverse Proxy such as Microsoft's ISA / TMG server solutions. Then publish the site with the external FQDN, which is publishing the internal server name or FQDN. It will handle the translations.

The second solution of the first part is to disconnect your content database(s), delete the web application, and recreate it. Specify the URL as the external FQDN when initially creating the web app. Then always use the external URL regardless of where the user is connecting from.

For the second question, you always should be using AD logins for all users. That is how SharePoint is supposed to work. There are workarounds such as creating local Windows users on the SP server (if SQL is on same box), or using Forms Based Authentication but there are headaches and limitations with those workarounds. Plus they won't save you any time anyway, so unless your AD security is not configured properly you are better off using AD anyway.


Thanks for your reply....

Can I just delete the web application and recreate it? Without deleting anything important?
Justin Smith, Sr. System Engineer
Top Expert 2012

I'm a bit confused.  What exactly are your Alternate Access Mappings configured as in Central Admin?  Do these have corresponding Host Header entries in IIS?  As long as AAM is set up correctly, and your icon/picture is in a picture library, they should be able to see it externally.

Best Practice is to store external users in a separate directory.  Most popular options are a SQL Database or an instance of ADAM or Lightweight Active Directory.  You would then use Forms Based Authentication on your external URL to authenticate external people to these directories.


My exact Alternate Access Mappings are,

Default Zone - http://extranet
Internet Zone - http://extranet.mydomain.com

Pictures I add to the site in a Picture Webpart show up when I access the site from the internet. But the website icon, that I add with an internal URL pointed to a document library on the same site, will not show. I get a red cross, as you see when a picture on a site is not found.

Sr. System Engineer
Top Expert 2012
Instead of specifying an exact URL, use a relative.  /library/picturefilename.jpg


This is the right solution for me! Thanks!
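
The relative-URL fix from the thread, as an added example that is not part of the original posts: a small audit that finds `src`/`href` values pinned to the internal host and shows what each zone would request before and after the change. The two zone URLs and the `/library/picturefilename.jpg` path come from the thread; the sample markup, the `/pictures/team.jpg` path and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Zone base URLs taken from the question; the audit itself is a constructed illustration.
ZONES = {
    "Default": "http://extranet/",
    "Internet": "https://extranet.mydomain.com/",
}

class ZoneLinkAudit(HTMLParser):
    """Collect src/href values hard-coded to the internal (Default zone) host."""

    def __init__(self, internal_host):
        super().__init__()
        self.internal_host = internal_host.lower()
        self.findings = []  # (tag, attribute, original URL, server-relative replacement)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("src", "href") or not value:
                continue
            parts = urlsplit(value)
            if (parts.hostname or "").lower() != self.internal_host:
                continue  # relative, or already on another host
            relative = parts.path or "/"
            if parts.query:
                relative += "?" + parts.query
            self.findings.append((tag, name, value, relative))

def audit(html, internal_host="extranet"):
    parser = ZoneLinkAudit(internal_host)
    parser.feed(html)
    parser.close()
    return parser.findings

def resolve_per_zone(reference):
    """Show what a browser would request for `reference` in each zone."""
    return {zone: urljoin(base, reference) for zone, base in ZONES.items()}

# Constructed sample markup: a site icon pinned to the internal host, a picture that is relative.
SAMPLE = """
<img id="siteicon" src="http://extranet/library/picturefilename.jpg">
<img id="photo" src="/pictures/team.jpg">
"""

if __name__ == "__main__":
    for tag, attr, original, relative in audit(SAMPLE):
        print(f"<{tag} {attr}> {original} -> {relative}")
        print("  as written:", resolve_per_zone(original))
        print("  relative:  ", resolve_per_zone(relative))
```

Besides the broken image, an absolute internal link served on the Internet zone discloses the internal host name to external users and is requested over plain HTTP from an HTTPS page.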