Solved

Sharepoint Foundation 2010 Configuring External Access

Posted on 2013-11-22
23
1,477 Views
Last Modified: 2013-12-04
Hello experts,

We are currently rebuilding and redesigning our intranet, moving from a Joomla based CMS to Sharepoint Foundation 2010.  I've been all over Google and read numerous articles on Forms-Based Authentication and such.  We have a need to "extend" the web applications of SP to external users in our company, that are not on the main domains.  We have our SP set up in the following way:

2 Win 2008R2 servers

Primary server:  SP Foundation 2010, MSSQL 2008, main SP database and site collections
Secondary server:  SP Foundation 2010 (same farm), content pages.  (These are not online yet.)

Sharepoint itself works fine internally.  Also, I've been able to successfully set up forms based authentication on a test site collection and it also works fine internally.

Now, at this point, we'd like to extend the main web application (Sharepoint - 8080) to the outside with a custom domain name (http://mysite.mydomain.com, for example).

I have taken the following steps:

1.  Converted the original web app from Windows authentication to Claims authentication.
2.  Extended the web app through the following process:
     a.  From Manage Web Applications in Central Admin, I clicked on the main site, and clicked "Extend.
     b.  I followed the screen, creating a new site, using the my external URL as the name, port 80 for the default port, the external url as the host header, Yes to Allow Anonymous, No to SSL (testing for now), checked both Enable Windows Auth and Enable FBA, filled in my provider name and manager name from the working config, and accepted all other defaults.
3.  FBA was previously configured through a test site and is confirmed to be working on that site, but I cannot test on the new site.

I am unable to access the new extended site internally to test FBA, I get a 404 error on that site.

I've been spending a lot of time on this and I'm pretty fried.  Hoping someone can help me out here.

Thanks!
0
Comment
Question by:dossaviation
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 15
  • 8
23 Comments
 
LVL 8

Expert Comment

by:vaderj
ID: 39675534
Lots of things to check here, but first :

Is this environment load balanced?

When you resolve the DNS address, does it resolve to the same IP internally as it does externally?

Does the IIS site (on all of your web front ends) for your newly extended web app contain in the IIS bindings, the host header?

From your web front end, can you directly access your user store? (whether that be the SQL DB, the AD-LDS instance, or otherwise)

What are the zones that you extended your web application to, along with their associated Authentication Provider settings? (I know you mentioned this, this is more to spur you to just make sure that they are associated correctly for your environment)
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39675602
vaderj,

First, thank you for taking a moment to help me.

Answers, in order:

The environment is not load balanced yet.  It is still in testing.  We do plan to implement this as we move into production.

The DNS does not resolve internally, and I suspect that is because we have not created an internal zone for it yet.  However, I can't reach the extended site via IP address either.  Also, our external DNS provider (network solutions) does not resolve the new name to IP yet.

Yes.  IIS has the host headers correct, external address of skyXXX.XXXXX.net (name purposely hidden) and IP of the internal server.  (I think that's correct?)

I cannot access the front end of the newly extended site, so I can't test the user store.  I can't access that by IP or by name.  The successful test of the user store can be done on another site collection that is not connected to the extended site.  Sorry for any confusion there.

The web application is currently in the Default and Internet zones.  The extended one, of course, is the Internet zone.  Both are set to Claims Based Authentication.  The Internet zone has Enable Windows Authentication, Integrated Windows Authentication with NTLM, Enable Forms Based Authentication, with an ASP.NET membership name of LDAPMembers.  Like I said, I have no way to test this authentication.  It does work on the other test site, so I think it's a good configuration.

That being said, I'm not 100% sure that these settings are correct.  I freely admit to being a little Sharepoint dumb.  

Thanks again for your help!
0
 
LVL 8

Expert Comment

by:vaderj
ID: 39675709
So lets step back and get the external site in an accessible state:

1.)  Try disabling your FBA providers so that only NTLM is enabled

2.) in your IIS binding for the extended web app, remove the IP from the binding definition such that only the host header is present.  

Your test servers do not have an external IP they are directly associated with correct?  Is there some form of reverse proxy between your WFE (web front end) and the internet?  Is your RevProxy configured to correctly forward all requests for the particular host header over to your WFE?

For testing purposes as well, it may be benificial to grab a VM in the same domain as the test WFE and insert a HOSTS file entry (c:\windows\system32\drivers\etc\hosts )
0
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

 
LVL 1

Author Comment

by:dossaviation
ID: 39675717
OK.  Let me try your suggestions.  I'll post back ASAP.  Thanks!
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39675726
Also, there are no proxies in between.  I have not yet forwarded the ports from our Cisco ASA to the servers as I wanted to get this working internally first.
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39678174
OK, I was able to perform all the steps you asked for, and I'm still unable to access the site internally.  I expect my network guys to have the external ports open today that we need, so I'll try testing from the outside as well.  Do you have any other suggestions?

One other thing I was thinking...do you think I should extend the app again into the Intranet zone for internal access?  Right now its only in two zones, Default and Internet.

Thanks!
0
 
LVL 8

Expert Comment

by:vaderj
ID: 39678238
that should not be necessary.
Do the alternate access mappings correspond with the Authentication Providers?
Can you even ping the server?
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39678297
Hmmm...I did not check the AAM yet.  Let me do that.  Yes, I can ping the server.
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39682221
Well, I think I may just start over.  I've actually succeeded in rendering the entire site collection unavailable now.  I'm going to delete it and try again.  I'll keep you posted on our progress.  Thanks.
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39693159
So I've recreated a new site, and extended it per the instructions.  I can browse internally just fine via the new outside address (http://sharepoint.company.net) but that same address does not work externally.  I set up a record in DNS so that internal users would use the external address.

I can ping sharepoint.company.net from an external machine and it resolves just fine.  Ping replies as well.  My firewall is configured correctly and is pointing that external IP to the internal server address.

My AAMs are set for:

Default Zone:  Internal URL is http://server:8080.  Public URL is http://server:8080.
Extranet Zone:  Internal URL is http://sharepoint.company.net.  Public URL is http://sharepoint.company.net.

Yet I cannot browse the external site from outside.

This is so frustrating.

Thanks.
0
 
LVL 8

Expert Comment

by:vaderj
ID: 39693182
what are you getting? 404? server responding at all?

Have you ran an IISReset?
Maybe restart everything between your SharePoint WFE and the internet connection?
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39693214
Getting a blank page.  No 404 or response at all.  

Chrome says Server Sent No Data.

I did run an iisreset.  I restarted everything, even the server itself.  I have a Cisco ASA, and I'm not going to bounce that one.

Thanks!
0
 
LVL 8

Expert Comment

by:vaderj
ID: 39693237
oh dear - I have had multiple nightmarish experiences with ASA's (5505's) - Do you have any other sites behind the ASA that you are able to access externally?

From my experience, ASA's do not have any reverse proxy functionality - what are you using to translate the external subdomain and forward the request to the proper server?

Fortunately, there should be absolutely no reason to restart the ASA - if there is anything to be said about them, its that they are stable!
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39693242
Yeah, we've had our fair share of ASA issues as well...but we have two other sites that translate through it and work fine.

No other devices stand between the gateway and the server.  It's all on the ASA.
0
 
LVL 8

Expert Comment

by:vaderj
ID: 39693531
can you try this - can you disable the SHarePoint IIS site in IIS Manager, enable the default site and attempt to access it externally?
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39693566
I must be doing something wrong...I now get a 404 page internally, still same condition externally...no data received.
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39693573
Apologies...I had not started the default site.  I have an IIS7 splash page internally, nothing externally.  Same condition.
0
 
LVL 8

Expert Comment

by:vaderj
ID: 39693606
OK so it sounds as though somthing is preventing the completion of the request.  Can you try completely disabling the Windows Firewall for just a moment to do a test?  It sounds like its beyond SharePoint since the prior test also failed.
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39693620
Already disabled it.  None of our servers run the Windows Firewall.
0
 
LVL 8

Accepted Solution

by:
vaderj earned 500 total points
ID: 39693624
I guess what should be next is to, from your external connection, get Fiddler going and make the request, see if there is anything you can see there.  maybe install NetMon on the WFE as well to see if there is any incoming requests to the server when you make your request externally
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39693635
Got it.  I just finished running a packet tracer from my ASDM...and I show a dropped NAT packet.  I'm working on that now to see what I can do.  I'll keep you posted.
0
 
LVL 1

Author Comment

by:dossaviation
ID: 39697141
vaderj,

It was indeed my ASA.  We had recently upgraded our ASA from version 8.2 to version 9.  You may or may not be aware of all the changes in the code to the new version, but in a nutshell, all of our NAT statements were incorrect for the new server.  All is fine now and we were able to successfully browse our test sites from an external computer.

Not really a solution, I know, but I'm awarding you the points for your help and patience.

Thank you very much!
0
 
LVL 1

Author Closing Comment

by:dossaviation
ID: 39697144
Ultimately, our external Cisco ASA was not configured correctly for static NAT.  vaderj was on the right track with looking at external requests.  I'm awarding points based on his/her help and patience.
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SharePoint 2013 List Content Type 3 44
Sharepoint list to Access database 9 76
Compatibility view list registry key 1 42
Add Promise to Existing Code 6 27
The vision: A MegaMenu for a SharePoint portal home page The mission: Make it easy to maintain. Allow rich content and sub headers as well as standard links. Factor in frequent changes without involving developers or a lengthy Dev/Test/Prod rel…
Introduction: Sometimes when I receive a call from my users to solve their problems it is very difficult for me to found their computer IP address. Even finding their computer Host to provide remote support can be a problem.  So I resorted to Goo…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question