Solved

Sharepoint Foundation 2010 Configuring External Access

Posted on 2013-11-22
Last Modified: 2013-12-04
Hello experts,

We are currently rebuilding and redesigning our intranet, moving from a Joomla based CMS to Sharepoint Foundation 2010.  I've been all over Google and read numerous articles on Forms-Based Authentication and such.  We have a need to "extend" the web applications of SP to external users in our company, that are not on the main domains.  We have our SP set up in the following way:

2 Win 2008R2 servers

Primary server:  SP Foundation 2010, MSSQL 2008, main SP database and site collections
Secondary server:  SP Foundation 2010 (same farm), content pages.  (These are not online yet.)

Sharepoint itself works fine internally.  Also, I've been able to successfully set up forms based authentication on a test site collection and it also works fine internally.

Now, at this point, we'd like to extend the main web application (Sharepoint - 8080) to the outside with a custom domain name (http://mysite.mydomain.com, for example).

I have taken the following steps:

1.  Converted the original web app from Windows authentication to Claims authentication.
2.  Extended the web app through the following process:
     a.  From Manage Web Applications in Central Admin, I clicked on the main site, and clicked "Extend".
     b.  I followed the screen, creating a new site, using my external URL as the name, port 80 for the default port, the external URL as the host header, Yes to Allow Anonymous, No to SSL (testing for now), checked both Enable Windows Auth and Enable FBA, filled in my provider name and manager name from the working config, and accepted all other defaults.
3.  FBA was previously configured through a test site and is confirmed to be working on that site, but I cannot test on the new site.

I am unable to access the new extended site internally to test FBA, I get a 404 error on that site.

I've been spending a lot of time on this and I'm pretty fried.  Hoping someone can help me out here.

Thanks!
Question by:dossaviation
23 Comments
 
LVL 8

Expert Comment

by:vaderj
Lots of things to check here, but first :

Is this environment load balanced?

When you resolve the DNS address, does it resolve to the same IP internally as it does externally?

Does the IIS site (on all of your web front ends) for your newly extended web app contain in the IIS bindings, the host header?

From your web front end, can you directly access your user store? (whether that be the SQL DB, the AD-LDS instance, or otherwise)

What are the zones that you extended your web application to, along with their associated Authentication Provider settings? (I know you mentioned this, this is more to spur you to just make sure that they are associated correctly for your environment)
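The procedure in the question (extend the claims-mode web application into the Internet zone with a host header) and the checks in the comment above (IIS binding, alternate access mappings, whether the new zone answers at all) can be scripted and verified from the SharePoint 2010 Management Shell on a web front end. The following is an added example and not code from the thread. The URLs, the IIS site name, and the provider names LDAPMembers and LDAPRoles are assumptions, and the script assumes that the external name already resolves to the WFE on the machine where it runs (internal DNS or a hosts entry).

```powershell
# Added example, not from the original post. Extends an existing claims-mode
# SharePoint 2010 web application into the Internet zone with a host header
# and then runs the three checks a practitioner wants: IIS binding, AAM, and a
# real HTTP request for the external name.
# Assumptions: Default zone is http://server:8080, external name is
# sharepoint.company.net, FBA providers are LDAPMembers / LDAPRoles.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$defaultUrl  = "http://server:8080"
$externalUrl = "http://sharepoint.company.net"
$hostHeader  = "sharepoint.company.net"
$iisSiteName = "SharePoint - sharepoint.company.net80"   # assumed IIS site name

$wa = Get-SPWebApplication $defaultUrl
if (-not $wa.UseClaimsAuthentication) {
    throw "Convert the web application to claims authentication before enabling FBA on a zone."
}

# Authentication providers for the new zone: Windows (NTLM) plus forms-based.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$fba     = New-SPAuthenticationProvider -ASPNETMembershipProvider "LDAPMembers" `
                                        -ASPNETRoleProviderName "LDAPRoles"

# Same operation as Central Admin > Manage Web Applications > Extend.
New-SPWebApplicationExtension -Identity $wa -Name $iisSiteName -Zone Internet `
    -URL $externalUrl -Port 80 -HostHeader $hostHeader `
    -AuthenticationProvider $windows, $fba -AllowAnonymousAccess

# Check 1: the IIS binding must carry the host header (and, as suggested in the
# thread, no fixed IP) so a request for that name is routed to this site.
Get-WebBinding -Name $iisSiteName | Select-Object protocol, bindingInformation

# Check 2: one alternate access mapping per zone, with the URL users type.
Get-SPAlternateURL -WebApplication $wa | Select-Object Zone, IncomingUrl, PublicUrl

# Check 3: request the site by its external name from the WFE itself.
# 200 or 401 means IIS and SharePoint answer for that name; 404 means no binding
# or AAM matched the host header; no HTTP response at all means the request never
# reached IIS, which points at DNS, NAT or the firewall rather than SharePoint.
try {
    $resp = [System.Net.WebRequest]::Create($externalUrl + "/").GetResponse()
    "HTTP {0}" -f [int]$resp.StatusCode
    $resp.Close()
} catch [System.Net.WebException] {
    if ($_.Exception.Response) {
        "HTTP {0}" -f [int]$_.Exception.Response.StatusCode
    } else {
        "No HTTP response: " + $_.Exception.Status
    }
}
```

The third check is the useful discriminator for the rest of this thread: a 404 with the site started means the request arrived at IIS and the host header did not match, whereas a WebException whose Status is ConnectFailure or ReceiveFailure means nothing on the path delivered the request, which is a network problem rather than a SharePoint one.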
 
LVL 1

Author Comment

by:dossaviation
vaderj,

First, thank you for taking a moment to help me.

Answers, in order:

The environment is not load balanced yet.  It is still in testing.  We do plan to implement this as we move into production.

The DNS does not resolve internally, and I suspect that is because we have not created an internal zone for it yet.  However, I can't reach the extended site via IP address either.  Also, our external DNS provider (network solutions) does not resolve the new name to IP yet.

Yes.  IIS has the host headers correct, external address of skyXXX.XXXXX.net (name purposely hidden) and IP of the internal server.  (I think that's correct?)

I cannot access the front end of the newly extended site, so I can't test the user store.  I can't access that by IP or by name.  The successful test of the user store can be done on another site collection that is not connected to the extended site.  Sorry for any confusion there.

The web application is currently in the Default and Internet zones.  The extended one, of course, is the Internet zone.  Both are set to Claims Based Authentication.  The Internet zone has Enable Windows Authentication, Integrated Windows Authentication with NTLM, Enable Forms Based Authentication, with an ASP.NET membership name of LDAPMembers.  Like I said, I have no way to test this authentication.  It does work on the other test site, so I think it's a good configuration.

That being said, I'm not 100% sure that these settings are correct.  I freely admit to being a little Sharepoint dumb.  

Thanks again for your help!
 
LVL 8

Expert Comment

by:vaderj
So lets step back and get the external site in an accessible state:

1.)  Try disabling your FBA providers so that only NTLM is enabled

2.)  In your IIS binding for the extended web app, remove the IP from the binding definition such that only the host header is present.

Your test servers do not have an external IP they are directly associated with, correct?  Is there some form of reverse proxy between your WFE (web front end) and the internet?  Is your RevProxy configured to correctly forward all requests for the particular host header over to your WFE?

For testing purposes as well, it may be beneficial to grab a VM in the same domain as the test WFE and insert a HOSTS file entry (C:\Windows\System32\drivers\etc\hosts).
 
LVL 1

Author Comment

by:dossaviation
OK.  Let me try your suggestions.  I'll post back ASAP.  Thanks!
 
LVL 1

Author Comment

by:dossaviation
Also, there are no proxies in between.  I have not yet forwarded the ports from our Cisco ASA to the servers as I wanted to get this working internally first.
 
LVL 1

Author Comment

by:dossaviation
OK, I was able to perform all the steps you asked for, and I'm still unable to access the site internally.  I expect my network guys to have the external ports open today that we need, so I'll try testing from the outside as well.  Do you have any other suggestions?

One other thing I was thinking...do you think I should extend the app again into the Intranet zone for internal access?  Right now it's only in two zones, Default and Internet.

Thanks!
 
LVL 8

Expert Comment

by:vaderj
That should not be necessary.
Do the alternate access mappings correspond with the Authentication Providers?
Can you even ping the server?
 
LVL 1

Author Comment

by:dossaviation
Hmmm...I did not check the AAM yet.  Let me do that.  Yes, I can ping the server.
 
LVL 1

Author Comment

by:dossaviation
Well, I think I may just start over.  I've actually succeeded in rendering the entire site collection unavailable now.  I'm going to delete it and try again.  I'll keep you posted on our progress.  Thanks.
 
LVL 1

Author Comment

by:dossaviation
So I've recreated a new site, and extended it per the instructions.  I can browse internally just fine via the new outside address (http://sharepoint.company.net), but that same address does not work externally.  I set up a record in DNS so that internal users would use the external address.

I can ping sharepoint.company.net from an external machine and it resolves just fine.  Ping replies as well.  My firewall is configured correctly and is pointing that external IP to the internal server address.

My AAMs are set for:

Default Zone:  Internal URL is http://server:8080.  Public URL is http://server:8080.
Extranet Zone:  Internal URL is http://sharepoint.company.net.  Public URL is http://sharepoint.company.net.

Yet I cannot browse the external site from outside.

This is so frustrating.

Thanks.
 
LVL 8

Expert Comment

by:vaderj
What are you getting? 404? Is the server responding at all?

Have you run an IISReset?
Maybe restart everything between your SharePoint WFE and the internet connection?
 
LVL 1

Author Comment

by:dossaviation
Getting a blank page.  No 404 or response at all.  

Chrome says Server Sent No Data.

I did run an iisreset.  I restarted everything, even the server itself.  I have a Cisco ASA, and I'm not going to bounce that one.

Thanks!
 
LVL 8

Expert Comment

by:vaderj
Oh dear. I have had multiple nightmarish experiences with ASAs (5505s). Do you have any other sites behind the ASA that you are able to access externally?

From my experience, ASAs do not have any reverse proxy functionality. What are you using to translate the external subdomain and forward the request to the proper server?

Fortunately, there should be absolutely no reason to restart the ASA. If there is anything to be said about them, it's that they are stable!
 
LVL 1

Author Comment

by:dossaviation
Yeah, we've had our fair share of ASA issues as well...but we have two other sites that translate through it and work fine.

No other devices stand between the gateway and the server.  It's all on the ASA.
 
LVL 8

Expert Comment

by:vaderj
Can you try this: disable the SharePoint IIS site in IIS Manager, enable the default site, and attempt to access it externally?
 
LVL 1

Author Comment

by:dossaviation
I must be doing something wrong...I now get a 404 page internally, still same condition externally...no data received.
 
LVL 1

Author Comment

by:dossaviation
Apologies...I had not started the default site.  I have an IIS7 splash page internally, nothing externally.  Same condition.
 
LVL 8

Expert Comment

by:vaderj
OK, so it sounds as though something is preventing the completion of the request.  Can you try completely disabling the Windows Firewall for just a moment to do a test?  It sounds like it's beyond SharePoint, since the prior test also failed.
 
LVL 1

Author Comment

by:dossaviation
Already disabled it.  None of our servers run the Windows Firewall.
 
LVL 8

Accepted Solution

by:vaderj (earned 500 total points)
I guess what should be next is, from your external connection, to get Fiddler going, make the request, and see if there is anything you can see there.  Maybe install NetMon on the WFE as well to see if there are any incoming requests to the server when you make your request externally.
 
LVL 1

Author Comment

by:dossaviation
Got it.  I just finished running a packet tracer from my ASDM...and I show a dropped NAT packet.  I'm working on that now to see what I can do.  I'll keep you posted.
 
LVL 1

Author Comment

by:dossaviation
vaderj,

It was indeed my ASA.  We had recently upgraded our ASA from version 8.2 to version 9.  You may or may not be aware of all the changes in the code to the new version, but in a nutshell, all of our NAT statements were incorrect for the new server.  All is fine now and we were able to successfully browse our test sites from an external computer.

Not really a solution, I know, but I'm awarding you the points for your help and patience.

Thank you very much!
 
LVL 1

Author Closing Comment

by:dossaviation
Ultimately, our external Cisco ASA was not configured correctly for static NAT.  vaderj was on the right track with looking at external requests.  I'm awarding points based on his/her help and patience.
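The closing comment attributes the empty reply to static NAT on an ASA that had been upgraded from 8.2 to 9.x. NAT and access-list semantics changed in 8.3, and the change that most often breaks an inbound static after such an upgrade is that access lists are now evaluated against the real (inside) address instead of the translated (public) one, so an ACL that still permits traffic to the public IP matches nothing and the SYN is dropped before it reaches the WFE. The configuration below is an added example, not the poster's configuration; the object name, interface names, access-list name and all addresses are assumptions.

```cisco
! Added example, not configuration from the original thread.
! Assumed addresses: 10.0.0.10 is the SharePoint WFE on the inside interface,
! 203.0.113.10 is the public IP the external DNS name resolves to, and
! 198.51.100.5 is a test client on the Internet.
!
! ASA 8.2 style (for comparison only): one-line static, and the inbound ACL
! names the TRANSLATED (public) address.
!
!   static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
!   access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
!
! ASA 8.3 and later (including 9.x): NAT is attached to a network object and
! the inbound ACL must reference the REAL (inside) address or the object.

object network SP-WFE
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10

access-list outside_access_in extended permit tcp any object SP-WFE eq www
access-group outside_access_in in interface outside

! Verify from the ASA CLI (same test the poster ran from ASDM): simulate an
! inbound SYN and read the NAT and ACCESS-LIST phases. A failing phase ends
! with "Action: drop" and a Drop-reason; a working one ends with "Action: allow".
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 80
```

If the object NAT is present but the access list still names 203.0.113.10, packet-tracer shows the NAT phase untranslating to 10.0.0.10 and the ACCESS-LIST phase dropping, which is exactly the "server sent no data" symptom seen from the browser while the same site answers fine on the inside.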
