ISA / Forefront and Sharepoint 2010

I am in the process of decommissioning our old ISA 2006 server and not using Forefront but a Citrix Netscaler. Here is my question.

If I understand the ISA server correctly it authenticates users up front then pass the user along to the internal sharepoint site. I have set this up in test with the netscaler and cannnot and presented with a simple windows login box.

here is my question. What are the pros / cons from have the ISA server or Netscaler handle authenticaoin instead of passing it to the Sharepoint servers
LVL 21
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Sharepoint has mainly Windows or form authentication and even SAML token-based authentication. For ISA, the authentication like KCD (Kerberos Constrained Delegation) is used (where you see the windows login pop out if not login yet) to enable published Web servers to authenticate users by Kerberos, after they are check by the ISA Server using a non-Kerberos authentication method. When used in this way, KCD can eliminate the need for requiring users to provide credentials twice.

In fact upgrade for ISA is TMG per se and a comparison for TMG and UAG is useful. by the way, TMG also allow option for SSL Client Certificate Authentication, or no Delegation / authentication at the TMG Server. But note that Forefront TMG 2010 is no longer sold by Microsoft but will be supported through 4/14/2020. For more information, see Microsoft Support Lifecycle information for TMG 2010.

Microsoft also shared the reverse proxy candidates include TMG, F5 and Netscalar too -

Back to Netscalar, to be specific is Netscalar Access Gateway which does fare better than TMG (ISA successor) as the latter only strong will be towards in built-in wizards that helped admins provide Exchange services, SharePoint, and Lync. Otherwise, NAG does offers more as you can catch the comparison table in this wp

However, the cost may be steep so it will be good to optimise and deem what is needed for Sharepoint which the authentication, traffic/content filtering, load balancing, publishing, and HTTP director role (rewrite) will serve as necessity to start off, the remaining will be on the "wants" (as I see it).

Regardless, TMG is already not available as mentioned earlier so other than staying with ISA which I do not recommend, it is comparing other reverse proxy candidate such as F5 ...but leave this to tech sale to educate you as customer then...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
compdigit44Author Commented:
Thanks for the great response... I guess my question is, is it safe / ok to setup a normal vserver on the Netscaler and have users from the outside login via the Windows Login prompt? What are the con's of doing this over having the Netscaler front the authentication.

One downside for having the backend sharepoint servers handle the authentication is the fact I have no way to customize the login screen since users are so used to seeing our company branded Sharepoint ISA server portal page..
btanExec ConsultantCommented:
noted, for use on Kerberos, it is definitely not for an Internet-facing system. i also do not advise that as it can expose the Windows login credential for external n/w access. Otherwise, it is still can be Kerberos or NTLM based which can then SSO into the appls. Citrix written quite extensively in the deployment guide and paper - worth catching them. Citrix has e AppExpert Template for Sharepoint support

Microsoft SharePoint 2013 with Citrix NetScaler Deployment Guide (see pg 10 on auth type - there is webauth, ldap, radius, saml, negotiate (shd be ntlm/kerberos), etc)

Microsoft SharePoint Deployment Guide Utilizing the Acceleration and Optimization Features of Citrix NetScaler

Other Info
a) form login (F5 should be able to have such capability but of another module added on if I recall correctly for F5, it called access policy mgr, APM) from vip of the Netscalar through a portal and have some SSO into the necessary backend services.

b) use of SAML login and this required further planning of the ADFS or other claim based authentication. more for external facing with federation of identity intended and interoperability to relying party

c) Or even to consider the use of SSL VPN instead as the base channel protection if it is for remote Enterprise user (and really public user) as a whole. Then establish the necessary app login or simply some can support per app vpn straight off rather than doing the former means for channel first then appls.
compdigit44Author Commented:
Great feedback...

Here is some background info on our Sharepoint farm.  I did not set it up like this and is something inherited and know it is a mess which is a different topic

-Two WFE's
-One App server
-One DB
-Was setup for claims- authentication but was never setup correctly and not even using Kerbose since that was not setup correctly and is using NTLM with a secure store...

We already have clustered Netscaler in place an have been reading up on how to setup a AAA vserver / policy to handle authentication using LDAP. The only part I do not like is the fact you need to have an external DNS entery for the LDAP server which is not known by the user but needed for authentication. We do have ADFS but read the using SAML is a be tricky to setup and people recommend using LDAP instead..

When you say the user login credentials could be exposed? Are they exposed when the log into the ISA server???
btanExec ConsultantCommented:
more in simplistic form whereby the assumption there is no SSL VPN tunnel or app VPN and credential over the wire. applies likewise when the ldap call to AD (assuming no SSL) and binding to sharepoint if credential sent in clear to Sharepoint ... but if the wires throughout is secured either by SSL or LDAPS then I see it fine.

Note the secure store having Kerberos required the DNS (required primarily for the spn as stated in below. But I also understand that Kerberos is not required for Secure Store Services in intranet environment. In fact, Secure Store Services is one of the double-hop solutions in a NTLM environment. Regardless, (also not to "rock the boat" unnecessarily) just sticking with what is inherited then for decision have been made...

and in the same article, it also highlighted the with NTLM the client credential is only able to “hop” one step hence can get a failure when the SharePoint server is trying to access our database server. That is on the setup without any proxy in between...Do think the Netscalar service can be better utilised and good to check out with them (pardon though I not a NS folk)
compdigit44Author Commented:
I for got to mention that all internal and external access to the site is over HTTPS

Your explained is so detailed that I am not sure if you are saying it is ok or not to have sharepoint authenticate users instead of the Netscaler...

btanExec ConsultantCommented:
pardon me, it is ok and authentication is a must either way. Netscalar provide more option and layer with others and it is alright to leverage on it. kerberos is still preferred if for local user but form based is simpler. either way, eventually both can work with netscalar
compdigit44Author Commented:
Thanks so it sounds like I can use the backend sharepoint server to authenication.

SO there is so way to customize the default WIndows login prompt user would see from the outside? Right now they are use to seeing the company branded ISA portal page? Since our site is some basic I do not see what extending the site would give me
btanExec ConsultantCommented:
Claims authentication still uses NTLM or Kerberos. SharePoint can communicate with it's backend SQL Server via NTLM. Likewise, it can also communicate with outside data sources via NTLM (an account in connection string) or use an account in your Secure Store. The details as shared in prev posting
Configure SharePoint 2013 BI services we avoided this double hop scenario by specifying a service account in our datasource or use a pre-configured unattended service account in SharePoint Secure Store service application.


Via Netscalar as mentioned in prev posting to extend using its form based type portal (like ISA portal), need those folks to advice further on deployment. I am sure they can give better insights

Overall, note the requirement from Sharept itself
If you use Windows authentication internally, there are at least two options to ensure that users can log on with the same account internally and externally:
Use forms-based authentication on the firewall or gateway product to collect Windows credentials that are forwarded to the SharePoint farm. This works in environments that use classic-mode authentication in which forms-based authentication for SharePoint sites is not supported.
Using Secure Sockets Layer (SSL) to implement only one URL that can be used both internally and externally. In other words, employees use the same zone that is configured for SSL regardless of where they are located.
compdigit44Author Commented:
Thanks so it sounds that both of my options are sound
btanExec ConsultantCommented:
good to engage netscalar since they are already "paid" to do the load balancing, will be good to push limit of that box if poss
compdigit44Author Commented:
ok thank for everything.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.