I have been totally unsuccessful in publishing SBS 2003 SharePoint through a standalone ISA 2004 server. I have SBS connected via a single NIC to the internal network, the intent being to avoid the server having to deal with Internet traffic from the clients. I have followed instructions from multiple books and sources, but nothing I have done has allowed me to access the first page from the Internet. I have changed settings on both SBS server and ISA server so many times I have difficulty in remembering the current configuration! My last effort was to obtain an SSL for the ISA server and generate a private SSL for the SBS server. What I would like to know is:
As I now have ISA 2006, should I go ahead and load it, and will it help my efforts at publishing SBS SharePoint?
Can you direct me to a guide for setting up SBS SharePoint access through a separate ISA server? I believe that everything I have seen so far assumes that ISA is running on the same server, although I saw several articles that say installing both on the same server is not ideal, either for security or performance.
Should I activate the second NIC on the SBS and separate the internal LAN from its current direct connection to the ISA server?
As far as that goes, I also have the SBS 2003 R2 now. Should I go ahead and load it also?
Too many questions, but I have been working on this for weeks, to no avail. I need a new direction!
I saw that you had started explaining the process of publishing SBS through ISA, but it was never finished, or I simply could not find it. I have purchased several of your books (besides liking your writing style, I believe in proper support of those that help me), and have attempted to use that knowledge to get this working. No luck in publishing the secure portion, which is what I really need. I even purchased a certificate, but still no joy. I will delete ISA 2004 and load ISA 2006. Did you ever complete a tutorial, or publish a book that I am unaware of that will assist me? I suspect it is something quite simple that I am overlooking, but that is small comfort.
Thanks for your time, I can only imagine how spread out you must stay!
I never finished that series because the SBS MVPs were harassing me beyond recognition with dumb questions and inflammatory commentary. It wasn't worth it to me, so I bagged the project, which made them happy since they seem to prefer to keep the SBS community in the dark.
Anyhow, what kind of problems are you having with publishing SPS? I've published a few SPS machines (including my own) and haven't run into any issues, although they were all just single machine deployments, not the complex stuff you see in larger orgs.
Sorry about taking so long to get back to you. I installed ISA 2006 last night, just finished getting all the adjustments done so the business can actually get some work completed! After that, I went ahead and completed the Publish SharePoint Sites wizard, and have made a few adjustments, as it did not work. When I enter https://office.the-wizards.com, I get a Microsoft Internet Security & Accelerator Server 2006 sign in screen. I sort of expected the normal SBS remote sign in screen, but this is going through ISA, so I guess this is normal. The problem is, I cannot sign in. Here are the properties for this rule:

From: Anywhere
To: https://prime.hq-noc.computerwizards.local/Remote
"Forward original host header" and "Requests appear to come from original client" are both checked on.
Traffic: HTTPS, nothing else is checked.
Listener: named Prime Remote Access networks on External and Local Host
Port HTTP disabled
Port HTTPS is set to 443. I also tried 444, no screen at all then.
I have a certificate for office.the-wizards.com from GoDaddy.
Authentication Methods: FBA with AD
Always Authenticate: No
Domain for Authentication: hq-noc.computerwizards.local (not sure if this is correct).
Single Sign On is checked.
Public Name: office.the-wizards.com
Paths: defaults made by wizard
Authentication Delegation: NTLM
Application Settings: defaults made by wizard
Bridging: Web Server checked, redirect requests to SSL Port 444
Link Translation is checked on, no other link translations selected.
I hope this is enough information for you to steer me in the right direction!
No, it is not. My understanding (what there is) is that the ISA Server being a member of the domain would be a security issue. Is this incorrect? Or if correct, what should I do to alleviate the security issues? The TechNet article Publishing Windows SharePoint Services with Microsoft Internet Security and Acceleration (ISA) Server 2004 links to http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stse10.mspx?mfr=true for a discussion on Configuring Authentication and does not mention that being a domain member is required, which may be why I could never get it to work! I am not going to make the ISA Server a member of the domain as an experiment until I hear from you. You've got tons more experience than I on maintaining security!
What???? Where did you get that false impression? Beware of ABM'ers bringing gifts.
Domain membership makes the ISA Firewall more secure -- only dumbass "hardware" guys think it makes it less secure, and they actually have no idea, but it's an effective way for them to reduce the level of security the ISA Firewall can provide, which makes their products look better.
For the real information and the only thoughtful analysis ever done on this subject check out:
OK, great, I can make that happen. Now my problem is that, for the life of us, we cannot get the Windows Update or Windows Activation to work. I realize that this is not a huge problem for most folks, but we repair computers on a twenty-station bench and do reloads all day long! I have opened up everything I can imagine to the repair bench, and it still will not work. The weird thing is however, that it was! It seems like it decided to "break" on its own. I am about ready to go back to ISA 2004 until I can figure this out.
I have made so many changes that I am concerned that I have lost track. I still cannot get the perimeter network to perform Windows updates. I did try the proxycfg, but am unfamiliar with it so I am not sure of what, if anything, I accomplished. I am having to unplug the switch on the perimeter network and plug it into the internal network during the day so that we can get work accomplished. I am so puzzled about ISA 2004 seeming to work so smoothly and ISA 2006 seeming to be so buggy. Is it just me? Are there significant advantages to ISA 2006 that I do not see?
Second part, I did get external access to my SBS, sort of. When I log in from outside the firewall, I get the SharePoint companyweb page, instead of the "Welcome to Windows Small Business Server 2003" screen that I expected. I figured out that was due to my redirecting to port 444, so I changed it to 443. Now when I try it, I get ISA 2006 login, then I get the SBS login screen. When I try to log into it, it sends me back to ISA 2006 login. I remember something about "using up authentications" from reading your materials, but I certainly do not remember. So, am I warmer?
While waiting for responses, I keep experimenting, looking for the magic fix. I now have External access to the SBS Remote Web Workspace page!
Always a catch, though. I have to do three logins to get to it. While annoying, I can at least get work done. I changed the access rule "Authentication Method" to No delegation, but client may authenticate directly. I changed the listener "Authentication" to HTTP Authentication with Basic and Windows (Active Directory) checked.
So now when I type in the public address, I get the typical Windows sign-in block, in which I have to enter both domain and user name. That brings up the Remote Web Workspace login screen, which in turn immediately brings up another Windows sign-in block. After all three, I finally get a real Remote Web Workspace screen. I am hoping that there are changes that can be made to reduce this to a single log-in, but no combination I tried would allow it. Suggestions?