Publish MOSS 2007 farm with ISA 2006 single NIC



vkumar_72 -> Publish MOSS 2007 farm with ISA 2006 single NIC (2.Jun.2009 8:10:47 PM)

I need to publish a MOSS server farm on ISA 2006 with a single NIC.

The scenario is:

1. ISA 2006 with single NIC in DMZ (workgroup).
2. MOSS 2007 with 2 Frontend webservers in internal network (member of domain).
3. Need SSL.
4. I need to use third party load balancer (F5) for 2 web servers.

Could someone give me details of the ISA configuration and also the steps for publishing 2 MOSS web servers for the same SharePoint site?

Also the configuration for certificates to be used.

I will appreciate help.

Thanks,
Jai




vkumar_72 -> RE: Publish MOSS 2007 farm with ISA 2006 single NIC (3.Jun.2009 4:35:36 PM)

Can anyone help with the above scenario?

Jai




Jason Jones -> RE: Publish MOSS 2007 farm with ISA 2006 single NIC (3.Jun.2009 6:38:42 PM)

Hi,

You have a fair bit of work to do for that solution and there are potentially quite a few areas that could go wrong... here are a few pointers to get you started...

In terms of publishing configuration, have a look at the SharePoint section of this document: http://technet.microsoft.com/en-us/library/bb794854.aspx

You may get better results using server farm load balancing in ISA than your F5, as this is a native feature designed for publishing Exchange and SharePoint web farms. http://technet.microsoft.com/en-us/library/bb794841.aspx

For the recommended deployment which uses SSL bridging, you will need certificates on ISA and each of the SharePoint web servers. The ISA certs will need to be from a public CA, but the SharePoint certs could be from an internal CA.

As your ISA server is not in the domain, you will need to look at using LDAP authentication to authenticate users against Active Directory. http://technet.microsoft.com/en-us/library/bb794722.aspx

Good luck!

Cheers

JJ




ClintD -> RE: Publish MOSS 2007 farm with ISA 2006 single NIC (15.Jun.2009 1:13:33 PM)

I use F5s 6400E running 9.4 at work and have a similar setup and configured it with no problems. My ISA Server is a part of the domain (we use NTLM on the outside 'hop' and Kerberos on the inside 'hop') so that's the main difference.

The LB has a virtual server that listens on 443 which ISA bridges to. On this virtual server, we use the standard HTTP profile and Cookie persistence as well as the standard OneConnect profile. Works just fine. You'll run into problems with NTLM auth with the OneConnect profile but from your config, it doesn't sound like you're going to be using NTLM.

Shoot me a private message if you want to talk about this offline.




vkumar_72 -> RE: Publish MOSS 2007 farm with ISA 2006 single NIC (15.Jun.2009 6:10:50 PM)

Thanks, Clint. I am able to publish the SharePoint farm in my above scenario using LDAP.

There is a new requirement. I am trying to publish the SharePoint farm on ISA 2006 (single NIC) with Windows Integrated authentication to avoid password prompts to users.

My understanding is that ISA needs to be in the domain for this. Correct me if I am wrong.

I have set up ISA 2006 with a single NIC in the domain and am trying to publish the SharePoint farm with Windows Integrated authentication.

I am confused between Windows (Active Directory) authentication and HTTP Authentication with Integrated checked with Windows (Active Directory) in the Web Listener properties on the Authentication tab.

Which one do I need to use? Also, when I try to select HTTP Authentication with Integrated checked with Windows (Active Directory), ISA Server does not let me apply the changes and says "The authentication settings of the Web listener used in the rule are not compatible with the type of credentials delegation configured for this rule."

I would really appreciate your help on this.

Thanks,
Jai




ClintD -> RE: Publish MOSS 2007 farm with ISA 2006 single NIC (16.Jun.2009 3:33:04 PM)

What delegation option do you have specified? You can't specify NTLM on the 'outside' hop and try to delegate this - you have to either change it to use Kerberos Delegation or not have ISA challenge the user and rely on the web servers to challenge the users 'directly'.

If you want to, email me at clintDOTdenhamATpbsgDOTcom and we can hash it out.



