Using RSA Web Agent 5.3 to secure your SharePoint 2007 SP1 for Extranet Security 

Tags:

SharePoint doesn't allow for IP Binding directly when creating web applications your choices are to use ports or HostHeaders when creating your Web Applications. I always the FQDN foe the name of the WebApplication, IIS Site, and the HostHeader. This will create the directory structure of the Hostheader80 as the installation location. However, If you are using HostHeaders for your MySite and SharedServices once you install the RSA Web Agent you will no longer be able to browse to MySites or SharedServices, this is true for x64 and x86 installations. What's interesting is that the primary portal though using HostHeaders is always still available.

 

This is due to when an IIS Web Application (IIS Web Site) has been extended either being created. The IIS configuration that would be common across the WFEs is stored in the configuration database, this design is for consistency at the time of creation.  When you make changes to an IIS Web site directly through IIS Manager instead of SharePoint, SharePoint won't be aware of those new settings.  When you stop the SharePoint Web Application service, SharePoint will delete those IIS Web sites from the server.  When you then start the SharePoint Web Application service again, SharePoint will recreate those IIS Web sites based on the settings when they were originally created. (stored in the config db.) So, you have to restore the IIS Metabase to apply the changes to the bindings, certificate assignments, etc., that you made in IIS Manager. 

 

In order to make the sites accessible and retain the RSA Installation for your Extranet you will need to add two additional IP Addresses to your NIC and Bind them to each of your IIS Virtual Servers remove HostHeaders. However, since SharePoint isn't aware of any changes that are made with IIS Manager, you will need to ensure that you back up your IIS Metabase Regularly so that you be able to restore the IP Bindings quickly. Also use IP Binding on all IIS Virtual Servers that represent your Web Applications or there will need inconsistent behavior with the SharePoint environment with RSA Installed

 

Note: I am assuming that you have extended Web Applications for the extranet, assigned an SSL Certificate to the Extended Extranet IIS Virtual Server, and enabled the RSA Web Agent on the Extended Extranet Web Applications only and I have explained the use of a single WFE and not included the NLB configuration

 

For more information read Joels Blog on Relationship between the IIS Metabase and SharePoint Configuration Database and KB Article 927376

 

 

-Ivan

 
Posted by Ivan Sanders on 22-Mar-08
0 Comments  |  Trackback Url  |  Link to this post | Bookmark this post with:        
 

Links to this post

Comments

Name

Url

Email

Comments

CAPTCHA Image Validation