Wednesday, November 12, 2008

Create a New Web Site in IIS


You must create a new Web site for each security model that you want. For example, if you want to have both Anonymous access and Basic authentication, you must create two Web sites. On one site you would specify Anonymous access, and on the other site you would specify Basic authentication.

Note that you should not modify settings on the Default Web Site. Specifically, SharePoint Portal Server requires the Default Web Site to use port 80 as the TCP port. Do not change the port to an alternative HTTP port (such as 8000 or 8080) after installation. Ensure that port 80 is specified and remains as the primary port for the server.

To create a new Web site

1. On the taskbar, click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.

2. Expand the node for the SharePoint Portal Server computer.

3. Right-click the name of the SharePoint Portal Server computer, point to New, and then click Web Site. The Web Site Creation Wizard appears.

4. Click Next, and then follow the instructions in the wizard:

· Type a description of the Web site, and then click Next. The description appears in the tree view of the console. For example, if this Web site is to be used for Anonymous access, you could type AdventureWorksAnon as the description.

· Select the IP address. Do not select (All Unassigned).

· Type 80 for the TCP port number.

· Type the external FQDN as the host header. The host header is of the form external_server_name.external_domain_name. For example, if the external server name for your SharePoint Portal Server computer is AdventureWorks, and the external domain name is adventure-works.com, you would type AdventureWorks.adventure-works.com as the host header.

· Click Next.

· Enter the path for your home directory. It is strongly recommended that the home directory be under the Inetpub directory. For example, the path can be C:\Inetpub\AdventureWorks. See “Test the Extranet from Your Intranet” in this paper for instructions on creating a default Web page.

· If you do not want to allow Anonymous access to SharePoint Portal Server, clear the Allow anonymous access to this Web site check box. For more detailed information about specifying security on the new Web site, see “Modify the Security Settings on the New Web Site” in this paper.

· Click Next.

· On the Web Site Access Permissions page, click Next. Do not change the default access permissions.

· Click Finish. The new Web site appears.

5. Expand Default Web Site, and then note the following five virtual directories (nodes on the tree): Exchweb, SharePoint Portal Server, Public, MSOffice, and YourWorkspace, where YourWorkspace represents the name of the virtual directory for your workspace. For example, if your workspace is named Marketing, look at the Marketing virtual directory. Write down the local path for each of these virtual directories (or use copy and paste while performing the steps). You need this path to complete steps 6 through 8. To find the local path, do this for each of the five virtual directories:

· Right-click the virtual directory, and then click Properties.

· On the Virtual Directory tab, note (or copy) the path shown in Local Path.

· Close the Properties page.

6. Right-click the new Web site that you created in step 4, point to New, and then click Virtual Directory. The Virtual Directory Creation Wizard appears.

7. Click Next, and then follow the instructions in the wizard:

· In Alias, type Exchweb and then click Next.

· In Directory, type (or paste) the path for Exchweb from step 5, and then click Next.

· On the Access Permissions page, click Next. Do not change the default access permissions.

· Click Finish.

8. Repeat steps 6 and 7 to create a virtual directory for SharePoint Portal Server, Public, MSOffice, and for YourWorkspace, where YourWorkspace represents the name of the virtual directory for your workspace.

Important The names of the new virtual directories must match exactly the names of the original virtual directories under the Default Web Site. Do not rename the virtual directories.

9. After creating the virtual directories, for the Public and YourWorkspace virtual directories on the new Web site that you created, do the following:

· Right-click the virtual directory, and then click Properties.

· Click the Virtual Directory tab.

· In Application Protection, select Low (IIS Process).

· On the Virtual Directory tab, click Configuration.

· On the App Mappings tab, click Add.

· In Executable, type the path to the msdmisap.dll file. You can also browse to the msdmisap.dll file. By default, this file is located in the SharePoint Portal Server \Bin directory. For example, if you installed SharePoint Portal Server to Program Files\SharePoint Portal Server, this file is in Program Files\SharePoint Portal Server\Bin.

Important In Executable, ensure that the path entered follows the 8.3 naming convention. For example, if the msdmisap.dll file is in the Program Files\SharePoint Portal Server\Bin directory on drive D, type the path in Executable as D:\Progra~1\ShareP~1\Bin\msdmisap.dll

· In Extension, type * and then click OK.

· Clear the Check that file exists check box.

· Click OK to close Application Configuration.

· Click OK to close the Properties page.

10. For the YourWorkspace virtual directory on the Web site that you created, do the following:

· Right-click the virtual directory, and then click Properties.

· On the Virtual Directory tab, select the Write check box.

· Click the HTTP Headers tab, and then click Add.

· In Custom Header Name, type MicrosoftTahoeServer

· In Custom Header Value, type 1.0

· Click OK.

· Click OK to close the Properties page.

11. For the MSOffice virtual directory on the Web site that you created, do the following:

· Right-click the virtual directory, and then click Properties.

· Click the Virtual Directory tab.

· In Execute Permissions, select Scripts and Executables.

· Click OK to close the Properties page.

12. Right-click YourVirtualWeb, where YourVirtualWeb is the name of the new Web site you just created, and then click Start. If YourVirtualWeb is already started, omit this step.

Enable Discussions on the New Web Site

To use Web discussions on your SharePoint Portal Server computer from the Internet or extranet, you must modify the registry.

Use Web discussions to discuss a document with other users. Web discussions allow users to add remarks about a document without modifying the document itself. Discussions are threaded — replies to a discussion remark appear directly underneath the original remark. In addition, multiple discussions about the same document can occur at the same time. SharePoint Portal Server consolidates comments in a single location, allowing them to be easily reviewed.

To enable discussions on the new Web site

1. On the taskbar, click Start, and then click Run.

2. Type regedit, and then click OK.

Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

3. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\9.0\Web Server\1.

4. On the Registry menu, click Export Registry File.

5. Save the file as EnableDiscussions on your desktop.

6. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\9.0\Web Server\1.

7. Right-click 1 and then click Rename.

8. Type number and then press ENTER. Number is determined from the following procedure:

· On the taskbar, click Start, point to Programs, point to Accessories, and then click Command Prompt.

· Navigate to the directory where adsutil.vbs is located. Typically, this is in the Inetpub\AdminScripts directory on the operating system drive.

· Type cscript adsutil.vbs enum W3SVC/number, where number is 1, 2, etc. Type each number in order until the properties display the name of the new Web site. Typically, W3SVC/1 is the Default Web Site, W3SVC/2 is the Administration Web Site, and W3SVC/3 is the new Web site. If W3SVC/3 is the new Web site, you type 3 as number when renaming the registry key in this step.

9. Click Web Server.

10. On the Registry menu, click Import Registry File.

11. Import EnableDiscussions that you saved to the desktop previously.

12. Click OK.

13. Click 3, right-click Server Root Url in the right pane, and then click Modify.

14. In Value data, type the external FQDN of the server, and then click OK. For example, type http://AdventureWorks.adventure-works.com.

15. Close Registry Editor.

16. Restart the server.
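The lookup in step 8 can be scripted. The following is an added example, not part of the original paper: it scans adsutil.vbs enum output for the site description and then checks the site's binding against the values the Web Site Creation Wizard steps call for (a specific IP address, port 80, the external FQDN as host header). The sample output, its layout, the address 10.0.0.5 and the AdventureWorksBasic site are constructed assumptions.

```python
import re

# Constructed sample of `cscript adsutil.vbs enum W3SVC/<number>` output for
# numbers 1-4, trimmed to two properties. The "name : (TYPE) value" layout,
# the ports other than 80 and the AdventureWorksBasic site are assumptions.
SAMPLE_ENUM = {
    1: 'ServerComment                   : (STRING) "Default Web Site"\n'
       'ServerBindings                  : (LIST) (1 Items)\n'
       '  ":80:"\n',
    2: 'ServerComment                   : (STRING) "Administration Web Site"\n'
       'ServerBindings                  : (LIST) (1 Items)\n'
       '  ":5000:"\n',
    3: 'ServerComment                   : (STRING) "AdventureWorksAnon"\n'
       'ServerBindings                  : (LIST) (1 Items)\n'
       '  "10.0.0.5:80:AdventureWorks.adventure-works.com"\n',
    4: 'ServerComment                   : (STRING) "AdventureWorksBasic"\n'
       'ServerBindings                  : (LIST) (1 Items)\n'
       '  ":8080:"\n',
}

PROP = re.compile(r'^(\w+)\s*:\s*\((\w+)\)\s*(.*)$')


def parse_enum(text):
    """Turn enum output into {property: value}; LIST properties become lists."""
    props, current = {}, None
    for line in text.splitlines():
        m = PROP.match(line)
        if m:
            name, typ, value = m.groups()
            if typ == "LIST":
                props[name] = current = []   # items follow on indented lines
            else:
                props[name] = value.strip().strip('"')
                current = None
        elif current is not None and line.strip():
            current.append(line.strip().strip('"'))
    return props


def check_binding(binding, external_fqdn):
    """A binding is 'IP:port:host header'; return deviations from the wizard steps."""
    ip, port, host = binding.split(":", 2)
    problems = []
    if not ip:
        problems.append("IP address is (All Unassigned)")
    if port != "80":
        problems.append("TCP port is %s, not 80" % port)
    if host.lower() != external_fqdn.lower():
        problems.append("host header %r is not the external FQDN" % host)
    return problems


def audit_site(enum_outputs, description, external_fqdn):
    """Return (site number, problems) for the site with this description."""
    for number in sorted(enum_outputs):
        props = parse_enum(enum_outputs[number])
        if props.get("ServerComment") == description:
            problems = []
            for binding in props.get("ServerBindings", []):
                problems += check_binding(binding, external_fqdn)
            return number, problems
    return None, ["no site with description %r" % description]
```

The number returned for the new site is the value to use as number when renaming the registry key in step 8.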

Modify the Security Settings on the New Web Site

By default, SharePoint Portal Server uses NTLM authentication (on the Default Web Site in IIS). To use SharePoint Portal Server on the Internet or extranet, you must modify the security settings on the new Web site to Basic authentication or Anonymous.

Do not specify both Basic authentication and Anonymous access on the same Web site. If you want both Basic authentication and Anonymous access, create two Web sites.

For example, if you want to use both Basic authentication and Anonymous, configure the security settings as follows:

· For the Default Web Site in IIS, leave the default of NTLM authentication.

· Create a new Web Site in IIS and specify Basic authentication access.

· Create a second new Web Site in IIS and specify Anonymous access.

SharePoint Portal Server does not support both NTLM and Anonymous authentication on the same Web site.

In addition, if you modify the security setting to Anonymous, users cannot create subscriptions from the dashboard site.

Note that SharePoint Portal Server licensing requires that all devices accessing the server have a valid license. Nothing in this white paper is meant to waive or modify any rights or requirements under the end user license agreement or other applicable license agreement for SharePoint Portal Server.

Caution Do not run Windows 2000 Internet Server Security Tool (available for download from http://www.microsoft.com/TechNet/security/tools.asp) after installing SharePoint Portal Server. Running this tool may disable the dashboard site. For the latest information about implementing IIS security configurations to secure your server, see http://www.microsoft.com/SharePoint.

To modify the security settings on the new Web site

1. On the taskbar, click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.

2. Expand the node for the SharePoint Portal Server computer.

3. Right-click YourVirtualWeb, where YourVirtualWeb is the name of the new Web site you created, and then click Properties.

4. Click the Directory Security tab.

5. In Anonymous access and authentication control, click Edit.

6. In Authentication Methods, select the authentication method you want for the new Web site:

· To enable Anonymous access, select the Anonymous access check box. Clear all other check boxes. Do not specify both Anonymous access and Basic authentication on the same Web site.

· To enable Basic authentication, select the Basic authentication (password is sent in clear text) check box, and then click Yes when prompted. Clear all other check boxes. Do not specify both Basic authentication and Anonymous access on the same Web site.

Note All information, including passwords, sent over the Internet is in a readable format. To secure your transmissions, use SSL. For more information, see “Enable SSL” in this paper.

7. Click OK.

8. Click OK to close the Properties page.
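The authentication rules in this section can be checked against a site's metabase values. The following is an added example, not part of the original paper: it decodes the IIS AuthFlags and AccessSSLFlags bitmasks, reports the combinations this section rules out, and decodes a Basic Authorization header to show why the Note above calls for SSL. The flag values passed in and the sample header are constructed; reading the values from the metabase is outside the example.

```python
import base64

# IIS metabase bit values for the AuthFlags and AccessSSLFlags properties.
AUTH_ANONYMOUS, AUTH_BASIC, AUTH_NTLM = 0x1, 0x2, 0x4
ACCESS_SSL = 0x8  # secure channel (SSL) required


def review_site(auth_flags, access_ssl_flags):
    """Return findings for an extranet site, following the rules in this section."""
    anon = bool(auth_flags & AUTH_ANONYMOUS)
    basic = bool(auth_flags & AUTH_BASIC)
    ntlm = bool(auth_flags & AUTH_NTLM)
    findings = []
    if anon and basic:
        findings.append("Anonymous and Basic on the same site: create two Web sites")
    if anon and ntlm:
        findings.append("NTLM and Anonymous on the same site: not supported")
    if not (anon or basic):
        findings.append("neither Basic nor Anonymous is enabled on the new site")
    if basic and not access_ssl_flags & ACCESS_SSL:
        findings.append("Basic without SSL required: passwords are readable in transit")
    return findings


def basic_credentials(header):
    """Decode an HTTP 'Authorization: Basic ...' value into (user, password).

    Basic authentication only base64-encodes 'user:password', so anyone who
    can read the request can recover both values without a key.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token).decode("latin-1")
    user, _, password = decoded.partition(":")
    return user, password


# Constructed header value, as a browser would send it to a Basic-auth site.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"reader:constructed-password").decode("ascii")

if __name__ == "__main__":
    for flags, ssl in [(0x1, 0), (0x2, 0x8), (0x2, 0), (0x3, 0), (0x4, 0)]:
        print(hex(flags), hex(ssl), review_site(flags, ssl) or "ok")
    print(basic_credentials(SAMPLE_HEADER))
```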

If you use Anonymous access, you must also assign the Internet Guest Access account to the reader role on each workspace for which you want Anonymous access. If you are configuring Basic authentication only, you do not need to assign the Internet Guest Access account to the reader role.

To assign the Internet Guest Access account to the reader role

1. On the taskbar, click Start, point to Programs, point to Administrative Tools, and then click SharePoint Portal Server Administration.

2. In the console tree, click to expand the server, and then select the workspace.

3. On the Action menu, click Properties.

You can also right-click the workspace name, and then click Properties on the shortcut menu.

4. Click the Security tab.

5. Click Add.

6. From Select Users or Groups, select the name of your server from Look in.

7. From the list of names, select the name IUSR_server_name, where server_name is the NetBIOS name of your server.

8. Click Add, and then click OK.

9. Click Apply. The account is added to the Reader role.

If you close the Properties page, open it, and then click the Security tab, the account you just entered is listed as Internet Guest Account.

Configure the Proxy Server

If you want to use SharePoint Portal Server on the Internet and you have a proxy server, you must:

· Ensure that the external IP address of your SharePoint Portal Server computer is added to the proxy server.

· Map the internal static IP address of the server to an external static IP address. If you are using Microsoft Internet Security and Acceleration (ISA) Server 2000, this is called server publishing. Permissions pass through and the host header file is not modified.

If you are not using ISA Server, you must configure your proxy server as follows:

· Password and authentication information must be passed through the proxy server to the SharePoint Portal Server computer inside the firewall.

· The host header name must stay intact when passing through.

· Do not use SSL bridging.

Before performing the following procedures, you must know the static external IP address assigned to your SharePoint Portal Server computer. This is not the same IP address as the static internal IP address for the server. You must also have a subnet mask. You receive a range of static external IP addresses and a subnet mask when you first establish Internet access through Network Solutions or through another company authorized by the ICANN.

The following procedures apply if you are using ISA Server as your proxy server. Note that the following steps assume that you have already enabled the firewall and reverse proxy for ISA Server. Additionally, your ISA Server must allow internal users to access the Internet by using the proxy without authentication. If you have a proxy server that requires a server to provide authentication to access the Internet from your intranet, you will not be able to download a Web part from the Internet. This is because the ServerXMLHTTP object cannot access the Internet if authentication is required.

To ensure that the external static IP address of your server is added to the proxy server

1. On the desktop on the proxy server, right-click My Network Places, and then click Properties.

2. Right-click the NIC that is connected to the Internet, and then click Properties.

3. Under Components checked are used by this connection, click Internet Protocol (TCP/IP), and then click Properties.

4. Click Advanced.

5. Under IP addresses, scroll through the list of IP addresses to ensure that the external static IP address for the SharePoint Portal Server computer is listed. This is the same external static IP address used to create the DNS entry for the server.

6. If the IP address appears in the list, no further action is required. If the external static IP address does not appear in the list of IP addresses, you must complete steps 7 through 12.

7. Click Add. The TCP/IP Address dialog box appears.

8. In IP address, enter the external static IP address.

9. In Subnet mask, enter the subnet mask for the IP address.

10. Click Add to close the TCP/IP Address dialog box, and then click OK.

11. Click OK, and then click OK to close the Properties page.

12. Restart the server.

To map an external IP address to an internal IP address

1. On the taskbar, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

2. Expand Servers and Arrays.

3. Expand the name of your proxy server.

4. Expand Publishing.

5. Right-click Server Publishing Rules, point to View, and then click Taskpad.

6. Click Publish a Server. The New Server Publishing Rule Wizard appears.

7. In Server publishing rule name, type a name to identify the new publishing rule, and then click Next.

8. On the Address Mapping page, type the internal static IP address of the server in IP address of internal server.

9. On the Address Mapping page, type the external static IP address in External IP address on ISA Server.

10. Click Next.

11. On the Protocol Settings page under Apply the rule to this protocol:

· Select HTTP Server if you have not enabled SSL.

· Select HTTPS Server if you have enabled SSL.

Note These protocols must be enabled on the proxy server. See the documentation for your proxy server for procedures to enable the protocols.

12. Click Next.

13. On the Client Type page, click Any request, and then click Next.

14. Click Finish.

15. Double-click the rule you just created, and on the General tab, ensure that the Enable check box is selected.

It may take up to 15 minutes for the mapping to be effective. If the mapping has not become effective after 15 minutes, do the following:

1. On the taskbar, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

2. Expand Servers and Arrays.

3. Expand the name of your proxy server.

4. Expand Monitoring.

5. Right-click Services, point to View, and then click Taskpad.

6. Select the Web proxy service, and then click Stop a Service.

7. Select the Firewall service, and then click Stop a Service.

8. Select the Web proxy service, and then click Start a Service.

9. Select the Firewall service, and then click Start a Service.

If the mapping has not taken effect within 30 minutes after this procedure, restart the proxy server.

Test the Extranet from Your Intranet

This step enables you to confirm that you have set up your server correctly to access it from the extranet or Internet.

Important Perform the following procedure from the server.

To test the extranet from your intranet

1. Create a test file in the home directory for the new Web site:

· Create default.htm and place it in the home directory. Your home directory should be under the Inetpub directory. For example, the home directory can be C:\Inetpub\AdventureWorks.

· Enter some text in default.htm and save the file. For example, enter some text, such as the external FQDN.

2. Create an entry in the hosts file on the server:

· Navigate to the hosts file. Typically, this file is located in WINNT\system32\drivers\etc on the operating system drive.

· Open hosts in Notepad.

· Add the SharePoint Portal Server computer (internal static) IP address along with the external name of your server to the hosts file. For example, 10.0.0.X AdventureWorks.adventure-works.com

· Save the file.

3. Modify the proxy settings for Internet Explorer on the server:

· Open Internet Explorer.

· On the Tools menu, click Internet Options.

· Click the Connections tab, and then click LAN Settings.

· Select the Use a proxy server and Bypass proxy server for local addresses check boxes.

· Type the address and port number for the proxy server, and then click Advanced.

· In Do not use proxy server for addresses beginning with, type *root_domain_name and then click OK. An example of a root domain name is adventure-works.com, so you would type *adventure-works.com.

· Click OK, and then click OK to close Internet Options.

4. In Internet Explorer, type http://external_server_name.external_domain_name in Address. You should see the text that you typed in default.htm. For example, if you typed AdventureWorks in default.htm, you should see AdventureWorks displayed.

If you can access the server, you have specified the external FQDN correctly.

If you cannot access the server, ensure that the Web site is started. To do this:

1. On the taskbar, click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.

2. Expand the node for the SharePoint Portal Server computer.

3. Right-click YourVirtualWeb, where YourVirtualWeb is the name of the new Web site you created, and then click Start.

If you still cannot access the server, see “Troubleshooting” in this paper.

After you successfully access the extranet from your intranet, you should test access from the Internet.

Test the Extranet from the Internet

This step enables you to confirm that you have set up your server correctly to access it from the Internet.

Important Perform the following procedures from a computer that is not connected to your corporate local area network (LAN) or wide area network (WAN) (either directly or by dialing in to the network).

To test the extranet from the Internet

1. From the computer connected through an ISP to the Internet, type http://external_FQDN

For example, type http://AdventureWorks.adventure-works.com

The default Web page (default.htm) that you created during the previous section is displayed.

2. If the default Web page is displayed, type http://external_FQDN/workspace_name

For example, type http://AdventureWorks.adventure-works.com/Marketing

The dashboard site for the Marketing workspace is displayed.

If you cannot access the dashboard site, see “Troubleshooting” in this paper.
