663 Chapter 19 Publishing SharePoint Server 2007 Data to Mobile Devices Through ISA Server 2006 Designing a Secure Mobile Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . 663 Configuring Servers for Secure Mobile Access to SharePoint Data . . . . 671 Configuring Windows Mobile Devices to Access SharePoint . . . . . . . . . 688 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690 At this point, it is certainly clear that Microsoft Office SharePoint Server 2007 focuses on the collection and distribution of data to a company’s employees. Just as certain is the fact that it is only a matter of time before that data will need to be presented to mobile users. In support of the ever-growing mobile user community, Microsoft has made great strides in the development of the Windows Mobile platform. Now with its Windows Mobile 5.0 operating system, Microsoft has opened opportunities for instant access to user data including e-mail, contacts, calendar, and tasks. From a SharePoint perspective, Microsoft has included a new Mobile URL feature wherein the URL is generated automatically for each site to provide access to mobile device users. Rather than provide a picture-rich envi- ronment, a typical SharePoint environment for the mobile URL slims the page down to its most important List feature. Windows Mobile 5.0 devices are available from all major cellular carriers and come in several different forms. Some devices use standard QWERTY keyboards to facilitate text input, while other devices use a normal phone-style number pad. Windows Mobile 5.0 is split between two similar but different operating systems: Win- dows Mobile 5.0 for PocketPC and Windows Mobile 5.0 for Smartphone. Although these devices share a similar core operating system in Windows Mobile 5.0, there are differ- ences in the feature set supported by each device. The PocketPC version of the Windows Mobile 5.0 platform includes functionality that makes these devices act more like a blend between phones and laptop computers. Windows Mobile 5.0 for PocketPC includes applications such as Mobile Word, Mobile Excel, Mobile PowerPoint, and even a Termi- 664 Part IV Integrating Additional Server Platforms nal Services client. In addition, devices that run Windows Mobile 5.0 for PocketPC have support for connecting to Wi-Fi networks to check e-mail or access Internet resources. This chapter focuses on how to configure Microsoft Internet Security and Acceleration (ISA) Server 2006 to publish a SharePoint site to a Windows Mobile device. Designing a Secure Mobile Infrastructure Network engineers face a constant battle in today’s network environments as demands for data and simplified communications continue to grow. They must find a way to man- age the delicate balance between simplifying the delivery of information to end users with the ever present mindset of ensuring that the delivery will be secure. Without ensur- ing that data can maintain security levels as outlined in company security policies, it would not be wise to publish data to areas of the network that introduce widespread exposure to unauthorized individuals. Real World Secure Access to SharePoint Server 2007 Sites The decision to publish SharePoint data to the Web using ISA Server 2006 should only come after a good amount of time has been spent evaluating the data to be published and the depth of the security measures that should be in place. In some cases you may find that the data to be published does not pose any type of vulner- ability to the company’s intellectual property, brand, or personal privacy of the employees. In this case, publishing data without being overly concerned for data security is acceptable. In many cases, however, data security is not a negligible piece of the deployment scenario. Rather, it is the key piece. In real-world implementations, the focus on security should never be absent from the task at hand. It is always best to error on the side of caution and work toward a solution that offers users access to pertinent information without jeopardizing company property. Microsoft’s intention with the ISA Server 2006 product was to provide a means of facilitating the publication of internal resources to external users while still maintaining a blanket of security that protects the company and its property. The consistent challenge in real-world deployments is to find a happy medium between data security, ease of access, and ease of implementation. In a situation such as this, you must always keep in mind that unmanaged devices such as Windows Mobile 5 Smartphones and Pocket PCs do not fall under the same constraints and restrictions of desktops and laptops that have been added as members of the domain. These devices, though manageable through the Microsoft Chapter 19 Publishing SharePoint Server 2007 Data to Mobile Devices Through ISA Server 2006 665 Exchange server deployment, are readily accessible to not only the employees who own them but also to the malicious individuals looking to obtain any piece of com- pany information. As with any deployment that involves external roaming users, security awareness training for the end-user population is a major factor in the suc- cess of the deployment. Understanding Firewall Configurations Securing resources on the internal network can be accomplished using any of three com- mon solutions: 1) the edge firewall solution, 2) the multi-homed firewall solution, and 3) the back-to-back firewall configuration. Figure 19-1 shows a simple comparison of these firewall solutions. Note Although our discussions in the text will focus on understanding the back-to-back firewall configuration, the practice and procedure for configuring SharePoint is consistent across any of the three firewall scenarios. Figure 19-1 Comparison of the three common firewall security implementations Edge Firewall Internal Network INTERNET Back-to-back Firewall Internal Network INTERNET Multi-homed Firewall Internal Network INTERNET Perimeter Network Perimeter Network 666 Part IV Integrating Additional Server Platforms The edge firewall is by far the simplest and cheapest solution as it only involves a single firewall device that established a clear line between the internal network and the Inter- net. The down side is that there is a single point of attack and failure. The multi-homed firewall, like the edge firewall, involves only one hardware device but it has at least one additional network card. The additional network card provides the opportunity to place resources on an external or perimeter network. However, there is still a single point of attack and failure in this topology. The back-to-back firewall, as you might have guessed, is the most expensive one, but it is also the solution that affords the highest level of security and the lowest level of granu- larity with our access controls. Table 19-1 outlines the pros and cons of each firewall implementation. Before you learn about the infrastructure requirements for securely publishing Share- Point to Windows Mobile users, let’s look at the network pieces that a corporation might already have employed in delivering a secure mobile messaging solution. Solutions that involve the configuration of a perimeter network with two third-party fire- wall devices often include front-end servers placed into the perimeter network while the back-end storage servers are neatly tucked away on the internal network. The firewall configuration involves a loose set of firewall policy settings on the external firewall that allows traffic from any source terminating at the front-end servers. The internal firewall, on the other hand, protects the internal resources with a much more stringent set of fire- wall policy settings that allows traffic to pass through if the source of the traffic is a server in the perimeter network and the destination is a specific server on the internal network. This is illustrated in Figure 19-2. Table 19-1 Pros and Cons of the Three Common Firewall Implementations Firewall solution Pros Cons Security rating Notes Internet Edge Low cost Not as secure Moderate Should never be member of a domain. Multi-homed Moderate cost Not as expensive High Should never be a member of a domain. Back-to-back Easily scalable High cost High knowledge level Very high Only internal firewall should be considered for membership in the internal Active Directory domain. Chapter 19 Publishing SharePoint Server 2007 Data to Mobile Devices Through ISA Server 2006 667 Figure 19-2 A messaging infrastructure deployed with two third-party firewall devices Deploying SharePoint in this fashion would be very similar. In fact, the external firewall access policy would only need to be extended to allow incoming traffic over port 80, and possibly port 443, to the front-end SharePoint server or Network Load Balancing (NLB) device. The internal firewall, however, would require an additional rule to allow the front- end SharePoint server to communicate with an internal SQL Server 2005 server. The default port of 1433 would need to be permitted from a source of the front-end Share- Point server to the back-end database server. This is illustrated in Figure 19-3. Figure 19-3 Deploying a SharePoint front-end server in a perimeter network with a back- end SQL server If you’re concerned with the idea of placing your SharePoint server in the perimeter net- work, then be assured that placing it on the internal network is even more unwise. The ramifications of placing it amongst the other internal resources are significant in that Back-end Exchange Server Front-end Exchange Server Domain Controller INTERNET Internal Network SQL Server 2005 Back-end Server SharePoint Server 2007 Front-end Server Domain Controller INTERNET Internal Network 668 Part IV Integrating Additional Server Platforms both the external and the internal firewall would have to be configured to allow Internet clients to pass through to the internal network. Indeed, unwise. So what should you do? Use Microsoft Internet Security and Acceleration (ISA) Server 2006 as the solution. Using ISA Server 2006 with SharePoint Server 2007 Implementations ISA Server 2006 comes in Standard and Enterprise Editions. The core difference in the editions lies in the scalability opportunities of Enterprise Edition. Standard Edition is lim- ited to a single server with up to 4 CPUs and 2 GB of RAM. Enterprise Edition, on the other hand, has no hardware limitations and can scale as part of a Network Load Balanc- ing (NLB) cluster with a maximum of 32 nodes. The combination of the size of the exist- ing infrastructure and your projections for growth will determine which edition is right for you. What ISA Server 2006 provides is a multi-tasking application that can exponentially enhance the security of traffic within, across, or directed to resources on your corporate network. ISA Server 2006 can function in one or all of three core roles: ■ Web Access Protection ■ Branch Office Gateway ■ Secure Application Publishing More Info You can read more about ISA Server 2006 at http://www.microsoft.com/isaserver. The secure application publishing feature of ISA Server 2006 allows organizations to pro- tect internal servers like Exchange, SharePoint, and other Web application servers. ISA Server 2006’s publishing rules can be broken down into two forms: Web publishing and server publishing. Web publishing rules are distinguished from server publishing rules in that Web publishing rules are geared toward the traditional Web-based type applications like Web servers, mail servers, and ftp servers. Server publishing rules are used when publishing services like Terminal Services or Telnet. Since SharePoint is clearly one of the Web-based applications, we will focus on the use of Web publishing rules. Web publishing rules provide a host of advantages including: ■ Reverse proxy for internal resources ■ Application layer inspection of connections to published services ■ Path redirection ■ Pre-authentication of traffic to published services Chapter 19 Publishing SharePoint Server 2007 Data to Mobile Devices Through ISA Server 2006 669 ■ Support for RADIUS, LDAP, SecurID, and more ■ Publishing multiple sites to a single IP address ■ URL re-writes ■ SSL bridging and SSL tunneling ■ Site publication scheduling ■ Reverse caching of content for external requests By the end of this chapter, you will see just how good things can be when ISA Server 2006 is part of your network infrastructure. Microsoft has done a great job of allowing admin- istrators to secure deployments with an easy-to-use interface and a helpful set of wizards to facilitate application publishing. Note It is a common debate among IT security professionals as to whether fire- wall applications such as ISA Server 2006 are as secure as hardware-based fire- wall devices. The raw answer to that debate is that a firewall is only as secure as it is configured to be. But if that isn’t enough to satisfy your curiosity, please visit http://www.microsoft.com/isaserver/hardware to see how Microsoft has worked with several vendors to bring the ease of ISA packaged with a hardware platform as a security appliance. Once you have decided that ISA Server 2006 should be a part of the network infrastruc- ture, you must decide where and how you will deploy it. As a firewall product, ISA Server 2006 fits nicely into any of the three firewall deployment scenarios mentioned earlier; edge, multi-homed, or back-to-back. When a SharePoint site is published to the Internet using ISA, it is protected because the true name and IP address of the SharePoint server are never exposed to the external, requesting user. Users will submit their requests to the ISA server which, in turn, will authenticate the user if necessary and then forward the request to the SharePoint server. For small organizations, and especially those built off of Microsoft Small Business Server 2003 Premium Edition, ISA is positioned to be the Internet edge firewall that provides a barrier of protection between the Internet and the intranet. As Figure 19-4 shows, ISA would be connected to the Internet and the intranet as it inspects all outbound and inbound traffic. 670 Part IV Integrating Additional Server Platforms Figure 19-4 ISA Server as an edge gateway Many large companies have already invested time, money, and manpower in building a secure network environment around the back-to-back firewall configuration. This does not preclude them from needing or wanting to use ISA Server 2006 in their infrastructure. As shown in Figure 19-5, ISA Server 2006 can slip nicely into an existing perimeter network. Figure 19-5 ISA Server 2006 as a compliment to an existing firewall configuration This configuration minimizes the changes that are needed on the internal and external firewalls but adds all of the elements of security that ISA provides. All resources can now SQL Server 2005 Back-end Server SharePoint Server 2007 Front-end Server Back-end Exchange Server Front-end Exchange Server ISA Server 2006 Domain Controller INTERNET Internal Network SQL Server 2005 Back-end Server SharePoint Server 2007 Front-end Server Back-end Exchange Server Front-end Exchange Server ISA Server 2006 Domain Controller INTERNET Internal Network Chapter 19 Publishing SharePoint Server 2007 Data to Mobile Devices Through ISA Server 2006 671 remain on the internal network. ISA Server 2006’s reverse proxy features will introduce a “you wait and I’ll go get it” method of handling traffic. ISA will receive the initial request as the internal firewall has allowed the passing of the traffic to ISA. ISA can then authen- ticate the user and proceed to retrieve the content on behalf of the authenticated user. Another common practice in IT security is to deploy firewalls from different vendors in the front-end and back-end solution. If such is the case, it makes great sense to install ISA Server 2006 as the internal or front-end firewall, as shown in Figure 19-6. Figure 19-6 ISA Server 2006 as a back-end firewall From small, low-budget organizations to large, well-funded organizations, there is a fire- wall deployment right for every situation. Whether it be a single firewall, multiple fire- walls, third-party devices, or ISA, planning your infrastructure to support the publication of SharePoint data is a must. Configuring Servers for Secure Mobile Access to SharePoint Data After the design phase is over and the servers have been deployed into their respective places on the physical network, it is time to configure the servers to support the delivery of SharePoint data to mobile employees. Much as the design phase takes planning and consideration, the configuration phase requires careful considerations. Moving into implementation, you will need to answer questions such as: ■ Do I have a single SharePoint site? Or an entire server farm? ■ Is my SharePoint data accessed internally and externally? SQL Server 2005 Back-end Server SharePoint Server 2007 Front-end Server Back-end Exchange Server Front-end Exchange Server ISA Server 2006 Domain Controller INTERNET Internal Network 672 Part IV Integrating Additional Server Platforms ■ Do I need to use HTTPS? If so, do I have the appropriate certificates? ■ What is the server information that we need to publish: IP address? Full qualified domain name (FQDN)? ■ What type of authentication do I require? LDAP? Forms-based? Basic? None? Having the answers to each of these questions will make the ISA configuration wizard much easier and will help ensure a smooth deployment. Since SharePoint is a Web-based service provided to the end user, it is most common to see users accessing information using fully qualified domain names like http://intranet.contoso.com. Alternate Access Mapping (AAM) is a feature of Windows SharePoint Services 3.0 (and thus Office Share- Point Server 2007) that provides users of multiple domains and even multiple networks to access the same set of content using unique URLs. SharePoint identifies the source of a request and matches that to a defined network (URL). This allows SharePoint to return a URL consistent to the FQDN provided by the user. For example, an external user refer- encing content from the URL http://companyweb.contoso.com should not receive a return URL of http://intranet.contoso.com. SharePoint uses zones as a means of manag- ing URLs and authentication providers when accessing the same content from different networks. Figure 19-7 illustrates the use of alternate access mappings for SharePoint data. Figure 19-7 Example of alternate access mappings for SharePoint The configuration in the diagram would allow users to access the content from multiple URLs including: SQL Server 2005 Back-end Server SharePoint Server 2007 Front-end Servers MOSS03 ISA Server 2006 Domain Controller intranet.contoso.com (Intranet zone) AAM: companyweb.contoso.com (Internet zone) INTERNET Internal Network Request for http://intranet.contoso.com Request for http://companyweb.contoso.com MOSS02MOSS01 [...]... single -server machine, this is a simple hand-off operation In a multiserver farm, the Excel Calculation Service Proxy is also responsible for load balancing requests between Microsoft Office SharePoint Server 20 07 servers running the Excel Calculation Services component The Report Center Template The Report Center template is the starting point for business intelligence portals in Office Server 20 07 It... Excel Services Excel Services is installed as part of SharePoint Server 20 07 but is not enabled by default To make use of Excel Services, a few additional steps are required to configure it in an SharePoint Server 20 07 installation To configure Excel Services, you must first install an instance of SharePoint Server 20 07 in either the Complete or Web Server mode Once it is installed, you need to create... ISA server and the SharePoint server hosting the site Figure 19-19 displays the two options available for the connection type between the ISA server and the SharePoint server 681 682 Part IV Integrating Additional Server Platforms Figure 19-19 Server Connection Security page in the New SharePoint Publishing Rule Wizard Using the SSL option to secure communication between the ISA server and the SharePoint. .. for mobile users Summary The ability of SharePoint Server 20 07 to deliver data on demand to mobile devices while maintaining a secure communication stream is a powerful tool for today’s telecommuters, remote workers, outside sales force, and much more Couple the power of SharePoint Server 20 07 and its data on demand with the Microsoft Exchange Server 20 07 features of e-mail on demand, and the entire staff... SharePoint server requires a certificate to be installed on the SharePoint server and that the ISA server trust the root CA that issued the certificate If there are multiple SharePoint servers in a farm that is being published, the certificate must be installed on each server in the farm It is not uncommon to use an internal Public Key Infrastructure to issue a certificate to the SharePoint server or servers... address 677 678 Part IV Integrating Additional Server Platforms Figure 19-14 Configuring Web listeners for a specific network 3 Select an authentication mechanism for the Web listener Figure 19-15 shows a typical configuration for Web listener authentication when publishing SharePoint data through ISA Figure 19-15 Selecting an authentication mechanism Chapter 19 Publishing SharePoint Server 20 07 Data... 70 0 Using Excel Services in Dashboards 70 5 Configuring Security 70 7 Performance Considerations 71 0 Accessing Data from Other Sources 71 7 Summary 72 0 Excel Services are a key component in the Microsoft. .. ISA Server 2006 and SSL tunneling 675 676 Part IV Integrating Additional Server Platforms To configure the more secure SSL bridging option, two certificates are required One certificate will be installed on the SharePoint server and one certificate on the ISA server The certificate installed on the SharePoint server should have a common name equal to that of the server (for example, moss1.contoso.com)... separate certificate installed on the ISA server and another certificate installed on the SharePoint server The certificate stored on the SharePoint server can be obtained from an internal certification authority if one exists However, the ISA server needs to be configured to trust the root certificate for the PKI that issued the Web server certificate to the SharePoint server Before purchasing a certificate... Integrating Additional Server Platforms More Info For details on configuring an SSP, see Chapter 18, “Administrating Shared Services Providers.” Enabling Excel Services Excel Services are not enabled in a default installation of SharePoint Server 20 07, so the first step is to enable the service on at least one server in the farm In a server farm with one Web front-end server and one application server, you can . now SQL Server 2005 Back-end Server SharePoint Server 20 07 Front-end Server Back-end Exchange Server Front-end Exchange Server ISA Server 2006 Domain Controller INTERNET Internal Network SQL Server. 2005 Back-end Server SharePoint Server 20 07 Front-end Server Back-end Exchange Server Front-end Exchange Server ISA Server 2006 Domain Controller INTERNET Internal Network Chapter 19 Publishing SharePoint. have a single SharePoint site? Or an entire server farm? ■ Is my SharePoint data accessed internally and externally? SQL Server 2005 Back-end Server SharePoint Server 20 07 Front-end Server Back-end Exchange Server Front-end Exchange Server ISA Server 2006 Domain Controller INTERNET Internal