SharePoint Integration with Linux Access Gateway



By: nramesh

February 23, 2010 5:09 pm


Authors: Jency Flawrence and Ramesh Nerella


Introduction

When the SharePoint server is protected by the Linux Access Gateway, you could face some problems if the default rewriter configuration is used. This document outlines a proposed deployment scenario, the steps to configure the Linux Access Gateway and non-browser clients, the test setup used for this document, and known issues.

Deployment scenario

Fig 1: Setup of SharePoint server accelerated using LAG using Non-Redirected Login


  1. A non-http client requests access to the SharePoint server protected by Linux Access Gateway.
  2. The Linux Access Gateway is configured to authenticate using Non-Redirected Login because the client does not support 302 redirects, so the request is forwarded to the Identity Server for authentication through the SOAP back channel.
  3. Once the user is authenticated, the IDP sends back a success response.
  4. Linux Access Gateway forwards the user request to the SharePoint server.
  5. SharePoint server will send the response content.
  6. Linux Access Gateway forwards the response to the client.

Configuring Linux Access Gateway

Host or Domain-based Configuration

To accelerate the SharePoint server configured with basic authentication as a Host based and Domain based service with the rewriter profile configuration, do the following:

  1. Log in to the Administration Console with the administrator credentials.
  2. Select Access Manager > Access Gateways > Edit.
  3. Click the Reverse Proxy that you have configured.
  4. Select the HTML Rewriting tab and create a word and a character profile as follows:
    1. Make sure the default profile is enabled.
    2. Create a new word profile. To create a new word profile:
      1. Select New from HTML Rewriter Profile List, and then create a new HTML Rewriter word profile.
      2. Click the newly added word profile.
      3. Add the following content type to the And Document Content-Type Header Is section:
        application/x-vermeer-rpc
      4. Add the following values to the Variable or Attribute Name to Search for Is section:

        formvalue

        value
      5. Select Rewrite Inbound Query String Data.
      6. Select Rewrite Inbound Post Data.
      7. Select Rewrite Inbound Headers.
      8. Click OK.

      Fig 2: Word Profile Configuration


    3. Create a character profile.

      Create a character profile to rewrite absolute or relative URLs that appear in the following encoded formats, using Search and Replace strings:

      1. Select New from HTML Rewriter Profile List, and then create a new HTML Rewriter character profile.
      2. Click the newly added character profile.
      3. Click New in Additional Strings to Replace section.
      4. Specify the Search and Replace strings as shown in Table 1, then click OK.
    SEARCH STRING                                                     REPLACE STRING
    \u0022http:\u002f\u002fwebserverpersistence.com:1677              \u0022http://share.lag150.com
    http%253A%252F%252Fwebserverpersistence.com%253A1677              http://share.lag150.com
    http%3A%2F%2Fwebserverpersistence%2Ecom%3A1677                    http%3A%2F%2Fshare.lag150.com
    http%3a%2f%2fwebserverpersistence.com%3a1677                      http://share.lag150.com
    http:%2f%2fwebserverpersistence.com                               http://share.lag150.com
    http:\u00252F\u00252Fwebserverpersistence.com                     http://share.lag150.com
    http\u00253A\u00252F\u00252Fwebserverpersistence.com\u00253A1677  http://share.lag150.com

    Table 1: Search and Replace Strings

    Note: In the table, webserverpersistence.com is an example SharePoint site with a non-default port 1677 and share.lag150.com is the accelerated DNS name.

    Fig 3: Character Profile Configuration


  5. Change the order of the rewriter profiles so that the custom profiles are placed on top, followed by the default profile. For example, with the three rewriter profiles from step 4, reorder them so that the custom word profile created in step 4b is first, followed by the custom character profile created in step 4c, and then the default profile.

    Fig 4: Ordering of Rewriter Profile


    Note: The custom word profile “shpt_word” is the first profile, followed by the custom character profile “shpt_char”. The default profile is placed last.
  6. Configure authentication for non-browser clients.

    To access SharePoint resources using clients that do not support authentication based on 302 redirection, do the following:

    1. Select Access Manager > Access Gateways > Edit > Configured Reverse Proxy > Protected Resources > Authentication Procedure > Select Name/Password – Basic Method > Enable Non-Redirected Login > OK

      Fig 5: Configuring Non-Redirected Login


    2. Configure the security realm if it has been configured in the IIS server running SharePoint. To find the security realm configuration, open the IIS Administration Console, select the SharePoint site you are accelerating, right-click it, and access “Properties”. The Security realm field is in the Directory Security tab.

      Fig 6: Security Realm Configuration in IIS Administration


  7. Configure an Identity Injection policy to insert the SharePoint site credentials. Then place the touch file /var/novell/.overwrite_AuthHeader_With_IIData and restart vmc to ensure that the credentials are properly injected.
  8. Webserver Host name should be configured with the web server DNS name. Do not use the Forward received Host name option.

Path-based Configuration

To accelerate the SharePoint server configured with basic authentication as a Path-based service with the rewriter profile configuration, do the following:

  1. Log in to the Administration Console with the administrator credentials.
  2. Select Access Manager > Access Gateways > Edit.
  3. Click the Reverse Proxy that you have configured.
  4. Select the HTML Rewriting tab and create a word and a character profile as follows:
    1. Make sure the default profile is enabled.
    2. Create a new word profile. To create a new word profile:
      1. Select New from HTML Rewriter Profile List, and then create a new HTML Rewriter word profile.
      2. Click the newly added word profile.
      3. Add the following content type to the And Document Content-Type Header Is section:

        application/x-vermeer-rpc
      4. Add the following values to the Variable or Attribute Name to Search for Is section:

        ctx.displayFormUrl
        ctx.editFormUrl
        ctx.HttpPath
        ctx.imagesPath
        ctx.listUrlDir
        strHelpUrl
        strImageAZ
        strImagePath
        editPrmsUrl
        sDialogUrl
        formvalue
        value
        WPSC.WebPartPage.WebServerRelativeURL
        L_Menu_BaseUrl

      5. Add the following methods to the JavaScript Method to Search for Is section:

        insertitem
        UpdateFormDigest
        ProcessDefaultNavigateHierarchy

      6. Add the following search and replace entries to the String to Search for Is section:

        Word profile configuration – Strings to replace


      7. Select Rewrite Inbound Query String Data.
      8. Select Rewrite Inbound Post Data.
      9. Select Rewrite Inbound Headers.
      10. Make sure that Enable Rewrite Actions remains selected.
      11. Click OK.

      Fig 7: Word Profile Configuration


    3. Create a character profile.

      Create a character profile to rewrite absolute or relative URLs that appear in the following encoded formats, using Search and Replace strings:

      1. Select New from HTML Rewriter Profile List, and then create a new HTML Rewriter character profile.
      2. Click the newly added character profile.
      3. Click New in Additional Strings to Replace section.
      4. Specify the Search and Replace strings as shown in Table 1, then click OK.
    SEARCH STRING                                                     REPLACE STRING
    \u0022http:\u002f\u002fwebserverpersistence.com:1677              \u0022http://www.lag150.com/shpt
    http%253A%252F%252Fwebserverpersistence.com%253A1677              http://www.lag150.com/shpt
    http%3A%2F%2Fwebserverpersistence%2Ecom%3A1677                    http%3A%2F%2Fwww.lag150.com/shpt
    http%3a%2f%2fwebserverpersistence.com%3a1677                      http://www.lag150.com/shpt
    http:%2f%2fwebserverpersistence.com                               http://www.lag150.com/shpt
    http:\u00252F\u00252Fwebserverpersistence.com                     http://www.lag150.com/shpt
    http\u00253A\u00252F\u00252Fwebserverpersistence.com\u00253A1677  http://www.lag150.com/shpt
    _vti_bin/shtml.dll/_vti_rpc                                       shpt/_vti_bin/shtml.dll/_vti_rpc
    SharePoint.OpenDocuments.3                                        SharePoint.OpenDocuments.2
    SX|http://webserverpersistence.com:1677                           SX|http://webserverpersistence.com:1677/shpt

    Table 1: Search and Replace Strings

    Note: In the table, webserverpersistence.com is an example SharePoint site with a non-default port 1677, www.lag150.com is the parent accelerated DNS name and /shpt is the accelerated path.

    Fig 8: Character Profile Configuration


  5. Change the order of the rewriter profiles so that the custom profiles are placed on top, followed by the default profile. For example, with the three rewriter profiles from step 4, reorder them so that the custom word profile created in step 4b is first, followed by the custom character profile created in step 4c, and then the default profile.

    Fig 9: Ordering of Rewriter Profile


    Note: The custom word profile “shpt_word” is the first profile, followed by the custom character profile “shpt_char”. The default profile is placed last.
  6. Configure authentication for non-browser clients.

    To access SharePoint resources using clients that do not support authentication based on 302 redirection, do the following:

    1. Select Access Manager > Access Gateways > Edit > Configured Reverse Proxy > Protected Resources > Authentication Procedure > Select Name/Password – Basic Method > Enable Non-Redirected Login > OK

      Fig 10: Configuring Non-Redirected Login


    2. Configure the security realm if it has been configured in the IIS server running SharePoint. To find the security realm configuration, open the IIS Administration Console, select the SharePoint site you are accelerating, right-click it, and access “Properties”. The Security realm field is in the Directory Security tab.

      Fig 11: Security Realm Configuration in IIS Administration


  7. Configure an Identity Injection policy to insert the SharePoint site credentials. Then place the touch file /var/novell/.overwrite_AuthHeader_With_IIData and restart vmc to ensure that the credentials are properly injected.
  8. If you are using a non-browser client such as Windows Network Places to access SharePoint, do the following (this step is needed only for path-based configuration):
    1. Log in as the root user.
    2. Specify the following command to create a touch file:

      touch /var/novell/.spnetworkplaces
    3. Specify the following command to restart the Access Gateway Appliance:

      /etc/init.d/novell-vmc stop

      /etc/init.d/novell-vmc start
  9. Webserver Host name should be configured with the web server DNS name. Do not use the Forward received Host name option.
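
A check for the encodings listed in Table 1 of both configurations, and for the scheme-less form noted under Known Issues, as an added example that is not part of the original article: it derives each encoded form of the back-end origin and reports any that remain in a response body fetched through the gateway. The function names and the sample body are constructed for illustration.

```python
import re
from urllib.parse import quote

def encoded_variants(host, port):
    """Map a label to each form the back-end origin can take inside a response body."""
    origin = f"http://{host}:{port}"
    pct = quote(origin, safe="")  # http%3A%2F%2F<host>%3A<port>
    return {
        "plain": origin,
        "percent": pct,
        "percent-lower": re.sub(r"%[0-9A-F]{2}", lambda m: m.group().lower(), pct),
        "percent-dot": pct.replace(".", "%2E"),
        "double-percent": pct.replace("%", "%25"),
        "slashes-only": f"http:%2f%2f{host}",
        "js-unicode": origin.replace("/", "\\u002f"),
        "js-unicode-percent": pct.replace("%", "\\u0025"),
        "js-unicode-slashes": f"http:\\u00252F\\u00252F{host}",
        "no-scheme": f"{host}:{port}",  # form that is not rewritten by default
    }

def find_leaks(body, host, port):
    """Return (offset, label) for every back-end reference still present in body."""
    by_text = {text: label for label, text in encoded_variants(host, port).items()}
    # Longest alternative first, so a full URL is not reported as a bare host:port.
    ordered = sorted(by_text, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(t) for t in ordered))
    return [(m.start(), by_text[m.group()]) for m in pattern.finditer(body)]

# Constructed sample: a response body as it might look after incomplete rewriting.
SAMPLE_BODY = (
    '<a href="http://share.lag150.com/Docs/Forms/AllItems.aspx">Docs</a>\n'
    'var u = "\\u0022http:\\u002f\\u002fwebserverpersistence.com:1677\\u002fDocs";\n'
    '<a href="/x.aspx?Source=http%3A%2F%2Fwebserverpersistence%2Ecom%3A1677%2FDocs">x</a>\n'
    '<input name="formvalue" value="webserverpersistence.com:1677/Docs">\n'
)

if __name__ == "__main__":
    for offset, label in find_leaks(SAMPLE_BODY, "webserverpersistence.com", 1677):
        print(f"offset {offset}: back-end origin left in '{label}' form")
```

Each label that is reported corresponds to a Search string that still needs an entry in the character profile.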

Configuring Non-Browser Clients to Access SharePoint Sites

You can access the SharePoint resources by using either browsers such as Internet Explorer 7 and Firefox 3.0 or non-browser clients such as Microsoft Network Place, the Nautilus browser in SLES 10 SP2, or Mac Finder. When you use a browser to access SharePoint, no additional configuration is required. Non-browser clients, however, require certain configuration before they can access SharePoint. The following sections describe these configuration steps.

Connecting to SharePoint Server By Using Microsoft Network Place

  1. Select Start > My Network Places.
  2. Click Add a network place in the Network Tasks section.
  3. Click Next in Add a Network Place Wizard.
  4. Leave the default option unchanged, then click Next.
  5. In the Internet or Network Address field, specify the Published DNS name in the following format, then click Next:

    http://<published DNS name>/<shared_folder>

    Fig 12: Add Network Place wizard


  6. Optionally, give a name for the network place and click Next.
  7. Click Finish.
  8. Double-click on the created Network Place to browse the contents of the SharePoint folder.

Connecting to SharePoint Server By Using Nautilus File Browser

  1. Select Places > Home folder to open your home directory.
  2. Select Connect to Server in the File menu.
  3. Specify the following information in Connect to Server dialog box:

    Fig 13: Nautilus browser


    • Service Type: Select either WebDAV(HTTP) or Secure WebDAV(HTTPS) depending on whether an http or https based service is accessed.
    • Server: Specify the published DNS name (without the http scheme).
    • Optional Information: Specify the port information, file folder information, username and a name for the connection.
  4. Click Connect.
  5. Double-click on the connection to browse the contents of the SharePoint folder.

Connecting to SharePoint Server By Using Mac Finder

  1. Select Go: menu > Connect to Server.
  2. Specify the published DNS name in the Server Address field, then click Connect.
    Fig 14: MAC Finder configuration

  3. Double-click on the connection to browse the contents of the SharePoint folder.

Known Issues

  • The SharePoint site must have basic authentication configured to be integrated with LAG. Other authentication mechanisms such as NTLM are not supported by LAG.
  • Cross domain authentication will not work for different cookie domains
  • Re-login after logout does not happen across different cookie domains
  • Nautilus issue: SharePoint folders with names containing space characters or double byte characters cannot be accessed through Nautilus. This is a limitation of Nautilus.
  • URLs without the http scheme are not rewritten by default. The Administrator should add a character profile to rewrite such URLs.

    For example, search www.proxy-158:6296 and replace with http://www.lag150.com

Tested Scenarios

This configuration is tested with the following setup:

Servers

  • Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007
  • WSS 3.0 with Windows 2003 Server Enterprise Edition
  • MOSS 2007 with Windows 2003 Server Enterprise Edition (both Standalone and Farm installation)
  • Testing mainly covered acceleration of the SharePoint Team site (configured with basic authentication), which included Document library, Picture library, Slide Library, Calendar and Tasks. Search, Excel Calculation Services and testing with Microsoft InfoPath have not yet been done.

Clients

  • Browsers: Internet Explorer 7 and Firefox 3.0
  • Non-browser clients: Microsoft Network Place, Nautilus browser in SLES 10 SP2 and MAC finder
    • Tested SharePoint integrated with Microsoft Exchange Server 2003 for sending mails. Receiving mails from Exchange Server has not yet been tested.
    • Tested SharePoint integrated with Microsoft Office 2007 Applications: MS Word, Excel and PowerPoint.

Useful links:

Non-Redirected Login configuration:

Section 1.4.4 of Novell Access Manager 3.1 SP1 Access Gateways Guide:
http://www.novell.com/documentation/novellaccessmanager31/accessgateway/index.html?page=/documentation/novellaccessmanager31/accessgateway/data/bookinfo.html

To install MOSS 2007:
http://www.datasprings.com/Resources/ArticlesInformation/OverviewonInstallingSharepoint2007/tabid/774/language/en-US/Default.aspx

Sharepoint Mail Integration with Exchange Server 2003:
http://www.combined-knowledge.com/Downloads%202007.htm


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
