3.9 Protecting SharePoint 2010

NOTE: You will be prompted to re-authenticate when you open any application from the protected SharePoint server. There is no workaround for this additional authentication.

3.9.1 Protecting SharePoint Using the Domain-Based Multi-Homing Proxy Service

You can configure Access Manager to provide protected access to SharePoint by using a domain-based proxy service, with single sign-on provided by identity injection. You can access SharePoint with a URL similar to this: https://<Published DNS name>:<port number if any>/path. For example, https://shpt.multibox-mag.com/default.aspx.

Perform the following configurations:

  1. Configure the proxy service type as Domain-Based Multi-Homing.

    For example, the published DNS Name = shpt.multibox-mag.com.

    For more information, see Configuring the Domain-Based Proxy Service in the NetIQ Access Manager 4.1 Administration Guide.

  2. Configure the following Web servers options:

    • Web Server Host Name: Specify the actual host name of the SharePoint server.

    • Connect Port: Specify the port that the Access Gateway should use to communicate with the Web servers.

    For more information, see Configuring Web Servers of a Proxy Service in the NetIQ Access Manager 4.1 Administration Guide.

  3. Create new HTML Rewriter profiles: one Word profile and one Character profile.

    For more information about how to create a new rewriter profile, see Creating or Modifying a Rewriter Profile in the NetIQ Access Manager 4.1 Administration Guide.

    • Create a Word rewriter and enter the following values:

      And Document Content-Type Header Is: click New, then specify the following type:

      application/x-vermeer-rpc
      

      Variable or Attribute Name to Search for Is: Create the following two new attributes:

      formvalue
      
      value
      
    • Create a Character rewriter. In the Additional Strings to Replace section, specify the search and replace strings as shown in Table 3-1, then click OK.

      NOTE: win2k8-r2-64bit:32274 in Table 3-1 and Table 3-2 refers to the SharePoint server's host name and the port on which it is configured. Replace it with your SharePoint server's host name and port number.

      Table 3-1 Search and Replace strings

      Search String                                              Replace String
      \u0022http:\u002f\u002fwin2k8-r2-64bit:32274               \u0022https://shpt.multibox-mag.com
      http%253A%252F%252Fwin2k8-r2-64bit%253A32274               https://shpt.multibox-mag.com
      http%3A%2F%2Fwin2k8-r2-64bit%2Ecom%3A32274                 https%3A%2F%2Fshpt.multibox-mag.com
      http%3a%2f%2fwin2k8-r2-64bit%3a32274                       https://shpt.multibox-mag.com
      http:%2f%2fwin2k8-r2-64bit                                 https://shpt.multibox-mag.com
      http:\u00252F\u00252Fwin2k8-r2-64bit                       https://shpt.multibox-mag.com
      http\u00253A\u00252F\u00252Fwin2k8-r2-64bit\u00253A32274   https://shpt.multibox-mag.com

      Save and enable this rewriter profile and move it to the top of the ordered list of profiles for this accelerator.

  4. Configure the protected resources: pr-private, pr-public, and pr-other.

    For more information, see Configuring Protected Resources in the NetIQ Access Manager 4.1 Administration Guide.

    • Protected resource: pr-private

      • Authentication Procedure: Secure Name/Password – Form type contract

      • URL Path: /default.aspx

      • Identity Injection: Enabled (injects Credential Profile LDAP name and password into the Authorization headers)

    • Protected resource: pr-public

      • Authentication Procedure: None

      • URL Path: /

    • Protected resource: pr-other

      • Authentication Procedure: WebDAV

        Create a new authentication procedure with the following settings:

        Contract: Secure Name/Password - Form

        Non-Redirected Login: enabled

        Realm: Specify the name of the realm. Ensure that the value is the same as the realm configured in the SharePoint IIS Basic Authentication setting.

        For example, if the IIS Basic Authentication realm is xyz, enter xyz as the name of the realm.

        Redirect to Identity Server When No Authentication Header is Provided: disabled

      • URL Path: /*

      • Identity Injection: Enabled (injects Credential Profile LDAP name and password into the Authorization headers)
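The WebDAV authentication procedure for pr-other (step 4, here and in the path-based configuration in Section 3.9.2) only works when the Realm value equals the Basic authentication realm that the SharePoint IIS site sends in its 401 challenge. The following Python check is an added example, not part of the NetIQ documentation or the Access Manager product: it parses the WWW-Authenticate header values of a SharePoint 401 response and compares the Basic realm with the value configured for the procedure. The header values are constructed for the example, and the comparison is assumed to be exact and case-sensitive.

```python
"""Verify that the SharePoint Basic realm matches the Access Manager WebDAV realm.

Added example (not from the NetIQ guide). Input is the list of WWW-Authenticate
header values from a 401 response; IIS normally sends one header per scheme, but
a folded, comma-separated single value is accepted too. Header values below are
constructed, not captured from a real server.
"""
import re

# Split a header value on commas that are not inside a quoted string.
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def challenge_schemes(header_values):
    """Return the authentication schemes offered, in order, e.g. ['Negotiate', 'NTLM', 'Basic']."""
    schemes = []
    for value in header_values:
        for piece in _COMMA_OUTSIDE_QUOTES.split(value):
            piece = piece.strip()
            if not piece:
                continue
            first = piece.split(None, 1)[0]
            if "=" in first:  # an auth-param continuing the previous challenge, not a scheme
                continue
            schemes.append(first)
    return schemes


def basic_realm(header_values):
    """Return the realm of the Basic challenge, or None if no Basic challenge is offered."""
    for value in header_values:
        m = re.search(r"\bBasic\s+(.*)", value, re.IGNORECASE)
        if not m:
            continue
        # realm may be a quoted string or a bare token; take the first one after "Basic"
        r = re.search(r'realm\s*=\s*(?:"([^"]*)"|([^\s,]+))', m.group(1), re.IGNORECASE)
        if r:
            return r.group(1) if r.group(1) is not None else r.group(2)
    return None


def realm_matches(header_values, configured_realm):
    """True when the server's Basic realm equals the configured Realm (exact, case-sensitive)."""
    realm = basic_realm(header_values)
    return realm is not None and realm == configured_realm


# Constructed 401 challenge sets (assumed shapes, not real captures).
CHALLENGE_OK = ["Negotiate", "NTLM", 'Basic realm="Sharepoint"']
CHALLENGE_FOLDED = ['Negotiate, NTLM, Basic realm="Sharepoint", charset="UTF-8"']
CHALLENGE_NO_BASIC = ["Negotiate", "NTLM"]
CONFIGURED_REALM = "Sharepoint"  # the Realm entered in the WebDAV authentication procedure


def report(header_values, configured_realm=CONFIGURED_REALM):
    """Human-readable result of the realm check for one set of header values."""
    schemes = [s.lower() for s in challenge_schemes(header_values)]
    realm = basic_realm(header_values)
    if "basic" not in schemes:
        return "no Basic challenge offered; enable Basic authentication on the SharePoint IIS site"
    if realm != configured_realm:
        return f'realm mismatch: server sends "{realm}", procedure configured with "{configured_realm}"'
    return f'ok: Basic realm "{realm}" matches the configured Realm'


if __name__ == "__main__":
    for label, values in [("separate headers", CHALLENGE_OK),
                          ("folded header", CHALLENGE_FOLDED),
                          ("no Basic", CHALLENGE_NO_BASIC)]:
        print(f"{label:17} -> {report(values)}")
    print(f"{'wrong realm':17} -> {report(CHALLENGE_OK, 'xyz')}")
```

Run it against the header values of a real 401 from the SharePoint server (for example, copied from a browser's network tool) before enabling the protected resource; a "no Basic challenge" result means the IIS site does not offer Basic authentication and there is no realm for the procedure to match.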

3.9.2 Protecting SharePoint for the Path-Based Multi-Homing Proxy Service

You can configure Access Manager to provide protected access to SharePoint by using a path-based proxy service with the Remove Path on Fill option enabled, with single sign-on provided by identity injection. You can access SharePoint with a URL similar to this: https://<Published DNS name>:<port number if any>/path. For example, https://multibox-mag.com/shpt/default.aspx.

When the Remove Path on Fill option is enabled, SharePoint access requires the following additional entries in the Advanced Options section of the global settings, the master service, and the path-based service.

Advanced options required in the global settings include:

  • NAGGlobalOptions AllowMSWebDavMiniRedir=on

Advanced options required in the master service include:

  • NAGHostOptions primaryWebdav=/shpt

  • NAGHostOptions webdavPath=/_vti_inf.html

  • NAGHostOptions webdavPath=/_vti_bin/_vti_aut/author.dll

  • NAGHostOptions webdavPath=/_vti_bin/shtml.dll/_vti_rpc

  • NAGHostOptions webdavPath=/_vti_bin/_vti_adm/admin.dll

  • NAGHostOptions webdavPath=/_vti_bin/owssvr.dll

Advanced options required in the path-based service include:

  • NAGChildOptions WebDav=/shpt

Perform the following configurations:

  1. Configure the proxy service type as Path-Based Multi-Homing. For example, Published DNS Name = shpt.multibox-mag.com.

    • Path List: /shpt

      Remove Path on Fill: Select the check box.

      Reinsert Path in “set-cookie” Header: Select the check box.

    For more information, see Configuring a Path-Based Multi-Homing Proxy Service in the NetIQ Access Manager 4.1 Administration Guide.

  2. Configure the following options for Web servers:

    • Web Server Host Name: Enter the actual host name of the SharePoint server.

    • Connect Port: Enter the port that the Access Gateway should use to communicate with the Web servers.

    For more information, see Configuring Web Servers of a Proxy Service in the NetIQ Access Manager 4.1 Administration Guide.

  3. Create new HTML Rewriter profiles: one Word profile and one Character profile.

    For more information about how to create a new rewriter profile, see Creating or Modifying a Rewriter Profile in the NetIQ Access Manager 4.1 Administration Guide.

    • Create a Word rewriter. Keep the default values except the following:

      And Document Content-Type Header Is: click New, then specify the following type:

      application/x-vermeer-rpc
      

      Rewrite Inbound Query String Data: Select the check box.

      Rewrite Inbound POST Data: Select the check box.

      Rewrite Inbound Headers: Select the check box.

      Enable Rewriter Actions: Select the check box.

      Variable or Attribute Name to Search for Is: Specify the following attributes:

      ctx.displayFormUrl
      ctx.editFormUrl
      ctx.HttpPath
      ctx.imagesPath
      ctx.listUrlDir
      editPrmsUrl
      formvalue
      L_Menu_BaseUrl
      sDialogUrl
      strHelpUrl
      strImageAZ
      strImagePath
      value
      webUrl
      WPSC.WebPartPage.WebServerRelativeURL
      

      JavaScript Method to Search for Is: Specify the following methods:

      insertitem
      ProcessDefaultNavigateHierarchy
      UpdateFormDigest
      

      String to Search for is: Specify the following attributes:

      Search=/_layouts/images
      Replace=$path/_layouts/images
      Search=/sites
      Replace=$path/sites
      Search=\u002f_layouts\u002fimages
      Replace=$path\u002f_layouts\u002fimages
      
    • Create a Character rewriter and enter the following values:

      And Document Content-Type Header Is: application/x-vermeer-rpc

      Additional Strings to Replace: Specify the search and replace strings as shown in Table 3-2, then click OK.

      Table 3-2 Search and Replace strings

      Search String                                              Replace String
      \u0022http:\u002f\u002fwin2k8-r2-64bit:32274               \u0022https://multibox-mag.com/shpt
      \u002f_layouts                                             /shpt\u002f_layouts
      \u002f_vti_bin                                             /shpt\u002f_vti_bin
      event,'/_layouts                                           event,'/shpt/_layouts
      http%253A%252F%252Fwin2k8-r2-64bit%253A32274               https://multibox-mag.com/shpt
      http%3A%2F%2Fwin2k8-r2-64bit%2Ecom%3A32274                 https%3A%2F%2Fmultibox-mag.com/shpt
      http%3a%2f%2fwin2k8-r2-64bit%3a32274                       https%3a%2f%2fmultibox-mag.com/shpt
      http:%2f%2fwin2k8-r2-64bit                                 https://multibox-mag.com/shpt
      http:\u00252F\u00252Fwin2k8-r2-64bit                       https://multibox-mag.com/shpt
      http\u00253A\u00252F\u00252Fwin2k8-r2-64bit\u00253A32274   https://multibox-mag.com/shpt
      webUrl=/                                                   webUrl=/shpt

      Save and enable this rewriter profile and move it to the top of the ordered list of profiles for this accelerator.

  4. Configure the protected resources: pr-private, pr-public, and pr-other.

    For more information, see Configuring Protected Resources in the NetIQ Access Manager 4.1 Administration Guide.

    • Protected resource: pr-private

      • Authentication Procedure: Secure Name/Password – Form type contract

      • URL Path: /shpt/default.aspx

      • Identity Injection: Enabled (injects Credential Profile LDAP name and password into the Authorization headers)

    • Protected resource: pr-public

      • Authentication Procedure: None

      • URL Path: /shpt

    • Protected resource: pr-other

      • Authentication Procedure: WebDAV

        Create an authentication procedure with the following settings:

        Contract: Secure Name/Password - Form

        Non-Redirected Login: enabled

        Realm: Sharepoint

        Redirect to Identity Server When No Authentication Header is Provided: disabled

      • URL Path: /shpt/*

      • Identity Injection: Enabled (injects Credential Profile LDAP name and password into the Authorization headers)
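The Character rewriter rows in Table 3-1 and Table 3-2 exist because SharePoint emits its internal origin (http://win2k8-r2-64bit:32274) in several encodings: plain, percent-encoded, double percent-encoded, and JavaScript-escaped (\u002f for the slash, \u0022 for the double quote). A row that is missing or out of order leaves the internal host name, and therefore the internal network layout, visible to clients. The following Python script is an added example, not part of the NetIQ documentation or the Access Manager product: it models the Character rewriter as an ordered list of literal substitutions (an assumption about the product's behaviour), derives the encodings the tables have to cover, applies the Table 3-2 rules to a constructed sample response body, and checks that no reference to the internal host survives. The sample body is constructed for the example and is not a real SharePoint capture.

```python
"""Model the Character rewriter rows of Table 3-2 and check for host-name leaks.

Added example (not from the NetIQ guide). The rewriter is modelled as ordered
literal search/replace substitutions; the sample body is constructed.
"""
import re
from urllib.parse import quote

INTERNAL_ORIGIN = "http://win2k8-r2-64bit:32274"   # SharePoint server as seen by the gateway
INTERNAL_HOST = "win2k8-r2-64bit"
PUBLISHED_URL = "https://multibox-mag.com/shpt"    # what clients are allowed to see

# Table 3-2 rows in the order the rewriter applies them. Raw strings keep the
# literal backslash-u sequences that SharePoint writes into JavaScript/RPC bodies.
TABLE_3_2 = [
    (r"\u0022http:\u002f\u002fwin2k8-r2-64bit:32274", r"\u0022https://multibox-mag.com/shpt"),
    (r"\u002f_layouts", r"/shpt\u002f_layouts"),
    (r"\u002f_vti_bin", r"/shpt\u002f_vti_bin"),
    ("event,'/_layouts", "event,'/shpt/_layouts"),
    ("http%253A%252F%252Fwin2k8-r2-64bit%253A32274", "https://multibox-mag.com/shpt"),
    ("http%3A%2F%2Fwin2k8-r2-64bit%2Ecom%3A32274", "https%3A%2F%2Fmultibox-mag.com/shpt"),
    ("http%3a%2f%2fwin2k8-r2-64bit%3a32274", "https%3a%2f%2fmultibox-mag.com/shpt"),
    ("http:%2f%2fwin2k8-r2-64bit", "https://multibox-mag.com/shpt"),
    (r"http:\u00252F\u00252Fwin2k8-r2-64bit", "https://multibox-mag.com/shpt"),
    (r"http\u00253A\u00252F\u00252Fwin2k8-r2-64bit\u00253A32274", "https://multibox-mag.com/shpt"),
    ("webUrl=/", "webUrl=/shpt"),
]


def encoded_forms(url):
    """Return the encodings of `url` that the rewriter table has to cover.

    plain           -> HTML attributes
    percent         -> query-string values
    double_percent  -> a URL carried inside another URL's query string
    js_escaped      -> JavaScript/RPC bodies, where '/' becomes \\u002f
    """
    js_escaped = url.replace("/", r"\u002f").replace('"', r"\u0022")
    return {
        "plain": url,
        "percent": quote(url, safe=""),
        "double_percent": quote(quote(url, safe=""), safe=""),
        "js_escaped": js_escaped,
    }


def apply_rewrites(body, rules):
    """Apply ordered literal substitutions, as a Character rewriter profile does (assumed)."""
    for search, replace in rules:
        body = body.replace(search, replace)
    return body


def find_internal_host(body, host):
    """Return the contexts in which the internal host name still appears.

    Only ':' and '/' are escaped by the encodings above; the host name itself
    survives every one of them, so a case-insensitive substring search catches
    a leak regardless of encoding.
    """
    return [body[max(0, m.start() - 20):m.end() + 10]
            for m in re.finditer(re.escape(host), body, re.IGNORECASE)]


# Constructed sample of fragments a SharePoint page or RPC body can contain.
SAMPLE_BODY = "\n".join([
    r'{"HttpRoot":"\u0022http:\u002f\u002fwin2k8-r2-64bit:32274\u0022"}',
    r'var imagesPath = "\u002f_layouts\u002fimages\u002f";',
    "ReturnUrl=http%253A%252F%252Fwin2k8-r2-64bit%253A32274",
    "onclick=\"GoToPage(event,'/_layouts/viewlsts.aspx')\"",
    "webUrl=/",
])


def rewrite_and_check(body=SAMPLE_BODY, rules=TABLE_3_2, host=INTERNAL_HOST):
    """Rewrite `body` and return (rewritten_body, remaining_leaks)."""
    rewritten = apply_rewrites(body, rules)
    return rewritten, find_internal_host(rewritten, host)


if __name__ == "__main__":
    for name, form in encoded_forms(INTERNAL_ORIGIN).items():
        print(f"{name:15} {form}")
    before = find_internal_host(SAMPLE_BODY, INTERNAL_HOST)
    rewritten, leaks = rewrite_and_check()
    print(f"internal host references before: {len(before)}, after: {len(leaks)}")
    print(rewritten)
```

To use the check against your own deployment, replace the constants with your server's host name and port and the published URL, and feed `find_internal_host` the body of a response fetched through the Access Gateway: any non-empty result is an encoding the profile does not yet cover. The same approach applies to Table 3-1, with its replace strings substituted.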