SharePoint extranet access with Forefront UAG is documented on Microsoft TechNet. However, it might be hard to read through all the articles without having explanatory configuration screenshots. The greatest challenge for me was to get the SharePoint Alternate Access Mappings configured correctly. Therefore, this article provides an end-to-end configuration example of how to publish SharePoint with UAG.
The following configuration assumes that HTTPS is used between the client computer and UAG while HTTP is used between UAG and SharePoint. UAG terminates SSL, so the traffic between UAG and SharePoint, including user session cookies and page content, crosses the internal network in cleartext; this is acceptable only if that network segment is trusted.
- As a preparation step, a new HTTPS portal trunk must be set up. Application trunks don't support SharePoint publishing.
- Once the portal trunk is set up, add a new application to the portal.
- In Step 1 of the Add Application Wizard, select Office SharePoint Server 2007 from the list of Web applications and click Next.
- Enter the Application Name and click Next.
- Select the Endpoint Security settings and click Next.
- Select the type of Application Deployment and click Next.
- In Step 5, in the Addresses field, enter the network name of the SharePoint server. The network name must be resolvable on the UAG server.
Note: If you are using Kerberos authentication at the SharePoint server, it is mandatory to use a fully qualified host name (FQDN) in the Addresses field. You cannot use an IP address because an IP address cannot be mapped to a service principal name (SPN). For Kerberos authentication, the HTTP SPN for this network name (HTTP/f3-moss2007.f3contoso.com in this example) must be registered in Active Directory on the account under which the SharePoint web application's application pool runs. This is the computer account of the SharePoint server only if the pool runs as a built-in identity such as Network Service; if the pool runs under a domain service account, the SPN belongs on that account instead.
In this example, HTTP is used for all communication between UAG and SharePoint, therefore port 80 is configured as the HTTP port. Also, specify the public host name of the SharePoint site. Note that the public name must be configured as an Alternate Access Mapping in SharePoint.
- In step 6, set the authentication server and click Next.
- In step 7, verify the settings in the portal link and ensure that the Application URL matches the public host name that was configured in step 5. Click Next. Note that the Application URL uses https because in this example, the portal is protected with SSL. The Application URL defines the external URL used by a client computer accessing the published SharePoint server.
- Configure authorization for the application and click Next.
- Click Finish to end the wizard.
Continue on the SharePoint server with the following configuration steps:
- Open the Central Administration.
- Click on Operations in the left pane.
- In the Global Configuration section, click on Alternate access mappings.
- Select the AAM collection that is to be published with UAG.
- Click on Edit Public URLs.
- In the Public Zone URLs, enter the value that was set as Application URL in UAG. You can choose any available zone. Click Save.
- Back in the Alternate Access Mappings, click Add Internal URLs.
- In the following screen, enter the public URL that was configured in UAG for the application. Make sure that you use HTTP instead of HTTPS. This is because in this example, HTTP is used between UAG and SharePoint: UAG terminates SSL and forwards the request to SharePoint over HTTP with the public host name, so SharePoint sees the request as http://moss.f3contoso.com. SharePoint matches this incoming URL against the internal URLs to determine the zone, and then builds the absolute links in its responses from that zone's public URL. Without this internal URL, the request does not map to the zone and the generated links will not point back through UAG. Choose the same zone that you chose when editing the public URLs. Click Save.
- After applying the configuration for the SharePoint Alternate Access Mappings, the chosen zone should list https://moss.f3contoso.com as its public URL and http://moss.f3contoso.com as an internal URL, alongside the existing mapping for the internal server name.
At this point, the SharePoint site is published with UAG and can be tested out.
A few more words on the network names used in this configuration: f3-moss2007.f3contoso.com is used by UAG to access the SharePoint server. This name can be anything that is resolvable on the UAG server. Even an IP address can be used, as long as Kerberos constrained delegation is not used (see the note above). The name moss.f3contoso.com must be resolvable by the client computer (it must resolve to UAG, not to the SharePoint server), is required as Application URL and public host name in the UAG configuration, and must be set as an Alternate Access Mapping in SharePoint.
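To make the mapping logic concrete, the following is an added example that models how SharePoint resolves Alternate Access Mappings for the scenario above; it is not SharePoint or UAG code, and it is not from the original article. It uses the article's host names (f3-moss2007.f3contoso.com and moss.f3contoso.com); the choice of the Extranet zone and the Default zone's public URL are assumptions. The model treats an incoming URL with no matching internal URL as a configuration error rather than reproducing the product's exact fallback behaviour. The `check_uag_publishing` function is the check a practitioner would run before testing: it verifies that the UAG Application URL is a zone's public URL and that the host name UAG forwards over HTTP exists as an internal URL in the same zone, and it catches the common mistake of entering the internal URL with https instead of http.

```python
"""Model of SharePoint Alternate Access Mappings (AAM) for UAG publishing.

Constructed example, not SharePoint code. Tables mirror what the article's
Central Administration steps produce; zone names are assumptions.
"""
from urllib.parse import urlsplit

# Public URL per zone (Central Administration -> Edit Public URLs).
PUBLIC_URLS = {
    "Default": "http://f3-moss2007.f3contoso.com",   # assumed default zone URL
    "Extranet": "https://moss.f3contoso.com",         # Application URL set in UAG
}

# Incoming (internal) URL -> zone (Central Administration -> Add Internal URLs).
# UAG forwards the public host name over HTTP, so the entry must be http.
INTERNAL_URLS = {
    "http://f3-moss2007.f3contoso.com": "Default",
    "http://moss.f3contoso.com": "Extranet",
}

# The mistake the article warns about: internal URL entered with https.
WRONG_INTERNAL_URLS = {
    "http://f3-moss2007.f3contoso.com": "Default",
    "https://moss.f3contoso.com": "Extranet",
}


def origin(url: str) -> str:
    """scheme://host[:port], lower-cased; AAM matches on exactly this part."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def resolve_zone(internal_urls: dict, incoming_url: str):
    """Zone whose internal URL matches the request as it arrives at SharePoint."""
    return internal_urls.get(origin(incoming_url))


def rewrite_link(public_urls: dict, internal_urls: dict,
                 incoming_url: str, path: str) -> str:
    """Absolute URL SharePoint emits in a page for the request's zone.

    Model assumption: an unmapped incoming URL is an error.
    """
    zone = resolve_zone(internal_urls, incoming_url)
    if zone is None:
        raise LookupError(f"no AAM internal URL for {origin(incoming_url)}")
    return public_urls[zone].rstrip("/") + path


def check_uag_publishing(public_urls: dict, internal_urls: dict,
                         application_url: str, backend_url: str) -> list:
    """Validate the UAG Application URL and backend address against the AAM table.

    Returns a list of findings; an empty list means the mappings are consistent.
    """
    findings = []
    pub = origin(application_url)
    # UAG keeps the public host name but uses the backend's scheme (HTTP here).
    forwarded = f"{urlsplit(backend_url).scheme}://{urlsplit(application_url).netloc}".lower()
    zone = internal_urls.get(forwarded)
    if zone is None:
        findings.append(f"missing internal URL {forwarded}")
    elif origin(public_urls[zone]) != pub:
        findings.append(f"zone {zone} public URL is {public_urls[zone]}, expected {pub}")
    if pub not in {origin(u) for u in public_urls.values()}:
        findings.append(f"{pub} is not the public URL of any zone")
    return findings


if __name__ == "__main__":
    app, backend = "https://moss.f3contoso.com", "http://f3-moss2007.f3contoso.com"
    print("correct table:", check_uag_publishing(PUBLIC_URLS, INTERNAL_URLS, app, backend))
    print("https by mistake:", check_uag_publishing(PUBLIC_URLS, WRONG_INTERNAL_URLS, app, backend))
    print(rewrite_link(PUBLIC_URLS, INTERNAL_URLS, "http://moss.f3contoso.com", "/default.aspx"))
```

Running the script shows no findings for the article's configuration, a "missing internal URL http://moss.f3contoso.com" finding when the internal URL was entered with https, and a link rewritten to https://moss.f3contoso.com/default.aspx for a request that UAG forwarded as http://moss.f3contoso.com. On SharePoint 2007 the same two mappings can also be created from the command line with stsadm -o addzoneurl (public URL) and stsadm -o addalternatedomain (internal URL) instead of Central Administration.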