Configuring SharePoint publishing

When Microsoft Office SharePoint Server sites are exposed to Internet users, Forefront TMG can help make these sites available to external users without compromising the security of your organization’s network. Forefront TMG protects internal content by intercepting incoming requests for Web servers and responding on their behalf.

To configure SharePoint publishing

In the Forefront TMG Management console, in the tree, click the Firewall Policy node.
In the Tasks pane, click the Toolbox tab.
On the Toolbox tab, click Network Objects, click New, and then select Web Listener to open the New Web Listener Wizard.

Complete the New Web Listener Wizard as outlined in the following table.

Page	Field or property			Setting or action
Welcome to the New Web Listener Wizard	Web listener name			Type a name for the Web listener. For example, type SharePoint Listener.
Client Connection Security				Select Require SSL secured connections with clients.
Web Listener IP Addresses	Listen for incoming Web requests on these networks			Select the External network. Click Select IP Addresses, and select Specified IP Addresses on the Forefront TMG computer in the selected network. Under Available IP Addresses, select the IP address for the SharePoint site, click Add, and then click OK.
Listener SSL Certificates			Select Use a single certificate for this Web listener, click Select Certificate, and select a certificate for which the host name that users use to access the published SharePoint site appears in the Issued To field.
Authentication Settings		Select how clients will provide credentials to Forefront TMG	Select HTTP authentication (the default option) Select Basic. If Forefront TMG is deployed in a domain, you can also select Integrated. In a workgroup deployment, you can select only Basic.
		Select how Forefront TMG will validate client credentials	If you selected Basic authentication and Forefront TMG is deployed in a domain, select Windows (Active Directory). If you selected Basic authentication in a workgroup deployment, you can select LDAP (Active Directory) or RADIUS.
Single Sign On Settings		Enable SSO for Web sites published with this listener	Single sign on is only available when forms-based authentication is used.
Completing the New Web Listener Wizard			Review the settings and click Finish.

In the Tasks pane, click the Tasks tab.
On the Tasks tab, click Publish SharePoint Sites to open the New SharePoint Publishing Rule Wizard.

Complete the New SharePoint Publishing Rule Wizard as outlined in the following table.

Page	Field or property	Setting or action
Welcome to the New SharePoint Publishing Rule Wizard	SharePoint publishing rule name	Type a name for the SharePoint publishing rule. For example, type SharePoint.
Select Rule Action	Action	Allow
Publishing Type		Select Publish a single Web site or load balancer. If you want to select Publish a server farm of load-balanced Web servers, you will need to create a server farm of SharePoint servers.
Server Connection Security		Select Use SSL to connect the published Web server or Web farm. This option requires installation on the SharePoint server of an SSL server certificate for which the host name in the Host header that Forefront TMG uses to contact the SharePoint server appears in the Issued To field.
Internal Publishing Details	Internal site name	Type the host name that internal users supply in a URL to reach the SharePoint site. If you are publishing a single SharePoint server and the internal site name specified in this field is not resolvable and is not the computer name or IP address of the published server, select Use a computer name or IP address to connect to the published server, and type the resolvable computer name or IP address of the published server.
Public Name Details	Accept requests for	Select This domain name (type below).
	Public name	Type the public fully qualified domain name (FQDN) or IP address that external users will use to access the published SharePoint site.
Select Web Listener	Web Listener	In the drop-down list, select the Web listener that you created in Step 4. You can then click Edit to modify properties of the Web listener selected.
Authentication Delegation	Select the method used by Forefront TMG to authenticate to the published Web server	Select Basic authentication.
Alternate Access Mapping Configuration		Select the applicable option.
User Sets	This rule applies to requests from the following user sets	Do not change the default All Authenticated Users.
Completing the New SharePoint Publishing Rule Wizard		Review the settings and click Finish.

In the details pane, click the Apply button to save and update the configuration, and then click OK.

Note:
For SSL connections between users and Forefront TMG, an SSL server certificate that was issued to the host name of the published SharePoint site must be installed in the Personal store for the local computer on every Forefront TMG computer in the array. For more information about obtaining and installing an SSL server certificate, see Configuring server certificates for secure Web publishing. On the Web Listener IP Addresses page of the New Web Listener Wizard, you can also select Default IP addresses for network adapters on this network. If Network Load Balancing is enabled, this option will automatically select the virtual IP address. Otherwise, the default IP address will be automatically selected for each network adapter. If you configure Integrated authentication in Forefront TMG, you cannot have Integrated authentication on the SharePoint server. With Basic authentication, you can have authentication on the Forefront TMG computer and on the SharePoint server. If you use RADIUS credentials validation, the Forefront TMG computer must be registered as a RADIUS client on the RADIUS server, and the RADIUS system policy rule must be enabled to allow RADIUS traffic from the Forefront TMG computer (Local Host network) to the Internal network. This rule assumes that the RADIUS server is located in the Internal network. If you select RADIUS or LDAP credentials validation, you must edit the properties of the Web listener that you create to specify the RADIUS or LDAP servers that will be queried for authentication. Forefront TMG treats a farm of servers behind a load balancing device as a single server. Although this option is supported for publishing a load-balanced farm, we recommend that you use the integrated load balancing support provided by a server farm created in Forefront TMG, rather than a load balancing device. Forefront TMG publishing for server farms provides improved client affinity, which can be configured to operate using a cookie, rather than depending on the client IP address. This is a distinct advantage in a situation where a device between the load balancing device and Forefront TMG, such as a NAT device, hides the client IP address. The New SharePoint Publishing Rule Wizard configures the new Web publishing rule to forward the original Host header instead of a Host header corresponding to the name or IP address specified in the Internal site name field. For information about configuring alternate access mapping, see Configuring alternate access mappings on a SharePoint server. For more information about other settings in Web publishing rules, see Planning for publishing.

Note:

For SSL connections between users and Forefront TMG, an SSL server certificate that was issued to the host name of the published SharePoint site must be installed in the Personal store for the local computer on every Forefront TMG computer in the array. For more information about obtaining and installing an SSL server certificate, see Configuring server certificates for secure Web publishing.
On the Web Listener IP Addresses page of the New Web Listener Wizard, you can also select Default IP addresses for network adapters on this network. If Network Load Balancing is enabled, this option will automatically select the virtual IP address. Otherwise, the default IP address will be automatically selected for each network adapter.
If you configure Integrated authentication in Forefront TMG, you cannot have Integrated authentication on the SharePoint server. With Basic authentication, you can have authentication on the Forefront TMG computer and on the SharePoint server.
If you use RADIUS credentials validation, the Forefront TMG computer must be registered as a RADIUS client on the RADIUS server, and the RADIUS system policy rule must be enabled to allow RADIUS traffic from the Forefront TMG computer (Local Host network) to the Internal network. This rule assumes that the RADIUS server is located in the Internal network.
If you select RADIUS or LDAP credentials validation, you must edit the properties of the Web listener that you create to specify the RADIUS or LDAP servers that will be queried for authentication.
Forefront TMG treats a farm of servers behind a load balancing device as a single server. Although this option is supported for publishing a load-balanced farm, we recommend that you use the integrated load balancing support provided by a server farm created in Forefront TMG, rather than a load balancing device. Forefront TMG publishing for server farms provides improved client affinity, which can be configured to operate using a cookie, rather than depending on the client IP address. This is a distinct advantage in a situation where a device between the load balancing device and Forefront TMG, such as a NAT device, hides the client IP address.
The New SharePoint Publishing Rule Wizard configures the new Web publishing rule to forward the original Host header instead of a Host header corresponding to the name or IP address specified in the Internal site name field.
For information about configuring alternate access mapping, see Configuring alternate access mappings on a SharePoint server.
For more information about other settings in Web publishing rules, see Planning for publishing.

To configure SharePoint publishing

Related Topics

Concepts