July 23, 2014

Microsoft Corporation

Abstract


This document provides information about how to configure Microsoft® Windows® Small Business Server 2003 to host a new Windows SharePoint Services Web site that can be used by people outside your local network.


Information in this document, including URL and other Internet Web site references, is subject to change without notice. The example companies, organizations, products, people, and events depicted herein are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, SharePoint, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.



Many organizations require an efficient way to share files, folders, and resources and easily collaborate on the same document with people outside of the network. Using the Windows SharePoint Services solution in Windows Small Business Server 2003, organizations can now easily collaborate with users outside of the local network to satisfy this business need.

This document does not include information about publishing a SharePoint site accessible to external users using Microsoft Internet Security and Acceleration (ISA) Server.

Before hosting a SharePoint Web site for collaborating with external users, you must have completed Windows Small Business Server 2003 Setup, including the Connect to the Internet task on the To Do List. In addition, you must also have a registered domain name with an accredited registrar.

This section includes information about SharePoint Services and some terms and definitions used throughout the document.

What Is Windows SharePoint Services?

SharePoint Services provides a new way for teams to work together. Because SharePoint provides the ability to upload, save, and collaborate on documents on the Web, users can communicate ideas and share information more easily. By using SharePoint Services, you can create, author, and administer ad hoc team Web sites that help a team organize a project.

Terms and Definitions

Before beginning the process of hosting a SharePoint Web site, become familiar with the following terms and definitions.

Internal users: Users who have access to all features of Windows Small Business Server.

External users: Users who have access only to the SharePoint Web site.

Anonymous users: Users who do not have a Windows Small Business Server 2003 server account on the server (for example, Web site visitors).

Authenticated users: Users who have a Windows Small Business Server 2003 server account on the server.

Web site: A virtual server that resides on a Web server but appears to the user as a separate Web server. Several Web sites can reside on one computer, each capable of running its own programs. Each Web site has its own fully qualified domain name, and each appears to the user as an individual Web site. Also called a virtual server.

Host header names: Host header names are used to identify Web sites, such as www.wingtiptoys.com. A server running Internet Information Services (IIS) can host multiple Web sites using a single IP address. Each Web site is said to be running on a virtual server. Host header names make it possible to host multiple Web sites using one IP address and a single unique name. For example, if you register two domains (wingtiptoys.com and contoso.com), wingtiptoys.com and contoso.com can go to separate virtual servers.

Fully qualified domain name (FQDN): A domain name system (DNS) name that uniquely identifies the computer on the network.

DNS (A) resource records: Also known as host address (A) resource records. An A resource record maps a server name to an IP address.

Domain alias: Also called a canonical name (CNAME) resource record. A CNAME resource record points a new name to an already established DNS A resource record.

Secure Sockets Layer (SSL): A protocol that supplies secure data communication through data encryption and decryption. It can be used for Web applications that require a secure link, such as e-commerce applications, or for controlling access to Web-based subscription services.

Anonymous authentication: An authentication mechanism that does not require user accounts and passwords. Anonymous authentication is used on the Internet to grant visitors restricted access to predefined public resources.

Deploying a SharePoint site accessible outside of the network includes the following steps:

1.       Plan the Web site.

2.       Prepare for publishing the Web site.

3.       Create the Web site.

4.       Enable secure communication between the Web server and the client computer.

5.       Add a SharePoint site to the Web site and apply the Team Site template.

6.       Set up user accounts for external users.

7.       Enable user access to the SharePoint site.

8.       Configure the site to be accessed from the Intranet.

If you plan to publish multiple SharePoint sites on the computer running Windows Small Business Server 2003, you must complete all the preceding steps for each site.

When creating a site that is accessible to external users, obtain the following information:

1.       Determine the type of connection to the Internet. You may have one of the following types of connections to the Internet.

·         Router connection and one network adapter

This broadband connection type requires a router, such as a dial-on-demand router or ISDN router. An IP address is supplied by your ISP for the external interface (the interface that connects to the Internet) of the router. The local router is the gateway and firewall to the Internet, as shown in Figure 1.

Figure 1 - Router connection and one network adapter

·         Direct broadband connection

This broadband connection type requires a network device, such as a cable modem or DSL modem. An IP address is not assigned to the actual Internet connection device. Additionally, two network adapters are required, as shown in Figure 2. One network adapter connects your computer to the Internet and the other connects your computer to the local network (and client computers).

In this configuration, your server is the gateway to the Internet.

Figure 2 - Direct broadband connection (requires two network adapters)

2.       Determine internal and external IP addresses. Collect information about IP addresses for internal and external network cards on the computer running Windows Small Business Server 2003. You can use the ipconfig command to get information about the internal and external IP addresses.

3.       Determine host header names for the Web site. Choose the host header names that will be used to access the SharePoint site from the Internet (http://extranet.wingtiptoys.com) and from the intranet (http://extranet).

4.       Determine security requirements. Decide whether you want to secure your Web site by using SSL to encrypt confidential information exchanged to and from the Web server. It is highly recommended that you use SSL.

5.       Determine the site owner for the SharePoint Web site. The site owner is responsible for maintaining and managing the site. The person responsible for managing the SharePoint site should be a member of either the Domain Admins group or the Domain Power Users group.

6.       Determine whether to allow anonymous access to the SharePoint site. Decide whether you want users to be authenticated in order to access the Web site.

7.       Create a security group and determine the user accounts that need to be created. You need to create a new security group that will have all external users as its members. Members of this security group will have access to the SharePoint site but will not have any other privileges.

In addition, you must determine the number of external user accounts that need to be created based on the number of collaborators. A separate user account may be created for each customer with whom you would like to collaborate on a project. For example, if you are collaborating on a project with three other companies, you might create three separate user accounts (company1user, company2user, and company3user), one for each company.

Based on your planning decisions and your Internet connection type, you may have one of the following configurations:

·         One network adapter/without SSL

·         One network adapter/with SSL

·         Two network adapters/without SSL

·         Two network adapters/with SSL

The process steps for publishing the SharePoint Web site for external users differ, depending on how your environment is configured.

Complete Table 1 with the information collected in this section. You will need this information when publishing and configuring your SharePoint site to be accessible by external users.

Table 1. Information required for completing steps in publishing the SharePoint site for external users

Description                                                      Item
IP address of ISP (or external) network adapter (if needed)      ___________________
IP address of local (or internal) network adapter                ___________________
Host header name for Web site when accessed from the Internet    ___________________
Host header name for Web site when accessed from the intranet    ___________________
Use SSL? (strongly recommended)                                  Yes/No
Site owner                                                       ___________________
Allow anonymous user access?                                     Yes/No
Additional purchased static IP address                           ___________________
Use an existing Web server certificate?                          Yes/No

 

The steps involved in preparing for your Web site vary, based on the decision that you made in Step 1 regarding whether you want to secure your Web site by using SSL to encrypt confidential information exchanged to and from the Web server.

Proceed to Step 2a if you have decided to use SSL; otherwise, continue to Step 2b.

Note

We recommend enabling SSL to secure communications to and from the Web server if you are creating your SharePoint site to share business-critical information with your customers. However, using SSL requires more process steps when configuring the computer running Windows Small Business Server 2003 to publish a SharePoint site that is accessible to external users.


Step 2a. Preparing for Publishing the Web Site by Using SSL

Complete this step only if you are planning to use SSL to secure communications to and from your Web server; otherwise, proceed to step 2b.

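You can secure your site by using SSL to encrypt the data exchanged between the server hosting the Web site and the Web browser. Host headers do not function when you use SSL because IIS does not support the use of host headers with SSL: the host header is sent inside the encrypted request, so the server has to choose the Web site and its certificate from the IP address and port alone. This is why the SSL configurations in this document use a separate IP address for the site.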
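The following added example (not part of the original document and not IIS code) is a simplified model of site selection that shows why a host header is enough to separate sites on port 80 but a second SSL site needs its own IP address. The addresses and host names are this document's examples; the Default Web Site bindings are assumed for illustration.

```python
"""Added example: simplified model of how a Web server picks a site.

Not IIS code. Addresses and host names are the examples used in this
document; the Default Web Site bindings are assumed for illustration.
"""
from collections import defaultdict
from typing import NamedTuple


class Binding(NamedTuple):
    site: str
    ip: str
    port: int
    host_header: str  # "" corresponds to "Default none" in the wizard
    ssl: bool


def select_site(bindings, ip, port, host):
    """Plain HTTP: the Host header arrives in clear text, so it can
    distinguish several sites that share one IP address and port."""
    candidates = [b for b in bindings
                  if not b.ssl and b.ip == ip and b.port == port]
    for b in candidates:
        if b.host_header and b.host_header.lower() == host.lower():
            return b.site
    for b in candidates:  # fall back to the site with no host header
        if not b.host_header:
            return b.site
    return None


def ssl_endpoint_conflicts(bindings):
    """SSL: the certificate is presented before the encrypted request (and
    its Host header) can be read, so only IP address and port identify the
    site. Return every SSL endpoint claimed by more than one site."""
    by_endpoint = defaultdict(list)
    for b in bindings:
        if b.ssl:
            by_endpoint[(b.ip, b.port)].append(b.site)
    return {ep: sites for ep, sites in by_endpoint.items() if len(sites) > 1}


# Constructed layouts. Without SSL, both sites share 206.73.118.1:80.
HTTP_LAYOUT = [
    Binding("Default Web Site", "206.73.118.1", 80, "", False),
    Binding("SharePoint Extranet", "206.73.118.1", 80,
            "extranet.wingtiptoys.com", False),
]
# With SSL on the same address, the host header cannot separate the sites.
SSL_SHARED_IP = [
    Binding("Default Web Site", "206.73.118.1", 443, "", True),
    Binding("SharePoint Extranet", "206.73.118.1", 443,
            "extranet.wingtiptoys.com", True),
]
# With the purchased address, each SSL site has its own endpoint.
SSL_PURCHASED_IP = [
    Binding("Default Web Site", "206.73.118.1", 443, "", True),
    Binding("SharePoint Extranet", "206.73.118.2", 443, "", True),
]

if __name__ == "__main__":
    print(select_site(HTTP_LAYOUT, "206.73.118.1", 80,
                      "extranet.wingtiptoys.com"))
    print(ssl_endpoint_conflicts(SSL_SHARED_IP))
    print(ssl_endpoint_conflicts(SSL_PURCHASED_IP))
```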

Complete Table 1 with the information collected in this section. You will need this information when publishing and configuring your SharePoint site to be accessible by external users.

The process for preparing to publish the Web site by using SSL varies, based on whether the computer running Windows Small Business Server 2003 has one or two network adapters. If your configuration includes two network adapters, proceed to step 2a-1; otherwise, proceed to step 2a-2.

Step 2a-1. Preparing to use SSL for two network adapters/with SSL

Complete this step only if your network configuration includes two network adapters; otherwise, proceed to step 2a-2.

If your network has two network adapters, you must do the following:

·         Purchase an additional static IP address from an Internet service provider (ISP) and create an A resource record with your ISP.

·         Configure your external network adapter with the new IP address.

Purchasing an additional static IP address and adding a host (A) resource record

Contact your ISP to obtain an additional static IP address in order to access your SharePoint site from the Internet. In addition, ask them to create an (A) resource record that points to the newly purchased static IP address.

Note

Adding an additional static IP address requires that your existing IP address also be static.


Configuring your ISP (or external) network adapter with the new IP address

You must configure your external network adapter with the purchased IP address.

To configure a network adapter with an IP address

1.       Click Start, click Server Management, and then click Internet and E-mail.

2.       In the details pane, click Configure Network Connections.

3.       Under LAN or High Speed Internet, right-click Network Connection, and then click Properties.

4.       In the Network Connection Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.

5.       In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced. The Advanced TCP/IP Settings dialog box appears.

6.       In the IP address field, click Add. In the TCP/IP Address dialog box, enter the purchased IP address and subnet mask of the ISP (or external) network adapter.

After configuring your ISP (or external) network adapter with the new IP address, proceed to Step 3 to create the new Web site.

Step 2a-2. Preparing to use SSL for one network adapter/with SSL

Complete this step only if your network configuration includes one network adapter.

If your network configuration includes one network adapter and a router, you must ensure that it supports multiple IP addresses. In addition, you must do the following:

·         Purchase an additional static IP address from an Internet service provider (ISP) in order to access your SharePoint site from the Internet and create an (A) resource record with your ISP.

·         Configure your network adapter with an additional IP address.

·         Add the IP address to the router, and configure your router to forward the purchased IP address to the new internal IP address.

Purchasing an additional static IP address and adding a host (A) resource record

Contact your ISP to obtain an additional static IP address. In addition, ask them to create an (A) resource record that points to the newly purchased static IP address.

Note

Adding an additional static IP address requires that your existing IP address also be static.


Configuring your local (or internal) network adapter with the new IP address

You also need to configure your internal network adapter with an additional IP address. Ensure that the additional IP address is within the same IP address range used by the existing local network adapter’s IP address (for example, 192.168.16.2 and 192.168.16.3) and that the additional IP address is excluded from the scope of IP addresses distributed by the DHCP server.
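The two conditions above can be checked before the address is entered. This is an added example, not part of the original document; the subnet mask and the DHCP scope boundaries are assumed values, and only 192.168.16.2 and 192.168.16.3 come from the text.

```python
"""Added example: validate the additional internal IP address.

The subnet mask and DHCP scope used in the sample call are assumptions;
substitute the values configured on your own server.
"""
import ipaddress


def check_additional_ip(existing, netmask, candidate,
                        dhcp_first, dhcp_last, dhcp_exclusions=()):
    """Return a list of problems; an empty list means the candidate is in
    the existing adapter's subnet and will not be handed out by DHCP."""
    net = ipaddress.ip_network(f"{existing}/{netmask}", strict=False)
    cand = ipaddress.ip_address(candidate)
    problems = []

    if cand == ipaddress.ip_address(existing):
        problems.append("same as the existing adapter address")
    if cand not in net:
        problems.append(f"outside the adapter's subnet {net}")
    elif cand in (net.network_address, net.broadcast_address):
        problems.append("network or broadcast address of the subnet")

    first = ipaddress.ip_address(dhcp_first)
    last = ipaddress.ip_address(dhcp_last)
    excluded = {ipaddress.ip_address(a) for a in dhcp_exclusions}
    if first <= cand <= last and cand not in excluded:
        problems.append("inside the DHCP scope and not excluded")
    return problems


if __name__ == "__main__":
    # 192.168.16.2 and 192.168.16.3 are the document's example addresses;
    # the mask and the scope 192.168.16.10-254 are constructed.
    print(check_additional_ip("192.168.16.2", "255.255.255.0",
                              "192.168.16.3",
                              "192.168.16.10", "192.168.16.254"))
```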

To configure a network adapter with an IP address

1.       Click Start, click Server Management, and then click Internet and E-mail.

2.       In the details pane, click Configure Network Connections.

3.       Under LAN or High Speed Internet, right-click Network Connection, and then click Properties.

4.       In the Network Connection Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.

5.       In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced. The Advanced TCP/IP Settings dialog box appears.

6.       In the IP address field, click Add. In the TCP/IP Address dialog box, enter an additional IP address and subnet mask of the local (or internal) network adapter.

Configuring the router to allow access to the new IP address

You must configure your router to allow access to the purchased IP address. You need to map the newly purchased IP address of the router’s external interface to the newly added IP address of the local (internal) network adapter. You need to ensure that the router supports multiple IP addresses and also supports port forwarding. See the documentation included with your router to configure your router.

After configuring your router to allow access to the new IP address, proceed to Step 3 to create the new Web site.

Step 2b. Preparing for Publishing the Web Site Without Using SSL

To publish a Web site without using SSL, contact your Internet domain name registrar and ask them to create a new name record that points to the server’s external IP address.

In this step, you create your Web site by using the Web Site Creation Wizard. Your IP address and port settings information varies, depending on your network configuration.

To create a Web site

1.       Click Start, and then click Server Management.

2.       In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click <servername>, and then select Web Sites.

3.       Right-click Web sites, select New, and then click Web Site. The Web Site Creation Wizard appears.

4.       Based on your network configuration type, you will use different settings to configure your server. Table 3 lists the table you should use for each network configuration type. Accept default settings if the table does not specify a setting.

Table 3. Different configuration types and their corresponding tables

Configuration type                  Use
Two network adapters/without SSL    Table 4
Two network adapters/with SSL       Table 5
One network adapter/without SSL     Table 6
One network adapter/with SSL        Table 7

 

Table 4. Information needed to complete the Web Site Creation Wizard for two network adapters/without SSL configuration type.

Wizard Page

Action

Web Site Description

Type the name of the SharePoint site (for example, SharePoint Extranet) that you would like to host on this virtual server.

IP Address and Port Settings

1.      For Enter IP address to use for this Web site, select the IP address of the ISP (or external) network adapter (for example, 206.73.118.1, as shown in Figure 3) from the drop-down list.

2.      For TCP port this Web site should use (Default 80), enter 80.

3.      For Host header for this Web site (Default none), enter a host header for the Web site (for example, extranet.wingtiptoys.com).

Figure 3 - Direct broadband connection (two network adapters/without SSL configuration type).

Web Site Home Directory

Create a folder for your SharePoint site home directory.

To create a folder for the SharePoint site home directory, click Browse. Navigate to the Inetpub folder (%Systemdrive%\Inetpub), click Make New Folder, and then enter the name (for example, SharePoint Extranet) of the new folder.

Web Site Access Permissions

Select Read and Run Scripts (such as ASP).

 

Table 5. Information needed to complete the Web Site Creation Wizard for two network adapters/with SSL configuration type.

Wizard Page

Action

Web Site Description

Type the name of the SharePoint site (for example, SharePoint Extranet) that you would like to host on this virtual server.

IP Address and Port Settings

1.      For Enter IP address to use for this Web site, select the purchased IP address (for example, 206.73.118.2, as shown in Figure 4).

2.      For TCP port this Web site should use (Default 80), enter 80.

3.      For Host header for this Web site (Default none), keep the default.

Figure 4 - Direct broadband connection (two network adapters/with SSL configuration type)

Web Site Home Directory

Create a folder for your SharePoint site home directory.

To create a folder for the SharePoint site home directory, click Browse. Navigate to the Inetpub folder (%Systemdrive%\Inetpub), click Make New Folder, and then enter the name (for example, SharePoint Extranet) of the new folder.

Web Site Access Permissions

Select Read and Run Scripts (such as ASP).

 

Table 6. Information needed to complete the Web Site Creation Wizard for one network adapter/without SSL configuration type.

Wizard Page

Action

Web Site Description

Type the name of the SharePoint site (for example, SharePoint Extranet) that you would like to host on this virtual server.

IP Address and Port Settings

1.      For Enter IP address to use for this Web site, select the IP address of the local network adapter (for example, 192.168.16.2, as shown in Figure 5) from the drop-down list.

2.      For TCP port this Web site should use (Default 80), enter 80.

3.      For Host header for this Web site (Default none), enter a host header for the Web site (for example, extranet.wingtiptoys.com).

Figure 5 - Router connection with one network adapter (one network adapter/without SSL configuration type)

Web Site Home Directory

Create a folder for your SharePoint site home directory.

To create a folder for the SharePoint site home directory, click Browse. Navigate to the Inetpub folder (%Systemdrive%\Inetpub), click Make New Folder, and then enter the name (for example, SharePoint Extranet) of the new folder.

Web Site Access Permissions

Select Read and Run Scripts (such as ASP).

 

Table 7. Information needed to complete the Web Site Creation Wizard for one network adapter/with SSL configuration type.

Wizard Page

Action

Web Site Description

Type the name of the SharePoint site (for example, SharePoint Extranet) that you would like to host on this virtual server.

IP Address and Port Settings

1.      For Enter IP address to use for this Web site, select the IP address of the local network adapter (for example, 192.168.16.3, as shown in Figure 6) from the drop-down list.

2.      For TCP port this Web site should use (Default 80), enter 80.

3.      For Host header for this Web site (Default none), keep the default (none).

Figure 6 - Router connection with one network adapter (one network adapter/with router/with SSL configuration type)

Web Site Home Directory

Create a folder for your SharePoint site home directory.

To create a folder for the SharePoint site home directory, click Browse. Navigate to the Inetpub folder (%Systemdrive%\Inetpub), click Make New Folder, and then enter the name (for example, SharePoint Extranet) of the new folder.

Web Site Access Permissions

Select Read and Run Scripts (such as ASP).

 

After creating the Web site, if you plan to enable secure communications to and from the Web server by using SSL, proceed to Step 4; otherwise, proceed to Step 5 to add a SharePoint site to the Web site and to apply the Team Site template.

You must enable SSL if you decided to create a secure Web site. It is highly recommended that you enable SSL in order to encrypt information exchanged to and from the Web server.

Complete this step only if you want to enable SSL on your virtual server hosting the Web site. If you do not want to enable encryption on your SharePoint site, proceed to Step 5.

To secure communications to and from the Web server, you need to do the following:

1.       Use a Web server certificate.

2.       Enable SSL on the Web site.

Step 4a. Using a Web server certificate

To allow access to the Web site on your server from the Internet by using the Configure E-mail and Internet Connection Wizard, you must use a Web server certificate. The certificate is used to configure the Secure Sockets Layer (SSL) to secure communications between a Web browser and your Web server. You can either use a Web server certificate, which is automatically created when you run the Configure E-mail and Internet Connection Wizard, or you can use a certificate that is signed by a commercial certification authority (CA), such as VeriSign.

At this point, you must have already run the Configure E-mail and Internet Connection Wizard once and must have either used the wizard to create the Web server certificate or have purchased the certificate from the CA. You can purchase a certificate for the entire domain (for example, *.wingtiptoys.com) or for a single Web server.

The procedure for assigning a Web certificate to the Web site varies, depending on whether you have a global domain certificate (for example, *.wingtiptoys.com) assigned to your entire domain name or you have a single Web server certificate assigned to your Web server.

Step 4a-1. Assigning an existing global domain Web server certificate to the extranet site

Complete this step if you have purchased a certificate for your entire domain; otherwise, proceed to Step 4a-2 to assign an existing Web server certificate.

If you have purchased a domain certificate for your entire domain (for example *.wingtiptoys.com), you can assign this global domain certificate to your extranet site.

To assign an existing global domain Web server certificate to the extranet site

1.       Click Start, and then click Server Management.

2.       In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

3.       Right-click the virtual server name (for example, SharePoint Extranet) that you want to add the existing global domain certificate to and then click Properties.

4.       On the Directory Security tab, under Secure communications, click Server Certificate.

5.       In the Web Server Certificate Wizard, complete the following:

a.        On the Server Certificate page, select Assign an existing certificate.

b.        On the Available Certificates page, select the certificate (for example, *.wingtiptoys.com) that you created for your entire domain.

6.       Follow the instructions to complete the wizard.

After assigning the existing global domain Web server certificate to your extranet site, proceed to Step 4b to enable SSL on the extranet site.

Step 4a-2. Assigning an existing Web server certificate to the extranet site

At this point, you must have already run the Configure E-mail and Internet Connection Wizard once and must have a Web server certificate that is created by the wizard or signed by a CA. This certificate is assigned to the Default Web Site and the companyweb site.

If you use your existing Web server certificate for the SharePoint site, every time a user logs on to the Web site, she or he will receive a warning stating that the name of the certificate is invalid or does not match the name of the site.
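The mismatch described above can be predicted by comparing each site's host name with the names in the certificate assigned to it. The following is an added example, not part of the original document; server.wingtiptoys.com is a constructed name for the existing Web server certificate, and only the Default Web Site and the extranet site are modelled.

```python
"""Added example: which sites would show a certificate name warning?

server.wingtiptoys.com is a constructed name for the existing Web server
certificate; the other names are the examples used in this document.
"""


def name_matches(cert_name, host):
    """Return True if one certificate name covers the host name.

    A wildcard counts only as the entire left-most label and stands for
    exactly one label, so *.wingtiptoys.com covers
    extranet.wingtiptoys.com but not wingtiptoys.com itself.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        if len(cert_labels) < 3:  # reject over-broad names such as *.com
            return False
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def sites_with_warning(site_hosts, assigned_cert_names):
    """site_hosts maps site -> host name typed by users;
    assigned_cert_names maps site -> names in its assigned certificate.
    Return the sorted list of sites whose users get a mismatch warning."""
    return sorted(
        site for site, host in site_hosts.items()
        if not any(name_matches(n, host)
                   for n in assigned_cert_names.get(site, []))
    )


SITE_HOSTS = {
    "Default Web Site": "server.wingtiptoys.com",        # constructed
    "SharePoint Extranet": "extranet.wingtiptoys.com",
}
# Existing single-server certificate reused for the extranet site.
REUSED = {s: ["server.wingtiptoys.com"] for s in SITE_HOSTS}
# New extranet certificate created; it is assigned to every site until
# the original certificate is imported back.
NEW_CERT_EVERYWHERE = {s: ["extranet.wingtiptoys.com"] for s in SITE_HOSTS}
# Each site has the certificate issued for its own name.
FINAL = {s: [h] for s, h in SITE_HOSTS.items()}
# Global domain certificate on both sites.
WILDCARD = {s: ["*.wingtiptoys.com"] for s in SITE_HOSTS}

if __name__ == "__main__":
    for label, layout in [("reused", REUSED),
                          ("new cert everywhere", NEW_CERT_EVERYWHERE),
                          ("final", FINAL), ("wildcard", WILDCARD)]:
        print(label, sites_with_warning(SITE_HOSTS, layout))
```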

To eliminate the certificate mismatch warning message and improve user logon experience, you need to do the following:

1.       Export the certificate from the Default Web Site.

2.       Create a new certificate with the name of the extranet Web site.

3.       Add the newly created certificate to the extranet Web site.

4.       Import the original certificate to the Default Web Site.

5.       Import the original certificate to the companyweb Web site.

Exporting a certificate from the Default Web Site

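In this step, you save the certificate that is currently assigned to the Default Web Site by exporting it to a .pfx file, so that you can retrieve it in a later step. The .pfx file contains the certificate's private key, so protect it with a strong password and keep it where only administrators can read it.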

To export a certificate from the Default Web Site

1.       Click Start, and then click Server Management.

2.       In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

3.       Right-click Default Web Site and then click Properties.

4.       On the Directory Security tab, under Secure communications, click Server Certificate.

5.       In the Web Server Certificate Wizard, complete the following:

a.        On the Modify the Current Certificate Assignment page, select Export the current certificate to a .pfx file.

b.        On the Export Certificate page, enter the path and the file name of the file to export the certificate to.

c.        On the Certificate Password page, enter and confirm the password used to encrypt the exported .pfx file.

Creating a new Web server certificate for the extranet Web site

In this step, you create a new Web server certificate for the SharePoint site. You can create a new certificate by using one of two methods:

·         Using the Configure E-mail and Internet Connection Wizard.

·         Obtaining a new certificate from a trusted authority.

Creating a new Web server certificate by using the Configure E-mail and Internet Connection Wizard

In this step, you must rerun the Configure E-mail and Internet Connection Wizard to assign the new certificate created for the SharePoint site.

Complete this step only if you want to create a Web server certificate for your SharePoint site by using the Configure E-mail and Internet Connection Wizard; otherwise, follow the procedure for obtaining a certificate from a trusted authority.

To create a new Web server certificate by using the Configure E-mail and Internet Connection Wizard

1.       Click Start, and then click Server Management.

2.       In the console tree, click Internet and E-mail. In the details pane, click Connect to the Internet.

3.       On the Connection Type page, click Do not change connection type.

4.       On the Firewall page, click Do not change firewall configuration.

5.       On the Web Server Certificate page, click Create a new Web server certificate, and then type the full Internet name (or FQDN name) of the extranet site.

6.       On the Internet E-mail page, click Do not change Internet e-mail configuration.

7.       Follow the instructions to complete the wizard.

After creating the new Web server certificate, proceed to “Adding the new certificate to the extranet Web site.”

Obtaining a certificate from a trusted authority

Complete this step if you want to obtain a certificate from a trusted authority.

To obtain a certificate from a trusted authority, you must create a certificate request by using the Web Server Certificate Wizard in Internet Information Services (IIS).

To create a certificate request

1.       Click Start, and then click Server Management. In the console tree, click Internet and E-mail. In the details pane, click Connect to the Internet.

2.       In the console tree, click Advanced Management, click Internet Information Services, click YourServerName (local computer), and then click the Web Sites folder.

3.       Right-click the virtual server name (for example, SharePoint Extranet) that you want to add the new certificate to and then click Properties.

4.       On the Directory Security tab, under Secure communications, click Server Certificate.

5.       On the Server Certificate page of the IIS Web Server Certificate Wizard, click Create a new certificate.

6.       On the Delayed or Immediate Request page, prepare a request to be sent later or immediately, as needed.

7.       On the Name and Security Settings page, in Name, type a name for the new certificate. Next, select the appropriate bit length based on your organization’s requirement. Before submitting the certificate request, verify with the CA that it supports certificates of the corresponding encryption strength.

8.       On the Organization Information page, in Organizational Name, type the legal name of your organization. In Organizational unit, type the name of your division or department. If your organization does not have a division, you can type the legal name of your organization.

9.       On the Your Site’s Common Name page, type the common name for your site, such as extranet.wingtiptoys.com, exactly as it appears to external users.

10.    On the Geographic Information page, type the required information.

11.    On the Certificate Request File Name page, type a file name.

12.    On the Request File Summary Page, click Next.

13.    Click Finish.

Once you have completed the process for obtaining the certificate, the organization will send you the certificate along with instructions for installing the certificate.

Adding the new certificate to the extranet Web site

In this step, you must assign the Web server certificate to the extranet Web site.

To add the new certificate to the extranet Web site

62.    Click Start, and then click Server Management.

63.    In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

64.    Right-click the virtual server name (for example, SharePoint Extranet) that you want to add the new certificate to and then click Properties.

65.    On the Directory Security tab, under Secure communications, click Server Certificate.

66.    In the Web Server Certificate Wizard, complete the following:

d.        On the Server Certificate page, select an already assigned certificate that you created for the Web site.

e.        On the Available Certificates page, select the Web server certificate that you created with the FQDN of the extranet site.

f.         On the SSL Port page, enter port 443 as the SSL port to be used by the Web site.

g.        Follow the instructions to complete the wizard.

Assigning the original certificate to the Default Web Site

Any time you create a new Web server certificate, it also gets assigned to the Default Web Site and the companyweb Web site by default. When you created a new certificate for the SharePoint site, the same certificate also got assigned to the Default Web Site and the companyweb Web site. Therefore, you need to reassign the original Web certificate to the Default Web Site.

You can reassign the original Web server certificate back to the Default Web Site as follows:

67.    Remove the current Web server certificate assigned to the Default Web Site.

68.    Import the original Web server certificate back to the Default Web Site.

To remove the current certificate assigned to the Default Web Site

69.    Click Start, and then click Server Management.

70.    In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

71.    Right-click Default Web Site and then click Properties.

72.    On the Directory Security tab, under Secure communications, click Server Certificate.

73.    In the Web Server Certificate Wizard, complete the following:

h.        On the Modify Current Certificate Assignment page, select Remove the current certificate.

i.         Follow the instructions to complete the wizard.

To import the original certificate into the Default Web Site

74.    Click Start, and then click Server Management.

75.    In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

76.    Right-click Default Web Site and then click Properties.

77.    On the Directory Security tab, under Secure communications, click Server Certificate.

78.    In the Web Server Certificate Wizard, complete the following:

j.         On the Server Certificate page, select Assign an existing certificate.

k.        On the Available Certificates page, select Import a certificate from a .pfx file.

l.         On the Import Certificate page, enter the path of the saved .pfx file.

m.      On the Import Certificate Password page, enter the password.

n.        On the SSL Port page, enter port 443 as the SSL port to be used by the Web site.

o.        Follow the instructions to complete the wizard.

Assigning the original certificate to the companyweb Web Site

When you created a new certificate for the SharePoint site, the certificate also got assigned to the companyweb Web site. Therefore, you need to reassign the original Web certificate back to the companyweb Web Site.

You can reassign the original Web server certificate back to the companyweb Web site as follows:

79.    Remove the current Web server certificate assigned to the companyweb Web site.

80.    Import the original Web server certificate back to the companyweb Web site.

To remove the current certificate assigned to the companyweb Web site

81.    Click Start, and then click Server Management.

82.    In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

83.    Right-click companyweb Web Site and then click Properties.

84.    On the Directory Security tab, under Secure communications, click Server Certificate.

85.    In the Web Server Certificate Wizard, complete the following:

p.        On the Modify Current Certificate Assignment page, select Remove the current certificate.

q.        Follow the instructions to complete the wizard.

To import the original certificate to the companyweb Web site

86.    Click Start, and then click Server Management.

87.    In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

88.    Right-click companyweb Web Site and then click Properties.

89.    On the Directory Security tab, under Secure communications, click Server Certificate.

90.    In the Web Server Certificate Wizard, complete the following:

r.         On the Server Certificate page, select Assign an existing certificate.

s.        On the Available Certificates page, select Import a certificate from a .pfx file.

t.         On the Import Certificate page, enter the path of the saved .pfx file.

u.        On the Import Certificate Password page, enter the password.

v.        On the SSL Port page, enter port 444 as the SSL port to be used by the Web site.

w.       Follow the instructions to complete the wizard.

After you have completed assigning the original Web server certificate back to the companyweb Web site, proceed to Step 4b to enable SSL on the Web site.

Step 4b. Enabling SSL on the Web site

After assigning a Web server certificate to your extranet site, you can secure communication to and from the Web server by enabling SSL on the Web site.

To enable SSL on the Web site

91.    Click Start, and then click Server Management.

92.    In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

93.    Right-click the virtual server name (for example, SharePoint Extranet) that you want to configure for anonymous authentication, and then click Properties.

94.    On the Directory Security tab, under Secure communications, click Server Certificate.

95.    In the Web Server Certificate Wizard, complete the following:

x.        On the Server Certificate page, select Assign an existing certificate.

y.        On the Available Certificates page, select the existing Web server certificate that you would like to use for your Web server.

z.        Follow the instructions to complete the wizard.

After enabling SSL on your Web site, proceed to Step 5 to add a SharePoint site to the Web site and to apply a Team Site template.

After the Web site has been created, you need to add a SharePoint site to the Web site. This process is known as “Extending the server” and is accomplished through the Windows SharePoint Services Central Administration page.

After you have successfully converted your Web site to a SharePoint site, you need to apply a SharePoint template to the site. Several templates are available; the Team Site template is ideal for projects requiring team collaboration. This template creates a site for teams to create, organize, and share information quickly and easily. It includes a document library (a place where you can share documents), and basic lists such as Announcements, Events, Contacts, and Quick Links.

To extend the Web site to host a SharePoint site and apply a template

96.    Click Start, click Administrative tools, and then click SharePoint Central Administration.

97.    On the Central Administration page, under Virtual Server Configuration, click Extend or upgrade virtual server.

98.    On the Virtual Server List page, under the Name column, click the Web site name (for example, SharePoint Extranet) on which you want to apply Windows SharePoint Services.

99.    On the Extend Virtual Server page, under Provisioning Options, click Extend and create a content database.

100.On the Extend Virtual Server page, do the following:

aa.     In the Application Pool section, select Use an existing application pool and select DefaultAppPool (NT AUTHORITY\NETWORK SERVICE).

bb.     In the Site Owner section, enter the user name in the User name field, and the e-mail address in the E-mail field, of the person who will manage this SharePoint site. The person responsible for managing the SharePoint site should be a member either of the Domain Admins group or the Domain Power Users group.

cc.     Scroll down to the end of the page, and then click OK.

101.On the Virtual Server Successfully Extended page, click the Web site address.

102.Enter the administrator credentials to access the Web site.

103.On the Template Selection page, from the Template list, select the Team Site template.

After adding a SharePoint site to the Web site, proceed to Step 6 to set up user accounts for external users.

External users are users who have access only to the SharePoint Web site. In order to enable external users to upload documents, add new documents, or modify existing content on the Web site, you must set up user accounts for them on your local network.

Setting up user accounts for external users includes the following:

104.Creating a security group.

105.Adding a new user template.

106.Creating user accounts based on the new template.

107.Denying local logon access to the security group.

108.Deleting folders of external users.

Use information from Table 1 in Step 1 to complete this section.

Step 6a. Creating a security group

Setting up a user account for external users includes creating a security group by using the Add a Security Group Wizard. The security group is then used to add users who will only have permissions to the SharePoint site and will not have access to any other resources on the network.

To create a security group

109.Click Start, and then click Server Management.

110.In the console tree, click Security Groups, and then in the details pane, click Add a Security Group.

111.From the taskpad in the details pane, click Add a Security Group.

112.In the Add a Security Group Wizard, do the following:

dd.     On the Security Group Information page, enter the name (for example, SharePoint External Users) and description of the security group.

ee.     On the Group Membership page, click Next.

ff.       Click Finish.

Step 6b. Adding a new user template

After creating a security group, you need to create a new template that can be used to add user accounts for external users.

To add a new template

113.Click Start, and then click Server Management.

114.In the console tree, click User Templates, and then in the details pane, click Add a Template.

115.In the Add Template Wizard, do the following:

gg.     On the Template Account Information page: for Template name, type a name for the new template (for example, STS External Users Template). For Description, type a description of the user account properties (for example, has access only to the SharePoint site on the Internet). Clear the This template should be the default option in the Add User Wizard check box.

hh.     On the Security Groups page, select the security group that you created in the previous step, and then click Add.

ii.        On the SharePoint Access page, do not choose to assign any roles.

jj.        On the Distribution Group page, do not add the users to any distribution group, and then click Next.

kk.     On the Address Information page, do not enter any information.

ll.        On the Disk Quota page, enter 1 for both Disk space limits in megabytes and Warning level in megabytes.

mm.  Click Finish, and then click Close to close the Add Template Wizard.

Step 6c. Creating user accounts based on the new user template

After creating the new user template, you need to create user accounts for external users. You can create a separate user account for each customer with whom you would like to collaborate on a project. For example, if you are collaborating on a project with three other companies, you might create a separate user account (company1user, company2user, and company3user) for each company.

To create user accounts by using the new template

116.Click Start, and then click Server Management.

117.In the console tree, click Users, and then in the details pane, click Add Multiple Users.

118.In the Add a User Wizard, do the following:

nn.     On the Template Selection page, select the new template (for example, STS External Users Template) that you created in the earlier procedure, “To add a new template.”

oo.     On the User Information page, click Add.

pp.     On the Specify the user information page, enter a user name (for example, company1user) in the First name text box, and clear the E-mail Alias field.

qq.     Repeat the two preceding steps (clicking Add on the User Information page, and then entering the user information) until you have added all the external user accounts, and then click Next.

rr.       On the Set Up Client Computers page, select Do not set up computers at this time.

ss.      Click Finish.

119.In the details pane, for each external user account that you have created, using the new template, do the following:

tt.       Select the user account, and then click Change User Properties from the taskpad.

uu.     On the Member of tab, select the security group (for example, SharePoint Extranet) that you created for external users. In the Primary group section, click Set Primary Group, and then click Apply.

vv.      In the Name column, select Domain Users, and then click Remove.

ww.   In the Remove user from group dialog box, click Yes.

xx.      On the Dial-in tab, under the Remote Access Permissions (Dial-in or VPN) section, select Deny access.

yy.      On the Terminal Services Profile tab, clear the Allow logon to terminal server check box.

zz.      On the Account tab, under the Account expires section, select End of, and then enter the day when the account expires.

aaa.  Click Apply, and then click OK.
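The account settings from Step 6c can be checked afterward against a directory export. The following is an added example, not part of the original document: it parses a constructed LDIF export and flags external accounts that deviate from the steps above. The group name, the group RID 1130, the DNs and the sample records are assumptions; primaryGroupID (513 for Domain Users), memberOf, msNPAllowDialin and accountExpires are standard Active Directory attributes. The Terminal Services logon setting is stored in a binary attribute and is not checked here.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample export in LDIF form; every name and value is made up.
SAMPLE_LDIF = """\
dn: CN=company1user,OU=SBSUsers,DC=wingtiptoys,DC=local
sAMAccountName: company1user
primaryGroupID: 1130
msNPAllowDialin: FALSE
accountExpires: 127489248000000000

dn: CN=company2user,OU=SBSUsers,DC=wingtiptoys,DC=local
sAMAccountName: company2user
memberOf: CN=SharePoint External Users,OU=Security Groups,DC=wingtiptoys,DC=local
primaryGroupID: 513
accountExpires: 9223372036854775807

dn: CN=company3user,OU=SBSUsers,DC=wingtiptoys,DC=local
sAMAccountName: company3user
memberOf: CN=Domain Users,CN=Users,
 DC=wingtiptoys,DC=local
memberOf: CN=Mobile Users,OU=Security Groups,DC=wingtiptoys,DC=local
primaryGroupID: 1130
msNPAllowDialin: FALSE
accountExpires: 127489248000000000
"""

DOMAIN_USERS_RID = 513                     # well-known RID of Domain Users
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}    # both values mean "never" in accountExpires


def parse_ldif(text):
    """Return one {attribute: [values]} dict per record; handles folded lines."""
    records, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:           # folded line continues the value
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():                        # blank line closes the record
            if current:
                records.append(current)
            current, last = {}, None
            continue
        if raw.startswith("#") or ":" not in raw:
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        current.setdefault(last, []).append(value.lstrip(": ").strip())
    return records


def cn_of(dn):
    """First CN component of a distinguished name (escaped commas allowed)."""
    match = re.match(r"CN=((?:\\.|[^,])+)", dn, re.IGNORECASE)
    return match.group(1) if match else dn


def expiry_date(filetime):
    """accountExpires counts 100 ns ticks since 1601-01-01 UTC; None means never."""
    if filetime in NEVER_EXPIRES:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def audit_account(rec, group_cn, group_rid):
    """Compare one account with the Step 6c settings; return a list of findings."""
    findings = []
    # memberOf never lists the primary group, so both attributes must be read.
    groups = [cn_of(g) for g in rec.get("memberof", [])]
    primary = int(rec.get("primarygroupid", [str(DOMAIN_USERS_RID)])[0])
    if primary != group_rid:
        findings.append("primary group is not the external users group")
    if primary == DOMAIN_USERS_RID or "domain users" in (g.lower() for g in groups):
        findings.append("still a member of Domain Users")
    extra = [g for g in groups if g.lower() not in (group_cn.lower(), "domain users")]
    if extra:
        findings.append("extra group memberships: " + ", ".join(sorted(extra)))
    if rec.get("msnpallowdialin", [""])[0].upper() != "FALSE":
        findings.append("dial-in/VPN access is not set to Deny access")
    if expiry_date(int(rec.get("accountexpires", ["0"])[0])) is None:
        findings.append("account never expires")
    return findings


def audit(ldif_text, group_cn, group_rid):
    """Audit every record in the export (assumed to hold only external accounts)."""
    return {rec["samaccountname"][0]: audit_account(rec, group_cn, group_rid)
            for rec in parse_ldif(ldif_text) if "samaccountname" in rec}


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_LDIF, "SharePoint External Users", 1130).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

An account whose primary group was changed but that was never removed from Domain Users shows Domain Users in memberOf, which is why the check reads both attributes.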

Step 6d. Denying local logon access

SharePoint external users should be allowed access only to the SharePoint site, but at this point they can use the user accounts created in the preceding procedure to log on to any computer on the local network. You must set a Group Policy to prevent users that are members of the security group you created (for example, SharePoint Extranet) from logging on locally to the network. To do so, apply the “Deny log on locally” Group Policy setting to the security group. This ensures that members of this group have access only to the SharePoint site and cannot log on to any computer on the local network.

Complete the following procedure to apply the “Deny log on locally” Group Policy setting for the user accounts created for external users.

To deny local logon access

120.Click Start, click Administrative Tools, and then click Server Management.

121.In the console tree, double-click Advanced Management, double-click Group Policy Management, double-click Forest: forestname, double-click Domains, double-click domainname, and then double-click My Business.

122.Right-click Computers and then click Create and Link a GPO Here.

123.In the New GPO dialog box, in the Name box, type the name that you want to use for this policy (for example, Logon access denial), and then click OK.

124.In the details pane, right-click the newly created Group Policy object (GPO), and then click Edit.

125.In Group Policy Object Editor, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click User Rights Assignment.

126.In the details pane, right-click Deny log on locally, and then click Properties.

127.In the Deny log on locally dialog box, select Define these policy settings, and then click Add User or Group.

128.In the Add User or Group dialog box, add the security group that you created.

129.Click Start, click Run, and then type cmd. At the command prompt, type gpupdate /force to update Group Policy.
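The result of Step 6d can be confirmed by reading the policy back. The following is an added example, not part of the original document: it parses text in the security-template INF format (the format of a GPO's GptTmpl.inf file), where "Deny log on locally" is stored as SeDenyInteractiveLogonRight, and reports whether the external users group is listed. The SID, domain name and group name are constructed assumptions.

```python
# Constructed sample in security-template INF format; the SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1130
"""


def privilege_rights(inf_text):
    """Map each right in [Privilege Rights] (lower-cased) to its list of entries."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):       # skip blanks and INF comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # Entries are SIDs prefixed with "*" or plain account names.
            rights[name.strip().lower()] = [
                v.strip().lstrip("*") for v in value.split(",") if v.strip()
            ]
    return rights


def _matches(entry, group_sid, group_name):
    """True if an entry names the group by SID, by name, or by DOMAIN\\name."""
    entry, name = entry.lower(), group_name.lower()
    return entry == group_sid.lower() or entry == name or entry.endswith("\\" + name)


def check_deny_local_logon(inf_text, group_sid, group_name):
    """Report whether the group is covered by 'Deny log on locally'.

    status is one of:
      "not defined"               - the setting is absent from the template
      "defined without the group" - the setting exists but omits the group
      "denied"                    - the group is listed
    """
    rights = privilege_rights(inf_text)
    deny = rights.get("sedenyinteractivelogonright")
    if deny is None:
        status = "not defined"
    elif any(_matches(e, group_sid, group_name) for e in deny):
        status = "denied"
    else:
        status = "defined without the group"
    # A group that is also granted "Log on locally" points to a confused policy.
    granted = any(_matches(e, group_sid, group_name)
                  for e in rights.get("seinteractivelogonright", []))
    return {"status": status, "also_granted_log_on_locally": granted}


if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1130"
    print(check_deny_local_logon(SAMPLE_INF, sid, "SharePoint External Users"))
```

Because the GPO in this procedure is linked to the Computers organizational unit, the setting applies only to computers in that organizational unit.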

Step 6e. Deleting folders of external users

Because the external users do not have access to them, you need to delete the folders that were created for the external users' accounts under Users Shared Folders. The location of Users Shared Folders is specified during Windows Small Business Server 2003 Setup. If the location is not specified during Setup, it is located at %systemdrive%\Users Shared Folders.

You need to configure site settings for accessing the SharePoint site based on whether the user is an anonymous user or an authenticated user. An anonymous user does not have a Windows Small Business Server 2003 server account on the server (for example, Web site visitors); an authenticated user does.

The process for configuring access to the SharePoint site varies, depending on how you want visitors to use the site. You can configure settings so that all users have to be authenticated in order to access the SharePoint site. In addition, you can configure settings so that any user can browse the Web site (such as a business card Web site) without providing any credentials.

You can enable access to the SharePoint site as follows:

130.Enable anonymous users to access the SharePoint site

131.Enable authenticated users to access the SharePoint site

Step 7a. Enabling Anonymous User Access to the SharePoint Site

You need to complete this step only if you want to allow unauthenticated users to visit the Web site; otherwise, proceed to Step 7b to enable authenticated users to access the SharePoint site.

Enabling an anonymous user to access the SharePoint site includes the following steps:

132.Enabling anonymous user access to the extranet Web site.

133.Enabling anonymous user access to the SharePoint site.

Step 7a-1. Enabling anonymous user access to the extranet Web site

In this step, the Web server is configured for anonymous authentication to allow for unauthenticated users to access the newly created SharePoint Web site. Anonymous authentication provides access to users (for example, Web site visitors) who do not have Windows Small Business Server 2003 server accounts on the server.

Use information from Table 1 in Step 1 to complete this section.

To configure the Web server to allow access to an anonymous user

134.Click Start, and then click Server Management.

135.In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

136.Right-click the Web site name (for example, SharePoint Extranet) that you want to configure for anonymous authentication, and then click Properties.

137.On the Directory Security tab, under Authentication and access control, click Edit.

138.Select Enable anonymous access, and then click OK.

139.Click Apply, and then click OK.

Step 7a-2. Enabling anonymous user access to the SharePoint Web site

In this step, you configure the settings of the SharePoint Web site to allow access for unauthenticated users.

To configure the SharePoint site to allow access for an anonymous user

140.Click Start, and then click Server Management.

141.In the console tree, double-click Advanced Server Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

142.Right-click the Web site name (for example, SharePoint Extranet) that you want to configure for anonymous user access, and then click Browse.

143.In the details pane, enter administrator credentials to open the Home page of the Web site.

144.At the top of the Home page, click Site Settings.

145.On the Site Settings page, under the Administration section, click Go to Site Administration.

146.On the Top-level Site Administration page, under the Users and Permissions section, click Manage anonymous access.

147.On the Change Anonymous Access Settings: Team Web Site page, under the Anonymous Access section, select Entire Web site to allow anonymous users to visit this Web site.

After enabling anonymous user access to the Web site, proceed to Step 7b to enable authenticated user access to the SharePoint site.

Step 7b. Enabling Authenticated Users to Access the SharePoint Site

In this step, you set user permissions to access the SharePoint site. To allow users to upload, edit, or delete documents on the site, you must set permissions for authenticated users. You can set permissions on a SharePoint site by using site groups.

Site groups let you specify which of your users can perform specific actions on your site. For example, a user who is a member of the Contributor site group can add content to Windows SharePoint Services lists, such as the Task list, or to a document library.

SharePoint Services enables you to assign users to the following site groups:

·         Reader Has read-only access to the Web site.

·         Contributor Can add content to the existing document libraries and lists.

·         Web Designer Can create lists and document libraries and customize pages on the Web site.

·         Administrator Has full control of the Web site.

You can either assign different permissions to each authenticated user by making the users members of different site groups, or you can collectively assign all authenticated users the same permissions by making all of them members of the Contributor site group.

Note

If you enable both anonymous and authenticated user access on the SharePoint site, a Sign In button appears in the top right corner of your SharePoint site and enables authenticated users to contribute to the Web site based on their site group memberships.

If you enable only authenticated user access on the SharePoint site, all users are prompted for credentials in order to access the SharePoint site.


Step 7b-1. Assigning authenticated users to different site groups

If you want to assign different permissions to the authenticated users that access the SharePoint site, you can do so by using site groups. For example, if you want one external user and one internal user to be an administrator for the SharePoint site, you can assign them both to the Administrator site group. Based on the permission requirements of the various authenticated users (such as Reader, Contributor, Web Designer, or Administrator), you can assign the users to appropriate site groups.

To assign a user to a site group

148.Click Start, and then click Server Management.

149.In the console tree, double-click Advanced Server Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

150.Right-click the Web site name (for example, SharePoint Extranet) that you want to configure for authenticated user access, and then click Browse.

151.In the details pane, enter administrator credentials to open the Home page of the Web site.

152.At the top of the Home page, click Site Settings.

153.On the Site Settings page, under the Administration section, click Manage Users.

154.On the Manage Users page, click Add Users.

155.On the Add Users page, do the following:

bbb.  In the Choose Users section, enter the user name (for example, Domain\Username).

ccc.  In the Choose Site Groups section, select the site group (Reader, Contributor, Web Designer, or Administrator) that you want the user to belong to, and then click Next.

ddd.  In the Send E-mail section, clear the Send the following e-mail to let the users know that they have been added check box if the user is an external user who belongs to the security group created earlier. This is because external users are not assigned any e-mail accounts.

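156.Repeat the sub-steps of the preceding step (choosing the user, selecting the site group, and setting the e-mail option) if you want to assign a user to a different site group.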

An authenticated user can belong to more than one site group. If you want all authenticated users to also belong to the Contributor site group so that they can add content to the existing document libraries and lists, proceed to Step 7b-2; otherwise, proceed to Step 8.

Step 7b-2. Assigning all authenticated users to the same site group

Complete this step only if you want all authenticated users to be able to add content to the existing document libraries and lists; otherwise, proceed to Step 8 to configure the site to be accessed from the intranet.

If you require all authenticated users to be contributors, you could assign them to the Contributor site group by using the following procedure.

To configure the SharePoint site to allow all authenticated users to be contributors

157.Click Start, and then click Server Management.

158.In the console tree, double-click Advanced Server Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

159.Right-click the Web site name (for example, SharePoint Extranet) that you want to configure for authenticated user access, and then click Browse.

160.In the details pane, enter administrator credentials to open the Home page of the Web site.

161.At the top of the Home page, click Site Settings.

162.On the Site Settings page, under the Administration section, click Go to Site Administration.

163.On the Top-level Site Administration page, under the Users and Permissions section, click Manage anonymous access.

164.On the Change Anonymous Access Settings: Team Web Site page, under the All Authenticated Users section, select Yes to allow all authenticated users to access the site. Select Contributor from the drop-down menu to allow write access for all authenticated users.

At this point, internal users can access the SharePoint site only from the Internet. This step allows users to access the SharePoint site from the local network as well. Accessing the Web site from the intranet allows users to consume less Internet bandwidth.

165.Create a CNAME resource record.

166.Define a host header.

Use information from Table 1 in Step 1 to complete this section.

Step 8a. Creating a CNAME resource record

In this step, you create a CNAME record on your DNS server that points to the (A) resource record of the computer running Windows Small Business Server.

To create a CNAME resource record

167.Click Start, click Administrative Tools, and then click DNS.

168.In the DNS console tree, double-click <servername>, double-click Forward Lookup Zones, right-click <domainname>, and then click New Alias (CNAME).

169.In the New Resource Record dialog box, under Alias name, enter the name with which you want to access the site from within the intranet (for example http://extranet). Under fully qualified domain name (FQDN) for target host, type the fully qualified domain name of the DNS host computer (in this case, the computer running Windows Small Business Server for which this alias is to be used). This name is identical to the information in the Data field for Companyweb on the DNS records page.

Step 8b. Defining a host header

In this step, you define the host header name (for example, http://extranet) that internal domain users can use to access the SharePoint Web site within the local network.

To define a host header

170.Click Start, and then click Server Management.

171.In the console tree, double-click Advanced Management, double-click Internet Information Services, double-click <servername>, and then double-click Web Sites.

172.Right-click the Web site name (for example, SharePoint Extranet), and then click Properties.

173.On the Web site tab, do the following:

eee.  Click Advanced next to the IP address box.

fff.     In the Advanced Web Site Identification dialog box, click Add.

ggg.  In the Add/Edit Web Site Identification dialog box, for IP address, select the internal IP address of the local network adapter. In the case of one network adapter/with SSL configuration type, select the additional IP address of the local network adapter. For Port, enter 80, and for Host Header value, enter the name (for example, http://extranet) with which you would like to access the SharePoint site from the intranet. This host header value should be identical to the Alias name you entered to access the site from within the intranet when creating a CNAME resource record in Step 8a.

See the following resources for further information:

·         For more information about Windows SharePoint Services, visit Microsoft SharePoint Products and Technologies: Technical Overview at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=19723).

·         For more information about DNS, visit DNS at Microsoft.com (http://go.microsoft.com/fwlink/?LinkId=19725).

·         For an overview about IIS 6.0, visit Technical Overview of Internet Information Services (IIS) 6.0 at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=19726).

·         For the latest information about Windows Small Business Server 2003, see the Windows Small Business Server 2003 Web site (http://go.microsoft.com/fwlink/?LinkId=17117).