Publish SharePoint 2013 Farm to External Through NetScaler as Reverse Proxy

    Question

  • Environment

    SharePoint 2013 with SP1 and CU Jan 2017

    Load balancer with NetScaler with 3 front ends

    Now we need to externalize the environment. We have imported the certificate in NetScaler and configured for https 443. Do we need to do the same thing from the SharePoint servers, meaning do we have to import the certificate in the SharePoint front-end IIS also? In specific, do we have to configure AAM for the internet zone?

    Internal communication should be with http 80.

    Please advise

    Wednesday, April 19, 2017 4:33 PM

Answers

  • Never use port 80. Always SSL (tcp/443). There is no reason today to be using plain-text protocols. For publishing, no, you shouldn't have to do anything on the SharePoint side except switch to using SSL with a trusted certificate.

    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Marked as answer by Gopakumar0 Wednesday, April 19, 2017 5:37 PM
    Wednesday, April 19, 2017 5:24 PM
    Moderator

All replies

  • Thanks for the quick reply. We have done the configuration with https on NetScaler. Nothing was done from the SharePoint side; we will test the environment. Believe all calls within SharePoint should work fine while accessing from external. Will test.
    Wednesday, April 19, 2017 5:36 PM
  • Sorry, just want to confirm something that we plan to configure. Need advice.

    Configured from the NetScaler side, but when accessed from external some of the content is not loading.

    We are enabling offload on NetScaler, http to https. On SharePoint we are planning to do nothing. Or do we have to import the certificate to SharePoint Central Admin -> Security -> Trust -> Public certificate?

    Saw on the Citrix site that we may need to configure a rewrite rule so that SharePoint will understand the conversion happening on the NetScaler side. Need advice on the same. Please advise.

    Thanks & Regards

    Gops


    • Edited by Gopakumar0 Friday, April 28, 2017 2:40 PM
    Friday, April 28, 2017 5:52 AM
  • Offloading of SSL is a significant security risk; I would suggest SSL Bridging instead. It provides the benefit of SSL offloading, that is, session setup time, with none of the security risks. As SSL offloading is not a CPU performance issue (any modern Intel or AMD CPU has special instructions specifically for handling SSL) nor has it been for many years, the only advantage of using SSL Offloading or better yet, Bridging, is that session setup time.

    Trevor Seward


    Friday, April 28, 2017 5:29 PM
    Moderator
  • SSL Bridging means the intermediate NetScaler will not do any processing, right? Encryption/decryption, etc.

    SharePoint should do all SSL-related processing, right? Offloading means NetScaler will do the SSL processing so that the SharePoint servers' performance should be increased.

    Am not sure. Kindly guide me. Appreciate it if you can guide me with the best practice document (step-by-step document) for enabling SSL on SharePoint 2013 using Citrix NetScaler.

    Google search brought up the links below

    https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-sharepoint-2013-with-citrix-netscaler.pdf

    http://c7solutions.com/2013/12/configuring-citrix-netscaler-for-sharepoint-ssl-offloading


    Thanks & Regards

    Gops

    Friday, April 28, 2017 7:44 PM
  • Bridging means the client's SSL session terminates at the reverse proxy, while the RP has an encrypted session already set up with the service endpoint (SharePoint). If capable, the RP can do inspection prior to re-encrypting the traffic to the target.

    SSL Offloading is where SharePoint listens on HTTP 80 only with no encryption.


    Trevor Seward


    Friday, April 28, 2017 7:48 PM
    Moderator
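
The offloading versus re-encryption distinction discussed in this thread can be audited from the load balancer's configuration. The following is an added example, not part of the original thread and not Citrix tooling: a Python script that reads `ns.conf`-style lines and reports which SSL virtual servers forward to plaintext HTTP services and which keep the back-end leg encrypted. The configuration lines, names, and addresses are constructed, and service groups are assumed not to be in use.

```python
import shlex

# Constructed sample in ns.conf syntax; names and addresses are made up.
SAMPLE_CONF = """\
add service svc_sp_http_1 10.0.0.11 HTTP 80
add service svc_sp_ssl_1 10.0.0.11 SSL 443
add lb vserver vs_sp_offload SSL 203.0.113.10 443
add lb vserver vs_sp_reencrypt SSL 203.0.113.11 443
add lb vserver vs_sp_plain HTTP 203.0.113.12 80
bind lb vserver vs_sp_offload svc_sp_http_1
bind lb vserver vs_sp_reencrypt svc_sp_ssl_1
bind lb vserver vs_sp_plain svc_sp_http_1
"""

# Protocol types that carry TLS on the wire. SSL_BRIDGE passes the client's
# TLS session through to the back end without decrypting it on the appliance.
ENCRYPTED = {"SSL", "SSL_TCP", "SSL_BRIDGE"}


def classify_vservers(conf_text):
    """Map each lb vserver name to how traffic travels on each side of the proxy."""
    services, vservers, binds = {}, {}, {}
    for line in conf_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["add", "service"] and len(tok) >= 5:
            services[tok[2]] = tok[4].upper()       # service name -> protocol
        elif tok[:3] == ["add", "lb", "vserver"] and len(tok) >= 5:
            vservers[tok[3]] = tok[4].upper()       # vserver name -> protocol
        elif tok[:3] == ["bind", "lb", "vserver"] and len(tok) >= 5:
            binds.setdefault(tok[3], []).append(tok[4])

    result = {}
    for name, front in vservers.items():
        # Ignore bindings that are not services (policies, for example).
        back = [services[s] for s in binds.get(name, []) if s in services]
        if front not in ENCRYPTED:
            result[name] = "plaintext-client-side"
        elif not back:
            result[name] = "no-service-bound"
        elif all(p in ENCRYPTED for p in back):
            result[name] = "encrypted-to-backend"
        else:
            # One plaintext member is enough to expose traffic internally.
            result[name] = "offload-plaintext-to-backend"
    return result


if __name__ == "__main__":
    for vserver, verdict in sorted(classify_vservers(SAMPLE_CONF).items()):
        print(f"{vserver}: {verdict}")
```
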