Further UAG SharePoint 2007 questions

  • Question

  • After struggling with AAM I have now managed to publish SharePoint 2007 through UAG. However, I'm not convinced that everything is well:

    1. I am still being prompted for my user credentials, even though SSO has been specified.

    2. Any endpoint policies that I set (i.e. if I set the download policy to 'Never') are not used (i.e. I can download documents with no problems).

    What could I be doing wrong? It's almost as if the traffic isn't being directed through the UAG at all and the SharePoint site is just being accessed normally (although the UAG frames are still present).

    Thursday, May 6, 2010 3:59 PM

Answers

  • Try like this.   Both the trunk url and the external sharepoint url should point to the same external IP/port.   In sharepoint AAM you want the sharepoint to know the difference between someone accessing it internally (not thru UAG) and someone accessing thru UAG, so in the former it will leave the server name alone, but in the latter case will translate everything to https://dallas.contoso.com for you:

     

    UAG Machine
    Name: ibiza.contoso.com (irrelevant)
    IP addresses: 10.1.1.5 int / 39.1.1.5 ext
    HTTPS trunk public host name: uag.contoso.com
    SharePoint app address: dallas (or ip or any other name that gets you to the right place)
    SharePoint app HTTP port: 81
    SharePoint app public host name: dallas.contoso.com

    Sharepoint app hostheader: dallasfromuag (or maybe dallasfromuag:81 can't remember without trying)
    SharePoint app application URL: https://dallas.contoso.com

    SharePoint Machine
    Name: dallas.contoso.com
    IP address: 10.1.1.6 / 172.16.0.100
    SharePoint AAM settings:
        http://dallas:81                          Default      http://dallas:81
        https://dallas.contoso.com    Internet    https://dallas.contoso.com
        http://dallasfromuag:81       Internet    https://dallas.contoso.com

    Client Machine
    Name: client.contoso.com
    IP address: 39.1.1.9 / 172.16.0.101
    Hosts file entries:
        39.1.1.5           uag.contoso.com
        39.1.1.5     dallas.contoso.com

    • Marked as answer by Erez Benari Wednesday, May 19, 2010 11:34 PM
    Wednesday, May 19, 2010 3:50 PM

All replies

  • Maybe your external DNS?   If you have a portal and you have one MOSS 2007 app defined, then you'll have 2 external names, that both map to the same IP in public dns.   One for the portal url itself, and one for the public sharepoint url.   If you forgot to modify the 2nd external dns record for MOSS and that name already existed in public dns and there was a way to MOSS not thru UAG, then that would explain it.

    Try opening MOSS in a new window so it's not wrapped in a frame and you can see exactly what url is being asked for.

    Thursday, May 6, 2010 6:41 PM
  • I think that may be the issue but I'm not sure how to resolve it. My setup is as follows:

    UAG Machine
    Name: ibiza.contoso.com
    IP addresses: 10.1.1.5 / 39.1.1.5
    HTTPS trunk public host name: uag.contoso.com
    SharePoint app address: dallas.contoso.com
    SharePoint app HTTP port: 81
    SharePoint app public host name: dallas.contoso.com
    SharePoint app application URL: https://dallas.contoso.com:444

    SharePoint Machine
    Name: dallas.contoso.com
    IP address: 10.1.1.6 / 172.16.0.100
    SharePoint AAM settings:
        http://dallas:81                          Default      http://dallas:81
        https://dallas.contoso.com:444    Internet    https://dallas.contoso.com:444
        http://dallas.contoso.com:81       Internet    https://dallas.contoso.com:444

    Client Machine
    Name: client.contoso.com
    IP address: 39.1.1.9 / 172.16.0.101
    Hosts file entries:
        39.1.1.5           uag.contoso.com
        172.16.0.100    dallas.contoso.com

    This means that there is a way to SharePoint from the client (https://dallas.contoso.com:444) so from what you are saying, this appears to be the problem. However, if I remove the dallas.contoso.com entry from the hosts file, the address is no longer resolvable and clicking on the SharePoint link from within the UAG results in a 'The page cannot be displayed' error.

    Friday, May 7, 2010 10:51 AM
  • Surely this is not correct on your Client machine:

    39.1.1.5           uag.contoso.com
    172.16.0.100    dallas.contoso.com

    IMHO this is what it should look like:

    39.1.1.5    uag.contoso.com
    39.1.1.5    dallas.contoso.com

    additionally, remove the 172.16.x.y IP address from your client...there is no way an Internet client should be on the same subnet as your Intranet...all traffic must pass thru UAG on its external interface

    Also remove 172.16.x.y from your Sharepoint box

     

    Friday, May 7, 2010 12:10 PM
  • I did try that at first but because dallas.contoso.com doesn't resolve from Client, all I get is a 'The page cannot be displayed' error. Do you have any more suggestions about how to overcome this?

    By the way, just to clarify about the 172.16.x.y addresses, they have only been included for testing purposes - if this was a live system then this would be changed.

    Friday, May 7, 2010 1:03 PM
  • In your example...

    • Internet subnet is: 39.1.1.x
    • Intranet subnet is: 10.1.1.x
    • UAG will have external IP on 39.1.1.x and internal on 10.1.1.x
    • you do not need the 172.16.x.y IP's anywhere, that is why you are getting your problems. Remove 172.16.x.y from client and sharepoint

    On the client computer change HOSTS file to:

    • 39.1.1.5    uag.contoso.com
    • 39.1.1.5    dallas.contoso.com

    Further UAG TCPIP settings:

    • Default Gateway must only exist on the External network card
    • DNS client settings must only exist on the Internal network card, and point to your DNS server...do you have an AD box? it is not mentioned...how does UAG resolve the dallas.contoso.com name to an IP address?

    Then, have you published your Sharepoint Application correctly? Since your internal and external namespaces are identical, I recommend you delete your existing Trunk MOSS application and start again using this guide: http://technet.microsoft.com/en-us/library/dd861445.aspx#ConfigFFUAGSettings

    Then - to simplify things, use the default ports...HTTP=80, HTTPS=443

     Look forward to your feedback

     

    Friday, May 7, 2010 1:15 PM
  • Thanks for your assistance. I've made progress but I can't get the last step right. My setup is now:

    UAG Machine
    Name: ibiza.contoso.com
    IP addresses: 10.1.1.5 / 39.1.1.5
    HTTPS trunk public host name: uag.contoso.com
    SharePoint app address: dallas.contoso.com
    SharePoint app HTTP port: 81
    SharePoint app public host name: sharepoint.contoso.com
    SharePoint app application URL: https://sharepoint.contoso.com:444
    Hosts file entry:
        10.1.1.6           sharepoint.contoso.com

    SharePoint / AD / Exchange Machine
    Name: dallas.contoso.com
    IP address: 10.1.1.6
    SharePoint AAM settings:
        http://dallas:81                                Default      http://dallas:81
        http://sharepoint.contoso.com:81      Internet     https://sharepoint.contoso.com:444
        https://sharepoint.contoso.com:444   Internet     https://sharepoint.contoso.com:444

    Client Machine
    Name: client.contoso.com
    IP address: 39.1.1.9
    Hosts file entries:
        39.1.1.5           uag.contoso.com
        39.1.1.5           sharepoint.contoso.com

    Note that I have changed the SharePoint public host name from dallas.contoso.com to sharepoint.contoso.com (to avoid confusion), and got rid of any 172.16.x.y IPs. Also, sorry for not saying before but my AD and Exchange Server also reside on Dallas (the SharePoint box). Therefore I have to use non-standard ports 81 and 444 for SharePoint since 80 and 443 are already in use.

    However, I am still getting 'The page cannot be displayed' when accessing SharePoint through the UAG on Client. Can you spot anything else that is wrong?

    Friday, May 7, 2010 3:04 PM
  • OK, so the next step is to further isolate problem area.

     Also, what are you typing into your Client's browser when you get the error?

     

     

    Friday, May 7, 2010 5:38 PM
  • Hi S.Kwan. Thanks for taking the time out to help me. In answer to your questions:

    • Dallas - http://sharepoint.contoso.com:81 and https://sharepoint.contoso.com:444 both result in 'The page cannot be displayed' on Dallas (presumably because sharepoint.contoso.com is not in Hosts - should it be?)
    • UAG - The FQDN for dallas.contoso.com can be resolved on the UAG machine. However, nslookup on sharepoint.contoso.com results in a 'Non-existent domain'.
    • UAG - http://sharepoint.contoso.com:81 and https://sharepoint.contoso.com:444 both correctly open up SharePoint from a browser on the UAG machine (http://sharepoint.contoso.com:81 actually redirects to https://sharepoint.contoso.com:444 ).
    • Client - I don't try to directly access Sharepoint from a Client browser (although trying the URLs you suggest result in a failure for all) - I go through the UAG. The status bar shows that the URL that it attempts to follow is https://sharepoint.contoso.com:444 .
    Monday, May 10, 2010 10:10 AM
  • So you've proved that UAG can connect to and display the MOSS website correctly.

    Therefore config issue exists somewhere in UAG itself.

    Lets review your UAG config then:

    • HTTPS trunk public host name: uag.contoso.com
    • what port is your trunk listening on?
    • what ip address is your trunk on?

    Then your MOSS app:

    • Open your web server tab:
    • what address do you have?
    • what path do you have?
    • what http port ?
    • what https port?
    Monday, May 10, 2010 3:13 PM
  • Thanks. My settings are displayed below:

    UAG
    IP address: 39.1.1.5
    HTTPS trunk public host name: uag.contoso.com
    HTTPS Port: 443

    MOSS App (Web Servers tab)
    Address: dallas.contoso.com
    Paths: /
    HTTP Port: 81
    HTTPS Port: 444 (this is currently greyed out - although I have tried this instead of HTTP Port)
    Public host name: sharepoint.contoso.com

    MOSS App (Portal Link tab)
    Application URL: https://sharepoint.contoso.com:444

    Monday, May 10, 2010 3:32 PM
  • Have you tried this:

    MOSS App (Portal Link tab)
    Application URL: http://sharepoint.contoso.com:81

    and just out of curiosity...

    on Dallas - add sharepoint.contoso.com to the HOSTS file

    test again...

    Then...

    So these are the 3 different virtual environments I have in front of me:

    • company lab test environment
    • classroom test environment
    • a Microsoft IAG DVD demo environment (where the original names come from ibiza, dallas, etc)

    I have tweaked my configuration to be identical to yours and all 3 work 100%.

    Unfortunately I cannot duplicate your problem.

    Next suggestions:

    1. Perhaps some of the other gurus on this forum can spot something we didn't
    2. Remove UAG completely, reinstall it, reconfigure it, apply UAG Update 1

     

    Tuesday, May 11, 2010 11:59 AM
  • Unfortunately your latest suggestions still result in the same error. Can I ask, in the environment which you set up using the Microsoft IAG DVD demo environment, did you have to make any more changes other than the ones mentioned above (i.e. IIS settings, etc)? And presumably you used a UAG in place of the IAG? I can't understand why you've managed to get it working but I can't.

    Many thanks for all your efforts anyway. I appreciate you taking the time out to help me even if we didn't manage to solve the problem.

    Is there anything that anyone else can suggest? Are there any tools that you can recommend to let me identify what is going on where? Is there anything I should look out for in the UAG's Event Viewer?

    Tuesday, May 11, 2010 12:25 PM
  • In the first 2 labs I have UAG. Last one is still IAG. All 3 work.

    I did no further tweaks.

    Have you looked at the UAG Monitor to see what sessions are being established?

     

    Tuesday, May 11, 2010 12:47 PM
  • I am using the MS IAG lab but have replaced the old Ibiza IAG machine with a new Win2k8 R2 UAG machine (which I also called Ibiza to keep the same naming convention). So that's my only difference to your setup.

    The UAG Event Viewer shows 'Session Started' (when visiting UAG), 'Application Accessed' (for the Portal), 'User Added To Session' (again on initial logon) and then 'Successful Login'. Clicking my SharePoint app results in no further events being fired.

    Tuesday, May 11, 2010 1:06 PM
  • It might sound like a silly question, but did you remove the old reference to Ibiza from AD, then join the new Ibiza to the domain?

    Also remember, if we are using those same VHD images, they expired some time in 2007 - you need to set back your hosts and child partitions clocks.

    Just btw...the old images were VPC based, while your new one is a WS08R2 Hyper-V image...how are you running your virtual environment then?

    Tuesday, May 11, 2010 7:18 PM
  • I didn't remove the old reference but I used all the same credentials (i.e. IP, etc) so assumed this would be ok (MMC is crashing every time I try to do this so I can't give it a go). I have OWA working with no problems. As for the VHD images, I upgraded the evaluation OS's to full versions (therefore, I didn't need to change clocks, etc). I also changed the VPC images to Hyper-V images in order to run my environment.

    I have actually just tried to publish SharePoint on my old VPC network (with IAG) and this failed as well. In your tests with this environment, did you upgrade your IAG to SP2? I believe that this SP introduced the AAM style of SharePoint publishing (in applications it is the non "backwards-compatible" option). Did you also use the non-standard ports from my example? Did you need to change anything in IIS? And did you ensure that you only had one SharePoint application in your trunk?

    Wednesday, May 12, 2010 1:56 PM
  • So is your Ibiza part of the domain or not? Did you actually add your new UAG VM to the domain? If not, please delete the AD object (Ibiza) and add the new Ibiza to the domain so that the correct internal machine trust relationship can be established.

    I have about 6 different MOSS apps running at the same time on the same trunk.

    Thursday, May 13, 2010 5:48 AM
  • I've now tried that but unfortunately I still haven't had any success. I'm surprised that the brick wall that I'm hitting my head against hasn't collapsed yet :-)

    Has anyone else got any suggestions for me to try?

    Thursday, May 13, 2010 10:15 AM
  • Just found this on: http://technet.microsoft.com/en-us/library/dd772157.aspx#BKMK_Publishing

    "When creating trunks and publishing applications, using non-standard ports is not supported; servers must listen on port 80 for HTTP, and port 443 for HTTPS"

    • Proposed as answer by D Wind Thursday, May 20, 2010 12:39 PM
    Thursday, May 20, 2010 12:39 PM
  • Mark, you're a star. Thank you very much - issue resolved. And thanks to you S.Kwan as well for all your help. Much appreciated.
    Friday, May 21, 2010 9:00 AM
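As an added example (not part of the original thread, and not UAG's or SharePoint's own tooling), the Python script below models the rules the accepted answer and the TechNet note arrive at, and runs them over the three configurations posted above: the public host name of the SharePoint app must resolve on the client to the UAG external IP (otherwise the browser reaches SharePoint directly and SSO and endpoint policies never apply), the app's Application URL must use the same IP and port the HTTPS trunk listens on, the URL that arrives at SharePoint from UAG needs an AAM entry whose public URL is the app's public URL, and backend ports other than 80/443 are unsupported. The `host_header` field, the assumption that UAG sends the app's public host name as the Host header when no separate host header is configured, and the finding codes are all mine; the IPs, names, ports and AAM rows are copied from the posts.

```python
"""Lint a UAG trunk + SharePoint 2007 AAM publishing setup (added example).

Rules modelled from the thread: (1) the app's public name must resolve on the
client to the UAG external IP; (2) the Application URL must use the trunk's
IP/port; (3) the URL arriving from UAG needs an AAM entry whose public URL is
the Application URL; (4) backend ports other than 80/443 are unsupported.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_url(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port), filling in the scheme's default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, p.hostname.lower(), p.port or DEFAULT_PORTS[scheme]


def normalize(url: str) -> str:
    scheme, host, port = parse_url(url)
    return f"{scheme}://{host}:{port}"


@dataclass
class Trunk:
    external_ip: str   # IP the HTTPS trunk listens on
    public_host: str   # HTTPS trunk public host name
    port: int = 443


@dataclass
class SharePointApp:
    address: str       # Web Servers tab: backend address
    http_port: int     # Web Servers tab: HTTP port
    public_host: str   # public host name of the app
    app_url: str       # Portal Link tab: Application URL
    # Host header UAG sends to the backend; assumed (not confirmed) = public_host when unset
    host_header: Optional[str] = None


AamTable = List[Tuple[str, str, str]]   # rows of (internal URL, zone, public URL)


def lint(trunk: Trunk, app: SharePointApp, aam: AamTable,
         client_hosts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the setup passes."""
    findings = []
    scheme, url_host, url_port = parse_url(app.app_url)

    # 1. Where does the client's browser actually go for the Application URL?
    ip = client_hosts.get(url_host)
    if ip is None:
        findings.append(("UNRESOLVABLE", f"{url_host} does not resolve on the client"))
    elif ip != trunk.external_ip:
        findings.append(("BYPASS", f"{url_host} -> {ip}, not UAG {trunk.external_ip}; "
                         "SSO and endpoint policies cannot apply to traffic UAG never sees"))

    # 2. Only the trunk listens on the UAG external IP, so the port must match it.
    if scheme != "https" or url_port != trunk.port:
        findings.append(("PORT_MISMATCH", f"{app.app_url} targets port {url_port}, but the "
                         f"trunk on {trunk.external_ip} listens on {trunk.port}"))

    # 3. AAM must translate what arrives from UAG back into the public URL.
    incoming = normalize(f"http://{app.host_header or app.public_host}:{app.http_port}")
    mapped = {normalize(internal): normalize(public) for internal, _zone, public in aam}
    want = normalize(app.app_url)
    if incoming not in mapped:
        findings.append(("AAM_MISSING", f"no AAM entry for {incoming}"))
    elif mapped[incoming] != want:
        findings.append(("AAM_WRONG", f"{incoming} maps to {mapped[incoming]}, expected {want}"))

    # 4. Non-standard backend port (TechNet: servers must listen on 80 / 443).
    if app.http_port not in DEFAULT_PORTS.values():
        findings.append(("UNSUPPORTED_PORT", f"backend listens on {app.http_port}, not 80/443"))
    return findings


# Constructed from the three configurations posted in the thread.
TRUNK = Trunk(external_ip="39.1.1.5", public_host="uag.contoso.com", port=443)

FIRST_ATTEMPT = dict(   # client hosts file still points dallas.contoso.com at SharePoint
    app=SharePointApp("dallas.contoso.com", 81, "dallas.contoso.com",
                      "https://dallas.contoso.com:444"),
    aam=[("http://dallas:81", "Default", "http://dallas:81"),
         ("https://dallas.contoso.com:444", "Internet", "https://dallas.contoso.com:444"),
         ("http://dallas.contoso.com:81", "Internet", "https://dallas.contoso.com:444")],
    hosts={"uag.contoso.com": "39.1.1.5", "dallas.contoso.com": "172.16.0.100"},
)
SECOND_ATTEMPT = dict(  # name now resolves to UAG, but the Application URL uses port 444
    app=SharePointApp("dallas.contoso.com", 81, "sharepoint.contoso.com",
                      "https://sharepoint.contoso.com:444"),
    aam=[("http://dallas:81", "Default", "http://dallas:81"),
         ("http://sharepoint.contoso.com:81", "Internet", "https://sharepoint.contoso.com:444"),
         ("https://sharepoint.contoso.com:444", "Internet", "https://sharepoint.contoso.com:444")],
    hosts={"uag.contoso.com": "39.1.1.5", "sharepoint.contoso.com": "39.1.1.5"},
)
ACCEPTED_ANSWER = dict( # trunk and Application URL share 39.1.1.5:443; own host header for AAM
    app=SharePointApp("dallas", 81, "dallas.contoso.com", "https://dallas.contoso.com",
                      host_header="dallasfromuag"),
    aam=[("http://dallas:81", "Default", "http://dallas:81"),
         ("https://dallas.contoso.com", "Internet", "https://dallas.contoso.com"),
         ("http://dallasfromuag:81", "Internet", "https://dallas.contoso.com")],
    hosts={"uag.contoso.com": "39.1.1.5", "dallas.contoso.com": "39.1.1.5"},
)


def codes(config: dict) -> List[str]:
    """Finding codes for one of the configurations above."""
    return [c for c, _ in lint(TRUNK, config["app"], config["aam"], config["hosts"])]


if __name__ == "__main__":
    for name, cfg in [("first attempt", FIRST_ATTEMPT), ("second attempt", SECOND_ATTEMPT),
                      ("accepted answer", ACCEPTED_ANSWER)]:
        print(name)
        for code, msg in lint(TRUNK, cfg["app"], cfg["aam"], cfg["hosts"]):
            print(f"  {code}: {msg}")
```

Running it reproduces the thread's progression: the first attempt is flagged BYPASS (the hosts entry sends the browser straight to 172.16.0.100, which is why SSO prompts and the download policy appeared to be ignored) and PORT_MISMATCH; the second attempt clears BYPASS but still targets 39.1.1.5:444 where nothing listens, hence 'The page cannot be displayed'; the accepted answer passes everything except the backend port 81 warning, which is the TechNet caveat the last reply points out.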