Problem publishing SharePoint via SSL RRS feed

  • Question

  • I am simulating a UAG array install for a client in my home lab. The setup is as follows:

    Servers and related hosts are all running in a virtual environment on 2008 Hyper-V R2
    All servers are running 2008 R2
    I have 3 networks defined and have verified routing and connectivity on all networks (Internal, Extranet, External)

    I am publishing an internal SharePoint and an Extranet SharePoint server to the external network via UAG (each belong to a unique AD domain). I have created a wildcard CSR and issued a certificate via an intermediate CA server on my internal network. I completed the cert request on the primary UAG server, then exported the cert to a file and imported the cert on the second UAG server in the array. UAG accepts the certificates and I have verified the certificates in the browser of a WIN7 pc in the external network when connecting to UAG.

    Now here is the issue. Using separate http trunks I can publish both SharePoint sites via UAG, use single sign on to access SharePoint servers through UAG, each SharePoint server being in a different and separate AD Domain. Everything works great until I publish the same servers via SSL. Once I delete the http trunks and create https trunks, then recreate the applications for each trunk, I am able to log on to the UAG server but when I launch the app I get a connection timed out for the SharePoint resource. The only difference is https, I enter all other information EXACTLY the same as on the http trunks.

    I have created AAM mappings on the SharePoint servers and I modify them accordingly when I make the change to https. I am using the following format for both http and https trunks and applications when publishing.

    Internal SharePoint

    Trunk - uag.somecompanyname.com
    App   - spoint.somecompanyname.com

    Extranet SharePoint

    Trunk - extra.somecompanyname.com
    App   - clientsp.somecompanyname.com

    Anyone got any suggestions as to what I am doing wrong here or where best to begin troubleshooting this insanity?

    Regards,
    Sunday, March 14, 2010 7:12 PM

Answers

  • It would appear that something is blocking traffic on port 443 from the UAG to the SPS servers - could be TMG, or something on the backend servers. Try connecting to these two servers from the UAG server itself, and see if you are able to connect. I'm assuming your intention is to have the backend servers remain as HTTP servers, and have clients connect to UAG with HTTPS, and have it bridge to HTTP - that is how most companies do it. If so, make sure you haven't set the UAG App to try to connect to the backend servers on 443 instead.
    Ben Ari
    Microsoft CSS IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Thursday, March 18, 2010 11:21 PM
    Thursday, March 18, 2010 11:21 PM
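    One way to run the check Ben suggests from the UAG server itself, as an added example that is not part of the thread: it tries a plain TCP connect to each published backend on 80 and 443 and reports whether the port answered, refused, or timed out. The hostnames are the ones from the question; the 3-second timeout is an assumption, and only .NET sockets are used so it runs on the 2008 R2 / PowerShell 2.0 hosts described.

```powershell
# Added diagnostic (not from the thread). Run on the UAG server.
# Backend hostnames are from the question; timeout is an assumption.
$backends  = @('spoint.somecompanyname.com', 'clientsp.somecompanyname.com')
$ports     = @(80, 443)
$timeoutMs = 3000

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No SYN/ACK within the window: typically a filter (TMG, firewall) in the path.
            return 'timeout (filtered?)'
        }
        # Throws on RST (nothing listening on that port) or other socket errors.
        $client.EndConnect($async)
        return 'open'
    } catch {
        return 'refused/error: ' + $_.Exception.Message
    } finally {
        $client.Close()
    }
}

foreach ($h in $backends) {
    foreach ($p in $ports) {
        $result = Test-TcpPort -HostName $h -Port $p -TimeoutMs $timeoutMs
        '{0,-32} {1,4}  {2}' -f $h, $p, $result
    }
}
```

If 80 is open but 443 times out or is refused, the backend is still HTTP-only and the UAG application should bridge to port 80, not 443; a timeout on both points at something in the path rather than at the SharePoint bindings.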

All replies

  • I am running into a similar problem publishing our internal SharePoint 2010 site externally through UAG 2010. Like Ben mentioned in his post above, we want the backend SharePoint servers to remain as HTTP servers and have the clients route to the UAG server via HTTPS, then have it redirect over to the SharePoint server.

    The UAG server is currently sitting behind a firewall and has two NICs configured. One IP is configured with an IP from our DMZ subnet and the other is configured with an IP from our server subnet. There is a NAT rule in place on the firewall to translate a public IP to the DMZ IP. I've set up an HTTPS trunk called SharePoint using port 443 and the DMZ IP address. The configuration on the SharePoint Application lists the internal hostname of our SharePoint server under the Web tab and under the Portal Link tab, the application URL is configured for https://sharepoint.company.com.

    Is there a trick to publishing a SharePoint site if both the external name and internal name are the same?

    My WAN IP (DMZ IP) is not routable via the Internet and I'm wondering if I need to have a public IP configured for that WAN NIC.

    Thanks!

    Tuesday, August 10, 2010 1:17 AM