Deployment and Operations Guide
Version 1.0
If you are using this documentation solely for non-commercial purposes internally within YOUR
company or organization, then this documentation is licensed to you under the Creative Commons
Attribution-NonCommercial License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543
Howard Street, 5th Floor, San Francisco, California, 94105, USA.
This documentation is provided to you for informational purposes only, and is provided to you
entirely "AS IS". Your use of the documentation cannot be understood as substituting for
customized service and information that might be developed by Microsoft Corporation for a
particular user based upon that user’s particular environment. To the extent permitted by law,
MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND
STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE
IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.
Microsoft may have patents, patent applications, trademarks, or other intellectual property rights
covering subject matter within this documentation. Except as provided in a separate agreement
from Microsoft, your use of this document does not give you any license to these patents,
trademarks or other intellectual property.
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.
Microsoft, Active Directory, Forefront, Internet Explorer, SharePoint, SQL Server, and Windows are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
You have no obligation to give Microsoft any suggestions, comments or other feedback
("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft
then you provide to Microsoft, without charge, the right to use, share and commercialize your
Feedback in any way and for any purpose. You also give to third parties, without charge, any
patent rights needed for their products, technologies and services to use or interface with any
specific parts of a Microsoft software or service that includes the Feedback. You will not give
Feedback that is subject to a license that requires Microsoft to license its software or
documentation to third parties because we include your Feedback in them.
Solution Accelerators
microsoft.com/technet/SolutionAccelerators
4 External Collaboration Toolkit for SharePoint
Audience
This solution is intended for organizations whose users need to collaborate with
various people outside the organization such as partners, contractors, clients,
customers, and so on. Although the ECTS and Windows SharePoint Services
provide strong external collaboration capabilities, companies that have highly
complex collaboration needs, or need very high levels of security may not have
their specific needs met by the ECTS.
Choosing a Collaboration Solution provides guidance to help you determine
if SharePoint Products and Technologies and the ECTS are well suited to your
specific situation.
The following figure shows the basic logical diagram of the solution.
[Figure not reproduced. Components shown: firewall; internal user; external user; extranet server; AD DS for internal users; ADAM for external users; SQL Server with shared content.]
ECTS allows users to create a new site collection either with or without
administrator approval. This streamlines the process of creating new collaboration
sites, and gets users collaborating quickly. The ECTS provides the following
components that enable this capability:
• Create Site Collection. This Web Part allows an approved user either to create a
new site collection (if workflow is not enabled), or request that a new site be
created.
• Site Collection Manager. This Web Part shows an internal user all of the sites
that they currently own. The user can navigate to one of the sites listed or
delete the site.
• Site Collection Approval (optional). This Web Part gives an administrator the
option to approve or deny site collection creation requests.
Additional Features
The ECTS also provides some additional features that help make using and
administering the system easier. These features include:
• Configuration Utility. This Web Part allows administrators to modify how the
software works. Settings that can be changed include the SMTP host, mail
sender account, workflow for site creation and user creation, and so forth.
• Update My Account Information. Provides self-service profile update
functionality.
• Forgotten password reset. Provides functionality to help external users who
have forgotten their passwords.
• Forms-based authentication. Lets external users authenticate using a logon
form.
• Gather profile information at first logon. Directs external users to a Web page
to input profile information.
Installation Overview
The process of installing the ECTS is relatively straightforward. The installation
process generally involves the following steps:
• Prepare the environment. Before you begin the installation process, gather the
data you’ll need, confirm that your environment meets the solution
prerequisites, and complete a few pre-installation steps.
• Install required software. Next, you install the software that the solution
requires.
• Configure Windows SharePoint Services. This phase of the installation process
involves configuring the Windows SharePoint Services environment.
• Install ECTS. Finally, you install the ECTS software.
Required Data
There are a number of decisions that you can make before you begin that will help
streamline the installation process. Record the decisions you make about the
following items before you begin installing:
• Internal URL. This is the URL for the extranet server that internal users will use.
Depending on your typical DNS naming conventions, this might be a fully
qualified domain name (FQDN). For example, you might choose http://collab or
http://collab.corp.treyresearch.net depending on your naming convention. This
name will be served by your internal DNS servers.
• External URL. This is the URL for the extranet server that external users will
access. This must be a FQDN such as http://collab.extranet.treyresearch.net.
This name will be served by your external DNS provider.
• ADAM host name. This is the internal FQDN of the ADAM server. This name will
be used for the Secure Sockets Layer (SSL) certificate.
• SQL Server name. For a SQL Server Express installation, this will be
host\SQLEXPRESS, where host is the short name of the host on which
SQL Server is installed. If you use a different version of SQL Server, this name
could be different.
• Internal e-mail server name. You need the name of your internal e-mail server
because the ECTS software will use this e-mail server to send messages to
users of the system. Make sure the e-mail server that you use can relay
messages to users outside your organization.
• E-mail sender address. You will need to choose an e-mail address to use to
send e-mail from the ECTS system. This can be any e-mail address, such as
sharepoint@treyresearch.net. Generally speaking, this address does not need
to handle incoming mail, so any valid e-mail address should work.
• LDAP container name. This is the container that will be used to store the users
in the ADAM directory. This name can be any valid container name, but we
recommend using something in this form:
CN=ExternalUsers,DC=domain_component,DC=domain_component
For example, for the domain treyresearch.net we recommend using
CN=ExternalUsers,DC=treyresearch,DC=net.
• LDAP port number. This is the port number on which the ADAM server will
listen for unencrypted connections. Under normal circumstances you can
accept the default of 389. If you choose to use a different port number, it must
be higher than 1024 and lower than 65536, and not already be in use.
• LDAPS port number. This is the port number on which the ADAM server will
listen for SSL encrypted connections. Under normal circumstances you can
accept the default of 636. If you choose to use a different port number, it must
be higher than 1024 and lower than 65536, and not already be in use.
• Port number for the SharePoint Central Administration server. When you install
the SharePoint Central Administration server, you can specify a port number
for it to use. If you don’t specify a port number, SharePoint will randomly
choose one for you. Choose a port number that is higher than 1024 and lower
than 65536, preferably one that is easy to remember. You will need to be able to
access this port from your internal network, but should not be able to access it
from the Internet.
Appendix B, “Required Data for Installation,” of this document provides a form that
you can use to record the required data that you will use during the installation
process.
Prerequisites
Before you begin to install the solution, ensure that you:
• Install Windows Server 2003 R2 SP2 on the server that will host your extranet
collaboration environment (the extranet server).
• Deploy the extranet server in the appropriate location on your network,
preferably in the perimeter network.
• Join the extranet server to your enterprise AD DS domain.
• Install and configure an internal e-mail server and ensure that all internal users
who will use the ECTS have a valid e-mail address.
• Configure your firewalls to allow:
• HTTP and HTTPS traffic from the internal network to the extranet server.
• HTTPS traffic from the Internet to the extranet server.
• SharePoint Central Administration traffic from the internal network to the
extranet server.
• Active Directory traffic from the extranet server to the Active Directory
server.
Note In a test environment, it is reasonable to open all TCP and UDP ports
from the extranet server to the Active Directory server. In a production
environment, limit traffic on the firewall to the specific ports that are needed.
For the specific ports that should be opened on your firewall, see How to
configure a firewall for domains and trusts.
• E-mail traffic from the extranet server to the internal e-mail server.
Pre-installation Steps
Before you can install and set up the solution, you must first prepare the
environment. This process involves the following steps.
Install Certificate
If you are using your own Microsoft CA, follow these instructions to get a
certificate for the ADAM server. If your certificate comes from another channel,
follow the instructions provided by that source.
First, you may need to modify your firewall rules to allow HTTP (port 80) traffic
from the extranet server to the CA server inside your organization. This traffic is
only required to get the certificate; after you have obtained the certificate, you can
disable this communication.
From the extranet server, use Microsoft Internet Explorer® to access the
certification service on the domain controller at http://domain_controller/certsrv,
where domain_controller is the name of the domain controller running the
certification authority.
To install a certificate on the extranet server:
1. Under Select a Task, click Request a certificate.
2. On the Request a Certificate page, click advanced certificate request.
3. On the next page, click Create and submit a request to this CA.
4. On the next page, under Certificate Template, click Web Server. Under
Identifying information for Offline Template, in the Name field, type the FQDN
of the extranet server. Fill out the rest of the fields in this section as
appropriate.
5. Under Key Options, click Create a new key set. For CSP, click Microsoft RSA
SChannel Cryptographic Provider. In the Key Size text box, type 1024. Click
Automatic key container name, and then select the Store certificate in the local
computer certificate store check box.
6. Under Additional Options, for Request Format, click PKCS10, in the Friendly
Name text box, type a name, such as ADAM Certificate and then click Submit. If
a Potential Scripting Violation warning appears, click Yes.
7. On the Certificate Issued page, click Install this Certificate, and then, if a
Potential Scripting Violation warning appears, click Yes.
At this point you can update your firewall rules to disallow HTTP communication
between the extranet server and the CA server; it will no longer be necessary.
To verify that the certificate was installed, you can use Microsoft Management
Console (MMC) with the Certificates snap-in to look at the local computer
certificates. Expand Certificates, expand Personal, and expand Certificates to find
the certificate you just installed. Or you can run the following command from the
command line to see the certificate:
certutil -store my
Install ADAM
Next, you will need to install ADAM on the extranet server. ADAM should be
available on your server in Add or Remove Programs under Windows Components
(look under Active Directory Services), or you can get the latest version on the
Microsoft Download Center. Follow the instructions and accept all the defaults for
the ADAM installation. Do not create an ADAM instance at this point; you will do so
later in the setup process.
To begin the setup process, open a Command Prompt window and change to the
SharePoint bin directory:
cd "%CommonProgramFiles%\microsoft shared\web server extensions\12\bin"
From there, run the following command, where SQL_Server is the name of the SQL
Server you created earlier (for example, TREY-SP-01\SQLEXPRESS):
psconfig -cmd configdb -create -server SQL_Server
This will create the SharePoint configuration databases that Windows SharePoint
Services will use.
Next, you need to create the Central Administration server. To do so, use the
following command, where port is the port number for the Central Administration
server that you recorded with your Required Data:
psconfig -cmd adminvs -provision -port port
Set Up E-mail
Now that you have created the Central Administration server, you can use it to
complete the configuration of Windows SharePoint Services. To access the server,
click Start, point to Administrative Tools, and then click SharePoint 3.0 Central
Administration, or use Internet Explorer to access http://host_name:port, where
host_name is the host name of the extranet server and port is the port number for
the Central Administration server that you recorded with your Required Data. The
first thing to configure inside Windows SharePoint Services is outgoing e-mail.
To configure outgoing e-mail:
1. In Central Administration, under Administrator Tasks, click Outgoing e-mail
settings.
2. In the Action area, click Configure Outgoing E-Mail Settings.
3. On the Outgoing E-Mail Settings page, fill in the form using the information
that you recorded with your Required Data. In the Outbound SMTP server text
box, type the internal e-mail server name. In the From address text box, type
the e-mail sender address. You can opt to provide a Reply-to address in the
appropriate box, then click OK to finish.
At this point, SharePoint should be able to send e-mail to internal and external
users.
Client Integration
With forms-based authentication, client integration is disabled by default. The main
impact of having client integration disabled is that documents cannot be saved
directly to the SharePoint site from within a client application. Instead, the user
must save the document locally then upload it to the site.
There might be workarounds available that you could use to make some client
integration features work with forms-based authentication. However, these
workarounds might be inadequate, or you may experience unexpected issues with
them. Microsoft does not support such workarounds. If you plan to use client
integration with forms-based authentication, you must fully test any solutions or
workarounds to determine if the performance and functionality are acceptable in
your environment.
For more information about forms-based authentication and client integration, see
Configure forms-based authentication (Office SharePoint Server).
Install ECTS
The External Collaboration Toolkit for SharePoint is distributed as a Windows
Installer package (MSI) that contains the setup utilities and binaries for the
solution. Running this MSI (called ECTS.msi) copies these files to your system, but
does not automatically install or configure the software.
After the software is installed, you have two options for setting up the software: to
use the Setup Wizard or run the installation scripts manually. This section
describes both methods.
Whichever method you choose, the first step is to install the ECTS.msi on the
extranet server. To do this, log on to the extranet server as the local administrator,
then either double-click the ECTS.msi file, or run msiexec -i ECTS.msi from the
command line. By default, this will copy all the necessary files into a folder called
External Collaboration Toolkit under My Documents. The installer will give you the
option to select which features you want to install on the server. You should
generally install all the features. After you copy the binaries to the extranet server,
you still must set up the ADAM user store for external users, configure SQL
Server, and install the SharePoint extensions. You can either use the Setup Wizard
to perform these tasks, or do them manually.
Set Up Manually
You can choose to run the installation scripts manually, which this section
describes. Note that you perform the manual setup in the following order: ADAM,
SQL Server, then Windows SharePoint Services. Also note that you should log on
as either local administrator (preferred) or domain administrator before you begin
the setup process.
To run the ECTS SharePoint setup script, use the following command:
cscript ects_setup_sharepoint.vbs ADAMhost container SQL_Server internalURL SMTPHost mailfrom LDAPS_port
where ADAMhost is the server hosting the ADAM instance, container is the base
container for the LDAP instance, SQL_Server is the appropriate SQL Server
instance, internalURL is the URL for the internal SharePoint site, SMTPHost is the
internal e-mail host name that SharePoint should use, mailfrom is the e-mail
address from which the mail should come, and LDAPS_port is the port on which
ADAM listens for SSL encrypted connections. You recorded all of this information
with your Required Data.
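The guide notes later that a mistake in the Required Data is the most likely cause of setup errors. The following Python script is an added example (it is not code from the guide or from the toolkit) that serves both the Required Data list in the Installation Overview and this manual setup step: it checks the recorded values against the rules the guide states (the documented defaults of 389 and 636 are accepted, any other port must satisfy 1024 < port < 65536, the external URL and the ADAM host must be FQDNs, the container is a DN of the form CN=ExternalUsers,DC=...,DC=...) and then emits the psconfig and cscript command lines in the argument order the guide documents. The class and function names, the FQDN check and every sample value (host names, the Central Administration port 18080) are this example's own constructions; only the command names and argument order come from the guide. Whether a port is already in use cannot be checked offline and is not checked.

```python
"""Check the ECTS Required Data and build the manual setup command lines.

Added example, not part of the toolkit or the guide. All sample values
are constructed; treyresearch.net is the guide's own fictitious domain.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# At least two dotted labels of letters, digits and hyphens. Deliberately simple:
# it only has to catch a short host name where the guide requires a FQDN.
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)
DEFAULT_LDAP_PORT = 389
DEFAULT_LDAPS_PORT = 636


def container_dn(domain: str, cn: str = "ExternalUsers") -> str:
    """Build the recommended ADAM container DN from a DNS domain name."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("domain name is empty")
    return "CN=%s,%s" % (cn, ",".join("DC=%s" % label for label in labels))


def port_ok(port: int, default: Optional[int] = None) -> bool:
    """Guide rule: the documented default is fine; anything else needs 1024 < port < 65536."""
    if default is not None and port == default:
        return True
    return 1024 < port < 65536


def host_of(url: str) -> str:
    """Strip scheme, port and path from a URL, leaving the host name."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].split(":")[0]


@dataclass
class RequiredData:
    internal_url: str   # may be a short name such as http://collab
    external_url: str   # must be a FQDN
    adam_host: str      # internal FQDN of the ADAM server (also the SSL certificate name)
    sql_server: str     # for SQL Server Express: host\SQLEXPRESS
    smtp_host: str
    mail_from: str
    container: str
    admin_port: int     # Central Administration port; no default, SharePoint would pick one
    ldap_port: int = DEFAULT_LDAP_PORT
    ldaps_port: int = DEFAULT_LDAPS_PORT

    def problems(self) -> List[str]:
        """Return rule violations; an empty list means the data is usable."""
        out = []
        if not FQDN_RE.match(host_of(self.external_url)):
            out.append("external URL host %r is not a FQDN" % host_of(self.external_url))
        if not FQDN_RE.match(self.adam_host):
            out.append("ADAM host %r is not a FQDN" % self.adam_host)
        if not port_ok(self.ldap_port, DEFAULT_LDAP_PORT):
            out.append("LDAP port %d is neither the default nor in 1025-65535" % self.ldap_port)
        if not port_ok(self.ldaps_port, DEFAULT_LDAPS_PORT):
            out.append("LDAPS port %d is neither the default nor in 1025-65535" % self.ldaps_port)
        if not port_ok(self.admin_port):
            out.append("Central Administration port %d is not in 1025-65535" % self.admin_port)
        if len({self.ldap_port, self.ldaps_port, self.admin_port}) != 3:
            out.append("LDAP, LDAPS and Central Administration ports must all differ")
        if not re.match(r"^CN=[^,]+(,DC=[^,]+){2,}$", self.container, re.I):
            out.append("container %r is not of the form CN=...,DC=...,DC=..." % self.container)
        if not re.match(r"^[^@\s]+@[^@\s]+\.[^@\s]+$", self.mail_from):
            out.append("mail sender %r is not an e-mail address" % self.mail_from)
        return out

    def setup_commands(self) -> List[str]:
        """The manual-setup command lines from the guide, filled in from the recorded data."""
        issues = self.problems()
        if issues:
            raise ValueError("fix the Required Data first: " + "; ".join(issues))
        return [
            'cd "%CommonProgramFiles%\\microsoft shared\\web server extensions\\12\\bin"',
            "psconfig -cmd configdb -create -server " + self.sql_server,
            "psconfig -cmd adminvs -provision -port %d" % self.admin_port,
            # Documented argument order:
            # ADAMhost container SQL_Server internalURL SMTPHost mailfrom LDAPS_port.
            # The DN is quoted defensively so the commas in it stay inside one argument.
            'cscript ects_setup_sharepoint.vbs %s "%s" %s %s %s %s %d' % (
                self.adam_host, self.container, self.sql_server, self.internal_url,
                self.smtp_host, self.mail_from, self.ldaps_port),
        ]


# Constructed sample values modelled on the guide's own examples.
SAMPLE = RequiredData(
    internal_url="http://collab.corp.treyresearch.net",
    external_url="http://collab.extranet.treyresearch.net",
    adam_host="trey-sp-01.corp.treyresearch.net",
    sql_server="TREY-SP-01\\SQLEXPRESS",
    smtp_host="mail.corp.treyresearch.net",
    mail_from="sharepoint@treyresearch.net",
    container=container_dn("treyresearch.net"),
    admin_port=18080,
)

if __name__ == "__main__":
    for problem in SAMPLE.problems():
        print("PROBLEM:", problem)
    for line in SAMPLE.setup_commands():
        print(line)
```

Run it once with your own values before typing anything on the extranet server; if problems() reports anything, correct the recorded data rather than the generated command, because the same values feed the Central Administration settings in the next section.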
This script:
• Creates a customized Windows SharePoint Services feature and packages it as
a Windows SharePoint solution file.
• Installs ECTSBase.wsp and ECTSSolution.wsp.
• Deploys these solutions to the front-end Web servers.
• Activates all the features in these solutions.
Note When ECTSBase.wsp is activated, the solution makes all the required
changes to the web.config files for both the internal and external sites.
• Adds all Web Parts to the appropriate Web Parts gallery.
After the ECTS is installed and basic configuration is complete, you can verify that
Windows SharePoint Services is working as expected.
Verify Installation
Following setup, you can take steps to verify that basic things are working as
expected. For example, you should be able to see a basic SharePoint site by
accessing your internal URL from a browser on your internal network. If you
attempt to access the external URL from an external browser, you should see a
forms-based authentication page (assuming your firewall is configured as
expected).
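The following Python helper is an added example, not code from the guide or the toolkit, that turns this verification step into a repeatable check over captured HTTP responses. It classifies each response and flags the two outcomes that matter on the perimeter: the external URL challenging for Windows credentials instead of showing the forms-based logon page, or serving a page with no logon at all. The response shapes it recognises (an HTTP 401 carrying NTLM or Negotiate for Windows authentication, a redirect to login.aspx or a page containing a password field for forms-based authentication) and the assumption that the internal site may answer with a Windows authentication challenge before showing the site are this example's own; all sample responses are constructed, not captured from a deployment.

```python
"""Classify probe responses from the ECTS internal and external URLs.

Added example, not part of the toolkit or the guide. The response shapes
assumed here and the sample responses are constructed.
"""
from typing import Dict, List, Tuple

Probe = Tuple[int, Dict[str, str], str]   # (HTTP status, response headers, body)


def classify(status: int, headers: Dict[str, str], body: str = "") -> str:
    """Map one HTTP response to a coarse label."""
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("www-authenticate", "")
    if status == 401 and ("NTLM" in auth or "Negotiate" in auth):
        return "windows-auth-challenge"          # integrated Windows authentication
    if status == 401:
        return "other-auth-challenge"
    if status in (301, 302, 303, 307) and "login.aspx" in h.get("location", "").lower():
        return "forms-auth-login"                # redirect to the forms logon page (assumed shape)
    low = body.lower()
    if status == 200 and "<form" in low and 'type="password"' in low:
        return "forms-auth-login"                # logon form served inline
    if status == 200:
        return "site-page"
    if status >= 500:
        return "server-error"
    return "unexpected"


# What the guide's verification step expects from each URL. The internal site is
# allowed to challenge for Windows credentials first (an assumption of this example).
EXPECTED = {
    "internal": {"site-page", "windows-auth-challenge"},
    "external": {"forms-auth-login"},
}


def verify(probes: Dict[str, Probe]) -> List[str]:
    """Return findings; an empty list means both URLs behave as the guide describes."""
    findings = []
    for site, (status, headers, body) in probes.items():
        label = classify(status, headers, body)
        if label in EXPECTED[site]:
            continue
        if site == "external" and label == "windows-auth-challenge":
            findings.append("external URL challenges for Windows credentials; "
                            "forms-based authentication is not in effect on the external site")
        elif site == "external" and label == "site-page":
            findings.append("external URL served a page without requiring logon; "
                            "the guide expects a forms-based authentication page here")
        elif label == "server-error":
            findings.append("%s URL returned HTTP %d; re-check the Required Data used for setup"
                            % (site, status))
        else:
            findings.append("%s URL returned %s (HTTP %d)" % (site, label, status))
    return findings


# Constructed sample: a deployment that matches the guide's description.
GOOD = {
    "internal": (401, {"WWW-Authenticate": "NTLM"}, ""),
    "external": (302, {"Location": "/_layouts/login.aspx?ReturnUrl=%2fdefault.aspx"}, ""),
}
# Constructed sample: the external site is still using Windows authentication.
BAD = {
    "internal": (200, {"Content-Type": "text/html"}, "<html>Team Site</html>"),
    "external": (401, {"WWW-Authenticate": "Negotiate"}, ""),
}

if __name__ == "__main__":
    print("good deployment:", verify(GOOD) or "OK")
    print("bad deployment:", verify(BAD))
```

Feed it the status, headers and body you observe from a browser or HTTP client on each side of the firewall; the external probe must be made from outside the perimeter, since an internal client would not exercise the firewall rules the guide asks you to confirm.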
If you encounter errors, the most likely cause is a mistake in entering the Required
Data used to set up SharePoint. If you feel that you might have entered some of the
Required Data incorrectly, you can use the undeploysolution.cmd script to remove
the ECTS software so you can try again. You can find this script in the installation
folder (typically My Documents\External Collaboration Toolkit).
To run the undeploysolution.cmd script, use the following command:
undeploysolution.cmd internalURL
Where internalURL is the URL for the internal SharePoint site. Running this
command will remove all traces of the ECTS from your SharePoint environment.
Internet Information Services. Note that you need a certificate only for the
external Web site.
Server Hardening
Before allowing external users to connect to your collaboration server, we strongly
recommend that you use the Security Configuration Wizard (SCW) to ensure that
non-essential functionality is turned off on your collaboration server. This will help
to reduce the attack surface of your server when it is connected to the Internet. For
information about how to install and run this tool, see the SCW Quick Start
Guide on the Microsoft Download Center.
For more information about hardening your Windows Server 2003-based system,
see the Windows Server 2003 Security Guide.
Next Steps
After the software is installed and configured, you need to make the Web Parts
available, set up the security for the site, and configure how the ECTS works.
These topics are covered in the next chapter of this document.
Configure ECTS
The following actions must be performed to configure the ECTS:
• Create SharePoint groups for administrative functions
• Add the Configuration Utility Web Part
• Use the Configuration Utility to configure ECTS
• Create the ECTS Management page
• Add management Web Parts to the ECTS Management page
• Create the ECTS Home page
After the groups are created, users or groups from the organization’s Active
Directory domain should be added as members to the appropriate SharePoint
groups.
• Email Source Address. The value entered in this field will display as the From:
address for all e-mail sent from the different components of the solution.
• SMTP Host. This is the e-mail server through which all e-mail will be sent.
Enter either the short computer name, for example, woodgrovemain, or the
computer's fully qualified domain name, for example,
woodgrovemain.corp.woodgrove.com.
Administrative Operations
The following procedures describe the operational processes for site collection
creation and user account creation and management.
• Delete User. This removes the user from the ADAM store, which makes it
impossible for the user to log on. The user will also be removed from any site
to which they were granted permissions.
Note Deleting a user from a SharePoint site does not affect the user account in
ADAM. If there is any chance that the user will be given access to the same site or
to a different site in the future, remove the account at the SharePoint level instead
of deleting the account from ADAM.
• Enable/Disable User. The option presented is relative to the current state of the
user in ADAM. If the user is enabled, they could be disabled and vice versa.
Disabling a user is a less permanent way to remove a user’s access to the
collaboration Web sites to which they have been given permission. Toggling
between disable and enable does not change the user’s permissions on any
collaboration site.
• Reset Password. If a user forgets their password and self-service password
reset is not enabled, you can use this function to reset their password in
ADAM. Click Reset Password to have a new password randomly generated and
displayed on the page. The help desk personnel or other user administrators
should have a standard secure process by which to relay the new password to
the external user.
• Modify Profile. Profile information stored for the external user includes the
person’s full name, telephone number, and the external company with which
they are affiliated. The Modify action allows the administrator to change these
attributes of the user’s profile.
Using Sub-sites
If some content on your site will be viewed or modified by every user, but you want
to create different collaboration areas, you can create a subsite under the site you
already created. For example, you might have a large project team and want to
have one subsite for developers and another for marketing personnel. To create a
subsite, go to an existing site and use the Site Actions menu, click Create, then
click Sites and Workspaces.
In either case, you can immediately establish the permissions that the user will
have on your site when their account is registered and you have given them the
password they will need to log on.
External URL
Acknowledgments
The Solution Accelerators – Security and Compliance (SA-SC) team would like to
acknowledge and thank the group of people who produced the External
Collaboration Toolkit for SharePoint. The following individuals were either directly
responsible or made a substantial contribution to the writing, development, and
testing of this solution.
Developers
• David Mowers, Securitay Inc.
• Jeffrey Hamblin, Securitay Inc.
Editor
• Jennifer Kerns, Wadeware LLC
Reviewers
• Michel Audet, George Weston Limited
• Yung Chou, Microsoft
• Mirek Glowacki, George Weston Limited
• Josh Hjelmstad, St. Cloud State University
• Robert Hoover, Microsoft
• Vik Kolli, Microsoft
• Uri Lichtenfeld, Microsoft
• Noelle Mendez-Villamil, Microsoft
• Tony Muniz, Microsoft
• Tony Noblett, Socair Solutions Inc.
• Henry Ong
• Sanjay Pandit, Microsoft
• Catherine Read, Socair Solutions Inc.
• Elton Tucker, Microsoft