نمایش نتایج: از شماره 1 تا 3 از مجموع 3

موضوع: What every SharePoint administrator needs to know about Alternate Access Mappings

  
  1. #1
    نام حقيقي: 1234

    مدیر بازنشسته
    تاریخ عضویت
    Jul 2009
    محل سکونت
    5678
    نوشته
    5,634
    سپاسگزاری شده
    2513
    سپاسگزاری کرده
    272

    What every SharePoint administrator needs to know about Alternate Access Mappings

    کد:
    http://blogs.msdn.com/sharepoint/archive/2007/03/06/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-1.aspx

    PART-1


    Hi folks, this is Troy Starr again from the Windows SharePoint Services Test team. Today I'd like to talk about one of the most powerful, but often one of the least understood, features in Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. That feature is called Alternate Access Mappings. Around here, we just call it "AAM" for short.
    At the most basic level, AAM tells SharePoint how to map web requests (for example, browsing to the homepage of a SharePoint site) to the correct web application and site so that SharePoint can serve the correct content back to you. It then tells SharePoint what URL the users should be taken to as they interact with SharePoint.
    Seems simple enough, doesn’t it? Those of you who are familiar with developing web applications in Internet Information Services may be wondering right now why we need such a feature since IIS can tell you what the URL of an incoming web request is. The major reason we need this is that there are common Internet deployment scenarios where the URL of a web request received by IIS is not the same URL that the end user entered. These are most common in reverse proxy publishing and load balancing scenarios.
    How is this possible? Let's consider a reverse proxy scenario. A reverse proxy is a device that sits between end users and your web server. All requests to your web server are first received by the reverse proxy device, and if those requests pass the proxy's security filtering, the proxy will forward the requests on to your web server. Reverse proxies can perform advanced functionality such as receiving a web request over the Internet via SSL (HTTPS), but forward the request to the your server via HTTP. This is referred to as off-box SSL termination. They can also forward the request to a different port number than it was originally received on and can even change the HTTP Host header field. If SharePoint were base its links off of the URL of the request it received, the links that end users click on could be the incorrect "internal" URL rather than the correct "public" URL.
    SharePoint is compatible with a variety of reverse proxy servers, but for this example we'll take a look at a publishing rule from Microsoft's reverse proxy software - Internet Security and Acceleration Server 2006. ISA Server 2006 includes a SharePoint publishing wizard that walks you through creating a publishing rule for SharePoint. Once the rule is created, you can modify it at any time. (The following images show a slightly modified publishing rule where the "Forward the original host header" option is turned off to help demonstrate the flexibility of AAM. If we left the "Forward the original host header" option turned on, the public hostname would also serve as the internal hostname when configuring AAM.) The first two dialogs show the "listener" and "public name" properties of the rule, which define what URL users will use to access your SharePoint site. Remember that this URL is really the URL of your reverse proxy server, which will forward the request to your SharePoint server.

    The end user's URL is comprised of the public protocol, the public hostname, and the public port number.

    Public Protocol
    +
    "://"
    +
    Public Hostname
    +
    ":"
    +
    Public Port Number
    =
    Public URL
    HTTPS
    443
    https://www.contoso.com
    The next two dialogs show the "to" and "bridging" properties of the rule, which define what URL the reverse proxy server will use to forward the request to your SharePoint server.

    The SharePoint server's URL is comprised of the internal protocol, the internal hostname, and the internal port number.

    Internal Protocol
    +
    "://"
    +
    Internal Hostname
    +
    ":"
    +
    Internal Port Number
    =
    Internal URL
    HTTP
    sharepoint.dmz.contoso.com
    80
    http://sharepoint.dmz.contoso.com

    Great - we've properly set up this reverse proxy server to receive web requests from end users at https://www.contoso.com and forward them to your SharePoint server at http://sharepoint.dmz.contoso.com. We're halfway there! The next step is to configure your SharePoint web application and AAM to match the publishing rule above. To do this, we'll extend an existing web application to an additional IIS Web site just for your reverse proxy's publishing rule. Note that you're also able to create a new web application from scratch for this publishing rule - the fields you'll need to fill out are the same in either case.
    Browse to your WSS 3.0 Central Administration site and click on the Application Management tab. Next, click "Create or extend Web application" and then click "Extend an existing Web application." Select the web application that you wish to use, and then fill out the port, host header, and SSL fields based on the internal URL properties that we defined above. In the URL field, enter the public URL that we defined above. Finally, you'll want to select an AAM Zone to assign this extension of your web application to. There are a maximum of 5 zones available in each web application. We'll use the Internet zone in this example, but you're free to use any available zone. All of the zones provide the same functionality, although the Default zone will always be used for certain features such as sending administrative e-mail messages to site collection owners. When you're finished, click OK to create the IIS Web site.
    Next, you'll want to verify that your public URL was created correctly in AAM and then add your internal URL. Unless your internal URL is the same as your public URL, this is an extra step that you must perform manually. To do this, browse to your WSS 3.0 Central Administration site and click on the Operations tab. Next, click "Alternate access mappings." Click the Alternate Access Mappings selector drop-down and select the web application that you're publishing through your reverse proxy server. You should now see the AAM URLs assigned to your web application.

    As you can see, the public URL from the reverse proxy publishing rule has been assigned to your web application's Internet zone. The final touch is to add the internal URL from the reverse proxy publishing rule to your web application's Internet zone. To do this, click "Add Internal URLs" in the AAM toolbar, type in the internal URL, and select the same zone that you used for the public URL. In this case, that was the Internet zone. When you're finished, click Save. You should now see the additional URL is assigned to your web application, in the same zone as the public URL of your reverse proxy publishing rule.

    All done! Now, when a user browses to https://www.contoso.com, the web request will be received by the proxy server and forwarded to http://sharepoint.dmz.contoso.com. SharePoint will then receive the web request, see that the URL of the request is http://sharepoint.dmz.contoso.com, find that this URL is assigned to the Contoso web application, and return the content from that web application. In addition, because the http://sharepoint.dmz.contoso.com URL is assigned to the Internet zone, SharePoint will also generate links on the pages using the public URL for that zone - https://www.contoso.com. This ensures that end users are taken to the proper URL when clicking on links on the page.
    Load balancers work similarly, especially if they overwrite the end user's original URL with the URL of the individual web server that the request is being load balanced to. To address this, just add each individual web server's URL to AAM as an internal URL and associate them all to the same zone as end user's public URL.
    I hope that this introduction to Alternate Access Mappings was helpful to you. Please feel free to post comments to this blog entry with any questions you may have about AAM. I will be posting another blog entry soon covering common AAM mistakes and how to avoid them.

    Troy Starr





    موضوعات مشابه:

  2. #2
    نام حقيقي: 1234

    مدیر بازنشسته
    تاریخ عضویت
    Jul 2009
    محل سکونت
    5678
    نوشته
    5,634
    سپاسگزاری شده
    2513
    سپاسگزاری کرده
    272
    کد:
    http://blogs.msdn.com/sharepoint/archive/2007/03/19/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-2-of-3.aspx
    PART-2

    In Part 1 of my blog series on Alternate Access Mappings, I gave a brief introduction to the feature and an example of how it can be used. In this blog entry, I'd like to discuss some of the common AAM-related mistakes I've noticed people make when deploying SharePoint.
    Mistake #1: "I'm not deploying SharePoint in an unusual way, so I don't need to worry configuring Alternate Access Mappings."
    Probably the most common cause of AAM-related issues is administrators not realizing that they need to configure it in the first place. It's certainly understandable as this is a new requirement in Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. The reality is that every SharePoint administrator needs to make sure that AAM is configured correctly, even if you're performing a simple deployment.
    For SharePoint to provide a robust and stable API that can work on multiple machines, even machines where the SharePoint web application service is not running, our resolution of URLs to SharePoint sites cannot rely on hosts files, DNS, or IIS bindings. Instead, once SharePoint receives a request it will only use AAM to perform that URL resolution. So while it is necessary to make sure your hosts files, DNS, and IIS bindings are properly configured so that a web request can reach the SharePoint server, it is also necessary to configure the URLs in AAM to match.
    Here are some specific examples:

    • Fully Qualified Domain Names (FQDN) - If you're using an FQDN URL to reach your SharePoint web application, you need to configure that domain name in DNS. You also need to configure a matching URL in AAM. If this is an URL that end users will use to reach your site, then make it a public URL. If this is an URL that a reverse proxy device will use to forward requests to your site, then make it an internal URL - just be sure that you've configured the end user's URL as the public URL in the same zone.
    • Localhost - Localhost is the syntactic sugar of networking. It allows you to type in http://localhost in your browser and always reach the web site hosted on your local machine. However, since localhost is made possible through the machine's hosts file, SharePoint can't automatically take advantage of it. If you need http://localhost to be a valid URL for SharePoint, you'll need to enter it into AAM.
    • IP addresses - If you're in an environment where there is no DNS or hosts name resolution and you're just using URLs with IP addresses, you still need to enter those URLs into AAM.

    So, if you're seeing broken images or are being redirected to http://machinename when browsing to your SharePoint site, then that URL probably hasn't been entered into AAM.
    Mistake #2: Your reverse proxy server's "link translation" feature is sufficient.
    Some administrators understand that AAM will fix up the links on pages so that end users are taken to the proper public URL, but they also know that their reverse proxy server has a "link translation" feature that does something similar. If they both do the same thing, then why not just turn it on in the reverse proxy publishing rule and not worry about setting it in AAM?
    There are several reasons why this is not a good idea. First off, in our compatibility testing experience, no link translation feature from any reverse proxy server, including ISA Server 2006, is sufficient to fix up all SharePoint links to use the public URL. SharePoint embeds its URLs in many places and in a variety of encodings. Reverse proxy servers are currently not sophisticated enough to find and fix them all. Second, SharePoint has features that use URLs but do not go through reverse proxy server publishing rules. E-mail alerts are a good example. Only AAM will be able to make sure the links in your e-mail alerts are using the correct URL for the user.
    So while you're more than welcome to enable link translation in your SharePoint publishing rule, don't forget to properly configure AAM as well. And by the way, if you're exposing the SharePoint 3.0 Central Administration site via a publishing rule, be sure to disable the link translation feature for that rule. It will likely interfere with your ability to configure AAM.

    Mistake #3: Trying to reuse the same URL in AAM or not aligning the URLs to the same zone.
    This is a mistake that often catches people when they configure SharePoint to expose a web application to both their internal network and the Internet. For example, suppose you've configured a SharePoint web application on your corporate network with http://sharepoint as your Default zone URL. Now you want to expose it to the Internet as http://www.contoso.com. When configuring your reverse proxy server, you tell it to forward the requests to http://sharepoint and then add http://www.contoso.com as a public URL to the Internet zone. Sounds good?
    Not quite, unfortunately. While access to the site from your corporate network will continue to work as expected, you might find that access from the Internet isn't working so well and that there are several links pointing to http://sharepoint This is because the two URLs have been entered into different AAM zones and therefore are not associated with each other.
    An URL can be used only once in AAM, and the http://sharepoint URL was already in use on your corporate network. To forward your Internet-based requests to the same web application, you should use a different internal URL for your reverse proxy publishing rule such http://sharepoint.dmz.contoso.com. You can leave http://sharepoint alone in AAM and still add http://www.contoso.com as your public URL in the Internet zone. You just need to add http://sharepoint.dmz.contoso.com as an additional internal URL in the same zone as your http://www.contoso.com public URL - your Internet zone. With them both in the same zone, SharePoint can generate the proper links using the public URL for that zone.
    Mistake #4: Updates made in AAM automatically update IIS bindings and vice versa.
    Actually, once a web application has been extended to a zone, SharePoint will not attempt to modify its IIS bindings. If you go into IIS and modify those bindings yourself, say by adding a host header binding, changing a port number, or adding an SSL port, SharePoint won't be aware of those changes and will not update the AAM URLs for you. Similarly, an update to the AAM URLs to add an SSL URL won't automatically update your IIS bindings to match.
    Instead, if you need to make a change in your IIS bindings, our recommendation is that you remove the SharePoint web application from that zone. Then you can re-extend the web application to that zone with your updated bindings. This includes if you want to add an SSL port - we don't recommend reusing the same IIS Web site for your HTTP and SSL hosting. Instead, you should extend a dedicated HTTP and a dedicated SSL web site, each assigned to its own AAM zone and URLs.
    Mistake #5: Forgetting to configure your environment so that search can crawl your sites.
    You may have configured AAM and your network so that end users can reach your sites, but did you remember to do the same for SharePoint search? The SharePoint search service browses to your web applications to crawl their content and needs to be able to access your public URLs. Make sure that the machine running the search indexing service can reach those public URLs - particularly the one using NTLM authentication. If necessary, configure the proxy settings of your search service account to use your proxy servers. You can do this by logging into the machine as that account and editing its LAN connection settings in IE.
    Mistake #6: Typos!
    It happens more often than you might think - a quick series of keystrokes and you transpose 2 digits in the port number or two letters in the hostname. Now all of a sudden, SharePoint starts giving you "Cannot find server or DNS Error" messages. Be sure to double check those URLs in AAM. If you're using a reverse proxy server, verify that they match the URLs in your publishing rule.
    Hopefully these tips will save you a couple of hours of troubleshooting and perhaps even a few gray hairs. What are your most common mistakes when configuring AAM? Share them with everyone by adding a comment to this post. And of course, you're welcome to ask any additional questions you have about these tips. Next time, I'll dig a little deeper into AAM and how it integrates with other SharePoint features such as security.

    Troy Starr





  3. #3
    نام حقيقي: 1234

    مدیر بازنشسته
    تاریخ عضویت
    Jul 2009
    محل سکونت
    5678
    نوشته
    5,634
    سپاسگزاری شده
    2513
    سپاسگزاری کرده
    272
    کد:
    http://blogs.msdn.com/sharepoint/archive/2007/03/19/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-3-of-3.aspx
    PART-3

    In Part 1 of my blog series on Alternate Access Mappings, I gave a brief introduction to the feature and an example of how it can be used. In Part 2, I described some of the common AAM-related problems people run into when deploying SharePoint and how to avoid them. For the final article in our series, I'll discuss how AAM integrates with some other features in SharePoint.

    Authentication Providers

    As I mentioned in Part 1 of this blog series, AAM allows you to expose a web application in as many as 5 different AAM zones, with a different IIS Web site backing each zone. (As an aside, some people accidentally refer to this as having up to 5 different web applications sharing the same content database(s). In reality, there is just one web application.) Not only do these zones allow you to use multiple URLs to access the same web application, they allow you to use multiple authentication providers to access the same web application as well.

    When extending a web application into a zone, SharePoint only offers you the choice of using Windows authentication provided by Internet Information Services. Once the web application has been extended into the zone, you can modify that zone to use a different type of authentication. To do this, browse to the SharePoint 3.0 Central Administration site and click Application Management --> Authentication providers. Next, select your web application from the Web Application selector on the right side of the page. Finally, select the zone that you wish to modify. Now you change your authentication settings for that zone.

    The power of this feature is that it allows you to configure completely independent authentication settings to access the very same content. For example, you might configure some content to be anonymously accessible while other content requires credentials. You could configure one zone to have anonymous access enabled and all other forms of authentication disabled, guaranteeing that only the anonymous content will be accessible. At the same time, another zone can have anonymous access disabled while NTLM authentication is enabled, guaranteeing that only authenticated access will be allowed. Plus, you can even have different types of accounts to access the same content - one zone can be configured to use Windows Active Directory (AD) accounts while another zone can be configured to use non-AD accounts via ASP.NET Forms authentication.

    Web Application Policies

    Web application policies allow administrators to grant or deny access to accounts and security groups for all sites exposed through a zone. This can be useful for a variety of scenarios.

    For example, the SharePoint search crawler must go through the same authorization infrastructure as everyone else - it can only crawl content that it has access to. However, users would still like search to crawl restricted content so that authorized users can find that content in search results. The search service uses a "Full Read" policy on the web applications to give its crawler permission to read all content on that web application. That way, it can crawl and index all existing and future content, even content that the site administrator hasn't explicitly given it access to.

    Another example would be help desk personnel who need administrative access to SharePoint sites so that they can assist users. To do this, you can create a web application policy that grants the help desk staff accounts "Full Control" permission so that they have full administrative access to all current and future sites on the web application.

    Because policies are tied to both web applications and their zones, you can ensure that the policy you've applied to one zone doesn't affect other zones. This can be useful if you have content exposed both on the corporate network and to the Internet. For example, suppose you've given a help desk staff account Full Control permission over a web application's zone that has been assigned to the corporate network. If someone were to try and use that account to access the site over the Internet, that Full Control policy wouldn't apply because it would recognize that the URL is in a different zone. Therefore, the account wouldn't automatically be given administrative access to the site.

    External Resource Mappings

    On the Alternate Access Mappings page, you may have noticed a button on the toolbar called "Map to External Resource." It allows you to extend the AAM functionality to content that is not hosted within the SharePoint farm. When you click on this button, you will be asked to create an entry for an external resource, which you could conceptually think of as another web application. Once you have an external resource, you can assign different URLs and zones to it in the same way that you do for SharePoint web applications. This feature isn't utilized in Windows SharePoint Services 3.0, but third party products that build on top of WSS can make use of it.

    For example, Office SharePoint Server 2007's search technology is able to crawl content external to the SharePoint farm such as file shares and Web sites. If that content is available at different URLs on different networks, then you would want search to return search results using the appropriate URLs for the user's current network. By using AAM's external resource mapping technology, search can remap the external URLs in its search results to match the user's zone.

    I hope you've found this series on AAM helpful. As always, feel free to ask any questions via the blog comments.


    Troy Starr





کلمات کلیدی در جستجوها:

sharepoint 2010 tmg ssl termination

sharepoint forum.persiannetworks.com

what is off-box ssl termination

sharepoint search results map to external resource

sharepoint external resource mapping

sharepoint 2007 create external resource mapping

sharepoint 2007 wont recognize alternate access mapping

tmg 2010 sharepoint 2010 offbox ssl

external resource mapping sharepoint 2010

sharepoint what everyone should know about aam

sharepoint 2007 alternate access mapping not authorized

sharepoint alternate access mapping 2010 tmg hosts file

configure sharepoint 2010 for offbox ssl termination

sharepoint 2010 aam image broken only hostname

sharepoint aam external resource

create external resource mapping sharepoint

default alternate access mapping alerts search

aam external resource mapping

step by step how to configure alternate access mapping in sharepoint 2010 from scratch

alternate access mapping external resource mapping

alternate access mapping external resource

sharepoint 2010 map to external resource remove

remove external resource mapping

sharepoint 2007 alternate access mapping restrict by ip

map to external resource sharepoint 2010

برچسب برای این موضوع

مجوز های ارسال و ویرایش

  • شما نمی توانید موضوع جدید ارسال کنید
  • شما نمی توانید به پست ها پاسخ دهید
  • شما نمی توانید فایل پیوست ضمیمه کنید
  • شما نمی توانید پست های خود را ویرایش کنید
  •