Article

SharePoint Integration with Linux Access Gateway

Author Info

29 July 2009 - 11:09am
Submitted by: nramesh

Author Blog
Author Profile

Tags

Tags Map
article
Reads:

1623

Score:
4.5
4.5
2
 
Comments:

0

Authors: Jency Flawrence and Ramesh Nerella

Content:

Introduction

When the SharePoint server is protected by the Linux Access Gateway, you could face some problems if the default rewriter configuration is used. The document outlines a proposed deployment scenario, steps to configure Linux Access Gateway and non-browser clients, Test setup used for this document and Known issues.

Deployment scenario

Fig 1: Setup of SharePoint server accelerated using LAG using Non-Redirected Login

Click to view.

  1. A non-http client requests access to the SharePoint server protected by Linux Access Gateway.
  2. The Linux Access Gateway is configured to authenticate using Non-Redirected login as the client does not support 302 redirects. So, request is forwarded to Identity Server for authentication through SOAP back channel.
  3. Once authenticated, IDP sends back success response.
  4. Linux Access Gateway forwards the user request to the SharePoint server.
  5. SharePoint server will send the response content.
  6. Linux Access Gateway forwards the response to the client.

Configuring Linux Access Gateway

Host or Domain-based Configuration

To accelerate the SharePoint server configured with basic authentication as a Host based and Domain based service with the rewriter profile configuration, do the following:

  1. Login to the Administration Console with the administrator credentials
  2. Select Access Manager > Access Gateways > Edit.
  3. Click the Reverse Proxy that you have configured.
  4. Select the HTML Rewriting tab and create a word and a character profile as follows:
    1. Make sure the default profile is enabled.
    2. Create a new word profile as follows:
      1. Select New from HTML Rewriter Profile List, and then create a new HTML Rewriter word profile.
      2. Click the newly added word profile.
      3. Add the following content type to the And Document Content-Type Header Is section: 
        application/x-vermeer-rpc
      4. Add the following values to the Variable or Attribute Name to Search for Is section: 
        formvalue  
value
      5. Select Rewrite Inbound Query String Data.
      6. Select Rewrite Inbound Post Data.
      7. Select Rewrite Inbound Headers.
      8. Click OK.

      3. Fig 2: Word Profile Configuration

      Click to view.

    3. Create a character profile.
      A character profile must be created to rewrite absolute or relative URLs which has the following encoding formats by using Search and Replace Strings:
      1. Select New from HTML Rewriter Profile List, and then create a new HTML Rewriter character profile.
      2. Click the newly added character profile.
      3. Click New in Additional Strings to Replace section.
      4. Specify the Search and Replace strings as shown in Table 1, then click OK.

        5. SEARCH STRING REPLACE STRING
        \u0022http:\u002f\u002f webserverpersistence.com:1677 \u0022http://share.lag150.com
        http%253A%252F%252F webserverpersistence.com%253A1677 http://share.lag150.com
        http%3A%2F%2F webserverpersistence%2Ecom%3A1677 http%3A%2F%2Fshare.lag150.com
        http%3a%2f%2f webserverpersistence.com%3a1677 http://share.lag150.com
        http:%2f%2f webserverpersistence.com http://share.lag150.com
        http:\u00252F\u00252F webserverpersistence.com http://share.lag150.com
        http\u00253A\u00252F\u00252F webserverpersistence.com\u00253A1677 http://share.lag150.com

        Table 1: Search and Replace Strings

        Note: In the table, webserverpersistence.com is an example SharePoint site with a non-default port 1677 and share.lag150.com is the accelerated DNS name.

        Fig 3: Character Profile Configuration

        Click to view.

  5. Configure authentication for non-browser clients.
    To access SharePoint resources using clients which do not support 302 redirection enabled authentication
    1. Select Access Manager > Access Gateways > Edit > Configured Reverse Proxy > Protected Resources > Authentication Procedure > Select Name/Password – Basic Method > Enable Non-Redirected Login > OK

      Fig 4: Configuring Non-Redirected Login

      Click to view.

    2. Configure the security realm if it has been configured in the IIS server running SharePoint. You can find the security realm configuration by opening IIS Administration Console, selecting the SharePoint site you are accelerating and right-click and access “Properties”. In the Directory Security tab you can find the Security realm field.

      Fig 5: Security Realm Configuration in IIS Administration

      Click to view.

  6. Configure Identity Injection Policy to insert SharePoint site credentials , place the touch file /var/novell/.overwrite_AuthHeader_With_IIData and restart vmc to ensure that credentials are properly injected.
  7. Webserver Host name should be configured with the web server DNS name. Do not use the Forward received Host name option.

Path-based Configuration

To accelerate the SharePoint server configured with basic authentication as a Path-based service with the rewriter profile configuration, do the following:

  1. Login to the Administration Console with the administrator credentials
  2. Select Access Manager > Access Gateways > Edit.
  3. Click the Reverse Proxy that you have configured.
  4. Select the HTML Rewriting tab and create a word and a character profile as follows:
    1. Make sure the default profile is enabled.
    2. Create a new word profile. To create a new word profile:
      1. Select New from HTML Rewriter Profile List, and then create a new HTML Rewriter word profile.
      2. Click the newly added word profile.
      3. Add the following content type to the And Document Content-Type Header Is section: 
        application/x-vermeer-rpc
      4. Add the following values to the Variable or Attribute Name to Search for Is section: 
        ctx.displayFormUrl 
ctx.editFormUrl 
ctx.HttpPath 
ctx.imagesPath 
ctx.listUrlDir 
strHelpUrl 
strImageAZ 
strImagePath 
editPrmsUrl 
sDialogUrl 
formvalue 
value 
WPSC.WebPartPage.WebServerRelativeURL 
L_Menu_BaseUrl
      5. Add the following methods to the JavaScript Method to Search for Is section: 
        insertitem 
UpdateFormDigest 
ProcessDefaultNavigateHierarchy
      6. Add the following search and replace entries to the String to Search for Is section:

        Click to view.

      7. Select Rewrite Inbound Query String Data.
      8. Select Rewrite Inbound Post Data.
      9. Select Rewrite Inbound Headers.
      10. Make sure that Enable Rewrite Actions remains selected.
      11. Click OK.

      Fig 6: Word Profile Configuration

      Click to view.

    3. Create a character profile. A character profile must be created to rewrite absolute or relative URLs which has the following encoding formats by using Search and Replace Strings:
      1. Select New from HTML Rewriter Profile List, and then create a new HTML Rewriter character profile.
      2. Click the newly added character profile.
      3. Click New in Additional Strings to Replace section.
      4. Specify the Search and Replace strings as shown in Table 1, then click OK.

        5.    
        SEARCH STRING REPLACE STRING
        \u0022http:\u002f\u002f webserverpersistence.com:1677 \u0022http:// www .lag150.com/shpt
        http%253A%252F%252F webserverpersistence.com%253A1677 http:// www .lag150.com/shpt
        http%3A%2F%2F webserverpersistence%2Ecom%3A1677 http%3A%2F%2F www .lag150.com/shpt
        http%3a%2f%2f webserverpersistence.com%3a1677 http:// www .lag150.com/shpt
        http:%2f%2f webserverpersistence.com http:// www .lag150.com/shpt
        http:\u00252F\u00252F webserverpersistence.com http:// www .lag150.com/shpt
        http\u00253A\u00252F\u00252F webserverpersistence.com\u00253A1677 http:// www .lag150.com /shpt
        _vti_bin/shtml.dll/_vti_rpc shpt/_vti_bin/shtml.dll/_vti_rpc
        SharePoint.OpenDocuments.3 SharePoint.OpenDocuments.2
        SX|http:// webserverpersistence.com:1677 SX|http:// webserverpersistence.com:1677/shpt

        Table 1: Search and Replace Strings

        Note: In the table, webserverpersistence.com is an example SharePoint site with a non-default port 1677, www.lag150.com is the parent accelerated DNS name and /shpt is the accelerated path.

        Fig 7: Character Profile Configuration

        Click to view.

  5. Configure authentication for non-browser clients.
    To access SharePoint resources using clients which do not support 302 redirection enabled authentication
    1. Select Access Manager > Access Gateways > Edit > Configured Reverse Proxy > Protected Resources > Authentication Procedure > Select Name/Password – Basic Method > Enable Non-Redirected Login > OK

      Fig 8: Configuring Non-Redirected Login

      Click to view.

    2. Configure the security realm if it has been configured in the IIS server running SharePoint. You can find the security realm configuration by opening IIS Administration Console, selecting the SharePoint site you are accelerating and right-click and access “Properties”. In the Directory Security tab you can find the Security realm field

      Fig 9: Security Realm Configuration in IIS Administration

      Click to view.

  6. Configure Identity Injection Policy to insert SharePoint site credentials , place the touch file /var/novell/.overwrite_AuthHeader_With_IIData and restart vmc to ensure that credentials are properly injected.
  7. If you are using a non-browser client such as Windows Network Places to access SharePoint, do the following (This step is needed only path-based configuration):
    1. Log in as the root user.
    2. Specify the following command to create a touch file: 
      touch /var/novell/.spnetworkplaces
    3. For this touch file to function as specified, you should add the following lines to the file, and restart Linux Access Gateway. 
      SHAREPOINTPATH=/<accelerated path> 
HOSTNAME=<accelerated host name>
      For example, 
      SHAREPOINTPATH=/shpt
HOSTNAME=www .lag150.com
  8. To specify POST size up to 50 MB use /var/novell/.reqPostSize touch file and add the following line: 
    REQPOSTSIZE=<value in terms of MB>
    For example, 
    REQPOSTSIZE=10
  9. Specify the following command to restart the Access Gateway Appliance: 
    /etc/init.d/novell-vmc stop 
/etc/init.d/novell-vmc start
  10. Webserver Host name should be configured with the web server DNS name. Do not use the Forward received Host name option.

Configuring Non-Browser Clients to Access SharePoint Sites

You can access the SharePoint resources either by using browsers such as Internet Explorer 7 and Firefox 3.0 or non-browser clients such as Microsoft Network Place, Nautilus browser in SLES 10 SP2 or MAC finder. When you use browser access SharePoint, no additional configurations are required. But the non browser clients require certain configurations, in order to enable them to access SharePoint.

The following sections describe these configuration steps.

Connecting to SharePoint Server By Using Microsoft Network Place

  1. Select Start > My Network Places.
  2. Click Add a network place in the Network Tasks section.
  3. Click Next in Add a Netwrok Palce Wizard.
  4. Leave the default option unchanged, then click Next.
  5. In the Internet or Network Address field, specify the Published DNS name in the following format, the click Next: 
    http://< published DNS name>/<shared_folder>

    Fig 10: Add Network Place wizard

    Click to view.

  6. Optionally, give a name for the network place and click Next.
  7. Click Finish.
  8. Double-click on the created Network Place to browse the contents of the SharePoint folder.

Connecting to SharePoint Server By Using Nautilus File Browser

  1. Select Places > Home folder to open your home directory.
  2. Select Connect to Server in the File menu.
  3. Specify the following information in Connect to Server dialog box:

    Fig 11: Nautilus browser

    Click to view.

    • Service Type: Select either WebDAV(HTTP) or Secure WebDAV(HTTPS) depending on whether an http or https based service is accessed.
    • Server: Specify the published DNS name(without the http scheme).
    • Optional Information: Specify the port information, file folder information, username and a name for the connection.
  4. Click Connect.
  5. Double-click on the connection to browse the contents of the SharePoint folder.

Connecting to SharePoint Server By Using Mac Finder

  1. Select Go: menu > Connect to Server.
  2. Specify the published DNS name in the Server Address field, then click Connect.

    Fig 12: MAC Finder configuration

    Click to view.

  3. Double- click on the connection to browse the contents of the SharePoint folder.

Known Issues

  • Linux Access Gateway supports NTLM authentication without single sign-on.
  • Cross domain authentication will not work for different cookie domains
  • Re-login after logout does not happen across different cookie domains
  • Nautilus issue: SharePoint folders with names containing space characters or double byte characters cannot be accessed through Nautilus. This is a limitation of Nautilus.
  • URLs without the http scheme are not rewritten by default. The Administrator should add a character profile to rewrite such URLs.

    For example, search www.proxy-158:6296 and replace with www.lag150.com

Tested Scenarios

This configuration is tested with the following setup:

Servers

  • Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007
  • WSS 3.0 with Windows 2003 Server Enterprise Edition
  • MOSS 2007 with Windows 2003 Server Enterprise Edition (both Standalone and Farm installation)
  • Test area mainly covered acceleration of the SharePoint Team site configured (with basic authentication) which included Document library, Picture library, Slide Library, Calendar and Tasks. Search, Excel Calculation Services and testing with Microsoft InfoPath has not yet been done.

Clients

  • Browsers: Internet Explorer 7 and Firefox 3.0
  • Non-browser clients: Microsoft Network Place, Nautilus browser in SLES 10 SP2 and MAC finder
    • Tested SharePoint integrated with Microsoft Exchange Server 2003 for sending mails. Receiving mails from Exchange Server has not yet been tested.
    • Tested SharePoint integrated with Microsoft Office 2007 Applications: MS Word, Excel and PowerPoint.

Useful links:

Non-Redirected Login configuration:


Author Info

29 July 2009 - 11:09am
Submitted by: nramesh

Author Blog
Author Profile

Tags

Tags Map


Related Articles


User Comments

© 2009 Novell, Inc. All Rights Reserved.