You can configure Access Manager to provide protected access to SharePoint by using a domain-based proxy service and single sign-on access by using identity injection. You can access SharePoint with a URL similar to this: https://<Published DNS name>:<port number if any>/path. For example, https://shpt.multibox-mag.com/default.aspx.
Perform the following configurations:
Configure the proxy service type as Domain-Based Multi-Homing.
For example, the published DNS Name = shpt.multibox-mag.com.
For more information, see Configuring the Domain-Based Proxy Service in the NetIQ Access Manager 3.2 SP3 Access Gateway Guide.
Configure the following Web servers options:
Web Server Host Name: Specify the actual host name of the SharePoint server.
Connect Port: Specify the port that the Access Gateway should use to communicate with the Web servers.
For more information, see Configuring Web Servers of a Proxy Service in the NetIQ Access Manager 3.2 SP3 Access Gateway Guide.
Create new HTML Rewriter profiles: one Word profile and one Character profile.
For more information about how to create a new rewriter profile, see Creating or Modifying a Rewriter Profile in the NetIQ Access Manager 3.2 SP3 Access Gateway Guide.
Create a Word rewriter and enter the following values:
And Document Content-Type Header is: click New, then specify the following type:
application/x-vermeer-rpc
Variable or Attribute Name to Search for Is: Create the following two new attributes:
formvalue
value
Create a Character rewriter. In the Additional Strings to Replace section, specify the search and replace strings as shown in Table 3-1, then click OK.
NOTE: win2k8-r2-64bit:32274 in Table 3-1 and Table 3-2 refers to the SharePoint server's domain name and the port on which it is configured. Replace it with your SharePoint server's domain name and port number.
Table 3-1 Search and Replace strings
Search String | Replace String
---|---
\u0022http:\u002f\u002fwin2k8-r2-64bit:32274 | \u0022https://shpt.multibox-mag.com
http%253A%252F%252Fwin2k8-r2-64bit%253A32274 | https://shpt.multibox-mag.com
http%3A%2F%2Fwin2k8-r2-64bit%2Ecom%3A32274 | https%3A%2F%2Fshpt.multibox-mag.com
http%3a%2f%2fwin2k8-r2-64bit%3a32274 | https://shpt.multibox-mag.com
http:%2f%2fwin2k8-r2-64bit | https://shpt.multibox-mag.com
http:\u00252F\u00252Fwin2k8-r2-64bit | https://shpt.multibox-mag.com
http\u00253A\u00252F\u00252Fwin2k8-r2-64bit\u00253A32274 | https://shpt.multibox-mag.com
Save and enable this rewriter profile and move it to the top of the ordered list of profiles for this accelerator.
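The following Python script is an added example, not part of this guide or of Access Manager. It applies the Table 3-1 search and replace pairs in order to a few constructed lines of SharePoint response text and then checks whether the back-end host name still appears in any line. It assumes that the Character profile performs plain, case-sensitive substring replacement in table order; the sample lines, including one uppercase percent-encoded form without %2Ecom that none of the listed rules match, are constructed for this example.

```python
"""Added example (not NetIQ/Access Manager code): simulate the ordered Character
rewriter rules of Table 3-1 on constructed SharePoint response text, then check
for leaks of the internal host name.
Assumption: the profile performs plain, case-sensitive substring replacement in
table order. All sample response lines are constructed for this example."""

INTERNAL_HOST = "win2k8-r2-64bit"          # back-end SharePoint host name (from the page)
PUBLISHED_HOST = "shpt.multibox-mag.com"   # published DNS name (from the page)

# Search/replace pairs exactly as listed in Table 3-1, in order.
# Raw strings keep the literal \u00xx sequences found in JSON/JavaScript payloads.
TABLE_3_1 = [
    (r"\u0022http:\u002f\u002fwin2k8-r2-64bit:32274", r"\u0022https://shpt.multibox-mag.com"),
    ("http%253A%252F%252Fwin2k8-r2-64bit%253A32274", "https://shpt.multibox-mag.com"),
    ("http%3A%2F%2Fwin2k8-r2-64bit%2Ecom%3A32274", "https%3A%2F%2Fshpt.multibox-mag.com"),
    ("http%3a%2f%2fwin2k8-r2-64bit%3a32274", "https://shpt.multibox-mag.com"),
    ("http:%2f%2fwin2k8-r2-64bit", "https://shpt.multibox-mag.com"),
    (r"http:\u00252F\u00252Fwin2k8-r2-64bit", "https://shpt.multibox-mag.com"),
    (r"http\u00253A\u00252F\u00252Fwin2k8-r2-64bit\u00253A32274", "https://shpt.multibox-mag.com"),
]

# Constructed response fragments in the encodings SharePoint emits: JSON-escaped
# JavaScript, double percent-encoded, lowercase percent-encoded, and (last line)
# an uppercase percent-encoded form without %2Ecom that no Table 3-1 rule matches.
SAMPLE_RESPONSE = r"""var ctx = {"HttpRoot":\u0022http:\u002f\u002fwin2k8-r2-64bit:32274\u002fsites\u0022};
<a href="/_layouts/Authenticate.aspx?Source=http%253A%252F%252Fwin2k8-r2-64bit%253A32274%252Fdefault.aspx">
<a href="/_layouts/redir.aspx?ReturnUrl=http%3a%2f%2fwin2k8-r2-64bit%3a32274%2fLists">
<a href="/_layouts/redir.aspx?ReturnUrl=http%3A%2F%2Fwin2k8-r2-64bit%3A32274%2FLists">
"""


def rewrite(body, rules=TABLE_3_1):
    """Apply the Character rewriter rules in order as plain substring replacement."""
    for search, replace in rules:
        body = body.replace(search, replace)
    return body


def leaked_lines(body, internal_host=INTERNAL_HOST):
    """Return (1-based line number, line) pairs that still carry the internal host name.
    Any hit means an encoding variant reached the client unrewritten."""
    return [(n, line) for n, line in enumerate(body.splitlines(), 1) if internal_host in line]


if __name__ == "__main__":
    out = rewrite(SAMPLE_RESPONSE)
    print(out)
    for n, line in leaked_lines(out):
        print(f"LEAK on line {n}: {line}")
```

leaked_lines on its own can be run over a page saved from a browser session through the Access Gateway; every line it reports needs a further search string in the profile, because the rules only match the exact encodings they list.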
Configure the protected resources: pr-private, pr-public, and pr-other.
For more information, see Configuring Protected Resources in the NetIQ Access Manager 3.2 SP3 Access Gateway Guide.
Protected resource: pr-private
Authentication Procedure: Secure Name/Password – Form type contract
URL Path: /default.aspx
Identity Injection: Enabled (injects Credential Profile LDAP name and password into the Authorization headers)
Protected resource: pr-public
Authentication Procedure: None
URL Path: /
Protected resource: pr-other
Authentication Procedure: WebDAV
Create a new authentication procedure with the following settings:
Contract: Secure Name/Password - Form
Non-Redirected Login: enabled
Realm: Specify the name of the realm. The value must be the same as the Basic Authentication setting of the SharePoint IIS site.
For example, if the Basic Authentication setting is xyz, enter xyz as the name of the realm.
Redirect to Identity Server When No Authentication Header is Provided: disabled
URL Path: /*
Identity Injection: Enabled (injects Credential Profile LDAP name and password into the Authorization headers)
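The following Python script is an added example, not part of this guide or of Access Manager. It checks the realm requirement of the WebDAV authentication procedure above by parsing a constructed Basic challenge from the SharePoint IIS server and comparing its realm with the realm configured on the gateway, and it builds the header that identity injection adds. It assumes that identity injection sends the Credential Profile LDAP name and password as an HTTP Basic Authorization header; the realm value xyz is the page's own example, and the challenge lines and credentials are constructed.

```python
"""Added example (not NetIQ/Access Manager code): verify that the realm in the
SharePoint IIS Basic challenge matches the realm configured in the Access Manager
authentication procedure, and show the injected Authorization header.
Assumptions: identity injection uses HTTP Basic; "xyz" is the page's example realm;
the WWW-Authenticate lines and the credentials below are constructed."""

import base64
import re

CONFIGURED_REALM = "xyz"   # Realm set in the Access Manager authentication procedure

# Constructed 401 challenges as the SharePoint IIS server might send them.
IIS_CHALLENGE_OK = 'WWW-Authenticate: Basic realm="xyz"'
IIS_CHALLENGE_MISMATCH = 'WWW-Authenticate: Basic realm="SharePoint"'
IIS_CHALLENGE_NTLM = 'WWW-Authenticate: NTLM'


def parse_basic_realm(header_line):
    """Extract the realm from a WWW-Authenticate: Basic challenge, or None if it is
    not a Basic challenge (for example NTLM, which identity injection cannot answer)."""
    m = re.search(r'Basic\s+realm="([^"]*)"', header_line, re.IGNORECASE)
    return m.group(1) if m else None


def realm_matches(header_line, configured=CONFIGURED_REALM):
    """True when the IIS Basic realm equals the realm configured on the gateway.
    A mismatch means the gateway's challenge and the back end's challenge differ,
    and single sign-on to SharePoint fails for WebDAV clients."""
    return parse_basic_realm(header_line) == configured


def injected_authorization(ldap_name, password):
    """Build the Authorization header that identity injection adds to the request
    before it is forwarded to the SharePoint server (Basic = base64("user:password"))."""
    token = base64.b64encode(f"{ldap_name}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


if __name__ == "__main__":
    for challenge in (IIS_CHALLENGE_OK, IIS_CHALLENGE_MISMATCH, IIS_CHALLENGE_NTLM):
        print(f"{challenge!r}: realm={parse_basic_realm(challenge)!r} "
              f"matches={realm_matches(challenge)}")
    print(injected_authorization("jdoe", "s3cret"))   # constructed credentials
```

The realm comparison is the check to run when a WebDAV client is prompted repeatedly despite a valid session: capture the WWW-Authenticate header the SharePoint server returns for an unauthenticated request to a /_vti_bin path and compare it with the Realm value of the authentication procedure.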
You can configure Access Manager to provide protected access to SharePoint by using a path-based proxy service with the Remove Path on Fill option enabled, and single sign-on access by using identity injection. You can access SharePoint with a URL similar to this: https://<Published DNS name>:<port number if any>/path. For example, https://multibox-mag.com/shpt/default.aspx.
When the Remove Path on Fill option is enabled, SharePoint access requires the following additional entries in the Advanced Options section of the global settings, the master service, and the path-based service.
Advanced options required in the global settings include:
NAGGlobalOptions AllowMSWebDavMiniRedir=on
Advanced options required in the master service include:
NAGHostOptions primaryWebdav=/shpt
NAGHostOptions webdavPath=/_vti_inf.html
NAGHostOptions webdavPath=/_vti_bin/_vti_aut/author.dll
NAGHostOptions webdavPath=/_vti_bin/shtml.dll/_vti_rpc
NAGHostOptions webdavPath=/_vti_bin/_vti_adm/admin.dll
NAGHostOptions webdavPath=/_vti_bin/owssvr.dll
Advanced options required in the path-based service include:
NAGChildOptions WebDav=/shpt
Perform the following configurations:
Configure the proxy service type as Path-Based Multi-Homing. For example, Published DNS Name = shpt.multibox-mag.com.
Path List: /shpt
Remove Path on Fill: Select the check box.
Reinsert Path in “set-cookie” Header: Select the check box.
For more information, see Configuring a Path-Based Multi-Homing Proxy Service in the NetIQ Access Manager 3.2 SP3 Access Gateway Guide.
Configure the following options for Web servers:
Web Server Host Name: Enter the actual host name of the SharePoint server.
Connect Port: Enter the port that the Access Gateway should use to communicate with the Web servers.
For more information, see Configuring Web Servers of a Proxy Service in the NetIQ Access Manager 3.2 SP3 Access Gateway Guide.
Create new HTML Rewriter profiles: one Word profile and one Character profile.
For more information about how to create a new rewriter profile, see Creating or Modifying a Rewriter Profile in the NetIQ Access Manager 3.2 SP3 Access Gateway Guide.
Create a Word rewriter. Keep the default values except the following:
And Document Content-Type Header Is: click New, then specify the following type:
application/x-vermeer-rpc
Rewrite Inbound Query String Data: Select the check box.
Rewrite Inbound POST Data: Select the check box.
Rewrite Inbound Headers: Select the check box.
Enable Rewriter Actions: Select the check box.
Variable or Attribute Name to Search for Is: Specify the following attributes:
ctx.displayFormUrl
ctx.editFormUrl
ctx.HttpPath
ctx.imagesPath
ctx.listUrlDir
editPrmsUrl
formvalue
L_Menu_BaseUrl
sDialogUrl
strHelpUrl
strImageAZ
strImagePath
value
webUrl
WPSC.WebPartPage.WebServerRelativeURL
Java Script Method of Search for is: Specify the following attributes:
insertitem
ProcessDefaultNavigateHierarchy
UpdateFormDigest
String to Search for is: Specify the following attributes:
Search=/_layouts/images Replace=$path/_layouts/images
Search=/sites Replace=$path/sites
Search=\u002f_layouts\u002fimages Replace=$path\u002f_layouts\u002fimages
Create a Character rewriter and enter the following values:
And Document Content-Type Header Is: application/x-vermeer-rpc
Additional Strings to Replace: Specify the search and replace strings as shown in Table 3-2, then click OK.
Table 3-2 Search and Replace strings
Search String | Replace String
---|---
\u0022http:\u002f\u002fwin2k8-r2-64bit:32274 | \u0022https://multibox-mag.com/shpt
\u002f_layouts | /shpt\u002f_layouts
\u002f_vti_bin | /shpt\u002f_vti_bin
event,'/_layouts | event,'/shpt/_layouts
http%253A%252F%252Fwin2k8-r2-64bit%253A32274 | https://multibox-mag.com/shpt
http%3A%2F%2Fwin2k8-r2-64bit%2Ecom%3A32274 | https%3A%2F%2Fmultibox-mag.com/shpt
http%3a%2f%2fwin2k8-r2-64bit%3a32274 | https%3a%2f%2fmultibox-mag.com/shpt
http:%2f%2fwin2k8-r2-64bit | https://multibox-mag.com/shpt
http:\u00252F\u00252Fwin2k8-r2-64bit | https://multibox-mag.com/shpt
http\u00253A\u00252F\u00252Fwin2k8-r2-64bit\u00253A32274 | https://multibox-mag.com/shpt
webUrl=/ | webUrl=/shpt
Save and enable this rewriter profile and move it to the top of the ordered list of profiles for this accelerator.
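The following Python script is an added example, not part of this guide or of Access Manager. It simulates, on constructed data, what the Remove Path on Fill and Reinsert Path in "set-cookie" Header options of the path-based proxy service do to a request path and to a back-end Set-Cookie header, and how the $path token in the String to Search for rules of the Word profile above resolves to the service path. It assumes the Path List entry /shpt from this section; the request path, the Set-Cookie header and the HTML fragment are constructed.

```python
"""Added example (not NetIQ/Access Manager code): simulate Remove Path on Fill,
Reinsert Path in set-cookie Header, and $path expansion for a path-based service.
Assumption: the Path List entry is /shpt (from the page). The request path, the
back-end Set-Cookie header and the HTML fragment below are constructed."""

PATH_PREFIX = "/shpt"

# The three "String to Search for" pairs of the Word profile, with $path unexpanded.
PATH_RULES = [
    ("/_layouts/images", "$path/_layouts/images"),
    ("/sites", "$path/sites"),
    (r"\u002f_layouts\u002fimages", r"$path\u002f_layouts\u002fimages"),
]


def remove_path_on_fill(request_path, prefix=PATH_PREFIX):
    """Strip the published prefix before the request is filled from the Web server:
    /shpt -> /   and   /shpt/default.aspx -> /default.aspx."""
    if request_path == prefix:
        return "/"
    if request_path.startswith(prefix + "/"):
        return request_path[len(prefix):]
    return request_path  # not under this path-based service: leave untouched


def reinsert_path_in_set_cookie(set_cookie, prefix=PATH_PREFIX):
    """Put the prefix back into the Path attribute of a back-end Set-Cookie header.
    Without this, a cookie SharePoint scopes to Path=/ is returned by the browser
    to every service on the published host, and a cookie scoped to a stripped
    path such as /_layouts is never returned for /shpt/_layouts."""
    attrs = [a.strip() for a in set_cookie.split(";")]
    out = []
    for attr in attrs:
        name, _, value = attr.partition("=")
        if name.lower() == "path":
            attr = "Path=" + (prefix if value == "/" else prefix + value)
        out.append(attr)
    return "; ".join(out)


def expand_path_rules(rules=PATH_RULES, prefix=PATH_PREFIX):
    """Resolve $path to the path of the service that handled the request."""
    return [(search, replace.replace("$path", prefix)) for search, replace in rules]


def rewrite_outbound(body, prefix=PATH_PREFIX):
    """Apply the expanded rules in order to a response body (plain substring replace)."""
    for search, replace in expand_path_rules(prefix=prefix):
        body = body.replace(search, replace)
    return body


if __name__ == "__main__":
    print(remove_path_on_fill("/shpt/default.aspx"))
    # Constructed Set-Cookie header as SharePoint might send it.
    print(reinsert_path_in_set_cookie("WSS_KeepSessionAuthenticated=1; path=/; HttpOnly"))
    html = '<img src="/_layouts/images/logo.gif"><a href="/sites/team">team</a>'
    print(rewrite_outbound(html))
```

The two directions have to agree: every prefix removed from an inbound path must be reinserted into anything the back end sends that names a path (cookie Path attributes and the links covered by the rewriter rules), otherwise the browser either sends cookies to the wrong scope or follows links that bypass the path-based service.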
Configure the protected resources: pr-private, pr-public, and pr-other.
For more information, see Configuring Protected Resources in the NetIQ Access Manager 3.2 SP3 Access Gateway Guide.
Protected resource: pr-private
Authentication Procedure: Secure Name/Password – Form type contract
URL Path: /shpt/default.aspx
Identity Injection: Enabled (injects Credential Profile LDAP name and password into the Authorization headers)
Protected resource: pr-public
Authentication Procedure: None
URL Path: /shpt
Protected resource: pr-other
Authentication Procedure: WebDAV
Create an authentication procedure with the following settings:
Contract: Secure Name/Password - Form
Non-Redirected Login: enabled
Realm: Sharepoint
Redirect to Identity Server When No Authentication Header is Provided: disabled
URL Path: /shpt/*
Identity Injection: Enabled (injects Credential Profile LDAP name and password into the Authorization headers)