Wednesday, May 12, 2010

Setting up One Way Trust for SharePoint installations

We just installed our SharePoint servers in the perimeter network (DMZ). Since our domain controllers are in the corporate network, we had to configure a separate domain in the DMZ and set up a one-way trust between the 2 domains (the DMZ domain trusts the internal domain). We struggled a bit because of the firewall rules that needed to be created and the changes that needed to be made on the domain controllers.

Firewall Ports to be opened

Microsoft-DS traffic: tcp-445, udp-445
LDAP: tcp-389 (or tcp-636 if using SSL)
LDAP Ping: udp-389
Kerberos authentication protocol: tcp-88, udp-88
DNS: tcp-53, udp-53
Net Logon Service: tcp-135, udp-135
Dynamic RPC ports: 5000-5100

Note that these ports need to be opened not only for the DCs in the DMZ to communicate with the internal DCs, but also for any server that needs to authenticate against the internal DCs, which in our case were the SharePoint web front ends.
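Before touching the trust itself, it helps to confirm from a DMZ host (a DMZ DC or a SharePoint web front end) that the firewall really passes the ports listed above. The following PowerShell script is an added example, not part of the original post: it probes each TCP port from the list against each internal DC using a plain socket connect with a timeout. The DC names are placeholders, and UDP ports (Kerberos, LDAP ping, DNS over UDP) are not probed because a UDP connect gives no reliable open/closed answer.

```powershell
# Added example (not from the original post): check the TCP ports listed above
# from a DMZ host toward the internal domain controllers.
# The DC names below are placeholders; replace them with your internal DCs.
$InternalDCs = @('DC1.corp.example', 'DC2.corp.example')   # placeholder names

# TCP ports from the list above. The RPC endpoint mapper (135) is probed directly;
# the dynamic 5000-5100 range is only listened on once RPC allocates an endpoint,
# so a closed result there would not be meaningful and it is left out.
$Ports = [ordered]@{
    'Microsoft-DS (SMB)'   = 445
    'LDAP'                 = 389
    'LDAP over SSL'        = 636
    'Kerberos'             = 88
    'DNS'                  = 53
    'RPC endpoint mapper'  = 135
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Give up after the timeout so a silently dropping firewall does not hang the run
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($dc in $InternalDCs) {
    foreach ($entry in $Ports.GetEnumerator()) {
        $ok = Test-TcpPort -ComputerName $dc -Port $entry.Value
        $status = if ($ok) { 'open' } else { 'BLOCKED' }
        Write-Output ("{0,-22} {1,-22} tcp/{2,-5} {3}" -f $dc, $entry.Key, $entry.Value, $status)
    }
}
```

Run it once from a DMZ DC and once from each web front end, since the note above makes the point that the front ends need the same paths open as the DCs; any BLOCKED line points at a missing firewall rule before the trust is even attempted.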

Limit the Dynamic RPC ports to 5000-5050

The Net Logon service uses the RPC endpoint mapper (tcp and udp 135) for the initial handshake and then uses high ports for subsequent communication. Since it is not secure to open all the high ports, we need to limit the range of dynamic RPC ports (5000-5100 in our case). To limit the range, set the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]

"Ports"=REG_MULTI_SZ:5000-5100

Note that this limiting of dynamic ports mainly needs to be done on all the DCs in the internal network. We went ahead and did this on the DMZ DCs as well.
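The registry change above is easy to get subtly wrong by hand (the value must be REG_MULTI_SZ, not REG_SZ), so here is an added PowerShell example, not from the original post, that applies the 5000-5100 range and reads it back. The post names only the Ports value; the companion values PortsInternetAvailable and UseInternetPorts are the ones Microsoft's documented RPC-behind-a-firewall procedure (KB 154596) sets alongside it so that Ports is honoured. Run it elevated on each DC; the change takes effect after a reboot.

```powershell
# Added example (not from the original post): restrict the RPC dynamic port range
# on a domain controller to the page's 5000-5100 and verify the result.
# PortsInternetAvailable and UseInternetPorts come from Microsoft's documented
# RPC/firewall procedure (KB 154596); the post itself lists only Ports.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$Range   = '5000-5100'

# The Internet subkey does not exist by default
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Ports is REG_MULTI_SZ with one range (or single port) per element
New-ItemProperty -Path $KeyPath -Name 'Ports' -PropertyType MultiString -Value @($Range) -Force | Out-Null
# Tell RPC that the listed ports are the ones usable through the firewall
New-ItemProperty -Path $KeyPath -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
# Make RPC allocate dynamic endpoints from the listed range by default
New-ItemProperty -Path $KeyPath -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# Read back and check each value so a typo does not go unnoticed until the
# first failed logon through the firewall
$cfg = Get-ItemProperty -Path $KeyPath
$applied = ($cfg.Ports -contains $Range) -and
           ($cfg.PortsInternetAvailable -eq 'Y') -and
           ($cfg.UseInternetPorts -eq 'Y')

if ($applied) {
    Write-Output "RPC dynamic ports restricted to $Range under $KeyPath (reboot required)."
} else {
    Write-Warning "RPC port range was not applied as expected; inspect the values under $KeyPath."
}
```

The range has to be wide enough for the DC's concurrent RPC sessions; if Net Logon or replication starts failing after the reboot with the firewall rules otherwise correct, widen the range here and open the same span on the firewall rather than reopening all high ports.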

OAM Webgate configuration for ARR Reverse Proxy

I just configured a reverse proxy for our SharePoint portal site using IIS7 and ARR. I installed Webgate with Windows Authentication (IWA) turned on since we wanted employees to be single signed on. However, I noticed a significant performance loss going through this reverse proxy compared to logging in directly to the SharePoint server.

I set CachePragmaHeader and CacheControlHeader to public instead of the default no-cache, which improved performance significantly. I obviously also removed the custom 401 error message, which sends a whole HTML file. See the blog post below.

By the way, if people are unable to download Word documents or Excel spreadsheets from your websites that are protected by Webgate, update the Webgate configuration and set CachePragmaHeader and CacheControlHeader to public. That should resolve the issue (in most cases).