Chapter 19
Publishing SharePoint Server 2007 Data to Mobile Devices Through ISA Server 2006

Designing a Secure Mobile Infrastructure 663
Configuring Servers for Secure Mobile Access to SharePoint Data 671
Configuring Windows Mobile Devices to Access SharePoint 688
Summary 690
At this point, it is certainly clear that Microsoft Office SharePoint Server 2007 focuses on the collection and distribution of data to a company’s employees. Just as certain is the fact that it is only a matter of time before that data will need to be presented to mobile users. In support of the ever-growing mobile user community, Microsoft has made great strides in the development of the Windows Mobile platform. Now with its Windows Mobile 5.0 operating system, Microsoft has opened opportunities for instant access to user data including e-mail, contacts, calendar, and tasks. From a SharePoint perspective, Microsoft has included a new Mobile URL feature wherein the URL is generated automatically for each site to provide access to mobile device users. Rather than provide a picture-rich environment, a typical SharePoint environment for the mobile URL slims the page down to its most important List feature.
Windows Mobile 5.0 devices are available from all major cellular carriers and come in several different forms. Some devices use standard QWERTY keyboards to facilitate text input, while other devices use a normal phone-style number pad.
Windows Mobile 5.0 is split between two similar but different operating systems: Windows Mobile 5.0 for PocketPC and Windows Mobile 5.0 for Smartphone. Although these devices share a similar core operating system in Windows Mobile 5.0, there are differences in the feature set supported by each device. The PocketPC version of the Windows Mobile 5.0 platform includes functionality that makes these devices act more like a blend between phones and laptop computers. Windows Mobile 5.0 for PocketPC includes applications such as Mobile Word, Mobile Excel, Mobile PowerPoint, and even a Terminal Services client. In addition, devices that run Windows Mobile 5.0 for PocketPC have support for connecting to Wi-Fi networks to check e-mail or access Internet resources.

This chapter focuses on how to configure Microsoft Internet Security and Acceleration (ISA) Server 2006 to publish a SharePoint site to a Windows Mobile device.
Designing a Secure Mobile Infrastructure
Network engineers face a constant battle in today’s network environments as demands for data and simplified communications continue to grow. They must find a way to manage the delicate balance between simplifying the delivery of information to end users and the ever-present mindset of ensuring that the delivery will be secure. Without ensuring that data can maintain the security levels outlined in company security policies, it would not be wise to publish data to areas of the network that introduce widespread exposure to unauthorized individuals.
Real World Secure Access to SharePoint Server 2007 Sites
The decision to publish SharePoint data to the Web using ISA Server 2006 should only come after a good amount of time has been spent evaluating the data to be published and the depth of the security measures that should be in place. In some cases you may find that the data to be published does not pose any type of vulnerability to the company’s intellectual property, brand, or personal privacy of the employees. In this case, publishing data without being overly concerned for data security is acceptable.
In many cases, however, data security is not a negligible piece of the deployment scenario. Rather, it is the key piece. In real-world implementations, the focus on security should never be absent from the task at hand. It is always best to err on the side of caution and work toward a solution that offers users access to pertinent information without jeopardizing company property. Microsoft’s intention with the ISA Server 2006 product was to provide a means of facilitating the publication of internal resources to external users while still maintaining a blanket of security that protects the company and its property. The consistent challenge in real-world deployments is to find a happy medium between data security, ease of access, and ease of implementation.
In a situation such as this, you must always keep in mind that unmanaged devices such as Windows Mobile 5 Smartphones and Pocket PCs do not fall under the same constraints and restrictions as desktops and laptops that have been added as members of the domain. These devices, though manageable through the Microsoft Exchange server deployment, are readily accessible not only to the employees who own them but also to the malicious individuals looking to obtain any piece of company information. As with any deployment that involves external roaming users, security awareness training for the end-user population is a major factor in the success of the deployment.
Understanding Firewall Configurations
Securing resources on the internal network can be accomplished using any of three common solutions: 1) the edge firewall solution, 2) the multi-homed firewall solution, and 3) the back-to-back firewall configuration. Figure 19-1 shows a simple comparison of these firewall solutions.
Note Although our discussions in the text will focus on understanding the back-to-back firewall configuration, the practice and procedure for configuring SharePoint is consistent across any of the three firewall scenarios.
Figure 19-1 Comparison of the three common firewall security implementations
The edge firewall is by far the simplest and cheapest solution, as it involves only a single firewall device that establishes a clear line between the internal network and the Internet. The downside is that there is a single point of attack and failure.
The multi-homed firewall, like the edge firewall, involves only one hardware device, but it has at least one additional network card. The additional network card provides the opportunity to place resources on an external or perimeter network. However, there is still a single point of attack and failure in this topology.
The back-to-back firewall, as you might have guessed, is the most expensive one, but it is also the solution that affords the highest level of security and the lowest level of granularity with our access controls. Table 19-1 outlines the pros and cons of each firewall implementation.
Before you learn about the infrastructure requirements for securely publishing SharePoint to Windows Mobile users, let’s look at the network pieces that a corporation might already have employed in delivering a secure mobile messaging solution.

Solutions that involve the configuration of a perimeter network with two third-party firewall devices often include front-end servers placed into the perimeter network while the back-end storage servers are neatly tucked away on the internal network. The firewall configuration involves a loose set of firewall policy settings on the external firewall that allows traffic from any source terminating at the front-end servers. The internal firewall, on the other hand, protects the internal resources with a much more stringent set of firewall policy settings that allows traffic to pass through only if the source of the traffic is a server in the perimeter network and the destination is a specific server on the internal network. This is illustrated in Figure 19-2.
Table 19-1 Pros and Cons of the Three Common Firewall Implementations

Firewall solution | Pros            | Cons                            | Security rating | Notes
Internet Edge     | Low cost        | Not as …                        | High            | Should never be a member of a domain
Back-to-back      | Easily scalable | High cost; high knowledge level | Very high       | Only the internal firewall should be considered for membership in the internal Active Directory domain
Figure 19-2 A messaging infrastructure deployed with two third-party firewall devices
Deploying SharePoint in this fashion would be very similar. In fact, the external firewall access policy would only need to be extended to allow incoming traffic over port 80, and possibly port 443, to the front-end SharePoint server or Network Load Balancing (NLB) device. The internal firewall, however, would require an additional rule to allow the front-end SharePoint server to communicate with an internal SQL Server 2005 server. The default port of 1433 would need to be permitted from a source of the front-end SharePoint server to the back-end database server. This is illustrated in Figure 19-3.
Figure 19-3 Deploying a SharePoint front-end server in a perimeter network with a back-end SQL server
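As an added illustration that is not part of the chapter, the following Python models the two firewall policies just described (ports 80 and 443 from anywhere to the front end on the external firewall; port 1433 from the front end to the SQL server on the internal firewall) and works out which flows can cross the perimeter. All addresses are constructed placeholders from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the topology in Figure 19-3: 192.0.2.0/24 stands in
# for the perimeter network and 10.0.0.0/8 for the internal network. None of
# these values come from a real deployment.
PERIMETER = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SP_FRONTEND = ipaddress.ip_network("192.0.2.10/32")   # SharePoint front end / NLB address
SQL_BACKEND = ipaddress.ip_network("10.0.0.20/32")    # SQL Server 2005 back end
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset
    allow: bool = True


# External firewall: only HTTP/HTTPS, from anywhere, to the front end.
EXTERNAL_FW = (
    Rule("inet-to-frontend-web", ANY, SP_FRONTEND, frozenset({80, 443})),
)

# Internal firewall: only the front end, only to the SQL server, only 1433.
INTERNAL_FW = (
    Rule("frontend-to-sql", SP_FRONTEND, SQL_BACKEND, frozenset({1433})),
)


def evaluate(rules, src, dst, port):
    """First-match evaluation; anything not explicitly allowed is denied."""
    for rule in rules:
        if src in rule.src and dst in rule.dst and port in rule.ports:
            return rule.allow
    return False


def zone_index(ip):
    """0 = Internet, 1 = perimeter, 2 = internal (used to compute the path)."""
    if ip in INTERNAL:
        return 2
    if ip in PERIMETER:
        return 1
    return 0


def firewalls_on_path(src, dst):
    """Firewalls a flow crosses: the external firewall sits between zones 0 and 1,
    the internal firewall between zones 1 and 2. Same-zone traffic crosses neither."""
    lo, hi = sorted((zone_index(src), zone_index(dst)))
    path = []
    if lo <= 0 < hi:
        path.append(EXTERNAL_FW)
    if lo <= 1 < hi:
        path.append(INTERNAL_FW)
    return path


def flow_allowed(src_ip, dst_ip, port):
    """True only if every firewall on the path permits the flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return all(evaluate(fw, src, dst, port) for fw in firewalls_on_path(src, dst))


if __name__ == "__main__":
    checks = [
        ("203.0.113.5", "192.0.2.10", 443),   # Internet client -> front end over HTTPS
        ("203.0.113.5", "10.0.0.20", 1433),   # Internet client -> SQL server directly
        ("192.0.2.10", "10.0.0.20", 1433),    # front end -> SQL server
        ("192.0.2.10", "10.0.0.20", 445),     # front end -> SQL server over SMB
    ]
    for src, dst, port in checks:
        verdict = "allow" if flow_allowed(src, dst, port) else "deny"
        print(f"{src:>13} -> {dst:<11} :{port:<5} {verdict}")
```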
If you’re concerned with the idea of placing your SharePoint server in the perimeter network, then be assured that placing it on the internal network is even more unwise. The ramifications of placing it amongst the other internal resources are significant in that both the external and the internal firewall would have to be configured to allow Internet clients to pass through to the internal network. Indeed, unwise. So what should you do? Use Microsoft Internet Security and Acceleration (ISA) Server 2006 as the solution.
Using ISA Server 2006 with SharePoint Server 2007 Implementations
ISA Server 2006 comes in Standard and Enterprise Editions. The core difference in the editions lies in the scalability opportunities of Enterprise Edition. Standard Edition is limited to a single server with up to 4 CPUs and 2 GB of RAM. Enterprise Edition, on the other hand, has no hardware limitations and can scale as part of a Network Load Balancing (NLB) cluster with a maximum of 32 nodes. The combination of the size of the existing infrastructure and your projections for growth will determine which edition is right for you.
What ISA Server 2006 provides is a multi-tasking application that can exponentially enhance the security of traffic within, across, or directed to resources on your corporate network. ISA Server 2006 can function in one or all of three core roles:
■ Web Access Protection
■ Branch Office Gateway
■ Secure Application Publishing
More Info You can read more about ISA Server 2006 at http://www.microsoft.com/isaserver.
The secure application publishing feature of ISA Server 2006 allows organizations to protect internal servers like Exchange, SharePoint, and other Web application servers. ISA Server 2006’s publishing rules can be broken down into two forms: Web publishing and server publishing. Web publishing rules are distinguished from server publishing rules in that Web publishing rules are geared toward the traditional Web-based type applications like Web servers, mail servers, and FTP servers. Server publishing rules are used when publishing services like Terminal Services or Telnet. Since SharePoint is clearly one of the Web-based applications, we will focus on the use of Web publishing rules.

Web publishing rules provide a host of advantages including:
■ Reverse proxy for internal resources
■ Application layer inspection of connections to published services
■ Path redirection
■ Pre-authentication of traffic to published services
■ Support for RADIUS, LDAP, SecurID, and more
■ Publishing multiple sites to a single IP address
■ URL re-writes
■ SSL bridging and SSL tunneling
■ Site publication scheduling
■ Reverse caching of content for external requests
By the end of this chapter, you will see just how good things can be when ISA Server 2006 is part of your network infrastructure. Microsoft has done a great job of allowing administrators to secure deployments with an easy-to-use interface and a helpful set of wizards to facilitate application publishing.
Note It is a common debate among IT security professionals as to whether firewall applications such as ISA Server 2006 are as secure as hardware-based firewall devices. The raw answer to that debate is that a firewall is only as secure as it is configured to be. But if that isn’t enough to satisfy your curiosity, please visit http://www.microsoft.com/isaserver/hardware to see how Microsoft has worked with several vendors to bring the ease of ISA packaged with a hardware platform as a security appliance.
Once you have decided that ISA Server 2006 should be a part of the network infrastructure, you must decide where and how you will deploy it. As a firewall product, ISA Server 2006 fits nicely into any of the three firewall deployment scenarios mentioned earlier: edge, multi-homed, or back-to-back. When a SharePoint site is published to the Internet using ISA, it is protected because the true name and IP address of the SharePoint server are never exposed to the external, requesting user. Users will submit their requests to the ISA server which, in turn, will authenticate the user if necessary and then forward the request to the SharePoint server.
For small organizations, and especially those built off of Microsoft Small Business Server 2003 Premium Edition, ISA is positioned to be the Internet edge firewall that provides a barrier of protection between the Internet and the intranet. As Figure 19-4 shows, ISA would be connected to the Internet and the intranet as it inspects all outbound and inbound traffic.
Figure 19-4 ISA Server as an edge gateway
Many large companies have already invested time, money, and manpower in building a secure network environment around the back-to-back firewall configuration. This does not preclude them from needing or wanting to use ISA Server 2006 in their infrastructure. As shown in Figure 19-5, ISA Server 2006 can slip nicely into an existing perimeter network.
Figure 19-5 ISA Server 2006 as a complement to an existing firewall configuration

(Figure labels: SQL Server 2005 Back-end Server; SharePoint Server 2007 Front-end Server; Back-end Exchange Server; Front-end Exchange Server; ISA Server 2006; Domain Controller; INTERNET; Internal Network)

This configuration minimizes the changes that are needed on the internal and external firewalls but adds all of the elements of security that ISA provides. All resources can now remain on the internal network. ISA Server 2006’s reverse proxy features will introduce a “you wait and I’ll go get it” method of handling traffic. ISA will receive the initial request as the internal firewall has allowed the passing of the traffic to ISA. ISA can then authenticate the user and proceed to retrieve the content on behalf of the authenticated user.
Another common practice in IT security is to deploy firewalls from different vendors in the front-end and back-end solution. If such is the case, it makes great sense to install ISA Server 2006 as the internal or front-end firewall, as shown in Figure 19-6.

Figure 19-6 ISA Server 2006 as a back-end firewall

From small, low-budget organizations to large, well-funded organizations, there is a firewall deployment right for every situation. Whether it be a single firewall, multiple firewalls, third-party devices, or ISA, planning your infrastructure to support the publication of SharePoint data is a must.
Configuring Servers for Secure Mobile Access to SharePoint Data
After the design phase is over and the servers have been deployed into their respective places on the physical network, it is time to configure the servers to support the delivery of SharePoint data to mobile employees. Much as the design phase takes planning and consideration, the configuration phase requires careful consideration. Moving into implementation, you will need to answer questions such as:
■ Do I have a single SharePoint site? Or an entire server farm?
■ Is my SharePoint data accessed internally and externally?
■ Do I need to use HTTPS? If so, do I have the appropriate certificates?
■ What is the server information that we need to publish: IP address? Fully qualified domain name (FQDN)?
■ What type of authentication do I require? LDAP? Forms-based? Basic? None?

Having the answers to each of these questions will make the ISA configuration wizard much easier and will help ensure a smooth deployment. Since SharePoint is a Web-based service provided to the end user, it is most common to see users accessing information using fully qualified domain names like http://intranet.contoso.com. Alternate Access Mapping (AAM) is a feature of Windows SharePoint Services 3.0 (and thus Office SharePoint Server 2007) that allows users of multiple domains and even multiple networks to access the same set of content using unique URLs. SharePoint identifies the source of a request and matches that to a defined network (URL). This allows SharePoint to return a URL consistent with the FQDN provided by the user. For example, an external user referencing content from the URL http://companyweb.contoso.com should not receive a return URL of http://intranet.contoso.com. SharePoint uses zones as a means of managing URLs and authentication providers when accessing the same content from different networks. Figure 19-7 illustrates the use of alternate access mappings for SharePoint data.

Figure 19-7 Example of alternate access mappings for SharePoint

The configuration in the diagram would allow users to access the content from multiple URLs including:
■ http://moss01.contoso.com  Individual server name, defined on the Intranet zone
■ http://moss02.contoso.com  Individual server name, defined on the Intranet zone
■ http://moss03.contoso.com  Individual server name, defined on the Intranet zone
■ http://intranet.contoso.com  NLB cluster name for the farm, defined on the Intranet zone
■ http://companyweb.contoso.com  Alternate Access Mapping to reference the NLB farm, defined on the Internet zone
When the SharePoint server receives a request for http://intranet.contoso.com, it assumes that the request is coming from a computer that is on the Intranet zone and will return the same URL. When the server receives a request for http://extranet.contoso.com, it assumes that the request is coming from the Internet zone and will return the same URL.
Note To support the scenario provided, DNS records would need to be created accordingly. The records for each server will most likely exist by default as a result of DNS Dynamic Update. The required Host (A) records for the intranet and company Web host names should be created manually.
Alternate Access Mappings are configured from the Global Configuration section of the Operations page in SharePoint 3.0 Central Administration, shown in Figure 19-8.
Figure 19-8 Alternate Access Mappings link in Central Administration
All currently configured URLs are listed on the Alternate Access Mapping page, as shown in Figure 19-9.
Figure 19-9 Alternate Access Mappings in SharePoint
New mappings can be defined by providing a URL and the appropriate security zone for the URL. The zone chosen is dependent upon the level of security required for the delivery of the data. In situations where information should be delivered to the requesting general public as part of an Internet-accessible site, the Internet zone would be best if Anonymous authentication is enabled. For scenarios where company employees need access to data that is perhaps still in the Internet zone but with stronger security, a mechanism like Windows Integrated authentication would be in order.

With the Alternate Access Mapping in place, it will be possible for external users to access data using the http://companyweb.contoso.com URL. SharePoint is configured by default to allow mobile device access to the content using the http://companyweb.contoso.com/m URL (shown in Figure 19-9). Using the /m at the end of the URL tells SharePoint to return the less graphically intensive version of a SharePoint site.

Figure 19-10 SharePoint mobile URL with the /m switch
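The following Python is an added example, not part of the chapter or of SharePoint, that models the zone lookup behind the five mappings listed above and the /m mobile URL: the host a request arrived on selects a zone, links in the response are rewritten to that zone’s public URL, and a host with no mapping is refused rather than guessed. Treating the individual server names as extra incoming URLs for the Intranet zone, and the choice to fail closed on an unmapped host, are this example’s own assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Mapping:
    incoming: str   # scheme://host that a request may arrive on
    zone: str       # SharePoint zone the request is attributed to


# Constructed table mirroring the five URLs listed above. Each zone has one
# public URL; the server names are treated here as additional incoming URLs
# for the Intranet zone (an assumption of this example).
MAPPINGS = (
    Mapping("http://moss01.contoso.com", "Intranet"),
    Mapping("http://moss02.contoso.com", "Intranet"),
    Mapping("http://moss03.contoso.com", "Intranet"),
    Mapping("http://intranet.contoso.com", "Intranet"),
    Mapping("http://companyweb.contoso.com", "Internet"),
)
ZONE_PUBLIC_URL = {
    "Intranet": "http://intranet.contoso.com",
    "Internet": "http://companyweb.contoso.com",
}


def _origin(url: str) -> str:
    """Normalise an absolute URL to lower-case scheme://host (port kept if given)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"absolute URL required: {url!r}")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


_ORIGIN_TO_ZONE = {_origin(m.incoming): m.zone for m in MAPPINGS}


def is_mapped(request_url: str) -> bool:
    """Does the host the client used have an alternate access mapping?"""
    try:
        return _origin(request_url) in _ORIGIN_TO_ZONE
    except ValueError:
        return False


def zone_for_request(request_url: str) -> str:
    """Zone for the host the client used. An unmapped host is a configuration
    error, so fail closed instead of guessing a zone for it."""
    origin = _origin(request_url)
    if origin not in _ORIGIN_TO_ZONE:
        raise ValueError(f"no alternate access mapping for {origin}")
    return _ORIGIN_TO_ZONE[origin]


def rewrite_link(request_url: str, link: str) -> str:
    """Rewrite a farm-internal absolute link so its host is the public URL of
    the zone the request arrived on. Relative links and links to hosts outside
    the farm are returned untouched."""
    public = urlsplit(ZONE_PUBLIC_URL[zone_for_request(request_url)])
    target = urlsplit(link)
    if not target.netloc or _origin(link) not in _ORIGIN_TO_ZONE:
        return link
    return urlunsplit((public.scheme, public.netloc, target.path,
                       target.query, target.fragment))


def mobile_url(request_url: str) -> str:
    """Mobile (/m) view of the site root for the zone the request arrived on."""
    return ZONE_PUBLIC_URL[zone_for_request(request_url)].rstrip("/") + "/m"


if __name__ == "__main__":
    external = "http://companyweb.contoso.com/default.aspx"
    internal_link = "http://moss02.contoso.com/sites/hr/Lists/Tasks/AllItems.aspx?View=1"
    print(zone_for_request(external))               # Internet
    print(rewrite_link(external, internal_link))    # host becomes companyweb.contoso.com
    print(mobile_url(external))                     # http://companyweb.contoso.com/m
    print(is_mapped("http://unmapped.example/"))    # False: would be refused
```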
Since we are dealing here with providing access to external users, it is critical that we consider the need for the encryption of traffic for connections between external mobile users and the SharePoint server. Configuring SSL for the SharePoint site is similar to enabling SSL for any other Web site. A certificate must be obtained and installed on the SharePoint server. The certificate installed on the SharePoint server, and inevitably on the ISA server, can be obtained from either a certification authority (CA) on an existing internal Public Key Infrastructure (PKI) or from a publicly trusted certification authority. There will be some extra work involved to use an internal PKI, as the devices running Windows Mobile will need to establish trust to the internal root server. On the other hand, there will be some extra money involved if a certificate is obtained from a publicly trusted PKI.
As shown in Figure 19-11, ISA supports two types of SSL deployments: SSL tunneling and SSL bridging. An ISA server configured to perform SSL tunneling simply passes HTTPS information through to the Web front-end server itself. SSL bridging allows ISA to perform a stateful inspection of the traffic because the traffic is decrypted at the ISA server and re-encrypted as ISA makes the request to the SharePoint server.
Figure 19-11 ISA Server 2006 and SSL tunneling
To configure the more secure SSL bridging option, two certificates are required. One certificate will be installed on the SharePoint server and one certificate on the ISA server. The certificate installed on the SharePoint server should have a common name equal to that of the server (for example, moss1.contoso.com). The second certificate will be installed on the ISA server and should have a common name that reflects the name of the site that users are connecting to (for example, companyweb.contoso.com). It is best practice to obtain the Web server certificate used on the ISA server from a trusted public certification authority, since this is the server that users will directly query. Using a public certification authority prevents errors or warnings on the client system. For each URL that is accessed using SSL, you’ll need a separate certificate installed on the ISA server and another certificate installed on the SharePoint server. The certificate stored on the SharePoint server can be obtained from an internal certification authority if one exists. However, the ISA server needs to be configured to trust the root certificate for the PKI that issued the Web server certificate to the SharePoint server.
Before purchasing a certificate from a public certification authority, review the list of certificates in the Trusted Root Certification Authorities on the mobile devices, shown in Figure 19-12.

Figure 19-12 Trusted CAs on a mobile device
Once the certificates are in place, the ISA server can be configured with a Web listener and a publishing rule. A Web listener, as its name suggests, is an object that is created to specify a specific IP address and port to listen on. In addition, it defines the SSL requirements and the authentication mechanisms available to requesting clients that meet the outlined criteria. Web listeners can be created from the ISA toolbox.
Note Web listeners can be created during the Web Publishing wizard as well.
For providing access to SharePoint data, you will need to perform the following steps to create a Web listener:

1 Configure the Web listener to use the Require SSL Secured Connection With Clients option, as shown in Figure 19-13.
Figure 19-13 Illustration of the three available authentication methods
2 Assign an IP address to the Web listener. You can assign the entire pool of addresses from the External network or you can specify an individual IP address, as shown in Figure 19-14. If a single IP address is specified, you can provide unique certificates for each IP address.

Figure 19-14 Configuring Web listeners for a specific network
3 Select an authentication mechanism for the Web listener. Figure 19-15 shows a typical configuration for Web listener authentication when publishing SharePoint data through ISA.
Figure 19-15 Selecting an authentication mechanism
The HTML Form Authentication option shown here will allow ISA to present a default HTML form to request authentication credentials. Clients could also provide credentials to ISA via SSL client certificates, or they can use HTTP authentication types of Basic, Digest, or Windows Integrated. For situations in which no authentication is required, the Web listener can be set to allow no authentication.

Validating credentials involves determining how ISA will check the credentials provided through one of the methods mentioned in the previous paragraph. ISA provides several options including:
❑ Windows (Active Directory) Validates credentials against a Windows Active Directory domain. The ISA server must be a member of the domain.
❑ LDAP (Active Directory) Validates credentials against a Windows Active Directory domain. However, the ISA server does not have to be a member of the domain.
❑ RADIUS ISA can be configured as a RADIUS client that redirects requests to any RADIUS server specified.
❑ RADIUS OTP A RADIUS solution where password changes occur based on time or an authentication request counter, thereby creating a one-time password (OTP).
❑ RSA SecurID An integration with the RSA SecurID authentication technology.
Choosing authentication servers is required when the authentication type that is selected requires validation against another server. Figure 19-16 shows the selection of validation servers for the LDAP (Active Directory) authentication method selected in the previous step.

Using Active Directory, RADIUS, or RSA SecurID will all require the configuration of the back-end servers that will perform the validation of the user credentials.
Figure 19-16 Selecting the LDAP authentication method
Once the Web listener is created, a publishing rule can be configured. The publishing rule, as noted earlier, is the core component to making resources available to the external network. Figure 19-17 shows the ISA Tasks option for easily instantiating a wizard to walk through the publishing of a SharePoint site.
Figure 19-17 ISA Tasks options
The Publish SharePoint Sites wizard involves several steps in which you specify much of the existing configuration and how it is going to be referenced by external requests. Once you have provided a name for the new publishing rule, you will need to provide information on the infrastructure that is being published. Figure 19-18 shows the options available at the beginning of the wizard.
Figure 19-18 Publishing Wizard options
Creating the Web listener establishes the connection type that should exist between the ISA server and the clients. In our example above, we chose to use a secure SSL connection between Web listener and clients. Remember that the certificate with a common name for the Web site was added during the creation of the Web listener. This was to ensure the security of the data transmitted between the ISA server and the external client systems. However, the wizard that is used to publish the SharePoint site establishes the connection type that should exist between the ISA server and the SharePoint server hosting the site. Figure 19-19 displays the two options available for the connection type between the ISA server and the SharePoint server.
Figure 19-19 Server Connection Security page in the New SharePoint Publishing Rule Wizard
Using the SSL option to secure communication between the ISA server and the SharePoint server requires a certificate to be installed on the SharePoint server and that the ISA server trust the root CA that issued the certificate. If there are multiple SharePoint servers in a farm that is being published, the certificate must be installed on each server in the farm. It is not uncommon to use an internal Public Key Infrastructure to issue a certificate to the SharePoint server or servers. However, if this is the case, the ISA server will not have a native trust for this certificate. The ISA server will need to have the root CA certificate imported into the list of Trusted Root Certification Authorities. In a normal Internet scenario, if there is a lack of trust for a certificate, then the end user is prompted to accept the lack of trust and proceed with the request. Since this side of the publishing scenario involves two servers and no end users, there is no opportunity to accept the lack of trust. Therefore, the ISA server must be configured to trust the certificate.
Some network engineers might argue that using SSL for the communication between the ISA server and the SharePoint server is not even required. The argument for this case being that the communication between these two computers happens on a portion of the network that is not as vulnerable to attack. In situations where the ISA server is an edge firewall, a multi-homed firewall, or the back-end firewall of a back-to-back scenario, the communication with the SharePoint server all takes place over the internal corporate network. Therefore the need to use SSL to encrypt data is not as significant unless you are in a highly secured environment. The decision to make between using HTTPS or HTTP for the ISA server is based solely on the desire for additional security, since the performance hit on the Web front-end SharePoint servers is not significant.
The next step in the wizard, shown in Figure 19-20, is to provide information on the location of the internal site that needs to be proxied by the ISA server. There are a couple of important things to consider as you provide this information. The name of the internal Web site must match the common name on the certificate that was installed, if using HTTPS communication between the ISA server and the SharePoint server. The ISA server must be able to resolve the name of the internal Web site. This presents a problem in scenarios where the ISA server is not a member of the Active Directory domain and is not configured to use an internal DNS server. The wizard provides an additional text box to enter a computer name or IP address that the ISA server will be able to resolve.
Figure 19-20 Internal Publishing Details page of the New SharePoint Publishing Rule Wizard
For security measures, it is most common not to include the ISA server in the Active Directory domain unless it is the back-end firewall in a back-to-back firewall scenario. Therefore it is important to specify the IP address of the internal SharePoint server that hosts the Web site.
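The certificate requirements for SSL bridging are spread across the text above: the listener certificate names the public site and should chain to a root the mobile devices trust; the server certificate names the internal site configured in the rule and must chain to a root ISA trusts, because there is no user to click through a warning. The following Python is an added checker, not part of the chapter or of ISA Server, that tests a proposed two-certificate configuration against those requirements. Certificates are modelled as plain records with constructed names, not parsed from real X.509 data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject_cn: str
    issuer_root: str      # name of the root CA the chain terminates in
    not_after: date
    sans: tuple = ()      # dNSName subjectAltName entries, if any


def name_matches(cert: Cert, host: str) -> bool:
    """Does the certificate name this host (CN or SAN, single-label wildcard)?"""
    host = host.lower()
    for name in (cert.subject_cn.lower(), *(s.lower() for s in cert.sans)):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def check_bridging(public_name, internal_name, listener_cert, server_cert,
                   isa_trusted_roots, device_trusted_roots, today):
    """Return a list of findings; an empty list means the two-certificate
    bridging configuration meets the requirements stated in the text."""
    findings = []
    if not name_matches(listener_cert, public_name):
        findings.append(f"listener certificate '{listener_cert.subject_cn}' "
                        f"does not name the public site {public_name}")
    if listener_cert.issuer_root not in device_trusted_roots:
        findings.append(f"mobile devices do not trust '{listener_cert.issuer_root}': "
                        "install that root on every device or use a publicly trusted CA")
    if not name_matches(server_cert, internal_name):
        findings.append(f"server certificate '{server_cert.subject_cn}' does not match "
                        f"the internal site name {internal_name} configured in the rule")
    if server_cert.issuer_root not in isa_trusted_roots:
        findings.append(f"ISA does not trust '{server_cert.issuer_root}': import it into "
                        "Trusted Root Certification Authorities (no user can click through)")
    for label, cert in (("listener", listener_cert), ("server", server_cert)):
        if cert.not_after < today:
            findings.append(f"{label} certificate expired on {cert.not_after.isoformat()}")
    return findings


# Constructed sample data; CA names are placeholders, dates fixed for repeatability.
PUBLIC_ROOT = "Example Public Root CA (constructed)"
CONTOSO_ROOT = "Contoso Internal Root CA (constructed)"
LISTENER_CERT = Cert("companyweb.contoso.com", PUBLIC_ROOT, date(2008, 12, 31))
SERVER_CERT = Cert("moss1.contoso.com", CONTOSO_ROOT, date(2008, 12, 31))
DEVICE_ROOTS = frozenset({PUBLIC_ROOT})     # what the device list in Figure 19-12 would show
TODAY = date(2007, 6, 1)

if __name__ == "__main__":
    # Correct configuration: ISA has imported the internal root -> no findings.
    print(check_bridging("companyweb.contoso.com", "moss1.contoso.com", LISTENER_CERT,
                         SERVER_CERT, {PUBLIC_ROOT, CONTOSO_ROOT}, DEVICE_ROOTS, TODAY))
    # ISA never imported the internal root: the bridge fails with no prompt to accept.
    print(check_bridging("companyweb.contoso.com", "moss1.contoso.com", LISTENER_CERT,
                         SERVER_CERT, {PUBLIC_ROOT}, DEVICE_ROOTS, TODAY))
    # Rule names the server by IP address while using HTTPS to the back end.
    print(check_bridging("companyweb.contoso.com", "10.0.0.5", LISTENER_CERT,
                         SERVER_CERT, {PUBLIC_ROOT, CONTOSO_ROOT}, DEVICE_ROOTS, TODAY))
```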
Publishing a Web site by using ISA allows for defining the name of the public site that users type, as shown in Figure 19-21. An IP address can also be used; however, this is common only when name resolution methods are not available for a period of time or when testing the publishing of a site. The name that is specified must be resolvable on the Internet by having a Host (A) record created in the DNS zone database that is authoritative for your external domain.
Figure 19-21 Public Name Details page of the New SharePoint Site Publishing WizardNext in the Publish SharePoint Site wizard is the configuration of the appropriate Web lis-tener Figure 19-22 shows the option for choosing an existing Web listener or creating anew one Remember that a Web listener defines where the ISA server is listening and howauthentication occurs
Figure 19-22 Select Web Listener page in the New SharePoint Publishing Rule Wizard
Since the ISA server needs to establish a connection to the internal SharePoint server, an authentication method must be configured, shown in Figure 19-23. The easiest selection to make for authentication of the ISA server to the SharePoint server is the option for NTLM authentication. NT LAN Manager authentication, or NTLM, is supported by all systems that are Windows Server 2003 operating systems and even some earlier versions of Windows. NTLM is used, in particular, to provide authentication between two Windows Server 2003 servers that are not part of the same domain. As we have noted on several occasions, here it is common to find that the ISA server is not, in fact, part of the Active Directory domain. It is more often a stand-alone server that belongs to a workgroup.
Figure 19-23 Authentication Delegation page in the New SharePoint Site Publishing Wizard
The ISA server needs to be configured to authenticate the client to the SharePoint server in order to retrieve content for the requesting user. The wizard provides several other options including:
■ No Delegation, And Client Cannot Authenticate Directly
■ No Delegation, But Client Can Authenticate Directly
■ Basic Authentication
■ Negotiate (Kerberos/NTLM)
■ Kerberos Constrained Delegation
If the ISA server were a member of the internal Active Directory domain, it would be possible to select and configure the options that deal with Kerberos authentication. Using Kerberos for authentication requires some additional configuration steps. A service principal name (SPN) must be created to be used by the ISA server for the Kerberos authentication process. The Web server must be configured to accept Kerberos authentication and be configured to use Integrated Windows authentication in Internet Information Services (IIS).
The Kerberos Constrained Delegation option also requires that the ISA server be trusted for delegation. The Negotiate (Kerberos/NTLM) authentication option will try to use Kerberos as the first authentication method but will fall back to NTLM if and when the Kerberos authentication attempt fails.
As a true sign that this wizard is for SharePoint and not just any Web site, the next step in the wizard, shown in Figure 19-24, requires the acknowledgement that Alternate Access Mappings have been configured on the SharePoint server. Remember that Alternate Access Mappings allow the SharePoint site to be referenced by using multiple URLs.
Figure 19-24 Alternate Access Mappings in the New SharePoint Site Publishing Wizard
The integration of ISA Server with SharePoint is undisputed when a dedicated wizard exists and that wizard requests information particular to the SharePoint deployment.
The final step in publishing a SharePoint site to the Internet is to define the user set that this rule is applied to. Any SharePoint group can be added and removed at will. For situations in which not all users should have access to the published data, user-created groups can be used.
Note Any changes to the ISA Server 2006 firewall policy or the system policy require you to click the Apply button to complete the changes.
After completing the Publish SharePoint Site Wizard, the rule will be displayed in the Firewall Policy list.
Configuring Windows Mobile Devices to Access SharePoint
Once the SharePoint server and ISA server have been configured appropriately, there are some final configurations that need to be done on both the Windows Mobile devices and the infrastructure in general.
Windows SharePoint Services 3.0 has included a new default feature that creates a site URL specifically for mobile devices. As shown in Figure 19-24, the mobile URL is the same as the default URL with the /m characters added to the end.
Figure 19-25 Mobile URL with the /m switch appended
If the ISA server was configured to use SSL to encrypt data transfers between clients and server using a certificate from an internal certification authority (CA), the clients should be configured to trust the root CA. The root CA certificate can be imported into the Trusted Root Certification Authorities list on each client. Without trusting the certificate, clients will consistently receive the warning message shown in Figure 19-26. If the certificate used by ISA was obtained from a certificate authority listed by default on the Trusted Root Certification Authorities list of the Windows Mobile clients, then no further configuration will be necessary and no warning messages will appear.
Figure 19-26 Certificate warning message in a mobile device
Once the user proceeds through the warning, if displayed, she will be presented with a logon form that is created automatically by the ISA server, shown in Figure 19-27. The form is presented when HTML form authentication is selected. The user is required to supply a username in the form of domain\user (for example, contoso\jlew) and the accompanying password. The ISA server, as configured, will forward the user credentials to an authentication server. Once the credentials are validated, the user will be presented with the reformatted page. Once on the page with the mobile device orientation, users can view and edit SharePoint lists.
Figure 19-27 Logon screen for mobile users
Summary
The ability of SharePoint Server 2007 to deliver data on demand to mobile devices while maintaining a secure communication stream is a powerful tool for today’s telecommuters, remote workers, outside sales force, and much more. Couple the power of SharePoint Server 2007 and its data on demand with the Microsoft Exchange Server 2007 features of e-mail on demand, and the entire staff can be within reach of anything and everything that your typical and even atypical business day can throw at you.
Chapter 20
Excel Services and Building Business Intelligence Solutions
Understanding Excel Services Components 692
Configuring Excel Services 693
Publishing Workbooks to Excel Services 696
Working with Spreadsheets Through Excel Web Access 700
Using Excel Services in Dashboards 705
Configuring Security 707
Performance Considerations 710
Accessing Data from Other Sources 717
Summary 720
Excel Services are a key component in the Microsoft Business Intelligence strategy, which involves delivering key information, in real time, to the right audience, and in the format they can most easily work with. One of the challenges in complex organizations is the need to aggregate and display mission-critical information about the business pipeline, the figures that help decision makers understand where the organization is succeeding in its stated objectives and where it is falling behind. Much of that information is often maintained in Microsoft Office Excel workbooks that are continuously updated by the information workers responsible for day-to-day operations in the organization.
The strength of Excel has always been the flexibility it gives users to create a data repository quickly and easily and to implement sophisticated data processing, charting, and analysis without the lengthy effort required to build a full-scale database application. The downside of the ease that Excel offers is that much of this data becomes spread throughout the organization in a disaggregated state, with no effective means to tie these workbooks into database-driven decision support systems.
Excel Services gives you the ability to integrate Excel workbooks into your information management architecture by consolidating them in common document libraries and publishing the spreadsheets, charts, and graphs on your SharePoint sites. Data can be combined with data from other databases and back-end systems and summarized into key performance indicators to give decision makers an “at-a-glance” view of the status of a project or business area.
It has always been possible to upload an Excel workbook to a Microsoft Windows SharePoint Services document library to make it available to others. However, users who wanted to view the data had to have Excel installed on their local machine and download the entire workbook to their system to open it. Excel Services will render the spreadsheet into HTML for display in a Web Part or in a full-screen browser, and you can control what parts of the spreadsheet users have access to. Only files produced in Office Excel 2007 can be submitted to Excel Services for rendering on the server, and only two file formats specifically are supported: XLSX and XLSB.
Understanding Excel Services Components
Excel Services consists of both the underlying services running on the server and a set of Web Parts that are used to display them. In this section, you will look at each of the major components of Excel Services.
Excel Calculation Services
The Excel Calculation Services component is responsible for loading workbooks from Trusted File Locations, executing the calculations in the worksheet cells, and refreshing references to external data. Executing a calculation in a spreadsheet within Excel Calculation Services on the server produces exactly the same results as the same formulas executed in the Excel 2007 client. Excel Calculation Services manages security of the calculations in the workbooks, ensuring that no unauthorized external data source is called during recalculation. Excel Calculation Services is an application role that can be run on a separate server from the Web front-end components and can be load-balanced across multiple servers. The Excel Calculation Services component also manages caching of data related to workbooks for improved performance. The data cached includes the sheets and graphs, as well as the state of ongoing calculations and the results from external data queries.
Excel Web Access
Excel Web Access is the feature set that allows Excel 2007 workbooks to be rendered as HTML in a Web browser. Excel Web Access enables users to load entire workbooks in the browser and interact with them in much the same way as they could inside Excel, short of saving any changes to them. Excel Web Access requires no client installation beyond the browser and does not download any code to the user’s workstation. The Excel Web Access Web Part is a standard Web Part that can be placed on any Web Part page and used to render all or part of an Excel workbook stored in a Trusted File Location.
Excel Web Services
Excel Web Services is the component of Excel Services that supports programmatic access to Excel workbooks stored on the server. Developers can write code to pass parameters to workbooks, refresh calculations, and retrieve results through Excel Web Services. This functionality allows organizations to remotely call server-side logic stored in workbooks in SharePoint for use in other applications without having to port or rewrite the code.
Excel Calculation Service Proxy
The Excel Calculation Service Proxy is responsible for coordinating requests for calculations from the Excel Web Access and Excel Web Services components to the Excel Calculation Services component. On a single-server machine, this is a simple hand-off operation. In a multiserver farm, the Excel Calculation Service Proxy is also responsible for load balancing requests between Microsoft Office SharePoint Server 2007 servers running the Excel Calculation Services component.
The Report Center Template
The Report Center template is the starting point for business intelligence portals in Office Server 2007. It provides a ready-to-use layout for organizing workbooks, reports, scorecards, data connections, and dashboards. A site based on the Report Center template can store multiple different sets of data focusing on distinct aspects of the organization or it can focus on displaying the progress results toward one specific goal.
Configuring Excel Services
Excel Services is installed as part of SharePoint Server 2007 but is not enabled by default. To make use of Excel Services, a few additional steps are required to configure it in a SharePoint Server 2007 installation.
To configure Excel Services, you must first install an instance of SharePoint Server 2007 in either the Complete or Web Server mode. Once it is installed, you need to create a Shared Services Provider (SSP). Excel Services is a shared service that is available only from an SSP. There are two parts to configuring Excel Services. First you need to enable Excel Services and then you need to configure a trusted connection.
More Info For details on configuring an SSP, see Chapter 18, “Administrating Shared Services Providers.”
Enabling Excel Services
Excel Services are not enabled in a default installation of SharePoint Server 2007, so the first step is to enable the service on at least one server in the farm. In a server farm with one Web front-end server and one application server, you can enable the service on either server with the objective of using the server with the least load on it currently. If you have multiple Web front-end servers, best practice is to enable Excel Services on a separate application server that is available to all Web front-end servers. You can enable Excel Services on multiple servers in the farm to enhance redundancy and scalability. For instructions on how to do this, see the section “Scaling Excel Services.” To enable Excel Services, follow these steps:
1. Open SharePoint 3.0 Central Administration.
2. Click the Operations tab.
3. Click Services On Server.
4. If the Status of Excel Calculation Services is Stopped, click the Start link to the right.
Configuring a Trusted Connection
Excel Services can only process data in workbooks that are stored in specifically authorized locations, known as Trusted File Locations. A Trusted File Location can be either a Windows SharePoint Services document library, a URL to an Excel file, or a path to a file in a shared folder. Controlling which locations Excel Services will recognize and render data from allows administrators to control who has permission to both publish and view Excel workbooks through Excel Services. For Windows SharePoint Services sites, you must create a new Trusted File Location for each document library by completing the following steps:
1. In Central Administration, on the left menu bar, under Shared Services Administration, click the link for the Shared Services Provider you are using for your Web application.
2. Under Excel Services Management, click Manage Trusted File Locations.
3. Click Add Trusted File Location.
4. On the Add Trusted File Location page, type the URL of the file location as follows (see Figure 20-1):
❑ For Windows SharePoint Services: Type the full URL to a specific document library, for example: http://mossserver1/sites/wsssite/doclib.
❑ For UNC: Type the path to an Excel file stored in a shared folder, for example: \\server1\sharedfolder.
❑ For HTTP: Type the HTTP address to an Excel file stored on a Web site, for example: http://webserver1/virtualdir.
Selecting the HTTP location type when referring to a document library, or vice versa, will cause the Excel Calculation Services request to fail. When loading a workbook from a Windows SharePoint Services site, permission checks are handled by impersonating the user account making the request, which cannot be done for UNC shares or HTTP Web sites.
Figure 20-1 Add Trusted File Location
5. If the location you entered contains subfolders, they will not be trusted automatically. To specify that subfolders also be trusted, select the Children Trusted check box.
6. Under the External Data section, select the Allow External Data option if the spreadsheets you will be publishing have links to external data sources. External data sources include queries to databases through Office Data Connection (ODC) connections, which are supported by Excel Services only if this option is selected. Unless you select this option, you won’t be able to use these data sources.
7. Click OK to add the Trusted File Location.
Real World Planning Trusted File Locations
When planning your Excel Services architecture, you need to decide how many Trusted File Locations to create within your farm. This is a complex question that can involve several possible approaches. Let’s take a look at two possible approaches adopted by fictional companies.
A Small Organization
An organization with 300 users decided that their information needs were fairly specific and only a few users would be editing and publishing workbooks to the server. They concluded that they would need only one Trusted File Location for their intranet portal and sites. The decision was based partly on their interest in including the address to the Trusted File Location library in their training materials so that everyone who needed the feature would know where to go.
A Large Organization
An organization with several thousand users examined the same problem and came up with a different strategy. They realized that they would have several groups using Excel Services for different purposes and that one size would not fit all. One department in the organization wanted to be able to put all its workbooks on the server and view any of them through the Web browser. For this group, a document library was configured so that everyone in the department had Edit permissions, but the maximum workbook size that Excel Calculation Services would process was set to 7 MB to reduce the overhead on the server. A different department had a limited set of relatively complex workbooks that generated cost projections for the department quarterly. At present, the department tracks large amounts of data in these workbooks, but it is considering moving the data into a back-end database and performing some of the calculations using User Defined Functions. For this group, a document library was configured with only a few users with Edit permissions, but which allowed workbooks up to 20 MB and allowed connections in trusted data connection libraries and user-defined functions.
Publishing Workbooks to Excel Services
Making an Excel workbook available through Excel Services begins with uploading an Excel 2007 workbook to a document library on a SharePoint Server 2007 site. You can upload an existing Excel workbook or create a new one directly within the document library. Any of the standard techniques for interacting with a document library will work to store an Excel file on the server, such as uploading it through the Web site or through the Explorer View. However, to take advantage of specific features of Excel Services, such as controlling which worksheets are visible and which cells can receive input, you must use the Publish feature within Excel 2007. None of the other methods of making an Excel 2007 workbook available through Excel Services (for example, storing it in a file share or non-SharePoint Web site) will provide support for restricting the visibility of sheets and defining input parameters.
To publish a workbook to Excel Services, follow these steps:
1. Open and edit the file in Excel 2007.
2. From the File menu, point to Publish and select Excel Services.
3. For the Save As Type, select either Excel Workbook (.xlsx) or Excel Binary Workbook (.xlsb).
4. In the File Name box, type the full URL path to the document library along with the file name of the document, for example, http://contoso.msft/sitedirectory/sales/forecasts/Q12007.xlsx.
5. Click Excel Services Options as shown in Figure 20-2.
Figure 20-2 Publish Excel Workbook—Save As Dialog
6. If you want to hide any parts of the workbook, complete the following actions: On the Show tab, click the drop-down list and select either Sheets or Items In The Workbook. Then clear the check boxes for items that should remain hidden from viewers.
7. If you want to allow users to input new values into the spreadsheet at run time, complete the following actions: On the Parameters tab, click Add, and then choose the parameter cells.
Note To use parameters, you must define named cells that can be updated with new values.
Publishing an Excel 2007 workbook stores it in a SharePoint Server 2007 document library, which allows you to take advantage of the document management features built into document libraries, such as version control, workflows, and life-cycle management, including information management policies and auditing. Users can publish workbooks to any document library for which they have Add permissions, but they will not be able to view the workbook through Web Access until you enable it as a Trusted File Location.
Note Some organizations use the Workbook Sharing feature to allow multiple users to edit a spreadsheet simultaneously. If this feature is enabled in the file, Excel Services will not load or process it.
Limiting the Area That Can Be Viewed
One of the controls that can be placed on a workbook when it is uploaded to the server is to limit which parts of the workbook can be viewed by users in the Web browser. Although Excel Services loads and processes the entire spreadsheet when a user requests to view it, the author can specify which parts of the workbook are visible and which parts are hidden. Excel 2007 provides three options for controlling the visible area of the workbook:
■ Entire Workbook: The default option is to display all items.
■ Sheets: You can select specific sheets to display, but you cannot limit which items on each sheet are available.
■ Items In The Workbook: You can select from a list of named ranges, charts, tables, pivot tables, and pivot charts. In this case, you need to assign names to these objects before saving the workbook to the server.
None of these options affect the ability to view and edit items in a workbook when it is opened in Excel 2007, only when it is viewed through the Web browser. If the workbook contains many sheets of supporting data and calculations or charts that show different presentations of the results, you can choose to hide the parts of the workbook that are not relevant to the viewer. Any time you want to edit the workbook, you can open it directly in Excel 2007 and have full access to all the sheets and objects.
Defining Parameters
Excel Web Access renders workbook data in a read-only view, which allows users to navigate between the spreadsheet tabs but not edit any of the cells. You can enable selective user input to the workbook by naming specific cells and then identifying those cells as Parameters during the publishing process. To assign a name to a cell, right-click the cell in the workbook and select Name A Range. The dialog box shown in Figure 20-3 appears. Enter a meaningful name and a description that explains the purpose of the parameter.
Figure 20-3 The New Name dialog box for defining parameters
Each parameter is a single value that can be changed by the user and will be updated in the workbook when the user applies the change. The changed value is preserved only for the individual session that the user is participating in, and all parameter changes are discarded when the user’s session ends. Likewise, the parameters entered by one user are not visible to other users and do not affect the calculations in other users’ sessions. You add and remove cells as parameters on the Parameters tab of the Excel Services Options dialog box, as shown in Figure 20-4.
Figure 20-4 The Parameters tab
Note It is a good idea to use clear and easily understood names for the cells that will be used as parameters because the cell name appears as the parameter name in the Web browser.
There are certain requirements for a cell to be used as a parameter:
■ The parameter can refer only to a single cell.
■ The cell must be a named “cell.”
■ The cell cannot contain a formula.
■ The cell cannot be in a pivot table, table, or chart.
A powerful aspect of the parameter feature is that a user can update a parameter even if the cell falls in a part of the workbook that is not marked as visible. Although the user might not be able to see the cell that is affected, the results of calculations linked to that cell value might be visible. This allows you to hide the underlying data set that produces results while still allowing users to update key values.
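As an added example that is not from the book or from Excel Services itself, the following Python script applies the parameter requirements above to the defined names in an Excel 2007 workbook by reading the .xlsx XML parts (xl/workbook.xml, the worksheet parts and any table parts) directly. It checks the single-cell, no-formula and not-in-a-table rules; by assumption it does not inspect pivot tables or charts, and the sample workbook parts are constructed inline rather than taken from a real file.

```python
"""Added example (not code from the book): test whether the defined names in an
Excel 2007 workbook satisfy the Excel Services parameter rules by reading the
.xlsx XML parts directly.  Rules checked: single cell, no formula, not inside
a table.  Pivot tables and charts are not inspected (stated limitation)."""
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
R_ID = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}id"
# A1 reference to exactly one cell, e.g. Forecast!$B$2 or 'My Sheet'!A1
SINGLE_CELL = re.compile(r"^'?(?P<sheet>[^'!]+)'?!\$?(?P<col>[A-Z]{1,3})\$?(?P<row>\d+)$")


def col_to_num(col):
    """Column letters to a 1-based index: A -> 1, Z -> 26, AA -> 27."""
    n = 0
    for ch in col:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n


def in_range(col, row, ref):
    """True if cell (col, row) lies inside an A1 range such as 'D2:E10'."""
    first, _, last = ref.partition(":")
    c1, r1 = re.match(r"([A-Z]+)(\d+)", first).groups()
    c2, r2 = re.match(r"([A-Z]+)(\d+)", last or first).groups()
    return col_to_num(c1) <= col_to_num(col) <= col_to_num(c2) and int(r1) <= row <= int(r2)


def check_parameters(workbook_xml, sheets_xml, table_refs):
    """workbook_xml: text of xl/workbook.xml; sheets_xml: {sheet name: sheet XML};
    table_refs: {sheet name: [A1 ranges covered by tables on that sheet]}.
    Returns {defined name: [violated rules]}; an empty list means usable."""
    results = {}
    for dn in ET.fromstring(workbook_xml).findall("m:definedNames/m:definedName", NS):
        name, ref = dn.get("name"), (dn.text or "").strip()
        m = SINGLE_CELL.match(ref)
        if not m:                      # a range or a constant, not one cell
            results[name] = ["refers to a range, not a single cell"]
            continue
        sheet, col, row = m.group("sheet"), m.group("col"), int(m.group("row"))
        problems = []
        if sheet in sheets_xml:        # formula cells carry an <f> child element
            cell = ET.fromstring(sheets_xml[sheet]).find(
                f"m:sheetData/m:row/m:c[@r='{col}{row}']", NS)
            if cell is not None and cell.find("m:f", NS) is not None:
                problems.append("cell contains a formula")
        if any(in_range(col, row, r) for r in table_refs.get(sheet, [])):
            problems.append("cell is inside a table")
        results[name] = problems
    return results


def load_xlsx(path):
    """Pull the parts check_parameters needs out of a real .xlsx (a zip archive)."""
    with zipfile.ZipFile(path) as z:
        wb_xml = z.read("xl/workbook.xml").decode("utf-8")
        rels = {r.get("Id"): r.get("Target") for r in
                ET.fromstring(z.read("xl/_rels/workbook.xml.rels")).iter(REL_NS + "Relationship")}
        sheets, tables = {}, {}
        for s in ET.fromstring(wb_xml).findall("m:sheets/m:sheet", NS):
            target = rels[s.get(R_ID)]              # relative or package-absolute part name
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            sheets[s.get("name")] = z.read(part).decode("utf-8")
            # tables attached to a sheet are listed in the sheet's own .rels part
            rel_part = part.replace("worksheets/", "worksheets/_rels/") + ".rels"
            if rel_part in z.namelist():
                for r in ET.fromstring(z.read(rel_part)).iter(REL_NS + "Relationship"):
                    if r.get("Type", "").endswith("/table"):
                        t = ET.fromstring(z.read("xl/tables/" + r.get("Target").split("/")[-1]))
                        tables.setdefault(s.get("name"), []).append(t.get("ref"))
    return wb_xml, sheets, tables


# Constructed sample parts (not from a real file): four defined names on one sheet.
SAMPLE_WORKBOOK = """<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
<definedNames>
<definedName name="GrowthRate">Forecast!$B$2</definedName>
<definedName name="Total">Forecast!$B$5</definedName>
<definedName name="Region">Forecast!$D$3</definedName>
<definedName name="Inputs">Forecast!$B$2:$B$4</definedName>
</definedNames></workbook>"""
SAMPLE_SHEET = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
<sheetData>
<row r="2"><c r="B2"><v>0.05</v></c></row>
<row r="3"><c r="D3" t="s"><v>0</v></c></row>
<row r="5"><c r="B5"><f>SUM(B2:B4)</f><v>0.15</v></c></row>
</sheetData></worksheet>"""
SAMPLE_TABLES = {"Forecast": ["D2:E10"]}   # an Excel table covers cell D3

if __name__ == "__main__":
    report = check_parameters(SAMPLE_WORKBOOK, {"Forecast": SAMPLE_SHEET}, SAMPLE_TABLES)
    for name, problems in report.items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

For a real workbook, call check_parameters(*load_xlsx("path/to/book.xlsx")) before publishing; only names that come back with an empty list should be offered on the Parameters tab.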
Working with Spreadsheets Through Excel Web Access
Excel Web Access allows users to interact with workbooks in two ways: opening a workbook so that it is completely rendered in the browser, and viewing a portion of a workbook within an Excel Web Access Web Part. All the features of Excel Web Access are available in both views, and the difference is primarily related to whether the data being displayed is important in the context of other indicators in the site or is self-contained within the workbook.
Viewing a Spreadsheet in the Browser
In some cases, the very power of Excel workbooks has become an encumbrance to users. In the past, large workbooks with complex calculations became difficult to use because they took time to load and the external link updating and formula recalculations had to be re-run by every user who opened the file. Sometimes a user only wanted to view a single chart or the results of one calculation. At other times, the user wasn’t sure whether the workbook contained the information he was looking for, but he had to take the time to open it to find out.
When a workbook is published to Excel Services, you can configure the default settings of the document library so that a user can simply click the link to the file in the document library and SharePoint Server 2007 will redirect the user to a full-browser view of the workbook.
To specify that opening a file in the Web browser is the default action that occurs when a user clicks the link in a document library, modify the document library settings as follows:
1. Open the Document Library Settings page.
2. Click Advanced Settings.
3. Under Browser-Enabled Documents, click Display As Web Page and then click OK.
Alternatively, a user can select View In Web Browser from the document context menu, as shown in Figure 20-5.
Figure 20-5 Viewing in a browser
This is different from the traditional method of opening an Excel file from a Web server, where the file is downloaded to the browser and Excel is loaded in place to provide the rendering. With Excel Web Access, Excel Services handles the processing and rendering of the workbook and returns only HTML to the Web browser. That means that large spreadsheets do not have to download to your workstation for you to be able to view them. Any sheets or objects that were hidden during the publishing process will be unavailable, and a parameters pane will appear to allow input of values into parameter cells.
Note Although you can view and interact with workbooks through the Web browser, you cannot edit them directly. To modify a workbook, you need to edit it in Excel 2007.
Commands Available Within the Browser
You will find that you are able to navigate around the workbook, changing sheets and scrolling to view cells or charts, in much the same way as in the Excel client. This section covers the following commands; however, other commands are also available within the browser:
■ Open
■ Open Snapshot
■ Reload Workbook
■ Refresh Selected Connection
■ Refresh All Connections
work-on the server and cannot be saved directly back to the server
Open Snapshot in Excel 2007
A “snapshot” is a read-only copy of an Excel file produced by Excel Services for users who do not have the right to open the full spreadsheet. Use the Open Snapshot In Excel 2007 command to display the data and results from formula calculations, as processed by Excel Services, but not the formulas themselves. Only sheets and graphs that were made available in the workbook when it was uploaded are rendered in the snapshot. Excel Services generates the snapshot by opening the file on the server, requerying external data sources, recalculating cell values, and outputting the values and formats to the browser.