
Getting ISA and your Sharepoint Online Gallery to play nice . . .

Ok, this has been a little pain in my backside ever since last October . . .   You load up SBS Standard, customize the companyweb main page with a couple web parts from the Online Gallery and everything is just peachy . . .


That is until you throw in your Premium Technologies CD and load ISA.  Now your web parts aren’t working – so you decide that you’re going to try adding them again.  Nice try – when you try browsing the Online Gallery, you either get a message that the gallery doesn’t exist, or that it doesn’t contain any web parts.  Right – they were all there a few minutes ago . . . Take ISA out of the mix and voila! – the online gallery / web parts work as expected.


The official response from MS is to edit your web.config file for the Sharepoint site to include proxy information.  This is fine & dandy – but it doesn’t work.  Why?  Because the reason this isn’t working in the first place is that ISA is denying the requests due to an authentication failure (check your ISA web proxy logs and you’ll see a 12209 error after you edit your web.config file to point to ISA’s proxy) – and there’s no way (that I’ve found at least) to provide user credentials for the proxy service in the web.config file . . .


Ok, so I’ve tried the usual suspects – I disabled required authentication for outbound web requests, edited the HTTP redirector filter to forward requests from SecureNAT & Firewall clients directly to the requested web server instead of the web proxy service, and it still fails.  I have a hunch on why this is – but haven’t taken the time to research it in depth and get proof.  I’m thinking the root of the issue is that WSS and ISA are on the same machine.  I’m guessing that if we had WSS on a member server behind ISA, we could get it to work either by having the firewall client running & editing the web.config file to use the proxy, or by configuring the member server as a SecureNAT client and tweaking the HTTP Redirector Filter as mentioned above.  Since WSS is running on the ISA server, it isn’t a Firewall or SecureNAT client (its default gateway is set to either your router or ISP’s gateway – not the ISA server itself).


So – just how in the Sam – Freakin – Hell do you get this to work?  A packet filter young grasshopper – a packet filter.  Open ISA Management and expand Servers & Arrays | | Access Policy | IP Packet Filters.  Create a new packet filter that allows outbound HTTP traffic (TCP | Local : All Ports | Remote : Fixed 80).  VOILA!  You can access your Online Gallery, and the web parts even work!  :^)


Now, it is very important to note that there is a security consideration to this workaround.  Allowing this packet filter allows any app running on your server to go out on port 80 without providing user information.  However, the traffic will still be logged in your ISA IP packet filter log.  Assuming you make sure to leave IE configured to use the proxy and keep the locked down secure settings, limit browsing from your server as much as possible and follow general security guidelines, you shouldn’t have any problems.  To put this in perspective, this workaround simply tweaks your SBS so that outbound traffic on port 80 acts just like it would on SBS Standard.  All other traffic (inbound / outbound) is still subject to the more stringent ISA policies.
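
Since the packet filter lets any process on the server reach port 80, the packet filter log is where that traffic can be reviewed. The following is an added example, not part of the original post: it assumes the log is available in W3C extended format with a `#Fields:` header, and the column names, IP addresses and expected-destination list are constructed placeholders to adjust to your own log.

```python
from collections import Counter

# Constructed sample log. Column names are assumptions: match them to the
# #Fields line of your own packet filter log. The last record is truncated.
SAMPLE_LOG = """\
#Fields: date time source-ip destination-ip protocol source-port dest-port action
2004-06-01 09:14:02 203.0.113.10 192.0.2.80 Tcp 3051 80 allowed
2004-06-01 09:14:05 203.0.113.10 192.0.2.80 Tcp 3052 80 allowed
2004-06-01 09:20:41 203.0.113.10 198.51.100.7 Tcp 3060 80 allowed
2004-06-01 09:20:44 203.0.113.10 198.51.100.7 Tcp 3061 80 allowed
2004-06-01 09:21:10 203.0.113.10 198.51.100.9 Tcp 3062 443 allowed
2004-06-01 09:22:00 198.51.100.200 203.0.113.10 Tcp 4100 80 allowed
2004-06-01 09:23:17 203.0.113.10 198.51.100.7 Tcp 3063 80
"""

SERVER_IPS = {"203.0.113.10"}   # external address of the SBS box (constructed)
EXPECTED = {"192.0.2.80"}       # destinations you expect, e.g. the gallery host


def parse_w3c(log_text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated records
                yield dict(zip(fields, values))


def unexpected_http(log_text, server_ips, expected_dests):
    """Count TCP/80 connections that originate on the server itself and go
    to a destination that is not on the expected list."""
    hits = Counter()
    for rec in parse_w3c(log_text):
        if (rec.get("source-ip") in server_ips
                and rec.get("protocol", "").lower() == "tcp"
                and rec.get("dest-port") == "80"
                and rec.get("destination-ip") not in expected_dests):
            hits[rec["destination-ip"]] += 1
    return hits


if __name__ == "__main__":
    for dest, count in unexpected_http(SAMPLE_LOG, SERVER_IPS, EXPECTED).most_common():
        print(f"{dest}\t{count} unexpected outbound HTTP connection(s)")
```
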

6 Comments

  1. Edward Lee

    You’ve just come very close to helping me solve a problem that I’ve been struggling with for quite some time. In addition to Companyweb on my SBS server, I’ve got a second server on my LAN running SharePoint Portal Server 2003. Neither had been able to access the online gallery. I followed your advice above, and the Online Gallery started working for Companyweb.

    Any thoughts on what I might do to get this working with the second server?

    Thanks,

    Ed Lee

  2. Chad Gross

    Hi Ed –

    Try this – in ISA, create a Client Address Set that includes the IP of the member server running SPS. Now create a new Protocol Rule that allows HTTP traffic for the Client Address Set you just created. Next, edit the HTTP Redirector Filter to forward web requests from SecureNAT clients directly to the requested web server instead of the web proxy service. Last, make sure that ISA isn’t requiring authentication for outbound web requests.

  3. Edward Lee

    You are a genius Chad!!!

    I was able to get this to work by following your suggestions above (except that I did not need to configure the HTTP Redirector Filter to redirect web proxy service). I’m not quite sure what this means?

    Did I open much of a security hole by creating the HTTP protocol rule?

    Want to take a shot at another odd problem I’m having? Whenever I restart the SBS server, I lose access to my SharePoint portal over the Internet (works fine internally). Restarting MS ISA Server Control and associated services clears up the problem.

    Thanks again!!!

    Ed Lee

  4. Hollis D Paul [ Outlook MVP ]

    It’s not a real return URL, but you can guess from my MVP speciality.

    I have my SPS2003 server on a member server of a SBS2003 Premium tech domain/network. ISA 2000 is in place. I had the destination of an XML webpart in the Trusted site group. I have a destination set, with IP rule in place. It still would not connect. I found an article in the SPS help file entitled "Managing WebParts" that said to add the proxy parameters and the cache parameters to the web.config file. I set the cache parameter to None, and set the proxy parameter according to my system, and Voila!, the XML webpart pulled the RSS syndication feed, and Sig’s XSLT formatted it nicely on the page.

    My beef, aside from the proxy parameters not being put automatically into the web.config file, is that the sharepoint experts did not suggest this and that an SBS MVP provided the first clue, and another pointed to your blog entry.

  5. Frank

    I tried what is recommended but still cannot view the online gallery. Any ideas?

  6. Chad

    Hi Frank – If you’ve created the packet filter as mentioned on your SBS, verify that you have not set proxy info in the web.config file.
