Thursday 13 January 2011

SharePoint 2010 and Threat Management Gateway 2010 Alternate Access Mappings

Because I couldn’t find any clear blog post about how to configure AAM in SharePoint 2010 together with, in this case, TMG 2010, I hope this one can help some other people.


Above is a simplified overview of the infrastructure.

  • SHP01 is the SharePoint 2010 Application Server
  • DC01 is the domain controller for the corp.local domain and also the DNS server for corp.local
  • TMG01 is the Threat Management Gateway 2010 server acting as a firewall between the internal corp.local network and the WWW
  • Client01 is just an internal client
  • Client02 is just a client at someone's home location connected to the WWW

The story is that people working at the office location where SHP01 is hosted like to use the URL http://biportal.corp.local to access the SharePoint sites from client01. The people at the home location like to access the SharePoint sites from client02 using the URL

First I created an A host record biportal.corp.local in the DNS pointing to the IP address of the SHP01 server.

Then I configured a SharePoint 2010 web application using the URL http://biportal.corp.local: (I also created the bindings (host header) on the web application in IIS after the web application was created)

And left the public URL as generated.


When now looking at the alternate access mappings you will see:

I started to configure TMG using the SharePoint Site Publishing rule wizard. For now I will give you some screenshots of the most important configuration items:

The To address is the DNS record address that points to the SHP01 server. On the From tab the Anywhere location is used. This is done when you follow the wizard.

On the Traffic tab I made sure that only HTTPS requests are allowed.


The Public Name tab specifies that only requests for this address are handled by this TMG firewall rule.


Also a listener is configured, accepting only SSL connections.

For authentication an HTML form is used; this means that when users try to open the SharePoint site by using they will get a TMG web form to log in.



The next step was adding an alternate access mapping for the home users:

Seems to be okay, or not? The internal users can do everything on the SharePoint sites using http://biportal.corp.local and the home users can do their work using But then some more advanced users started working from home and the helpdesk started to receive messages like:

  • User: I’m redirected to an error page but it is not displayed; instead it displays a DNS error, could not find host.
  • Helpdesk: Okay sir, what is the URL in your browser?
  • User: http://biportal.corp.local/_layout/……
  • Hey, that’s strange, we will have a look!

Another user was not able to edit list entries in the Datasheet view; he would get an error like: "The Access Web Datasheet is attempting to retrieve data from a different domain.  You will be redirected to an error page. Contact your system administrator to resolve this error."

So what is causing this?

A URL can be used only once in AAM, and http://biportal.corp.local is already used for your internal network, and now you try to use it a second time in the TMG publishing configuration. This is my interpretation of the text on{72C1C85B-1D2D-4A4A-90DE-CA74A7808184}&pID=795 Mistake #3.

So we need to change something.

  1. Add a new A host record to your DNS; I chose publicbiportal.corp.local
  2. Add a new Internal URL alternate access mapping in the same zone as the URL, which should result in:
  3. Change the bindings on the IIS web application to also use publicbiportal.corp.local as host header.
  4. Then we need to change the SharePoint publishing rule in TMG 2010: biportal.corp.local is changed to publicbiportal.corp.local

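The fix steps above scripted for SHP01, as an added example that is not from the original post. It assumes the SharePoint and WebAdministration PowerShell modules are available on SHP01, that dnscmd can reach DC01, and that the IIS site name, the server IP address, the zone name and the external URL placeholder are constructed values you replace with your own. The last function checks the AAM table for the mistake the post describes: an incoming URL used twice, or a TMG target that does not map to the external public URL.

```powershell
# Added example: script the four fix steps and verify the AAM table afterwards.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$WebApp      = "http://biportal.corp.local"          # existing web application (Default zone)
$TmgInternal = "http://publicbiportal.corp.local"    # new internal URL that only TMG forwards to
$ExternalUrl = "https://<external-public-url>"       # PLACEHOLDER: the URL the home users type
$Zone        = "Internet"                            # assumption: the zone that holds $ExternalUrl
$IisSite     = "SharePoint - biportal.corp.local80"  # assumption: name of the IIS site
$Shp01Ip     = "10.0.0.10"                           # constructed: IP address of SHP01

# 1. New A record on DC01 (dnscmd is part of the DNS Server tools)
dnscmd DC01 /RecordAdd corp.local publicbiportal A $Shp01Ip

# 2. Public URL for the zone (if it is not there yet) plus the internal URL TMG forwards to
$existing = Get-SPAlternateURL -WebApplication $WebApp
if (-not ($existing | Where-Object { $_.IncomingUrl -eq $ExternalUrl })) {
    New-SPAlternateURL -WebApplication $WebApp -Url $ExternalUrl -Zone $Zone | Out-Null
}
New-SPAlternateURL -WebApplication $WebApp -Url $TmgInternal -Zone $Zone -Internal | Out-Null

# 3. Extra host header so IIS answers requests for the TMG To address
New-WebBinding -Name $IisSite -Protocol http -Port 80 -HostHeader "publicbiportal.corp.local"

# 4. Change the To address of the TMG publishing rule to publicbiportal.corp.local (done in
#    the TMG console), then verify the mapping SharePoint will apply to TMG traffic.
function Test-AamForTmg {
    param([string]$WebApp, [string]$TmgTo, [string]$PublicName)
    $aam   = Get-SPAlternateURL -WebApplication $WebApp
    $dupes = $aam | Group-Object IncomingUrl | Where-Object { $_.Count -gt 1 }
    if ($dupes) { return "Duplicate incoming URL(s): $($dupes.Name -join ', ')" }
    $entry = $aam | Where-Object { $_.IncomingUrl -eq $TmgTo }
    if (-not $entry) { return "TMG To address $TmgTo is not an AAM incoming URL" }
    # Wrong public URL here is what produced the http://biportal.corp.local/_layouts redirects
    if ($entry.PublicUrl -ne $PublicName) { return "$TmgTo maps to $($entry.PublicUrl), expected $PublicName" }
    return "OK: $TmgTo -> $PublicName ($($entry.Zone) zone)"
}
Test-AamForTmg -WebApp $WebApp -TmgTo $TmgInternal -PublicName $ExternalUrl
```
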
If everything is correct we are finished and can access the SharePoint site from client01 using the URL http://biportal.corp.local

When we try to open http://publicbiportal.corp.local from client01 we should be able to open the SharePoint site but are redirected to what is correct!

From client02 at home we can use to access the SharePoint site! No errors occur anymore and I can use the Datasheet view to edit list entries without the error mentioned earlier about retrieving data from a different domain.

Could we do something else to make life easier? I did think about always using the server address for the web application when creating it. In the above case this means using shp01.corp.local as host header and http://shp01.corp.local as public URL when configuring the web application. Then we could use biportal.corp.local and for the alternate access mappings and the TMG configuration. However, most of my SharePoint environments don’t consist of just one web application. Think of mysite.corp.local and a specific projects.corp.local site. Then we already can’t use shp01.corp.local any more because it is already in use.

As a last example, where I want the biportal, projects and mysite web applications, I end up with:

If I missed something or you have a better solution, please let me know! Comments are welcome.

1 comment:

Ronald said

Hi Arjan, Thanks for the write up! Is it kinda common to use http internally? I normally try to go for the same URLs internally and externally.