Advanced Extranet Support
Published: May 2010
Microsoft SharePoint Foundation provides an object model for creating and managing incoming and outgoing URLs in cases in which a reverse proxy server must be implemented between the client computer and the Web server that is running SharePoint Foundation. An incoming URL is the URL of a request when it reaches the Web server that is running SharePoint Foundation. SharePoint Foundation determines this URL by examining the application layer protocol (HTTP or HTTPS), the host header in the HTTP packet, and the destination port of the TCP packet. An outgoing URL is the base absolute URL that SharePoint Foundation uses in the links that it generates on the pages that it returns to the user.
A reverse proxy configuration may be required, for instance, when the same SharePoint site must be available both internally, within a corporation or organization, and externally, to an extranet or the Internet. In such a case, two servers share the same content, and the reverse proxy applies only to the externally facing server. The internally facing server is directly accessible by HTTP; the externally facing server can be reached only by a Secure Sockets Layer (SSL) request to the reverse proxy server.
Advanced extranet support addresses the following reverse proxy configurations:
SSL Termination — The user accesses a SharePoint site by specifying https as the protocol in the URL. A reverse proxy server receives the SSL request, converts it into an HTTP request (http), and forwards the converted request to the server that is running SharePoint Foundation.
Host Header Modification — An application that generates a Web request includes a header in the request called the host header. The HTTP host header identifies the host that the user entered in the URL. In this configuration, the user accesses a SharePoint site using a URL such as http://www.example.com, where the host is www.example.com. A reverse proxy server receives the request, changes the host header to the internal name of the server that is running SharePoint Foundation, such as sharepoint.internal.example.com, and then forwards the request to this server.
Port Translation — The user accesses a SharePoint site by using a particular port number, such as 80 for HTTP requests. A reverse proxy server receives the request and forwards it to the server that is running SharePoint Foundation on a different port, such as 1234.
In each of these cases, the reverse proxy server modifies the original request URL to become a different URL. Before advanced extranet support was added, SharePoint Foundation assumed that the incoming URL it received was the original request URL. It used that incoming URL as the absolute URL in the links that it generated on the pages that it returned to the user, which would be the wrong URL for the user. Advanced extranet support makes it possible for SharePoint Foundation to use a different protocol, host name, and port number in the links it generates on the pages that it returns to the user.
A reverse proxy server receives a request for a particular URL from the client computer; the proxy server then remaps the request to a different URL for the Web server that is running SharePoint Foundation. For example, the proxy server may receive a request such as https://www.example.com/sites/Site/default.aspx but forward the request to the Web server as http://nn.nn.nnn.nn/sites/Site/default.aspx. With the advanced extranet support, SharePoint Foundation can be customized to return the same original URL base (for example, https://www.example.com) in all links on its pages.
Advanced extranet support applies only to content Web applications and not to the SharePoint Central Administration Web site or Web application.
SharePoint Foundation examines the packets it receives from the proxy server and isolates the protocol, host name, and port number parts of the request or incoming URL. It then uses two tables to determine the correct base of the URL to return: one table maps each incoming URL to a particular zone, and the other table maps each zone to a particular outgoing URL. SharePoint Foundation rewrites the URLs shown on its pages by using the outgoing base URL that it finds through the tables.
Zones map incoming URLs that SharePoint Foundation receives from the proxy server to outgoing URLs that it uses in the links it generates on the pages it returns to the user. Five zones per virtual server represent the various ways of accessing a SharePoint site: Intranet, Internet, Extranet, Custom, and Default. Although each zone can have any number of incoming URLs, each zone can have only one outgoing URL.
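The two-table lookup described above, modelled in Python as an added example; it is not SharePoint code and not part of the original page. The class and function names, the sample mappings, and the choice to reject an unmapped incoming URL are assumptions made for illustration; the host names and port 1234 come from the page's own examples.

```python
from urllib.parse import urlsplit

ZONES = ("Intranet", "Internet", "Extranet", "Custom", "Default")
DEFAULT_PORTS = {"http": 80, "https": 443}

def base_key(url):
    """Reduce a URL to the (protocol, host, port) triple used for the lookup."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme]

class ZoneMap:
    """Model of the two tables: incoming URL -> zone, zone -> outgoing URL."""
    def __init__(self):
        self.incoming_to_zone = {}   # any number of incoming URLs per zone
        self.zone_to_outgoing = {}   # only one outgoing URL per zone

    def set_outgoing(self, zone, url):
        if zone not in ZONES:
            raise ValueError(f"unknown zone: {zone}")
        self.zone_to_outgoing[zone] = url.rstrip("/")

    def add_incoming(self, url, zone):
        if zone not in self.zone_to_outgoing:
            raise ValueError(f"zone {zone} has no outgoing URL")
        self.incoming_to_zone[base_key(url)] = zone

    def outgoing_link(self, scheme, host_header, dest_port, path):
        """Build the absolute link for a request as the web server sees it."""
        # Strip an optional ":port" from the host header (host names only).
        key = (scheme.lower(), host_header.split(":")[0].lower(), dest_port)
        zone = self.incoming_to_zone.get(key)
        if zone is None:
            # Model's choice: never build links from an unmapped host header.
            raise LookupError(f"no zone mapped for incoming URL {key}")
        return self.zone_to_outgoing[zone] + path

def build_sample_map():
    """Constructed mappings for the page's example hosts."""
    m = ZoneMap()
    m.set_outgoing("Default", "http://sharepoint.internal.example.com")
    m.set_outgoing("Internet", "https://www.example.com")
    m.add_incoming("http://sharepoint.internal.example.com", "Default")
    # What the proxy forwards after SSL termination, host rewrite, port 1234.
    m.add_incoming("http://sharepoint.internal.example.com:1234", "Internet")
    return m
```

The incoming keys are the URLs as they arrive after the proxy has rewritten them, so the Internet zone is selected by the translated port even though the user originally typed https://www.example.com.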
The following types of the Microsoft.SharePoint.Administration namespace provide ways to create and manage alternate request URLs on a virtual server:
SharePoint Foundation allows you to define managed paths for explicit inclusion or wildcard inclusion. For administrative guidance about defining managed paths and about using reverse proxy servers, see Plan alternate access mappings (Office SharePoint Server).