Much of the information that you might need to troubleshoot issues is contained in "Appendix A: Known Issues," earlier in this paper.
In general, it is best to adopt a sequential approach to troubleshooting difficulties you might encounter when publishing SharePoint Portal Server deployments behind an ISA Server computer or any proxy server. You should ensure that the SharePoint Portal Server deployment is operating correctly and that it can be successfully accessed from the corporate intranet before attempting to publish it by means of a proxy server. With respect to the scenarios addressed by this paper, this includes ensuring that:
- You can successfully access the portal site by using Basic authentication.
- The proper SSL certificates are installed on the SharePoint Portal Server deployment and on the external ISA Server computer.
- You can successfully access the portal site over SSL, using the internal FQDN URL.
- The default URL for the portal site that you are publishing is correctly configured.
- The proxy server settings for SharePoint Portal Server search are correctly configured.
- Your SharePoint Portal Server deployment is crawling portal content without errors.
If any of the above steps are not validated prior to publishing the portal site behind any proxy server, there is little chance of success. Although you might actually publish the portal site and be able to access it, if each of the above steps have not been validated in sequence, you might have a portal site for which search does not work.
The scenarios in this paper include a sequential approach to testing all of the above steps before the final steps of ISA Server Web publishing. If you follow this sequential approach in your deployment, you can successfully publish your portal sites behind ISA Server or any proxy server.
SSL Configuration Issues
There are many references to SSL configuration throughout this paper that you should read and understand so that you can successfully configure SSL for your SharePoint Portal Server deployment.
One particularly prevalent SSL-related error when attempting to access a SharePoint Portal Server deployment published behind an ISA Server is a browser error page containing the following error text:
500 Internal Server Error - The target principal name is incorrect. (-2146893022)
For information about the cause of and steps required to correct this issue, see article 328917, "You receive a 'The target principal name is incorrect' error message when you connect to a Web site that was published by using ISA Server 2000 Web publishing," in the Knowledge Base.
Note that the information in this article pertains to both ISA Server 2000 and ISA Server 2004.
You might encounter an authentication problem when attempting to initially browse to a portal site that you have published using either ISA Server 2000 or ISA Server 2004. You might get prompted for authentication credentials repeatedly and never successfully get to the home page of the portal site. This is usually because of an incorrectly configured ISA Server. The scenarios in this paper include the following ISA Server configuration instructions:
For ISA Server 2004:
- In the step for configuring the ISA Server 2000 computer to listen for incoming requests, select the Ask unauthenticated users for identification check box.
- In the step for verifying that the Web publishing rule properties are correct, select the Allow delegation of basic authentication credentials check box.
- In the step for creating a secure Web server publishing rule, select the Require all users to authenticate check box when configuring the Web listener properties.
- In the step for verifying that the secure Web server publishing rule properties are correct, select the Forward Basic authentication credentials (Basic delegation) check box.
If you follow step 1 but do not follow step 2 for either version of ISA Server, ISA Server requires users to authenticate on the domain before it sends a request to the published portal site. However, when ISA Server then sends that request, the authentication information provided will not be sent to the published portal site. This leads to a situation in which no users can successfully access the published portal site. To avoid this problem, ensure that you follow both steps. You must ensure that the listener authenticates users and that the Web publishing rule forwards those credentials to the published portal site.
Note Forwarding credentials only works with Basic authentication. You cannot forward credentials for any other authentication method supported by either ISA Server 2000 or ISA Server 2004.
For information about troubleshooting ISA Server 2000 Web publishing, see "ISA Server Feature Pack: Troubleshooting Web Publishing on ISA Server".
For information about troubleshooting ISA Server 2004 Web publishing, see Publishing Web Servers Using ISA Server 2004.