Solved SharePoint reverse proxy replacement for MS ForeFront UAG
-
The one contact we have is a sales guy, don't think I want him joining over here. Probably you would be looking at the VLM-200 which we got a quote for $1800 US direct from Kemp, plus whatever it was for maintenance.
-
How are you accessing SharePoint without user CALs?
-
@Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:
How are you accessing SharePoint without user CALs?
I have plenty of CALs, but they are for Srv2008R2 (+SharePoint 2010 and a SQL Server Core Edition). Microsofts WAP requires 2012R2 or newer.
-
@jt1001001 said in SharePoint reverse proxy replacement for MS ForeFront UAG:
The one contact we have is a sales guy, don't think I want him joining over here. Probably you would be looking at the VLM-200 which we got a quote for $1800 US direct from Kemp, plus whatever it was for maintenance.
Ok, thx for asking.
-
Deployed the free KEMP LoadMaster virtual appliance today, works pretty well.
There are some issues with permitted groups in the SSO settings, probably related to caching or session variables/cookies. What I didn't find was a way to upload a separated CA chain cert, guess I need to build a cert with a full chain included.
Another issue is related to Kerberos. You need to setup an AD user that holds the appliances FQDN in the NT username field - doesn't fit in my case, because my FQDN alone is 17 chars and the field can just hold 20 chars for historic reasons. Fallback was using basic auth against SP, which is not great but OK because my SP is internally and externally on SSL only.
I'll try this setup for a few weeks, the restricted bandwidth could just be enough. Thx @jt1001001
-
Are you splitting your internet connection so that only traffic for the SP are going through the proxy?
-
@Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:
Are you splitting your internet connection so that only traffic for the SP are going through the proxy?
Splitting? SP is on one of the local nets, the proxy in a DMZ with a IP in my public subnet
-
@thwr said in SharePoint reverse proxy replacement for MS ForeFront UAG:
@Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:
Are you splitting your internet connection so that only traffic for the SP are going through the proxy?
Splitting? SP is on one of the local nets, the proxy in a DMZ with a IP in my public subnet
So this new thing you put into place filters/proxies the whole network to the internet?
-
@Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:
@thwr said in SharePoint reverse proxy replacement for MS ForeFront UAG:
@Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:
Are you splitting your internet connection so that only traffic for the SP are going through the proxy?
Splitting? SP is on one of the local nets, the proxy in a DMZ with a IP in my public subnet
So this new thing you put into place filters/proxies the whole network to the internet?
Just inbound traffic to SP. Outbound is something different. Think of that like on-site hosting in a completely separated network
-
@thwr said in SharePoint reverse proxy replacement for MS ForeFront UAG:
@Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:
@thwr said in SharePoint reverse proxy replacement for MS ForeFront UAG:
@Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:
Are you splitting your internet connection so that only traffic for the SP are going through the proxy?
Splitting? SP is on one of the local nets, the proxy in a DMZ with a IP in my public subnet
So this new thing you put into place filters/proxies the whole network to the internet?
Just inbound traffic to SP. Outbound is something different. Think of that like on-site hosting in a completely separated network
Or maybe like this: A reverse UTM. I'm not protecting any internal clients from malicious traffic, I'm protecting my SharePoint frontend servers. Filtering/IPS (SNORT) will be in place soon, yes.
-
@thwr or anyone else that has used Kemp.
Have any of you tried to work with Let's Encrypt here? Their forums seem unhelpful. The unit has to decrypt and reencrypt the traffic in order to process the headers at L7.
It is easy enough to load my cert into the unit, but I do not want to have to do it manually every 2 months.
-
@JaredBusch no just Godaddy certs so far. You probably found the same blog posts I did:
http://blog.ganser.com/automate-lets-encrypt-certificate-renew-and-deployment-to-kemp-loadbalancer/ -
@jt1001001 said in SharePoint reverse proxy replacement for MS ForeFront UAG:
@JaredBusch no just Godaddy certs so far. You probably found the same blog posts I did:
http://blog.ganser.com/automate-lets-encrypt-certificate-renew-and-deployment-to-kemp-loadbalancer/I did not find that one, and it is exactly the right thing.
I can update my cron to call a script instead of certbot renew and then have it use the Kemp API to push the cert after a renew.
So now on to setting up multiple certs per virtual service. read a post that I couldn't. if I can't this gets harder too.
Because LE on IIS still is not pretty.