There are quite a few situations where you want your SharePoint Web Application available to different sets of users, using different web addresses. For example, our internal users may use http://XYZ to access our web application, but our external clients may have to enter https://secure.xyz.com
SharePoint allows you to assign up to five different "end-user addresses" for each of your Web Applications. These "end-user addresses" are ones that people will type into their browser to access your site. SharePoint uses a feature called Alternate Access Mapping (AAM) to make sure that the web application is available through different addresses while still ensuring that the links in the page sent back to the user are formatted correctly.
For a standard, non-SharePoint web site, this is relatively easy. Microsoft's IIS web server allows an administrator to specify as many addresses as they want for a single web site. These are called "host headers". If you are careful and make sure that all the internal links in your standard web site are written without a domain (e.g. /contactus.aspx), then the end user will always get the correct links based on the address they have used to access the website.
So why doesn't SharePoint work the same way? Well, part of the reason is that there are some scenarios where SharePoint will receive requests using one address, but it needs to translate these to another address before sending the final page to the end user. More on this later.
The end result is that IIS is responsible for accepting the page requests and passing them to SharePoint. It is then SharePoint's job to figure out which Web Application on the server farm the user is trying to access, and what "end user address" it should use when creating the output page.
So this is where Alternate Access Mapping comes into play. However, I got to say, it must be one of the most confusing user interfaces in the whole Central Administration. Even the Search Managed Properties is easier to figure out than this one. Here is my attempt to explain its workings. There is also a great set of MSDN blog articles from Troy Starr, and some screen webcasts from Bob Fox
What I have been referring to as "end user addresses" SharePoint calls Public Zone URLs. We have five different zones:
- Default
- Intranet
- Extranet
- Custom
- Internet
They all work the same way, the names just reflect common uses, feel free to use each one as you please. The Default zone is set up for you when you create the Web Application. This zone is given the address that you specified during the "Create Web Application" process. It's up to you to set up the remaining four if you need them.
The easiest way to set these up is to use Edit Public Zone URLs from the Central Administration - Operations - Alternate Access Mapping page:
You need to make sure that you have the correct Alternate Access Mapping Collection specified at the top of the page. This is the Web Application that we want to configure "end user addresses" for. You might find the term "Public URLs" confusing. This does not mean that these are URLs that will be available outside your firewall. It refers to the URLs that your end-users will use to access your site. Some of these may be available outside your firewall, others will only be available internally.
In my example above, I am going to make my Web Application available on all five possible zones. The default name may reflect the machine that my web application is running on. My internal users will go to http://Intranet, but when they are out of the office they will use https://secure.xyz.com. Finally, I will allow clients to access certain information on the same web application at http://extranet.xyz.com
Once we click Save, SharePoint creates one entry in the AAM for each of our Public URLs. I would also update my IIS configuration at this stage to include host headers in my web site for each of these addresses.
But what does the Internal URL section of the table refer to? And how come it is identical to the Public URL? For me, it would have been better if Internal URLs were called Incoming URLs and Public URL was called Out-Going. Basically what happens is that SharePoint looks at the request for a page that it receives from IIS to determine which Public URL to use when creating the final page for the user.
For our example above, this is very straight-forward. If one of our road-warrior salespeople accesses https://secure.xyz.com from their browser, SharePoint will know that they are in the Custom zone, so any URLs on the page that refer to the web application should use the prefix of https://secure.xyz.com on the page it sends to the user. So simple, it almost sounds useless.
However, there are situations when the request that SharePoint receives does not match the address that the user entered. For example, we may have a Reverse Proxy server (such as Microsoft ISA 2006) that receives all the page requests from our external users and then forwards them to our server farm using the SharePoint server name. In this case, we want our our Internal URL to be something like http://AppServer01 but we still want the page sent to the user to use https://secure.xyz.com for any links to other content on the Web Application.
To configure this we use the Add Internal URLs button. This will allow us to specify another address that SharePoint should listen on for requests for our Web Application. By setting the zone to Custom we let SharePoint know what format we want the Web Application links written as.
This will create a 6th entry on our Alternate Access Mapping Collection. Note that we now have two entries for the Custom zone, both with different Internal URLs. We can add as many Internal URLs as we need for each of the zones. However, each Internal URL must be unique across the collection - otherwise SharePoint would not know which Public URL to use to generate the page for the end user.
In our example above, we might think of getting rid of the Custom Zone entry that defines http://secure.xyz.com as a valid Internal URL. After all, SharePoint will never receive requests directly with this URL (only our Proxy Server will). However, this is one of the quirks of the AAM interface - you must have an entry where the Internal and Public URL match. If you do delete this entry, then SharePoint will assign the Default Zone URL to the remaining Custom entry. Just accept that they need to be there.
If you haven't defined a Public URL for one of the zones, you can either use the Edit Public URLs or the Add Internal URLs button to configure it. Confusing, but the end result is the same - a new entry set up in your Web Application's AAM Collection that uses the same URL for both the internal and Public URL.
Similarly, when you use the Edit Public URLs screen to clear one of the Zones, SharePoint will remove the entry from the Collection that uses the same Internal and External URL. If there are any other entries in the collection for that Zone, SharePoint will reconfigure it to use the the Default Public URL.
Finally, here's a graphic to illustrate what is happening. Each zone can have many Internal URLs. SharePoint translates these to the appropriate Public URL based on the Web Application's AAM settings.
28 comments:
Thanks for sharing your insight, it is all much clearer now. One thing, when you say "I would also update my IIS configuration at this stage to include host headers in my web site for each of these addresses", could you please specify a bit? On my sharepoint server there is nothing I can do with the IIS manager. Thanks! Robert Sjursen, Developer
Hi Robert,
I've seen two approaches to doing IIS updates. One involves adding a host header to an existing IIS web site. Another uses Central Administration to create a new IIS website and associate it with an existing SharePoint site.
I prefer the first method, but I am unaware of any advantage in using one way over the other.
To do this in IIS, right-click on the web site -> properties -> Web Site tab. Then click Advanced and add a new entry for each additional address you want your website available on.
I've just gone round and round trying to get the crawl to work (2436 warnings in the event log). It was finally fixed using AAM. MS Tech support gave me this link to better understand how it works.
This is the clearest expanation I've come across so far, but I'm still puzzled by one part. You said "The default name may reflect the machine that my web application is running on."
If I have multiple web front ends, which machine is the web application running on?
I guess I'm getting hung up on when I would use this and when I would extend an existing web application onto another IIS Web site.
Great article. Thanks!
I was assuming a single server implementation when giving my example of what the different zones would point to.
If I did have a number of web front-end servers in my farm then I could still use a machine name to be able to access the site via that specific machine.
Alternatively if I have a number of front-end servers I should configure a load balancer and set up a DNS entry. My default zone may then point to the load balanced name.
Think about the different points along the way that your incoming traffic is going to stop to ask direction:
1. Your reverse proxy server handling external traffic - "Where can I find https://secure.xyz.com?".
"Take a left and head to the load-balancer called http://clustered.intranet"
2. Your load balancer decides which machine in the cluster is least busy and hands the request to IIS on that machine
3. IIS takes the request for http://clustered.intranet and decides which of the websites set up on that machine should handle it (by checking their host headers)
4. Assuming that IIS handed the request to a site using SharePoint site, the Web Appplication now checks its AAM to see if it recognizes it. This also tells it what format it should use for generating the URLs on the page it will hand back
When you extend a web application in SharePoint, you are basically updating the AAM information. Behind the scenes SharePoint will create a new IIS Web Site on each of your front-end servers.
"When you extend a web application in SharePoint, you are basically updating the AAM information. Behind the scenes SharePoint will create a new IIS Web Site on each of your front-end servers."
Except that when I create a web application, or add a new front end, it automatically does that anyway (creates the new IIS web site).
The only way extending made any sense to me was that extending an existing web application onto an existing IIS site DIDN'T seem to add that existing IIS web site to the other front ends automatically. I just can't understand when that would be useful as it appears to be the same thing as adding an AAM that points to a specific server.
Ivan,
What is the easiest way to redirect from one Sharepoint Site to another? We are migrating sites from an old sharepoint server to a new one and we want to start redirecting the users automatically to the new URL
Redirecting users to the new URL? This will depend on how you are going about it.
If you are moving a whole web application from one server farm to another, then I would suggest updating the URL in your DNS servers to point to the new server.
If you are moving site collections from one web application to another, you could use a redirection web part. These are not too difficult to write, but Bamboo Solutions already have one (disclaimer: my company is a Bamboo Solutions partner)
Hi,
I have 2 front-end servers in 2 different locations. The content databases are hosted in the locations where they would be most uses so content will be pulled locally.
How do I make requests for sharepoint in one location go to the server in that location? Thus pulling content from the database in that location.
Thanks.
Hi Ivan and others.
I have a question and a problem:)
I am publishing sharepoint to the internet and everything is ok with the access mappings, works great as https://sharepoint but i have to put our intranet website (drupal or some other CMS) that is on another server and i do that by adding it with the view page web part. Now that works ok when accessing sharepoint from the intranet but when from internet it can't show the page in sharepoint. The feature map to external resources maybe the hint but have no idea how to use that thing. Any help how to enable the web site from the other server to be accessed through sharepoint.
I am using ISA 2006 and MOSS07.
Regards
babylonsr
Great Post! Wish I had this when I was figuring out AAM.
I am trying to figure out how to redirect requests from http://domainanme.com to http://www.domainname.com
without creating a separate IIS website.
I already had a public url in AAM for http://www.domainname.com and after reading your article I created another one for http://domainanme.com.
This seems to work, but my concern is how this will effect Search Engine Optimization. Won't the search engines see http://domainanme.com and http://www.domainanme.com as two different sites even though they are pointing at the same IIS website?
I realize this is more of an SEO question, but thought maybe someone had run into this same situation before.
Thanks,
John
Very good article. Thank you for taking the time to include those of us with a Single Server Farm.
Question: I named my internet Web site using the same name as my Windows Domain. When I NSlookup www.domain.com , I get the IIS server's Ip address; but when I Nslookup domain.com I just get the IP address of my DNS server, not my WEB site. Can AAM fix this problem and how would I procede?
Great article. I have a default site and created two AAM - one intranet for windows authentication and one extranet for forms authentication. I have some custom .net web apps coexising with Sharepoint, and I can access them from the default URL but not the two AAM urls. I can find nothing on why this is.
Hello:
I have an FBA site using SSL published at port 8448 (dedicated SSL, not wildcard. I had to use a different port (8448) than 443 for since 443 is already using a wildcard SSL)
Internal URL Zone Public URL for the Zone
http://site1.company1.com Default http://site1.company1.com
https://site1.company1.com:9443 Internet https://site1.company1.com:9443
I have the site https://site1.company1.com:9443 published through ISA Server (reverse proxy) to the external world as https://site1.company1.com.
External users access the site using the URL https://site1.company1.com and ISA in reverse proxy configuration connects it to
https://site1.company1.com:9443.
Everything works fine except the following
-- URLs in Search Results still appears as https://site1.company1.com:9443
-- If I click on view properties for a document in the document library, I get page not found since the URL its using is https://site1.company1.com:9443
-- same case with view/edit properties, version histoty etc. for all lists.
Please help
Thanks in Advance
-Jeff
Hi,
We have the following requirement:-
There is a SharePoint web application with the site-collection created at the root. This web application needs to be accessed by users in the US and the users in the Europe, through intranet and internet as well, using different URLs respectively. Users will use different URLs for accessing the same web application based on the location. For example: -
Internal users in the US will use http://abc.com
Internet users in the US will use http://www.abc-internet.com
Internal users in the Europe will use http://xyz.com
Internet users in the Europe will use http://www.xyz-internet.com
I would like to know how can the above scenario be achieved using the alternate access mapping. Any prompt suggestions on this is appreciated. Thanks in advance.
Thanks for article. I have a problem. I have a site which is running on PORT 80 and its default site name is "reporter:80". In AAM I have assigned default URL to "http://myOwnSite.com" and also assign the same name in my IIS host header against that site which is my DNS alias as well. But when access that site it prompt for login / Password instead of taking me inside the site with logged in credential. Please suggest
Hi Subrata Das,
Chances are your web browser is configured to not pass your username and password to the site.
This is because Internet Explorer considers sites with names like http://myownsite.com to be part of the "Internet Zone". Where-as your old site name of http://reporter:80 would have been categorized as part of the "Intranet Zone".
Basically Internet Explorer uses a tighter set of permissions in the "Internet Zone". This includes not automatically passing your username and password.
To get around this, update your browser so that it knows that http://myownsite.com is really an Intranet site.
You can do this from Tools - Internet Options - Security - Local Intranet. Then click the Sites button and add your URL.
Your browser's status bar will show you what Zone settings IE is using for the site you are currently on.
You can use Group Policy to update these settings across all users in an organisation
Hi,
We had a unique problem in our sharepoint web app. Ours is internet facing site with anonymous access and for some reasons our client is not accepting AAM entry. They want to live with only DNS entry. But when we are not using AAM for our web application and our .Net session objects are becoming null. We use couple of session objects in our webpart coding. Do you have any clue about the relation between the way session is handled in sharepoint and AAM
Hello,
I think this article is nailing exactly what I need to get out of the corner I put my public site into. Basically we are setup on one domain and have a public site using that domain address. We also have www.url2.com that was just developed and made public. However, now I cannot login to it using the username@url1.com domain (which is our only domain). Would adding an internal URL to the AAM to map the public www.url2.com to internal url2.url1.com work to get login access back? Please let me know what you think.
Hi csteacy,
What happens when you try to access your www.URL2.com site? Do you get prompted for a username/password? Is the home page available to anonymous browsing?
If you are being prompted, or even if you can view pages enabled for anonymous access, then AAM is not the source of your problems.
Is the www.url2.com web application on the same SharePoint server as www.url1.com?
You may also want to check your permiter network to make sure that it is allowing the necessary traffic through to SharePoint
Thank you very much for your response. When trying to access the www.url2.com site, once I click on the Sign In link..I then get the login box. The homepage and the rest of the site is setup for anonymous browsing and is working for internal and external traffic.
The www.url2.com application is on the same server as www.url1.com application and each have been given an IP address and hosted on port 80.
The primary users/administrators are setup on both url1 and url2 as users of url1 domain. We only have one domain setup on the network.
Thank you for your time looking at this issue.
Hi Ian
Great post, thank you.
Easy question, though:
We have sharepoint (WSS 3) site http://server1 as Intranet, and customer's site http://server1/Company.
Main site http://server1 is published as public FQDN http://www.company.com via AAM mapping in WSS. But we need actually publish the Customer's site, i.e. when http://www.company.com should be diverted to the http://server1/Company. Main site http://server1 has to be inaccessible for Internet access.
How can we achieve that without hard-coding tricks?
Dima
Hi CSteacy
I don't think AAM is your problem. I assume that when you try to log in from www.url2.com the credentials are not accepted?
If this is the case, I would suggest looking at your IIS logs and Windows Event logs to see if you can find any clues. Also check on any firewalls that you are publishing the www.url2.com site through.
Is www.url1.com also available externally? If external log ons are working for this site, then it would indicate that your network is probably fine.
Another suggestion is to compare the IIS configuration of your two web sites to see if you can find any differences
Good luck!
Hi Dima,
From what I understand, you are trying to automatically redirect users from the home site to a specific subsite.
I am assuming that the sub-site that you want to redirect the user to will depend on their company.
This isn't something that SharePoint provides out of the box. However, it isn't hard to do, but does require some coding experience.
Adam Buenz has built one that uses AD properties to determine where to send the user. You can read about it and download the component here
Awesome article!
AAM is causing me a very odd problem. We have a farm set up with two WFEs. I've put my site on HTTP port 8084, with host headers of site.foo.com.
We have a load balancer that accepts requests to https://site.foo.com, strips the SSL, and forwards it to one of the two WFEs as http://site.foo.com:8084. The WFEs correctly pick this up and feed the pages back to a browser.
The problem comes when I apply AAM to adjust the URLs sent back. I set them up as:
http://sharepoint:8084 Default http://sharepoint:8084
https://site.foo.com Internet https://site.foo.com
http://site.foo.com:8084 Internet https://site.foo.com
THis all works beautifully - EXCEPT for one small feature. One of the contextual search scopes that WSS automatically generates (This List) is missing from the scopes dropdown if you come in through the load balancer on the HTTPS URL. If you hit a list page directly using the http://sharepoint:8084 URL, the scope appears correctly. The other contextual search scope (This Site) appears no matter which URL I use, and works as expected.
I've played with every configuration I can think of, and have no luck making this search work with AAM. Any suggestions/ideas are most welcome.
Hi Ivan: Great Article: wonder if you could answer my question
Our sharepoint wfes are loadbalanced and have web applications configured to pass through this device >
http://thissite.test.com :
WE then added a rule to the loadbalancer to redirect all the requests to this url to
https://thissite.test.com
MOst of the backend functions work but a large number of UI functions dont.
So, I updated the AAM mappings to add https://thissite.test.com to the custom zone.
Still fails. My question is :
Given our existing web app, do i need to reconfigure this app as follows
http://myapp.test.com:8080 and then extend it to http://thissite.test.com ? BIt confused .. could you help ?
Ivan, you are the man. In other words, you ROCK. Call me retarded, but your post made everthing clear about AAM which was so baffling before I came across your succinct, yet eloquent post. Thanks man.
Your fan...
Kris
In client system, AAM site (Internal URL) is prompting username and password in Internet Explorer. It is working fine with Mozila. Operating system Windows server 2008/ Sharepoint server 2007 with SP2 / IE8.
1.This Internal URL is working fine other systems IE
2.Other Internal URL is working fine in this system via IE
Steps Checked:
1.Internal URL added into Trusted sites
2.In security user authentication selected as custom level – Automatically logon with current user name and password.
3. In IIS site authentication anonymous authentication is disabled.
This is happens due to any updates, Can anyone pls help me …
Hi Ivan,
Sub:Cannot access PWA site (WSS 3.0) through Internet
Hi,
My set-up is I have installed everything - SQL, IIS, PS2K7 and WSS 3.0 on
the same server. The name of my Server / Computer name is say e.g. ABCDE-PS.
B4 i go ahead please be informed that I do not have a registered DNS Name or ISA server.
I have a registered ip address say for e.g. 60.0.0.1. I have a ADSL router
which has been configured with the ip address 60.0.0.1. I have setup the
router to port forward to a wireless router (ip address 192.168.1.1) for a separate LAN which in turn is port forwarding to the static ip 192.168.1.199, which is my Project Server 2007 ABCDE-PS.
My Project Server ABCDE-PS is on the same wireless LAN as mentioned above. When I access the Project server with the URL http://ABCDE-PS/PWA ...it works absolutely fine.
But When I access the server through internet outside the company using url - http://60.0.0.1/pwa /default.aspx , it asks for User id and pwd. After
entering the user id and pwd i get an error :
'Go back to site
Error
An unexpected error has occured
Trouble shoot issues with Windows SharePoint Services'.
Here I did not understand the meaning of unexpected error......???
So I close the IE and again select the same URL and press enter now it gives me an error
'Access Denied
You do not have permissions to perform this action or access this resource'
Please help...What do I have to do ....What settings should I check up.
Thanks in Advance.
Post a Comment