Ever wanted to publish SharePoint 2010 externally and found it difficult to understand, and even harder to find good documentation for? I've worked on this particular issue several times in the past few months, so I thought it was time to put fingers to keyboard and provide a few tips.
These notes cover publishing SharePoint 2010 with either ISA 2006 or Forefront TMG.
Before you begin:
Commonly your internal SharePoint farm will be accessed over HTTP whilst external access is via HTTPS.
In this example I will use the following configuration:
SharePoint URL: http://sharepoint.domain.local
MySites URL: http://mysites.domain.local
Wildcard digital certificate: *.internetdomain.com
Two external DNS records pointing to the same external IP address on the ISA server:
• sharepoint.internetdomain.com
• mysites.internetdomain.com
SharePoint Steps:
1. Extend the SharePoint and MySites web applications (in Central Admin) into the Internet zone, using the external HTTPS name as the public URL.
2. Install your digital certificate (and its root certificate) on the Web Front End server, in the computer's Personal certificate store, so that IIS can select it.
3. Using PowerShell (the SharePoint 2010 Management Shell), add two Alternate Access Mappings (AAMs) for the Internet zone, the internal name as an internal URL and the external name as the public URL:
- New-SPAlternateURL -Url https://sharepoint.domain.local -WebApplication http://sharepoint.domain.local -Zone Internet -Internal
- New-SPAlternateURL -Url https://sharepoint.internetdomain.com -WebApplication http://sharepoint.domain.local -Zone Internet
- Get-SPAlternateURL -WebApplication http://sharepoint.domain.local lists the AAMs so you can check the result. If extending the web application already registered the public URL, the second command reports that the mapping exists and can be skipped. Repeat the same commands for the MySites web application.
4. In IIS, edit the bindings on the extended web application: add an HTTPS binding on port 443 and select the certificate installed above. Once done, remove the HTTP binding that SharePoint created on port 443; it isn't needed, and leaving it would accept unencrypted requests on that port.
5. Make sure the new sites have started; an IISReset may be required.
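The five SharePoint steps above as one script, written for this page as an added example (it is not code from the original post). It goes slightly beyond the text by doing the Central Admin extension with New-SPWebApplicationExtension rather than by hand, which also registers the external name as the zone's public URL, so only the internal URL needs a separate AAM. The IIS site names "SharePoint - Internet" and "MySites - Internet", the certificate subject "CN=*.internetdomain.com" and the use of a single SSL binding on 0.0.0.0:443 are assumptions; the URLs are the example names from the post. Run it as a farm administrator in the SharePoint 2010 Management Shell on the Web Front End after the certificate (with its private key) has been imported into the computer's Personal store.

```powershell
# Added example for the SharePoint steps above; not code from the original post.
# Assumed: IIS site names, certificate subject, and a single SSL binding on 0.0.0.0:443.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$certSubject = "CN=*.internetdomain.com"   # subject of the wildcard certificate from step 2
$apps = @(
    @{ Internal = "http://sharepoint.domain.local"; External = "https://sharepoint.internetdomain.com"; Name = "SharePoint - Internet" },
    @{ Internal = "http://mysites.domain.local";    External = "https://mysites.internetdomain.com";    Name = "MySites - Internet" }
)

# Step 2 check: locate the installed certificate by subject instead of pasting a thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject.StartsWith($certSubject) -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert -eq $null) { throw "Certificate $certSubject with a private key was not found in LocalMachine\My" }

foreach ($app in $apps) {
    $externalHost = ([System.Uri]$app.External).Host
    $internalHost = ([System.Uri]$app.Internal).Host

    # Step 1: extend the web application into the Internet zone. -Url becomes the
    # zone's public URL, so the external name does not need its own AAM afterwards.
    New-SPWebApplicationExtension -Identity $app.Internal -Name $app.Name -Zone Internet `
        -Url $app.External -Port 443 -HostHeader $externalHost -SecureSocketsLayer

    # Step 3: add the internal HTTPS name as an internal URL of the same zone.
    New-SPAlternateURL -Url "https://$internalHost" -WebApplication $app.Internal -Zone Internet -Internal

    # Step 4: the extended IIS site must listen on 443 with HTTPS only. Drop any
    # HTTP binding SharePoint left on 443 and add the HTTPS binding if it is missing.
    Get-WebBinding -Name $app.Name -Protocol http -Port 443 | Remove-WebBinding
    if (-not (Get-WebBinding -Name $app.Name -Protocol https -Port 443)) {
        New-WebBinding -Name $app.Name -Protocol https -Port 443 -HostHeader $externalHost
    }
}

# One certificate binding on the IP:port serves both host-header sites, because the
# certificate is a wildcard for the whole domain (assumed layout).
if (-not (Test-Path IIS:\SslBindings\0.0.0.0!443)) {
    New-Item IIS:\SslBindings\0.0.0.0!443 -Value $cert | Out-Null
}

# Step 5: restart IIS and print the resulting mappings for checking.
iisreset /noforce | Out-Null
foreach ($app in $apps) {
    Get-SPAlternateURL -WebApplication $app.Internal | Format-Table Zone, IncomingUrl, PublicUrl -AutoSize
}
```

The final Get-SPAlternateURL table should show, for each web application, the Default zone's HTTP URL plus an Internet zone entry whose public URL is the external HTTPS name; if the internal HTTPS name does not appear as an incoming URL for the Internet zone, the New-SPAlternateURL call failed and TMG requests that arrive under that name will not be mapped.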
Forefront TMG or ISA Server Steps:
1. Create a web listener
- HTTPS
- Redirect HTTP to HTTPS
- Use the same certificate installed on SharePoint above
- Configure SSO for .internetdomain.com (single sign-on: this ensures only one login to TMG or ISA is required for all sites on that listener whose names fall within that domain)
2. Create two publishing rules, one for SharePoint and the other for MySites
- Use the same web listener for both
- Forward the original host header rather than the internal site name, so the request reaches SharePoint as sharepoint.internetdomain.com and matches the public URL of the Internet zone
- Bridge the connection using HTTPS (keep the protocol the same between the external URL and the internal URL, so traffic stays encrypted between TMG and the Web Front End)
In some instances you may need to create link translation rules that rewrite http:// links returned by SharePoint to https://. This is configured on the publishing rule.
Access rules can be used to block access to specific sub-URLs that should not be reachable from the Internet.
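A check worth running from an external client once the listener and publishing rules are in place, added here as an example and not part of the original post: it confirms that plain HTTP to each published name is redirected to HTTPS on the same host (the "Redirect HTTP to HTTPS" listener setting), that the certificate the listener presents chains to a trusted root from the client's point of view, and that its subject is the wildcard name and it has not expired. The two host names and the expected certificate name "*.internetdomain.com" are the post's example values and are assumptions for any other deployment; no login to TMG is attempted, so the check works before any user account is involved.

```powershell
# Added example, not code from the original post: external sanity check of the
# TMG/ISA web listener for the two published SharePoint names (assumed names below).
$sites      = "sharepoint.internetdomain.com", "mysites.internetdomain.com"
$expectedCn = "*.internetdomain.com"   # subject name of the wildcard certificate (assumed)

function Test-PublishedSite([string]$fqdn) {
    $result = New-Object PSObject -Property @{
        Host = $fqdn; RedirectsToHttps = $false; CertOk = $false; Subject = ""; Expires = $null
    }

    # 1. Plain HTTP must come back as a 3xx whose Location is https:// on the same host.
    #    Redirects are not followed so the listener's own answer is inspected.
    $req = [System.Net.WebRequest]::Create("http://$fqdn/")
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }   # 4xx/5xx still carry a response
    if ($resp -ne $null) {
        $code = [int]$resp.StatusCode
        $loc  = $resp.Headers["Location"]
        $result.RedirectsToHttps = ($code -ge 300 -and $code -lt 400 -and $loc -like "https://$fqdn/*")
        $resp.Close()
    }

    # 2. Handshake TLS directly and read the certificate the listener presents.
    #    AuthenticateAsClient validates the chain and host name against this client's trust store
    #    and throws AuthenticationException if either fails (e.g. missing root, wrong name).
    $tcp = New-Object System.Net.Sockets.TcpClient($fqdn, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $cn = $cert.GetNameInfo("SimpleName", $false)   # "*.internetdomain.com" for the wildcard cert
        $result.Subject = $cert.Subject
        $result.Expires = $cert.NotAfter
        $result.CertOk  = ($cn -eq $expectedCn) -and ($cert.NotAfter -gt (Get-Date))
    } catch [System.Security.Authentication.AuthenticationException] {
        $result.Subject = "TLS validation failed: " + $_.Exception.Message
    } finally {
        $ssl.Close(); $tcp.Close()
    }
    return $result
}

$sites | ForEach-Object { Test-PublishedSite $_ } |
    Format-Table Host, RedirectsToHttps, CertOk, Subject, Expires -AutoSize
```

Both rows should show RedirectsToHttps and CertOk as True. A False in RedirectsToHttps usually means the listener is answering HTTP without the redirect option, or a separate HTTP listener is in front of it; a "TLS validation failed" subject means the client does not trust the issuing root or the name on the certificate does not cover the host, which is exactly what browsers will complain about.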
To extend the web applications, does one need to upgrade the product key with an Internet licensing key?
Only if the access is unauthenticated. If users are authenticated then the Internet connector licence isn't required; however, the user does require a CAL.
Great post. I was running into the same issue and finally stumbled on your post. Thank goodness for midnight trolling.
I am assuming in step 2 under 'SharePoint steps' above you are referring to the domain controller as the location where the certificate and root certificate need to be installed, or is it the SharePoint server itself?
SR, the certificates need to be installed on the SharePoint Web Front End Server if you have more than one server in your SharePoint Farm. If you have only one SharePoint server, then install the certificates on that server. The certificates are added to the bindings on the SharePoint website in IIS.