Geeks With Blogs
Cajun MCSE MS technology down on the bayou

The best practice for publishing an Internet facing SharePoint site is to use ISA as a reverse proxy solution to provide an additional layer of security between the SharePoint portal and the end user.  This eliminates any traffic originating from the Internet from ever reaching the internal protected network.  Instead the traffic terminates in the DMZ at the ISA server and it in turn performs Active Directory or Forms Based authentication through LDAP, LDAPS, or Radius.  It then proxies the content from the internal network to the DMZ then to the end user.


One of the “gotchas” for publishing SharePoint through ISA is the way ISA handles authentication and cookies.  By default, ISA will not issue persistent cookies to the web browser.  This requires your users to authenticate multiple time while navigating the portal between site collections or opening a document in a document library.   This of course provides maximum security however its also a nuisance to most users.


This setting can be changed to allow persistent cookies which will then behave like Integrated Windows Authentication once the user has logged in the first time.  The downside to this configuration is the user will remain logged in until they manually sign out even if the browser is closed or the computer restarted.


An acceptable compromise is to configure persistent cookies only for computers selected as Private Computers during the login process.  This allows users to select how ISA should act depending on which computer they are accessing SharePoint from. 


To set persistent cookies, go to the forms tab on the web listener for that ISA rule and click Advanced:

ISA Advanced Forms Dialog








Now when the user selects Private Computer, ISA won’t keep asking for authentication:













Users should be educated on the consequences of this choice as to not compromise the portal by using this option on public Internet terminals or publicly accessible computers.

Posted on Monday, December 28, 2009 12:35 PM Windows 2008 Server , Windows Networking , MS SharePoint | Back to top

Comments on this post: SharePoint, ISA, and Persistent Cookies

# re: SharePoint, ISA, and Persistent Cookies
Requesting Gravatar...
what happens if a user select "this is a private computer" but really with the public such as a library? will the user be logged in?
Left by T Paul on Feb 15, 2010 9:56 AM

# re: SharePoint, ISA, and Persistent Cookies
Requesting Gravatar...
Yes the user will be logged in, and stay logged in for the duration of the timeout settings unless they manually log out. This is why it's important to educate your users on the difference. The timeouts are set in the same dialogue box under client security settings in Advanced Forms.
Left by Ryan Roussel on Feb 15, 2010 10:02 AM

# re: SharePoint, ISA, and Persistent Cookies
Requesting Gravatar...
Excellent site, keep up the good work. I read a lot of blogs on a daily basis and for the most part, people lack substance but, I just wanted to make a quick comment to say I’m glad I found your blog. Thanks
Boxing Videos
Left by Compare ISA on Jun 07, 2010 12:42 AM

Your comment:
 (will show your gravatar)

Copyright © Ryan Roussel | Powered by: