SharePoint

Contents

1 Introduction

Microsoft SharePoint is a web platform that provides many capabilities such as:

  • Document management
  • Version control
  • File sharing
  • Collaboration
  • Social networking
  • Enterprise search
  • Business intelligence
  • Workflow automation
  • Website creation

image1.png

A SharePoint Server Farm can include application servers and Web Front End (WFE) servers. The WFE server is used to handle requests from clients. If the WFE server is receiving a lot of requests, it may be necessary to build multiple WFE servers and distribute the load amongst them. To provide resiliency and high performance, these WFEs should be load balanced.

The Office Web Apps (OWA) servers can also be managed and/or load balanced by using the LoadMaster. The SharePoint template and steps in this document provide options for both.

1.1 Intended Audience

This document is intended for use by anyone who is interested in learning about deploying a Kemp LoadMaster with SharePoint.

1.2 Document Purpose

This deployment guide provides instructions on how to configure the Kemp LoadMaster to load balance SharePoint using Kemp LoadMaster application templates. This guide should only be used as a reference for the load balancing configuration of SharePoint services because each environment is unique and may have different requirements. This guide outlines the load balancing configuration using the default SharePoint ports using Kemp LoadMaster application templates, but unique ports can also be leveraged based on the environment.

This guide also outlines the configuration of Virtual Services using Layer 7. Some environments may have the ability to leverage Layer 4, which can improve performance. Contact Kemp Support for any questions regarding configuration options.

1.3 Prerequisites

It is assumed that if you are offloading SSL, an SSL certificate and key is already obtained and installed on the LoadMaster. For help with SSL certificates, refer to the SSL Accelerated Services, Feature Description on the Kemp Documentation page. It is also assumed that a working SharePoint environment is installed.

2 Template

Kemp has developed a template containing our recommended settings for this workload. You can install this template to help create Virtual Services (VSs) because it automatically populates the settings. You can use the template to easily create the required VSs with the recommended settings. You can remove templates after use and this will not affect deployed services. If needed, you can make changes to any of the VS settings after using the template.

Download released templates from the Templates section on the Kemp Documentation Page.

For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description on the Kemp Documentation Page.

3 LoadMaster Global Settings

Before setting up the Virtual Services, the following global settings should be configured to support the workload.

3.1 Layer 4 Considerations before Deployment

For this application, if you are using an L4 service, it is automatically transparent. When using transparency, the following should be considered:

If clients are on the same subnet as the Real Server, returning traffic to the LoadMaster is instead sent to the client. This is asymmetric routing and causes the client to drop the connection because it is expecting it from the LoadMaster, not the Real Server. The diagram below shows the flow of traffic when this rule is not followed.

image2.png

If the Real Servers' default gateway is not set to be the LoadMaster’s interface (the shared IP if the LoadMasters are in HA), traffic returning to the LoadMaster is instead sent to the gateway. This is asymmetric routing and causes the connection to drop because the connection should be sent from the LoadMaster, not the Real Server. The diagram below shows the flow of traffic when this rule is not followed.

image3.png

3.2 Enable Subnet Originating Requests Globally

It is best practice to enable the Subnet Originating Requests option globally.

In a one-armed setup (where the Virtual Service and Real Servers are on the same network/subnet) Subnet Originating Requests is usually not needed. However, enabling Subnet Originating Requests should not affect the routing in a one-armed setup.

In a two-armed setup where the Virtual Service is on network/subnet A, for example, and the Real Servers are on network B, Subnet Originating Requests should be enabled on LoadMasters with firmware version 7.1-16 and above.

When Subnet Originating Requests is enabled, the LoadMaster routes traffic so that the Real Server sees traffic arriving from the LoadMaster interface that is in that network/subnet.

When Subnet Originating Requests is enabled globally, it is automatically enabled on all Virtual Services. If the Subnet Originating Requests option is disabled globally, you can choose whether to enable Subnet Originating Requests on a per-Virtual Service basis.

To enable Subnet Originating Requests globally, follow the steps below:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to System Configuration > Miscellaneous Options > Network Options.

image305.png

2. Select the Subnet Originating Requests check box.

3.3 Enable Check Persist Globally

It is recommended that you change the Always Check Persist option to Yes – Accept Changes. Use the following steps:

1. Go to System Configuration > Miscellaneous Options > L7 Configuration.

image18.png

2. Click the Always Check Persist drop-down arrow and select Yes – Accept Changes.

4 Configure the LoadMaster for SharePoint

To configure the LoadMaster for SharePoint, you must set up Virtual Services:

  • Some are for the Central Administration site, which is used to administer the SharePoint configuration overall. When you deploy the first SharePoint server, the management site is created. Further production sites can be created as needed.
  • The other Virtual Services are for the User Portal Site. This is for access to MySites and the rest of the SharePoint infrastructure.

This guide contains a section on creating a Virtual Service in the WUI using a template. To configure the Virtual Services using the Application Programming Interface (API), refer to the RESTful API on the Kemp documentation page.

The table in each section outlines the API settings and values. You can use this information when using the Kemp LoadMaster API and automation tools.

Using a template automatically populates the settings in the Virtual Services. This is quicker and easier than manually configuring each Virtual Service. If needed, changes can be made to any of the Virtual Service settings after using the template. For more information on the SharePoint templates, refer to the Template section.

It may be possible to have a single Virtual Service for both that has extra ports, but you might want different settings on the different Virtual Services, or you might want one Virtual Service to be only accessible internally, for example.

The sections below give instructions on how to set up Virtual Services for Microsoft SharePoint. Refer to the relevant sections for step-by-step instructions on configuring the Virtual Services, depending on your environment. The settings contained in this document are recommended by Kemp. However, your specific configuration may require different settings.

For more information on each of the fields, refer to the Web User Interface (WUI), Configuration Guide on the Kemp Documentation page.

4.1 Two-Armed Configurations

If you have a two-armed configuration with SSL offloading, you may need to enable subnet originating requests. This can either be done on a per-Virtual Service basis (Subnet Originating Requests field in Standard Options in the Virtual Service modify screen), or on a global basis (System Configuration > Miscellaneous Options > Network Options > Subnet Originating Requests).

It is recommended that the Subnet Originating Requests option is enabled on a per-Virtual Service basis.
While a one-armed configuration is not common, it is supported. For security best practice, you should separate the network that clients will connect to from the network that the Real Servers are on.

4.2 Configure SharePoint 2010 Virtual Services

Refer to the sections below for API parameters and values for the Virtual Services for SharePoint 2010. These Virtual Services are not all required – configure the relevant Virtual Services, based on your environment.

4.2.1 Create a Virtual Service using a Template

To configure a Virtual Service using the application template, perform the following steps:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

2. Type a valid Virtual Address.

3. Select the appropriate template in the Use Template drop-down list.

4. Click Add this Virtual Service.

5. Expand the Real Servers section.

6. Click Add New.

7. Type the Real Server Address.

8. Confirm that the correct port is entered.

9. Click Add This Real Server.

4.2.2 Configuring the User Portal Site Virtual Services for SharePoint 2010

The sections below outline the API parameters and values for the User Portal Site Virtual Services for SharePoint 2010. Refer to the relevant sections below depending on your environment.

4.2.2.1 SharePoint 2010 HTTP Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

80

prot

tcp

Transparent

0

Schedule rr

Persist

src

PersistTimeout

3600

Idletime

900

CheckUrl

/

Add any Real Servers as needed.

4.2.2.2 SharePoint 2010 HTTPS Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

Transparent

0

Schedule rr

Persist

src

PersistTimeout

3600

Idletime

900

CheckUrl /

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

Add any Real Servers as needed.

4.2.2.3 SharePoint 2010 HTTPS Offloaded Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

SSLAcceleration

1

CipherSet

BestPractices

Transparent

0

Schedule rr

Persist

src

PersistTimeout

3600

Idletime

900

CheckUrl

/

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

Add any Real Servers as needed.

4.2.2.4 SharePoint 2010 HTTPS Re-encrypt Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

SSLAcceleration

1

SSLReencrypt

1

CipherSet

BestPractices

Schedule rr

Persistent

src

PersistTimeout

3600

Idletime

900

CheckUrl

/

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

Add any Real Servers as needed.

4.2.3 Configuring the Central Administration Site Virtual Services for SharePoint 2010

The sections below outline the API parameters and values for the Central Administration Site Virtual Services for SharePoint 2010. Refer to the relevant sections below depending on your environment.

The Central Administration port is dynamic and is created during the installation of SharePoint. Ensure you update the tcp port when configuring the Virtual Service.

4.2.3.1 SharePoint 2010 HTTP Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

8000

prot

tcp

VStype

http

Transparent

0

Schedule rr

Persist

src

PersistTimeout

3600

Idletime

900

CheckType

http

CheckUrl

/

Add any Real Servers as needed.

4.2.3.2 SharePoint 2010 HTTPS Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

VStype

http

Transparent

0

Schedule rr

Persist

src

PersistTimeout

3600

Idletime

900

CheckType

https

CheckUrl

/

Add any Real Servers as needed.

4.2.3.3 SharePoint 2010 HTTPS Offloaded Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

VStype

http

SSLAcceleration

1

CipherSet

BestPractices

Transparent

0

Schedule rr

Persistent

src

PersistTimeout

3600

Idletime

900

CheckType

http

CheckUrl

/

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

Add any Real Servers as needed.

4.2.3.4 SharePoint 2010 HTTPS Re-encrypted Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

VStype

http

SSLAcceleration

1

SSLReencrypt

1

CipherSet

BestPractices

Schedule rr

Persist

src

PersistTimeout

3600

Idletime

900

CheckType

https

CheckUrl

/

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

Add any Real Servers as needed.

4.3 Configure SharePoint 2013 Virtual Services

Refer to the sections below for API parameters and values for the Virtual Services for SharePoint 2013. These Virtual Services are not all required – configure the relevant Virtual Services, based on your environment.

4.3.1 Create a Virtual Service using a Template

To configure a Virtual Service using the application template, perform the following steps:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

2. Type a valid Virtual Address.

3. Select the appropriate template in the Use Template drop-down list.

4. Click Add this Virtual Service.

5. Expand the Real Servers section.

6. Click Add New.

7. Type the Real Server Address.

8. Confirm that the correct port is entered.

9. Click Add This Real Server.

4.3.2 Configure the User Portal Site Virtual Services for SharePoint 2013

The sections below outline the API parameters and values for the User Portal Site Virtual Services for SharePoint 2013. Refer to the relevant sections below depending on your environment.

4.3.2.1 SharePoint 2013 HTTP Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

80

prot

tcp

Transparent

0

Schedule rr

Idletime

900

CheckUrl

/

Add any Real Servers as needed.

4.3.2.2 SharePoint 2013 HTTPS Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

Transparent

0

Schedule rr

Idletime

900

CheckUrl

/

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

Add any Real Servers as needed.

4.3.2.3 SharePoint 2013 HTTPS Offloaded Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

SSLAcceleration

1

CipherSet

BestPractices

Transparent

0

Schedule rr

Idletime

900

CheckUrl

/

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

Add any Real Servers as needed.

4.3.2.4 SharePoint 2013 HTTPS Re-encrypt Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

Add any Real Servers as needed.

4.3.3 Configure the Central Administration Site Virtual Services for SharePoint 2013

The sections below outline the API parameters and values for the Central Administration Site Virtual Services for SharePoint 2013. Refer to the relevant sections below depending on your environment.

The Central Administration port is dynamic and is created during the installation of SharePoint. Ensure you update the tcp port when configuring the Virtual Service.

4.3.3.1 SharePoint 2013 HTTP Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

8000

prot

tcp

VStype

http

Transparent

0

Schedule rr

Idletime

900

CheckType

http

CheckUrl

/

Add any Real Servers as needed.

4.3.3.2 SharePoint 2013 HTTPS Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

VStype

http

Transparent

0

Schedule rr

Idletime

900

CheckType

https

CheckUrl

/

Add any Real Servers as needed.

4.3.3.3 SharePoint 2013 HTTPS Offloaded Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

VStype

http

SSLAcceleration

1

CipherSet

BestPractices

Transparent

0

Schedule rr

Idletime

900

CheckType

http

CheckUrl

/

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

Add any Real Servers as needed.

4.3.3.4 SharePoint 2013 HTTPS Re-encrypted Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

VStype

http

Transparent 0
Schedule rr

SSLAcceleration

1

SSLReencrypt

1

CipherSet

BestPractices

Idletime

900

CheckType

https

CheckUrl

/

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

Add any Real Servers as needed.

4.3.4 SharePoint 2013 HTTP and WAF Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

80

prot

tcp

Transparent

0

Schedule rr

Idletime

900

Intercept

1

rule (use the command to add a WAF rule)

G/ip_reputation%20G/known_vulns%20G/malware_detection%20G/botnet_attacks%20A/sharepoint_attacks%20A/iis_attacks

CheckUrl

/

All rules should be selected for each ruleset. Additional OWASP Core Rule Sets can be downloaded from the ModSecurity website to further secure the SharePoint environment.

Add any Real Servers as needed.

4.3.5 SharePoint 2013 HTTPS Re-encrypted and WAF Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

Transparent

0

Schedule rr

Idletime

900

SSLAcceleration

1

SSLReencrypt

1

CipherSet

BestPractices

Intercept

1

rule (use the command to add a WAF rule)

G/ip_reputation%20G/known_vulns%20G/malware_detection%20G/botnet_attacks%20A/sharepoint_attacks%20A/iis_attacks

CheckUrl

/

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

All rules should be selected for each ruleset. Additional OWASP Core Rule Sets can be downloaded from the ModSecurity website to further secure the SharePoint environment.

Add any Real Servers as needed.

4.4 Configure SharePoint 2016 Virtual Services

Refer to the sections below for API parameters and values for the Virtual Services for SharePoint 2016. Not all these Virtual Services are required – configure the relevant Virtual Services based on your environment.

4.4.1 Create a Virtual Service using a Template

To configure a Virtual Service using the application template, perform the following steps:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

2. Type a valid Virtual Address.

3. Select the appropriate template in the Use Template drop-down list.

4. Click Add this Virtual Service.

5. Expand the Real Servers section.

6. Click Add New.

7. Type the Real Server Address.

8. Confirm that the correct port is entered.

9. Click Add This Real Server.

4.4.2 Configure the User Portal Site Virtual Services for SharePoint 2016

The sections below outline the API parameters and values for the User Portal Site Virtual Services for SharePoint 2016. Refer to the relevant sections below depending on your environment.

4.4.2.1 SharePoint 2016 HTTP Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

80

prot

tcp

Transparent

0

Schedule lc

Idletime

900

CheckUrl

/

CheckHeaders Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Add any Real Servers as needed.

4.4.2.2 SharePoint 2016 HTTPS Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

Transparent

0

Schedule

lc

Idletime

900

CheckUrl

/

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

Add any Real Servers as needed.

4.4.2.3 SharePoint 2016 HTTPS Offloaded Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

SSLAcceleration

1

CipherSet

BestPractices

Transparent

0

Schedule

lc

Idletime

900

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

It is optional to add a HTTP redirector Virtual service. Whether you require one or not depends on your environment.

Add any Real servers as needed.

4.4.2.4 SharePoint 2016 HTTPS Re-encrypt Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

SSLAcceleration

1

SSLReencrypt

1

CipherSet

BestPractices

Schedule

lc

Idletime

900

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

4.4.3 Configure the Central Administration Site Virtual Services for SharePoint 2016

The sections below outline the API parameters and values for the Central Administration Site Virtual Services for SharePoint 2016. Refer to the relevant sections below depending on your environment.

The Central Administration port is dynamic and is created during the installation of SharePoint. Ensure you update the tcp port when configuring the Virtual Service.

4.4.3.1 SharePoint 2016 HTTP Central Administration Site Virtual Service Recommended API Settings (optional)2

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

8000

prot

tcp

VStype

http

Transparent

0

Schedule

lc

Idletime

900

CheckType

http

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Add any Real Servers as needed.

4.4.3.2 SharePoint 2016 HTTPS Central Administration Site Virtual Service Recommended API Settings (optional)2

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

VStype

http

Transparent

0

Schedule

lc

Idletime

900

CheckType

https

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Add any Real Servers as needed.

4.4.3.3 SharePoint 2016 HTTPS Offloaded Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

VStype

http

SSLAcceleration

1

CipherSet

BestPractices

Transparent

0

Schedule

lc

Idletime

900

CheckType

http

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description SSL Services on the Kemp Documentation Page

Add any Real Servers as needed.

4.4.3.4 SharePoint 2016 HTTPS Re-encrypt Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

SSLAcceleration

1

SSLReencrypt

1

CipherSet

BestPractices

Schedule

lc

Idletime

900

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

4.4.4 SharePoint 2016 HTTP and WAF Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

80

prot

tcp

Transparent

0

Idletime

900

Intercept

1

rule (use the command to add a WAF rule)

G/ip_reputation%20G/known_vulns%20G/malware_detection%20G/botnet_attacks%20A/sharepoint_attacks%20A/iis_attacks

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

All rules should be selected for each ruleset. Additional OWASP Core Rule Sets can be downloaded from the ModSecurity website to further secure the SharePoint environment.

Add any Real Servers as needed.

4.4.5 SharePoint 2016 HTTPS Re-encrypted and WAF Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

Transparent

0

Idletime

900

SSLAcceleration

1

SSLReencrypt

 1

CipherSet

BestPractices

Intercept

1

rule (use the command to add a WAF rule)

G/ip_reputation%20G/known_vulns%20G/malware_detection%20G/botnet_attacks%20A/sharepoint_attacks%20A/iis_attacks

CheckType

https

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

All rules should be selected for each ruleset. Additional OWASP Core Rule Sets can be downloaded from the ModSecurity website to further secure the SharePoint environment.

Add any Real Servers as needed.

4.5 Configure SharePoint 2019 Virtual Services

Refer to the sections below for API parameters and values for the Virtual Services for SharePoint 2019. These Virtual Services are not all required – configure the relevant Virtual Services based on your environment.

4.5.1 Create a Virtual Service using a Template

To configure a Virtual Service using the application template, perform the following steps:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

2. Type a valid Virtual Address.

3. Select the appropriate template in the Use Template drop-down list.

4. Click Add this Virtual Service.

5. Expand the Real Servers section.

6. Click Add New.

7. Type the Real Server Address.

8. Confirm that the correct port is entered.

9. Click Add This Real Server.

4.5.2 Configure the User Portal Site Virtual Services for SharePoint 2019

The sections below outline the API parameters and values for the User Portal Site Virtual Services for SharePoint 2019. Refer to the relevant sections below depending on your environment.

4.5.2.1 SharePoint 2019 HTTP Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

80

prot

tcp

Transparent

0

Schedule

lc

Idletime

900

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Add any Real Servers as needed.

4.5.2.2 SharePoint 2019 HTTPS Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

Transparent

0

Schedule

lc

Idletime

900

CheckUrl

/

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

Add any Real Servers as needed.

4.5.2.3 SharePoint 2019 HTTPS Offloaded Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

SSLAcceleration

1

CipherSet

BestPractices

Transparent

0

Schedule

lc

Idletime

900

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description SSL Services on the Kemp Documentation Page.

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

Add any Real Servers as needed.

4.5.2.4 SharePoint 2019 HTTPS Re-encrypt Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

SSLAcceleration

1

SSLReencrypt

1

CipherSet

BestPractices

Schedule

lc

Idletime

900

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

4.5.3 Configure the Central Administration Site Virtual Services for SharePoint 2019

The sections below outline the API parameters and values for the Central Administration Site Virtual Services for SharePoint 2019. Refer to the relevant sections below depending on your environment.

The Central Administration port is dynamic and is created during the installation of SharePoint. Ensure you update the tcp port when configuring the Virtual Service.

4.5.3.1 SharePoint 2019 HTTP Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

8000

prot

tcp

VStype

http

Transparent

0

Schedule

lc

Idletime

900

CheckType

http

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Add any Real Servers as needed.

4.5.3.2 SharePoint 2019 HTTPS Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

VStype

http

Transparent

0

Schedule

lc

Idletime

900

CheckType

https

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Add any Real Servers as needed.

4.5.3.3 SharePoint 2019 HTTPS Offloaded Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

VStype

http

SSLAcceleration

1

CipherSet

BestPractices

Transparent

0

Schedule

lc

Idletime

900

CheckType

http

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

Add any Real Servers as needed.

4.5.3.4 SharePoint 2019 HTTPS Re-encrypted Central Administration Site Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

10894

prot

tcp

VStype

http

SSLAcceleration

1

SSLReencrypt

1

CipherSet

BestPractices

Schedule

lc

Idletime

900

CheckType

https

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.

Add any Real Servers as needed.

4.5.4 SharePoint 2019 HTTP and WAF Virtual Service Recommended API Settings (optional)AA

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

80

prot

tcp

Transparent

0

Idletime

900

Intercept

1

rule (use the command to add a WAF rule)

G/ip_reputation%20G/known_vulns%20G/malware_detection%20G/botnet_attacks%20A/sharepoint_attacks%20A/iis_attacks

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

All rules should be selected for each ruleset. Additional OWASP Core Rule Sets can be downloaded from the ModSecurity website to further secure the SharePoint environment.

Add any Real Servers as needed.

4.5.5 SharePoint 2019 HTTPS Re-encrypted and WAF Virtual Service Recommended API Settings (optional)

This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.

API Parameter

API Value

port

443

prot

tcp

Transparent

0

Idletime

900

SSLAcceleration

1

SSLReencrypt

 1

CipherSet

BestPractices

Intercept

1

rule (use the command to add a WAF rule)

G/ip_reputation%20G/known_vulns%20G/malware_detection%20G/botnet_attacks%20A/sharepoint_attacks%20A/iis_attacks

CheckType

https

CheckUrl

/

CheckHeaders

Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL.

It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.

All rules should be selected for each ruleset. Additional OWASP Core Rule Sets can be downloaded from the ModSecurity website to further secure the SharePoint environment.

Add any Real Servers as needed.

5 Enabling the Edge Security Pack (ESP) with SharePoint

If desired, you can use ESP with SharePoint. To do this, follow the steps in the ESP, Feature Description but ensure to select either Permanent Cookies Always or Permanent Cookies only on Private Computers for the Use Session or Permanent Cookies option.

Selecting a permanent cookie option ensures that Office documents can be opened correctly from SharePoint.

6 References

Unless otherwise specified, the documents below can be found at http://www.kemptechnologies.com/documentation

ESP, Feature Description

Web User Interface (WUI), Configuration Guide

IPsec Tunneling, Feature Description

Virtual Services and Templates, Feature Description

SSL Accelerated Services, Feature Description

Last Updated Date

This document was last updated on 09 September 2019.

Was this article helpful?

0 out of 0 found this helpful

Comments

Avatar
Dmitry Ignatev

I want to ask about Configure a SharePoint 2016 HTTPS Re-encrypted and WAF Virtual Service. Any attempt to enter HOST to the Field under "Show Headers" ends with an error. I'll try enter (example) sps.e-lab.domain.ru to the Host field, as in Alternate Access Mappings.
Is it possible to give an example of filling these fields?

Avatar
Matt Martinez

The way this reads is really wierd, "Enter the HOST and URL of the Web Application configured in Alternate Access Mappings." It should be Enter HOST:URL. For example, HOST:mysharepointsite.contoso.com. You literally input HOST as the header.

Avatar
Naseer Husein

Thank you for bringing that to our attention. We will review and have the documentation team make any necessary changes.

Edited by Naseer Husein