Microsoft SharePoint
Contents
1 Introduction
Microsoft SharePoint is a web platform that provides many capabilities such as:
- Document management
- Version control
- File sharing
- Collaboration
- Social networking
- Enterprise search
- Business intelligence
- Workflow automation
- Website creation
A SharePoint Server Farm can include application servers and Web Front End (WFE) servers. The WFE server is used to handle requests from clients. If the WFE server is receiving a lot of requests, it may be necessary to build multiple WFE servers and distribute the load amongst them. To provide resiliency and high performance, these WFEs should be load balanced.
The Office Web Apps (OWA) servers can also be managed and/or load balanced by using the LoadMaster. The SharePoint template and steps in this document provide options for both.
1.1 Intended Audience
This document is intended for use by anyone who is interested in learning about deploying a Kemp LoadMaster with SharePoint.
1.2 Document Purpose
This deployment guide provides instructions on how to configure the Kemp LoadMaster to load balance SharePoint using Kemp LoadMaster application templates. This guide should only be used as a reference for the load balancing configuration of SharePoint services because each environment is unique and may have different requirements. This guide outlines the load balancing configuration using the default SharePoint ports using Kemp LoadMaster application templates, but unique ports can also be leveraged based on the environment.
This guide also outlines the configuration of Virtual Services using Layer 7. Some environments may have the ability to leverage Layer 4, which can improve performance. Contact Kemp Support for any questions regarding configuration options.
1.3 Prerequisites
It is assumed that if you are offloading SSL, an SSL certificate and key is already obtained and installed on the LoadMaster. For help with SSL certificates, refer to the SSL Accelerated Services, Feature Description on the Kemp Documentation page. It is also assumed that a working SharePoint environment is installed.
2 Template
Kemp has developed a template containing our recommended settings for this workload. You can install this template to help create Virtual Services (VSs) because it automatically populates the settings. You can use the template to easily create the required VSs with the recommended settings. For some workloads, additional manual steps may be required such as assigning a certificate or applying port following. These steps are covered in the document, if needed.
You can remove templates after use and this will not affect deployed services. If needed, you can make changes to any of the VS settings after using the template.
Download released templates from the following page: LoadMaster Templates.
For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description on the Kemp Documentation page.
3 LoadMaster Global Settings
Before setting up the Virtual Services, the following global settings should be configured to support the workload.
3.1 Layer 4 Considerations before Deployment
For this application, if you are using an L4 service, it is automatically transparent. When using transparency, the following should be considered:
If clients are on the same subnet as the Real Server, returning traffic to the LoadMaster is instead sent to the client. This is asymmetric routing and causes the client to drop the connection because it is expecting it from the LoadMaster, not the Real Server. The diagram below shows the flow of traffic when this rule is not followed.
If the Real Servers' default gateway is not set to be the LoadMaster's interface (the shared IP if the LoadMasters are in HA), traffic returning to the LoadMaster is instead sent to the gateway. This is asymmetric routing and causes the connection to drop because the connection should be sent from the LoadMaster, not the Real Server. The diagram below shows the flow of traffic when this rule is not followed.
3.2 Enable Subnet Originating Requests Globally
It is best practice to enable the Subnet Originating Requests option globally.
In a one-armed setup (where the Virtual Service and Real Servers are on the same network/subnet) Subnet Originating Requests is usually not needed. However, enabling Subnet Originating Requests should not affect the routing in a one-armed setup.
In a two-armed setup where the Virtual Service is on network/subnet A, for example, and the Real Servers are on network B, Subnet Originating Requests should be enabled on LoadMasters with firmware version 7.1-16 and above.
When Subnet Originating Requests is enabled, the Real Server sees traffic originating from 10.20.20.21 (LoadMaster eth1 address) and responds correctly in most scenarios.
With Subnet Originating Requests disabled, the Real Server sees traffic originating from 10.0.0.15 (LoadMaster Virtual Service address on eth0) and responds to eth0 which could cause asymmetric routing.
When Subnet Originating Requests is enabled globally, it is automatically enabled on all Virtual Services. If the Subnet Originating Requests option is disabled globally, you can choose whether to enable Subnet Originating Requests on a per-Virtual Service basis.
To enable Subnet Originating Requests globally, follow the steps below:
1. In the main menu of the LoadMaster User Interface (UI), go to System Configuration > Miscellaneous Options > Network Options.
2. Select the Subnet Originating Requests check box.
3.3 Enable Check Persist Globally
It is recommended that you change the Always Check Persist option to Yes - Accept Changes. Use the following steps:
1. Go to System Configuration > Miscellaneous Options > L7 Configuration.
2. Click the Always Check Persist drop-down arrow and select Yes - Accept Changes.
4 Configure the LoadMaster for SharePoint
To configure the LoadMaster for SharePoint, you must set up Virtual Services:
- Some are for the Central Administration site, which is used to administer the SharePoint configuration overall. When you deploy the first SharePoint server, the management site is created. Further production sites can be created as needed.
- The other Virtual Services are for the User Portal Site. This is for access to MySites and the rest of the SharePoint infrastructure.
This guide contains a section on creating a Virtual Service in the WUI using a template. To configure the Virtual Services using the Application Programming Interface (API), refer to the RESTful API on the Kemp documentation page.
The table in each section outlines the API settings and values. You can use this information when using the Kemp LoadMaster API and automation tools.
Using a template automatically populates the settings in the Virtual Services. This is quicker and easier than manually configuring each Virtual Service. If needed, changes can be made to any of the Virtual Service settings after using the template. For more information on the SharePoint templates, refer to the Template section.
It may be possible to have a single Virtual Service for both that has extra ports, but you might want different settings on the different Virtual Services, or you might want one Virtual Service to be only accessible internally, for example.
The sections below give instructions on how to set up Virtual Services for Microsoft SharePoint. Refer to the relevant sections for step-by-step instructions on configuring the Virtual Services, depending on your environment. The settings contained in this document are recommended by Kemp. However, your specific configuration may require different settings.
For more information on each of the fields, refer to the Web User Interface (WUI), Configuration Guide on the Kemp Documentation page.
4.1 Two-Armed Configurations
If you have a two-armed configuration with SSL offloading, you may need to enable subnet originating requests. This can either be done on a per-Virtual Service basis (Subnet Originating Requests field in Standard Options in the Virtual Service modify screen), or on a global basis (System Configuration > Miscellaneous Options > Network Options > Subnet Originating Requests).
It is recommended that the Subnet Originating Requests option is enabled on a per-Virtual Service basis.
While a one-armed configuration is not common, it is supported. For security best practice, you should separate the network that clients will connect to from the network that the Real Servers are on.
4.2 Configure SharePoint 2010 Virtual Services
Refer to the sections below for API parameters and values for the Virtual Services for SharePoint 2010. These Virtual Services are not all required - configure the relevant Virtual Services, based on your environment.
4.2.1 Create a Virtual Service using a Template
To configure a Virtual Service using the application template, perform the following steps:
1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.
2. Type a valid Virtual Address.
3. Select the appropriate template in the Use Template drop-down list.
4. Click Add this Virtual Service.
5. Expand the Real Servers section.
6. Click Add New.
7. Type the Real Server Address.
8. Confirm that the correct port is entered.
9. Click Add This Real Server.
4.2.2 Configuring the User Portal Site Virtual Services for SharePoint 2010
The sections below outline the API parameters and values for the User Portal Site Virtual Services for SharePoint 2010. Refer to the relevant sections below depending on your environment.
4.2.2.1 SharePoint 2010 HTTP Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
80 |
|
prot |
tcp |
|
Transparent |
0 |
| Schedule | rr |
|
Persist |
src |
|
PersistTimeout |
3600 |
|
Idletime |
900 |
|
CheckUrl |
/ |
Add any Real Servers as needed.
4.2.2.2 SharePoint 2010 HTTPS Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
Transparent |
0 |
| Schedule | rr |
|
Persist |
src |
|
PersistTimeout |
3600 |
|
Idletime |
900 |
| CheckUrl | / |
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
Add any Real Servers as needed.
4.2.2.3 SharePoint 2010 HTTPS Offloaded Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
SSLAcceleration |
1 |
|
CipherSet |
BestPractices |
|
Transparent |
0 |
| Schedule | rr |
|
Persist |
src |
|
PersistTimeout |
3600 |
|
Idletime |
900 |
|
CheckUrl |
/ |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
Add any Real Servers as needed.
4.2.2.4 SharePoint 2010 HTTPS Re-encrypt Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
SSLAcceleration |
1 |
|
SSLReencrypt |
1 |
|
CipherSet |
BestPractices |
| Schedule | rr |
|
Persistent |
src |
|
PersistTimeout |
3600 |
|
Idletime |
900 |
|
CheckUrl |
/ |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
Add any Real Servers as needed.
4.2.3 Configuring the Central Administration Site Virtual Services for SharePoint 2010
The sections below outline the API parameters and values for the Central Administration Site Virtual Services for SharePoint 2010. Refer to the relevant sections below depending on your environment.
The Central Administration port is dynamic and is created during the installation of SharePoint. Ensure you update the tcp port when configuring the Virtual Service.
4.2.3.1 SharePoint 2010 HTTP Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
8000 |
|
prot |
tcp |
|
VStype |
http |
|
Transparent |
0 |
| Schedule | rr |
|
Persist |
src |
|
PersistTimeout |
3600 |
|
Idletime |
900 |
|
CheckType |
http |
|
CheckUrl |
/ |
Add any Real Servers as needed.
4.2.3.2 SharePoint 2010 HTTPS Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
VStype |
http |
|
Transparent |
0 |
| Schedule | rr |
|
Persist |
src |
|
PersistTimeout |
3600 |
|
Idletime |
900 |
|
CheckType |
https |
|
CheckUrl |
/ |
Add any Real Servers as needed.
4.2.3.3 SharePoint 2010 HTTPS Offloaded Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
VStype |
http |
|
SSLAcceleration |
1 |
|
CipherSet |
BestPractices |
|
Transparent |
0 |
| Schedule | rr |
|
Persistent |
src |
|
PersistTimeout |
3600 |
|
Idletime |
900 |
|
CheckType |
http |
|
CheckUrl |
/ |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
Add any Real Servers as needed.
4.2.3.4 SharePoint 2010 HTTPS Re-encrypted Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
VStype |
http |
|
SSLAcceleration |
1 |
|
SSLReencrypt |
1 |
|
CipherSet |
BestPractices |
| Schedule | rr |
|
Persist |
src |
|
PersistTimeout |
3600 |
|
Idletime |
900 |
|
CheckType |
https |
|
CheckUrl |
/ |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
Add any Real Servers as needed.
4.3 Configure SharePoint 2013 Virtual Services
Refer to the sections below for API parameters and values for the Virtual Services for SharePoint 2013. These Virtual Services are not all required - configure the relevant Virtual Services, based on your environment.
4.3.1 Create a Virtual Service using a Template
To configure a Virtual Service using the application template, perform the following steps:
1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.
2. Type a valid Virtual Address.
3. Select the appropriate template in the Use Template drop-down list.
4. Click Add this Virtual Service.
5. Expand the Real Servers section.
6. Click Add New.
7. Type the Real Server Address.
8. Confirm that the correct port is entered.
9. Click Add This Real Server.
4.3.2 Configure the User Portal Site Virtual Services for SharePoint 2013
The sections below outline the API parameters and values for the User Portal Site Virtual Services for SharePoint 2013. Refer to the relevant sections below depending on your environment.
4.3.2.1 SharePoint 2013 HTTP Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
80 |
|
prot |
tcp |
|
Transparent |
0 |
| Schedule | rr |
|
Idletime |
900 |
|
CheckUrl |
/ |
Add any Real Servers as needed.
4.3.2.2 SharePoint 2013 HTTPS Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
Transparent |
0 |
| Schedule | rr |
|
Idletime |
900 |
|
CheckUrl |
/ |
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
Add any Real Servers as needed.
4.3.2.3 SharePoint 2013 HTTPS Offloaded Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
SSLAcceleration |
1 |
|
CipherSet |
BestPractices |
|
Transparent |
0 |
| Schedule | rr |
|
Idletime |
900 |
|
CheckUrl |
/ |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
Add any Real Servers as needed.
4.3.2.4 SharePoint 2013 HTTPS Re-encrypt Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
Add any Real Servers as needed.
4.3.3 Configure the Central Administration Site Virtual Services for SharePoint 2013
The sections below outline the API parameters and values for the Central Administration Site Virtual Services for SharePoint 2013. Refer to the relevant sections below depending on your environment.
The Central Administration port is dynamic and is created during the installation of SharePoint. Ensure you update the tcp port when configuring the Virtual Service.
4.3.3.1 SharePoint 2013 HTTP Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
8000 |
|
prot |
tcp |
|
VStype |
http |
|
Transparent |
0 |
| Schedule | rr |
|
Idletime |
900 |
|
CheckType |
http |
|
CheckUrl |
/ |
Add any Real Servers as needed.
4.3.3.2 SharePoint 2013 HTTPS Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
VStype |
http |
|
Transparent |
0 |
| Schedule | rr |
|
Idletime |
900 |
|
CheckType |
https |
|
CheckUrl |
/ |
Add any Real Servers as needed.
4.3.3.3 SharePoint 2013 HTTPS Offloaded Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
VStype |
http |
|
SSLAcceleration |
1 |
|
CipherSet |
BestPractices |
|
Transparent |
0 |
| Schedule | rr |
|
Idletime |
900 |
|
CheckType |
http |
|
CheckUrl |
/ |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
Add any Real Servers as needed.
4.3.3.4 SharePoint 2013 HTTPS Re-encrypted Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
VStype |
http |
| Transparent | 0 |
| Schedule | rr |
|
SSLAcceleration |
1 |
|
SSLReencrypt |
1 |
|
CipherSet |
BestPractices |
|
Idletime |
900 |
|
CheckType |
https |
|
CheckUrl |
/ |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
Add any Real Servers as needed.
4.3.4 SharePoint 2013 HTTP and WAF Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
80 |
|
prot |
tcp |
|
Transparent |
0 |
| Schedule | rr |
|
Idletime |
900 |
|
Intercept |
1 |
|
rule (use the command to add a WAF rule) |
G/ip_reputation%20G/known_vulns%20G/malware_detection%20G/botnet_attacks%20A/sharepoint_attacks%20A/iis_attacks |
|
CheckUrl |
/ |
All rules should be selected for each ruleset. Additional OWASP Core Rule Sets can be downloaded from the ModSecurity website to further secure the SharePoint environment.
Add any Real Servers as needed.
4.3.5 SharePoint 2013 HTTPS Re-encrypted and WAF Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
Transparent |
0 |
| Schedule | rr |
|
Idletime |
900 |
|
SSLAcceleration |
1 |
|
SSLReencrypt |
1 |
|
CipherSet |
BestPractices |
|
Intercept |
1 |
|
rule (use the command to add a WAF rule) |
G/ip_reputation%20G/known_vulns%20G/malware_detection%20G/botnet_attacks%20A/sharepoint_attacks%20A/iis_attacks |
|
CheckUrl |
/ |
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
All rules should be selected for each ruleset. Additional OWASP Core Rule Sets can be downloaded from the ModSecurity website to further secure the SharePoint environment.
Add any Real Servers as needed.
4.4 Configure SharePoint 2016 Virtual Services
Refer to the sections below for API parameters and values for the Virtual Services for SharePoint 2016. Not all these Virtual Services are required - configure the relevant Virtual Services based on your environment.
4.4.1 Create a Virtual Service using a Template
To configure a Virtual Service using the application template, perform the following steps:
1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.
2. Type a valid Virtual Address.
3. Select the appropriate template in the Use Template drop-down list.
4. Click Add this Virtual Service.
5. Expand the Real Servers section.
6. Click Add New.
7. Type the Real Server Address.
8. Confirm that the correct port is entered.
9. Click Add This Real Server.
4.4.2 Configure the User Portal Site Virtual Services for SharePoint 2016
The sections below outline the API parameters and values for the User Portal Site Virtual Services for SharePoint 2016. Refer to the relevant sections below depending on your environment.
4.4.2.1 SharePoint 2016 HTTP Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
80 |
|
prot |
tcp |
|
Transparent |
0 |
| Schedule | lc |
|
Idletime |
900 |
|
CheckUrl |
/ |
| CheckHeaders | Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Add any Real Servers as needed.
4.4.2.2 SharePoint 2016 HTTPS Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
Transparent |
0 |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckUrl |
/ |
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
Add any Real Servers as needed.
4.4.2.3 SharePoint 2016 HTTPS Offloaded Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
SSLAcceleration |
1 |
|
CipherSet |
BestPractices |
|
Transparent |
0 |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
It is optional to add a HTTP redirector Virtual service. Whether you require one or not depends on your environment.
Add any Real servers as needed.
4.4.2.4 SharePoint 2016 HTTPS Re-encrypt Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
SSLAcceleration |
1 |
|
SSLReencrypt |
1 |
|
CipherSet |
BestPractices |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
4.4.3 Configure the Central Administration Site Virtual Services for SharePoint 2016
The sections below outline the API parameters and values for the Central Administration Site Virtual Services for SharePoint 2016. Refer to the relevant sections below depending on your environment.
The Central Administration port is dynamic and is created during the installation of SharePoint. Ensure you update the tcp port when configuring the Virtual Service.
4.4.3.1 SharePoint 2016 HTTP Central Administration Site Virtual Service Recommended API Settings (optional)2
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
8000 |
|
prot |
tcp |
|
VStype |
http |
|
Transparent |
0 |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckType |
http |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Add any Real Servers as needed.
4.4.3.2 SharePoint 2016 HTTPS Central Administration Site Virtual Service Recommended API Settings (optional)2
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
VStype |
http |
|
Transparent |
0 |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckType |
https |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Add any Real Servers as needed.
4.4.3.3 SharePoint 2016 HTTPS Offloaded Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
VStype |
http |
|
SSLAcceleration |
1 |
|
CipherSet |
BestPractices |
|
Transparent |
0 |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckType |
http |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description SSL Services on the Kemp Documentation Page
Add any Real Servers as needed.
4.4.3.4 SharePoint 2016 HTTPS Re-encrypt Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
SSLAcceleration |
1 |
|
SSLReencrypt |
1 |
|
CipherSet |
BestPractices |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
4.4.4 SharePoint 2016 HTTP and WAF Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
80 |
|
prot |
tcp |
|
Transparent |
0 |
|
Idletime |
900 |
|
Intercept |
1 |
|
rule (use the command to add a WAF rule) |
G/ip_reputation%20G/known_vulns%20G/malware_detection%20G/botnet_attacks%20A/sharepoint_attacks%20A/iis_attacks |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
All rules should be selected for each ruleset. Additional OWASP Core Rule Sets can be downloaded from the ModSecurity website to further secure the SharePoint environment.
Add any Real Servers as needed.
4.4.5 SharePoint 2016 HTTPS Re-encrypted and WAF Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
Transparent |
0 |
|
Idletime |
900 |
|
SSLAcceleration |
1 |
|
SSLReencrypt |
1 |
|
CipherSet |
BestPractices |
|
Intercept |
1 |
|
rule (use the command to add a WAF rule) |
G/ip_reputation%20G/known_vulns%20G/malware_detection%20G/botnet_attacks%20A/sharepoint_attacks%20A/iis_attacks |
|
CheckType |
https |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
All rules should be selected for each ruleset. Additional OWASP Core Rule Sets can be downloaded from the ModSecurity website to further secure the SharePoint environment.
Add any Real Servers as needed.
4.5 Configure SharePoint 2019 Virtual Services
Refer to the sections below for API parameters and values for the Virtual Services for SharePoint 2019. These Virtual Services are not all required - configure the relevant Virtual Services based on your environment.
4.5.1 Create a Virtual Service using a Template
To configure a Virtual Service using the application template, perform the following steps:
1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.
2. Type a valid Virtual Address.
3. Select the appropriate template in the Use Template drop-down list.
4. Click Add this Virtual Service.
5. Expand the Real Servers section.
6. Click Add New.
7. Type the Real Server Address.
8. Confirm that the correct port is entered.
9. Click Add This Real Server.
4.5.2 Configure the User Portal Site Virtual Services for SharePoint 2019
The sections below outline the API parameters and values for the User Portal Site Virtual Services for SharePoint 2019. Refer to the relevant sections below depending on your environment.
4.5.2.1 SharePoint 2019 HTTP Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
80 |
|
prot |
tcp |
|
Transparent |
0 |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Add any Real Servers as needed.
4.5.2.2 SharePoint 2019 HTTPS Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
Transparent |
0 |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckUrl |
/ |
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
Add any Real Servers as needed.
4.5.2.3 SharePoint 2019 HTTPS Offloaded Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
SSLAcceleration |
1 |
|
CipherSet |
BestPractices |
|
Transparent |
0 |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description SSL Services on the Kemp Documentation Page.
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
Add any Real Servers as needed.
4.5.2.4 SharePoint 2019 HTTPS Re-encrypt Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
SSLAcceleration |
1 |
|
SSLReencrypt |
1 |
|
CipherSet |
BestPractices |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
4.5.3 Configure the Central Administration Site Virtual Services for SharePoint 2019
The sections below outline the API parameters and values for the Central Administration Site Virtual Services for SharePoint 2019. Refer to the relevant sections below depending on your environment.
The Central Administration port is dynamic and is created during the installation of SharePoint. Ensure you update the tcp port when configuring the Virtual Service.
4.5.3.1 SharePoint 2019 HTTP Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
8000 |
|
prot |
tcp |
|
VStype |
http |
|
Transparent |
0 |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckType |
http |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Add any Real Servers as needed.
4.5.3.2 SharePoint 2019 HTTPS Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
VStype |
http |
|
Transparent |
0 |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckType |
https |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Add any Real Servers as needed.
4.5.3.3 SharePoint 2019 HTTPS Offloaded Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
VStype |
http |
|
SSLAcceleration |
1 |
|
CipherSet |
BestPractices |
|
Transparent |
0 |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckType |
http |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
Add any Real Servers as needed.
4.5.3.4 SharePoint 2019 HTTPS Re-encrypted Central Administration Site Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
10894 |
|
prot |
tcp |
|
VStype |
http |
|
SSLAcceleration |
1 |
|
SSLReencrypt |
1 |
|
CipherSet |
BestPractices |
|
Schedule |
lc |
|
Idletime |
900 |
|
CheckType |
https |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
Ensure you add your SSL certificate to the Virtual Service. For more information, refer to the SSL Accelerated Services Feature Description on the Kemp Documentation Page.
Add any Real Servers as needed.
4.5.4 SharePoint 2019 HTTP and WAF Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
80 |
|
prot |
tcp |
|
Transparent |
0 |
|
Idletime |
900 |
|
Intercept |
1 |
|
rule (use the command to add a WAF rule) |
G/ip_reputation%20G/known_vulns%20G/malware_detection%20G/botnet_attacks%20A/sharepoint_attacks%20A/iis_attacks |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
All rules should be selected for each ruleset. Additional OWASP Core Rule Sets can be downloaded from the ModSecurity website to further secure the SharePoint environment.
Add any Real Servers as needed.
4.5.5 SharePoint 2019 HTTPS Re-encrypted and WAF Virtual Service Recommended API Settings (optional)
This table outlines the API parameters and values set using the Kemp application template. These settings can be used with scripts and automation tools.
|
API Parameter |
API Value |
|---|---|
|
port |
443 |
|
prot |
tcp |
|
Transparent |
0 |
|
Idletime |
900 |
|
SSLAcceleration |
1 |
|
SSLReencrypt |
1 |
|
CipherSet |
BestPractices |
|
Intercept |
1 |
|
rule (use the command to add a WAF rule) |
G/ip_reputation%20G/known_vulns%20G/malware_detection%20G/botnet_attacks%20A/sharepoint_attacks%20A/iis_attacks |
|
CheckType |
https |
|
CheckUrl |
/ |
|
CheckHeaders |
Enter the HOST and URL of the Web Application configured in Alternate Access Mappings in the format HOST:URL. |
It is optional to add a HTTP redirector Virtual Service. Whether you require one or not depends on your environment.
All rules should be selected for each ruleset. Additional OWASP Core Rule Sets can be downloaded from the ModSecurity website to further secure the SharePoint environment.
Add any Real Servers as needed.
5 Enabling the Edge Security Pack (ESP) with SharePoint
If desired, you can use ESP with SharePoint. To do this, follow the steps in the ESP, Feature Description but ensure to select either Permanent Cookies Always or Permanent Cookies only on Private Computers for the Use Session or Permanent Cookies option.
Selecting a permanent cookie option ensures that Office documents can be opened correctly from SharePoint.
6 References
Unless otherwise specified, the documents below can be found at http://www.kemptechnologies.com/documentation
ESP, Feature Description
Web User Interface (WUI), Configuration Guide
IPsec Tunneling, Feature Description
Virtual Services and Templates, Feature Description
SSL Accelerated Services, Feature Description
Last Updated Date
This document was last updated on 26 May 2022.