Protecting enterprise systems is no less important with Windows Phone 7 than it is with conventional desktops, but the integration tools to do so differ. In order to access just about anything on your SharePoint farms with a Windows Phone 7 handset, you have to put Forefront's Unified Access Gateway in the middle (the only exception is by using the mobile Internet Explorer browser).
Unified Access Gateway (UAG) is Microsoft's secure access gateway and packet inspector designed to protect enterprise servers from inbound requests only; it does not provide general outbound filtering or any sort of outbound stateful packet inspection.
In general, the hub-based integration with Windows Phone 7 and SharePoint works only with SharePoint 2010. There are a couple other requirements:
- To connect to a site through the mobile workspace, you have to use a Wi-Fi connection -- not 3G.
- The target site has to use Windows authentication, rather than basic or any other form of authentication.
The first step to getting all of this working is to install UAG itself in front of your SharePoint server. Then, once the product has been deployed correctly, you create an HTTP trunk and then the SharePoint application within UAG. Here's a quick guide to doing just that within UAG.
To create an HTTP trunk:
1. Right-click HTTP Connections, and then click New Trunk, and then click Next.
2. Click Portal Trunk, and then click Next.
3. Enter a name in the Trunk name text box. In the Public Host Name text box, enter portal.yourdomain.com. This value gives the HTTP trunk an endpoint that is used to create a single portal environment that publishes the SharePoint site on a single page. Select the IP address corresponding to the external network, and click Next.
4. Click Add to open the dialog box that allows you to add the authentication server to the trunk. Then click Add again, and in the Server type drop-down list, select Active Directory. In the Server name text box, enter the name of the machine running SharePoint 2010. In the Connection settings section, click Define domain controllers, and then click Define. In the Domain Controllers dialog box, enter the internal IP address for the domain controller. Click OK.
5. In the Search settings section, click the ... button next to Base DN. In the Search Root dialog box, in the Select Base DN drop-down list, select CN=Users,DC=yourdomain,DC=com. Click OK.
6. Select the Include subfolders check box, set the Level of nested groups equal to 0, and in the Server access section, in the User (domain\user) text box, enter administrator credentials and then click OK, and then click Yes.
7. Select the server, and then click Select. Click User provides credentials for each selected server. Select the Use the same user name check box, and finally, click Next.
8. Click Use Forefront UAG access policies, and click Next twice.
9. Click Finish to finalize the setup.
Next, you create the SharePoint application in UAG:
1. In the Forefront UAG Management console Applications section, click Add, and in Add Application Wizard, click Next.
2. Click Web, and in the Web drop-down list, select Microsoft SharePoint Server 2010. Click Next.
3. In the Application name text box, enter a friendly name which will appear on the UAG Portal home page and click Next twice.
4. Click Configure an application server, and then click Next.
5. Leave Address type as IP/Host, and in the Addresses list, enter the host name or internal IP address of your SharePoint server. In the Paths list, leave the default "/" entry, and click HTTP port, and enter 80 in the box. (You can also use HTTPS and port 443 if you prefer.) In the Public host name text box, enter the alternate access mapping URL on the server running SharePoint that matches with the appropriate site collection. Click Next.
6. Select the Use SSO check box, click Add, and then in the Authentication and Authorization Server dialog box, select your machine. Click Select, and then in the Select client authentication method section, click Both. Select the Allow rich clients to bypass trunk authentication box, and also select the Use Office Forms Based Authentication for Office client applications check box. Then, click Next.
7. Click Yes, and in the Portal Link dialog box, select the Open in a new window check box. Click Next.
8. Select the Authorize all users check box, and click Next.
9. Click Finish.
It's a little complicated to set up, but once you get it working, the SharePoint Workspace Mobile hub within Windows Phone 7 is superb. It's included with all phones as part of the OS, so there are no individual device configurations to deploy, and it's part of the Office Mobile suite on the handset itself.
You can work on documents just as you would on a PC, save them back to the portal, get conflict resolution and even have the ability to store offline copies of files that automatically synchronize when a connection is restored.
And while you work, your UAG configuration keeps the whole setup secure.
ABOUT THE AUTHOR:
Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. His books include RADIUS, Hardening Windowsand, most recently, Windows Vista: Beyond the Manual.
This was first published in September 2011