Configure A Two-Way Hybrid Topology
Summary: Learn how to configure the infrastructure for SharePoint 2013 hybrid environments using a two-way authentication topology.
This article contains guidance for Phase 1 of the SharePoint hybrid environment deployment process, which integrates SharePoint Server 2013 and SharePoint
Online.
This is the first phase in the process to configure a SharePoint hybrid solution. The procedures in these articles must be completed in the order
shown:
For an overview of the whole process, see Plan a two-way hybrid topology.
After you complete and validate the procedures in this article, you’ll proceed to Phase 2: Configure a reverse proxy device for SharePoint Server 2013 hybrid.
If you haven’t already done this, read Plan a two-way hybrid topology before you start to configure anything. This is important because the planning article helps
you make important decisions and record them on the SharePoint hybrid deployment worksheet, referred to in the rest of this article as the worksheet. This in turn
informs which procedures in this article to use and which you can skip over.
If you’ve read the planning article, you should have already done the following:
Decided which authentication topology you need to deploy, based on the one or more solutions that you want to configure.
Decided whether to use an existing web application or create one for hybrid.
These decisions are recorded in Table 2 of the worksheet. If not, go back and read Plan a two-way hybrid topology and make these decisions
before you go any further.
1 of 18 05/07/2015 05:02 PM
Configure a two-way hybrid topology https://technet.microsoft.com/en-in/library/dn60...
If you want to deploy one or more solutions that require only the two-way authentication topology, you're in the right place. Otherwise, go to Configure a hybrid
topology for SharePoint Server 2013 and select the right article for the authentication topology that you need.
In addition to helping you understand which authentication topology to configure for a particular solution or for multiple solutions, the planning article also helps you
collect the information and files, such as certificates, that you need during this configuration phase.
Worksheet tips
Things will go a lot easier if all of the applicable information is entered on the SharePoint hybrid worksheet before you start to configure anything. At a minimum,
you need to know the following things to use this article.
Table: Decisions that should already be recorded on the SharePoint hybrid worksheet
Will you use an existing web application for hybrid or create one? | New or existing web application row of Table 2
What site collection strategy will you use? | Site collection strategy row of Table 2
What’s the IP address of the Internet-facing endpoint on the reverse proxy device that the external URL is associated with? | IP address of the external endpoint row of Table 3
Verify that these decisions are entered on the worksheet before you continue.
Configuration phases
In order to configure the environment infrastructure for a two-way authentication topology, you'll need both SharePoint Server 2013 interfaces, such as the
SharePoint Central Administration website, and the Administration pages in SharePoint Online. To prevent you from having to switch between these interfaces
more than necessary, we've organized the configuration steps into the following phases:
Create and configure a target application for the SSL certificate in SharePoint Online
Please complete each configuration step in the order shown in this article.
Important:
It is recommended that you thoroughly document your deployment strategy and that you maintain detailed work logs during the hybrid environment
configuration process. In any complex implementation project, a detailed record of every design decision, server configuration, procedure, and output is a
very important reference for troubleshooting, support, and awareness.
A public domain registered with a domain registrar, such as GoDaddy.com, that the URL of the external endpoint of the reverse proxy device is associated
with.
An A record in your public domain’s DNS zone that's associated with the published SharePoint site (which is the External URL, such as
spexternal.adventureworks.com). This enables Office 365 to send requests to the external endpoint on the reverse proxy device that’s configured for hybrid.
This A record maps the External URL to the IP address of the Internet-facing endpoint of the reverse proxy device. For more information, see Plan a
two-way hybrid topology.
If you don’t yet have a public domain that you want to use for this purpose (such as adventureworks.com), get one now, and then create this A record. If you
already took care of this during the planning phase, the name of your public domain and the IP address that you need to create this A Record are recorded in
Table 3 of the worksheet.
You have to complete the steps in the Add your domain to Office 365 article to add the host name of your public domain to Office 365.
Note:
The procedures in this section assume that you have an existing SharePoint Server 2013 farm that you intend to use for hybrid functionality.
If you haven't set these up previously, see Set up SharePoint services for hybrid environments for a fast way to configure them.
Tip:
You can use the Services on Server page in Central Administration to see whether these services are started.
2. Under Application Management, click Manage services on server. Applications that are started show Started in the Status column, as illustrated in
the following figure.
email property values. This metadata is used by the STS Service to construct security tokens during the authentication process.
For information about how to configure user profile synchronization in the User Profile Service, see Synchronize user and group profiles in SharePoint Server
2013.
For complete information about how to administer the User Profile Service, see Administer the User Profile service in SharePoint Server 2013.
Configure the App Management and Microsoft SharePoint Foundation Subscription Settings
services
You have to verify that the App Management and Microsoft SharePoint Foundation Subscription Settings services are started and configured. These services
must be enabled to support certain configuration procedures and to provide support when you register SharePoint Online as a high-trust app in SharePoint
Server 2013.
For information about how to enable and configure the App Management and Subscription Settings services, see the Configure the Subscription Settings and
App Management service applications section of Configure an environment for apps for SharePoint (SharePoint 2013).
This means that the Work email field in the on-premises SharePoint User Profile Store has to contain the federated email address. For example, if a
federated user logs on to the on-premises domain as adventureworks\karenb, and the public domain for the hybrid environment is adventureworks.com,
the federated email address is karenb@adventureworks.com.
For more information, see Adding and Editing User Profile Properties (http://go.microsoft.com/fwlink/?LinkId=392213).
During the planning phase, you should have decided whether you'll use an existing web application or create one and which site collection strategy you'll
configure. If so, your decisions are listed in the Site collection strategy row of Table 2 of the worksheet. If you haven't decided yet, review the Plan a two-way
hybrid topology article and make these decisions before you go any further.
Configure a site collection strategy by using a path-based web application (without AAM)
Configure a site collection strategy by using a path-based web application (with AAM)
1. Ensure that the web application and root site collection exist.
For more information, see the Choose a site collection strategy section of Plan a two-way hybrid topology.
Ensure that the primary web application and root site collection exist
The host-named site collection that you’ll create a bit later has to be created in a web application that’s configured to use the following:
You also need a path-based site collection to use as the root site collection in this web application.
If you identified a web application that you want to use during planning, it should be listed in the Primary web application URL row of
Table 5a of the worksheet.
If the web application and root site collection don’t exist, you’ll have to create them. You can do this by using either Central Administration or the
SharePoint 2013 Management Shell. If they already exist, go to Ensure that an SSL binding exists on the primary web application.
Here’s an example of how to create a web application by using the SharePoint 2013 Management Shell.
New-SPWebApplication -Name 'Adventureworks Web app' -SecureSocketsLayer -port 443 -ApplicationPool AdventureworksAppPool -A
Where:
Record the port number that you chose in the Port number of the web application row of Table 5a of the worksheet.
The new web application uses a web application pool named AdventureworksAppPool.
The web application is created by using Windows Integrated Authentication with NTLM.
Here’s an example of how to create the root site collection by using the SharePoint 2013 Management Shell.
New-SPSite 'https://sharepoint' -Name 'Portal' -Description 'Adventureworks Root site collection' -OwnerAlias 'adventurewor
Where:
For more information about how to create a web application and root site collection for a host-named site collection, see Create claims-based web
applications in SharePoint 2013 and Host-named site collection architecture and deployment (SharePoint 2013).
Tip:
This is typically a separate certificate from the one that you'll later install on the reverse proxy device. For more information, see the What SSL
Certificates do you need? section of Plan a two-way hybrid topology.
After the certificate is bound to the web application, you’ll be able to see this host name in the Issued To field in the Server Certificates dialog box in
Internet Information Services (IIS). For more information, see How to Set Up SSL on IIS 7.0.
Note:
Host-named site collections must be created by using the SharePoint 2013 Management Shell. You can't use Central Administration for creating this
type of site collection.
Here’s an example of how to create a host-named site collection by using the SharePoint 2013 Management Shell.
Where:
https://spexternal.adventureworks.com is the URL of the host-named site collection. This URL must be identical to the External URL.
https://sharepoint is the web application that the site collection is created in.
For more information, see Host-named site collection architecture and deployment (SharePoint 2013).
For more information about how to use split DNS in a hybrid topology, see Architecture Design Recommendation for SharePoint 2013 Hybrid Search
Features. For information about how to configure a split DNS, see A faulty split-brain DNS configuration can prevent a seamless SSO sign-in experience.
The External URL is recorded in the External URL row of Table 3 of the worksheet.
You have finished configuring the site collection strategy by using a host-named site collection for hybrid. Now, skip ahead to Assign a UPN domain suffix.
Configure a site collection strategy by using a path-based web application without AAM
If you want to configure a site collection strategy by using a path-based web application without needing to create an Alternate Access Mapping (AAM) for the
SharePoint hybrid environment, complete these steps in the order shown:
Note:
When you configure a site collection strategy without AAM, the public URL of the primary web application must be identical to the External URL.
For more information, see the Choose a site collection strategy section of Plan a two-way hybrid topology.
If during planning, you decided which existing web application to use as the primary web application, its URL should be recorded in the Primary web
application URL row of Table 5b of the worksheet. If so, skip ahead to Ensure that an SSL binding exists on the primary web application. Otherwise, to
create a web application to use as the primary web application, use the procedures in Create claims-based web applications in SharePoint 2013.
In general, you should use the default settings. However, the following configuration settings are required.
Location | Description
In the IIS Web Site section, in the Port box. | Type the port number that you want this web application to use—for example, 443. Record this port number in the Port number of the web application row of Table 5b of the worksheet.
In the Security Configuration section. | Ensure that Use Secure Sockets Layer (SSL) is set to Yes. You’ll have to bind an SSL certificate to the web application, which we discuss more in the next section. Record https in the Protocol of the web application row of Table 5b of the worksheet.
In the Claims Authentication Types section. | Select the Enable Windows Authentication check box, select the Integrated Windows authentication check box, and in the drop-down menu, select NTLM.
In the Public URL section, in the URL box. | Type the External URL—for example, https://spexternal.adventureworks.com. Important: By default, SharePoint appends the port number to the default URL that it recommends for this field. When you replace that URL with the external URL, don’t append the port number. This URL is recorded in the External URL row of Table 3 of the worksheet.
To make things easier for yourself in later procedures, we recommend that you do the following.
Get the URL from the Public URL section of the Create New Web Application page in Central Administration, and record it in the
Primary web application URL row of Table 5b of the worksheet.
Tip:
This is typically a separate certificate from the one that you'll later install on the reverse proxy device, but you can use the Secure Channel SSL
certificate for this if you want to. For more information, see the What SSL Certificates do you need? section of Plan a two-way hybrid topology.
The host name of the web application must be in the Subject field of the SSL certificate. After the certificate is bound to the web application, you can see
this host name in the Issued To field in the Server Certificates dialog box in Internet Information Services (IIS). For more information, see How to Set Up
SSL on IIS 7.0.
For more information about how to use split DNS in a hybrid topology, see Architecture Design Recommendation for SharePoint 2013 Hybrid Search
Features. For information about how to configure a split DNS, see A faulty split-brain DNS configuration can prevent a seamless SSO sign-in experience.
The External URL is recorded in the External URL row of Table 3 of the worksheet.
You have finished configuring the site collection strategy by using a path-based site collection without AAM for hybrid. Now, skip ahead to Assign a UPN
domain suffix.
Configure a site collection strategy by using a path-based web application with AAM
If you want to use a path-based web application with Alternate Access Mapping (AAM) for your site collection strategy, complete these steps in the order
shown:
3. Ensure that an SSL binding exists on the primary web application (if it is needed).
4. Configure AAM.
If you’ve already configured a different name mapping type, go to Assign a UPN domain suffix.
The following video demonstrates how a site collection strategy works with a path-based web application with AAM.
If during planning, you decided which existing web application to use as the primary web application, its URL should be recorded in the Primary web
application URL row of Table 5c of the worksheet. If so, skip ahead to Extend the primary web application. Otherwise, to create a web application to use
as the primary web application, use the procedures in Create claims-based web applications in SharePoint 2013. The SharePoint hybrid configuration is
not affected by the initial configuration of this web application when you configure this site collection strategy. This is because you’ll apply the settings that
you need for hybrid when you extend the web application a bit later. So you can use any settings that you want when you create a web application.
To make things easier for yourself in later procedures, we recommend that you record this information when you create the web
application:
Get the URL from the Public URL section of the Create New Web Application page in Central Administration, and record it in the
Primary web application URL row of Table 5c of the worksheet.
When you’ve completed the procedures in this section, you’ll have two IIS websites. Both are connected to the same content database. The original IIS
website will be unchanged and can continue to be accessed by internal users. The extended web application will use a different zone, such as the Internet
zone, and will be configured to use the External URL as the public URL. This extended web application is used only for servicing SharePoint hybrid
requests.
Important:
Ensure that you perform these procedures on the specific web applications that you intend to use as the primary web application for SharePoint hybrid
solutions. The URL of this web application that you have to extend is recorded in the Primary web application URL row of Table 5c of the worksheet.
To extend the web application, use the procedures in Extend claims-based web applications in SharePoint 2013. In general, you should use the default
settings. But, the following configuration settings are required.
Location | Description
In the IIS Web Site section, in the Port box | Ensure that the value is set to the appropriate port number for one of the following: If you decide to extend the primary web application for unencrypted HTTP connections, use port 80 or the HTTP port specified by the network administrator who configures the reverse proxy device. All inbound service connections from the reverse proxy device to the web application's site collection have to use HTTP. If you decide to configure the primary web application for encrypted HTTPS connections, use port 443 or the SSL port specified by the network administrator who configures the reverse proxy device. All inbound service connections from the reverse proxy device to the web application's site collection have to use HTTPS. Record the port number in the Port number of the extended web application row of Table 5c of the worksheet.
In the Security Configuration section | Choose the appropriate value for Use Secure Sockets Layer (SSL). If you choose No, the web application will use unencrypted HTTP. If you choose Yes, the web application will use encrypted HTTPS, and you must bind an SSL certificate to the extended web application. We discuss this certificate more in the next section. Record the protocol that you chose in the Protocol of the extended web application row of Table 5c of the worksheet.
In the Claims Authentication Types section | Select the Enable Windows Authentication check box, select the Integrated Windows authentication check box, and in the drop-down menu, select NTLM.
Important: By default, SharePoint appends the port number to the default URL that it recommends for this field. When you replace that URL with the external URL, don’t append the port number. This URL is recorded in the External URL row of Table 3 of the worksheet.
In the Public URL section, in the Zone list | Select the zone that you want to assign to this extended web application. We recommend that you set the Zone value to Internet if it’s available. Record the zone that you selected in the AAM Zone of the extended web application row of Table 5c of the worksheet.
Ensure that an SSL binding exists on the primary web application (if it's needed)
If you configured the extended web application to use SSL, you’ll have to ensure that an SSL certificate is bound to the web application that you extended
in the previous section. Otherwise, if you configured the extended web application for HTTP (unencrypted), skip ahead to Configure AAM.
For production environments, this certificate should be issued either by a public or an enterprise certification authority (CA). For test and development
environments, this can be a self-signed certificate. We call this the on-premises SharePoint SSL certificate.
Important:
This certificate must have the bridging host name of the URL in the Subject field. For example, if the bridging URL is https://bridge, the Subject field of
the certificate must contain bridge. Therefore, this certificate can’t be created by using IIS. But you can use a certificate creation tool such as
MakeCert.exe to create it. After the certificate is bound to the web application, you can see this host name in the Issued To field in the Server
Certificates dialog box in Internet Information Services (IIS).
Tip:
This is typically a separate certificate from the one that you'll later install on the reverse proxy device. For more information, see the What SSL
Certificates do you need? section of Plan a two-way hybrid topology.
For more information about how to set up SSL, see A guide to https and Secure Sockets Layer in SharePoint 2013.
Configure AAM
To enable SharePoint Server 2013 to dynamically translate links in requests by using the External URL, follow these steps.
To configure AAM
4. In the Alternate Access Mapping Collection section, click the down arrow, and then click Change Alternate Access Mapping Collection. In the
dialog box that is displayed, select the primary web application that you’re configuring for hybrid.
The URL of this web application is recorded in the Primary web application URL row of Table 5c of the worksheet.
5. In the Add Internal URL section, in the URL protocol, host and port box, type the URL you want to use as the bridging URL. This URL must have
the same protocol as the extended web application, either http or https. For example, if you configured the extended web application by using
https, the URL will resemble https://bridge.
a. The protocol that you used is recorded in the Protocol of the extended web application row of Table 5c of the worksheet.
b. Record this URL in the Bridging URL row of Table 5c of the worksheet.
6. In the Zone drop-down menu, select the same zone that you used when you extended the web application.
This zone is recorded in the AAM Zone of the extended web application row of Table 5c of the worksheet.
7. Click Save.
The URL that you specified in step 5 appears in the Internal URL column of the Alternate Access Mappings page.
Here’s an example CNAME record where the host name is Bridge, based on the bridging URL, https://bridge.
To verify that the alias name you chose for your CNAME record is resolving to the SharePoint Server 2013 farm, do the following verification step.
Verification step
1. Log on to the reverse proxy device as administrator and open a Windows command prompt.
2. Ping the alias name in the CNAME record. For example, if the alias name is Bridge, then type the following and press Enter.
ping bridge
The command prompt should return the IP address of the SharePoint farm that’s specified in the CNAME record. If not, verify that the fully qualified
domain name of the SharePoint farm is correctly specified in the CNAME record and then repeat these verification steps.
Note:
If the ping command is blocked on the network, try using either the tracert -4 or the pathping -4 command instead.
You have finished configuring the site collection strategy by using a path-based site collection with AAM for hybrid.
The following procedures show how to configure this manually. If you have many users that you want to federate, we recommend that you put all federated user
accounts into an OU and then create a script that will change the UPN domain suffix for each user account in that OU. For supported guidance on DirSync
filtering, see Configure filtering for directory synchronization. For information about how to create a script for this, see How Can I Assign a New UPN to All My
Users.
1. On the Active Directory server, open Active Directory Domains and Trusts.
2. In the left pane, right-click the top-level node, and then click Properties.
3. In the UPN suffixes dialog box, enter the domain suffix that you want for hybrid in the Alternative UPN suffixes box, and then click Add > OK.
Record the UPN domain suffix in the UPN Domain Suffix row of Table 3 of the worksheet.
1. In Active Directory Users and Computers, in the left pane, click the Users node.
2. In the Name column, right-click the user account that you want to federate, and then click Properties.
4. Select the UPN domain suffix (which you added in the previous procedure) from the drop-down list.
5. Repeat steps 2 through 4 for each additional user account that you want to federate.
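For the scripted alternative mentioned above (all federated accounts in one OU), the following is an added example and not part of the original article. It assumes the ActiveDirectory PowerShell module is installed; the OU path and suffix are placeholder values, and running it with -WhatIf lists the changes without applying them.

```powershell
# Added example (not from the original article): change the UPN domain suffix
# for every user account in one OU. Requires the ActiveDirectory module.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical OU that holds the accounts to federate.
    [string]$SearchBase = 'OU=FederatedUsers,DC=adventureworks,DC=com',
    # UPN domain suffix recorded in Table 3 of the worksheet (placeholder value).
    [string]$NewSuffix  = 'adventureworks.com'
)

Import-Module ActiveDirectory -ErrorAction Stop

# The suffix must be a domain name in the forest or a registered alternative
# UPN suffix; stop early instead of failing on every account.
$forest = Get-ADForest
$known  = @($forest.UPNSuffixes) + @($forest.Domains)
if ($known -notcontains $NewSuffix) {
    throw "UPN suffix '$NewSuffix' is not registered in forest '$($forest.Name)'. Add it in Active Directory Domains and Trusts first."
}

$changes = foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree) {
    # Keep the existing local part; fall back to sAMAccountName when no UPN is set.
    $local = if ($user.UserPrincipalName) {
        ($user.UserPrincipalName -split '@')[0]
    } else {
        $user.SamAccountName
    }
    $newUpn = "$local@$NewSuffix"

    # Nothing to do for accounts that already carry the suffix.
    if ($user.UserPrincipalName -eq $newUpn) { continue }

    # Skip the account if another one in this domain already uses the target UPN.
    $clash = Get-ADUser -Filter { UserPrincipalName -eq $newUpn }
    if ($clash) {
        Write-Warning "Skipping $($user.SamAccountName): $newUpn is already assigned to $($clash.SamAccountName)"
        continue
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set UPN to $newUpn")) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn
        # Emit one record per change so the run can be kept in the work log.
        [pscustomobject]@{
            Account = $user.SamAccountName
            OldUpn  = $user.UserPrincipalName
            NewUpn  = $newUpn
        }
    }
}

$changes | Format-Table -AutoSize
```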
After the UPN domain suffix is added to all user accounts that you want to federate, you have to run SharePoint user profile synchronization to update the
SharePoint User Profile Store with the new account UPNs that were entered in AD DS. For information about how to run profile sync, see Manage user profile
synchronization in SharePoint Server 2013.
Note:
If you configured your primary web application to use SSL, this step is not required, and you can skip ahead to Create and configure a target application for
the SSL certificate in SharePoint Online.
To enable OAuth over HTTP, run the following commands as a farm administrator account from the SharePoint 2013 Management Shell command prompt on
each web server in your SharePoint Server 2013 farm.
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()
If you have enabled OAuth over HTTP for testing but want to reconfigure your environment to use SSL, you can disable OAuth over HTTP. To do this, run the
following commands using a farm administrator account from the SharePoint 2013 Management Shell command prompt on each web server in your SharePoint
Server 2013 farm.
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $false
$serviceConfig.Update()
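To confirm that the OAuth-over-HTTP setting matches the protocol actually configured on the hybrid web application, the following check can be run from the SharePoint 2013 Management Shell. It is an added example, not part of the original article; the External URL value is a placeholder taken from the article's sample names, and the wording of the findings is this example's own.

```powershell
# Added example (not from the original article). Run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# External URL from Table 3 of the worksheet (placeholder value).
$externalUrl = 'https://spexternal.adventureworks.com'

$sts = Get-SPSecurityTokenServiceConfig

# Find the web application that is mapped to the External URL in any zone.
$webApp = Get-SPWebApplication | Where-Object {
    $_.AlternateUrls | Where-Object {
        $_.IncomingUrl.TrimEnd('/') -eq $externalUrl.TrimEnd('/') -or
        $_.PublicUrl.TrimEnd('/')   -eq $externalUrl.TrimEnd('/')
    }
} | Select-Object -First 1

if (-not $webApp) { throw "No web application is mapped to $externalUrl" }

# Every URL mapped to that web application, including a bridging URL added
# through Alternate Access Mapping.
$urls     = @($webApp.AlternateUrls | Select-Object IncomingUrl, UrlZone)
$httpUrls = @($urls | Where-Object { $_.IncomingUrl -like 'http://*' })

$finding = if ($sts.AllowOAuthOverHttp -and $httpUrls.Count -eq 0) {
    'AllowOAuthOverHttp is enabled although every mapped URL uses HTTPS. This looks like a leftover test setting; set it back to $false.'
} elseif ($sts.AllowOAuthOverHttp) {
    'AllowOAuthOverHttp is enabled and HTTP URLs are mapped. OAuth tokens can travel unencrypted on the URLs listed below.'
} elseif ($httpUrls.Count -gt 0) {
    'HTTP URLs are mapped but AllowOAuthOverHttp is $false. The enable-OAuth-over-HTTP step has not been applied for them.'
} else {
    'OK: all mapped URLs use HTTPS and OAuth over HTTP is disabled.'
}

[pscustomobject]@{
    Server             = $env:COMPUTERNAME
    WebApplication     = $webApp.Url
    AllowOAuthOverHttp = $sts.AllowOAuthOverHttp
    HttpUrls           = ($httpUrls | ForEach-Object { "$($_.IncomingUrl) [$($_.UrlZone)]" }) -join '; '
    Finding            = $finding
} | Format-List
```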
Create and configure a target application for the SSL certificate in SharePoint Online
In this section, you create and configure a Secure Store target application in SharePoint Online. This target application is used to store the Secure Channel SSL
certificate and enable it so that it can be used by SharePoint Online services when users request data from the on-premises SharePoint farm. We refer to this
target application as the Secure Channel Target Application.
To follow these steps, you need the information recorded in Table 4b of the worksheet.
Note:
You can use either a certificate that contains a private key, such as a Private Information Exchange (.pfx) file, or an Internet Security Certificate File (.cer). If
you use a .pfx file, you must provide a password for the private key later in this procedure.
When you configure SharePoint hybrid solutions in Phase 4: Configure a hybrid solution, you’ll provide the name of the target application that you created so that
SharePoint Online Search and Business Connectivity Services can get the Secure Channel SSL certificate that's needed to authenticate with the reverse proxy
device.
2. In the SharePoint Online Administration Center, in the left pane, choose secure store.
a. In the Target Application ID box, type the name (which will be the ID) that you want to use for the target application. For example, we recommend
that you name it SecureChannelTargetApplication. Do not use spaces in this name.
Note:
You create the ID in this step—you do not receive the ID from elsewhere. This ID is a unique target application name that cannot be changed.
Record this name in the Target Application ID row of Table 6 of the worksheet.
b. In the Display Name box, type the name that you want to use as the display name for the new target application—for example, Secure Channel
Target App.
Record this name in the Target Application Display Name row of Table 6 of the worksheet.
c. In the Contact E-mail box, type the name of the primary contact for this target application.
a. In the Field Name column, in the first row, delete any existing text that is in the box, and then type Certificate.
b. In the Field Type column, in the first row, in the drop-down list, select Certificate.
c. In the Field Name column, in the second row, delete any existing text that is in the box, and then type Certificate Password.
Note:
You must follow this step only if you are importing the certificate from a certificate that contains a private key, such as a Private Information
Exchange (.pfx) file.
d. In the Field Type column, in the second row, in the drop-down list, select Certificate Password.
6. In the Target Application Administrators section, in the box, type the names of users who will have access to manage the settings of this target
application. Make sure to add any users who will test the hybrid configuration so that they can make changes, if it's needed.
7. In the Members section, in the box, type the names of the Azure AD users and groups that you want to enable to use hybrid solutions.
The Office 365 global administrator can create Azure AD groups. These are domain groups, not SharePoint groups.
A list of these users, or the group they were added to, is listed in the Federated Users row of Table 1 of the worksheet.
8. Click OK.
9. Select the check box next to the ID of the target application that you created—for example, SecureChannelTargetApp.
This name is listed in the Target Application Display Name row of Table 6 of the worksheet.
11. In the set credentials for secure store target application dialog box, do the following:
b. Browse to the location of the Secure Channel SSL certificate, select the certificate, and then click Open.
The name and location of this certificate is recorded in the Secure Channel SSL Certificate location and filename row of Table
4b of the worksheet.
c. If the certificate you’re using contains a private key, such as a Private Information Exchange (.pfx) file, then in the Certificate Password field, type
the password of the certificate. Otherwise, go to step 12.
The password is recorded in the Secure Channel SSL Certificate password row of Table 4b of the worksheet.
d. In the Confirm Certificate Password field, retype the password of the certificate.
For more information, see Configure the Secure Store Service in SharePoint 2013.
Verify that your public Internet domain name can be resolved in DNS.
Verify that you can connect to the primary web application by using both the internal and external URLs.
Verify that you can successfully access an on-premises site collection within the primary web application from the Internet by using the external URL of your
reverse proxy endpoint. The computer that you use for this validation step must have the Secure Channel SSL certificate installed in the Personal certificate
store of the computer account.
After you have completed and validated the configuration tasks in this topic, go to Phase 2: Configure a reverse proxy device for SharePoint Server 2013 hybrid.
© 2015 Microsoft