The best practice for publishing an Internet-facing SharePoint site is to use ISA as a reverse proxy, which provides an additional layer of security between the SharePoint portal and the end user. This prevents traffic originating from the Internet from ever reaching the internal protected network. Instead, the traffic terminates in the DMZ at the ISA server, which performs Active Directory or Forms Based authentication through LDAP, LDAPS, or RADIUS. It then proxies the content from the internal network to the DMZ and on to the end user.
One of the “gotchas” of publishing SharePoint through ISA is the way ISA handles authentication and cookies. By default, ISA will not issue persistent cookies to the web browser. This requires your users to authenticate multiple times while navigating the portal between site collections or opening a document in a document library. This of course provides maximum security; however, it's also a nuisance to most users.
This setting can be changed to allow persistent cookies, which will then behave like Integrated Windows Authentication once the user has logged in the first time. The downside to this configuration is that the user will remain logged in until they manually sign out, even if the browser is closed or the computer restarted.
An acceptable compromise is to configure persistent cookies only for computers selected as Private Computers during the login process. This allows users to select how ISA should act depending on which computer they are accessing SharePoint from.
To set persistent cookies, go to the Forms tab on the web listener for that ISA rule and click Advanced:
Now when the user selects Private Computer, ISA won’t keep asking for authentication:
Users should be educated on the consequences of this choice so that they do not compromise the portal by using this option on public Internet terminals or publicly accessible computers.
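To confirm the listener behaves as configured, capture the Set-Cookie headers returned after a Public Computer login and after a Private Computer login, then check which cookies carry an expiry. The following is an added example, not part of the original post; the cookie names and header values are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def cookie_lifetime(set_cookie, now):
    """Classify a Set-Cookie value as 'session', 'persistent' or 'deleted'."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # Max-Age wins over Expires (RFC 6265); a missing or bad Max-Age is ignored.
    try:
        return name, "persistent" if int(attrs["max-age"]) > 0 else "deleted"
    except (KeyError, ValueError):
        pass
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            # An expiry in the past is the server clearing the cookie.
            return name, "persistent" if expires > now else "deleted"
        except (TypeError, ValueError):
            pass  # unparseable date: the attribute is ignored
    return name, "session"  # no usable expiry: a session cookie

def audit(captures, now):
    """Return (mode, cookie) pairs that break 'persistent only on private'."""
    findings = []
    for mode, headers in captures:
        for header in headers:
            name, kind = cookie_lifetime(header, now)
            if mode == "public" and kind == "persistent":
                findings.append((mode, name))
    return findings

# Constructed sample data: login mode chosen on the form, then the headers seen.
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)
CAPTURES = [
    ("public", ["auth_cookie=abc; path=/; secure; HttpOnly"]),
    ("private", ["auth_cookie=def; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/"]),
    # What a listener issuing persistent cookies on all computers would send:
    ("public", ["auth_cookie=ghi; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/",
                "old_cookie=; Max-Age=0; path=/"]),
]

if __name__ == "__main__":
    for mode, name in audit(CAPTURES, NOW):
        print(f"VIOLATION: {mode} login received persistent cookie {name}")
```

A cookie cleared with `Max-Age=0` or a past `Expires` is reported as deleted rather than persistent, so sign-out responses do not produce false findings.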