SharePoint 2010–Best Practices for Alternate Access Mappings (AAM)

Have I done a soap-box post recently?  Yup, this one. 

There is an awful lot of misunderstanding about the concept of Alternate Access Mappings (AAM) in the SharePoint world.  It seems like every SharePoint consultant I talk to has a different opinion on why and how the AAM setting should be used, with a lot of it boiling down to the old stand-by of “it depends”.  So, this is how I’ve set up my standards so that I always have a certain level of consistency across the farm.

At its most basic level, AAMs are configuration settings in SharePoint Central Admin that tell SharePoint how to map a web request to the correct web application so that SharePoint can respond with the correct content.  They then tell the SharePoint content engine what zone and URL to use in relative links as users continue to surf that SharePoint site.

The major reason we need this is that there are very common Internet and load balancing scenarios where the URL of a web request received by IIS is not the same URL that the end user entered in their web browser.  There are also various health monitoring tools that need to access each individual WFE to verify that the server is up and responding correctly.  Additionally, we see situations where search-driven applications accessed internally and externally need to work within the same zone in order to return result URLs that make sense in the context of where the site is being accessed from.

Because we can also host multiple web applications within our SharePoint farm, we need to make sure the nomenclature and zones are correctly set up so that when performing a global enterprise search, if a user has accessed the site from the “Intranet” zone, all search result URLs will utilize the other web application “Intranet” zones as well.

When it comes to Public URLs and Internal URLs, what’s the difference?

Public URLs: what the user types into the browser address bar to access the site.

Internal URLs: what load balancers, reverse proxy, NAT and port forwarding devices use to forward a user request to the farm.  This is where you may see individual WFE IP addresses and non-standard ports.

If I change an AAM, why don’t the IIS bindings change to match them?

That would be a cool feature; I’m not really sure why something like that isn’t implemented yet.  For the time being, if you add additional AAMs you’ll need to remote into the WFEs and add the additional bindings to the web applications of your choice.  Don’t forget that if you’re using FQDNs (and you should always have an FQDN for your farm) you’ll need the appropriate DNS entries as well.

Great, I totally understand AAMs.  Now what are the best practice standards for how they are set up?

While I can’t speak to every situation, this is generally how I define my zones and set up my Alternate Access Mappings (AAMs).  Default and Intranet should always be used; the rest are of course optional. Whatever naming convention you use, be consistent!

Default: always the FQDN in the form of “http://WEBAPP.Company.com” (or “http://WEBAPP.domain.local” – whatever your FQDN format happens to be)

Intranet: Just the name of the webapp itself in the form of “http://WEBAPP”.  It is important to use a single name, without any “.”s in the name, as some Windows applications will see “.” in the address and will assume “Internet” zone for the address, which can lead to some interesting authentication issues with Microsoft Office applications.  Resources accessed internally work best with a single name address.

Internet: Almost always prefixed with “WWW” in the form of “http://www.WEBAPP.Company.com” – this identifies the access URL as a public facing or externally accessible site.  Remember there is no magic to using www, it is just a naming convention and you still need to do all the leg work to set up your firewall/NAT/port forwarding.  Seems obvious to some, but you’d be surprised what some non-technical people will assume.

Custom: In all honesty I have never used this field for anything more than specialized one-off URL testing and sometimes for SSL cert verification (which generally should go on the load balancer anyways) or when I’m looking to rename a site for business reasons and want to test out the site using the new URL.  I have never actually seen this field in use for normal production applications.

Extranet: Every company will be different, but I like to use the “PARTNERS” prefix, in the form of “http://partners.WEBAPP.Company.com”.  You can use CLIENTS or CUSTOMERS as well; just be consistent in your naming convention, and if you do have variations for business reasons make sure the rules are clearly documented.
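The zone convention above, together with the earlier point that IIS bindings do not follow AAM changes, can be checked with a read-only audit. This is an added example, not part of the original post: it assumes the SharePoint snap-in and the WebAdministration module are available on the WFE, uses this post's www/partners prefixes as the naming rules, and compares host names only (not ports or the owning IIS site).

```powershell
# Added example: read-only audit of AAMs against the zone convention in this post.
# Run in the SharePoint 2010 Management Shell on each WFE (PowerShell 2.0 compatible).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# Host headers bound in IIS on this server; '' is a binding that accepts any host name.
# Simplification (assumption): ports and the owning IIS site are not compared.
$bound = @(Get-WebBinding | Where-Object { $_.protocol -like 'http*' } |
    ForEach-Object { ($_.bindingInformation -split ':')[-1].ToLower() })

# Naming rules for public URLs. The www/partners prefixes are this post's convention.
$rules = @{
    Default  = { param($h) $h -like '*.*' }        # FQDN
    Intranet = { param($h) $h -notlike '*.*' }     # single-label name, no dots
    Internet = { param($h) $h -like 'www.*' }
    Extranet = { param($h) $h -like 'partners.*' }
}

$findings = foreach ($wa in Get-SPWebApplication) {
    foreach ($zone in 'Default', 'Intranet', 'Internet', 'Custom', 'Extranet') {
        $aams = @(Get-SPAlternateURL -WebApplication $wa -Zone $zone)
        # Default and Intranet are the two zones the post says should always be used.
        if (($aams.Count -eq 0) -and (('Default', 'Intranet') -contains $zone)) {
            New-Object PSObject -Property @{
                WebApp = $wa.DisplayName; Zone = $zone; Url = ''; Issue = 'zone not configured' }
        }
        foreach ($aam in $aams) {
            $hostName = ([Uri]$aam.IncomingUrl).Host.ToLower()
            $issues = @()
            # A zone's public URL is listed as an internal URL that maps to itself.
            $isPublic = $aam.IncomingUrl -eq $aam.PublicUrl
            if ($isPublic -and $rules.ContainsKey($zone) -and -not (& $rules[$zone] $hostName)) {
                $issues += "public URL breaks the $zone naming rule"
            }
            if (($bound -notcontains $hostName) -and ($bound -notcontains '')) {
                $issues += 'no IIS binding for this host on this server'
            }
            foreach ($issue in $issues) {
                New-Object PSObject -Property @{
                    WebApp = $wa.DisplayName; Zone = $zone; Url = $aam.IncomingUrl; Issue = $issue }
            }
        }
    }
}
$findings | Sort-Object WebApp, Zone | Format-Table WebApp, Zone, Url, Issue -AutoSize
```

An empty result means every mapping matches the rules and has a host header (or a catch-all binding) on the server where the script ran; repeat it on each WFE, since bindings are per server.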

Great, so I’m all set?

NO!  Whatever you decide to use as standards, you absolutely must document them somewhere accessible (like say, SharePoint?) and then get agreement on these standards going forward.  You may have it clear in your head and totally understand how things should be set up, but when you win the lottery or move on to your next gig, if the company doesn’t have a documented standard to refer to going forward, all your hard work will go down the tubes.  Entropy sets in and the standards will be diluted by those who come after you unless you leave behind some sort of guiding principles.

5 thoughts on “SharePoint 2010–Best Practices for Alternate Access Mappings (AAM)”

  1. I am having an issue in one SharePoint site. We have recently migrated from 2007 to 2010.

    Problem: Not able to browse the website first time. It needs 3-4 refreshes to browse and this is intermittent. Even on the server we are not able to browse the site at all. It's showing a blank page only.

    We have checked DNS entries and everything is right.

    Error in SP Logs: Alternate access mappings have not been configured. Users or services are accessing the site http://xx.company.com with the URL http://xx. This may cause incorrect links to be stored or returned to users. If this is expected, add the URL http://xx as an AAM response URL.

    AAM settings:
    Internal URL             Public URL
    http://servername        http://xx.company.com
    http://xx.company.com    http://xx.company.com

    Please help.
    Thank you

  2. Also try to check the antivirus installation.
    Uninstall and check whether the site is working.
    Accordingly check the antivirus
