Publishing SharePoint 2010 with UAG – Cannot Check Out Documents and They May Be Read-Only


Some of the more frustrating issues I come across when supporting UAG are encountered when publishing SharePoint. It seems as though SharePoint 2010 is particularly vulnerable to oddities when it is published through UAG, or any reverse proxy for that matter. Ben Ari has a great blog that goes a long way toward explaining why it can be challenging.

I used the concepts Ben laid out but I wanted to show you exactly what I did to solve this particular problem.

Note: In the resolution below I am making an assumption that you are using SSL on your UAG trunk to publish SharePoint. I highly recommend using SSL for security reasons.


You have SharePoint 2010 published through Unified Access Gateway 2010 but external users are unable to check out documents. Also, when choosing to Edit them they are “Read-Only”.

As you can see in Figure 1 below, the client is going to try to Check Out a document that is in the Shared Documents area.


Fig. 1

The user gets the below error which states “This document could not be checked out. You may not have permission to check out the document or it is already checked out or locked for editing by another user.” (Figure 2)


Fig. 2

You may also see an issue if you click on the document link and try to Edit it through the “Open Document” interface.  (Figure 3)


Fig. 3

The document opens up in Word or Excel, but the header bar says “Read-Only”. (Figure 4)



Fig. 4



To resolve this issue I have documented the exact steps I went through in my test lab. The figure below shows the only Alternate Access Mappings that existed before we started the steps to resolve it. (Figure 5)


Fig. 5


1.) From the SharePoint 2010 Central Administration click on Manage Web Applications (Figure 6).


Fig. 6

2.) Highlight the application you are publishing through UAG and click Extend to extend the web application. (Figure 7)


Fig. 7

3.) You will need to change the port to 80 (or 443 if you are set up for SSL) and you will also set a host header. Make up something unique but remember it for later. In this case I just called it “spexternal”. (Figure 8)


Fig. 8

4.) Scroll down on this same step and set the URL to be what your external users will use to access the application from outside your company. In this case I used  (Figure 9)

Set your zone to one that is not already being used. In this case I used Internet. (Figure 9)



Fig. 9

5.) Go back to the main page of your SharePoint Central Administration and click on “Configure Alternate Access Mappings” (Figure 10).


Fig. 10

6.) You will notice that there is now a new AAM for the Internet Zone (Figure 11).


Fig. 11

7.) Click on the right hand side where it says Alternate Access Mapping Collection and choose “Change Alternate Access Mapping Collection”. (Figure 12)


Fig. 12

8.) Again select the application you are publishing. In this case it is SharePoint – 80 (Figure 13).


Fig. 13

9.) Now you should see the AAMs that pertain only to that application. (Figure 14). Click Add Internal URLs.


Fig. 14

10.) Under “URL protocol, host and port” you will need to put the name you came up with in Step 3. In my case it was “spexternal”, and since the application is published on 80 I would use “http” as the protocol. Figure 15 shows that combined it would be http://spexternal

You also want to make sure that the Zone you chose in Step 4 is the one selected in the Zone dropdown box.

Click Save.


Fig. 15

11.) You should have something similar to Figure 16 now in your AAMs. It shows that the request that will be coming to SharePoint from the UAG Server will be http://spexternal and the URL that “Internet” users will utilize is



Fig. 16

12.) The last step is to edit the publishing rule on UAG to reflect the changes you made on SharePoint. In this case I went in to the “Web Servers” tab of the publishing rule and made sure that 80 is in the “HTTP Port:” field and that the “Replace the host header with the following” is checked and that it is using the name we chose in Step 3. In this case “spexternal”. (Figure 17). Click OK and then Activate in UAG and wait until it is synchronized.


Fig. 17
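Steps 1 through 11 can also be scripted from the SharePoint 2010 Management Shell, which makes the change repeatable and easy to verify. This is an added example, not part of the original post; the web application name and the placeholder external URL `https://portal.example.com` are assumptions to replace with your own values.

```powershell
# Added example: scripted equivalent of Steps 1-11 (SharePoint 2010 Management Shell).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumptions: adjust these values to match your farm.
$webAppName  = 'SharePoint - 80'             # name as listed in Manage Web Applications
$hostHeader  = 'spexternal'                  # host header chosen in Step 3
$externalUrl = 'https://portal.example.com'  # placeholder for the public URL from Step 4
$zone        = [Microsoft.SharePoint.Administration.SPUrlZone]::Internet

$wa = Get-SPWebApplication $webAppName -ErrorAction Stop

# Steps 2-4: extend the web application into a zone that is not already in use.
if ($wa.IisSettings.ContainsKey($zone)) {
    Write-Warning "Zone $zone is already in use on '$webAppName'; skipping the extend step."
} else {
    New-SPWebApplicationExtension -Identity $wa -Name "SharePoint - $hostHeader" `
        -Zone $zone -Port 80 -HostHeader $hostHeader -URL $externalUrl | Out-Null
}

# Steps 9-10: add http://spexternal as an internal URL in the same zone.
$internalUrl = "http://$hostHeader"
$existing = Get-SPAlternateURL -WebApplication $wa -Zone $zone |
    Where-Object { $_.IncomingUrl -eq $internalUrl }
if (-not $existing) {
    New-SPAlternateURL -Url $internalUrl -WebApplication $wa -Zone $zone -Internal | Out-Null
}

# Step 11: list the mappings for the zone and confirm that every incoming URL,
# including the one UAG will send, maps to the external public URL.
$mappings = Get-SPAlternateURL -WebApplication $wa -Zone $zone
$mappings | Format-Table IncomingUrl, PublicUrl -AutoSize

$mismatch = $mappings |
    Where-Object { $_.PublicUrl.TrimEnd('/') -ne $externalUrl.TrimEnd('/') }
if ($mismatch) {
    Write-Warning "Some mappings in zone $zone do not point to $externalUrl."
} elseif (-not ($mappings | Where-Object { $_.IncomingUrl -eq $internalUrl })) {
    Write-Warning "$internalUrl is missing from zone $zone."
} else {
    Write-Host "AAMs OK: $internalUrl -> $externalUrl"
}
```

Step 12 is not covered by the script: the host header replacement and HTTP port are still set on the publishing rule in the UAG management console.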

Congratulations! If you did everything correctly you should now be able to check out documents, and editing them will not show “Read-Only”.



Publishing SharePoint 2010 can be tricky, especially through UAG 2010. In this article I explained how to properly configure AAMs in SharePoint and the changes you need to make in UAG to get certain functions working correctly for external users.


Note: If the information contained here was useful please let me know in the comments below. Also, if there are any corrections needed or you would like to see future content on a particular subject please let me know that as well. Thanks!

Comments (1)

  1. SharePoint 2013 Administrator Training says:

    Wooh, this is a very informative article; you successfully did that with SharePoint 2010. Is this same process applicable to SharePoint 2013?
