Identifying your infrastructure deployment goals

Updated: February 15, 2013

Applies To: Unified Access Gateway

After you have identified your infrastructure design requirements for each stage of the Forefront Unified Access Gateway (UAG) deployment, you must evaluate your specific deployment goals, and clearly pinpoint infrastructure modifications that are required to meet each goal. Depending on the size of your organization, this might involve multiple IT staff, in addition to the Forefront UAG administrator. Use this guide to help each person involved to identify the shifts that are required in the existing infrastructure, in order to deploy Forefront UAG successfully.

For information on identifying your infrastructure design requirements, see Identifying your infrastructure design requirements.

The following table summarizes the possible deployment goals and provides an overview of the infrastructure modifications required for each goal. Each deployment goal is listed below, followed by the infrastructure modifications it requires.

Deploy a single Forefront UAG server

This goal requires you to deploy and install a single Forefront UAG server in your existing network infrastructure.

Infrastructure design modifications include:

  1. Placing the Forefront UAG server into your corporate topology, and configuring any corporate firewalls to allow traffic to and from the Forefront UAG server.

  2. Adding the Forefront UAG server to a domain or a workgroup.

  3. Configuring network addressing and routing.

  4. Configuring internal and external DNS servers.

Deploy multiple Forefront UAG servers

This goal requires you to deploy and install multiple Forefront UAG servers in your existing network infrastructure.

Infrastructure design modifications include:

  1. Placing the Forefront UAG servers into your corporate topology, and configuring any corporate firewalls to allow traffic to and from the Forefront UAG servers.

  2. Adding the Forefront UAG servers.

  3. Configuring network addressing and routing.

  4. Configuring internal and external DNS servers.
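The following PowerShell script is an added example, not part of the Forefront UAG documentation or product, that checks the items listed for the single-server and multiple-server goals above before installation: domain or workgroup membership of each planned server, resolution of the published name and of backend names, and TCP reachability of a backend port through the corporate routing and firewall configuration. The server names, host names and resolver address are placeholders.

```powershell
# Added example (not part of the Forefront UAG documentation): pre-deployment checks
# for domain membership, name resolution and backend reachability on one or more
# planned Forefront UAG servers. All host names and addresses below are placeholders.

function Get-UagDomainStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        # Win32_ComputerSystem reports domain membership; the Domain property holds
        # the workgroup name when PartOfDomain is false.
        $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $c
        New-Object PSObject -Property @{
            ComputerName      = $cs.Name
            PartOfDomain      = $cs.PartOfDomain
            DomainOrWorkgroup = $cs.Domain
        }
    }
}

function Test-UagNameResolution {
    param([string[]]$Name, [string]$DnsServer)
    # With -DnsServer, query that resolver directly (for example an external resolver
    # for the published portal name); otherwise use the server's configured DNS.
    foreach ($n in $Name) {
        if ($DnsServer) {
            $out = & nslookup.exe $n $DnsServer 2>&1 | Out-String
            $ok  = $out -notmatch "can't find|Non-existent domain"
            New-Object PSObject -Property @{ Name = $n; Resolver = $DnsServer; Resolves = $ok; Detail = $out.Trim() }
        } else {
            try {
                $addrs = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
                New-Object PSObject -Property @{ Name = $n; Resolver = 'system'; Resolves = $true; Detail = ($addrs -join ', ') }
            } catch {
                New-Object PSObject -Property @{ Name = $n; Resolver = 'system'; Resolves = $false; Detail = $_.Exception.Message }
            }
        }
    }
}

function Test-UagBackendReachable {
    param([string[]]$HostName, [int]$Port = 443)
    # Routing and firewall check: a TCP connect to the port the published application
    # listens on, which is what the UAG server actually needs, rather than ICMP echo.
    foreach ($h in $HostName) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($h, $Port)
            $open = $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{ HostName = $h; Port = $Port; TcpOpen = $open }
    }
}

# Example run with placeholder names (replace with your own):
Get-UagDomainStatus -ComputerName 'UAG01', 'UAG02' | Format-Table -AutoSize
Test-UagNameResolution -Name 'portal.example.com' -DnsServer '198.51.100.53' | Format-Table -AutoSize
Test-UagNameResolution -Name 'sharepoint.corp.example' | Format-Table -AutoSize
Test-UagBackendReachable -HostName 'sharepoint.corp.example' -Port 443 | Format-Table -AutoSize
```

Run it from a planned Forefront UAG server (or array member). Querying remote computers with Get-WmiObject requires WMI access to them; the external-resolver check only proves what that one resolver returns, so confirm the published name from an Internet-connected client as well.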

Deploy Forefront UAG endpoints

This goal includes allowing remote endpoints to access corporate applications and resources via Forefront UAG. You can install Forefront UAG endpoint components online when clients connect to a trunk, or offline using the Forefront UAG Client Components installer or an installation file.

Infrastructure design modifications include:

  1. Ensure that managed endpoints that will connect to Forefront UAG are running an operating system and browser that allow them to access published applications.

  2. Ensure that managed endpoints have the correct permissions and Internet Explorer settings to enable the installation of components in online or offline mode.

Authenticate clients for access to Forefront UAG portals and published applications

This goal requires you to configure front-end authentication to verify the credentials of clients connecting to Forefront UAG portal and site sessions. If the backend published servers require authentication, it also requires you to set up authentication mechanisms for verifying client credentials on backend servers. In addition, Forefront UAG supports single sign-on, allowing you to pass credentials supplied during session sign-on to backend servers, so that clients sign on only once.

The following infrastructure design modifications are required:

  1. Set up a client authentication infrastructure.

  2. If you want to implement single sign-on using Kerberos constrained delegation, configure the Kerberos infrastructure.

  3. If you want to use Active Directory Federation Services (ADFS), deploy an ADFS server.

Verify the health of endpoints connecting to Forefront UAG

Forefront UAG can verify the health of endpoints against built-in Forefront UAG access policies, or against Network Access Protection (NAP) policies downloaded from a Network Policy Server (NPS). In addition to access policies, you can also implement granular authorization policies for applications and resources published in a portal, allowing only authorized users and groups to access specific portal applications.

The following infrastructure design modifications are required:

  1. If you want to use NAP policies for endpoint health checking, set up and configure NPS servers.

  2. To set up certified endpoints, a certification authority (CA) is required to issue client certificates to endpoints. You can set up the CA remotely, or locally on the Forefront UAG server.

Limit application access to specific users and groups

This goal requires you to configure portal authorization to control access to portal applications.

The following infrastructure design modifications are required:

  1. Set up an authentication server so that you can use users and groups for portal authorization.

  2. Set up users and groups on the authentication server.

Differentiate between different types of endpoints, and define some endpoints as privileged

This goal requires you to configure endpoints as certified, and assign them a more permissive access policy.

The following infrastructure design modifications are required:

  • Certified endpoints use a client certificate for certification and identification. You must have a certification authority set up either locally on the Forefront UAG server, or remotely, in order to deploy certificates to clients.

Publish internal applications and resources via Forefront UAG

This goal requires you to set up Forefront UAG trunks. Using trunks, you can create a Forefront UAG portal or a Web site for accessing a single Web application. After creating a portal trunk, you add applications and resources to it, in order to publish them via the trunk.

Infrastructure design modifications include:

  1. If you want endpoints to access Forefront UAG portals or sites over an HTTPS connection, the Forefront UAG server or array members hosting the site must have a server certificate to present to endpoints connecting over HTTPS.

  2. If there is an HTTPS connection between the Forefront UAG server and the backend published servers, server certificates are required on backend servers to authenticate the HTTPS connection.

  3. If you want to publish Remote Desktop Services (RDS), ensure that endpoints comply with system requirements.

  4. If you want to publish File Access and Local Drive Mapping applications, ensure that Forefront UAG servers belong to a domain.
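The following PowerShell script is an added example, not part of the Forefront UAG documentation or product, for the two certificate items above: it locates the server certificate for a published host name in the local machine store and reports whether it has a private key, when it expires and whether its chain builds on this server, and it opens a TLS session to a backend server the way the UAG server would and reports the certificate it presents together with any name or chain errors. The host names are placeholders.

```powershell
# Added example (not part of the Forefront UAG documentation): certificate checks
# for HTTPS on the UAG side and on the backend side. Host names are placeholders.

function Get-UagServerCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    # Find certificates whose Subject CN or Subject Alternative Name covers the
    # published host name (exact match; wildcard certificates are not matched here).
    Get-ChildItem $StorePath | Where-Object {
        $cert = $_
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $escaped = [regex]::Escape($HostName)
        ($cert.Subject -match "CN=$escaped(,|$)") -or ($sanText -match "DNS Name=$escaped(,|$)")
    } | ForEach-Object {
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($_)
        New-Object PSObject -Property @{
            Thumbprint      = $_.Thumbprint
            Subject         = $_.Subject
            HasPrivateKey   = $_.HasPrivateKey    # required to terminate HTTPS on the UAG server
            DaysUntilExpiry = [int]($_.NotAfter - (Get-Date)).TotalDays
            ChainBuilds     = $chainOk            # false: issuing CA is not trusted on this server
            ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
}

function Test-UagBackendHttps {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    # Open a TLS session to the backend and record the policy errors the .NET
    # validator reports (name mismatch, untrusted chain, ...). The callback returns
    # $true only so the handshake completes and the result can be reported here.
    $script:uagPolicyErrors = 'None'
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:uagPolicyErrors = $sslPolicyErrors.ToString()
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        New-Object PSObject -Property @{
            HostName     = $HostName
            Subject      = $remote.Subject
            Issuer       = $remote.Issuer
            NotAfter     = $remote.NotAfter
            PolicyErrors = $script:uagPolicyErrors   # anything other than 'None' needs fixing before publishing
        }
    } finally {
        $client.Close()
    }
}

# Example run with placeholder names (replace with your own):
Get-UagServerCertificate -HostName 'portal.example.com' | Format-List
Test-UagBackendHttps -HostName 'sharepoint.corp.example' | Format-List
```

Run it on the Forefront UAG server or on each array member, since each member hosting the trunk needs its own copy of the server certificate with the private key, and each member must trust the CA that issued the backend certificates for the UAG-to-backend HTTPS connection to validate.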

Log Forefront UAG information

A number of logging options are available; they involve the following infrastructure modification:

  • Set up a logging server. If you do not use the built-in Forefront UAG logging reporter, you can log to a Syslog server, a RADIUS accounting server, an SMTP server, or a local or remote SQL Server.

Monitor Forefront UAG activity

If you have Microsoft System Center Operations Manager 2007 deployed in your organization, configure the Forefront UAG management pack.

Next steps in planning your infrastructure design

Mapping your deployment goals to an infrastructure design