Planning for client authentication
Published: January 11, 2010
Updated: February 1, 2010
Applies To: Unified Access Gateway
Forefront Unified Access Gateway (UAG) allows you to control client endpoint access to published resources, by using the following methods:
Require an HTTPS channel between client endpoints and the Forefront UAG server.
Apply session authentication. You can require client endpoints to authenticate in order to connect to a portal or an individually published Web application.
Client endpoint access over HTTPS
When you create a trunk to publish a portal or specific Web application, you can specify that client endpoints must communicate with the Forefront UAG server over an HTTPS connection. In this case, you must select a server certificate when you configure the trunk. This certificate is used to authenticate the Forefront UAG server to the client endpoint.
About session authentication
Forefront UAG enables you to control access to internal resources by verifying end user credentials against an authentication database. A portal or application session is opened only for end users who authenticate successfully; end users who cannot authenticate successfully do not gain access. Access is granted per end user, and each authentication instance is only valid for one session. Forefront UAG seamlessly integrates with numerous authentication schemes even if the application being protected has no inherent support for the method you choose to implement, such as, where Forefront UAG serves as a client of the third-party authentication server. In addition, Forefront UAG also enables periodic reauthentication by applying a logoff scheme. After a predetermined time, end users must resubmit credentials to continue working; otherwise, their sessions are terminated.
To define session authentication, you should define an authentication server against which the credentials of end users who connect to a portal or application session are verified. For more information about Forefront UAG client authentication schemes, see Implementing frontend authentication.