Planning to implement endpoint access policies
Published: January 11, 2010
Updated: February 1, 2010
Applies To: Unified Access Gateway
You can use Forefront Unified Access Gateway (UAG) client endpoint policies to create tiers of access to sites and applications. Endpoint policies enable you to determine whether or not client endpoint devices are allowed to access internal sites and applications, or perform certain operations on the application servers, depending on the settings and features of the endpoint devices.
This topic describes:
Using endpoint policies—How to set up and use endpoint policies.
Session endpoint policies—What a session endpoint policy is, and how it helps control access to Forefront UAG.
Application endpoint policies—What an application endpoint policy is, and how it helps control access to Forefront UAG.
Endpoint detection—The Forefront UAG Endpoint Detection component, and how it provides the basis for allowing remote users to access Forefront UAG based on policies.
Using endpoint policies
You can set up your endpoint policies so that access to internal applications is allowed, as follows:
From corporate laptops—All applications are accessible.
From an Internet kiosk—Only Microsoft Office Outlook Web Access is accessible.
Other access scenarios are possible, depending on your requirements.
You can use endpoint policies to control access to:
Forefront UAG sites for default and privileged sessions.
Specific application features, such as downloading or uploading for Web applications, zones of a Web application defined by URLs, or printer, clipboard, and drive redirection for RemoteApps.
To publish an application, you must create a Forefront UAG trunk and add the application to the trunk. When you create a trunk, you assign the relevant endpoint policies to the trunk. When you add an application to a trunk, you assign the relevant policies to the application. An endpoint policy encompasses the conditions that apply to all endpoint devices, and is interpreted according to the operating system on which the computer runs, such as Windows or Linux. Different conditions can apply to different operating systems, according to the policies that you define.
An endpoint policy can be made up of operating system-specific policies or expressions, as follows:
Platform-specific policies—Platform-specific policies are enforced according to the operating system of the endpoint device from which the user accesses the Forefront UAG site. Available operating systems are Windows, Mac OS, and Linux.
Expressions—Expressions are conditions that are made up of variables, free VBScript text, or a combination of both. Each expression encompasses platform-specific expressions, which are enforced according to the operating system of the endpoint device from which the user accesses the Forefront UAG site. Use expressions to define an endpoint policy in deployments in which you do not have to address platform-specific issues. You can also use expressions, including platform-specific expressions, to define multiple conditions once, and then use them in several policies.
You can use the endpoint policies and expressions that are provided with Forefront UAG, edit them, and define additional policies and expressions, as required. Endpoint policies let you define multiple conditions once, and apply them to the Forefront UAG site and across several applications.
It is recommended that you tailor the default endpoint policies to your organization's security needs. For example, edit all platform-specific Default Web Application Access policies to check for the antivirus software that your corporate endpoint computers are running.
For more information about creating, editing, and removing policies and expressions, see Configuring Forefront UAG access policies.
Session endpoint policies
When you create a trunk, you can assign it both of the following session policies:
Session Access Policy—Defines access permissions to the site. Only endpoints that comply with the selected policy are allowed access.
Privileged Endpoint Policy—Defines the conditions that render an endpoint a privileged endpoint, which can enjoy session privileges.
You first select the session policies when you create a trunk. You can change the session policies later from within the Forefront UAG Management console.
Application endpoint policies
Application endpoint policies may be of the following types:
Access policies that control access to an application.
Download policies that help prevent sensitive data from spreading to endpoints that should not have access to it (for Web applications and browser-embedded applications only).
Upload policies that help prevent endpoints from sending malicious data, such as viruses, into the internal network (for Web applications and browser-embedded applications only).
Restricted zone policies that restrict access to sensitive areas of an application (for Web applications and browser-embedded applications only).
Printer, clipboard, and drive redirection policies for RemoteApps.
You first select the application endpoint policies when you create a trunk. You can change the application endpoint policies later from within the Forefront UAG Management console.
Endpoint detection
To assess the compliance of an endpoint with the Forefront UAG endpoint policies, Forefront UAG attempts to determine which security components are installed and running on the endpoint as soon as the user attempts to access the site. This is done by the Forefront UAG Endpoint Detection component, which is installed on the endpoint. The Endpoint Detection component verifies the identity of the Forefront UAG site against the site’s server certificate, and checks whether the site is on the user’s Trusted Sites list. Only if the site is trusted will the component run on the endpoint computer and collect the data that identifies which components are installed and running on the computer. When detection is not functional on an endpoint computer, access may be denied even though the endpoint might comply with the requirements of the policy. For example, if an application’s policy requires a running antivirus program, and such a program is already running on the computer, access to the application is still denied, because Forefront UAG cannot detect that the program is running on this computer.
Forefront UAG provides a default endpoint detection script (Detection.vbs). You can also create customized detection scripts.
Compliance with Forefront UAG endpoint policies is determined when a client endpoint computer first accesses the site. If a client’s computer settings that affect compliance are changed after login, users must log in again to apply the changes. When using NAP policies, enforcement is performed for the duration of the session.
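The following is an added model of the evaluation described on this page (session access policy, privileged endpoint policy, per-application policies with one condition per platform, and the fail-closed behavior when detection does not run); it is illustrative code, not Forefront UAG's own implementation or expression syntax, and the policy contents, endpoint facts, and application names are constructed assumptions that mirror the laptop and kiosk tiers above.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict

# Hypothetical endpoint report, standing in for what a detection component returns (constructed).
@dataclass
class Endpoint:
    platform: str                 # "Windows", "Mac OS" or "Linux"
    detection_ran: bool           # False when the site is untrusted or detection failed
    facts: Dict[str, object] = field(default_factory=dict)

Condition = Callable[[Dict[str, object]], bool]

@dataclass
class Policy:
    """A policy holds one condition per platform; a platform with no condition is non-compliant."""
    per_platform: Dict[str, Condition]

    def complies(self, ep: Endpoint) -> bool:
        # Fail closed: without detection data compliance cannot be proven (the antivirus
        # example in the text), so the endpoint is treated as non-compliant.
        if not ep.detection_ran:
            return False
        cond = self.per_platform.get(ep.platform)
        return bool(cond and cond(ep.facts))

def expression(var: str, expected=True) -> Condition:
    """A reusable 'expression' over one detected variable, shared by several policies."""
    return lambda facts: facts.get(var) == expected

# Constructed policies mirroring the corporate-laptop / Internet-kiosk tiers.
session_access = Policy({"Windows": expression("antivirus_running"),
                         "Mac OS": expression("antivirus_running"),
                         "Linux": expression("antivirus_running")})
privileged = Policy({"Windows": lambda f: f.get("domain_joined") and f.get("antivirus_running")})
app_access = {
    "Outlook Web Access": session_access,   # reachable from any compliant endpoint
    "Internal file share": privileged,      # reachable from corporate laptops only
}
app_download = {"Outlook Web Access": privileged}   # downloads only from privileged endpoints

def evaluate(ep: Endpoint) -> Dict[str, object]:
    """Return the access tier an endpoint gets: session, privilege and per-application rights."""
    result = {"session": session_access.complies(ep)}
    if not result["session"]:
        return result  # non-compliant with the session policy: no site access at all
    result["privileged"] = privileged.complies(ep)
    result["apps"] = {name: pol.complies(ep) for name, pol in app_access.items()}
    result["download"] = {name: pol.complies(ep) for name, pol in app_download.items()}
    return result
```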
Information collected from client endpoints
If endpoint detection is enabled on the client endpoint, then while the user works with the Forefront UAG site, the Endpoint Detection component collects the following information, in addition to identifying settings and features on the client endpoint:
Network domains—Domain Name System (DNS) and NetBIOS.
User information—User name and user type.
Certificates in “My certificate store”—Certificate issuer and certificate subject.
If required (for example, to comply with legal or corporate guidelines), you can configure Forefront UAG so that users are notified before the information is retrieved from their device and are prompted to give their consent for the site to collect such information. You configure this setting by selecting the Prompt user before retrieving information from endpoint check box on the Endpoint Access Settings tab of the Advanced Trunk Configuration dialog box. On endpoints where users do not give their consent, detection is not performed.