About SSL tunneling

Updated: February 15, 2013

Applies To: Unified Access Gateway

Some of the Forefront Unified Access Gateway 2010 SP3 features discussed in this article may be deprecated and may be removed in subsequent releases. For a complete list of deprecated features, see Features Deprecated in Forefront UAG SP3.

When Forefront Unified Access Gateway (UAG) publishes non-Web applications over a secure sockets layer (SSL) connection, SSL tunneling wraps the application traffic at the client endpoint in SSL encryption and tunnels it to the SSL VPN gateway, that is, Forefront UAG. The SSL VPN gateway decrypts the traffic and sends the payload to the application server in the internal network. The Forefront UAG Socket Forwarding component add-on, which is based on Layered Service Provider and Named Service Provider technologies, supports a wider variety of applications, such as applications that jump ports, without requiring changes to the running operating system. The Forefront UAG SSL Network Tunneling component provides full VPN access to the corporate network.

The SSL Application Tunneling component tunnels application traffic through SSL using one of the following relay types:

  • Simple relay—Opens a port on the client endpoint and tunnels TCP traffic to and from a specific port on the application server. With this type of relay, the application client on the endpoint must connect to the locally opened port in order to reach the application server; the destination is fixed and cannot be changed by the application client. To direct the application client through this port, the SSL Application Tunneling component makes changes on the endpoint, such as changes to the application client settings, the Windows registry, or the Windows hosts file.

  • HTTP Proxy and SOCKS Proxy relays—Open a port on the client endpoint. The SSL Application Tunneling component acts as either an HTTP proxy server or a SOCKS proxy server and tunnels the HTTP or SOCKS traffic to and from the application server. With this type of relay, the application client on the endpoint can reach multiple servers and ports through the single locally opened port, because the client names the destination in each proxy request. As with the simple relay, the SSL Application Tunneling component makes changes on the endpoint, such as changes to the application client settings, the Windows registry, or the Windows hosts file, to direct the application client through this tunnel. Because each proxy request can name a different server and port, this type of relay lets the SSL VPN proxy reach more than one server and so supports applications that use dynamic ports.

    Note

    In browsers where the Java applet is used, when multiple portals are open concurrently, only applications that are launched from the portal that was accessed first can listen on HTTP or SOCKS proxy ports. Users cannot launch applications that use HTTP proxy and SOCKS proxy relays from additional portals.

  • Transparent relay—Automatically creates a relay between the client endpoint and the application server, for every application client on the endpoint that wants to communicate with the internal network. This type of relay is supported only by the Forefront UAG Socket Forwarding component and does not require any changes on the endpoint.

    Note

    The Socket Forwarding component is an ActiveX component and can run only on Windows operating systems with Internet Explorer.

  • SSL Network Tunneling component—This component supports full connectivity over a virtual transparent connection, and enables you to install, run, and manage remote connections as if the endpoint were part of the corporate network. The SSL Network Tunneling component uses either the proprietary Forefront UAG Network Connector or a standards-based approach using the Secure Socket Tunneling Protocol (SSTP). The operating system of the client endpoint and the type of SSL Network Connector deployed on the server determine which type of SSL Network Tunneling component is used, as follows:

    • SSL Network Tunneling (Network Connector)—Used on client endpoints running the Windows XP and Windows Vista operating systems.

      Note

      The SSL Network Tunneling (Network Connector) component can run only on Windows operating systems with Internet Explorer.

    • SSL Network Tunneling (SSTP)—Used on client endpoints running the Windows 7 operating system.
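The following is an added illustration of the difference between the simple relay and the SOCKS proxy relay described above; it is example code written for this page, not Forefront UAG code. A simple relay binds one local port to one fixed internal (server, port). A SOCKS5 relay lets the application client name a different destination in every CONNECT request, which is what makes multiple servers and dynamic ports possible, and it is also why the relay must check each requested destination against the servers and ports the published application is allowed to reach. The host names, ports and allow-list below are constructed for the example and stand in for whatever the administrator configures for the application; the SSL encryption between endpoint and gateway is left out, since the bytes these functions consume and produce are what would travel inside that tunnel.

```python
"""Simple relay versus SOCKS5 proxy relay on the client endpoint (example code,
not Forefront UAG code). All hosts, ports and the allow-list are constructed."""
import socket
import struct

SOCKS5 = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_FAIL, REP_NOT_ALLOWED = 0x00, 0x01, 0x02
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08


class SocksError(Exception):
    """Carries the SOCKS5 reply code to send back to the application client."""
    def __init__(self, rep):
        super().__init__(f"SOCKS5 reply code 0x{rep:02x}")
        self.rep = rep


class SimpleRelay:
    """One local port -> one fixed internal endpoint; the client cannot change it."""
    def __init__(self, local_port, server, server_port):
        self.local_port, self.target = local_port, (server, server_port)

    def resolve(self, _payload=b""):
        return self.target


class SocksRelay:
    """Local port acting as a SOCKS5 proxy. The destination comes from each
    CONNECT request and must fall inside `allowed`, a {host: ports} mapping."""
    def __init__(self, local_port, allowed):
        self.local_port, self.allowed = local_port, allowed

    def negotiate(self, hello):
        # Client: VER | NMETHODS | METHODS...   Server answer: VER | METHOD
        ver, nmethods = struct.unpack("!BB", hello[:2])
        if ver != SOCKS5:
            raise SocksError(REP_FAIL)
        methods = hello[2:2 + nmethods]
        chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in methods else METHOD_NONE_ACCEPTABLE
        return struct.pack("!BB", SOCKS5, chosen)

    @staticmethod
    def parse_connect(request):
        # VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (network byte order)
        ver, cmd, _rsv, atyp = struct.unpack("!BBBB", request[:4])
        if ver != SOCKS5:
            raise SocksError(REP_FAIL)
        if cmd != CMD_CONNECT:
            raise SocksError(REP_CMD_UNSUPPORTED)
        if atyp == ATYP_IPV4:
            host, end = socket.inet_ntoa(request[4:8]), 8
        elif atyp == ATYP_DOMAIN:
            n = request[4]
            host, end = request[5:5 + n].decode("ascii"), 5 + n
        elif atyp == ATYP_IPV6:
            host, end = socket.inet_ntop(socket.AF_INET6, request[4:20]), 20
        else:
            raise SocksError(REP_ATYP_UNSUPPORTED)
        (port,) = struct.unpack("!H", request[end:end + 2])
        return host, port

    def resolve(self, request):
        host, port = self.parse_connect(request)
        # The client chose the destination, so enforce the allow-list here.
        if port not in self.allowed.get(host, ()):
            raise SocksError(REP_NOT_ALLOWED)
        return host, port


def socks_reply(rep, bind_addr="0.0.0.0", bind_port=0):
    # VER | REP | RSV | ATYP | BND.ADDR | BND.PORT
    return (struct.pack("!BBBB", SOCKS5, rep, 0, ATYP_IPV4)
            + socket.inet_aton(bind_addr) + struct.pack("!H", bind_port))


def handle_connect(relay, request):
    """Return (destination or None, reply bytes sent back to the app client)."""
    try:
        dest = relay.resolve(request)
    except SocksError as e:
        return None, socks_reply(e.rep)
    return dest, socks_reply(REP_OK)


def connect_request(host, port):
    """Build the CONNECT an application client would send (domain-name form)."""
    name = host.encode("ascii")
    return (struct.pack("!BBBB", SOCKS5, CMD_CONNECT, 0, ATYP_DOMAIN)
            + bytes([len(name)]) + name + struct.pack("!H", port))


if __name__ == "__main__":
    # Constructed allow-list: one fixed-port application plus one that jumps
    # to a dynamic port range, the case the proxy relays exist for.
    allowed = {"crm.corp.example": {1433}, "rpc.corp.example": range(49152, 65536)}
    simple = SimpleRelay(6000, "crm.corp.example", 1433)
    socks = SocksRelay(1080, allowed)
    print("simple relay always goes to", simple.resolve())
    print("method selection reply:", socks.negotiate(b"\x05\x01\x00").hex())
    for host, port in [("crm.corp.example", 1433), ("rpc.corp.example", 50000),
                       ("mail.corp.example", 25)]:
        dest, reply = handle_connect(socks, connect_request(host, port))
        print(f"{host}:{port} -> {dest}, reply code 0x{reply[1]:02x}")
```

The simple relay needs no request parsing at all, which is why it needs the endpoint-side changes (registry, hosts file, client settings) to steer the client into the local port. The SOCKS relay reads the destination out of each request instead, and the `resolve` check is the point where reach into the internal network is limited; a relay that forwarded whatever host and port the client asked for would turn the tunnel into an unrestricted pivot.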

Note that if you are running XCompress on Forefront UAG, you must set the streaming optimization to "Low latency". You can automate the process by copying the file XCompress.js from the following location:

...\Microsoft Forefront Unified Access Gateway\von\conf\samples\CustomHooks

to the following location:

...\Microsoft Forefront Unified Access Gateway\common\bin\CustomHooks

Open the file you copied, and follow the instructions in the file to configure it for your system.

The following topics describe the endpoint components used for SSL connections: