Planning for endpoint health checking
Published: January 11, 2010
Updated: February 1, 2010
Applies To: Unified Access Gateway
Forefront Unified Access Gateway (UAG) access policies control remote endpoint access to Forefront UAG sessions and published resources. When client endpoints try to establish a session to a Forefront UAG site or portal, settings on the endpoint are compared with access policies to determine what type of access is allowed. You can use Forefront UAG client endpoint policies to create tiers of access to sites and applications. Endpoint policies enable you to determine whether or not client endpoint devices are allowed to access internal sites and applications, or perform certain operations on the application servers, depending on the settings and features of the endpoint devices.
You can configure the following types of access policies:
Inbuilt access policies—Forefront UAG provides inbuilt, predefined access policies. You can modify these predefined policies, if required, or create new policies.
Network Access Protection (NAP) policies—Forefront UAG can evaluate remote endpoints against NAP policies downloaded from a Network Policy Server (NPS).
Inbuilt access policies
Forefront UAG inbuilt endpoint policies enable you to create tiers of access by determining whether or not endpoint devices are allowed to access internal sites and applications, or perform certain operations on the application servers, depending on the security settings of the endpoint devices.
An endpoint policy can contain:
Platform-specific policies—These are enforced according to the operating system of the endpoint device from which the user accesses the Forefront UAG site. The available choices are Windows, Mac OS, Linux, or any other platform.
Expressions—These are conditions made up of variables, free VBScript text, or a combination of both. Expressions can themselves be platform-specific, in which case they are enforced according to the platform of the endpoint device from which the user accesses the Forefront UAG site. Use expressions to define a policy in deployments where you do not need to address platform-specific issues. You can also use expressions, including platform-specific expressions, to define multiple conditions once and then reuse them in several policies.
You can use the policies that are provided with Forefront UAG, edit them, and define additional policies, as required. You can use policies to define multiple conditions once, and apply them to the Forefront UAG site and across several applications.
Note: It is recommended that you tailor the default policies to your organization's security needs. For example, edit all platform-specific Default Web Application Access policies to check for the antivirus software that your corporate endpoint computers are running.
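To make the policy model above concrete, the following is an added example, not Forefront UAG's own (VBScript-based) policy engine or its variable names: a small Python model in which expressions are defined once, reused across platform-specific policies, and evaluated fail-closed against the settings an endpoint reports. The attribute names (antivirus, av_signatures_current, domain_joined, user_type) and the product name CorpAV are assumptions for illustration only.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict

# An endpoint's reported settings, modelled as a plain dict (constructed):
# e.g. {"platform": "Windows", "antivirus": "CorpAV", "domain_joined": True}
Endpoint = Dict[str, object]
Expression = Callable[[Endpoint], bool]


def require(key: str, *allowed) -> Expression:
    """Expression: attribute is present and equals one of the allowed values.
    A missing attribute evaluates to False, so the check fails closed."""
    return lambda ep: ep.get(key) in allowed


def all_of(*exprs: Expression) -> Expression:
    return lambda ep: all(e(ep) for e in exprs)


def not_(expr: Expression) -> Expression:
    return lambda ep: not expr(ep)


@dataclass
class Policy:
    """Platform-specific policy: one expression per platform (Windows, Mac OS,
    Linux, other). A platform with no entry is denied rather than allowed."""
    name: str
    by_platform: Dict[str, Expression] = field(default_factory=dict)

    def allows(self, ep: Endpoint) -> bool:
        expr = self.by_platform.get(str(ep.get("platform", "other")))
        return bool(expr and expr(ep))


# Reusable expressions, defined once and used in several policies.
corp_av = require("antivirus", "CorpAV")  # hypothetical corporate AV product
av_current = require("av_signatures_current", True)
domain_joined = require("domain_joined", True)
no_guest = not_(require("user_type", "guest"))

# Two tiers of access: the portal session itself, and a published web application.
portal = Policy("Default Session Access",
                {"Windows": no_guest, "Mac OS": no_guest, "Linux": no_guest})
webapp = Policy("Default Web Application Access",
                {"Windows": all_of(no_guest, corp_av, av_current, domain_joined),
                 "Mac OS": all_of(no_guest, corp_av, av_current)})


def access_tier(ep: Endpoint) -> str:
    """Highest tier the endpoint qualifies for: 'none', 'portal' or 'webapp'."""
    if not portal.allows(ep):
        return "none"
    return "webapp" if webapp.allows(ep) else "portal"
```

A managed Windows endpoint running the corporate antivirus reaches the application tier, the same endpoint with a different antivirus drops to portal-only access, and a platform for which no policy is defined gets no access at all.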
NAP access policies
In addition to Forefront UAG inbuilt policies, you can evaluate endpoint settings against NAP policies downloaded from an NPS server. You specify the NPS server location and settings in the Forefront UAG Management console, and the NAP policies are retrieved from the specified server.