Export (0) Print
Expand All

Introduction to publishing design

Published: January 11, 2010

Updated: February 15, 2013

Applies To: Unified Access Gateway

Some of the Forefront Unified Access Gateway 2010 SP3 features discussed in this article may be deprecated and may be removed in subsequent releases. For a complete list of deprecated features, see Features Deprecated in Forefront UAG SP3.

Using Forefront Unified Access Gateway (UAG), you can make internal applications and resources available to remote endpoints, by publishing them via a transfer channel, known as a trunk.

This topic provides an overview of the following:

  • About trunks—Describes the types of trunks you can create in Forefront UAG, how to configure trunk properties, the internal resources you can publish via a trunk, and how to define application settings.

  • Connecting to trunks —Describes how remote endpoints connect to a trunk and access applications that are published via the trunk.

About trunks

You can create the following types of trunks:

  1. HTTP trunks—Endpoints connect to the trunk over an HTTP connection.

  2. HTTPS trunks—Endpoints connect to the trunk over an HTTPS connection. A server certificate is defined for a trunk, and is used to authenticate the identity of the Forefront UAG server to the endpoint. An external certificate is required because the endpoint must trust the certification authority (CA) that issued the certificate.

  3. Redirection trunks—For each existing HTTPS trunk, you can create a redirect trunk with the same name and properties as the HTTPS trunk. When remote endpoints request HTTPS trunks using an HTTP connection, the redirect trunk ensures that requests are redirected to the HTTPS trunk.

For each Forefront UAG trunk, you can define a number of properties, and select the applications and resources you want to publish via the trunk.

Trunk properties

Using the Create Trunk Wizard, you can create a trunk that is configured with basic trunk properties. After completing the wizard, you can modify the trunk properties, if required.

Trunk properties include:

  1. Names and IP addresses—You specify a unique internal trunk name, a public host name that endpoints enter to access the trunk, and an IP address and port combination on which Forefront UAG listens for requests to the trunk. You configure these settings on the main page and on the General tab of the trunk properties.

  2. Authentication settings—You can require that endpoint users authenticate in order to access the trunk, using a variety of authentication mechanisms. You configure these settings on the Authentication tab of the trunk properties.

  3. Certificate—For HTTPS trunks, you specify a server certificate that is used to authenticate the Forefront UAG server to endpoints connecting to the trunk. You select the certificate on the General tab of the trunk properties.

  4. Endpoint access policy—Using Forefront UAG, you can control remote access by specifying that endpoints must comply with access policy requirements in order to access a trunk. You can create inbuilt access policies, or download Network Access Protection (NAP) policies from an Network Policy Server (NPS). Endpoint settings are evaluated, and only those that comply with the access policy can connect to the trunk. You configure these settings on the Endpoint Access Settings tab of the trunk properties

  5. Web portal home page—You can associate a web portal home page with each trunk. Via the portal page, endpoints can access one or more applications published via the trunk. Forefront UAG provides a default portal page, or you can create a custom home page.

  6. Portal settings—There are a number of portal features that you can configure for a trunk. These include, allowing users to select an authentication server against which they authenticate, enabling users to authenticate dynamically if they attempt to access an application that they cannot access using credentials with which they are currently logged on, and allowing users to manage their credentials and change passwords via the portal. You configure these settings on the Authentication tab of the trunk properties.

  7. Logon settings—You can specify how users log on to a trunk, including using a default or custom logon page, setting maximum logon attempts, applying an Outlook Web Access look and feel to a logon page, and configuring logoff behavior. You configure these settings on the Authentication tab of the trunk properties.

  8. Session settings—You can specify how users access a trunk session, including configuring a maximum number of concurrent session connections (both authenticated and unauthenticated), specifying how endpoint components are installed during a session, and configuring cleanup behavior when a session ends. You configure session settings on the Session tab of the trunk properties.

  9. Portal application template—Forefront UAG provides a default template for the trunk portal home page. You can use the default template, or configure and use a customized template. In addition, you can configure the global Content-Type lists, and specify how to handle compression in responses. You select the template on the Application Customization tab of the trunk properties.

  10. Traffic inspection—Forefront UAG can apply inspection to basic URLs, parameters and other incoming data. You can configure general URL inspection settings, such as a level of enforcement for a URL set, and a maximum size of pages sent using HTTP POST and PUT. You can configure URL inspection rules that deny access to URLs that are not present in the URL inspection rule list, and define global parameters rules that are applied to a URL when its URL inspection rule is set to handle parameters. Forefront UAG provides predefined URL rule sets for a number of applications. In addition, you can configure Forefront UAG to check HTTP headers and filter requests, so that only explicitly allowed traffic passes through the Forefront UAG server. You configure inspection on the URL Inspection, Global URL Settings, and URL Set tabs of the trunk properties.

  11. HTTP compression—You can configure how Forefront UAG handles HTTP compression. You configure HTTP compression settings on the Application Customization tab of the trunk properties.

  12. HAT settings—You can use the host address translation (HAT) mechanism to translate multiple internal host names to a single external host name, by encrypting the address of the internal resource and inserting it into the URL. When endpoints communicate with Forefront UAG to request and receive data from internal applications and resources, Forefront UAG transparently parses the requests and responses using content-type parsers, and dynamically manipulates the URLs in them. HAT configuration includes, defining a list of URLs on which you do not want to run the content-type parsers in the request or response body, defining a list of URLs on which you want to run a search and replace parsers on the response body, and defining a list of URLs that, when requested, will be redirected or rerouted to a specific location. You configure HAT on the Portal tab of the trunk properties.

Trunk applications

The following table lists the internal resources you can publish via a Forefront UAG trunk.

 

Application type Application Description

Built-in services

Portal

Provides the default Forefront UAG portal home page for the trunk.

File Access

Allows remote endpoints to connect to file servers on the corporate network, and to shares on the file servers.

Web Monitor

Forefront UAG Web Monitor is used to monitor Forefront UAG traffic. You can publish Web Monitor to access it remotely via the portal.

Web applications

Other Web application (application specific hostname)

Allows you to publish an application that is not specified on the Web applications list. This option if used if you want to enable users to reach the application using a public host name for the application instead of the portal public host name.

Other Web application (portal hostname)

Allows you to publish an application that is not specified on the Web applications list. This option if used if you want to enable users to reach the application using the portal public host name.

Active Directory Federation Services 2.0

Allows you to publish an Active Directory Federation Services (AD FS) 2.0 authentication server.

Microsoft Dynamics CRM 4.0

Allows you to publish Dynamics CRM with increased control and security. For more information, see the Dynamics CRM publishing solution guide.

Microsoft Dynamics CRM 2011

Microsoft Exchange (all versions)

Allows you to publish Outlook Web Access, Outlook Anywhere (RPC-over-HTTP, and ActivSync for Exchange 2003, Exchange 2007, and Exchange 2010). For more information, see the Exchange services publishing solution guide.

Microsoft Forefront Identity Manager 2010

Allows you to publish Forefront Identity Manager via Forefront UAG.

Microsoft Office Communicator Web Access 2007

Allows you to publish Office Communication Web Access via Forefront UAG.

Microsoft Office SharePoint Portal Server 2003

Allows you to publish SharePoint via Forefront UAG. For more information, see the SharePoint publishing solution guide.

Microsoft Office SharePoint Server 2007

Microsoft SharePoint Server 2010

Rights Management Services

Allows you to publish Active Directory Rights Management Services (AD RMS) via Forefront UAG. See Publishing an AD RMS server (SharePoint) or Publishing an AD RMS server (Exchange).

Microsoft Lync Web App 2010

Allows you to publish the Microsoft Lync Web App 2010 via Forefront UAG. See Publishing Lync web services.

Browser-embedded applications

Generic Browser-Embedded App (multiple servers)

Allows you to publish a browser-embedded application that is not specified on the browser-embedded list.

Citrix XenApp (Web Interface 5.0)

Allows you to publish Citrix XenApp

Terminal Services (TS)/Remote Desktop Services (RDS)

RemoteApp

Allows you to provide access to RDS. Access to RemoteApps; Remote Desktop (predefined); and Remote Desktop (user-defined) is available for endpoint devices running Windows 7, Windows Vista with Service Pack 2, Windows Vista with Service Pack 1, and Windows XP with Service Pack 3. Endpoints must be running the Remote Desktop Connection (RDC) 7.0 client.

For computers not running Windows 7, see Enabling RDS on Windows Vista and Windows XP.

Remote Desktop (Predefined)

Allows access to a Remote Desktop specified by the administrator.

Remote Desktop (User-defined)

Allows access to a remote desktop selected by the user

TS Client Tunneling (Windows Vista/Windows XP)

Allows access to TS published by tunneling RDS traffic from the endpoint to RDS servers. Tunneled traffic is not controlled or inspected, and endpoints require installation of the Socket Forwarding endpoint component. For endpoints running Windows XP and Windows Vista 32-bit.

TS Web Client Tunneling (Windows Server 2003 multiple server)

Allows access to TS published by tunneling RDS traffic from the endpoint to RDS servers using the Socket Forwarding component. For endpoints running Windows Server 2003.

Client/server and legacy applications

Generic Client Application

Allows you to publish non-web applications

General Client Application (multiple servers)

Generic Silent Client Application

Enhanced Generic Client Application (multiple servers)

Enhanced Generic Client Application (hosts required)

Enhanced Generic Client Application (hosts optional)

Enhanced Generic Client Application (hosts disabled)

Enhanced HAT

Generic HTTP Proxy Enabled Client Application

Generic SOCKS Enabled Client Application

Citrix Program Neighborhood (Direct)

Outlook (Corporate/Workgroup Mode)

Local Drive Mapping

Provides access to internal file structures using Forefront UAG File Access

Local Drive Mapping (Windows XP/2003)

Remote Network Access

Application properties

Using the Add Application Wizard, you can define the basic settings for publishing applications in a trunk. After completing the wizard, you can define additional application settings, if required.

Application settings include the following:

  1. General application settings─You can configure the name by which an application is referenced in the portal, and any prerequisite applications that must be running in order for the application to run (for client/server and legacy applications only).

  2. Inactivity period for monitoring application usage─You can configure an inactivity period for an application. When a user does not use the application within the specified time, an “application exited” message is sent to the Web Monitor. When a user resumes application use, an “application accessed” message is sent. If the period is set to zero, the application closes only when the user session ends.

  3. Backend server settings─You can configure the name, IP addresses, and ports of backend servers, so that a Forefront UAG server can communicate with published applications hosted on the servers.

  4. Authentication settings─You can configure authentication settings to specify how credentials, provided by users during portal logon, are forwarded to published backend servers that require users to authenticate.

  5. Application inspection─You can specify how application traffic is inspected. You can configure how URL requests are checked against URL and other rules, and specify how HTTP data is inspected. For Web applications, you can enable HTTP request smuggling protection. In addition, you can configure cookie encryption for Set-Cookie headers.

  6. Socket Forwarding component─For non-HTTP and non-HTTPS applications, you can specify how the Forefront UAG Socket Forwarding component is activated on remote endpoints.

  7. Application access policies─In addition to configuring an access policy for the portal, you can configure an access policy with which endpoints must comply in order to access the application, and to download and upload files associated with the application. If applicable, you can also configure a policy which controls access to restricted zones for a published application.

  8. Application authorization─You can control application access by configuring authorization settings that restrict access to specific users and groups.

  9. Application link in portal─If you are using the Forefront UAG default portal home page, you can specify how applications are presented in the portal.

Connecting to trunks

Remote endpoints connect over HTTP or HTTPS to the public host name of a trunk, and access applications published via a trunk, either via a web portal or by connecting directly to an application.

The following sections describe:

Connecting via a web portal

Endpoints can connect to Forefront UAG by means of a portal webpage, which allows users to type in a single URL to reach a consolidated gateway, for access to one or more applications published in a trunk. Requiring users to access resources via a portal page provides, a consolidated gateway to multiple applications, allows users to view and manage endpoint component installation, and manage their credentials, including selecting authentication servers, inputting additional credentials as required by portal applications, and changing passwords. To allow access to multiple internal resources using a single external IP address, Forefront UAG trunks automatically use the HAT mechanism to identify the internal address. For more information, see About host address translation (HAT).

Connecting directly to an application

Forefront UAG uses a feature known as application-specific host headers to allow users to connect directly to a specific web application, rather than accessing the application via a Forefront UAG portal. This feature provides an alternative to the host address translation (HAT) mechanism. When the Forefront UAG server receives a request for an application-specific host name, it performs authentication, and then automatically opens the required application, bypassing the Forefront UAG portal home page. Note that this option requires end users to remember the public host name for each application that is published directly. Note the following design requirements:

  1. The application-specific host name must be resolvable by a public DNS server.

  2. The application host name should resolve to the same IP address as the public host name of the trunk via which the application is published.

  3. The public host name of the application must be in or above the domain-level namespace of the portal’s public host name

  4. In HTTPS trunks, it is recommended that both the public host name of the trunk and the public host name of the application should be included on the server certificate used by the trunk. Alternatively you can use a wildcard certificate. You can also use names that do not match the certificate. In this case, ignore the certificate warning that pops up during trunk configuration. If names do not match, connecting endpoints will be presented with a browser warning that there might be a problem with the website’s security certificate, and must choose to continue for site access.

Connecting to arrays and single servers

When multiple Forefront UAG servers are deployed in an array, the same trunks are configured on each array member.

Endpoints connect to single servers and arrays as follows:

  • Connecting to a single Forefront UAG server─If you have a single Forefront UAG server, each trunk on the server must have a public host name, and a unique combination of public IP address and port number. When a user connects to the trunk portal by entering the public host name in the endpoint browser, the name must be resolvable by a public DNS server to the IP address of the trunk. To create multiple portals, you must either have multiple public IP addresses, or the same IP address and a different port on which to receive requests for the second portal.

  • Connecting to an array of Forefront UAG servers─If multiple Forefront UAG servers are deployed in an array, all array members share the same trunks. If load balancing is enabled on the array, each trunk requires a unique virtual IP address (VIP). The IP address must be resolvable by a public DNS server, so that when a user specifies the public host name of the portal in the endpoint browser, it resolves to the correct portal VIP address. You can only use the same VIP address for multiple trunks if each trunk is listening for endpoint requests on a different port. If you do not enable load balancing on the array, each trunk must have a unique public IP address and port combination, as required for a single server.

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft