Add Application Wizard help

Updated: February 1, 2010

Applies To: Unified Access Gateway

The Publish Application Wizard helps you to publish internal applications and servers via a Forefront Unified Access Gateway (UAG) portal. This topic provides a summary of the pages and settings available when you run the wizard to publish an application in a portal.

  • Select Application page

  • Application Setup page

  • Endpoint Security page

  • Application Deployment page

  • Web Servers page

  • Connectivity Verifier Settings page

  • Server Settings page

  • Authentication page

  • Portal Link page

  • Authorization page

Select Application page

On the Select Application page you select the application you want to publish in the portal.

  • Built-in services
    Select to publish predefined services and applications, such as File Access and SSL Tunneling (with Network Connector or SSTP).
  • Web applications
    Select to publish applications that use the HTTP or HTTPS protocol, and have a Web interface. You can publish a single Web application, or a farm of backend Web servers.
  • Client/server and legacy applications
    Select to publish applications that use non-Web protocols (protocols other than HTTP or HTTPS). Applications of this type are handled by the SSL Application Tunneling endpoint component.
  • Browser-embedded applications
    Select to publish Web-initiated applications that use a Web-based interface to create a non-Web connection. Applications of this type are handled by the SSL Wrapper endpoint component. You can publish a single browser-embedded application or a farm of backend servers.

Application Setup page

On the Application Setup page you specify the name and type of the application.

  • Application name
    Specify the name of the application as it will appear on the portal page.
  • Application type
    Specify this value if you are publishing a generic Web application; otherwise, Forefront UAG will determine the application type. If you publish multiple generic Web applications of the same type in a portal, this value should be identical for each application.

Endpoint Security page

On the Endpoint Security page, select the access policies for your application. Note that not all of the policies may be available for some published applications.

  • Access policy
    Select a policy with which endpoints must conform in order to access the published application.
  • Upload policy
    Select a policy with which endpoints must conform in order to upload content associated with the published application.
  • Download policy
    Select a policy with which endpoints must conform in order to download content associated with the published application.
  • Restricted zone policy
    Select a policy with which endpoints must conform in order to gain access to the restricted zone of an application, if one is configured.
  • Edit Endpoint Policies
    Click to modify default Forefront UAG access policies, or to create new policies.

Application Deployment page

If you are publishing a Web application, on the Application Deployment page, specify whether you want to publish a single server or a Web farm.

  • Publish a Web site
    Select this option to publish a single Web application.
  • Publish a farm of load-balanced Web servers
    Select this option to publish a farm of mirrored Web servers.

Web Servers page

If you are publishing a Web application, on the Web Servers page, configure settings for the backend Web server that you want to publish.

  • Address type
    Click IP/Host to identify the Web server with one or more IP addresses or DNS host names. Click Subnet to define multiple IP addresses with a subnet and mask. Click Regular Expression to define multiple IP addresses in Addresses by using the Regex++ regular expression syntax. For example: [0-9A-Z-]+\.contoso\.com. When you use regular expressions, a corresponding rule is added in Forefront Threat Management Gateway (TMG) to allow traffic from the local host network (the Forefront UAG server) to any server in the Forefront TMG internal network, on the configured port.
  • Addresses
    If you select IP/Host, double-click in the Addresses list to add a value.
  • Paths
    If the Paths list appears, double-click in the list to specify the path of the published application. A path must start with a slash (/) character.
  • HTTP Port
    Specify the port on which the application is published. To use the default port for the application, type Auto. To enable all ports, type All. To disable all ports, leave the field empty. To define multiple ports, use comma-separated entries (for example: 81, 82, 83). To define a range of ports, use a dash (for example: 81-84).
  • Public host name
    If this field appears, specify the URL that the user types to access the Web application. This field is only used for Web applications that support public host names. The public host name must match the server certificate, and reside in the same domain as the public host name of the trunk. If you are publishing a Web farm, the name should be the FQDN of a real host, including the domain name.
  • Replace host header with the following field
    If this field appears, specify a URL to be used to distinguish the internal host name of the application from its public host name. The URL should include the domain in which the trunk is located. For example, if the public host name of the application is HRPortal, and the trunk resides in the domain contoso.com, specify: https://HRPortal-External.contoso.com.
  • Server farm host
    If you are publishing a Web farm, in Server farm host, specify the host name of the Web server farm. This name is used for link translation, IP session affinity, and optionally the HTTP host header.
  • Use the farm name in the HTTP host header
    If you are publishing a Web farm, enable this value to specify that the host name in the HTTP request should be replaced with the farm host name. For the load-balancing method, select the affinity method to be used for Web farm requests.
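The HTTP Port syntax described above can be expanded into the concrete set of ports a value enables, which helps when reviewing a published application against an approved port list. This is an added example, not Forefront UAG code; the function names, the default of 80 for Auto, case-insensitive keywords, and mixing single ports with ranges in one value are assumptions.

```python
MAX_PORT = 65535


def _port(text):
    """Convert one decimal port string to an int, rejecting anything else."""
    text = text.strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"not a port number: {text!r}")
    number = int(text)
    if not 1 <= number <= MAX_PORT:
        raise ValueError(f"port out of range: {number}")
    return number


def parse_http_port(field, default_port=80):
    """Return the set of ports that an HTTP Port field value enables."""
    value = field.strip()
    if value == "":
        return set()                          # empty field disables all ports
    if value.lower() == "auto":
        return {default_port}                 # assumed default for the application
    if value.lower() == "all":
        return set(range(1, MAX_PORT + 1))    # every port is enabled
    ports = set()
    for entry in value.split(","):            # "81, 82, 83"
        if "-" in entry:                      # "81-84"
            low, high = (_port(p) for p in entry.split("-", 1))
            if low > high:
                raise ValueError(f"reversed range: {entry.strip()!r}")
            ports.update(range(low, high + 1))
        else:
            ports.add(_port(entry))
    return ports


def unapproved_ports(field, approved, default_port=80):
    """List enabled ports that are missing from the reviewer's approved set."""
    return sorted(parse_http_port(field, default_port) - set(approved))


if __name__ == "__main__":
    # Constructed sample values, checked against an approved set of 80 and 443.
    for sample in ["Auto", "", "81, 82, 83", "81-84", "80, 8080-8082"]:
        print(repr(sample), unapproved_ports(sample, {80, 443}))
```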

Connectivity Verifier Settings page

If you are publishing a Web farm, use this page to specify how the state of Web farm members should be detected.

  • Verification Method
    Select the method by which server farm member status will be verified. To check server availability, the connectivity verifier resolves farm names and caches the resolution information. If DNS resolution changes for a farm member, the connectivity verifier may not detect the change; it continues to use the cached settings and will consider the farm member unavailable.

    • Send an HTTP GET request—Click this option to verify the server farm members with an HTTP GET request. In the Request path box, specify the path to be used to determine whether the server farm members are running.

    • Send a Ping request—Click this option to verify the server farm members with a Ping request.

    • Establish a TCP connection—Click this option to verify the server farm members by establishing a TCP connection.

    • In Timeout response threshold, specify the length of time (in milliseconds) that a connectivity verifier will wait for a response from a server.

    • In Successful response threshold, specify the number of consecutive responses that Forefront UAG must receive from the server before the server is considered to be running.

    • In Failed response threshold, specify the number of consecutive responses that Forefront UAG must receive from the server before the server is considered to be down.
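A toy model of the behavior described on this page: a verifier that caches name resolution and applies the timeout and the consecutive-response thresholds. It is an added example, not Forefront UAG code; the class, the callbacks, the host name, the addresses and the initial "running" state are assumptions constructed for illustration.

```python
class ConnectivityVerifier:
    """Toy model: cached name resolution plus consecutive-response thresholds."""

    def __init__(self, resolve, probe, timeout_ms, ok_threshold, fail_threshold):
        self.resolve = resolve          # name -> address (hypothetical callback)
        self.probe = probe              # address -> latency in ms, or None if silent
        self.timeout_ms = timeout_ms
        self.ok_threshold = ok_threshold
        self.fail_threshold = fail_threshold
        self.cache = {}                 # name -> address resolved on first check
        self.members = {}               # name -> running flag and streak counters

    def check(self, name):
        """Probe one farm member and return whether it is considered running."""
        if name not in self.cache:      # resolved once, then reused
            self.cache[name] = self.resolve(name)
        m = self.members.setdefault(name, {"running": True, "ok": 0, "fail": 0})
        latency = self.probe(self.cache[name])
        if latency is not None and latency <= self.timeout_ms:
            m["ok"], m["fail"] = m["ok"] + 1, 0
            if m["ok"] >= self.ok_threshold:
                m["running"] = True
        else:                           # silent or slower than the timeout
            m["fail"], m["ok"] = m["fail"] + 1, 0
            if m["fail"] >= self.fail_threshold:
                m["running"] = False
        return m["running"]


def demo_dns_change():
    """Re-address a healthy member and watch the cached address mark it down."""
    dns = {"web1.contoso.com": "10.0.0.11"}     # constructed sample data
    latency = {"10.0.0.11": 20}                 # address -> response time in ms
    v = ConnectivityVerifier(dns.get, latency.get, timeout_ms=500,
                             ok_threshold=2, fail_threshold=3)
    history = [v.check("web1.contoso.com")]
    dns["web1.contoso.com"] = "10.0.0.12"       # DNS record changes
    del latency["10.0.0.11"]                    # old address stops answering
    latency["10.0.0.12"] = 20                   # member is healthy at the new one
    history += [v.check("web1.contoso.com") for _ in range(3)]
    v.cache.clear()                             # model only: force re-resolution
    history += [v.check("web1.contoso.com") for _ in range(2)]
    return history


if __name__ == "__main__":
    print(demo_dns_change())
```

In the returned history the member stays "running" for two failed probes, is marked down on the third, and after re-resolution needs two consecutive responses before it is considered running again.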

Server Settings page

If you are publishing a non-Web server, on the Server Settings page, configure backend server settings. Each application has a unique user interface, depending on the required parameters.

Authentication page

On the Authentication page, specify how clients provide credentials to published backend Web servers that require authentication.

  • Use single sign-on to send credentials to published applications
    Enable this setting to forward credentials (provided by users when accessing the Forefront UAG portal) to backend Web servers.
  • Select authentication servers
    Click Add to select the server or servers that will be used to authenticate users to backend Web servers. To select a server, in the Authentication and Authorization Servers dialog box, select authentication servers in the list, and then click Select. Click Add to add an additional authentication server.
  • 401 request
    Select to authenticate users to published Web applications using HTTP 401.
  • HTML form
    Select to authenticate users to published Web applications using an HTML form.
  • Both
    Select to authenticate users with an HTTP 401 and an HTML form. Note that you can also delegate user credentials to backend applications using Kerberos. This setting is not provided in the wizard, but can be configured on the application property pages, after you complete the publishing wizard.

Portal Link page

On the Portal Link page, specify how the application appears in the portal.

  • Add a portal and toolbar link
    Enable this setting to add an application link to the default portal home page and toolbar.
  • Portal name
    If required, modify the name by which the application is defined in the portal. The default is the name you specified on the first page of the wizard.
  • Folder
    Specify a folder or subfolder via which the user can access the application if required. The URL must be an absolute URL (for example, https://www.contoso.com). Note that if you defined the application address using the IP address/Host name address type, the URL that is displayed here is, by default, a combination of the values of the Addresses and Paths fields. Ensure that it is the URL of the application link.
  • Application URL
    Specify the internal entry link URL from the portal to the application. The URL must be an absolute URL (for example, https://www.contoso.com). Note that if you defined the application address using the IP address/Host name address type, the URL that is displayed here is, by default, a combination of the values of the Addresses and Paths fields. Ensure that it is the URL of the application link.
  • Mobile URL
    Specify the internal entry link URL from the mobile portal to the application. The URL must be an absolute URL (for example, https://www.contoso.com/contoso).
  • Icon URL
    Specify the URL of the icon representing the application (displayed in the portal to the left of the application name).
  • Open in a new window
    Enable to specify that the application should open in a new window.

Authorization page

Specify which portal users can access the published application.

  • Authorize all users
    Enable to specify that all remote clients authenticated for portal access can view and access the application. If you clear this check box, you must configure authorization settings for the application.