Introduction to infrastructure design

Updated: February 15, 2013

Applies To: Unified Access Gateway

This topic provides an overview of the Forefront Unified Access Gateway (UAG) features that affect your infrastructure design.

Forefront UAG single server or array deployment

Depending on your requirements, you can deploy a single Forefront UAG server, or an array of Forefront UAG servers. An array consists of multiple Forefront UAG servers that share the same configuration and provide scalability and high availability. You can implement load balancing among array members, using the Windows Network Load Balancing feature that is integrated into Forefront UAG or using a hardware load balancer.

For more information, see Introduction to array design.

Forefront UAG as a DirectAccess server

Forefront UAG can be deployed as a Forefront UAG DirectAccess server to extend the benefits of Windows DirectAccess across your infrastructure, enhancing scalability, simplifying deployment and management, and providing remote users the experience of being seamlessly connected to your internal network any time that they have Internet access. Depending on your requirements, you can deploy a single Forefront UAG DirectAccess server, or an array of servers to provide scalability and high availability. You can implement load balancing among array members, using the Windows Network Load Balancing feature that is integrated into Forefront UAG or using a hardware load balancer.

For more information, see Forefront UAG DirectAccess.

Forefront UAG as a publishing server

Forefront UAG can be configured as a publishing server. Internal applications and resources are published via Forefront UAG, and can then be accessed by remote client endpoints, either directly, or via a Forefront UAG Web portal.

Application publishing

Using Forefront UAG you create trunks to publish a wide range of internal applications and resources for access by remote endpoints. For more information about Forefront UAG concepts such as trunks and portals, and about the types of applications you can publish, see Introduction to publishing design.

Endpoint deployment

Forefront UAG deploys endpoint components on managed and unmanaged remote client endpoints connecting to Forefront UAG portals and published applications. These components are required to enable endpoints to access a number of Forefront UAG features. Components can only be installed on endpoints that comply with system requirements.

For more information, see System requirements for Forefront UAG client devices, and Introduction to endpoint component deployment design.

Endpoint access control

Forefront UAG provides a number of mechanisms for controlling and securing endpoint access to Forefront UAG portals and published applications, including client authentication, endpoint health checking, and application authorization.

  1. Client authentication: You can require remote clients to authenticate in order to establish a session with a Forefront UAG portal. You can use a number of different client authentication mechanisms. In addition, you can implement single sign-on, so that client credentials that are provided during session logon are passed to backend published servers that require authentication, so clients only need to provide credentials once.

    For more information, see Planning for client authentication.

  2. Endpoint health checking: You can compare endpoint settings with Forefront UAG access policies. Only endpoints that comply with policies can access published resources. You can create built-in Forefront UAG access policies, or use Network Access Protection (NAP) policies that are downloaded from a Network Policy Server (NPS).

    For more information, see Planning for endpoint health checking.

  3. Portal application authorization: You can implement portal application authorization to limit access to portal applications to specific users and groups.

    For more information, see Planning for portal application authorization.
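The three mechanisms above act as successive gates on a request for a published application: a session must be authenticated, the endpoint must satisfy the access policy, and the user must be authorized for that application. The following Python model, added here as an illustration and not Forefront UAG code, shows how such a decision chain denies on the first failing gate and reports which gate failed; the `Endpoint`, `AccessPolicy` and `PublishedApp` types, the setting names such as `antivirus_running`, and the sample endpoints are all constructed for the example.

```python
"""Constructed model of the endpoint access-control gates described above:
client authentication, endpoint health checking, and portal application
authorization. Not Forefront UAG code; all names and data are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Endpoint:
    user: Optional[str]          # None means the session was never authenticated
    groups: Set[str]             # group memberships supplied at logon
    settings: Dict[str, object]  # health attributes reported by the endpoint


@dataclass
class AccessPolicy:
    """A built-in style policy: every required setting must match exactly."""
    required: Dict[str, object]

    def is_compliant(self, endpoint: Endpoint) -> bool:
        return all(endpoint.settings.get(k) == v for k, v in self.required.items())


@dataclass
class PublishedApp:
    name: str
    policy: AccessPolicy
    allowed_groups: Set[str]     # portal application authorization


def evaluate_access(endpoint: Endpoint, app: PublishedApp) -> Tuple[bool, str]:
    """Evaluate the gates in order; the first failure denies the request.

    Returns (allowed, reason) so a log line can say *why* access was refused
    without leaking which later gates would also have failed."""
    # Gate 1: client authentication
    if endpoint.user is None:
        return False, "authentication required"
    # Gate 2: endpoint health checking against the application's access policy
    if not app.policy.is_compliant(endpoint):
        return False, "endpoint does not comply with access policy"
    # Gate 3: portal application authorization by group membership
    if not endpoint.groups & app.allowed_groups:
        return False, "user %s is not authorized for %s" % (endpoint.user, app.name)
    return True, "allowed"


# Constructed sample data: one published application and four endpoints.
FINANCE_APP = PublishedApp(
    name="finance-portal",
    policy=AccessPolicy({"antivirus_running": True, "os_patched": True}),
    allowed_groups={"finance-users"},
)

SAMPLE_ENDPOINTS = {
    "anonymous": Endpoint(None, set(), {"antivirus_running": True, "os_patched": True}),
    "unpatched": Endpoint("alice", {"finance-users"}, {"antivirus_running": True, "os_patched": False}),
    "wrong-group": Endpoint("bob", {"sales-users"}, {"antivirus_running": True, "os_patched": True}),
    "compliant": Endpoint("alice", {"finance-users"}, {"antivirus_running": True, "os_patched": True}),
}


def evaluate_samples() -> Dict[str, Tuple[bool, str]]:
    """Run every constructed endpoint through the gates for FINANCE_APP."""
    return {label: evaluate_access(ep, FINANCE_APP) for label, ep in SAMPLE_ENDPOINTS.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in evaluate_samples().items():
        print("%-12s %-6s %s" % (label, "ALLOW" if allowed else "DENY", reason))
```

The order matters for the reason string as much as for the decision: evaluating authentication first means an unauthenticated client learns nothing about the health policy or the group list, and a health failure is reported before any authorization detail.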

Logging and monitoring

Forefront UAG can log to a variety of destinations, including a syslog server, a RADIUS accounting server, an SMTP server, and SQL Server. In addition, you can monitor Forefront UAG using Microsoft System Center Operations Manager 2007.

For more information, see Configuring monitoring and logging.

Next steps in planning your infrastructure design

Identifying your infrastructure design requirements.