Why enable remote access to Exchange services with Forefront UAG?

Published: January 11, 2010

Updated: February 15, 2013

Applies To: Unified Access Gateway

Enabling remote access to Exchange applications with Forefront Unified Access Gateway (UAG) provides the following benefits:

  • Preauthentication—In a standard Exchange deployment, users authenticate directly against the Exchange Client Access server. By publishing Exchange applications with Forefront UAG, you can allow users to preauthenticate against the Forefront UAG server, before they gain access to the internal Exchange Client Access server.

    Forefront UAG supports the following preauthentication methods:

    • Basic—Users are prompted for a user name and password. When using Basic authentication, the user name and password are not encrypted when they are transmitted, unless you are also using Secure Sockets Layer (SSL) to encrypt the HTTP session. For this reason, using an HTTPS trunk is recommended.

    • NTLM/KCD—Users are not prompted for a user name and password. This authentication method provides the highest level of security when accessing Exchange services. When the end user accesses the portal, a hashed version of the password is transmitted automatically (without user interaction) to Forefront UAG, and then Kerberos constrained delegation is used to provide access to the Client Access server.

  • Web farm load balancing (WFLB)—A large organization can have many Exchange Client Access servers. You can use load balancing to ensure that traffic is distributed evenly between each Exchange Client Access server.

    Forefront UAG uses a round-robin mechanism to ensure that user requests to a web application serviced by a web farm are distributed fairly among farm members that are online, by spreading requests from different IP addresses evenly among the web farm members. This even spread is preserved during failover. When failover occurs, servers that are not responding are detected, and the load is distributed among the available servers.

    Forefront UAG uses affinity to ensure that, after a user has been routed once to a particular Client Access server, the user continues to be routed to that server. To maintain this persistence, Forefront UAG supports session affinity and IP affinity.

  • Publishing Outlook Web Access (OWA) in Forefront UAG deployments provides the following additional benefits:

    • Strong authentication—When using OWA, you can use Integrated Windows authentication (IWA), which includes the Negotiate, Kerberos, and NTLM authentication methods to provide strong authentication.

    • Authorization—Access to Outlook Web Access from outside the organization’s firewall can be restricted to specific user groups.

    • Single sign-on—Users need to sign on only once during a session. After they do, Forefront UAG stores their credentials for the session, and they are then automatically signed on to any system they want to access during the session. This is useful if a user receives an email containing a link to a SharePoint site or to additional applications.

    • Health inspection—Forefront UAG provides a number of endpoint policies that can be used to check the health of endpoint clients. For example, you can provide unrestricted access to clients running an up-to-date firewall and antivirus, while restricting (or blocking) access to clients that only have an up-to-date firewall.

    • Session clean up—The Forefront UAG Endpoint Session Cleanup component deletes persistent browser data that is downloaded to a client endpoint browser from the sites protected by Forefront UAG, or created by a client endpoint browser, when any of the following occurs:

      • A Forefront UAG session ends, for example, when the user closes the browser.

      • The user logs off a Forefront UAG site by using the site’s logoff mechanism.

      • A scheduled logoff or scheduled cleanup occurs.

    • Upload/download policies—In addition to the endpoint policies that check the health of endpoint clients, Forefront UAG also provides policies that restrict the actions that end users can perform when connected to the website. For example, you can create a policy such that if the client endpoint does not have antivirus installed, it can download files that are included as email attachments, but cannot upload files as email attachments.

  • Edge readiness—Forefront UAG was developed and designed as an Internet and perimeter network solution, and it is hardened and secured according to industry standards.
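The web farm load balancing behaviour described above (round-robin over online farm members, IP affinity, and re-routing of clients whose server stops responding) can be modelled in a few lines. The following is an added illustrative example written for this page, not Forefront UAG's own code; the farm member names and client IP addresses are constructed, and session affinity (keyed on a session cookie rather than the client IP) would work the same way with a different key.

```python
class WebFarmRouter:
    """Model of UAG-style web farm routing: round-robin across online
    members, sticky IP affinity, and failover when a member goes offline.
    Illustrative only; not the product's implementation."""

    def __init__(self, members):
        self.members = list(members)       # configured Client Access servers
        self.online = set(self.members)    # members currently responding
        self.affinity = {}                 # client IP -> assigned member
        self._rr = 0                       # round-robin cursor

    def mark_offline(self, member):
        """Health check failed: stop routing to it and drop its affinities
        so affected clients are re-spread over the remaining members."""
        self.online.discard(member)
        for ip, m in list(self.affinity.items()):
            if m == member:
                del self.affinity[ip]

    def mark_online(self, member):
        """Member responds again; existing affinities are left untouched."""
        self.online.add(member)

    def _next_online(self):
        if not self.online:
            raise RuntimeError("no web farm members are online")
        # Walk the configured order, skipping members that are offline.
        for _ in range(len(self.members)):
            candidate = self.members[self._rr % len(self.members)]
            self._rr += 1
            if candidate in self.online:
                return candidate

    def route(self, client_ip):
        """Return the member that should serve this client IP."""
        member = self.affinity.get(client_ip)
        if member is None or member not in self.online:
            member = self._next_online()   # new client or failed member
            self.affinity[client_ip] = member
        return member

    def route_many(self, client_ips):
        """Route a batch of client IPs and report how evenly they spread."""
        counts = {m: 0 for m in self.members}
        for ip in client_ips:
            counts[self.route(ip)] += 1
        return counts
```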