Securing remote access

Updated: February 1, 2010

Applies To: Unified Access Gateway

This topic describes the options that are available to help you provide secure remote access to your published applications and resources through Forefront Unified Access Gateway (UAG).

When providing remote access to your applications, you must design a remote access policy. Designing a remote access policy requires you to determine who your end users are, what clients they are using, and whether you want to provide access only to certified client endpoints.

Forefront UAG provides the following mechanisms to identify the client endpoint, to determine whether it can access internal resources and applications, and if so, to determine which internal resources and applications it can access:

  • Forefront UAG Endpoint Detection component—Used to determine the client type, including the operating system, firewall version, and antivirus software. This component is also used to determine the other endpoint components that are currently installed on the client endpoint.

  • Forefront UAG Endpoint policies—Forefront UAG is installed with a large number of default endpoint policies that can be used to allow or block access to certain applications and resources, based on the health of the client endpoint. Forefront UAG also contains policies that restrict a client from uploading content to the site, or downloading content from the site. For example, you may want to prevent users who are accessing the site from an Internet kiosk from downloading documents, or prevent users who don’t have up-to-date antivirus software from uploading documents.

  • Authentication servers—Forefront UAG supports a wide range of authentication servers, such as RADIUS, ACE SecureID, and Active Directory. These servers can be used to authenticate users before they access the portal.

  • Application authorization—Enables individual users or groups of users to be granted access to specific applications within a portal. For example, members of the finance department can be granted access to financial applications but denied access to the customer relationship management application; or, members of the sales department can be granted access to the sales database but denied access to the company’s financial applications.

  • Forefront UAG Endpoint Session Cleanup component—The Endpoint Session Cleanup component can remove temporary data after a session ends. This helps prevent sensitive data from leaking when, for example, files containing sensitive information are downloaded to the client endpoint while someone is using the portal.

  • Certified client endpoints—You can certify client endpoints by using a client certificate. You can create client endpoint policies whereby users can access a site or an application only if their computer is a certified endpoint. The certified endpoint feature is supported only on HTTPS trunks.