Overview of access control
Published: January 11, 2010
Updated: February 1, 2011
Applies To: Unified Access Gateway
Forefront Unified Access Gateway (UAG) enables you to provide remote access to corporate applications and resources for remote employees, mobile workers, partners, and other third-parties. However, providing remote access to applications and resources that are located on your corporate network could potentially lead to security breaches. Forefront UAG helps you to provide secure remote access only to the users and endpoints that you want to allow access to your applications and resources, by using a combination of endpoint health policies, authentication servers, and application access authorization.
Health policies—Forefront UAG provides inbuilt policies that check the health of endpoint devices by checking for system settings and features on the endpoint. Each of the policies can be edited to check for specific settings or features, as required. You can also define your own policies. When checking the health of endpoint devices, you must try to find the correct balance between using strict policies or more permissive policies, for a wide range of end users using different endpoints devices and requiring access to many different applications.
Authentication servers—You can require users to authenticate for access to the Forefront UAG portal and application sessions. Forefront UAG supports a number of predefined authentication schemes; you can also create custom schemes. Configuring authentication requires you to set up authentication servers against which user credentials are verified.
User authorization—In addition to user authentication, you can configure authorization settings for specific applications published in a portal. You specify which users and groups can access specific applications, based on users and groups defined on user and group servers that are used for authorization. You can configure users and groups on the same server you use for authentication, or you can combine authentication against one type of authentication server, with the authorization of users and groups in a different authentication scheme.