This document discusses Forefront Unified Access Gateway (UAG). It covers UAG architecture and the support boundaries for UAG 2010, including that UAG is used only for inbound access control and that deployment with a single network adapter is not supported. It describes the UAG access model (publishing applications via reverse proxy, port forwarding, and DirectAccess), publishing applications such as SharePoint, Exchange and Remote Desktop, and the client components.
7. UAG Usage
• Allow anywhere access with SSTP
• DirectAccess integration
• Forefront UAG is used only for inbound access control
• Portal
• Endpoint compliance scan
• Allow customization
• Integration with NAP
8. Forefront UAG architecture
Image from: Deploying Microsoft Forefront Unified Access Gateway 2010, Microsoft Press
9. What’s New In UAG
64-Bit Software
Enhanced Host-based and Network Firewall
Multi-Server Arrays
Network Load Balancing
UAG and DirectAccess
Publishing Capabilities
Remote Access Client VPN Services
11. UAG 2010: Support boundaries – DirectAccess
http://technet.microsoft.com/en-us/library/ee522953.aspx
You can use Forefront UAG as a publishing server, creating trunks to publish
corporate applications for access by remote client endpoints either directly, or
via a Web portal. In addition, you can deploy Forefront UAG as a DirectAccess
server, to extend the benefits of Windows DirectAccess across your
infrastructure, providing transparent access for DirectAccess clients. Note the
following:
• A single server can be configured as both a Forefront UAG publishing server
and as a Forefront UAG DirectAccess server
• An array can consist of Forefront UAG servers that act as both remote access
publishing servers and as Forefront UAG DirectAccess servers
• You cannot publish the Network Connector application when Forefront UAG
is configured as a DirectAccess server
12. UAG 2010: Support boundaries – Network adapters
http://technet.microsoft.com/en-us/library/ee522953.aspx
• Forefront UAG supports configuration of two networks:
internal and external. Connecting to different switches for
network redundancy is supported, provided that both are
defined as part of the internal or the external network
• Using Forefront TMG running on the Forefront UAG server to
provide multiple network routing is not supported
• Deployment with a single network adapter is not supported
13. UAG 2010: Support boundaries – Forefront TMG running on Forefront UAG
http://technet.microsoft.com/en-us/library/ee522953.aspx
By default, Forefront Threat Management Gateway (TMG) is installed during
Forefront Unified Access Gateway (UAG) Setup. Forefront TMG is installed as a
complete product, and is not modified to run on a Forefront UAG server.
Forefront UAG uses Forefront TMG as follows:
• Forefront TMG acts as a firewall, protecting the Forefront UAG server
• Forefront UAG uses Forefront TMG infrastructure and functionality in some
deployment and monitoring scenarios
14. Forefront UAG client devices
http://technet.microsoft.com/en-US/library/dd920232.aspx
• Internet Explorer versions: Internet Explorer 6, Internet Explorer 7,
Internet Explorer 8, Internet Explorer 9, Internet Explorer 10 (64-bit),
Internet Explorer 10 (32-bit)
• Non-Internet Explorer browsers: Firefox 2.0.x, 3.0.x, 3.5.x, 4, 10, 11;
Safari 3.2.x, 4.0.x, 5.0.x; Opera 9
• Mobile browser support (mobile operating system):
– Windows RT
– Windows Phone 7, Windows Phone 7.5, Windows Phone 8
– Windows Mobile 2005 for Pocket PC; Windows Mobile 6; Windows Mobile 6.5
– iPhone version 3.0.x
– iOS 4.x and 5.x on iPhone and iPad
– Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0
– Nokia: S60 3rd edition, S60 3rd edition Feature Pack 2, S60 5th edition
15. Windows 2012 DirectAccess and UAG
UAG features for DirectAccess have been rolled into Server 2012
Side-by-Side Migration of Forefront UAG DirectAccess:
http://technet.microsoft.com/en-us/library/hh831623.aspx
16. UAG Access Model
• Web applications: reverse proxy, through the portal
• Non web based applications: port forwarding, through the portal
• SSTP or Network Connector: VPN, remote access
• DirectAccess: «transparent» access
17. UAG Standalone Or Domain Member?
UAG can be deployed as either a domain member or a
workgroup member
Scenarios that REQUIRE domain membership:
• SSTP VPN connection
• Certificate based authentication
• File server access
18. Fault Tolerance and Load Balancing
• A Forefront UAG server array is configured as, and acts like, a single logical
Forefront UAG server
• Configuration is performed once, at the array manager, and is then
distributed automatically to all the array members
• Forefront UAG is integrated with Network Load Balancing
• Do not configure NLB on the Forefront UAG server in the Windows Network
Load Balancing console
• Alternative: external load balancer (check for compliance with DirectAccess)
19. UAG Requirements
• The minimum hardware requirements are as follows:
– 2.66 GHz dual core CPU
– 4 GB memory and 2.5 GB of free disk space
– Two network adapters
• There is no official sizing guide for UAG
• Reserve enough disk space for the logs
20. UAG Publishing
• Gives access to our applications and resources to people coming from
different locations and from different devices
• Either a single web application or a Forefront UAG portal (which
consolidates multiple resources behind a single gateway)
21. Publishing – Portals
All applications that you want to publish through Forefront UAG need to be part
of a portal
23. Multiple Trunks
• A UAG server can contain multiple trunks, depending on how many IP
addresses are assigned to its external interface
• At any point, an administrator can add IP addresses to the external NIC of
the UAG server, add public DNS mappings to these addresses, and add more
trunks
24. UAG Applications
• An "application" for UAG is a collection of settings and rules that
determine how UAG publishes a certain internal website or application
25. Types Of Applications
• Over 40 «templates»
– Built-in services
– Web (applications)
– Client/Server and Legacy
• Remote Network Access -> Full VPN
– Browser-embedded
• XenApp
– Terminal Services and Remote Desktop
26. HAT and AAM
• Host Address Translation (HAT) publishes internal servers that have no FQDN
resolvable on the external networks
– Publish multiple servers from within the organization, all on a single
external IP address and port
• SharePoint has a feature called Alternate Access Mappings (AAM) that
rewrites the URLs before they are sent to UAG, so HAT is not needed for it
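The HAT idea above, as an added Python illustration that is not UAG's own code and does not reproduce UAG's real URL encoding: each internal host (no public DNS) gets an opaque token, outbound links are rewritten to a path under the single external FQDN, and inbound paths are mapped back only when the token is known, so the gateway never forwards to a host it does not publish. The hosts, external name and token scheme are constructed sample values.

```python
import hashlib
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample configuration: one external FQDN/port published by the
# gateway, and the internal servers (no externally resolvable FQDN) behind it.
EXTERNAL_HOST = "portal.example.com"
INTERNAL_HOSTS = ["sharepoint.corp.local", "crm.corp.local"]


def hat_token(internal_host: str) -> str:
    """Opaque, stable per-host token used as the external path prefix.
    (Constructed scheme for illustration, not Forefront UAG's encoding.)"""
    return hashlib.sha256(internal_host.encode()).hexdigest()[:16]


# Reverse table built from configuration only: unknown tokens cannot resolve.
HAT_TABLE = {hat_token(h): h for h in INTERNAL_HOSTS}


def to_external(url: str) -> str:
    """Rewrite an absolute internal URL from server output into its HAT form."""
    parts = urlsplit(url)
    if parts.hostname not in INTERNAL_HOSTS:
        return url  # not a published host: leave the link untouched
    path = parts.path or "/"
    return urlunsplit(("https", EXTERNAL_HOST,
                       f"/{hat_token(parts.hostname)}{path}",
                       parts.query, parts.fragment))


def to_internal(external_path: str) -> Optional[str]:
    """Map an inbound request path to the internal origin; None means reject."""
    m = re.match(r"^/([0-9a-f]{16})(/.*)?$", external_path)
    if not m or m.group(1) not in HAT_TABLE:
        return None  # no valid, known token: the gateway must not forward it
    return f"http://{HAT_TABLE[m.group(1)]}{m.group(2) or '/'}"


_URL_RE = re.compile(r'(href|src|action)=(["\'])(https?://[^"\']+)\2')


def rewrite_html(html: str) -> str:
    """Rewrite absolute internal links in common HTML attributes of a response body."""
    return _URL_RE.sub(
        lambda m: f"{m.group(1)}={m.group(2)}{to_external(m.group(3))}{m.group(2)}",
        html)
```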
27. Portal And Direct Connection
• Portal: we are able to create a web portal to act as a gateway; applications
will be published in the portal
• Direct connection: we can publish a web application with a public FQDN
32. Publishing Exchange
• Outlook Web App
• Outlook Anywhere (RPC-over-HTTPS)
• ActiveSync
• Configure Exchange publishing:
– As a normal application
– Directly during the process of creating a trunk (Create Trunk Wizard)
33. Remote Connectivity
• Network Connector
– Listens and tunnels ALL traffic into the internal network
• Secure Socket Tunneling Protocol
– SSTP is a Windows Server feature that is new in Windows Server 2008
– On the client side, the SSTP "client" is also built in
– UAG adds automatic client configuration
• DirectAccess
35. Remote Desktop
• RemoteApp
– Configure the RemoteApp on your Terminal Server
– Export the RemoteApp configuration as a TSPUB
– Make it available to UAG
• Remote Desktop (Predefined)
• Remote Desktop (User Defined)
37. Client Components
• The UAG client components are automatically installed on computers that
connect to the UAG portal:
– Endpoint detection
– The SSL tunneling components
– Endpoint Session Cleanup component, which cleans up the user's system
after a session has ended