Introduction to endpoint component deployment design

Forefront Unified Access Gateway 2010
Endpoint Component Deployment Design Guide
Microsoft® Corporation
Published: January, 2010
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization, product, domain name, e-mail
address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, and MS-DOS, Windows, Windows Server, and Active Directory are trademarks of the
Microsoft group of companies. All other trademarks are property of their respective owners.
Contents
Endpoint component deployment design guide (p. 5)
  About this guide (p. 5)
Introduction to endpoint component deployment design (p. 5)
  About endpoint components (p. 5)
About the Endpoint Session Cleanup component (p. 7)
About the Endpoint Detection component (p. 8)
  Information collected from client endpoints (p. 8)
About SSL tunneling (p. 9)
About the SSL Application Tunneling component (p. 10)
About the Socket Forwarding component (p. 11)
About the SSL Network Tunneling component (p. 12)
  About remote user interaction (p. 13)
Identifying your client endpoint component deployment goals (p. 13)
Mapping your deployment goals to client endpoint component deployment design (p. 14)
Allowing remote client access (p. 15)
  What applications do you want to publish? (p. 15)
  Who are the clients and what are their limitations? (p. 15)
    Notes (p. 18)
  How do you install the components on the client endpoint? (p. 18)
  When do you need to customize the endpoint components? (p. 19)
Securing remote access (p. 20)
Endpoint component deployment design guide
Remote access to internal applications published by the Forefront Unified Access Gateway
(UAG) server may come from a variety of client endpoints, such as company-owned laptops,
home computers, and public Internet kiosks. Forefront UAG has the required technology to
identify settings and features on an endpoint computer, and allow or deny access accordingly.
About this guide
This Endpoint component deployment design guide is intended for the system administrator who
is responsible for providing remote access to end users through Forefront UAG. The guide is
designed to help you understand how to use Forefront UAG client endpoint components and
client endpoint policies, to allow or deny access to published applications.
Use this guide to:
• Understand client endpoint component concepts. For more information, see Introduction to endpoint component deployment design.
• Identify the goals you want to achieve when deploying client endpoint components. For more information, see Identifying your client endpoint component deployment goals.
• Map your deployment goals to a component deployment design. For more information, see Mapping your deployment goals to client endpoint component deployment design.
Introduction to endpoint component deployment design
This topic provides an overview of endpoint components, and how they are used in your endpoint
component deployment in Forefront Unified Access Gateway (UAG).
When designing your endpoint component deployment, make sure you know which applications
will be published through the Forefront UAG server, because different types of applications
require the use of different endpoint components.
About endpoint components
Forefront UAG installs client components on client endpoints to enable Forefront UAG remote
access features. Different remote access features require different client components on the
client endpoint. As soon as the client endpoint attempts to access a Forefront UAG site, Forefront
UAG attempts to determine which client components are installed and running on the endpoint
computer. Detection is performed by the Forefront UAG Endpoint Detection component that is
installed on the client endpoint. The Endpoint Detection component verifies the identity of the
Forefront UAG site against the site’s server certificate, and checks whether the site is on the
client endpoint’s Trusted Sites list. Only if the site is trusted, can the component run on the client
endpoint, and collect the data that identifies settings and features on the client endpoint, and
identify which client components are installed and running on the computer.
The Forefront UAG endpoint components that are installed on client endpoints to enable
Forefront UAG features and functionality, include:
• Forefront UAG Endpoint Component Manager—Downloads, installs, manages, and removes all the Forefront UAG endpoint components. There are two versions of this component: ActiveX and Java Applet.
• Forefront UAG Endpoint Session Cleanup—There are two versions of this component: ActiveX and Java Applet. For more information, see About the Endpoint Session Cleanup component.
• Forefront UAG Endpoint Detection—There are two versions of this component: ActiveX and Java Applet. For more information, see About the Endpoint Detection component.
• Non-Web tunneling—Several components are used to provide SSL tunneling capabilities. For more information, see About SSL tunneling. The SSL tunneling components are:
  • Forefront UAG SSL Application Tunneling—There are two versions of this component: ActiveX and Java Applet. For more information, see About the SSL Application Tunneling component.
  • Forefront UAG Socket Forwarding—For more information, see About the Socket Forwarding component.
  • Forefront UAG SSL Network Tunneling—For more information, see About the SSL Network Tunneling component.
  • Socket Forwarding Helper—Used for support purposes.
When a user first accesses the Forefront UAG site, Forefront UAG detects whether it can install
the client components on the endpoint computer, according to the prerequisites described in Who
are the clients and what are their limitations?.
Note the following:
• On endpoint computers that meet these prerequisites, the Forefront UAG Component Manager installs only the client components required by the published application. By default, the following components are installed automatically:
  • Forefront UAG Endpoint Session Cleanup
  • Client Trace utility
  • Forefront UAG Endpoint Detection
• On client endpoints that do not meet these prerequisites, the Forefront UAG client components are not installed.
Note:
In cases where the SSL Application Tunneling ActiveX component is not installed and
cannot be installed on a client endpoint, when the client endpoint attempts to access a
non-Web application, the SSL Application Tunneling Java applet runs to enable access to
the application. The Java applet provides SSL Tunneling functionality only, and does not
enable any of the other features that are enabled by the Forefront UAG client
components, such as client endpoint detection, Forefront UAG Endpoint Session
Cleanup, Socket Forwarding, or SSL Network Tunneling.
About the Endpoint Session Cleanup component
The Forefront Unified Access Gateway (UAG) Endpoint Session Cleanup component deletes
persistent data that is downloaded to a client endpoint from the sites protected by Forefront UAG
or data related to the Forefront UAG session that is created by the client endpoint browser. This
occurs when:
• A Forefront UAG session ends, for example, when the user closes the browser.
• The user logs off from a Forefront UAG site by using the site’s logoff mechanism.
• A scheduled logoff or a scheduled cleanup takes place.
• An unscheduled power outage or an unscheduled reboot occurs.
The Endpoint Session Cleanup component deletes items that are saved in the browser’s cache
during the session, such as Web pages, cookies, and also application-specific cached files that
are stored in the application’s temporary folder. The Endpoint Session Cleanup component also
deletes items that are saved in the browser’s offline folder. These include files that were opened
from within the browser for editing by an external application, such as an Office application (for
example, a document that was opened via the browser for editing in Microsoft Office Word). The
offline folder is cleaned only when all Forefront UAG sessions on the client endpoint end. Only
items that were written to the offline folder after the Endpoint Session Cleanup component was
first activated during the initial login, are deleted.
Optionally, you can configure the Endpoint Session Cleanup component to delete items that are
saved outside the cache, including the browser history, Web address auto complete, intelliforms,
forms autocomplete, and cached passwords. The Endpoint Session Cleanup component deletes
these items only when the component shuts down, and not at the end of each session. If the user
closes the browser without first logging out of the site, the Endpoint Session Cleanup component
does not shut down immediately; it shuts down only on the next scheduled logoff or scheduled
cleanup. Note that all items are deleted according to the DOD 5220.22-M standard.
The Endpoint Session Cleanup component includes a built-in crash recovery mechanism that
ensures that all items are removed even under extreme circumstances, such as a power
shutdown. If, under those circumstances, the component is terminated without deleting all of the
required items, when the computer is next started, the component automatically runs and cleans
up any remaining items.
Endpoint Session Cleanup is one of the Forefront UAG client endpoint components which users
are prompted to download when they try to access a Forefront UAG site, prior to logon. You can
set a client endpoint policy whereby users can access a site or launch an application only if the
Endpoint Session Cleanup component is running on the client.
About the Endpoint Detection component
The Forefront Unified Access Gateway (UAG) Endpoint Detection component is used to assess
the compliance of an endpoint to the Forefront UAG endpoint policies. As soon as a user
attempts to access the site, Forefront UAG attempts to determine which security components are
installed and running on the endpoint. The Forefront UAG Endpoint Detection component, which
is installed on the endpoint, verifies the identity of the Forefront UAG site against the site’s server
certificate, and checks whether the site is on the user’s Trusted Sites list. Only if the site is
trusted, will the component run on the endpoint computer and collect the data that identifies which
components are installed and running on the computer. When detection is not functional on an
endpoint computer, access may be denied, even though the endpoint might comply with the
requirements of the policy. For example, if an application’s policy requires a running antivirus
program, and such a program is already running on the computer, access to the application is still
denied, because Forefront UAG cannot detect that the program is running on this computer.
Note:
Forefront UAG provides a default endpoint detection script (Detection.vbs). You can also
create customized detection scripts.
Compliance with Forefront UAG endpoint policies is determined when a client endpoint computer
first accesses the site. If a client’s computer settings that affect compliance are changed after
login, users must log in again to apply the changes. When using NAP policies, enforcement is
performed for the duration of the session.
For information about endpoint policies, see Planning to implement endpoint access policies.
Information collected from client endpoints
While working with the Forefront UAG site, if endpoint detection is enabled on the client endpoint,
in addition to identifying settings and features on the client endpoint, the following information is
collected by the Endpoint Detection component:
• Network domains—Domain Name System (DNS) and NetBIOS.
• User information—User name and user type.
• Certificates in “My certificate store”—Certificate issuer and certificate subject.
If required (for example, to comply with legal or corporate guidelines), you can configure Forefront
UAG so that users are notified before the information is retrieved from their device, and are
prompted to give their consent for the site to collect such information. You configure this setting
by selecting the Prompt user before retrieving information from endpoint check box on the
Endpoint Access Settings tab of the Advanced Trunk Configuration dialog box. On endpoints
on which users do not give their consent, detection is not performed.
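As an added illustration (not Microsoft's component code), the following Python models the gate described above: detection data is collected only when the site's identity matches its server certificate, the site is on the endpoint's Trusted Sites list, and, if the trunk prompts for it, the user consents; it also shows the consequence the guide states, that a policy needing detected facts denies access when detection did not run. The certificate (in the dictionary shape that ssl.getpeercert() returns), host names and detection values are constructed samples.

```python
"""Trust gate modelled on the Forefront UAG Endpoint Detection component.

Added illustration, not Microsoft's component code. Certificates are
represented as the dictionaries ssl.SSLSocket.getpeercert() returns.
"""
from typing import Optional


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: a single leading '*' may stand in for
    exactly one left-most label and never for a whole two-label name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def certificate_identifies_site(peercert: dict, host: str) -> bool:
    """True if a DNS subjectAltName (or, when the certificate carries no
    SAN, the subject commonName) matches the host the browser connected to."""
    san_dns = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(dns_name_matches(n, host) for n in san_dns)
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, host)
    return False


def run_detection(host: str, peercert: dict, trusted_sites: set,
                  prompt_before_collect: bool = False,
                  user_consented: bool = False) -> Optional[dict]:
    """Return the detection result, or None when the guide says detection
    must not run (site not verified, not trusted, or consent withheld)."""
    if not certificate_identifies_site(peercert, host):
        return None                       # site identity not verified
    if host.lower() not in {s.lower() for s in trusted_sites}:
        return None                       # not on the Trusted Sites list
    if prompt_before_collect and not user_consented:
        return None                       # "Prompt user" set and no consent
    # Constructed stand-in for what the component reports (network domains,
    # user information, certificates in the "My" store); not real data.
    return {"antivirus_running": True,
            "dns_domain": "corp.example.com", "netbios_domain": "CORP",
            "user": "jdoe", "user_type": "standard",
            "my_store_certs": [("CN=Example Issuing CA", "CN=jdoe")]}


def access_allowed(policy_requires_antivirus: bool, detection: Optional[dict]) -> bool:
    """Policy evaluation as the guide describes it: when detection did not
    run, a policy that needs detected facts denies access even if the
    endpoint would in fact comply (the antivirus really is running)."""
    if not policy_requires_antivirus:
        return True
    if detection is None:
        return False
    return bool(detection.get("antivirus_running"))


# Constructed sample certificate in ssl.getpeercert() shape (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "uag.example.com"),),),
    "subjectAltName": (("DNS", "uag.example.com"), ("DNS", "*.portal.example.com")),
}
```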
About SSL tunneling
When using Forefront Unified Access Gateway (UAG) and supporting non-Web applications over
a secure sockets layer (SSL) connection, SSL tunneling causes the application traffic at the client
endpoint to be overlaid with SSL encryption and tunneled to the SSL VPN gateway, that is,
Forefront UAG. The SSL VPN gateway decrypts the traffic and sends the payload to the
application server in the internal network. The Forefront UAG Socket Forwarding component add-on, which is based on Layered Service Provider and Name Service Provider technologies, can
be used to support a wider variety of applications, such as supporting applications that jump
ports, without the need to make changes to the running operating system. The Forefront UAG
SSL Network Tunneling component can be used to provide full VPN access to the corporate
network.
The SSL Application Tunneling component tunnels application traffic through SSL using one of
the following relay types:
• Simple relay—Opens a port on the client endpoint, and tunnels the TCP traffic to and from a specific port on the application server. Using this type of relay, to communicate with the application server, the application client on the endpoint must communicate through the locally opened port. The SSL Application Tunneling component makes changes, such as changes to the application client settings, Windows registry, or Windows hosts file, to enable the application client to communicate through this tunnel.
• HTTP Proxy and SOCKS Proxy relays—Opens a port on the client endpoint. The SSL Application Tunneling component acts as either an HTTP or a SOCKS proxy server, and it tunnels the HTTP or SOCKS traffic to and from the application server. Using this type of relay, the application client on the endpoint can communicate through the locally opened port with multiple servers and ports. The SSL Application Tunneling component makes changes, such as changes to the application client settings, Windows registry, or Windows hosts file, to enable the application client to communicate through this tunnel. This type of relay enables the SSL VPN proxy to request more than one server, thus enabling the support of dynamic ports.
  Note:
  In browsers where the Java applet is used, when multiple portals are open concurrently, only applications that are launched from the portal that was accessed first can listen on HTTP or SOCKS proxy ports. Users cannot launch applications that use HTTP proxy and SOCKS proxy relays from additional portals.
• Transparent relay—Automatically creates a relay between the client endpoint and the application server, for every application client on the endpoint that wants to communicate with the internal network. This type of relay is supported only by the Forefront UAG Socket Forwarding component and does not require any changes on the endpoint.
  Note:
  The Socket Forwarding component is an ActiveX component and can run only on Windows operating systems with Internet Explorer.
• SSL Network Tunneling component—This component supports full connectivity over a virtual transparent connection, and enables you to install, run, and manage remote connections, as if the endpoint were part of the corporate network. The SSL Network Tunneling component uses either the proprietary Forefront UAG Network Connector, or a standards-based approach using the Secure Socket Tunneling Protocol (SSTP). The operating system of the client endpoint and the type of the SSL Network Connector deployed on the server, determine which type of SSL Network Tunneling component is used, as follows:
  • SSL Network Tunneling (Network Connector)—Used on client endpoints running the Windows XP and Windows Vista operating systems.
    Note:
    The SSL Network Tunneling (Network Connector) component can run only on Windows operating systems with Internet Explorer.
  • SSL Network Tunneling (SSTP)—Used on client endpoints running the Windows 7 operating system.
Note that if you are running XCompress on Forefront UAG, you must set the streaming
optimization to "Low latency". You can automate the process by copying the file XCompress.js
from the following location:
...\Microsoft Forefront Unified Access Gateway\von\conf\samples\CustomHooks
to the following location:
...\Microsoft Forefront Unified Access Gateway\common\bin\CustomHooks
Open the file you copied, and follow the instructions in the file to configure it for your system.
The following topics describe the endpoint components used for SSL connections:
• About the SSL Application Tunneling component
• About the Socket Forwarding component
• About the SSL Network Tunneling component
About the SSL Application Tunneling component
The Forefront Unified Access Gateway (UAG) SSL Application Tunneling component provides
SSL connectivity for non-Web protocols, such as those used by client/server and legacy
applications, from the Internet to the internal network, thus enabling Forefront UAG users to
safely access back-end applications.
Using the Forefront UAG portal homepage, remote users can access a range of applications,
such as native messaging applications, standard e-mail applications, collaboration tools,
connectivity products, and more. The SSL Application Tunneling component allows precise, per-user and per-server configurations, and can be used in conjunction with Forefront UAG endpoint
policies, providing for an SSL VPN experience. Multi-platform application support ensures that
users can access their applications from computers running Windows, Macintosh OS X, and
Linux operating systems, by using a wide range of browsers.
For end users to run SSL Application Tunneling applications, the Forefront UAG site must be
trusted by the client endpoint. When a user launches an SSL Application Tunneling application,
the SSL Application Tunneling component verifies the identity of the Forefront UAG site against
the site's server certificate, and checks whether the site is on the user's Trusted Sites list; only if
the site is trusted will the application launch.
Note that when working with SSL Application Tunneling applications via an HTTP trunk, tunneled
traffic is not encrypted.
About the Socket Forwarding component
The Forefront Unified Access Gateway (UAG) Socket Forwarding component is used to support a
wider variety of applications than the SSL Application Tunneling component, such as
applications that jump ports, without the need to make changes to the running operating system.
The Forefront UAG Socket Forwarding component comprises two modules: Winsock2 Layered
Service Provider (LSP) and Name Service Provider (NSP). When an application uses Winsock,
Windows loads either the NSP module (when the application performs a name resolution), or the
LSP module (when the application uses sockets to connect to a remote server).
The NSP and LSP modules intercept every networking activity performed by the application.
Though this interception should not cause any problems and is completely transparent to the
application, it is possible that the application will not function correctly because of the NSP or LSP
interception.
To minimize the risk of potential problems, certain applications are included in the LSP and NSP
modules' block list. Based on this list, the NSP and LSP modules can disable themselves, and
stop intercepting network activities when they detect that the application within which they run, is
on their block list. When disabled in this manner, the LSP and NSP modules do not enable
access from this application to the corporate network.
Tip:
When access to an application in the corporate network is blocked because it is included
in the block list, users may still gain access to other application servers that reside on the
local intranet or the Internet.
The LSP and NSP modules contain two inherent application lists:
• Block list—Contains applications that are known to be problematic. Access to these applications from within the corporate network is always blocked, regardless of the selected socket forwarding activation mode.
• Allow list—Contains applications for which the LSP and NSP will always be active, regardless of the selected socket forwarding activation mode.
Blocking of additional applications depends on the following socket forwarding activation mode,
defined during application configuration:
• Basic—In this mode, none of the applications that load the LSP or NSP modules are enabled access to configured corporate resources, unless the Forefront UAG SSL Application Tunneling component is running, and at least one tunnel is open. In this mode, Windows services (non-interactive applications) are not allowed access to configured corporate resources, regardless of whether the SSL Application Tunneling component is running or not.
• Extended—This mode is identical to the Basic mode, except that Windows services are enabled access to configured corporate resources.
• Virtual private network (VPN)—In this mode, the LSP and NSP modules are always active in all applications; that is, access is enabled to configured corporate resources except for the applications listed in the block list.
Basic mode enables most applications to work via Forefront UAG, and is the recommended
socket forwarding mode. For some applications, however, extended mode or VPN mode is
required.
Note:
You select the Socket Forwarding activation mode for an application when you configure
the application.
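The precedence between the block list, the allow list and the three activation modes, as an added Python illustration (not the LSP/NSP modules' own code): the executable names in the two lists are constructed placeholders, `is_service` stands for the guide's distinction between Windows services and interactive applications, and the tunnel state stands for whether the SSL Application Tunneling component is running with at least one open tunnel.

```python
"""Decision logic modelled on the Forefront UAG Socket Forwarding activation
modes (Basic, Extended, VPN) and the inherent LSP/NSP block and allow lists.

Added illustration, not Microsoft's LSP/NSP code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Tuple


class Mode(Enum):
    BASIC = "basic"
    EXTENDED = "extended"
    VPN = "vpn"


@dataclass(frozen=True)
class Process:
    image: str            # executable the LSP/NSP modules are loaded into
    is_service: bool      # Windows service (non-interactive) or interactive app


@dataclass(frozen=True)
class TunnelState:
    app_tunneling_running: bool   # SSL Application Tunneling component running
    open_tunnels: int             # number of tunnels currently open


# Constructed sample lists; the real block/allow lists ship inside the
# modules and are not reproduced in the guide.
BLOCK_LIST: FrozenSet[str] = frozenset({"problematic.exe"})
ALLOW_LIST: FrozenSet[str] = frozenset({"alwaysforward.exe"})


def forwarding_enabled(proc: Process, mode: Mode, tunnels: TunnelState,
                       block_list: FrozenSet[str] = BLOCK_LIST,
                       allow_list: FrozenSet[str] = ALLOW_LIST) -> Tuple[bool, str]:
    """Return (enabled, reason): whether the LSP/NSP modules forward this
    process's connections to the configured corporate resources."""
    name = proc.image.lower()
    # Block list is absolute: the modules disable themselves in that
    # application regardless of the selected activation mode.
    if name in block_list:
        return False, "block list: modules disabled in this application"
    # Allow list overrides the mode: the modules are always active.
    if name in allow_list:
        return True, "allow list: modules always active"
    if mode is Mode.VPN:
        return True, "VPN mode: modules active in all applications"
    # Basic and Extended both require a running SSL Application Tunneling
    # component with at least one open tunnel.
    if not (tunnels.app_tunneling_running and tunnels.open_tunnels > 0):
        return False, f"{mode.value} mode: no open SSL Application Tunneling tunnel"
    # Only Extended lets Windows services through; Basic never does.
    if proc.is_service and mode is Mode.BASIC:
        return False, "basic mode: Windows services are never forwarded"
    return True, f"{mode.value} mode: tunnel open, access enabled"
```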
About the SSL Network Tunneling component
This topic describes the Forefront Unified Access Gateway (UAG) SSL Network Tunneling
component, which allows you to create remote client VPN connections to the internal corporate
network.
The SSL Network Tunneling component provides the following features:
• Auto-detection and manual tuning of corporate network settings, such as DNS, WINS, default gateway, and domain name, and includes support for computers with multiple connections.
• Support for all types of IP-based unicast traffic, in any direction: client to server, server to client, and client to client.
• Two IP provisioning methods.
• Internet access configuration, including split tunneling, non-split tunneling, and no tunneling.
• Protocol filters for IP-based protocols.
• Access to additional networks.
After configuring an SSL Network Tunneling server, you can allow remote VPN access to internal
networks by publishing the SSL Network Tunneling application in a portal. The type of network
tunneling that is used (Network Connector or SSTP) is determined when client endpoints access
your site.
About remote user interaction
Remote VPN clients connecting to the internal network using SSL Network Tunneling are treated
as if they are part of the corporate network, with full connectivity over a virtual and secure
transparent connection. Depending on the SSL Network Tunneling server configuration, remote
VPN clients can:
• Communicate with all the computers in the network; for example, the system administrator can connect to remote VPN client endpoints to install software updates, configure existing applications, or help users to troubleshoot their systems.
• Access corporate servers and systems such as mail, FTP servers, databases, and voice over IP applications.
• Communicate with other VPN remote clients connected with SSL Network Tunneling.
Remote users can launch the SSL Network Tunneling client using the SSL Network Tunneling
application link on a portal homepage. After the application is launched, users are connected to
the internal network. They can access and be accessed by other network computers. They can
run additional internal applications, without having to launch the application from the portal
homepage. User interaction with SSL Network Tunneling depends on the SSL Network Tunneling
client component that is installed on their computer.
Note the following:
• Only one SSL Network Tunneling client can run on a client endpoint at a time.
• It is recommended that while SSL Network Tunneling is active, users do not access other Forefront UAG portal sites or close the Web browser.
Identifying your client endpoint component deployment goals
For the successful deployment of Forefront Unified Access Gateway (UAG), you must identify
your client endpoint component deployment goals correctly. This topic is designed to help you
identify these goals. After identifying the goals, you can map them to a deployment design that
meets each goal.
The possible goals for client endpoint component deployment include the following:
• Provide remote access to internal applications and resources—Provide end users (such as employees, vendors, partners) with remote access to applications that are published internally on the corporate network.
  End users have different requirements when trying to access your internal applications, including:
  • Accessing e-mail.
  • Viewing company-sensitive presentations and documents.
  • Accessing internal file shares.
  • Accessing legacy applications that do not use Web protocols.
  For each task, the end user may be working on a managed or unmanaged endpoint device, running a variety of operating systems, and using different Web browsers.
• Ensure that remote access to internal applications is secure—Ensure that only clients that you want to remotely access applications can do so, and that content that is downloaded to a client endpoint browser from the sites protected by Forefront UAG or files created by a client endpoint browser, are removed from the client endpoint at the end of the session, or when the user logs off from the Forefront UAG site.
  Items that you may want to remove include items saved in the browser’s cache such as Web pages, cookies, and also application-specific cached files that are stored in the application’s temporary folder. You may also want to delete items that are saved in the browser’s offline folder; for example, files that were opened from the browser for editing by an external application, such as an Office application.
  You may also want to delete items that are saved outside of the browser’s cache; for example, the browser history, Web address auto complete, intelliforms, forms auto complete, and cached passwords.
Mapping your deployment goals to client endpoint component deployment design
The following topics describe how to map your Forefront Unified Access Gateway (UAG) client
endpoint deployment goals to a deployment design:
• Allowing remote client access—Describes how to allow remote clients to access your internal applications and resources through a Forefront UAG portal.
• Securing remote access—Describes how to ensure that only the clients that you want to access your applications and resources can do so, and that there is no data leakage from Forefront UAG portal sessions.
Allowing remote client access
This topic provides answers to the questions you should ask when planning to deploy Forefront
Unified Access Gateway (UAG) endpoint components on client endpoints:
• What applications do you want to publish?
• Who are the clients and what are their limitations?
• How do you install the components on the client endpoint?
• When do you need to customize the endpoint components?
• What are the system requirements for Forefront UAG endpoints?
What applications do you want to publish?
To design a solution that allows clients to access applications and resources remotely, you must
first define the applications and resources that they will access. Forefront UAG can allow access
to a large number of applications and resources within the following categories:
• Built-in services—Services such as File Access and SSL Tunneling (remote VPN access).
• Web applications—Applications that use the HTTP or HTTPS protocols and a Web interface.
• Client/server and legacy applications—Applications that use non-HTTP/HTTPS protocols.
• Browser-embedded applications—Web-initiated applications that use a Web-based interface to create a non-Web connection.
Different applications require different endpoint components. For example, client/server and
legacy applications require you to use the SSL Application Tunneling component, whereas Web
applications may require only the Endpoint Session Cleanup component.
For further information on planning application publishing and securing your applications, see
Application publishing design guide and Securing remote access.
Who are the clients and what are their limitations?
Although Forefront UAG can provide remote access to several operating systems and Web
browsers, the user experience may differ depending on the operating system and the Web
browser that is on the client endpoint.
The following table describes the prerequisites for installing and running Forefront UAG client
endpoint components.
Supported operating system: 32-bit operating systems: Windows XP with SP2 and Windows XP with SP3;
Windows Vista and Windows Vista with SP1; Windows 7
Supported browsers for Forefront UAG site access: Internet Explorer 6; Internet Explorer 7;
Internet Explorer 8; Firefox 3.0.x; Firefox 3.5.x; Safari 3.2.x; Safari 4.0.x
Client component support: For installing and running client components, computers running
Windows operating systems support Internet Explorer, Firefox, and Safari browsers. The following
client components are supported: Endpoint Session Cleanup; Endpoint Detection; SSL Application
Tunneling; Socket Forwarding; Endpoint Quarantine Enforcement (from Windows XP SP3). In addition,
some components are supported only on selected operating systems: Windows XP: SSL Network
Tunneling (Network Connector); Windows Vista: SSL Network Tunneling (Network Connector);
Windows 7: SSL Network Tunneling (SSTP). Note: When using a Web browser other than Internet
Explorer, the Java applet version of the component is installed, when available.

Supported operating system: 64-bit operating systems: Windows Vista and Windows Vista with SP1;
Windows 7; Windows Server 2008 R2
Supported browsers for Forefront UAG site access: Only 32-bit browsers are supported: Internet
Explorer 6; Internet Explorer 7; Internet Explorer 8; Firefox 3.0.x; Firefox 3.5.x; Safari 3.2.x;
Safari 4.0.x
Client component support: For installing and running client components, computers running
Windows operating systems support Internet Explorer, Firefox, and Safari browsers. The following
client components are supported: Endpoint Session Cleanup; Endpoint Detection; SSL Network
Tunneling (SSTP); Endpoint Quarantine Enforcement. Note: The Endpoint Detection component does
not work on Windows Server 2008 R2. In addition, some components are supported only on selected
operating systems:

Supported operating system: Macintosh OS X 10.4 and up (PowerPC and Intel)
Supported browsers for Forefront UAG site access: Safari 3.2.x; Safari 4.0.x; Firefox 3.0.x;
Firefox 3.5.x
Client component support: Forefront UAG Java client components are supported for Macintosh
computers running Firefox and Safari browsers. The following client components are supported:
Endpoint Session Cleanup; Endpoint Detection; SSL Application Tunneling.

Supported operating system: Linux 32-bit operating systems (RPM-based Linux distributions: Red Hat
Enterprise 5, Fedora 10 and up. Debian Linux distributions: Debian 5 and up, Ubuntu 8.04 LTS and
9.04 and up)
Supported browsers for Forefront UAG site access: Firefox 3.0.x; Firefox 3.5.x
Client component support: Forefront UAG Java client components are supported for Linux computers
running a Firefox browser. The following client components are supported: Endpoint Session
Cleanup; Endpoint Detection; SSL Application Tunneling.

Supported operating system: Windows Mobile 2005 for Pocket PC; Windows Mobile 6; Windows Mobile 6.5
Supported browsers for Forefront UAG site access: Pocket Internet Explorer
Client component support: Windows Mobile 6.5 supports the premium mobile portal.

Supported operating system: iPhone version 3.0.x
Supported browsers for Forefront UAG site access: Safari (iPhone version); supports the premium
mobile portal

Supported operating system: Nokia: S60 3rd edition, Feature Pack 1 (validated on E71, N95);
S60 3rd edition, Feature Pack 2 (validated on E72, E52); S60 5th edition (validated on N97)
Client component support: All handsets support the limited mobile portal.
Notes

Forefront UAG ActiveX client components are supported only on client endpoints running
Windows operating systems with an Internet Explorer browser. For online installation, the
browser must be configured to enable the download and running of signed ActiveX objects.

The Forefront UAG Component Manager ActiveX object installs the other client components.
For initial online installation of Forefront UAG Component Manager, administrator privileges
are required on the client endpoint.

Java client components cannot be installed using offline installation.

For Java client components, Forefront UAG requires JRE version 1.5.

In Forefront UAG, the initial installation of the Endpoint Detection Java applet and the
Endpoint Session Cleanup Java applet requires administrator privileges on the client endpoint.

There are no specific requirements for the Forefront UAG Client Trace and Socket
Forwarding Helper components.

Although browsers other than those in the table above may be functional for site access, for
full feature functionality use only the recommended browsers.
How do you install the components on the client endpoint?
There are three options for installing Forefront UAG client endpoint components:

Install the endpoint components on demand when a client accesses the portal (online
installation mode)—This is useful when there are a number of different applications and
resources published through the portal. As a client accesses a particular application or
resource, the required endpoint components are downloaded and installed.
Online installation mode is suitable for end-users who have ActiveX download rights in
Windows Internet Explorer, and are logged in with administrator privileges. In this mode, as
soon as users try to access the site, before logging in, Forefront UAG downloads the
Component Manager to their endpoints. After the Component Manager is installed on the
client endpoint, the Component Manager determines the need for installing the remaining
components each time the user accesses the site, and then installs them.
By default, the following components are installed automatically:

Endpoint Session Cleanup.

Client Trace utility.

Endpoint Detection.
If required, you can configure other components that will be installed automatically.
The remaining components are installed, as required. For example, when the user accesses
a non-Web application for the first time, the Component Manager installs the SSL Application
Tunneling component.
Note:
By default, each portal or application that you publish automatically installs the
endpoint components, unless you specifically change the setting to disable
component installation and activation.

Install the endpoint components using an offline installer—This deployment method
uses the Client Components Installer and is useful for end-users who do not have ActiveX
download rights in Windows Internet Explorer, and are logged in with administrator privileges.
It can also be used on browsers other than Internet Explorer, by end-users who are logged in
with administrator privileges, to install the SSL Network Tunneling (Network Connector)
component.
In this mode, users can download an auto-install file to their computer by using either an
“installer” toolbar button or a link on the portal homepage. They can then log out of the site
and use this file to install the components in an offline mode.

Install the endpoint components using an offline installation file—This method installs
the client endpoint components using a download file, and is used for end-users who do not
have ActiveX download rights on Windows Internet Explorer and are non-privileged
(guest/user) users. In this setup, the administrator must log in to the endpoint computer by
using power-user or Administrator privileges, and install the components before the user
accesses the site.
When do you need to customize the endpoint components?
The Forefront UAG Endpoint Session Cleanup and Forefront UAG Endpoint Detection
components can be customized to more closely match your requirements:

Endpoint Session Cleanup—Before activating the Endpoint Session Cleanup component
for portal and application sessions, there are several settings that you can modify, if required.
These include:

Specifying which items saved outside the browser cache are cleaned up.

Configuring a scheduled cleanup after a preconfigured timeout period.

Enabling the Endpoint Session Cleanup component on a custom logoff page. The code
that triggers the component to initiate the cleanup of the browser’s cache on the client, is
embedded in the logoff message page that is supplied with Forefront UAG. If the trunk is
configured to use a custom logoff page, you must add the code in the custom page.

Configuring the encrypted pages save setting. Usually, Windows Internet Explorer
browsers save encrypted SSL pages to the “temp files” folder. To prevent the browser
from saving SSL pages to the default “temp files” folder, users can enable the “Do not
save encrypted pages to disk” setting in Internet Explorer, located by clicking the Tools
menu, clicking Internet Options, and then clicking the Advanced tab. In this case, when
users download an SSL page, they are prompted to provide an alternative location to
where it should be saved. In this setup, when a session ends, the Endpoint Session
Cleanup component clears the “temp files” folder but cannot identify the location to which
the encrypted pages are saved. To prevent these pages from remaining on the endpoint
computer, at the beginning of each session, the Endpoint Session Cleanup component
automatically disables the “Do not save encrypted pages to disk” setting, if enabled, so
that encrypted pages are saved to the “temp files” folder. At the end of the session, after
the Endpoint Session Cleanup component stops monitoring all open sessions, the “Do
not save encrypted pages to disk” setting reverts to its original status. You can cancel the
disabling of the “Do not save encrypted pages to disk” setting.

Endpoint Detection—This component uses the default script Detection.vbs to detect
applications on a client endpoint, based on the presence of files and registry keys. This file is
located in the folder \Microsoft Forefront Unified Access Gateway\von\InternalSite. You can
create your own script, based on the Detection.vbs script, to perform your own customized
endpoint detection.
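The following script is an added example of the detection approach described above: it checks for
the presence of files and registry values and reports which applications were found, together with
a version value where one is available. It is not the Detection.vbs that ships with Forefront UAG,
and the application names, file paths, registry keys, and reporting format in it are constructed
placeholders; a custom script that replaces Detection.vbs must follow the conventions of the shipped
file, which this guide does not describe.

```vbscript
' Added example: detect installed applications by checking for files and
' registry values, the approach Detection.vbs uses. The application table
' below is constructed for illustration; the paths and keys are placeholders
' and the output format is NOT the one the shipped Detection.vbs uses.
Option Explicit

Dim fso, shell
Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")

' Expand environment variables such as %ProgramFiles% in a path.
Function ExpandPath(p)
    ExpandPath = shell.ExpandEnvironmentStrings(p)
End Function

' True if a file exists at the given path.
Function FileIsPresent(path)
    FileIsPresent = fso.FileExists(ExpandPath(path))
End Function

' True if the registry value can be read. RegRead raises an error when the
' key or value is missing, so the error is trapped and turned into False.
Function RegValueIsPresent(regPath)
    Dim v
    On Error Resume Next
    v = shell.RegRead(regPath)
    RegValueIsPresent = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function

' Reads a string or DWORD registry value; returns "" when it is absent.
Function RegValueOrEmpty(regPath)
    Dim v
    On Error Resume Next
    v = shell.RegRead(regPath)
    If Err.Number <> 0 Then
        v = ""
        Err.Clear
    End If
    On Error GoTo 0
    RegValueOrEmpty = CStr(v)
End Function

' Constructed detection table (placeholders): application name, a file that
' indicates installation, a registry value that indicates installation, and
' an optional registry value holding the version ("" if none).
Dim apps(1, 3)
apps(0, 0) = "ExampleAntivirus"
apps(0, 1) = "%ProgramFiles%\ExampleAV\exampleav.exe"
apps(0, 2) = "HKLM\SOFTWARE\ExampleAV\InstallDir"
apps(0, 3) = "HKLM\SOFTWARE\ExampleAV\Version"
apps(1, 0) = "ExampleFirewall"
apps(1, 1) = "%ProgramFiles%\ExampleFW\fw.exe"
apps(1, 2) = "HKLM\SOFTWARE\ExampleFW\Installed"
apps(1, 3) = ""

' Evaluates one table row. The application is reported as present if either
' indicator is found, so a file-only or key-only installation still counts;
' the version is read only when the application is present.
Function DetectApp(name, filePath, regPath, versionPath)
    Dim present, version
    present = FileIsPresent(filePath) Or RegValueIsPresent(regPath)
    version = ""
    If present And versionPath <> "" Then version = RegValueOrEmpty(versionPath)
    If present Then
        DetectApp = name & "=present;version=" & version
    Else
        DetectApp = name & "=absent"
    End If
End Function

Dim i
For i = 0 To UBound(apps, 1)
    WScript.Echo DetectApp(apps(i, 0), apps(i, 1), apps(i, 2), apps(i, 3))
Next
```

Checking both a file and a registry value, rather than only one, makes the detection tolerant of
products that install to a non-default folder or that do not register themselves; the presence and
version results are what an endpoint policy would later evaluate when deciding whether to grant
access, as described under Securing remote access.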
Securing remote access
This topic describes the options that are available to help you provide secure remote access to
your published applications and resources through Forefront Unified Access Gateway (UAG).
When providing remote access to your applications, you must design a remote access policy.
Designing a remote access policy requires you to determine who your end users are and what clients
they are using, and to decide whether you want to provide access only to certified client endpoints.
Forefront UAG provides the following mechanisms to determine who the client endpoint is,
whether they can access internal resources and applications, and if so, which internal resources
and applications they can access:

Forefront UAG Endpoint Detection component—Used to determine the client type,
including the operating system, firewall version, and antivirus software. This component is
also used to determine the other endpoint components that are currently installed on the
client endpoint.

Forefront UAG Endpoint policies—Forefront UAG is installed with a large number of
default endpoint policies that can be used to provide or block access to certain applications
and resources, based on the health of the client endpoint. Forefront UAG also contains
policies that restrict a client from uploading content to the site, or downloading content from
the site. For example, you may want to prevent users who are accessing the site from an
internet kiosk from downloading documents, or prevent users who don’t have an up-to-date
antivirus from uploading documents.

Authentication servers—Forefront UAG supports a wide range of authentication servers,
such as RADIUS, ACE SecurID, and Active Directory. These servers can be used to
authenticate users before they even access the portal.

Application authorization—Enables individual users or groups of users to be granted
access to specific applications within a portal. For example, members of the finance
department can be granted access to financial applications but denied access to the
customer relationship management application; or, members of the sales department can be
granted access to the sales database but denied access to the company’s financial
applications.

Forefront UAG Endpoint Session Cleanup component—The Endpoint Session Cleanup
component can remove temporary data after a session ends. This can prevent the leaking of
sensitive data, for example, if during the time someone is using the portal, files containing
sensitive information are downloaded to the client endpoint.

Certified client endpoints—You can certify client endpoints by using a client certificate. You
can create client endpoint policies whereby users can access a site or an application only if
their computer is a certified endpoint. The certified endpoint feature is supported only on
HTTPS trunks.