Publishing SharePoint Products and Technologies through Forefront Unified Access Gateway (UAG) can provide the following advantages to both the organization and end users:
- Anywhere access—Users can access
SharePoint sites and edit their documents from virtually anywhere:
managed laptops, home computers, kiosks, and mobile devices.
- Information leakage prevention—When
users open or edit a document from a SharePoint library via
Forefront UAG, no information is left on the client computer;
Forefront UAG deletes all cached files, temporary files, and
- Endpoint health-based
authorization—Forefront UAG allows administrators to define an
access policy that is based not only on the identity of the user
and the information that is exposed, but also on the condition of
the client computer; for example, basing the policy on the
computer's operating system, on the browser that is used to access
the site, or on whether or not an up-to-date antivirus is running
on the computer. Typical implementations of this type of
authorization prevent users who are not running an antivirus from
uploading files to the SharePoint site, and also prevent
access to sensitive information from public computers.
- Web farm load balancing (WFLB)—In a
large organization with many SharePoint servers, using load
balancing can ensure that traffic is distributed evenly between the
Forefront UAG uses a round-robin mechanism to ensure that user requests to a Web application serviced by a Web farm are distributed fairly among farm members that are online, by spreading requests from different IP addresses evenly among the Web farm members. This even spread is preserved during failover. When failover occurs, servers that are not responding are detected, and the load is distributed among the available servers.
Forefront UAG uses affinity to ensure that, after a user has been routed once to a particular SharePoint server, the user continues to be routed to that server. To keep this persistency, Forefront UAG supports session affinity and IP affinity.
- Advanced authentication
schemes—Forefront UAG implements many authentication schemes,
ranging from simple username and password forms to smartcard-only
authentication, one-time passwords, and partner integration via
Active Directory Federation Services (AD FS).
- Enabling access to SharePoint sites from
Microsoft Office Outlook Web Access—When Outlook Web Access is
also published via the Forefront UAG portal, Forefront UAG makes
sure that if an e-mail message contains a link to a published
SharePoint site (for example, https://intranet.woodgrovebank.com/),
the link works properly even if it contains Intranet domain names
(for example, http://intranet/).
- Single sign on—Users need to sign on
only once during a session. After they do, Forefront UAG saves
their credentials, and they are automatically signed on to any
system they want to access during the session. This is very useful
when publishing several SharePoint sites or additional
- Unified portal—After a user logs on,
Forefront UAG presents the user with a list of SharePoint sites and
other applications that are available and for which the user is
authorized. The list is dynamic and reflects the current client
health and Forefront UAG server configuration.
- Automatic timeout—Forefront UAG
detects whether or not users are active, and automatically logs off
users that are not active for a predefined amount of time. This is
very important in remote-access scenarios, where users might leave
their computer unattended in a public location.
- Internet-ready appliances—Forefront
UAG was developed and designed as an Internet and perimeter network
appliance, and it is hardened and secured according to industry
- Secure Sockets Layer (SSL)
termination—Forefront UAG can terminate SSL connections, offloading
SSL processing from Office SharePoint Server, while providing a
single point of management for certificates.
- Application protection—Not only does
Forefront UAG act as an HTTP proxy and buffer the internal servers
from the Internet, it also incorporates several application-level
technologies to protect computers running Office SharePoint Server
from malicious attacks.
- Policy-based access—Forefront UAG
provides integrated security by ensuring compliance with predefined
rules and policies.
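The endpoint health-based authorization and unified portal items above describe a decision that combines who the user is, how sensitive the requested information is, and what state the client computer reports. The following Python example is added here to make that decision concrete; it is not Forefront UAG code. The rule set, the `Endpoint` and `Request` fields, the supported OS and browser baselines, the `SharePoint Users` group, and the portal catalog are all constructed for the example.

```python
"""Endpoint health-based authorization, in the style described for Forefront UAG.

Added illustrative example, not UAG code: an access decision is made from the
user's identity, the sensitivity of the requested information and the reported
health of the client computer. The rule set, the field names and the sample
endpoints below are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    os: str                  # reported operating system, e.g. "Windows 7"
    browser: str             # reported browser, e.g. "IE8"
    antivirus_current: bool  # an up-to-date antivirus is running
    managed: bool            # corporate-managed (domain-joined) computer
    public: bool             # kiosk or other shared public computer


@dataclass(frozen=True)
class Request:
    user_groups: FrozenSet[str]  # group memberships of the authenticated user
    action: str                  # "read" or "upload"
    sensitivity: str             # "public", "internal" or "sensitive"


# Assumed baseline of operating systems and browsers the policy accepts.
SUPPORTED_OS = frozenset({"Windows XP", "Windows Vista", "Windows 7"})
SUPPORTED_BROWSERS = frozenset({"IE7", "IE8", "Firefox 3"})


def authorize(req: Request, ep: Endpoint) -> Tuple[bool, str]:
    """Return (allowed, reason). Identity is checked first, then the endpoint
    baseline, then the two typical health-based rules from the text: no uploads
    without an up-to-date antivirus, and no sensitive information on public or
    unmanaged computers."""
    if "SharePoint Users" not in req.user_groups:
        return False, "user is not authorized for SharePoint"
    if ep.os not in SUPPORTED_OS:
        return False, "operating system not permitted by policy: %s" % ep.os
    if ep.browser not in SUPPORTED_BROWSERS:
        return False, "browser not permitted by policy: %s" % ep.browser
    if req.action == "upload" and not ep.antivirus_current:
        return False, "uploads require an up-to-date antivirus"
    if req.sensitivity == "sensitive" and (ep.public or not ep.managed):
        return False, "sensitive information is not available from public or unmanaged computers"
    return True, "allowed"


# Constructed application catalog for the unified portal: each entry records the
# sensitivity of the site so the portal list can be filtered by the same policy.
CATALOG = {
    "Team Site": "internal",
    "HR Records": "sensitive",
    "Public Announcements": "public",
}


def portal_list(groups: FrozenSet[str], ep: Endpoint) -> List[str]:
    """Sites the portal shows this user from this endpoint: only those the user
    could open (a "read" request) under the current client health."""
    return sorted(
        name for name, level in CATALOG.items()
        if authorize(Request(groups, "read", level), ep)[0]
    )


if __name__ == "__main__":
    laptop = Endpoint("Windows 7", "IE8", antivirus_current=True, managed=True, public=False)
    kiosk = Endpoint("Windows XP", "IE7", antivirus_current=False, managed=False, public=True)
    staff = frozenset({"Domain Users", "SharePoint Users"})
    print(authorize(Request(staff, "upload", "internal"), kiosk))
    print(portal_list(staff, kiosk))
    print(portal_list(staff, laptop))
```

Because `portal_list` reuses `authorize`, the portal contents change with client health exactly as the text describes: the same user sees fewer sites from a kiosk than from a managed laptop.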
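The Web farm load balancing paragraphs above describe three mechanisms: round-robin spreading of requests over the online farm members, detection of members that stop responding with redistribution of their load, and session or IP affinity so that a user keeps talking to the same server. The following Python example is added here to show how those three interact; it is not Forefront UAG code. The farm member names, client addresses and the health-probe callable are assumed.

```python
"""Web farm load balancing with round-robin, failover and affinity, in the
style described for Forefront UAG. Added illustrative example, not UAG code;
the member names, client addresses and the health-probe callable are assumed.
"""
import itertools
from typing import Callable, Dict, Iterable, Optional


class WebFarmBalancer:
    def __init__(self, members: Iterable[str], affinity: str = "ip"):
        if affinity not in ("ip", "session"):
            raise ValueError("affinity must be 'ip' or 'session'")
        self.members = list(members)
        self.online = set(self.members)
        self.affinity = affinity
        self._rr = itertools.cycle(self.members)   # round-robin cursor
        self._bindings: Dict[str, str] = {}        # affinity key -> farm member

    def health_check(self, probe: Callable[[str], bool]) -> None:
        """Re-evaluate every member with the probe (assumed to return True when
        the member answers). Members that stop responding leave the rotation
        and their affinity bindings are dropped, so their users are re-routed
        on their next request; members that come back rejoin the rotation."""
        for m in self.members:
            if probe(m):
                self.online.add(m)
            else:
                self.online.discard(m)
                self._bindings = {k: v for k, v in self._bindings.items() if v != m}

    def _next_online(self) -> str:
        if not self.online:
            raise RuntimeError("no farm members are online")
        # Advance the round-robin cursor, skipping members that are offline.
        for _ in range(len(self.members)):
            m = next(self._rr)
            if m in self.online:
                return m
        raise AssertionError("unreachable: online is a non-empty subset of members")

    def route(self, client_ip: str, session_id: Optional[str] = None) -> str:
        """Pick the farm member for one request. An existing affinity binding
        wins as long as its member is online; otherwise the request is spread
        round-robin over the online members and the new binding is recorded.
        With session affinity, a request that carries no session yet is routed
        round-robin without recording a binding."""
        key = session_id if self.affinity == "session" else client_ip
        target = self._bindings.get(key) if key is not None else None
        if target is None or target not in self.online:
            target = self._next_online()
            if key is not None:
                self._bindings[key] = target
        return target


if __name__ == "__main__":
    farm = WebFarmBalancer(["sp1", "sp2", "sp3"])
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.1"):
        print(ip, "->", farm.route(ip))
    farm.health_check(lambda m: m != "sp2")   # sp2 stops answering
    print("10.0.0.2 ->", farm.route("10.0.0.2"))  # re-routed to a live member
```

The one design point worth noting is that failover also clears the affected affinity bindings: keeping a binding to a dead member would pin those users to a server that cannot serve them, and the text's "preserved during failover" refers to the even spread, not to the old binding.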
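The Outlook Web Access item above says that a link to a published SharePoint site keeps working even when the message carries the intranet name (http://intranet/) rather than the published name (https://intranet.woodgrovebank.com/). The following Python example is added here to show the link translation that makes this work; it is not Forefront UAG code. The table of internal names, the assumed internal FQDN intranet.woodgrove.local, and the sample message are constructed. The practitioner's check is that only hosts present in the table are rewritten, so the translator never turns an external or unpublished link into a pointer at a different host.

```python
"""Translating intranet links in Outlook Web Access mail to the published
SharePoint site, in the style described for Forefront UAG. Added illustrative
example, not UAG code; the published-host table and the sample message are
constructed. Only hosts that appear in the table are rewritten, so a link to
an unpublished or external host is left exactly as it was.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Internal names that e-mail links may carry, mapped to the URL the site is
# published under. https://intranet.woodgrovebank.com/ is the published name
# used in the text; intranet.woodgrove.local is an assumed internal FQDN.
PUBLISHED_HOSTS = {
    "intranet": "https://intranet.woodgrovebank.com",
    "intranet.woodgrove.local": "https://intranet.woodgrovebank.com",
}

# Absolute http(s) URLs in message text. Trailing punctuation that is normally
# not part of a link is peeled off in rewrite_links() and put back afterwards.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TRAILING_PUNCT = ".,;:)"


def translate_url(url: str) -> str:
    """Return the published form of an internal link, or the URL unchanged if
    its host is not one of the published internal names."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    published = PUBLISHED_HOSTS.get(host)
    if published is None:
        return url
    ext = urlsplit(published)
    # Keep path, query and fragment; swap scheme and host for the published ones.
    return urlunsplit((ext.scheme, ext.netloc, parts.path or "/", parts.query, parts.fragment))


def rewrite_links(text: str) -> str:
    """Rewrite every internal link in a message body, leaving other links alone."""
    def substitute(match: "re.Match") -> str:
        url = match.group(0)
        tail = ""
        while url and url[-1] in TRAILING_PUNCT:
            tail = url[-1] + tail
            url = url[:-1]
        return translate_url(url) + tail
    return URL_RE.sub(substitute, text)


if __name__ == "__main__":
    # Constructed sample message body.
    body = ("Please review http://intranet/sites/hr/policy.aspx, the draft on "
            "http://intranet.woodgrove.local/sites/finance/Q3.docx and the vendor "
            "page at http://www.example.com/.")
    print(rewrite_links(body))
```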
SharePoint Server 2010 and SharePoint Server 2007 provide flexible options for configuring extranet access to sites. You can provide Internet-facing access to a subset of sites on a server farm, or make all content on a server farm accessible from the Internet. You can host extranet content inside your corporate network and make it available through an edge firewall, or you can isolate the server farm inside a perimeter network.
The following table describes potential deployment scenarios for Forefront UAG and SharePoint Products and Technologies:
Remote employees can access corporate information and electronic resources anywhere, anytime, and any place, without requiring a virtual private network (VPN).
Remote employees may be:
External partners can participate in business processes and collaborate with employees of your organization using Active Directory Federation Services (AD FS) 1.x or 2.0. See Configuring SharePoint AAM applications with AD FS for AD FS 1.x and Deploying Forefront UAG with AD FS 2.0 for AD FS 2.0.
You can use an extranet to help enhance the security of data in the following ways:
You can optimize processes and sites for partner collaboration by:
Publish branded, targeted content to partners and customers by: