Forefront Unified Access Gateway (UAG) can use client certificates to specify that a client endpoint is certified. Certified endpoints are defined as privileged; you can assign them more permissive access policies that those of uncertified endpoints.

Setting up certified endpoints requires actions on both the Forefront UAG server and on client endpoints, as follows:

  1. Preparing client endpoints that use Internet Explorer

  2. Adding certificate endpoint applications to a trunk

  3. Enabling certified endpoints

  4. Submitting a request

  5. Checking the certified endpoint request status

  6. Installing the client certificate and logging in as a certified endpoint user

Preparing client endpoints that use Internet Explorer

This procedure is only relevant for client endpoints using Internet Explorer; no preparation is required for other browsers. Before you activate the certified endpoint option, make sure that end users who are using Internet Explorer prepare their endpoints, as follows.

To prepare Internet Explorer browsers for client endpoint certification

  1. Configure the browser to enable downloading and launching of signed ActiveX objects.

  2. For computers running Windows 2000 Server or Windows XP, power-user permissions are required for the current user (this applies to all programs downloaded on the computer running Windows 2000 Server or Windows XP).

Adding certificate endpoint applications to a trunk

This procedure describes how to add the Certified Endpoint Enrollment application to the list of applications that are enabled through the trunk. After you add the application and activate the trunk, a Make this computer certified link is automatically added to the default portal home page, enabling users to request a certificate and make their computer a Certified Endpoint.

To add the Certified Endpoint Enrollment application to the trunk

  1. In the Forefront UAG Management console, select the trunk for which you enabled the Certified Endpoint feature.

  2. Under Application List, click Add.

    The Add Application Wizard is displayed.

  3. Select Built-in Services, then from the drop-down list, select Certified Endpoint Enrollment.

  4. Click Finish.

Note:
  • If you use the default portal home page, adding the Certified Endpoint Enrollment application to the trunk automatically adds the required links to the end-user’s portal. If you use a custom home page, you can manually add this functionality to your page.

  • The Certified Endpoint Enrollment application is not supported on Camino browsers on Mac OS X, because the underlying Microsoft application is not supported on those browsers.

Enabling certified endpoints

Enable certified endpoints for a portal or application session, as follows.

To enable certified endpoints for a session

  1. In the Forefront UAG Management console, click the published portal or application node in the console tree.

  2. On the Session tab of the trunk properties, select Use Endpoint Certificate.

Note:
If the option Disable component installation and activation is selected in the Sessions tab, certified endpoints are disabled.

Submitting a request

Users should submit a request to make a client endpoint certified. For an organization policy that does not issue certificates immediately, clients should check certified endpoint status. After a certificate is issued, client endpoints can install the certificate and log on as a certified endpoint user. Submit a request to make an endpoint certified, as follows.

To submit a request to make a computer a certified endpoint

  1. Access the portal and click the Certified Endpoint button or link. The Certified Endpoint - User Information window is displayed.

  2. Enter the required user information in the text box or boxes.

    Note:
    The fields available in this window may vary, according to the settings defined during the configuration of the Certified Endpoint feature.

  3. At the bottom right corner, click Submit. A message is displayed, prompting you to confirm the request. If your organization’s certification policy is set to issue certificates immediately, you will be notified that the certificate has been issued and be prompted to install it. Otherwise, you will be notified that the request is in progress. In this case, close the Certified Endpoint dialog box, and continue to use the same portal options as before until your request is verified.

Checking the certified endpoint request status

The administrator must approve your request for Certified Endpoint status and issue a certificate accordingly. You must periodically check the status of the request and install the certificate, within the period of time specified in the Certified Endpoint window, as follows.

To check whether the request for Certified Endpoint status has been approved

  1. Access the portal, and click the Certified Endpoint button or link.

  2. The status of your request is displayed. If the request is still in progress, check again within the time period specified in the Certified Endpoint dialog box by using the same browser. If the request is denied, contact the certificates administrator. If the certificate has been issued, you can install the certificate and log in as a certified endpoint user.

Installing the client certificate and logging in as a certified endpoint user

After your certified endpoint status has been approved and a certificate has been issued, you must install the certificate on your computer in order to complete the process.

To install the certificate and log in as a Certified Endpoint user

  1. Access the portal and click the Certified Endpoint button or link. The Certified Endpoint - Certificate Issued window is displayed.

  2. Click Install this certificate to add the certificate to your computer.

    If you are using Internet Explorer, the certificate is installed on your computer. Proceed to step 4 of this procedure.

    If you are using a different browser, a certificate download dialog box is displayed; in this example, the Downloading Certificate dialog box is displayed by Netscape Navigator. After the certificate is installed, a message confirms that the client endpoint is now certified. Click Close to close the Certified Endpoint dialog box. The client endpoint is granted certified endpoint privileges in accordance with privilege settings.

  3. Close all open browsers, then reaccess the portal and log in.

  4. In the Client Authentication dialog box, select the required certificate from the list, and then click OK. This completes the certified endpoint logon process. Your computer is now granted Certified Endpoint privileges, as set by the administrator.

  5. Close all open browser windows, then reaccess the portal and log in.

    The Client Authentication dialog box is displayed.

  6. Select a certificate from the list, and click OK. The login process is complete, and you are logged on as a Certified Endpoint. The Certified Endpoint button or link is no longer available.

    Tip:
    If your portal home page includes the Forefront UAG toolbar, you can click the System Information button to access the System Information window, in order to verify your certified endpoint status. There should be a check mark next to Certified Endpoint.