This topic describes the options that are available to help you provide secure remote access to your published applications and resources through Forefront Unified Access Gateway (UAG).
When providing remote access to your applications, you must design a remote access policy. Designing a remote access policy requires you to determine who your end users are, what clients they are using, and whether you want to provide access only to certified client endpoints.
Forefront UAG provides the following mechanisms to determine who the client endpoint is, whether they can access internal resources and applications, and if so, which internal resources and applications they can access:
- Forefront UAG Endpoint Detection component—Used to determine the client type, including the operating system, firewall version, and antivirus software. This component is also used to determine the other endpoint components that are currently installed on the client endpoint.
- Forefront UAG Endpoint policies—Forefront UAG is installed with a large number of default endpoint policies that can be used to provide or block access to certain applications and resources, based on the health of the client endpoint. Forefront UAG also contains policies that restrict a client from uploading content to the site, or downloading content from the site. For example, you may want to prevent users who are accessing the site from an internet kiosk from downloading documents, or prevent users who don't have an up-to-date antivirus from uploading documents.
- Authentication servers—Forefront UAG supports a wide range of authentication servers, such as RADIUS, ACE SecurID, and Active Directory. These servers can be used to authenticate users before they even access the portal.
- Application authorization—Enables individual users or groups of users to be granted access to specific applications within a portal. For example, members of the finance department can be granted access to financial applications but denied access to the customer relationship management application; or, members of the sales department can be granted access to the sales database but denied access to the company's
- Forefront UAG Endpoint Session Cleanup component—The Endpoint Session Cleanup component can remove temporary data after a session ends. This can prevent the leaking of sensitive data, for example, if during the time someone is using the portal, files containing sensitive information are downloaded to the client endpoint.
- Certified client endpoints—You can certify client endpoints by using a client certificate. You can create client endpoint policies whereby users can access a site or an application only if their computer is a certified endpoint. The certified endpoint feature is supported only on HTTPS trunks.
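The following is an added illustration, not Forefront UAG code, of how the mechanisms above layer into one access decision: endpoint detection attributes feed the endpoint policies (kiosk blocks downloads, stale antivirus blocks uploads, a certified-only trunk admits certified endpoints only, and only over HTTPS), application authorization is checked per application, and session cleanup runs at the end. The `Endpoint`, `Trunk`, `Session` classes, `APP_ACL` map and all sample values are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    # Attributes the Endpoint Detection component would report (constructed)
    os_name: str
    antivirus_current: bool
    kiosk: bool           # shared/public machine such as an internet kiosk
    client_cert: bool     # holds the client certificate used for certification

@dataclass
class Trunk:
    https: bool
    certified_only: bool  # endpoint policy: admit certified endpoints only

@dataclass
class Session:
    endpoint: Endpoint
    groups: set
    temp_files: list = field(default_factory=list)

# Hypothetical application -> permitted user groups (constructed sample data)
APP_ACL = {"finance-app": {"finance"}, "crm": {"sales"}, "sales-db": {"sales"}}

def is_certified(ep, trunk):
    # Certified endpoints are supported only on HTTPS trunks
    return trunk.https and ep.client_cert

def session_policy(ep, trunk):
    """Session-level decision: may the endpoint enter, and may it upload/download."""
    if trunk.certified_only and not is_certified(ep, trunk):
        return {"access": False, "upload": False, "download": False}
    return {"access": True,
            "upload": ep.antivirus_current,  # stale antivirus -> uploads blocked
            "download": not ep.kiosk}        # kiosk -> downloads blocked

def app_authorized(groups, app):
    """Application authorization: the user needs a group the app grants."""
    return bool(APP_ACL.get(app, set()) & set(groups))

def download(session, trunk, path):
    """Record a download on the endpoint; False if the endpoint policy forbids it."""
    if not session_policy(session.endpoint, trunk)["download"]:
        return False
    session.temp_files.append(path)
    return True

def end_session(session):
    """Endpoint Session Cleanup: remove temporary data left on the endpoint."""
    removed = list(session.temp_files)
    session.temp_files.clear()
    return removed
```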