The following procedure describes how to set up a Forefront UAG portal trunk, which is the listener (an IIS Web site on the Forefront UAG server) through which remote endpoints reach the portal and the applications published in it.

Note:
A technical reference for each page of the Create Trunk Wizard is available at Create Trunk Wizard Help.

To set up a trunk

  1. In the Forefront UAG Management console, right-click HTTP Connections to create a trunk accessible over HTTP, or right-click HTTPS Connections to create a trunk accessible over HTTPS. Then click New Trunk.

  2. On the Select Trunk Type page of the Create Trunk Wizard, click Portal trunk. If you want to publish Exchange in the trunk, select Publish Exchange applications via the portal.

  3. On the Setting the Trunk page of the Create Trunk Wizard, do the following:

    1. In Trunk name, specify the name by which you want to identify the trunk. This name will be used as the name of the Web site that is created in IIS running on the Forefront UAG server. Each trunk name within HTTP Connections or HTTPS Connections must be unique. The trunk name cannot contain the public host name.

    2. In Public host name, specify the name or IP address that remote endpoints will use to access the portal site of the trunk.

    3. In IP address, and in HTTP port or HTTPS port, specify the external IP address on the Forefront UAG server on which the trunk listens, and the port. The default ports are 80 (HTTP) and 443 (HTTPS). Each IP address and port combination can be used by only one trunk.

  4. On the Authentication page of the Create Trunk Wizard, select an authentication server that will be used to authenticate user requests for trunk sessions. You can specify multiple authentication servers. If multiple servers are specified, you can configure trunk settings so that users can select an authentication server from a list of specified servers. Click Add to select a server, as follows:

    1. In the Authentication and Authorization Servers dialog box, select a server and click Select. To add a new server to the list, click Add.

    2. If you specified more than one authentication server, choose how users authenticate against them. (If you configure only one authentication server, users authenticate to that server only.)

    • Select User selects from a server list to specify that, during login to the trunk, users are prompted to choose one authentication server. Select Show server names to let users pick the server from a list; otherwise, users must type the server name.

    • Select User provides credentials for each selected server to prompt users, during login, to authenticate to all of the specified authentication servers. Select Use the same user name to specify that users enter a single user name that is used to authenticate to all specified servers.

  5. On the Certificate page of the Create Trunk Wizard (HTTPS trunks only), select the server certificate that will be used to authenticate the Forefront UAG server to the remote endpoint. The certificate must include its private key, and its subject name (or one of its subject alternative names) must match the public host name you specified on the Setting the Trunk page; otherwise remote endpoints receive certificate warnings or fail to connect. Click Launch Certificate Manager to open the Certificates snap-in in the Microsoft Management Console (MMC), which enables you to import a certificate into the Local Computer Personal store, from which IIS on the Forefront UAG server reads server certificates.

    1. To import a certificate, in the MMC window, in the left pane, under Console Root, verify that Certificates (Local Computer) > Personal is selected.

    2. From the Action menu, click All Tasks, and then click Import.

    3. Follow the instructions in the Certificate Import Wizard.

  6. On the Endpoint Security page of the Create Trunk Wizard, control access to trunk sessions by selecting policies that allow or deny access based on the health of client endpoints. Click Use Forefront UAG access policies to determine the health of endpoints using the built-in Forefront UAG access policies. Click Use Network Access Protection (NAP) policies to determine endpoint health using NAP policies downloaded from Network Policy Server (NPS) servers. Ensure that you have an NPS server configured before selecting this option.

    • If you selected Use Forefront UAG access policies, on the Endpoint Policies page of the Create Trunk Wizard, select the policy that defines the minimum prerequisites an endpoint must meet to open a session. In addition, select the policy that defines the prerequisites an endpoint must meet to be treated as privileged.

    • If you selected Use Network Access Protection (NAP) policies, on the NAP Policies page of the Create Trunk Wizard, select the NPS server that provides the NAP policies to be enforced for session access and for privileged endpoints. Select Deny access to endpoint devices that do not have NAP installed or running to specify that only endpoints compliant with NAP policy can access a trunk session. Select Use Forefront UAG endpoint policies when endpoints do not have NAP installed or running to specify that endpoints that cannot be evaluated by NAP are evaluated against Forefront UAG policies instead.

  7. After completing the Create Trunk Wizard, in the Forefront UAG Management console, on the toolbar, click the Activate configuration icon, and then, in the Activate configuration dialog box, click Activate. The trunk is not created in IIS and does not accept connections until the configuration has been activated.
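The following PowerShell script is an added example and is not part of the original Forefront UAG documentation. It covers the two places in the procedure above where a mistake is usually only discovered after remote users complain: it imports the server certificate for an HTTPS trunk into the Local Computer Personal store (step 5) and checks, before you select it in the wizard, that it has a private key, is within its validity period, names the public host name from step 3 in its CN or subject alternative name, carries the Server Authentication EKU and chains to a trusted root; then, after activation (step 7), it verifies that IIS has a site named after the trunk, bound to the external IP address and port from step 3, and that the http.sys SSL binding for that IP and port uses the imported certificate. The PFX path, public host name, trunk name and IP address are assumed placeholders. The script uses the .NET X509 classes rather than the newer Import-PfxCertificate cmdlet because Forefront UAG runs on Windows Server 2008 R2, where that cmdlet is not available; it assumes the IIS WebAdministration module is present (it is, with IIS 7.5) and that the subject alternative name extension formats as "DNS Name=..." (English system locale). Run it in an elevated PowerShell session on the Forefront UAG server.

```powershell
# Added example, not from the Forefront UAG documentation. Assumed placeholders:
$PfxPath        = 'C:\certs\portal.pfx'   # assumed: PFX exported with its private key
$PublicHostName = 'portal.contoso.com'    # assumed: Public host name from step 3
$TrunkName      = 'Portal'                # assumed: Trunk name from step 3
$ExternalIP     = '203.0.113.10'          # assumed: IP address from step 3
$HttpsPort      = 443                     # HTTPS port from step 3 (default)

# Step 5 equivalent: import the PFX into Certificates (Local Computer) > Personal,
# i.e. Cert:\LocalMachine\My, the store the wizard's Certificate page reads.
# MachineKeySet + PersistKeySet keep the private key in the machine key container
# so the IIS worker process, not just the importing user, can use it.
function Import-TrunkCertificate {
    param([string]$Path, [System.Security.SecureString]$Password)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert
}

# Checks to make before selecting the certificate on the Certificate page.
# Returns a list of problems; an empty list means the certificate is usable.
function Test-TrunkCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $problems = @()
    if (-not $Cert.HasPrivateKey)      { $problems += 'No private key; IIS cannot terminate TLS with it.' }
    if ($Cert.NotAfter  -lt (Get-Date)) { $problems += "Expired on $($Cert.NotAfter)." }
    if ($Cert.NotBefore -gt (Get-Date)) { $problems += "Not valid until $($Cert.NotBefore)." }

    # DNS names the certificate asserts: the CN plus every SAN entry (OID 2.5.29.17).
    # SAN parsing assumes the English "DNS Name=" formatting of X509Extension.Format.
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $matched = $false
    foreach ($n in $names) {
        if ($n.StartsWith('*.')) {
            # A wildcard covers exactly one label: *.contoso.com matches portal.contoso.com only.
            if (($HostName -like $n) -and ($HostName.Split('.').Count -eq $n.Split('.').Count)) { $matched = $true }
        } elseif ($n -eq $HostName) { $matched = $true }
    }
    if (-not $matched) { $problems += "Neither CN nor SAN matches '$HostName' (found: $($names -join ', '))." }

    # If an EKU extension is present it must allow Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'Enhanced Key Usage lacks Server Authentication.'
    }

    # The server must be able to build the chain it will send to clients.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $problems += 'Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
    return $problems
}

# After step 7: activation creates an IIS site named after the trunk, bound to the
# external IP and port from step 3; http.sys must also hold an SSL binding for that
# IP:port whose thumbprint is the certificate selected in step 5.
function Test-TrunkSite {
    param([string]$Name, [string]$IP, [int]$Port, [string]$Thumbprint)
    Import-Module WebAdministration
    $problems = @()
    $site = Get-Website | Where-Object { $_.Name -eq $Name }
    if (-not $site) { return @("No IIS site named '$Name'; was the configuration activated?") }
    $expected = "${IP}:${Port}:"     # IIS bindingInformation format is IP:port:hostheader
    $bound = $site.bindings.Collection | Where-Object { $_.protocol -eq 'https' -and $_.bindingInformation -eq $expected }
    if (-not $bound) {
        $all = ($site.bindings.Collection | ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }) -join ', '
        $problems += "Site '$Name' has no https binding $expected (found: $all)."
    }
    $ssl = Get-ChildItem IIS:\SslBindings | Where-Object { $_.IPAddress.ToString() -eq $IP -and $_.Port -eq $Port }
    if (-not $ssl) { $problems += "No SSL binding in http.sys for $expected." }
    elseif ($ssl.Thumbprint -ne $Thumbprint) { $problems += "SSL binding for $expected uses thumbprint $($ssl.Thumbprint), not $Thumbprint." }
    return $problems
}

# Before the wizard's Certificate page:
$cert   = Import-TrunkCertificate -Path $PfxPath -Password (Read-Host -AsSecureString 'PFX password')
$issues = Test-TrunkCertificate -Cert $cert -HostName $PublicHostName
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { "Certificate $($cert.Thumbprint) is ready to select on the Certificate page." }

# Only after step 7 (Activate configuration):
$siteIssues = Test-TrunkSite -Name $TrunkName -IP $ExternalIP -Port $HttpsPort -Thumbprint $cert.Thumbprint
if ($siteIssues) { $siteIssues | ForEach-Object { Write-Warning $_ } }
else { "Trunk '$TrunkName' is listening on ${ExternalIP}:${HttpsPort} with the expected certificate." }
```

The certificate checks mirror what a remote browser will enforce (name, validity, chain, key usage), so a failure reported here is one users would otherwise see as a warning page. The site check is the quickest way to confirm that activation actually produced the listener: if the site is missing or bound to a different IP and port, the trunk settings from step 3, not the firewall in front of the server, are the first thing to revisit.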