When you create a trunk to publish a portal or specific Web application, you can specify that client endpoints must communicate with the Forefront UAG server over an HTTPS connection. In this case, you must select a server certificate when you configure the trunk. This certificate is used to authenticate the Forefront UAG server to the client endpoint.

Forefront UAG enables you to control access to internal resources by verifying end user credentials against an authentication database. A portal or application session is opened only for end users who authenticate successfully; end users who cannot authenticate successfully do not gain access. Access is granted per end user, and each authentication instance is only valid for one session. Forefront UAG seamlessly integrates with numerous authentication schemes even if the application being protected has no inherent support for the method you choose to implement, such as, where Forefront UAG serves as a client of the third-party authentication server. In addition, Forefront UAG also enables periodic reauthentication by applying a logoff scheme. After a predetermined time, end users must resubmit credentials to continue working; otherwise, their sessions are terminated.

To define session authentication, you should define an authentication server against which the credentials of end users who connect to a portal or application session are verified. For more information about Forefront UAG client authentication schemes, see Implementing frontend authentication.