This topic provides answers to the questions you should ask when planning to deploy Forefront Unified Access Gateway (UAG) endpoint components on client endpoints:
- What applications do you want to publish?
- Who are the clients and what are their limitations?
- How do you install the components on the client endpoint?
- When do you need to customize the endpoint components?
- System requirements for Forefront UAG client devices
What applications do you want to publish?
To design a solution that allows clients to access applications and resources remotely, you must first define the applications and resources that they will access. Forefront UAG can allow access to a large number of applications and resources within the following categories:
- Built-in services—Services such as File Access and SSL Tunneling (remote VPN access).
- Web applications—Applications that use the HTTP or HTTPS protocols and a Web interface.
- Client/server and legacy applications—Applications that use non-HTTP/HTTPS protocols.
- Browser-embedded applications—Web-initiated applications that use a Web-based interface to create a non-Web connection.
Different applications require different endpoint components. For example, client/server and legacy applications require you to use the SSL Application Tunneling component, whereas Web applications may require only the Endpoint Session Cleanup component.
For further information on planning application publishing and securing your applications, see Publishing planning guide and Securing remote access.
Who are the clients and what are their limitations?
Although Forefront UAG can provide remote access to several operating systems and Web browsers, the user experience may differ depending on the operating system and the Web browser that is on the client endpoint.
The following table describes the prerequisites for installing and running Forefront UAG client endpoint components.
Supported operating system | Supported browsers for Forefront UAG site access | Client component support
---|---|---
32-bit operating systems: | | For installing and running client components, computers running Windows operating systems support Internet Explorer, Firefox, and Safari browsers. The following client components are supported: Endpoint Session Cleanup; Endpoint Detection; SSL Application Tunneling; Socket Forwarding; Endpoint Quarantine Enforcement (from Windows XP SP3). In addition, some components are supported only on selected operating systems:
64-bit operating systems: | Only 32-bit browsers are supported: | For installing and running client components, computers running Windows operating systems support Internet Explorer, Firefox, and Safari browsers. The following client components are supported: Endpoint Session Cleanup; Endpoint Detection; SSL Network Tunneling (SSTP); Endpoint Quarantine Enforcement. In addition, some components are supported only on selected operating systems:
Macintosh OS X 10.4 and up (PowerPC and Intel) | | Forefront UAG Java client components are supported for Macintosh computers running Firefox and Safari browsers. The following client components are supported:
Linux 32-bit operating systems (RPM-based Linux distributions: Red Hat Enterprise 5, Fedora 10 and up; Debian Linux distributions: Debian 5 and up, Ubuntu 8.04 LTS and 9.04 and up) | Firefox 3.0.x; Firefox 3.5.x | Forefront UAG Java client components are supported for Linux computers running a Firefox browser. The following client components are supported:
Windows Mobile 2005 for Pocket PC; Windows Mobile 6; Windows Mobile 6.5 | Pocket Internet Explorer | Windows Mobile 6.5 supports the premium mobile portal
iPhone version 3.0.x | Safari (iPhone version) | Supports the premium mobile portal
Nokia: | | All handsets support the limited mobile portal
Notes
- Forefront UAG ActiveX client components are supported only on client endpoints running Windows operating systems with an Internet Explorer browser. For online installation, the browser must be configured to enable the download and running of signed ActiveX objects.
- The Forefront UAG Component Manager ActiveX object installs the other client components. For initial online installation of Forefront UAG Component Manager, administrator privileges are required on the client endpoint.
- Java client components cannot be installed using offline installation.
- For Java client components, Forefront UAG requires JRE version 1.5.
- In Forefront UAG, the initial installation of the Endpoint Detection Java applet and the Endpoint Session Cleanup Java applet requires administrator privileges on the client endpoint.
- There are no specific requirements for the Forefront UAG Client Trace and Socket Forwarding Helper components.
- Although browsers other than those in the table above may be functional for site access, for full feature functionality use only the recommended browsers.
How do you install the components on the client endpoint?
There are three options for installing Forefront UAG client endpoint components:
- Install the endpoint components on demand when a client accesses the portal (online installation mode)—This is useful when there are a number of different applications and resources published through the portal. As a client accesses a particular application or resource, the required endpoint components are downloaded and installed.
Online installation mode is suitable for end-users who have ActiveX download rights in Windows Internet Explorer, and are logged in with administrator privileges. In this mode, as soon as users try to access the site, before logging in, Forefront UAG downloads the Component Manager to their endpoints. After the Component Manager is installed on the client endpoint, the Component Manager determines the need for installing the remaining components each time the user accesses the site, and then installs them.
By default, the following components are installed automatically:
- Endpoint Session Cleanup.
- Client Trace utility.
- Endpoint Detection.
The remaining components are installed, as required. For example, when the user accesses a non-Web application for the first time, the Component Manager installs the SSL Application Tunneling component.
Note: By default, each portal or application that you publish automatically installs the endpoint components, unless you specifically change the setting to disable component installation and activation.
- Install the endpoint components using an offline installer—This deployment method uses the Client Components Installer and is useful for end-users who do not have ActiveX download rights in Windows Internet Explorer, and are logged in with administrator privileges. It can also be used on browsers other than Internet Explorer, by end-users who are logged in with administrator privileges, to install the SSL Network Tunneling (Network Connector) component.
In this mode, users can download an auto-install file to their computer by using either an “installer” toolbar button or a link on the portal homepage. They can then log out of the site and use this file to install the components in an offline mode.
- Install the endpoint components using an offline installation file—This method installs the client endpoint components using a download file, and is used for end-users who do not have ActiveX download rights in Windows Internet Explorer and are non-privileged (guest/user) users. In this setup, the administrator must log in to the endpoint computer by using power-user or Administrator privileges, and install the components before the user accesses the site.
When do you need to customize the endpoint components?
The Forefront UAG Endpoint Session Cleanup and Forefront UAG Endpoint Detection components can be customized to more closely match your requirements:
- Endpoint Session Cleanup—Before activating the Endpoint Session Cleanup component for portal and application sessions, there are several settings that you can modify, if required. These include:
- Specifying which items saved outside the browser cache are cleaned up.
- Configuring a scheduled cleanup after a preconfigured timeout period.
- Enabling the Endpoint Session Cleanup component on a custom logoff page. The code that triggers the component to initiate the cleanup of the browser’s cache on the client is embedded in the logoff message page that is supplied with Forefront UAG. If the trunk is configured to use a custom logoff page, you must add the code to the custom page.
- Configuring the encrypted pages save setting. Usually, Windows Internet Explorer browsers save encrypted SSL pages to the “temp files” folder. To prevent the browser from saving SSL pages to the default “temp files” folder, users can enable the “Do not save encrypted pages to disk” setting in Internet Explorer, located by clicking the Tools menu, clicking Internet Options, and then clicking the Advanced tab. In this case, when users download an SSL page, they are prompted to provide an alternative location where it should be saved. In this setup, when a session ends, the Endpoint Session Cleanup component clears the “temp files” folder but cannot identify the location to which the encrypted pages were saved. To prevent these pages from remaining on the endpoint computer, at the beginning of each session the Endpoint Session Cleanup component automatically disables the “Do not save encrypted pages to disk” setting, if enabled, so that encrypted pages are saved to the “temp files” folder. At the end of the session, after the Endpoint Session Cleanup component stops monitoring all open sessions, the “Do not save encrypted pages to disk” setting reverts to its original status. You can cancel the disabling of the “Do not save encrypted pages to disk” setting.
- Endpoint Detection—This component uses the default script Detection.vbs to detect applications on a client endpoint, based on the presence of files and registry keys. This file is located in the folder \Microsoft Forefront Unified Access Gateway\von\InternalSite. You can create your own script, based on the Detection.vbs script, to perform your own customized endpoint detection.
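The save, disable and restore sequence described above for the “Do not save encrypted pages to disk” setting, as an added VBScript example that is not the Endpoint Session Cleanup component's own code. It assumes the setting is the Internet Explorer DWORD value DisableCachingOfSSLPages under HKCU (1 = enabled), a location the page itself does not name, and it writes to that value in the current user's hive when run.

```vbscript
' Added example (not the Endpoint Session Cleanup component's own code):
' the save / disable / restore handling of the "Do not save encrypted pages
' to disk" setting. Assumes the setting is the Internet Explorer DWORD
' DisableCachingOfSSLPages under HKCU (1 = enabled); the page does not name it.
Option Explicit

Const SSL_CACHE_VALUE = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages"

Dim shell
Set shell = CreateObject("WScript.Shell")

' Read the current state. RegRead raises an error when the value is absent,
' which is treated as "unticked" (0).
Function ReadSslCacheSetting()
    On Error Resume Next
    ReadSslCacheSetting = shell.RegRead(SSL_CACHE_VALUE)
    If Err.Number <> 0 Then ReadSslCacheSetting = 0
    Err.Clear
    On Error GoTo 0
End Function

' Session start: unless the administrator has cancelled this behaviour,
' clear the setting so that SSL pages land in the temp files folder where
' the cleanup can reach them. Returns True when the setting was changed
' and therefore must be restored at session end.
Function BeginSession(cancelDisable)
    BeginSession = False
    If ReadSslCacheSetting() = 1 And Not cancelDisable Then
        shell.RegWrite SSL_CACHE_VALUE, 0, "REG_DWORD"
        BeginSession = True
    End If
End Function

' Session end: put the setting back only if this session changed it.
Sub EndSession(wasChanged)
    If wasChanged Then shell.RegWrite SSL_CACHE_VALUE, 1, "REG_DWORD"
End Sub

Dim changed
WScript.Echo "Before session: " & ReadSslCacheSetting()
changed = BeginSession(False)
WScript.Echo "During session: " & ReadSslCacheSetting() & " (changed=" & changed & ")"
' ... portal session runs here; at logoff the cleanup clears the temp files ...
EndSession changed
WScript.Echo "After session:  " & ReadSslCacheSetting()
```

Run with cscript.exe; pass True to BeginSession to see the “cancel the disabling” behaviour, in which the setting is left untouched.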
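The file-and-registry-presence technique that Detection.vbs uses, as an added standalone VBScript example; it is not UAG's Detection.vbs and does not reproduce that script's internal structure, which the page does not show. The application names, executable paths and registry values are constructed placeholders.

```vbscript
' Added example: standalone VBScript applying the file-and-registry-presence
' detection technique. Not UAG's Detection.vbs; all product names, paths and
' registry values below are constructed placeholders.
Option Explicit

Dim fso, shell
Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")

' Returns True if the registry value exists. RegRead raises an error for a
' missing key or value, so the error is trapped and reported as "absent".
Function RegValueExists(path)
    On Error Resume Next
    shell.RegRead path
    RegValueExists = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function

' An application counts as present only when BOTH its executable and its
' registry footprint are found; a stray file or a leftover key alone is not
' treated as a working installation.
Function AppDetected(exePath, regValue)
    AppDetected = fso.FileExists(exePath) And RegValueExists(regValue)
End Function

' Constructed detection entries: name, executable, registry value.
Dim programFiles
programFiles = shell.ExpandEnvironmentStrings("%ProgramFiles%")
Dim checks(1, 2)
checks(0, 0) = "ExampleAV"
checks(0, 1) = programFiles & "\ExampleAV\avservice.exe"
checks(0, 2) = "HKLM\SOFTWARE\ExampleAV\Version"
checks(1, 0) = "ExampleFW"
checks(1, 1) = programFiles & "\ExampleFW\fw.exe"
checks(1, 2) = "HKLM\SOFTWARE\ExampleFW\Enabled"

Dim i
For i = 0 To UBound(checks, 1)
    If AppDetected(checks(i, 1), checks(i, 2)) Then
        WScript.Echo checks(i, 0) & ": detected"
    Else
        WScript.Echo checks(i, 0) & ": not detected"
    End If
Next
```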