This topic provides answers to the questions you should ask when planning to deploy Forefront Unified Access Gateway (UAG) endpoint components on client endpoints.

What applications do you want to publish?

To design a solution that allows clients to access applications and resources remotely, you must first define the applications and resources that they will access. Forefront UAG can allow access to a large number of applications and resources within the following categories:

  • Built-in services—Services such as File Access and SSL Tunneling (remote VPN access).

  • Web applications—Applications that use the HTTP or HTTPS protocols and a Web interface.

  • Client/server and legacy applications—Applications that use non-HTTP/HTTPS protocols.

  • Browser-embedded applications—Web-initiated applications that use a Web-based interface to create a non-Web connection.

Different applications require different endpoint components. For example, client/server and legacy applications require you to use the SSL Application Tunneling component, whereas Web applications may require only the Endpoint Session Cleanup component.

For further information on planning application publishing and securing your applications, see Publishing planning guide and Securing remote access.

Who are the clients and what are their limitations?

Although Forefront UAG can provide remote access for clients running several operating systems and Web browsers, the user experience may differ depending on the operating system and the Web browser that is on the client endpoint.

The following table describes the prerequisites for installing and running Forefront UAG client endpoint components.

The table has three columns: Supported operating system, Supported browsers for Forefront UAG site access, and Client component support. Each row is listed below under those three headings.

Supported operating system: Windows, 32-bit

  • Windows XP with SP2, and Windows XP with SP3

  • Windows Vista and Windows Vista with SP1

  • Windows 7

Supported browsers for Forefront UAG site access:

  • Internet Explorer 6; Internet Explorer 7; Internet Explorer 8

  • Firefox 3.0.x; Firefox 3.5.x

  • Safari 3.2.x; Safari 4.0.x

Client component support:

For installing and running client components, computers running Windows operating systems support Internet Explorer, Firefox, and Safari browsers.

The following client components are supported: Endpoint Session Cleanup; Endpoint Detection; SSL Application Tunneling; Socket Forwarding; Endpoint Quarantine Enforcement (from Windows XP SP3).

In addition, some components are supported only on selected operating systems:

  • Windows XP: SSL Network Tunneling (Network Connector)

  • Windows Vista: SSL Network Tunneling (Network Connector)

  • Windows 7: SSL Network Tunneling (SSTP)

Note:
When a Web browser other than Internet Explorer is used, the Java applet version of a component is installed, where one is available.

Supported operating system: Windows, 64-bit

  • Windows Vista and Windows Vista with SP1

  • Windows 7

  • Windows Server 2008 R2

Supported browsers for Forefront UAG site access (only 32-bit browsers are supported):

  • Internet Explorer 6; Internet Explorer 7; Internet Explorer 8

  • Firefox 3.0.x; Firefox 3.5.x

  • Safari 3.2.x; Safari 4.0.x

Client component support:

For installing and running client components, computers running Windows operating systems support Internet Explorer, Firefox, and Safari browsers.

The following client components are supported: Endpoint Session Cleanup; Endpoint Detection; SSL Network Tunneling (SSTP); Endpoint Quarantine Enforcement.

Note:
The Endpoint Detection component does not work on Windows Server 2008 R2.

Supported operating system: Macintosh OS X 10.4 and up (PowerPC and Intel)

Supported browsers for Forefront UAG site access:

  • Safari 3.2.x; Safari 4.0.x

  • Firefox 3.0.x; Firefox 3.5.x

Client component support:

Forefront UAG Java client components are supported for Macintosh computers running Firefox and Safari browsers.

The following client components are supported: Endpoint Session Cleanup; Endpoint Detection; SSL Application Tunneling.

Supported operating system: Linux, 32-bit (RPM-based distributions: Red Hat Enterprise Linux 5, Fedora 10 and up; Debian-based distributions: Debian 5 and up, Ubuntu 8.04 LTS and 9.04 and up)

Supported browsers for Forefront UAG site access:

  • Firefox 3.0.x; Firefox 3.5.x

Client component support:

Forefront UAG Java client components are supported for Linux computers running a Firefox browser.

The following client components are supported: Endpoint Session Cleanup; Endpoint Detection; SSL Application Tunneling.

Supported operating system: Windows Mobile 2005 for Pocket PC; Windows Mobile 6; Windows Mobile 6.5

Supported browsers for Forefront UAG site access:

  • Pocket Internet Explorer

Client component support:

Windows Mobile 6.5 supports the premium mobile portal.

Supported operating system: iPhone version 3.0.x

Supported browsers for Forefront UAG site access:

  • Safari (iPhone version)

Client component support:

Supports the premium mobile portal.

Supported operating system: Nokia

  • S60 3rd edition, Feature Pack 1—Validated on E71, N95

  • S60 3rd edition, Feature Pack 2—Validated on E72, E52

  • S60 5th edition—Validated on N97

Client component support:

All handsets support the limited mobile portal.

Notes

  • Forefront UAG ActiveX client components are supported only on client endpoints running Windows operating systems with an Internet Explorer browser. For online installation, the browser must be configured to enable the download and running of signed ActiveX objects.

  • The Forefront UAG Component Manager ActiveX object installs the other client components. For initial online installation of Forefront UAG Component Manager, administrator privileges are required on the client endpoint.

  • Java client components cannot be installed using offline installation.

  • For Java client components, Forefront UAG requires JRE version 1.5.

  • In Forefront UAG, the initial installation of the Endpoint Detection Java applet and the Endpoint Session Cleanup Java applet requires administrator privileges on the client endpoint.

  • There are no specific requirements for the Forefront UAG Client Trace and Socket Forwarding Helper components.

  • Although browsers other than those in the table above may be functional for site access, for full feature functionality use only the recommended browsers.

How do you install the components on the client endpoint?

There are three options for installing Forefront UAG client endpoint components:

  • Install the endpoint components on demand when a client accesses the portal (online installation mode)—This is useful when there are a number of different applications and resources published through the portal. As a client accesses a particular application or resource, the required endpoint components are downloaded and installed.

    Online installation mode is suitable for end-users who have ActiveX download rights in Windows Internet Explorer, and are logged in with administrator privileges. In this mode, as soon as users try to access the site, before logging in, Forefront UAG downloads the Component Manager to their endpoints. After the Component Manager is installed on the client endpoint, the Component Manager determines the need for installing the remaining components each time the user accesses the site, and then installs them.

    By default, the following components are installed automatically:

    • Endpoint Session Cleanup.

    • Client Trace utility.

    • Endpoint Detection.

    If required, you can configure other components that will be installed automatically.

    The remaining components are installed, as required. For example, when the user accesses a non-Web application for the first time, the Component Manager installs the SSL Application Tunneling component.

    Note:
    By default, each portal or application that you publish automatically installs the endpoint components, unless you specifically change the setting to disable component installation and activation.
  • Install the endpoint components using an offline installer—This deployment method uses the Client Components Installer and is useful for end-users who do not have ActiveX download rights in Windows Internet Explorer, and are logged in with administrator privileges. It can also be used on browsers other than Internet Explorer, by end-users who are logged in with administrator privileges, to install the SSL Network Tunneling (Network Connector) component.

    In this mode, users can download an auto-install file to their computer by using either an “installer” toolbar button or a link on the portal homepage. They can then log out of the site and use this file to install the components in an offline mode.

  • Install the endpoint components using an offline installation file—This method installs the client endpoint components using a download file, and is used for end-users who do not have ActiveX download rights on Windows Internet Explorer and are non-privileged (guest/user) users. In this setup, the administrator must log in to the endpoint computer by using power-user or Administrator privileges, and install the components before the user accesses the site.
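Online installation mode depends on two endpoint prerequisites named above: the user is logged in with administrator privileges, and Internet Explorer permits downloading signed ActiveX controls for the zone the portal falls into. The following PowerShell script is an added example, not part of the Forefront UAG documentation or product, that reports both conditions for a given portal host so an administrator can decide between online and offline installation before users hit the site. It assumes a portal host name (portal.example.com), that the portal is reached over HTTPS, and the standard Internet Explorer registry layout (ZoneMap\Domains for host-to-zone mapping; value 1001 under Zones\<n> is "Download signed ActiveX controls", where 0 = Enable, 1 = Prompt, 3 = Disable); none of these come from the page.

```powershell
# Added example, not from the Forefront UAG documentation: readiness check for
# online (ActiveX) installation of the UAG client components on a Windows endpoint.
# Assumptions not on the page: the portal host name below, HTTPS access, and the
# standard Internet Explorer zone registry layout described in the comments.

param(
    [string]$PortalHost = 'portal.example.com'   # assumed name of the UAG portal
)

$IeRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-IsAdministrator {
    # Under UAC this is true only for an elevated process, which is also what the
    # Component Manager installation needs.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-IeZoneForHost {
    # Returns the zone the host is explicitly mapped to (1 = Local intranet,
    # 2 = Trusted sites, 3 = Internet, 4 = Restricted sites), or $null if unmapped.
    # Layout: ZoneMap\Domains\<domain>[\<subdomain>] with one value per scheme.
    param([string]$HostName)
    $parts = $HostName.Split('.')
    if ($parts.Count -lt 2) { return $null }
    $domain = $parts[-2..-1] -join '.'
    $key = Join-Path $IeRoot "ZoneMap\Domains\$domain"
    if ($parts.Count -gt 2) {
        $sub = $parts[0..($parts.Count - 3)] -join '.'
        $key = Join-Path $key $sub
    }
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($scheme in 'https', '*') {        # scheme-specific entry wins over the wildcard
        if ($props.PSObject.Properties[$scheme]) { return [int]$props.$scheme }
    }
    return $null
}

function Get-SignedActiveXDownloadSetting {
    # Value 1001 ("Download signed ActiveX controls") for the zone. If the
    # Security_HKLM_only policy is in force the authoritative copy is under HKLM;
    # this check reads the per-user copy only.
    param([int]$Zone)
    $props = Get-ItemProperty -LiteralPath (Join-Path $IeRoot "Zones\$Zone") -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not $props.PSObject.Properties['1001']) { return $null }
    return [int]$props.'1001'
}

function Test-UagOnlineInstallReadiness {
    param([string]$HostName)
    $zone = Get-IeZoneForHost -HostName $HostName
    if ($null -eq $zone) { $zone = 3 }   # simplification: treat an unmapped host as Internet zone
    $activeX = Get-SignedActiveXDownloadSetting -Zone $zone
    $isAdmin = Test-IsAdministrator
    [pscustomobject]@{
        PortalHost            = $HostName
        IsAdministrator       = $isAdmin
        IeZone                = $zone
        SignedActiveXDownload = $activeX   # 0 enable, 1 prompt, 3 disable, $null not set (treated as not ready)
        ReadyForOnlineInstall = $isAdmin -and ($activeX -eq 0 -or $activeX -eq 1)
    }
}

Test-UagOnlineInstallReadiness -HostName $PortalHost | Format-List
```

If ReadyForOnlineInstall is false because the user is not an administrator, the third option above (an administrator pre-installs the components from the offline installation file) is the one that fits; if only the ActiveX setting blocks it, either map the portal host into the Trusted sites zone or use the offline installer.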

When do you need to customize the endpoint components?

The Forefront UAG Endpoint Session Cleanup and Forefront UAG Endpoint Detection components can be customized to more closely match your requirements:

  • Endpoint Session Cleanup—Before activating the Endpoint Session Cleanup component for portal and application sessions, there are several settings that you can modify, if required. These include:

    • Specifying which items saved outside the browser cache are cleaned up.

    • Configuring a scheduled cleanup after a preconfigured timeout period.

    • Enabling the Endpoint Session Cleanup component on a custom logoff page. The code that triggers the component to clean up the browser cache on the client is embedded in the logoff message page that is supplied with Forefront UAG. If the trunk is configured to use a custom logoff page, you must add that code to the custom page.

    • Configuring the encrypted pages save setting. By default, Windows Internet Explorer saves encrypted SSL pages to the Temporary Internet Files (“temp files”) folder. To prevent this, users can enable the “Do not save encrypted pages to disk” setting in Internet Explorer (Tools menu, Internet Options, Advanced tab). With that setting enabled, when users download an SSL page they are prompted for an alternative location in which to save it. When a session ends, the Endpoint Session Cleanup component clears the “temp files” folder, but it cannot identify the location to which the encrypted pages were saved instead, so those pages would remain on the endpoint computer. To prevent this, at the beginning of each session the Endpoint Session Cleanup component automatically disables the “Do not save encrypted pages to disk” setting, if it is enabled, so that encrypted pages are saved to the “temp files” folder. At the end of the session, after the component stops monitoring all open sessions, the setting reverts to its original state. If required, you can cancel this disabling of the “Do not save encrypted pages to disk” setting.

  • Endpoint Detection—This component uses the default script Detection.vbs to detect applications on a client endpoint, based on the presence of files and registry keys. This file is located in the folder \Microsoft Forefront Unified Access Gateway\von\InternalSite. You can create your own script, based on Detection.vbs, to perform customized endpoint detection.
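The two customizations above, the encrypted-pages save setting handled by Endpoint Session Cleanup and file-and-registry-key detection in the style of Detection.vbs, are shown below as an added PowerShell example that is not part of Forefront UAG or its scripts. Invoke-WithSslPagesCached reproduces the save, disable, clean up, restore sequence the text describes, including restoring the user's setting when the session script fails; Test-EndpointApplications is detection logic written independently and does not use Detection.vbs or its interface. Assumptions not on the page: the registry value behind the Internet Explorer checkbox (DWORD DisableCachingOfSSLPages under Internet Settings, 1 = enabled), the RunDll32 call used to empty Temporary Internet Files, the portal URL, and the sample application catalog, which is constructed for this example.

```powershell
# Added example, not Forefront UAG code: customizing session cleanup and endpoint
# detection on a Windows client endpoint. Assumptions not on the page: the
# DisableCachingOfSSLPages registry value, the RunDll32 cache-clearing call,
# the portal URL, and the constructed sample catalog below.

$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-SslCacheSetting {
    # 1 = "Do not save encrypted pages to disk" is enabled; absent or 0 = pages are cached.
    $p = Get-ItemProperty -LiteralPath $IeSettings -ErrorAction SilentlyContinue
    if ($p -and $p.PSObject.Properties['DisableCachingOfSSLPages']) {
        return [int]$p.DisableCachingOfSSLPages
    }
    return 0
}

function Invoke-WithSslPagesCached {
    # Force SSL pages into Temporary Internet Files for the session so the cleanup
    # knows where they are, empty that folder at the end, then restore the setting.
    param([scriptblock]$Session)
    $original = Get-SslCacheSetting
    try {
        if ($original -ne 0) {
            Set-ItemProperty -LiteralPath $IeSettings -Name DisableCachingOfSSLPages -Value 0 -Type DWord
        }
        & $Session
    }
    finally {
        # Runs even if the session script throws. ClearMyTracksByProcess 8 clears
        # Temporary Internet Files only (history and cookies are left alone).
        Start-Process -FilePath 'RunDll32.exe' -ArgumentList 'InetCpl.cpl,ClearMyTracksByProcess 8' -Wait
        if ($original -ne 0) {
            Set-ItemProperty -LiteralPath $IeSettings -Name DisableCachingOfSSLPages -Value $original -Type DWord
        }
    }
}

function Test-EndpointApplications {
    # An application is reported as detected only when every listed file and every
    # listed registry key exists; an empty list places no constraint.
    param([hashtable[]]$Catalog)
    foreach ($app in $Catalog) {
        $paths   = @($app.Files) + @($app.RegistryKeys) | Where-Object { $_ }
        $missing = @($paths | Where-Object { -not (Test-Path -LiteralPath $_) })
        [pscustomobject]@{
            Name     = $app.Name
            Detected = ($missing.Count -eq 0)
            Missing  = ($missing -join '; ')
        }
    }
}

# Constructed sample catalog for this example (file and key names are assumptions).
$catalog = @(
    @{ Name         = 'Windows Firewall service (Vista and later)'
       Files        = "$env:SystemRoot\System32\mpssvc.dll"
       RegistryKeys = 'HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc' },
    @{ Name         = 'Java Runtime Environment (any version)'
       RegistryKeys = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment' }
)

Test-EndpointApplications -Catalog $catalog | Format-Table -AutoSize

# Assumed portal URL; the browser session is the "session" whose cache is cleaned.
Invoke-WithSslPagesCached -Session {
    Start-Process -FilePath 'iexplore.exe' -ArgumentList 'https://portal.example.com/' -Wait
}
```

The restore step sits in finally rather than after the session call so that a browser crash or a terminating error in the session script cannot leave the user's "Do not save encrypted pages to disk" preference disabled; the cache is emptied before the setting is reverted, matching the order the text describes for the component itself.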