When installing Forefront Unified Access Gateway (UAG) endpoint components, the Forefront UAG Endpoint Detection component verifies the identity of the Forefront UAG site against the server certificate for the site, and checks that the site is on the Trusted Sites list of the client endpoint. The Endpoint Detection component runs only if the site is trusted.
This topic describes how to configure the end user’s Trusted Sites list. The list should contain each of the Forefront UAG sites the user needs to access, so that the Forefront UAG Endpoint Detection component can verify that it is trusted.
A Forefront UAG site can be added to a user’s Trusted Sites list on the client endpoint in one of two ways:
- The domain administrator can remotely add the
site, or a number of sites, to the user’s Trusted Sites list with
no user intervention. For details, see Configuring the Trusted Sites list.
- Users can add the Forefront UAG site to their
Trusted Sites list on demand.
Note: After users add a site or a number of sites to the list, users connecting to a portal can remove them from the list by clicking Delete user-defined Trusted Sites list in the System Information window. This removes all the user defined sites from the list.
The following procedure describes how the domain administrator can remotely manage end users’ Trusted Sites list, so that users are not prompted when the Endpoint Detection component verifies that the Forefront UAG site is trusted.
Configuring the Trusted Sites list
You can control the configuration of the Trusted Sites list by using a registry key that you add to the user’s endpoint, which you can deploy as you do any other managed configuration, for example, via the Windows Logon Script or as part of your Group Policy. You can also use this key to control which other sites users can add on demand to their Forefront UAG Trusted Sites list.
To configure the Trusted Sites list
-
On the Forefront UAG server, access the following folder:
…\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples
-
From the samples folder, copy the following files to an external location, making sure they reside in the same folder:
CheckSite.bat
CheckSite.reg
-
At the location where you copied the files, edit the file CheckSite.reg, as described in the Values of CheckSite.reg table below.
The file provides a sample configuration, which adds the following sites to users’ Trusted Sites lists:
- https://www.microsoft.com
- https://www.myPortal.com
Note the following in the sample configuration:
- Users can add sites to the Trusted Sites list
on demand, but they cannot add HTTP sites to the list.
- Users will not be prompted if a trusted
site’s certificate is not valid; in this case, detection will not
be performed.
- Users will be prompted if an untrusted site’s
certificate is not valid, and will be able to add it to the Trusted
Sites list on demand.
- https://www.microsoft.com
-
Deploy the CheckSite.bat file to the end users whose Trusted Sites list you wish to configure.
Note: Make sure the file CheckSite.reg resides in the same folder as the file CheckSite.bat. At the endpoints where you deployed the configuration, the following Registry key is added or updated according to your definitions:
HKEY_CURRENT_USER\Software\WhaleCom\Client\CheckSite
The Trusted Sites configuration is applied on the endpoint, with the settings you defined here.
Values of CheckSite.reg
Value | Type | Description | Data | ||
---|---|---|---|---|---|
Managed |
DWORD |
Mandatory. Determines whether this configuration is applied and whether the computer’s Trusted Sites list is managed remotely or not. |
|
||
CanAddSites |
DWORD |
Optional. Determines whether the user can add other sites to the Trusted Sites list on demand. |
|
||
CanAddHttpSites |
DWORD |
Optional. Determines whether the user can add HTTP sites to the list on demand. Applicable only when the value of “CanAddSites” is 1. |
If this value is not defined, users cannot add HTTP sites to the list. |
||
PromptInvalidCertTrusted |
DWORD |
Optional. Determines behavior when a trusted site’s certificate is not valid. |
If this value is not defined, users are not prompted. |
||
PromptInvalidCertUntrusted |
DWORD |
Optional. Determines whether users are prompted when an untrusted site’s certificate is not valid. |
If this value is not defined, users are prompted. |
||
TrustedSite<#> |
String |
Mandatory. List of trusted sites. |
Define a site as follows: * Schema: HTTPS or HTTP** Host: FQDN or IP Port number; optional for default ports (443 and 80). |
||
PilotExpirationTime |
String |
Optional. End date of “pilot” mode. While in this mode, the identity of sites on the Trusted Sites list you defined here is not verified.
|
Date, using the following format: mm/dd/yyyy By default, no pilot period is configured. |
* Values are case-insensitive.
** The identity of trusted HTTP sites will not be verified, because they do not use a server certificate.