Configuring client endpoints to trust Forefront UAG sites

When installing Forefront Unified Access Gateway (UAG) endpoint components, the Forefront UAG Endpoint Detection component verifies the identity of the Forefront UAG site against the server certificate for the site, and checks that the site is on the Trusted Sites list of the client endpoint. The Endpoint Detection component runs only if the site is trusted.

This topic describes how to configure the end user’s Trusted Sites list. The list should contain each of the Forefront UAG sites the user needs to access, so that the Forefront UAG Endpoint Detection component can verify that it is trusted.

A Forefront UAG site can be added to a user’s Trusted Sites list on the client endpoint in one of two ways:

The domain administrator can remotely add the site, or a number of sites, to the user’s Trusted Sites list with no user intervention. For details, see Configuring the Trusted Sites list.

Users can add the Forefront UAG site to their Trusted Sites list on demand.

Note:
After users add a site or a number of sites to the list, users connecting to a portal can remove them from the list by clicking Delete user-defined Trusted Sites list in the System Information window. This removes all the user defined sites from the list.

The following procedure describes how the domain administrator can remotely manage end users’ Trusted Sites list, so that users are not prompted when the Endpoint Detection component verifies that the Forefront UAG site is trusted.

Configuring the Trusted Sites list

You can control the configuration of the Trusted Sites list by using a registry key that you add to the user’s endpoint, which you can deploy as you do any other managed configuration, for example, via the Windows Logon Script or as part of your Group Policy. You can also use this key to control which other sites users can add on demand to their Forefront UAG Trusted Sites list.

To configure the Trusted Sites list

On the Forefront UAG server, access the following folder:

…\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples
From the samples folder, copy the following files to an external location, making sure they reside in the same folder:

CheckSite.bat

CheckSite.reg
At the location where you copied the files, edit the file CheckSite.reg, as described in the Values of CheckSite.reg table below.

The file provides a sample configuration, which adds the following sites to users’ Trusted Sites lists:
- https://www.microsoft.com
- https://www.myPortal.com
Note the following in the sample configuration:
- Users can add sites to the Trusted Sites list on demand, but they cannot add HTTP sites to the list.
- Users will not be prompted if a trusted site’s certificate is not valid; in this case, detection will not be performed.
- Users will be prompted if an untrusted site’s certificate is not valid, and will be able to add it to the Trusted Sites list on demand.
Deploy the CheckSite.bat file to the end users whose Trusted Sites list you wish to configure.

Note:

Make sure the file CheckSite.reg resides in the same folder as the file CheckSite.bat.

At the endpoints where you deployed the configuration, the following Registry key is added or updated according to your definitions:

HKEY_CURRENT_USER\Software\WhaleCom\Client\CheckSite

The Trusted Sites configuration is applied on the endpoint, with the settings you defined here.

Note:
Make sure the file CheckSite.reg resides in the same folder as the file CheckSite.bat.

Values of CheckSite.reg

Value

Type

Description

Data

Managed

DWORD

Mandatory. Determines whether this configuration is applied and whether the computer’s Trusted Sites list is managed remotely or not.

1: managed.
0: unmanaged.

Note:
Any number other than 1 is considered a zero.

CanAddSites

DWORD

Optional. Determines whether the user can add other sites to the Trusted Sites list on demand.

1: users can add sites to list.
0: users cannot add sites to list. If this value is not defined, users cannot add sites to the list.

CanAddHttpSites

DWORD

Optional. Determines whether the user can add HTTP sites to the list on demand. Applicable only when the value of “CanAddSites” is 1.

1: users can add HTTP sites to Trusted Sites list.
0: users cannot add HTTP sites to Trusted Sites list.

If this value is not defined, users cannot add HTTP sites to the list.

PromptInvalidCertTrusted

DWORD

Optional. Determines behavior when a trusted site’s certificate is not valid.

1: users are prompted and can select whether to add the site to the Trusted Sites list or not.
0: users are not prompted; access to the site is denied.

If this value is not defined, users are not prompted.

PromptInvalidCertUntrusted

DWORD

Optional. Determines whether users are prompted when an untrusted site’s certificate is not valid.

1: users are prompted and can select whether to add the site to the Trusted Sites list or not.
0: users are not prompted; access to the site is denied.

If this value is not defined, users are prompted.

TrustedSite<#>

String

Mandatory. List of trusted sites.

Define a site as follows: *

Schema: HTTPS or HTTP**

Host: FQDN or IP

Port number; optional for default ports (443 and 80).

PilotExpirationTime

String

Optional. End date of “pilot” mode. While in this mode, the identity of sites on the Trusted Sites list you defined here is not verified.

Caution:
Use this option for a very limited time and not while the system is in production.

Date, using the following format: mm/dd/yyyy

By default, no pilot period is configured.

* Values are case-insensitive.

** The identity of trusted HTTP sites will not be verified, because they do not use a server certificate.