This topic is designed to help you understand the planning requirements for a Forefront Unified Access Gateway (UAG) application and farm publishing design, as follows:

Planning certificate requirements

Certificate requirements for application publishing include the following:

  • If endpoints connect to Forefront UAG trunks over HTTPS, the Forefront UAG server must be able to present a server certificate that is trusted by connecting endpoints and whose subject name or subject alternative name matches the trunk's public host name. This usually requires you to acquire a certificate from an external certification authority (CA) whose root is already trusted by the endpoints.

  • If you want to configure an HTTPS connection between the Forefront UAG server and backend published applications, the published server must have a server certificate that is trusted by the Forefront UAG server.
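The following PowerShell script is an added example, not part of the Forefront UAG documentation, that checks both certificate requirements from the Forefront UAG server: that a certificate for the trunk's public host name is present in the computer's personal store with its private key and chains to a trusted root, and that each backend published over HTTPS presents a certificate the UAG server trusts for the name UAG connects to. The host names `portal.example.com`, `app01.corp.example.com` and `owa.corp.example.com` are assumed placeholders.

```powershell
# Added example: verify trunk and backend certificate requirements from the UAG server.
# Host names below are assumptions; replace them with your own.

$PublicHostName = 'portal.example.com'                                  # assumed trunk host name
$Backends       = @('app01.corp.example.com', 'owa.corp.example.com')   # assumed HTTPS backends

function Test-TrunkCertificate {
    param([string]$HostName)
    $found = $false
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Collect the subject CN plus every DNS entry in the SAN extension (OID 2.5.29.17).
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1] }
        }
        # Accept an exact match or a wildcard entry such as *.example.com.
        $nameOk = $names | Where-Object { $_ -eq $HostName -or ($_.StartsWith('*.') -and $HostName -like $_) }
        if (-not $nameOk) { continue }
        $found = $true
        # Verify() builds the chain against this machine's trusted roots. Endpoints make the
        # same decision only if the issuing CA's root is in their own root store, which is
        # why a certificate from an external CA is normally required.
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            HasKey     = $cert.HasPrivateKey
            ChainValid = $cert.Verify()
        }
    }
    if (-not $found) { Write-Warning "No certificate for $HostName in Cert:\LocalMachine\My" }
}

function Test-BackendTls {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Default SslStream validation: the chain must build to a root this server trusts and
        # the certificate must match $HostName; either failure throws AuthenticationException.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Backend = $HostName; Trusted = $true; Detail = $remote.Subject; NotAfter = $remote.NotAfter }
        $ssl.Dispose()
    } catch {
        [pscustomobject]@{ Backend = $HostName; Trusted = $false; Detail = $_.Exception.Message; NotAfter = $null }
    } finally {
        $client.Close()
    }
}

Test-TrunkCertificate -HostName $PublicHostName | Format-List
$Backends | ForEach-Object { Test-BackendTls -HostName $_ } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the Forefront UAG server. A `Trusted = False` row for a backend means the UAG server would refuse the HTTPS connection to that published server; install the backend's issuing CA chain in the UAG server's Trusted Root Certification Authorities store, or reissue the backend certificate for the name UAG uses to reach it.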

Planning authentication requirements

Authentication requirements include the following:

  • If client authentication is required, Forefront UAG receives an authentication request from clients accessing a trunk, and queries an authentication server to verify credentials. This ensures that only authenticated client requests are passed to backend corporate servers and applications. To implement client authentication, ensure that you have an authentication infrastructure in your corporate environment. Forefront UAG can use a variety of authentication servers. For more information, see Planning for client authentication. If you do not require clients to authenticate, Forefront UAG uses passthrough, and authentication takes place on backend servers only.

  • If backend published applications require client authentication, using Forefront UAG you can implement a single sign-on mechanism that passes credentials provided during trunk authentication to backend servers, using basic authentication (HTTP 401), an HTML form, Kerberos constrained delegation, or Active Directory Federation Services (AD FS).

    To use Kerberos authentication, note the following:

    • Forefront UAG servers must belong to a domain.

    • You must define at least one authentication server for the trunk to which the application belongs.

    • All domain controllers in the internal network must be computers running Windows Server 2008 or Windows Server 2003.

    • Authenticating clients must be part of the same Active Directory forest as the Forefront UAG server and the application servers.

    • Forefront UAG servers and the application servers must be part of the same domain.

    To use AD FS, note the following:

    • Forefront UAG servers must belong to a domain.

    • An AD FS server must be deployed.

    • Active Directory must be used for authentication.

    • Forefront UAG requires a certificate that is trusted by endpoints because AD FS-enabled applications can only be published in an HTTPS trunk.
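The following PowerShell script is an added example, not part of the Forefront UAG documentation, that checks the Kerberos constrained delegation prerequisites listed above from the Forefront UAG server and shows the delegation setting UAG needs in order to forward trunk credentials to a published application. It requires the Active Directory PowerShell module. The computer name `app01` and the SPN `HTTP/app01.corp.example.com` are assumed placeholders.

```powershell
# Added example: check Kerberos constrained delegation prerequisites for a published application.
# The application server name and SPN are assumptions; replace them with your own.

Import-Module ActiveDirectory

$AppServer = 'app01'                          # assumed computer account of the published server
$AppSpn    = 'HTTP/app01.corp.example.com'    # assumed SPN of the published application

# 1. The Forefront UAG server must be a domain member.
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "$($cs.Name) is not domain-joined; Kerberos constrained delegation cannot be used." }
"UAG server $($cs.Name) is a member of $($cs.Domain)"

# 2. Constrained delegation needs at least Windows Server 2003 domain functional level, and the
#    documentation requires Windows Server 2003 or 2008 domain controllers; flag anything else.
$domain = Get-ADDomain
if ($domain.DomainMode -eq 'Windows2000Domain') { Write-Warning "Domain functional level is Windows 2000; raise it to at least Windows Server 2003." }
Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -notmatch 'Windows Server (2003|2008)' } |
    ForEach-Object { Write-Warning "Review DC $($_.HostName): $($_.OperatingSystem)" }

# 3. UAG and the application server must be in the same domain. Get-ADComputer searches the
#    current domain, so a server in another domain is simply not found.
$uag = Get-ADComputer -Identity $env:COMPUTERNAME -Properties msDS-AllowedToDelegateTo
try {
    $app = Get-ADComputer -Identity $AppServer
    "Application server $($app.DNSHostName) found in $($domain.DNSRoot)"
} catch {
    throw "$AppServer was not found in $($domain.DNSRoot); UAG and the application server must share a domain."
}

# 4. The SPN UAG requests a service ticket for must be registered on exactly one account.
#    A duplicate SPN makes Kerberos fail and the client falls back to NTLM, which breaks delegation.
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$AppSpn'")
switch ($owners.Count) {
    0       { Write-Warning "$AppSpn is not registered; register it with: setspn -S $AppSpn <account running the application>" }
    1       { "SPN $AppSpn is registered on $($owners[0].Name)" }
    default { Write-Warning "$AppSpn is registered on $($owners.Count) accounts (duplicate SPN): $($owners.Name -join ', ')" }
}

# 5. The UAG computer account must be allowed to delegate to that SPN ('Trust this computer for
#    delegation to specified services only', stored in msDS-AllowedToDelegateTo).
if ($uag.'msDS-AllowedToDelegateTo' -notcontains $AppSpn) {
    Write-Warning "$($cs.Name) is not allowed to delegate to $AppSpn. To allow it, run:"
    "Set-ADComputer -Identity $env:COMPUTERNAME -Add @{'msDS-AllowedToDelegateTo'='$AppSpn'}"
} else {
    "$($cs.Name) may delegate to $AppSpn"
}
```

Run the script as a domain account that can read Active Directory; the `Set-ADComputer` line it prints requires rights to modify the UAG computer object. Delegating to the specific SPN rather than enabling unconstrained delegation keeps the UAG server from obtaining tickets for arbitrary services on behalf of users.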

Planning endpoint access policy requirements

Using Forefront UAG, you can verify endpoint settings against predefined access policies, and allow or restrict access based on endpoint compliance. You can use the inbuilt predefined Forefront UAG access policies, create custom Forefront UAG access policies, or download Network Access Protection (NAP) policies.

Note the following endpoint access policy requirements:

  • Predetermine your health requirements for endpoints connecting to internal applications and resources.

  • To use NAP policies, you must have a Network Policy Server (NPS) in your corporate infrastructure. The NPS can be co-located on the Forefront UAG server.

Planning domain and workgroup requirements

During publishing deployment, Forefront UAG servers must be domain members in the following scenarios:

  • Providing remote access to internal file structures and shares.

  • Providing remote access to the entire internal network using SSTP.

  • Configuring single sign-on using Kerberos constrained delegation to forward session credentials to backend published applications.

  • Configuring single sign-on and federated access using AD FS.

Planning DNS requirements

DNS planning requirements include the following:

  • When publishing applications via a Forefront UAG trunk and a Web portal, a public DNS server must be able to resolve the portal's public host name, which remote users enter in their browser, to the external IP address of the Forefront UAG trunk so that the endpoint reaches the Forefront UAG portal page. In addition, the Forefront UAG server requires internal name resolution to resolve the names and IP addresses of backend published servers, and of infrastructure servers such as authentication servers.

  • When publishing applications via a Forefront UAG trunk with a connection directly to the published application, you can publish an application by using an application-specific host name instead of the portal host name, so that endpoints connect directly to the application. In order for remote endpoints to reach these applications, a public DNS server must be able to resolve each application-specific host name that you configure. Note that the application-specific host name must resolve to the same IP address as the portal host name.
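The following PowerShell script is an added example, not part of the Forefront UAG documentation, that checks both DNS requirements above. `Test-PublicNames` should be run from an external endpoint (or a machine whose resolver forwards to public DNS) and confirms that every application-specific host name resolves, and resolves to the same address as the portal host name; `Test-InternalNames` should be run on the Forefront UAG server and confirms that backend and infrastructure servers resolve from there. All host names in the script are assumed placeholders.

```powershell
# Added example: verify public and internal name resolution for a Forefront UAG trunk.
# Host names below are assumptions; replace them with your own.

$PortalHostName = 'portal.example.com'                                      # assumed portal host name
$AppHostNames   = @('mail.example.com', 'crm.example.com')                  # assumed application-specific host names
$InternalHosts  = @('app01.corp.example.com', 'dc01.corp.example.com')      # assumed backend and auth servers

function Resolve-A {
    # Returns the sorted IPv4 addresses for a name via the local resolver, or an empty array.
    param([string]$Name)
    try {
        [System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString } |
            Sort-Object
    } catch {
        @()
    }
}

function Test-PublicNames {
    param([string]$Portal, [string[]]$Apps)
    $portalIps = @(Resolve-A $Portal)
    if ($portalIps.Count -eq 0) { throw "Portal host name $Portal does not resolve; endpoints cannot reach the trunk." }
    foreach ($app in $Apps) {
        $ips = @(Resolve-A $app)
        # An application-specific host name must point at the same trunk IP as the portal;
        # a different address lands the request on a listener that knows nothing about the trunk.
        $status = if ($ips.Count -eq 0) { 'NOT RESOLVED' }
                  elseif (($ips -join ',') -eq ($portalIps -join ',')) { 'OK' }
                  else { 'MISMATCH' }
        [pscustomobject]@{
            Name            = $app
            Addresses       = ($ips -join ',')
            PortalAddresses = ($portalIps -join ',')
            Status          = $status
        }
    }
}

function Test-InternalNames {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $ips = @(Resolve-A $n)
        [pscustomobject]@{ Name = $n; Addresses = ($ips -join ','); Resolves = ($ips.Count -gt 0) }
    }
}

"Public resolution (run from outside the corporate network):"
Test-PublicNames -Portal $PortalHostName -Apps $AppHostNames | Format-Table -AutoSize
"Internal resolution (run on the Forefront UAG server):"
Test-InternalNames -Names $InternalHosts | Format-Table -AutoSize
```

The script uses the operating system resolver, so the public check only means something when it is run from outside the internal network, where names resolve against the public zone rather than any split-brain internal copy of it.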

Planning for publishing specific applications

In addition to the general planning information provided on this page, you can find application-specific planning information in the following solution guides:

Next steps

For information on creating trunks and publishing applications, see the Publishing deployment guide.