Enabling remote access to Exchange applications with Forefront Unified Access Gateway (UAG) provides the following benefits:
- Pre-authentication—In a standard Exchange deployment, users authenticate directly against the Exchange Client Access server. By publishing Exchange applications with Forefront UAG, you can allow users to preauthenticate against the Forefront UAG server before they gain access to the internal Exchange Client Access server. Forefront UAG supports the following preauthentication methods:
  - Basic—Users are prompted for a user name and password. When using Basic authentication, the user name and password are not encrypted when they are transmitted, unless you are also using Secure Sockets Layer (SSL) to encrypt the HTTP session.
  - NTLM/KCD—Users are not prompted for a user name and password. This authentication method provides the highest level of security when accessing Exchange services. When the end user accesses the portal, a hashed version of the password is transmitted automatically (without user interaction) to Forefront UAG, and then Kerberos constrained delegation is used to provide access to the Client Access server.
- Web farm load balancing (WFLB)—A large organization can have many Exchange Client Access servers. To ensure that traffic is distributed evenly across the Exchange Client Access servers, load balancing is used, as follows:
  - Forefront UAG uses a round-robin mechanism to ensure that user requests to a web application serviced by a web farm are distributed fairly among farm members that are online, by spreading requests from different IP addresses evenly among the web farm members. This even spread is preserved during failover: when failover occurs, servers that are not responding are detected, and the load is distributed among the available servers.
  - Forefront UAG uses affinity to ensure that, after a user has been routed once to a particular Client Access server, the user continues to be routed to that server. To keep this persistence, Forefront UAG supports session affinity and IP affinity.
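The round-robin, IP affinity and failover behaviour described above, modelled as an added example in Python (not Forefront UAG code): farm member names, client addresses and health state are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class WebFarm:
    """Round-robin distribution over online farm members with IP affinity."""
    members: list[str]                              # Client Access server names (constructed)
    online: set[str] = field(default_factory=set)   # members currently passing health checks
    affinity: dict[str, str] = field(default_factory=dict)  # client IP -> pinned member
    _next: int = field(default=0, init=False)       # round-robin cursor

    def __post_init__(self) -> None:
        self.online = set(self.members)

    def _round_robin(self) -> str:
        """Advance the cursor until an online member is found; failed ones are skipped."""
        for _ in range(len(self.members)):
            candidate = self.members[self._next % len(self.members)]
            self._next += 1
            if candidate in self.online:
                return candidate
        raise RuntimeError("no web farm member is online")

    def route(self, client_ip: str) -> str:
        """Return the member that serves this client.

        The first request from an IP is placed by round-robin and the IP is
        pinned to that member; if the member later fails, the IP is re-homed.
        """
        member = self.affinity.get(client_ip)
        if member is None or member not in self.online:
            member = self._round_robin()
            self.affinity[client_ip] = member
        return member

    def mark_failed(self, member: str) -> None:
        """A health check found the member not responding: stop routing to it."""
        self.online.discard(member)

    def mark_recovered(self, member: str) -> None:
        self.online.add(member)


def distribution(farm: WebFarm, client_ips: list[str]) -> dict[str, int]:
    """Number of distinct clients placed on each member (all members listed)."""
    counts = {m: 0 for m in farm.members}
    for ip in client_ips:
        counts[farm.route(ip)] += 1
    return counts
```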
- Traffic inspection—Forefront UAG includes an application-level control engine that stops application-level HTTP-based attacks, and enforces application data validation, thus preventing web server exploits such as URL manipulation and buffer overflows. Forefront UAG provides the following traffic inspection features:
  - URL inspection—Forefront UAG inspects not only basic URLs, but also parameters and any other incoming data. Application-level information can be inspected to the degree of exact lengths and types of URLs, parameters, methods, and their combinations, which are permitted and expected by the application server. For example, attempts to crash or compromise the server by sending very long URLs, unexpected parameters, or unexpected methods will fail.
  - Predefined URL rule sets—Forefront UAG supplies predefined, application-aware rule sets that are designed to protect the portal and the internal website, and to meet the specific needs of each of the web and browser-embedded applications you enable through the trunk. You can also create customized rules for proprietary applications.
  - HTTP filtering—You can configure Forefront UAG to check HTTP headers and filter requests, based on header types, sizes, lengths, character ranges, and values. HTTP filtering uses positive logic; only explicitly allowed traffic is permitted to pass through the Forefront UAG server. Traffic that does not conform is automatically rejected.
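A positive-logic request filter in the spirit of the URL inspection and HTTP filtering features above, written as an added example (not a Forefront UAG rule set): the paths, parameter names, header limits and sample requests are constructed, and anything not explicitly allowed is rejected.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class UrlRule:
    path: re.Pattern             # pattern the URL path must fully match
    methods: frozenset           # HTTP methods the application expects here
    params: frozenset            # query parameter names the application expects
    max_url_len: int = 2048      # overall URL length limit
    max_param_len: int = 256     # per-value length limit


# Constructed rule set (illustrative paths, not a real UAG rule set): only these
# paths, methods and parameters are permitted.
RULES = [
    UrlRule(re.compile(r"/owa/"), frozenset({"GET", "POST"}), frozenset({"ae", "t", "id"})),
    UrlRule(re.compile(r"/owa/logoff"), frozenset({"GET"}), frozenset()),
]

# Constructed header policy: allowed header names with a maximum value length;
# values must stay within printable ASCII (no control characters).
ALLOWED_HEADERS = {"host": 253, "user-agent": 512, "cookie": 4096, "content-type": 128}
HEADER_VALUE = re.compile(r"[\x20-\x7e]*")


def inspect(method: str, url: str, headers: dict) -> tuple:
    """Return (allowed, reason). Positive logic: the request must match a rule
    in every dimension; anything not explicitly expected is rejected."""
    parts = urlsplit(url)
    rule = next((r for r in RULES if r.path.fullmatch(parts.path)), None)
    if rule is None:
        return False, "path not in rule set"
    if len(url) > rule.max_url_len:
        return False, "URL too long"
    if method.upper() not in rule.methods:
        return False, f"method {method} not expected for {parts.path}"
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in rule.params:
            return False, f"unexpected parameter {name}"
        if len(value) > rule.max_param_len:
            return False, f"parameter {name} too long"
    for name, value in headers.items():
        limit = ALLOWED_HEADERS.get(name.lower())
        if limit is None:
            return False, f"header {name} not allowed"
        if len(value) > limit or not HEADER_VALUE.fullmatch(value):
            return False, f"header {name} fails size or character check"
    return True, "allowed"
```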
- Session cleanup—The Forefront UAG Endpoint Session Cleanup component deletes persistent browser data that is downloaded to a client endpoint browser from the sites protected by Forefront UAG, or created by a client endpoint browser, when any of the following occurs:
  - A Forefront UAG session ends, for example, when the user closes the browser.
  - The user logs off a Forefront UAG site by using the site's logoff mechanism.
  - A scheduled logoff or scheduled cleanup takes place.
- Edge readiness—Forefront UAG was developed and designed as an Internet and perimeter network appliance, and it is hardened and secured according to industry standards.
- Monitoring functionality—Forefront UAG Web Monitor can be used to monitor the number of sessions and users that are connecting to Exchange through the Forefront UAG portal. The Web Monitor can also be used to view statistics on which mail services the end users are currently using, or have used in the past. You can also export the SQL data and use it to perform queries for reporting purposes.
- Using Outlook Web Access (OWA) in Forefront UAG deployments provides the following additional benefits:
  - Strong authentication—When using OWA, you can use Integrated Windows authentication (IWA), which includes the Negotiate, Kerberos, and NTLM authentication methods, to provide strong authentication.
  - Single sign-on—Users need to sign on only once during a session. After they do, Forefront UAG saves their credentials, and they are then automatically signed on to any system they want to access during the session. This is useful if a user receives a mail containing a link to a SharePoint site or additional applications.
  - Health inspection—Forefront UAG provides a number of endpoint policies that can be used to check the health of endpoint clients. For example, you can provide unrestricted access to clients running an up-to-date firewall and antivirus, while restricting (or blocking) access to clients that only have an up-to-date firewall.
  - Network Access Protection (NAP)—Forefront UAG also supports the use of a Network Policy Server (NPS) to provide NAP, which is a platform that allows network administrators to define specific levels of network access based on a client's identity, the groups to which the client belongs, and the degree to which the client complies with corporate governance policy. If a client is not compliant, NAP provides a mechanism for automatically bringing the client into compliance (a process known as remediation), and then dynamically increasing its level of network access.
  - Upload/download policies—In addition to the endpoint policies that check the health of endpoint clients, Forefront UAG also provides policies that restrict the actions that end users can perform when connected to the website. For example, you can create a policy such that if the client endpoint does not have an antivirus installed, it can download files that are included as e-mail attachments, but cannot upload files as e-mail attachments.