This topic provides an overview of the Forefront Unified Access Gateway (UAG) features that affect your infrastructure design.
Forefront UAG single server or array deployment
Depending on your requirements, you can deploy a single Forefront UAG server, or an array of Forefront UAG servers. An array consists of multiple Forefront UAG servers that share the same configuration and provide scalability and high availability. You can implement load balancing among array members, using the Windows Network Load Balancing feature that is integrated into Forefront UAG or using a hardware load balancer.
For more information, see Introduction to array design. For more information about deploying Forefront UAG, see the Forefront UAG DirectAccess planning guide.
Forefront UAG as a DirectAccess server
Forefront UAG can be deployed as a DirectAccess server to extend the benefits of Windows DirectAccess across your infrastructure, enhancing scalability, simplifying deployment and management, and providing remote users the experience of being seamlessly connected to your internal network any time that they have Internet access. Depending on your requirements, you can deploy a single Forefront UAG DirectAccess server, or an array of servers to provide scalability and high availability. You can implement load balancing among array members, using the Windows Network Load Balancing feature that is integrated into Forefront UAG or using a hardware load balancer.
For more information, see Forefront UAG DirectAccess planning guide, Configuring NLB for a Forefront UAG DirectAccess array, and Configuring external load balancing for a Forefront UAG DirectAccess array.
Forefront UAG as a publishing server
Forefront UAG can be configured as a publishing server. Internal applications and resources are published via Forefront UAG, and can then be access by remote client endpoints, either directly, or via a Forefront UAG Web portal.
Application publishing
Using Forefront UAG you create trunks to publish a wide range of internal applications and resources for access by remote endpoints. For more information about Forefront UAG concepts such as trunks and portals, and about the types of applications you can publish, see Introduction to publishing design.
Endpoint deployment
Forefront UAG deploys endpoint components on managed and unmanaged remote client endpoints connecting to Forefront UAG portals and published applications. These components are required to enable endpoints to access a number of Forefront UAG features. Components can only be installed on endpoints that comply with system requirements.
For more information, see System requirements for Forefront UAG client devices, and Introduction to endpoint component deployment design.
Endpoint access control
Forefront UAG provides a number of mechanisms for controlling and securing endpoint access to Forefront UAG portals and published applications including, client authentication, endpoint health checking, and application authorization.
- Client authentication─You can require remote clients to
authenticate in order to establish a session with a Forefront UAG
portal. You can use a number of different client authentication
mechanisms. In addition, you can implement single sign-on, so that
client credentials that are provided during session logon are
passed to backend published servers that require authentication, so
clients only need to provide credentials once.
For more information, see Planning for client authentication.
- Endpoint health checking─You can compare endpoint
settings with Forefront UAG access policies. Only endpoints that
comply with policies can access published resources. You can create
inbuilt Forefront UAG access policies, or use Network Access
Protection (NAP) policies that are downloaded from a Network Policy
Server (NPS).
For more information, see Planning for endpoint health checking.
- Portal application authorization─You can implement
portal application authorization to limit access to portal
applications to specific users and groups.
For more information, see Planning for portal application authorization.
Logging and monitoring
Forefront UAG can log to a variety of formats, including a syslog server, RADIUS accounting server, SMTP server, and SQL Server. In addition, you can monitor Forefront UAG using Microsoft System Center Operations Manager 2007.
For more information, see Configuring monitoring and logging.