Using Forefront Unified Access Gateway (UAG), you can make internal applications and resources available to remote endpoints, by publishing them via a transfer channel, known as a trunk.

This topic provides an overview of the following:

About trunks

You can create the following types of trunks:

  1. HTTP trunks—Endpoints connect to the trunk over an HTTP connection.

  2. HTTPS trunks—Endpoints connect to the trunk over an HTTPS connection. A server certificate is defined for a trunk, and is used to authenticate the identity of the Forefront UAG server to the endpoint. An external certificate is required because the endpoint must trust the certification authority (CA) that issued the certificate.

  3. Redirection trunks—For each existing HTTPS trunk, you can create a redirect trunk with the same name and properties as the HTTPS trunk. When remote endpoints request HTTPS trunks using an HTTP connection, the redirect trunk ensures that requests are redirected to the HTTPS trunk.

For each Forefront UAG trunk, you can define a number of properties, and select the applications and resources you want to publish via the trunk.

Trunk properties

Using the Create Trunk Wizard, you can create a trunk that is configured with basic trunk properties. After completing the wizard, you can modify the trunk properties, if required.

Trunk properties include:

  1. Names and IP addresses—You specify a unique internal trunk name, a public host name that endpoints enter to access the trunk, and an IP address and port combination on which Forefront UAG listens for requests to the trunk. You configure these settings on the main page and on the General tab of the trunk properties.

  2. Authentication settings—You can require that endpoint users authenticate in order to access the trunk, using a variety of authentication mechanisms. You configure these settings on the Authentication tab of the trunk properties.

  3. Certificate—For HTTPS trunks, you specify a server certificate that is used to authenticate the Forefront UAG server to endpoints connecting to the trunk. You select the certificate on the General tab of the trunk properties.

  4. Endpoint access policy—Using Forefront UAG, you can control remote access by specifying that endpoints must comply with access policy requirements in order to access a trunk. You can create inbuilt access policies, or download Network Access Protection (NAP) policies from a Network Policy Server (NPS). Endpoint settings are evaluated, and only endpoints that comply with the access policy can connect to the trunk. You configure these settings on the Endpoint Access Settings tab of the trunk properties.

  5. Web portal home page—You can associate a Web portal home page with each trunk. Via the portal page, endpoints can access one or more applications published via the trunk. Forefront UAG provides a default portal page, or you can create a custom home page.

  6. Portal settings—There are a number of portal features that you can configure for a trunk. These include allowing users to select the authentication server against which they authenticate, enabling users to authenticate dynamically when they attempt to access an application for which the credentials they are currently logged on with are not sufficient, and allowing users to manage their credentials and change passwords via the portal. You configure these settings on the Authentication tab of the trunk properties.

  7. Logon settings—You can specify how users log on to a trunk, including using a default or custom logon page, setting maximum logon attempts, applying an Outlook Web Access look and feel to a logon page, and configuring logoff behavior. You configure these settings on the Authentication tab of the trunk properties.

  8. Session settings—You can specify how users access a trunk session, including configuring a maximum number of concurrent session connections (both authenticated and unauthenticated), specifying how endpoint components are installed during a session, and configuring cleanup behavior when a session ends. You configure session settings on the Session tab of the trunk properties.

  9. Portal application template—Forefront UAG provides a default template for the trunk portal home page. You can use the default template, or configure and use a customized template. In addition, you can configure the global Content-Type lists, and specify how to handle compression in responses. You select the template on the Application Customization tab of the trunk properties.

  10. Traffic inspection—Forefront UAG can inspect URLs, parameters, and other incoming data. You can configure general URL inspection settings, such as a level of enforcement for a URL set, and a maximum size of pages sent using HTTP POST and PUT. You can configure URL inspection rules that deny access to URLs that are not present in the URL inspection rule list, and define global parameter rules that are applied to a URL when its URL inspection rule is set to handle parameters. Forefront UAG provides predefined URL rule sets for a number of applications. In addition, you can configure Forefront UAG to check HTTP headers and filter requests, so that only explicitly allowed traffic passes through the Forefront UAG server. You configure inspection on the URL Inspection, Global URL Settings, and URL Set tabs of the trunk properties.

  11. HTTP compression—You can configure how Forefront UAG handles HTTP compression. You configure HTTP compression settings on the Application Customization tab of the trunk properties.

  12. HAT settings—You can use the host address translation (HAT) mechanism to translate multiple internal host names to a single external host name, by encrypting the address of the internal resource and inserting it into the URL. When endpoints communicate with Forefront UAG to request and receive data from internal applications and resources, Forefront UAG transparently parses the requests and responses using content-type parsers, and dynamically manipulates the URLs in them. HAT configuration includes defining a list of URLs on which you do not want to run the content-type parsers in the request or response body, defining a list of URLs on which you want to run search-and-replace parsers on the response body, and defining a list of URLs that, when requested, are redirected or rerouted to a specific location. You configure HAT on the Portal tab of the trunk properties.
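The positive security model of URL inspection described under Traffic inspection, as an added example that is not from this page or from Forefront UAG: requests are denied unless a rule explicitly allows the URL, the method and, in "handle" mode, each parameter. The rule set for a hypothetical published Outlook Web Access path, the rule format, the parameter value patterns and the 2 MB POST/PUT limit are all constructed assumptions, not UAG's own configuration format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed rule set for a hypothetical published Outlook Web Access path.
# Each rule has a URL pattern, the allowed methods and a parameter mode:
# "ignore" (parameters not checked), "reject" (any parameter denied) or
# "handle" (each parameter must match a named value rule). This mirrors the
# behaviour the page describes, not UAG's actual rule file format.
URL_RULES = [
    {"url": r"^/owa/?$", "methods": {"GET"}, "params": "ignore"},
    {"url": r"^/owa/auth/logon\.aspx$", "methods": {"GET", "POST"},
     "params": "handle",
     "param_rules": {"username": r"^[\w.\-@]{1,64}$",
                     "destination": r"^/owa/[\w./\-]{0,200}$",
                     "flags": r"^\d{1,3}$"}},
    {"url": r"^/owa/attachment\.ashx$", "methods": {"GET"}, "params": "reject"},
]
MAX_BODY_BYTES = 2 * 1024 * 1024  # assumed maximum size for POST/PUT pages


def inspect(method, url, body_len=0):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    if method in ("POST", "PUT") and body_len > MAX_BODY_BYTES:
        return False, "body exceeds the maximum POST/PUT size"
    parts = urlsplit(url)
    rule = next((r for r in URL_RULES if re.match(r["url"], parts.path)), None)
    if rule is None:
        return False, "URL not in rule list"
    if method not in rule["methods"]:
        return False, "method not allowed for this URL"
    params = parse_qsl(parts.query, keep_blank_values=True)
    if rule["params"] == "reject" and params:
        return False, "parameters not allowed for this URL"
    if rule["params"] == "handle":
        for name, value in params:
            pattern = rule["param_rules"].get(name)
            if pattern is None:
                return False, f"unexpected parameter {name!r}"
            if not re.fullmatch(pattern, value):
                return False, f"parameter {name!r} failed its value rule"
    return True, "allowed"
```

Body parameters of a POST would be checked the same way as the query string; the example keeps to the query string for brevity.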

Trunk applications

The following list describes the internal resources you can publish via a Forefront UAG trunk, grouped by application type.

Built-in services

  • Portal—Provides the default Forefront UAG portal home page for the trunk.

  • File Access—Allows remote endpoints to connect to file servers on the corporate network, and to shares on the file servers.

  • Web Monitor—Forefront UAG Web Monitor is used to monitor Forefront UAG traffic. You can publish Web Monitor to access it remotely via the portal.

Web applications

  • Other Web application (application specific host name)—Allows you to publish an application that is not specified on the Web applications list. This option is used if you want to enable users to reach the application using a public host name for the application instead of the portal public host name.

  • Other Web application (portal host name)—Allows you to publish an application that is not specified on the Web applications list. This option is used if you want to enable users to reach the application using the portal public host name.

  • Microsoft Dynamics CRM 4.0—Allows you to publish Dynamics CRM with increased control and security. For more information, see the Dynamics CRM publishing solution guide.

  • Microsoft Exchange (all versions)—Allows you to publish Outlook Web Access, Outlook Anywhere (RPC over HTTP), and ActiveSync for Exchange 2003, Exchange 2007, and Exchange 2010. For more information, see the Exchange services publishing solution guide.

  • Microsoft Forefront Identity Manager 2010—Allows you to publish Forefront Identity Manager via Forefront UAG.

  • Microsoft Office Communicator Web Access 2007—Allows you to publish Office Communicator Web Access via Forefront UAG.

  • Microsoft Office SharePoint Portal Server 2003, Microsoft Office SharePoint Server 2007, and Microsoft SharePoint Server 2010—Allows you to publish SharePoint via Forefront UAG. For more information, see the SharePoint publishing solution guide.

Browser-embedded applications

  • Generic Browser-Embedded App (Multi Servers)—Allows you to publish a browser-embedded application that is not specified on the browser-embedded list.

  • Citrix XenApp (Web Interface 5.0)—Allows you to publish Citrix XenApp.

Terminal Services (TS)/Remote Desktop Services (RDS)

  • RemoteApp—Allows you to provide access to RDS. Access to RemoteApps, Remote Desktop (predefined), and Remote Desktop (user-defined) is available for endpoint devices running Windows 7, Windows Vista with Service Pack 2, Windows Vista with Service Pack 1, and Windows XP with Service Pack 3. Endpoints must be running the Remote Desktop Connection (RDC) 7.0 client. For computers not running Windows 7, see Enabling RDS on Windows Vista and Windows XP.

  • Remote Desktop (predefined)—Allows access to a Remote Desktop specified by the administrator.

  • Remote Desktop (user-defined)—Allows access to a remote desktop selected by the user.

  • TS Client Tunneling—Allows access to published TS by tunneling RDS traffic from the endpoint to RDS servers. Tunneled traffic is not controlled or inspected, and endpoints require installation of the Socket Forwarding endpoint component. For endpoints running Windows XP and Windows Vista 32-bit.

  • TS Web Client Tunneling—Allows access to published TS by tunneling RDS traffic from the endpoint to RDS servers using the Socket Forwarding component. For endpoints running Windows Server 2003.

Non-Web applications

  • Generic Silent Client App—Allows you to publish a non-Web application.

  • Generic Client App (multi servers)—Allows you to publish a non-Web application.

  • Enhanced Generic Client App (hosts required/optional/disabled)—Allows you to publish a non-Web application.

  • Enhanced Generic Client App (multi servers)—Allows you to publish a non-Web application.

  • Generic SOCKS Enabled Client App—Allows you to publish a non-Web application.

  • Generic HTTP Proxy Enabled Client App—Allows you to publish a non-Web application.

  • Citrix Program Neighbourhood (Direct)—Allows you to publish a non-Web application.

  • Windows 2003/XP/Vista Terminal Services Client—Allows you to publish a non-Web application.

  • Outlook (Corporate/Workgroup Mode)—Allows you to publish a non-Web application.

  • Local Drive Mapping—Provides access to internal file structures using Forefront UAG File Access.

  • Local Drive Mapping (Windows XP/2003)—Provides access to internal file structures using Forefront UAG File Access.

Application properties

Using the Add Application Wizard, you can define the basic settings for publishing applications in a trunk. After completing the wizard, you can define additional application settings, if required.

Application settings include the following:

  1. General application settings—You can configure the name by which an application is referenced in the portal, and any prerequisite applications that must be running in order for the application to run (for client/server and legacy applications only).

  2. Inactivity period for monitoring application usage—You can configure an inactivity period for an application. When a user does not use the application within the specified time, an “application exited” message is sent to the Web Monitor. When a user resumes application use, an “application accessed” message is sent. If the period is set to zero, the application closes only when the user session ends.

  3. Backend server settings—You can configure the name, IP addresses, and ports of backend servers, so that a Forefront UAG server can communicate with published applications hosted on the servers.

  4. Authentication settings—You can configure authentication settings to specify how credentials, provided by users during portal logon, are forwarded to published backend servers that require users to authenticate.

  5. Application inspection—You can specify how application traffic is inspected. You can configure how URL requests are checked against URL and other rules, and specify how HTTP data is inspected. For Web applications, you can enable HTTP request smuggling protection. In addition, you can configure cookie encryption for Set-Cookie headers.

  6. Socket Forwarding component—For non-HTTP and non-HTTPS applications, you can specify how the Forefront UAG Socket Forwarding component is activated on remote endpoints.

  7. Application access policies—In addition to configuring an access policy for the portal, you can configure an access policy with which endpoints must comply in order to access the application, and to download and upload files associated with the application. If applicable, you can also configure a policy which controls access to restricted zones for a published application.

  8. Application authorization—You can control application access by configuring authorization settings that restrict access to specific users and groups.

  9. Application link in portal—If you are using the Forefront UAG default portal home page, you can specify how applications are presented in the portal.

Connecting to trunks

Remote endpoints connect over HTTP or HTTPS to the public host name of a trunk, and access applications published via a trunk, either via a Web portal or by connecting directly to an application.

The following sections describe:

Connecting via a Web portal

Endpoints can connect to Forefront UAG by means of a portal Web page, which allows users to type a single URL to reach a consolidated gateway for access to one or more applications published in a trunk. Requiring users to access resources via a portal page provides a consolidated gateway to multiple applications, allows users to view and manage endpoint component installation, and lets them manage their credentials, including selecting authentication servers, entering additional credentials as required by portal applications, and changing passwords. To allow access to multiple internal resources using a single external IP address, Forefront UAG trunks automatically use the HAT mechanism to identify the internal address. For more information, see About host address translation (HAT).
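The HAT mechanism referred to here and described under the HAT settings trunk property, as an added example that is not from this page or from Forefront UAG: on the response side every internal URL in the body is rewritten to the single external host name with the internal host carried as an encrypted, integrity-protected token in the path; on the request side the token is verified and mapped back. The per-trunk secret, the public host name, the path marker, the corp.local internal suffix, and the use of an HMAC-SHA256 keystream plus HMAC tag as a stand-in for a real cipher are all assumptions of this example.

```python
import base64, hashlib, hmac, os, re

# Assumptions for this constructed example: a per-trunk secret, the trunk's
# public host name, a path marker for translated URLs and an internal DNS
# suffix. None of these are UAG's real values or format.
KEY = b"constructed-demo-trunk-secret"
EXTERNAL_HOST = "portal.contoso.com"
MARK = "hat"
INTERNAL_URL = re.compile(r"https?://([A-Za-z0-9.\-]+\.corp\.local)(/[^\s\"'<>]*)?")


def _prf(nonce, n):
    """HMAC-SHA256 in counter mode as a keystream; a stand-in for a real cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(KEY, b"ks" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt_host(host):
    """Seal an internal host name into an opaque, integrity-protected URL token."""
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(host.encode(), _prf(nonce, len(host))))
    tag = hmac.new(KEY, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")


def decrypt_host(token):
    """Recover the internal host; reject tokens that were altered by the client."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    nonce, ct, tag = raw[:8], raw[8:-16], raw[-16:]
    expect = hmac.new(KEY, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if len(raw) < 24 or not hmac.compare_digest(tag, expect):
        raise ValueError("HAT token failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _prf(nonce, len(ct)))).decode()


def rewrite_response(body):
    """Response side: rewrite every internal URL in the body to the external form."""
    def to_external(m):
        return (f"https://{EXTERNAL_HOST}/{MARK}/{encrypt_host(m.group(1))}"
                f"{m.group(2) or '/'}")
    return INTERNAL_URL.sub(to_external, body)


def route_request(path):
    """Request side: map an external path back to (internal host, internal path)."""
    m = re.match(rf"^/{MARK}/([A-Za-z0-9_\-]+)(/.*)$", path)
    if not m:
        raise ValueError("not a translated path")
    return decrypt_host(m.group(1)), m.group(2)
```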

Connecting directly to an application

Forefront UAG uses a feature known as application-specific host headers to allow users to connect directly to a specific Web application, rather than accessing the application via a Forefront UAG portal. This feature provides an alternative to the host address translation (HAT) mechanism. When the Forefront UAG server receives a request for an application-specific host name, it performs authentication, and then automatically opens the required application, bypassing the Forefront UAG portal home page. Note that this option requires end users to remember the public host name for each application that is published directly. Note the following design requirements:

  1. The application-specific host name must be resolvable by a public DNS server.

  2. The application host name should resolve to the same IP address as the public host name of the trunk via which the application is published.

  3. The public host name of the application must be in or above the domain-level namespace of the portal’s public host name.

  4. In HTTPS trunks, it is recommended that both the public host name of the trunk and the public host name of the application are included on the server certificate used by the trunk. Alternatively, you can use a wildcard certificate. You can also use names that do not match the certificate; in this case, ignore the certificate warning that appears during trunk configuration. If names do not match, connecting endpoints are presented with a browser warning that there might be a problem with the Web site’s security certificate, and users must choose to continue in order to access the site.
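A pre-deployment check for the four design requirements above, as an added example that is not from this page or from Forefront UAG: it resolves each application-specific host name, compares the address with the trunk's, verifies the namespace rule, and tests the name against the certificate's subject alternative names (including one-label wildcards). The trunk values, the SAN list and the DNS table are constructed stand-ins for public DNS and a real certificate.

```python
# Constructed trunk, certificate SAN list and DNS table standing in for public
# DNS; hypothetical values, not UAG's configuration model.
TRUNK = {"public_host": "portal.contoso.com", "ip": "203.0.113.10",
         "cert_sans": ["portal.contoso.com", "owa.contoso.com"]}
DNS = {"portal.contoso.com": "203.0.113.10",
       "owa.contoso.com": "203.0.113.10",
       "crm.contoso.com": "203.0.113.11",
       "files.hr.contoso.com": "203.0.113.10"}


def cert_covers(name, sans):
    """Exact SAN match, or a wildcard covering exactly one left-most label."""
    name = name.lower()
    for san in (s.lower() for s in sans):
        if san == name:
            return True
        if san.startswith("*.") and "." in name and name.split(".", 1)[1] == san[2:]:
            return True
    return False


def in_or_above(app_host, portal_host):
    """Requirement 3: the application's domain is the portal's parent domain
    (portal.contoso.com -> contoso.com) or an ancestor of it."""
    if "." not in app_host or "." not in portal_host:
        return False
    portal_domain = portal_host.split(".", 1)[1].lower()
    app_domain = app_host.split(".", 1)[1].lower()
    return portal_domain == app_domain or portal_domain.endswith("." + app_domain)


def check_app_host(app_host, trunk=TRUNK, dns=DNS):
    """Return the requirements the host name violates; an empty list means OK."""
    problems = []
    ip = dns.get(app_host.lower())
    if ip is None:
        problems.append("not resolvable in public DNS")
    elif ip != trunk["ip"]:
        problems.append(f"resolves to {ip} but the trunk listens on {trunk['ip']}")
    if not in_or_above(app_host, trunk["public_host"]):
        problems.append("outside the portal's domain namespace")
    if not cert_covers(app_host, trunk["cert_sans"]):
        problems.append("not in the trunk certificate: browsers will warn")
    return problems
```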

Connecting to arrays and single servers

When multiple Forefront UAG servers are deployed in an array, the same trunks are configured on each array member.

Endpoints connect to single servers and arrays as follows:

  • Connecting to a single Forefront UAG server—If you have a single Forefront UAG server, each trunk on the server must have a public host name, and a unique combination of public IP address and port number. When a user connects to the trunk portal by entering the public host name in the endpoint browser, the name must be resolvable by a public DNS server to the IP address of the trunk. To create multiple portals, you must either have multiple public IP addresses, or the same IP address and a different port on which to receive requests for the second portal.

  • Connecting to an array of Forefront UAG servers—If multiple Forefront UAG servers are deployed in an array, all array members share the same trunks. If load balancing is enabled on the array, each trunk requires a unique virtual IP address (VIP). The IP address must be resolvable by a public DNS server, so that when a user specifies the public host name of the portal in the endpoint browser, it resolves to the correct portal VIP address. You can only use the same VIP address for multiple trunks if each trunk is listening for endpoint requests on a different port. If you do not enable load balancing on the array, each trunk must have a unique public IP address and port combination, as required for a single server.