After using the Forefront Unified Access Gateway (UAG) Add Application Wizard to publish an application directly or via a portal, you can modify and configure the settings of published applications. This topic provides a summary of the application properties and settings.

• General tab
  
  
• Web Servers tab
  
  
• Server Settings tab
  
  
• Web Settings tab
  
  
• Client Settings tab
  
  
• Web Server Security tab
  
  
• Cookie Encryption tab
  
  
• Endpoint Policy tab
  
  
• Download/Upload tab
  
  
• Authorization tab
  
  
• Portal Link tab
  
  

General tab

Name

Configure the name used to identify the application in the trunk.

Prerequisite applications

Specify the application that must be running in order for the published application to run. This setting applies only to client/server and legacy applications published in portal trunks. Forefront Unified Access Gateway (UAG) automatically launches prerequisite applications before starting a dependent application. For example, if an application requires a connection to an internal share, you can add a local drive mapping application that maps the required drive, and define it as a prerequisite application. The number of prerequisite applications available is indicated in Number of Prerequisite Applications.

Inactivity period

Define the inactivity period for the application. This setting is useful in monitoring application usage. When a user does not use the application for the time specified, an “application exited” message is sent to the Web Monitor. When a user resumes application use any “application accessed” message is sent. If the period is set to zero, the application is closed only when the user session ends.

Web Servers tab

IP/Host

Click IP/Host to identify the Web server with one or more IP addresses or DNS host names. Click Subnet to define the multiple IP addresses with a subnet and mask. Click Regular Expression to define multiple IP addresses using the Regex++ regular expression syntax to define the address range in Addresses. For example: [0—9A—Z—]+\.contoso\.com. When you use regular expressions, a corresponding rule is added in Forefront Threat Management Gateway (TMG), to allow traffic from the local host network (the Forefront UAG server) to any server in the Forefront TMG internal network, on the configured port.

Addresses

If you select IP/Host, double-click in the Addresses list to add a value.

Paths

If the Paths list appears, double-click in the list to specify the path of the published application. A path must start with a slash (/) character. You can specify regular expressions (using the Regex++ regular expression syntax) to define a path. Special characters should be preceded by the escape character ("\").

HTTP port; HTTPS port

Specify the port on which the application is published. To use the default port for the application type Auto. To enable all ports type All. To disable all ports leave the field empty.

Server Settings tab

Web Settings tab

Use single sign-on to send credentials to published applications

Select this setting to enable single sign-on using credentials presented by the user. When this check box is selected, and after users enter credentials that are valid for the application, users do not need to reauthenticate against the published application server, such as during portal logon. If this check box is selected, and authentication data is not validated by the application server, access is denied.

Select authentication servers

Select this setting to select the authentication servers against which user credentials will be evaluated for the published application server. To add an authentication server, click Add. In the Authentication and Authorization Servers dialog box, add the required servers.

Use Kerberos constrained delegation for single sign-on

Select this setting to specify Kerberos constrained delegation as the single-sign authentication method. In the Application box, enter the service principal name (SPN) of the application. If you use Kerberos constrained delegation, you can only select the 401 Request authentication method. Each instance of a service that uses Kerberos constrained delegation authentication must have an SPN defined for it, so that clients can identify that instance of the service on the network. The SPN is registered in the Active Directory Service-Principal-Name attribute of the Windows account under which the instance of the service is running. This means that the SPN is associated with the account under which the instance of the service specified by the SPN is running. When a service needs to authenticate to another service running on a specific computer, it uses that service's SPN to differentiate it from other services running on that computer. You can set the SPN explicitly, or you can use the wildcard *, for example: owa/*. If you use a wildcard, the addresses for all the servers of this application (defined in the Web Servers tab) must not be IP addresses but host names. (The wildcard is translated to each of the host names defined in the Web Servers tab.)

Note:
In a Forefront UAG array, the SPN should be registered on each array member.

401 request

Select to authenticate users to published Web applications using HTTP 401. If you select to use an HTTP 401 request, and you want to forward authentication using NLTM and not Basic, you must add a registry key, as follows: Click Start, and then type Regedit to open Registry Editor. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\. Right-click UrlFilter, click New, and then click Value. Add the string FullAuthPassthru as a DWORD value, and set it to 1.

Warning:
Serious problems may occur if you modify the registry incorrectly using the Registry Editor or another method. These problems may require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

HTML form

Select to authenticate users to published Web applications using an HTML form.

Both

Select to authenticate users with an HTTP 401 and an HTML form.

Verify URLs

Select this setting to inspect URL requests from the application against the URL inspection rules configured for the application-type. Application-type settings are configured on the URL Set tab of the trunk properties. If you do not select Verify URLs, URL inspection is disabled for the specific application only. Application requests are still checked against general rules, such as internal site rules. To completely disable URL inspection, you must enable Debug Mode on the General tab of the trunk properties.

Evaluate without enforcement

Select this setting to specify that URL requests from the application will be inspected against URL inspection rules for this application rule, but not enforced. When this check box is selected, if a request is not accepted by one of the application rules, the failure is logged in the security log, but the request is allowed.

Allow data using WebDAV methods

Select this setting to allow browsers to send HTTP data to the application, in requests that use WebDAV methods.

Check XML data integrity

Select this setting to inspect XML integrity in the HTTP data.

Apply URL character rules

Select this method to verify URLs against the URL character rules configured for the application-type. Application-type settings are configured on the URL Inspection tab of the trunk properties.

Use user-dependent variables

Select this setting if any of the application's URLs use variables.

Allow POST requests without a content-type handler

Select this setting to specify that HTTP POST requests without a content-type header will be handled. If this check box is not selected, such requests are rejected.

Ignore predefined URL list in session timeout calculation

Select this setting to specify that for each out-of-the-box application type, Forefront UAG automatically configures a list of application-aware URLs that will be ignored in the calculation of the inactive session timeout. The list can be edited on the Global URL Settings tab of the trunk properties.

Client Settings tab

Socket Forward Mode: Disabled

Select to indicate that the Socket Forwarding component is not used with the application.

Socket Forward Mode: Bind tunnel to client executable

Select this setting to restrict client endpoint access to the server IP addresses and ports of the application to the processes or processes you define in the Client Executable list.

Allow data using WebDAV methods

Select this setting to allow browsers to send HTTP data to the application, in requests that use WebDAV methods.

Check XML data integrity

Select this setting to inspect XML integrity in the HTTP data.

Apply URL character rules

Select this method to verify URLs against the URL character rules configured for the application-type. Application-type settings are configured on the URL Inspection tab of the trunk properties.

Use user-dependent variables

Select this setting if any of the application's URLs use variables.

Allow POST requests without a content-type handler

Select this setting to specify that HTTP POST requests without a content-type header will be handled. If this check box is not selected, such requests are rejected.

Ignore predefined URL list in session timeout calculation

Select this setting to specify that for each out-of-the-box application type, Forefront UAG automatically configures a list of application-aware URLs that will be ignored in the calculation of the inactive session timeout. The list can be edited on the Global URL Settings tab of the trunk properties.

Web Server Security tab

Activate smuggling protection

Enable to protect the application against HTTP request smuggling attacks, by blocking requests if the following conditions apply:

• The method is POST.
  
  
• The content-type is not listed in the content-type list.
  
  
• The length is greater than the specified maximum length.
  
  

This option should be enabled only for servers that are vulnerable to HRS attacks. If you enable this option when it is not required, applications may not behave as expected.

Content Types

Specify content-types that are allowed. POST requests of content-types that are not listed are blocked if they are greater than the size defined in Maximum HTTP body.

Maximum HTTP body

Specify the maximum size of a POST request. Requests larger than the specified maximum are blocked.

Cookie Encryption tab

Enable cookie encryption

Select to enable cookie encryption.

Exclude

Select to specify that only Set-Cookie headers specified in the per-application cookie list will be encrypted.

Include

Select to specify that only Set-Cookie headers specified in the per-application cookie list will be encrypted. Note that encrypted cookie names and values are decrypted by Forefront UAG when they are returned by the browser in the cookie header. If the cookie encryption process encounters problems when a remote user requests a page, the cookie header in the request is blocked and not forwarded to the server.

Endpoint Policy tab

Access policy

Specify the access policy with which endpoints must comply in order to access the published application.

Upload policy

Specify the access policy with which endpoints must comply in order to upload files associated with the published application.

Download policy

Specify the access policy with which endpoints must comply in order to download files associated with the published application.

Restricted zone policy

Specify the access policy with which endpoints must comply in order to access restricted zones for the published application, if restricted zones are defined.

Download/Upload tab

Identify by URLs

Select this setting to specify that URLs should be identified by checking against the Download URL or Upload URL lists. These lists can be viewed and modified in the Global URL Settings tab of the trunk properties.

Identify by extensions

Select to specify that URLs should be identified by checking file extensions.

Identify by extensions: Exclude

Select to specify that only file extensions listed are allowed when an endpoint policy is enforced.

Identify by extensions: Include

Select to specify that the file extensions listed are blocked. Note that extensions should not include the preceding dot (.). For example, you should specify exe and not .exe. To allow or block uploading or downloading of files without an extension, specify no ext in the relevant extension list. Ensure that for extensions in the list, the association between the extensions and content-types is the same on Forefront UAG as on the application server.

Unknown content-type

Specify the unknown content type settings of an application. This is required to block downloads by extension.

Identify by size

Select to specify that URLs should be identified based on the size of transfer data. Specify a size limit in kilobytes. Note that HTTP GET requests are treated as downloads. HTTP POST and PUT requests are treated as uploads.

Authorization tab

Authorize all users

Leave this default setting selected to specify that all users authenticated for portal access can access the application. To specify that only specific users and groups can access an application in the portal, clear the check box.

Add

If the Authorize all users setting is cleared, click Add. On the Select Users and Groups dialog box, in Look in, select the user and group repository server. In the Users and Groups list, select the required user or group, and then click Add. Select the group and click the Allow, View, or Deny columns to set the application authorization permission for the user or group.

Save as Local Group

Select to save the user or group defined on the repository server as a local group.

Portal Link tab

Add portal and toolbar link

Select to specify that a link to the application appears on the default portal homepage and toolbar.

Portal application

Specify the name of the application as it appears on the default homepage and toolbar.

Folder

Specify a folder or subfolder on the portal homepage from which users can access the application. This enables you to group a number of applications under one folder. For example, you can create a folder called DriveMappings and place all Local Drive Mapping applications under it. Only the DriveMappings folder will be visible on the portal homepage. Specify the same folder information for all applications that will reside under the folder. If there are no subfolders, specify only the folder name. For a subfolder, use the format: folder/subfolder A/subfolder B. The name of the root folder in the folder structure is the name of the Forefront UAG portal application, as defined in the Portal application name box. The folder structure is not retained in the Forefront UAG toolbar.

Portal application

Specify the name of the application as it appears on the default homepage and toolbar.

Application URL

Specify the internal entry link URL from the portal to the application. You must specify an absolute URL. For example, https://www.fabrikam.com.

Icon URL

Specify the location of the icon representing the application. The icon is displayed together with the application name in the portal.

Short description/description

Specify more information about the application. The descriptions are displayed adjacent to the application name in the portal.

Startup page

Specify a page to assign to the application. The startup page contains functionality you want to assign to the application, in addition to the default functionality enabled by Forefront UAG. When this setting is enabled, the defined page is included by the default application startup page, and operations defined in the page are implemented at the beginning of the application startup process. Default application startup for all applications is set in the StartApp.asp page, located in the \Microsoft Forefront Unified Access Gateway\von\InternalSite folder. When you select the Startup page check box, this page redirects the user to the appropriate server, according to the definitions of the repository against which the user authenticated when accessing the application. The "notes" page is located in the following location: \Microsoft Forefront Unified Access Gateway\von\InternalSite\Inc. Place your own page in the following location: \Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate\.The file extension must be .inc. For example, \Microsoft Forefront Unified Access Gateway\von\InternalSite\Inc\CustomUpdate\MyPage.inc.

Open in new window

Select to specify that the application opens in a new window.

Application supported on

Select the type of device on which the link is displayed. This setting applies only to Web applications.

Allow rich clients to bypass trunk authentication

Select this setting to allow rich client applications that cannot use the session authentication method configured for the trunk to authenticate directly with the authentication server used by the backend published application (this is the authentication server that is configured on the Web Settings tab of the application properties.

Portal link on clients that do not comply with the application access policy

Select Grayed to specify that the application link should be unavailable, or select Invisible to specify that the application link should not be shown for these client endpoints.

---

Copyright © 2010 by Microsoft Corporation. All rights reserved.