After using the Forefront Unified Access Gateway (UAG) Add Application Wizard to publish an application directly or via a portal, you can modify and configure the settings of published applications. This topic provides a summary of the application properties and settings.
- General tab
- Web Servers tab
- Server Settings tab
- Web Settings tab
- Client Settings tab
- Web Server Security tab
- Cookie Encryption tab
- Endpoint Policy tab
- Download/Upload tab
- Authorization tab
- Portal Link tab
General tab
Configure the name used to identify the application in the trunk, and specify prerequisite applications that must be running, in order to run the application.
- Name
- Configure the name used to identify the application in the trunk.
- Prerequisite applications
- Specify the application that must be running in order for the published application to run. This setting applies only to client/server and legacy applications published in portal trunks. Forefront Unified Access Gateway (UAG) automatically launches prerequisite applications before starting a dependent application. For example, if an application requires a connection to an internal share, you can add a local drive mapping application that maps the required drive, and define it as a prerequisite application. The number of prerequisite applications available is indicated in Number of Prerequisite Applications.
- Inactivity period
- Define the inactivity period for the application. This setting is useful in monitoring application usage. When a user does not use the application for the time specified, an “application exited” message is sent to the Web Monitor. When a user resumes application use, an “application accessed” message is sent. If the period is set to zero, the application is closed only when the user session ends.
Web Servers tab
On the Web Servers tab, configure the settings for built-in services, Web applications, and browser-embedded applications, published in a portal.
- IP/Host
- Click IP/Host to identify the Web server with one or more IP addresses or DNS host names. Click Subnet to define multiple IP addresses with a subnet and mask. Click Regular Expression to define multiple IP addresses using the Regex++ regular expression syntax to define the address range in Addresses. For example: [0-9A-Z-]+\.contoso\.com. When you use regular expressions, a corresponding rule is added in Forefront Threat Management Gateway (TMG), to allow traffic from the local host network (the Forefront UAG server) to any server in the Forefront TMG internal network, on the configured port.
- Addresses
- If you select IP/Host, double-click in the Addresses list to add a value.
- Paths
- If the Paths list appears, double-click in the list to specify the path of the published application. A path must start with a slash (/) character. You can specify regular expressions (using the Regex++ regular expression syntax) to define a path. Special characters should be preceded by the escape character ("\").
- HTTP port; HTTPS port
- Specify the port on which the application is published. To use the default port for the application, type Auto. To enable all ports, type All. To disable all ports, leave the field empty.
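The address and path entries above are regular expressions, and two details matter for a safe configuration: the pattern must be anchored so that a longer host name that merely contains the pattern is not accepted, and a path entry must start with a slash with any special characters escaped. The following added example (not code from the product or the original page) models those checks with Python's re module; Forefront UAG itself uses the Regex++ syntax, which behaves the same for the simple character-class patterns shown here. Anchored (full) matching of paths is an assumption for illustration.

```python
import re


def address_matches(pattern: str, host: str) -> bool:
    """Match a host name against a Regular Expression address entry.

    fullmatch anchors the pattern at both ends, so a name such as
    'MAIL-01.contoso.com.attacker.example' does not satisfy a pattern
    that was meant for '*.contoso.com' hosts only.
    """
    return re.fullmatch(pattern, host) is not None


def compile_path(path_pattern: str) -> "re.Pattern":
    """Validate and compile a Paths entry: the page requires a leading '/'."""
    if not path_pattern.startswith("/"):
        raise ValueError(f"path {path_pattern!r} must start with a slash (/)")
    return re.compile(path_pattern)


def path_matches(path_pattern: str, request_path: str) -> bool:
    """Anchored match of a request path against a Paths entry (anchoring assumed)."""
    return compile_path(path_pattern).fullmatch(request_path) is not None


# The page's own address example, written with hyphens inside the character class.
# Note that [0-9A-Z-] matches upper-case letters only; a lower-case host name
# such as 'mail-01.contoso.com' will not match this pattern.
HOST_PATTERN = r"[0-9A-Z-]+\.contoso\.com"

# Constructed sample entries for a demonstration run.
SAMPLE_HOSTS = [
    "MAIL-01.contoso.com",                   # matches
    "mail-01.contoso.com",                   # lower case: no match
    "MAIL-01.contoso.com.attacker.example",  # longer name: no match when anchored
]


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host}: {address_matches(HOST_PATTERN, host)}")
    # The '.' in v1.0 is escaped so it does not act as a wildcard.
    print(path_matches(r"/app/v1\.0/.*", "/app/v1.0/index.aspx"))
```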
Server Settings tab
On the Server Settings tab, configure the server settings for non-Web applications published in a portal. Server settings vary, depending on the application. For application-specific information, see Server settings reference (non-Web applications).
Web Settings tab
On the Web Settings tab, specify how remote user credentials are forwarded to application servers that require user authentication.
- Use single sign-on to send credentials to published applications
- Select this setting to enable single sign-on using credentials presented by the user. When this check box is selected, and after users enter credentials that are valid for the application, users do not need to reauthenticate against the published application server, such as during portal logon. If this check box is selected, and authentication data is not validated by the application server, access is denied.
- Select authentication servers
- Select this setting to select the authentication servers against which user credentials will be evaluated for the published application server. To add an authentication server, click Add. In the Authentication and Authorization Servers dialog box, add the required servers.
- Use Kerberos constrained delegation for single sign-on
- Select this setting to specify Kerberos constrained delegation as the single sign-on authentication method. In the Application box, enter the service principal name (SPN) of the application. If you use Kerberos constrained delegation, you can only select the 401 Request authentication method. Each instance of a service that uses Kerberos constrained delegation authentication must have an SPN defined for it, so that clients can identify that instance of the service on the network. The SPN is registered in the Active Directory Service-Principal-Name attribute of the Windows account under which the instance of the service is running. This means that the SPN is associated with the account under which the instance of the service specified by the SPN is running. When a service needs to authenticate to another service running on a specific computer, it uses that service's SPN to differentiate it from other services running on that computer. You can set the SPN explicitly, or you can use the wildcard *, for example: owa/*. If you use a wildcard, the addresses for all the servers of this application (defined in the Web Servers tab) must not be IP addresses but host names. (The wildcard is translated to each of the host names defined in the Web Servers tab.)
Note: In a Forefront UAG array, the SPN should be registered on each array member.
- 401 request
- Select to authenticate users to published Web applications using HTTP 401. If you select to use an HTTP 401 request, and you want to forward authentication using NTLM and not Basic, you must add a registry key, as follows: Click Start, and then type Regedit to open Registry Editor. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\. Right-click UrlFilter, click New, and then click Value. Add the string FullAuthPassthru as a DWORD value, and set it to 1.
Warning: Serious problems may occur if you modify the registry incorrectly using the Registry Editor or another method. These problems may require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
- HTML form
- Select to authenticate users to published Web applications using an HTML form.
- Both
- Select to authenticate users with an HTTP 401 and an HTML form.
- Verify URLs
- Select this setting to inspect URL requests from the application against the URL inspection rules configured for the application-type. Application-type settings are configured on the URL Set tab of the trunk properties. If you do not select Verify URLs, URL inspection is disabled for the specific application only. Application requests are still checked against general rules, such as internal site rules. To completely disable URL inspection, you must enable Debug Mode on the General tab of the trunk properties.
- Evaluate without enforcement
- Select this setting to specify that URL requests from the application will be inspected against the URL inspection rules for this application, but not enforced. When this check box is selected, if a request is not accepted by one of the application rules, the failure is logged in the security log, but the request is allowed.
- Allow data using WebDAV methods
- Select this setting to allow browsers to send HTTP data to the application, in requests that use WebDAV methods.
- Check XML data integrity
- Select this setting to inspect XML integrity in the HTTP data.
- Apply URL character rules
- Select this method to verify URLs against the URL character rules configured for the application-type. Application-type settings are configured on the URL Inspection tab of the trunk properties.
- Use user-dependent variables
- Select this setting if any of the application's URLs use variables.
- Allow POST requests without a content-type handler
- Select this setting to specify that HTTP POST requests without a content-type header will be handled. If this check box is not selected, such requests are rejected.
- Ignore predefined URL list in session timeout calculation
- Select this setting to specify that for each out-of-the-box application type, Forefront UAG automatically configures a list of application-aware URLs that will be ignored in the calculation of the inactive session timeout. The list can be edited on the Global URL Settings tab of the trunk properties.
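The Kerberos constrained delegation item above states that a wildcard SPN such as owa/* is translated to one SPN per host name on the Web Servers tab, and that none of those addresses may be an IP address. The following added example (not the product's own code) performs that translation and the pre-check as a configuration review step; the function names and the sample host names are constructed for illustration.

```python
import ipaddress
from typing import List


def is_ip_address(address: str) -> bool:
    """True when a Web Servers entry is an IP literal rather than a host name."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False


def expand_spn(spn: str, web_server_addresses: List[str]) -> List[str]:
    """Resolve the SPN entered in the Application box to the SPNs that will be used.

    An explicit SPN is used as-is.  A wildcard SPN ('service/*') is expanded to
    one SPN per Web Servers address, so every address must be a host name; an
    IP address would produce a meaningless SPN and the delegation would fail.
    This validation is an assumed pre-check, not Forefront UAG's own logic.
    """
    service, separator, host = spn.partition("/")
    if not separator or not service or not host:
        raise ValueError(f"SPN {spn!r} must have the form service/host")
    if host != "*":
        return [spn]
    if not web_server_addresses:
        raise ValueError("a wildcard SPN needs at least one Web Servers address")
    ip_entries = [a for a in web_server_addresses if is_ip_address(a)]
    if ip_entries:
        raise ValueError(
            "wildcard SPN requires host names on the Web Servers tab; "
            f"IP addresses found: {ip_entries}"
        )
    return [f"{service}/{address}" for address in web_server_addresses]


if __name__ == "__main__":
    # Constructed sample: two host names published for one OWA application.
    addresses = ["mail1.contoso.com", "mail2.contoso.com"]
    for expanded in expand_spn("owa/*", addresses):
        print(expanded)
```

In an array deployment, remember the note above: each expanded SPN still has to be registered for every array member's service account.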
Client Settings tab
On the Client Settings tab, for client/server, legacy, and browser-embedded applications published in a portal, you can specify how the Forefront UAG Socket Forwarding component is activated on client endpoints.
- Socket Forward Mode: Disabled
- Select to indicate that the Socket Forwarding component is not used with the application.
- Socket Forward Mode: Bind tunnel to client executable
- Select this setting to restrict client endpoint access to the server IP addresses and ports of the application to the process or processes you define in the Client Executable list.
Web Server Security tab
On the Web Server Security tab, configure settings to protect applications against HTTP request smuggling (HRS). Note that you cannot configure HRS for client/server and legacy applications.
- Activate smuggling protection
- Enable to protect the application against HTTP request smuggling attacks, by blocking requests if the following conditions apply:
  - The method is POST.
  - The content-type is not listed in the content-type list.
  - The length is greater than the specified maximum length.
- Content Types
- Specify content-types that are allowed. POST requests of content-types that are not listed are blocked if they are greater than the size defined in Maximum HTTP body.
- Maximum HTTP body
- Specify the maximum size of a POST request. Requests larger than the specified maximum are blocked.
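The three conditions listed for smuggling protection combine: a request is blocked only when it is a POST, its content-type is not in the Content Types list, and its body exceeds Maximum HTTP body. The following added example (not code from the page or the product) implements that decision over a constructed set of requests so the combination is easy to check; the handling of a Content-Type header that carries parameters (for example a charset) and of a missing header is an assumption made for the example.

```python
from typing import Iterable, List, Optional


def normalize_content_type(header_value: Optional[str]) -> str:
    """Reduce 'text/xml; charset=utf-8' to 'text/xml' for list comparison.

    Assumption: the Content Types list holds bare media types, so header
    parameters are dropped before comparing.  A missing header becomes ''.
    """
    if header_value is None:
        return ""
    return header_value.split(";", 1)[0].strip().lower()


def smuggling_protection_blocks(
    method: str,
    content_type: Optional[str],
    body_length: int,
    allowed_content_types: Iterable[str],
    max_http_body: int,
) -> bool:
    """Apply the Web Server Security tab conditions.

    All three must hold for the request to be blocked: POST method,
    content-type not in the allowed list, body larger than the maximum.
    """
    if method.upper() != "POST":
        return False
    allowed = {normalize_content_type(t) for t in allowed_content_types}
    if normalize_content_type(content_type) in allowed:
        return False
    return body_length > max_http_body


# Constructed sample configuration and requests (not taken from a real trunk).
ALLOWED_TYPES = ["application/x-www-form-urlencoded", "text/xml"]
MAX_BODY = 65536

SAMPLE_REQUESTS = [
    ("POST", "application/octet-stream", 70000),  # unlisted type and oversized: blocked
    ("POST", "text/xml; charset=utf-8", 70000),   # listed type: size limit not applied
    ("POST", "application/octet-stream", 1024),   # unlisted type but within limit
    ("GET", "application/octet-stream", 70000),   # not a POST
    ("POST", None, 70000),                        # header missing: treated as unlisted
]


def evaluate_samples() -> List[bool]:
    """Return the block decision for each constructed sample request."""
    return [
        smuggling_protection_blocks(method, ctype, length, ALLOWED_TYPES, MAX_BODY)
        for method, ctype, length in SAMPLE_REQUESTS
    ]


if __name__ == "__main__":
    for request, blocked in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(request, "->", "blocked" if blocked else "allowed")
```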
Cookie Encryption tab
On the Cookie Encryption tab, specify that all Set-Cookie headers will be encrypted, except for those defined in the global and per-application cookie lists.
- Enable cookie encryption
- Select to enable cookie encryption.
- Exclude
- Select to specify that only Set-Cookie headers specified in the per-application cookie list will be encrypted.
- Include
- Select to specify that only Set-Cookie headers specified in the per-application cookie list will be encrypted. Note that encrypted cookie names and values are decrypted by Forefront UAG when they are returned by the browser in the cookie header. If the cookie encryption process encounters problems when a remote user requests a page, the cookie header in the request is blocked and not forwarded to the server.
Endpoint Policy tab
On the Endpoint Policy tab, specify the conditions with which remote client endpoints must comply in order to access the published application.
- Access policy
- Specify the access policy with which endpoints must comply in order to access the published application.
- Upload policy
- Specify the access policy with which endpoints must comply in order to upload files associated with the published application.
- Download policy
- Specify the access policy with which endpoints must comply in order to download files associated with the published application.
- Restricted zone policy
- Specify the access policy with which endpoints must comply in order to access restricted zones for the published application, if restricted zones are defined.
Download/Upload tab
On the Download/Upload tab, apply a download or upload policy for published applications. You can specify the method by which Forefront UAG identifies URLs to enforce a download or upload policy. Note that if none of the options in the Download/Upload tab are selected, no downloads or uploads will be blocked, regardless of the download or upload policies for the applications.
- Identify by URLs
- Select this setting to specify that URLs should be identified by checking against the Download URL or Upload URL lists. These lists can be viewed and modified in the Global URL Settings tab of the trunk properties.
- Identify by extensions
- Select to specify that URLs should be identified by checking file extensions.
- Identify by extensions: Exclude
- Select to specify that only file extensions listed are allowed when an endpoint policy is enforced.
- Identify by extensions: Include
- Select to specify that the file extensions listed are blocked. Note that extensions should not include the preceding dot (.). For example, you should specify exe and not .exe. To allow or block uploading or downloading of files without an extension, specify no ext in the relevant extension list. Ensure that for extensions in the list, the association between the extensions and content-types is the same on Forefront UAG as on the application server.
- Unknown content-type
- Specify the unknown content type settings of an application. This is required to block downloads by extension.
- Identify by size
- Select to specify that URLs should be identified based on the size of transfer data. Specify a size limit in kilobytes. Note that HTTP GET requests are treated as downloads. HTTP POST and PUT requests are treated as uploads.
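The Identify by extensions and Identify by size rules above carry several details that are easy to get wrong: extensions are listed without the leading dot, the token no ext stands for files with no extension, Exclude allows only the listed extensions while Include blocks them, GET requests count as downloads, and POST and PUT count as uploads. The following added example (not the product's own code) encodes those rules as functions and exercises them on constructed URLs; the parsing of the extension from the URL path is an assumption made for the example.

```python
from typing import Iterable, Optional

NO_EXT = "no ext"  # the token the page says to list for files without an extension


def transfer_kind(method: str) -> Optional[str]:
    """GET requests are treated as downloads; POST and PUT as uploads."""
    m = method.upper()
    if m == "GET":
        return "download"
    if m in ("POST", "PUT"):
        return "upload"
    return None


def extension_of(url: str) -> str:
    """Extension of the last path segment, lower-cased, or NO_EXT when absent."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    _, dot, ext = name.rpartition(".")
    if not dot or not ext:
        return NO_EXT
    return ext.lower()


def blocked_by_extension(url: str, mode: str, listed: Iterable[str]) -> bool:
    """Exclude: block everything not listed.  Include: block what is listed.

    The page says entries carry no leading dot (exe, not .exe); a stray dot
    is tolerated here so that a mistyped entry does not silently never match.
    """
    entries = {e.strip().lower().lstrip(".") for e in listed}
    ext = extension_of(url)
    if mode == "exclude":
        return ext not in entries
    if mode == "include":
        return ext in entries
    raise ValueError(f"mode must be 'exclude' or 'include', got {mode!r}")


def blocked_by_size(size_bytes: int, limit_kb: int) -> bool:
    """Identify by size: the limit is entered in kilobytes."""
    return size_bytes > limit_kb * 1024


if __name__ == "__main__":
    # Constructed sample: an Include list that blocks executables and installers.
    for url in ["/files/setup.exe", "/files/report.pdf", "/files/README"]:
        print(url, "blocked" if blocked_by_extension(url, "include", ["exe", "msi"]) else "allowed")
```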
Authorization tab
On the Authorization tab, specify which users and groups can access the portal application. By default, all users who authenticate successfully to the portal can access all portal applications.
- Authorize all users
- Leave this default setting selected to specify that all users authenticated for portal access can access the application. To specify that only specific users and groups can access an application in the portal, clear the check box.
- Add
- If the Authorize all users setting is cleared, click Add. On the Select Users and Groups dialog box, in Look in, select the user and group repository server. In the Users and Groups list, select the required user or group, and then click Add. Select the group and click the Allow, View, or Deny columns to set the application authorization permission for the user or group.
- Save as Local Group
- Select to save the user or group defined on the repository server as a local group.
Portal Link tab
On the Portal Link tab, configure application links in a Forefront UAG portal. You can control the link format on the portal homepage for applications published in the portal. Note that portal link settings are only applied if you use the Forefront UAG default portal homepage.
- Add portal and toolbar link
- Select to specify that a link to the application appears on the default portal homepage and toolbar.
- Portal application
- Specify the name of the application as it appears on the default homepage and toolbar.
- Folder
- Specify a folder or subfolder on the portal homepage from which users can access the application. This enables you to group a number of applications under one folder. For example, you can create a folder called DriveMappings and place all Local Drive Mapping applications under it. Only the DriveMappings folder will be visible on the portal homepage. Specify the same folder information for all applications that will reside under the folder. If there are no subfolders, specify only the folder name. For a subfolder, use the format: folder/subfolder A/subfolder B. The name of the root folder in the folder structure is the name of the Forefront UAG portal application, as defined in the Portal application name box. The folder structure is not retained in the Forefront UAG toolbar.
- Application URL
- Specify the internal entry link URL from the portal to the application. You must specify an absolute URL. For example, https://www.fabrikam.com.
- Icon URL
- Specify the location of the icon representing the application. The icon is displayed together with the application name in the portal.
- Short description/description
- Specify more information about the application. The descriptions are displayed adjacent to the application name in the portal.
- Startup page
- Specify a page to assign to the application. The startup page contains functionality you want to assign to the application, in addition to the default functionality enabled by Forefront UAG. When this setting is enabled, the defined page is included by the default application startup page, and operations defined in the page are implemented at the beginning of the application startup process. Default application startup for all applications is set in the StartApp.asp page, located in the \Microsoft Forefront Unified Access Gateway\von\InternalSite folder. When you select the Startup page check box, this page redirects the user to the appropriate server, according to the definitions of the repository against which the user authenticated when accessing the application. The "notes" page is located in the following location: \Microsoft Forefront Unified Access Gateway\von\InternalSite\Inc. Place your own page in the following location: \Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate\. The file extension must be .inc. For example, \Microsoft Forefront Unified Access Gateway\von\InternalSite\Inc\CustomUpdate\MyPage.inc.
- Open in new window
- Select to specify that the application opens in a new window.
- Application supported on
- Select the type of device on which the link is displayed. This setting applies only to Web applications.
- Allow rich clients to bypass trunk authentication
- Select this setting to allow rich client applications that cannot use the session authentication method configured for the trunk to authenticate directly with the authentication server used by the backend published application (this is the authentication server that is configured on the Web Settings tab of the application properties).
- Portal link on clients that do not comply with the application access policy
- Select Grayed to specify that the application link should be unavailable, or select Invisible to specify that the application link should not be shown for these client endpoints.