In order for remote client endpoints to access internal applications and resources via a Forefront Unified Access Gateway (UAG) portal or Web site, Forefront UAG installs endpoint components on client endpoints. Different remote access features require different endpoint components. When a user first accesses the Forefront UAG site, Forefront UAG detects whether it can install the components on the endpoint, according to the endpoint prerequisites described in System requirements for Forefront UAG client devices. Forefront UAG installs the components in line with the system requirements for each component. On client endpoints that do not meet these prerequisites, the components are not installed. Endpoint components include:

Validating the identity of a proxy server

When validating the identity of a proxy server for client endpoint access, Forefront UAG endpoint components check the certificate revocation list (CRL). If the CRL check fails, Forefront UAG endpoint components notify the user that the CRL cannot be checked and disable client-side functionality.

Forefront UAG can verify that the CRL clients do not have a proxy server set explicitly (for example, the client uses automatic discovery with Web Proxy Automatic Discovery (WPAD) or a configuration script). The CRL check behavior is as follows:

  • The initial CRL check using WinHTTP is compliant with the WPAD method of automatic discovery.

  • If the CRL check using WinHTTP fails, components revert to using WinInet checking.

  • If browser settings are not configured to check the CRL, client components do not check it.

  • If the CRL check fails, the user is prompted to continue without checking the URL.

Note that if the CRL check confirms that the certificate is revoked, the end user is notified, and the client-side functionality is disabled.

The change in CRL checking behavior does not apply to offline installation of the client components. If customers want to use an offline installation, they must install the offline endpoint components.
Forefront UAG can detect client security applications by using the Windows Management Instrumentation (WMI) interface, in addition to the existing detection mechanism.