Overview of endpoint components

In order for remote client endpoints to access internal applications and resources via a Forefront Unified Access Gateway (UAG) portal or Web site, Forefront UAG installs endpoint components on client endpoints. Different remote access features require different endpoint components. When a user first accesses the Forefront UAG site, Forefront UAG detects whether it can install the components on the endpoint, according to the endpoint prerequisites described in System requirements for Forefront UAG client devices. Forefront UAG installs the components in line with the system requirements for each component. On client endpoints that do not meet these prerequisites, the components are not installed. Endpoint components include:

Endpoint Component Manager component—Downloads, installs, manages, and removes all the endpoint components. There are two versions of this component: ActiveX and Java Applet.
Endpoint Session Cleanup component—There are two versions of this component: ActiveX and Java Applet. For more information, see About the Endpoint Session Cleanup component.
Endpoint Detection component—There are two versions of this component: ActiveX and Java Applet. For more information, see Planning to implement endpoint access policies.
Non-Web tunneling components—These include:
- SSL Application Tunneling component—There are two versions of this component: ActiveX and Java Applet. In cases where the SSL Application Tunneling Active X component is not installed on an endpoint, when the endpoint attempts to access a non-Web application, the SSL Application Tunneling Java applet runs to enable access to the application. The Java applet provides SSL tunneling functionality only, and does not enable any of the other feature that are enabled by the endpoint components, such as client endpoint detection, Endpoint Session Cleanup, Socket Forwarding, or SSL Network Tunneling. For more information, see About SSL tunneling.
- Socket Forwarding component—For more information see About the Socket Forwarding component.
- SSL Network Tunneling component─For more information, see About SSL tunneling.
- Socket Forwarding Helper component—Used for support purposes.

Validating the identity of a proxy server

When validating the identity of a proxy server for client endpoint access, Forefront UAG endpoint components check the certificate revocation list (CRL). If the CRL check fails, Forefront UAG endpoint components notify the user that the CRL cannot be checked and disable client-side functionality.

Forefront UAG can verify that the CRL clients do not have a proxy server set explicitly (for example, the client uses automatic discovery with Web Proxy Automatic Discovery (WPAD) or a configuration script). The CRL check behavior is as follows:

The initial CRL check using WinHTTP is compliant with the WPAD method of automatic discovery.
If the CRL check using WinHTTP fails, components revert to using WinInet checking.
If browser settings are not configured to check the CRL, client components do not check it.
If the CRL check fails, the user is prompted to continue without checking the URL.

Note that if the CRL check confirms that the certificate is revoked, the end user is notified, and the client-side functionality is disabled.

Note:
The change in CRL checking behavior does not apply to offline installation of the client components. If customers want to use an offline installation, they must install the offline endpoint components.

Note:
Forefront UAG can detect client security applications by using the Windows Management Instrumentation (WMI) interface, in addition to the existing detection mechanism.