In order for remote client endpoints to access internal applications and resources via a Forefront Unified Access Gateway (UAG) portal or Web site, Forefront UAG installs endpoint components on client endpoints. Different remote access features require different endpoint components. When a user first accesses the Forefront UAG site, Forefront UAG detects whether it can install the components on the endpoint, according to the endpoint prerequisites described in System requirements for Forefront UAG client devices. Forefront UAG installs the components in line with the system requirements for each component. On client endpoints that do not meet these prerequisites, the components are not installed. Endpoint components include:
- Endpoint Component Manager component—Downloads, installs, manages, and removes all the endpoint components. There are two versions of this component: ActiveX and Java Applet.
- Endpoint Session Cleanup component—There are two versions of this component: ActiveX and Java Applet. For more information, see About the Endpoint Session Cleanup component.
- Endpoint Detection component—There are two versions of this component: ActiveX and Java Applet. For more information, see Planning to implement endpoint access policies.
- Non-Web tunneling components—These include:
  - SSL Application Tunneling component—There are two versions of this component: ActiveX and Java Applet. In cases where the SSL Application Tunneling ActiveX component is not installed on an endpoint, when the endpoint attempts to access a non-Web application, the SSL Application Tunneling Java applet runs to enable access to the application. The Java applet provides SSL tunneling functionality only, and does not enable any of the other features that are enabled by the endpoint components, such as client endpoint detection, Endpoint Session Cleanup, Socket Forwarding, or SSL Network Tunneling. For more information, see About SSL tunneling.
  - Socket Forwarding component—For more information, see About the Socket Forwarding component.
  - SSL Network Tunneling component—For more information, see About SSL tunneling.
  - Socket Forwarding Helper component—Used for support purposes.
Validating the identity of a proxy server
When validating the identity of a proxy server for client endpoint access, Forefront UAG endpoint components check the certificate revocation list (CRL). If the CRL check fails, Forefront UAG endpoint components notify the user that the CRL cannot be checked and disable client-side functionality.
Forefront UAG can check the CRL even for clients that do not have a proxy server set explicitly (for example, a client that uses automatic discovery with Web Proxy Automatic Discovery (WPAD) or a configuration script). The CRL check behavior is as follows:
- The initial CRL check uses WinHTTP and is compliant with the WPAD method of automatic discovery.
- If the CRL check using WinHTTP fails, the components revert to checking with WinInet.
- If the browser settings are not configured to check the CRL, the client components do not check it.
- If the CRL check fails, the user is prompted to continue without checking the CRL.
Note that if the CRL check confirms that the certificate is revoked, the end user is notified, and the client-side functionality is disabled.
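Because the CRL check path depends on how the client's proxy is configured (WinHTTP first, then WinInet, then the browser's own revocation setting), an administrator troubleshooting a "CRL cannot be checked" notification usually wants to see those settings side by side. The PowerShell function below is an added diagnostic example, not code from the Forefront UAG documentation or product. It assumes the standard WinInet registry locations under Internet Settings (ProxyEnable, ProxyServer, AutoConfigURL, CertificateRevocation, and the DefaultConnectionSettings flags blob) and uses netsh winhttp show proxy for the machine-wide WinHTTP setting; the function name is arbitrary.

```powershell
# Added example (not part of the Forefront UAG documentation): report how this
# Windows client's proxy and revocation-checking settings are configured, so an
# administrator can predict which path the UAG endpoint components' CRL check
# will take: WinHTTP first, then WinInet, then the browser's own CRL setting.
# Assumed: standard WinInet registry locations and 'netsh winhttp show proxy'.

function Get-ClientProxyMode {
    $ie   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $conn = Join-Path $ie 'Connections'
    $props = Get-ItemProperty -Path $ie -ErrorAction SilentlyContinue

    # An explicit proxy is set only when ProxyEnable is 1 and ProxyServer is non-empty.
    $explicit = ($props.ProxyEnable -eq 1) -and -not [string]::IsNullOrEmpty($props.ProxyServer)

    # A configuration (PAC) script is set through AutoConfigURL.
    $pac = -not [string]::IsNullOrEmpty($props.AutoConfigURL)

    # The "Automatically detect settings" (WPAD) checkbox is stored as flag 0x08
    # in byte 8 of the DefaultConnectionSettings binary value.
    $autoDetect = $false
    $blob = (Get-ItemProperty -Path $conn -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if ($blob -and $blob.Length -gt 8) {
        $autoDetect = ($blob[8] -band 0x08) -ne 0
    }

    # Internet Options > Advanced > "Check for server certificate revocation";
    # when this is off, the client components do not check the CRL.
    $browserChecksCrl = ($props.CertificateRevocation -eq 1)

    # WinHTTP keeps its own proxy setting, used by the initial CRL check.
    $winhttp = ((netsh winhttp show proxy) -join ' ').Trim()

    [pscustomobject]@{
        WinInetExplicitProxy = $explicit
        WinInetProxyServer   = $props.ProxyServer
        WinInetPacScript     = if ($pac) { $props.AutoConfigURL } else { $null }
        WinInetAutoDetect    = $autoDetect
        BrowserChecksCrl     = $browserChecksCrl
        WinHttpProxy         = $winhttp
    }
}

Get-ClientProxyMode | Format-List
```

Run it in the user's own session (the WinInet values are per-user under HKCU); a client that shows no explicit proxy but WinInetAutoDetect set to True is the WPAD case the text describes, and BrowserChecksCrl being False explains why the components skip the CRL check entirely rather than failing it.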
Note: The change in CRL checking behavior does not apply to offline installation of the client components. If customers want to use an offline installation, they must install the offline endpoint components.
Note: Forefront UAG can detect client security applications by using the Windows Management Instrumentation (WMI) interface, in addition to the existing detection mechanism.