When using Forefront Unified Access Gateway (UAG) and supporting non-Web applications over a secure sockets layer (SSL) connection, SSL tunneling causes the application traffic at the client endpoint to be overlaid with SSL encryption and tunneled to the SSL VPN gateway, that is, Forefront UAG. The SSL VPN gateway decrypts the traffic and sends the payload to the application server in the internal network. The Forefront UAG Socket Forwarding component add-on, which is based on Layered Service Provider and Named Service Provider technologies, can be used to support a wider variety of applications, such as supporting applications that jump ports, without the need to make changes to the running operating system. The Forefront UAG SSL Network Tunneling component can be used to provide full VPN access to the corporate network.
The SSL Application Tunneling component tunnels application traffic through SSL using one of the following relay types:
- Simple relay—Opens a port on the client endpoint, and tunnels the TCP traffic to and from a specific port on the application server. Using this type of relay, to communicate with the application server, the application client on the endpoint must communicate through the locally opened port. The SSL Application Tunneling component makes changes, such as changes to the application client settings, Windows registry, or Windows hosts file, to enable the application client to communicate through this tunnel.
- HTTP Proxy and SOCKS Proxy relays—Opens a port on the client endpoint. The SSL Application Tunneling component acts as either an HTTP or a SOCKS proxy server, and it tunnels the HTTP or SOCKS traffic to and from the application server. Using this type of relay, the application client on the endpoint can communicate through the locally opened port with multiple servers and ports. The SSL Application Tunneling component makes changes, such as changes to the application client settings, Windows registry, or Windows hosts file, to enable the application client to communicate through this tunnel. This type of relay enables the SSL VPN proxy to request more than one server, thus enabling the support of dynamic ports.
  Note: In browsers where the Java applet is used, when multiple portals are open concurrently, only applications that are launched from the portal that was accessed first can listen on HTTP or SOCKS proxy ports. Users cannot launch applications that use HTTP proxy and SOCKS proxy relays from additional portals.
- Transparent relay—Automatically creates a relay between the client endpoint and the application server, for every application client on the endpoint that wants to communicate with the internal network. This type of relay is supported only by the Forefront UAG Socket Forwarding component and does not require any changes on the endpoint.
  Note: The Socket Forwarding component is an ActiveX component and can run only on Windows operating systems with Internet Explorer.
- SSL Network Tunneling component—This component supports full connectivity over a virtual transparent connection, and enables you to install, run, and manage remote connections, as if the endpoint were part of the corporate network. The SSL Network Tunneling component uses either the proprietary Forefront UAG Network Connector, or a standards-based approach using the Secure Socket Tunneling Protocol (SSTP). The operating system of the client endpoint and the type of the SSL Network Connector deployed on the server determine which type of SSL Network Tunneling component is used, as follows:
  - SSL Network Tunneling (Network Connector)—Used on client endpoints running the Windows XP and Windows Vista operating systems.
    Note: The SSL Network Tunneling (Network Connector) component can run only on Windows operating systems with Internet Explorer.
  - SSL Network Tunneling (SSTP)—Used on client endpoints running the Windows 7 operating system.
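The difference between the relay types above comes down to how the locally opened port learns where a connection should go. The following added example (written for this page; it is not Forefront UAG or Microsoft code, and the class names, hostnames and request bytes are constructed for illustration) models that decision: a simple relay always forwards to one pre-configured server and port, an HTTP proxy relay reads the destination from the client's `CONNECT host:port` request line, and a SOCKS proxy relay decodes it from the SOCKS5 CONNECT request, which is why the proxy relays can serve multiple servers and dynamic ports while the simple relay cannot.

```python
# Added example (not Forefront UAG code): how each SSL Application Tunneling
# relay type resolves the destination of a connection accepted on the client
# endpoint's local port. Sample requests below are constructed, not captured.
import socket
import struct


def parse_http_connect(request_line: bytes):
    """Return (host, port) from an HTTP proxy 'CONNECT host:port HTTP/1.1' line."""
    parts = request_line.strip().split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT":
        raise ValueError("not an HTTP CONNECT request")
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not port.isdigit():
        raise ValueError("CONNECT target must be host:port")
    return host.decode("ascii"), int(port)


def parse_socks5_connect(request: bytes):
    """Return (host, port) from a SOCKS5 CONNECT request (RFC 1928, section 4)."""
    # Layout: VER(1)=5 CMD(1)=1 RSV(1)=0 ATYP(1) DST.ADDR(variable) DST.PORT(2)
    if len(request) < 4 or request[0] != 5:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = request[1], request[3]
    if cmd != 1:
        raise ValueError("only CONNECT (0x01) is relayed")
    if atyp == 1:  # IPv4 address, 4 bytes
        host, end = socket.inet_ntoa(request[4:8]), 8
    elif atyp == 3:  # domain name, one length byte then the name
        n = request[4]
        host, end = request[5:5 + n].decode("ascii"), 5 + n
    elif atyp == 4:  # IPv6 address, 16 bytes
        host, end = socket.inet_ntop(socket.AF_INET6, request[4:20]), 20
    else:
        raise ValueError("unknown address type")
    if len(request) < end + 2:
        raise ValueError("truncated SOCKS5 request")
    (port,) = struct.unpack("!H", request[end:end + 2])
    return host, port


def build_socks5_connect(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request for a domain-name destination (ATYP=3)."""
    name = host.encode("ascii")
    return bytes([5, 1, 0, 3, len(name)]) + name + struct.pack("!H", port)


class SimpleRelay:
    """Simple relay: every connection goes to the one configured server:port."""
    def __init__(self, target_host: str, target_port: int):
        self.target = (target_host, target_port)

    def destination(self, _first_bytes: bytes):
        return self.target  # the client never names a destination


class HttpProxyRelay:
    """HTTP proxy relay: destination comes from the CONNECT request line."""
    def destination(self, first_bytes: bytes):
        return parse_http_connect(first_bytes.split(b"\r\n", 1)[0])


class SocksProxyRelay:
    """SOCKS proxy relay: destination comes from the SOCKS5 CONNECT request."""
    def destination(self, first_bytes: bytes):
        return parse_socks5_connect(first_bytes)


def demo():
    """Run constructed client requests through each relay type."""
    simple = SimpleRelay("app-server.corp.example", 3389)  # hypothetical host
    http_req = (b"CONNECT mail.corp.example:443 HTTP/1.1\r\n"
                b"Host: mail.corp.example:443\r\n\r\n")
    socks_req = build_socks5_connect("db.corp.example", 1433)
    return {
        "simple": simple.destination(b"any application bytes"),
        "http": HttpProxyRelay().destination(http_req),
        "socks": SocksProxyRelay().destination(socks_req),
    }


if __name__ == "__main__":
    for name, (host, port) in demo().items():
        print(f"{name:>6} relay -> {host}:{port}")
```

Because the proxy relays trust the destination named in each request, an endpoint administrator reviewing a deployment should treat the local proxy port as an entry point to every server the gateway is willing to reach, not just the single application it was published for.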
Note that if you are running XCompress on Forefront UAG, you must set the streaming optimization to "Low latency". You can automate the process by copying the file XCompress.js from the following location:
...\Microsoft Forefront Unified Access Gateway\von\conf\samples\CustomHooks
to the following location:
...\Microsoft Forefront Unified Access Gateway\common\bin\CustomHooks
Open the file you copied, and follow the instructions in the file to configure it for your system.
The following topics describe the endpoint components used for SSL connections: