The Forefront Unified Access Gateway (UAG) Endpoint Detection component is used to assess the compliance of an endpoint with the Forefront UAG endpoint policies. As soon as a user attempts to access the site, Forefront UAG attempts to determine which security components are installed and running on the endpoint. The Forefront UAG Endpoint Detection component, which is installed on the endpoint, verifies the identity of the Forefront UAG site against the site’s server certificate, and checks whether the site is on the user’s Trusted Sites list. Only if the site is trusted will the component run on the endpoint computer and collect the data that identifies which components are installed and running on the computer. When detection is not functional on an endpoint computer, access may be denied even though the endpoint might comply with the requirements of the policy. For example, if an application’s policy requires a running antivirus program, and such a program is already running on the computer, access to the application is still denied, because Forefront UAG cannot detect that the program is running on this computer.
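Because detection silently does not run when the site is not trusted, the first thing to verify on an endpoint that is unexpectedly denied access is the site's zone mapping. The following PowerShell function is an added troubleshooting check, not part of the Forefront UAG documentation or product: it reads the Internet Explorer ZoneMap registry keys (policy and user/machine locations) and reports whether a site host is mapped to Trusted Sites (zone 2). The URL is a constructed placeholder, and the key-layout handling is simplified to the common domain\subdomain form.

```powershell
# Added example (not Forefront UAG code): look up the IE security zone assigned to a URL's host.
# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
function Get-IEZoneForUrl {
    param([Parameter(Mandatory)][string]$SiteUrl)

    $uri    = [uri]$SiteUrl
    $labels = $uri.Host.ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { return $null }   # single-label hosts follow intranet rules, not ZoneMap

    $domain = $labels[-2..-1] -join '.'          # e.g. example.com
    $sub    = ''                                  # e.g. portal (empty when the host is the bare domain)
    if ($labels.Count -gt 2) { $sub = $labels[0..($labels.Count - 3)] -join '.' }

    # Locations consulted, Group Policy keys first. Each holds Domains\<domain>[\<sub>] with a value
    # named after the scheme (https, http) or '*' whose DWORD data is the zone number.
    $roots = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
             'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

    foreach ($root in $roots) {
        foreach ($container in 'Domains', 'EscDomains') {   # EscDomains applies when IE ESC is enabled
            $keys = @("$root\$container\$domain")
            if ($sub) { $keys = @("$root\$container\$domain\$sub") + $keys }
            foreach ($key in $keys) {
                if (-not (Test-Path $key)) { continue }
                $props = Get-ItemProperty -Path $key
                foreach ($name in $uri.Scheme, '*') {
                    $zone = $props.$name
                    if ($null -ne $zone) { return [int]$zone }
                }
            }
        }
    }
    return $null   # no explicit mapping: the site falls into the Internet or Intranet zone by default
}

# Constructed placeholder URL; replace with the real Forefront UAG portal address.
$zone = Get-IEZoneForUrl -SiteUrl 'https://portal.example.com'
if ($null -eq $zone) {
    'No ZoneMap entry found; add the site to Trusted Sites before expecting endpoint detection to run.'
} elseif ($zone -eq 2) {
    'Site is in Trusted Sites (zone 2); the Endpoint Detection component is allowed to run.'
} else {
    "Site is mapped to zone $zone, not Trusted Sites (2); endpoint detection will not run."
}
```

Run it in the context of the affected user, since HKCU mappings are per user; a mapping pushed by Group Policy shows up under the Policies keys first.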

Forefront UAG provides a default endpoint detection script (Detection.vbs). You can also create customized detection scripts.

Compliance with Forefront UAG endpoint policies is determined when a client endpoint computer first accesses the site. If settings on the client computer that affect compliance change after logon, the user must log on again for the change to take effect. When using NAP policies, enforcement is performed for the duration of the session.

For information about endpoint policies, see Planning to implement endpoint access policies.

Information collected from client endpoints

When endpoint detection is enabled on the client endpoint, the Endpoint Detection component collects the following information while the user works with the Forefront UAG site, in addition to identifying the settings and features present on the client endpoint:

  • Network domains—Domain Name System (DNS) and NetBIOS.

  • User information—User name and user type.

  • Certificates in “My certificate store”—Certificate issuer and certificate subject.

If required (for example, to comply with legal or corporate guidelines), you can configure Forefront UAG so that users are notified before the information is retrieved from their device, and are prompted to give their consent for the site to collect such information. You configure this setting by selecting the Prompt user before retrieving information from endpoint check box on the Endpoint Access Settings tab of the Advanced Trunk Configuration dialog box. On endpoints on which users do not give their consent, detection is not performed.