To enable a Forefront Unified Access Gateway (UAG) portal trunk for Active Directory Federation Services (AD FS) 2.0, you must configure the Forefront UAG portal trunk that publishes the applications for which you want to allow AD FS 2.0 access to use the AD FS 2.0 authentication server.

This topic describes how to create a Forefront UAG portal trunk for AD FS 2.0. The following procedure assumes that you have already defined an AD FS 2.0 authentication server.

To create a portal trunk with AD FS 2.0

  1. In the Forefront UAG Management console, right-click HTTPS Connections to create a trunk accessible over HTTPS. Then click New Trunk.

  2. On the Welcome to the Create Trunk Wizard page of the Create Trunk Wizard, click Next.

  3. On the Select Trunk Type page of the Create Trunk Wizard, click Portal trunk, and then click Next.

  4. On the Setting the Trunk page of the Create Trunk Wizard, do the following:

    1. In Trunk name, specify the name by which you want to identify the trunk. This name will be used as the name of the website that is created in IIS running on the Forefront UAG server. Each trunk name in HTTPS Connections must be unique. The trunk name cannot contain the public host name.

    2. In Public host name, specify the name or IP address that remote endpoints will use to access the portal site of the trunk. The host name must match the Secure Sockets Layer (SSL) certificate that you will use on this trunk.

    3. In IP address specify the IP address of the external website. In HTTPS port, you must use the default port of 443.

  5. On the Authentication page of the Create Trunk Wizard, select the AD FS 2.0 authentication server. Click Add to open the Authentication and Authorization Servers dialog box, select the AD FS 2.0 server that you previously created, and then click Select. Then on the Authentication page of the Create Trunk Wizard, click Next.

  6. On the Certificate page of the Create Trunk Wizard, select the server certificate that will be used to authenticate the Forefront UAG server to the remote endpoint. If the required server certificate does not appear in the list, click Launch Certificate Manager to open the Microsoft Management Console (MMC) which enables you to import the certificate into the IIS Certificate store.

    1. To import a certificate, in the MMC window, in the left pane, under Console Root, verify that Certificates (Local Computer) > Personal is selected.

    2. From the Action menu, click All Tasks, and then click Import.

    3. Follow the instructions in the Certificate Import Wizard.

    4. Close the MMC window.

  7. On the Endpoint Security page of the Create Trunk Wizard, control access to trunk sessions by selecting policies that allow or deny access, based on the health of client endpoints. Click Use Forefront UAG access policies to determine the health of endpoints using built-in Forefront UAG access policies. Click Use Network Access Protection (NAP) policies, to determine endpoint health using NAP policies downloaded from Network Policy Server (NPS) servers. Ensure that you have an NPS server configured before selecting this option.

    • If you selected to use Forefront UAG policies, on the Endpoint Policies page of the Create Trunk Wizard, select policies that define the minimum prerequisites for session access. In addition, apply a policy that defines the prerequisites for client endpoints defined as privileged.

    • If you selected to use NAP, on the NAP Policies page of the Create Trunk Wizard, select the NPS that provides NAP policies to be enforced for session access and for privileged endpoints. Select Deny access to endpoint devices that do not have NAP installed or running to specify that only endpoints compliant with NAP policy can access a trunk session. Select Use Forefront UAG endpoint policies when endpoints do not have NAP installed or running to specify that non-NAP compliant endpoints should be evaluated against Forefront UAG policies.

  8. On the Completing the Create Trunk Wizard page of the Create Trunk Wizard, click Finish.

    The URL of the federation metadata file is shown on this page of the wizard. The federation metadata file is not available until after you activate the configuration.

    An AD FS 2.0 application is automatically created. This application represents the AD FS 2.0 authentication repository.

  9. After completing the Create Trunk Wizard, in the Forefront UAG Management console, on the toolbar, click the Activate configuration icon, and then on the Activate configuration dialog box, click Activate.

    After successfully activating the configuration, the federation metadata file that is required for creating the relying party trust with the AD FS 2.0 server is created in the following folder: ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\ADFSv2Sites\<trunk_name>\FederationMetadata\2007-06. If the AD FS 2.0 server has access to the Internet, you can access the federation metadata file using the following URL: https://<Portal_FQDN>/InternalSite/ADFSv2Sites/<trunk_name>/FederationMetadata/2007-06/FederationMetadata.xml. You cannot access this URL on the internal network.

You can check the following items in your configuration:

  • Make sure that the federation metadata file was successfully created on the Forefront UAG server and that the AD FS 2.0 application was successfully added to the Forefront UAG trunk.

  • Make sure that the server address and the public host name are identical on the Web Servers tab of the Application Properties dialog box.

  • You can also check that the passive endpoints in the Paths box on the Web Servers tab correspond with the settings on the AD FS 2.0 server.

For troubleshooting information, see Troubleshooting Forefront UAG with AD FS 2.0 activation errors (

Next Steps