Identifying your endpoint access deployment goals

For the successful deployment of Forefront Unified Access Gateway (UAG), you must identify your endpoint access deployment goals correctly. This topic is designed to help you identify your endpoint access deployment goals. By identifying these goals, you can clearly pinpoint the endpoint access design requirements necessary to meet each goal. Depending on the size of your organization, implementing a solution might require the involvement of other IT staff, in addition to the infrastructure specialist or systems architect. You can take advantage of existing, documented, and predefined endpoint access deployment goals that are relevant to endpoint access designs, and develop a working solution for your endpoint access scenarios.

This topic describes the following predefined goals:

Providing remote access for employees—The primary goal for using Forefront UAG is to provide employees of your organization with secure remote access to applications and resources located on your internal network. This goal requires you to plan an authentication scheme for end users who access your portal, an authentication scheme for end users to connect to the published applications and resources, single sign-on (SSO) if required, and access policies to check the health of endpoints.

Within this goal are two possible scenarios: providing access for managed devices, and providing access for nonmanaged devices.

If you are providing access for employees using managed devices, you can use an authentication scheme that already exists within the organization. The authentication scheme may use smart cards, tokens, or certificates. When determining the health of the endpoint, you must ensure that the health checks that you perform, that is, the settings and features that you check using access policies, will accurately identify the endpoints as being managed or not managed.

When providing access for employees using nonmanaged devices, you must ensure that you can correctly identify the employee who is attempting to gain access to the internal applications and resources. To authenticate employees in this scenario, you may use a basic level of authentication to provide a minimal level of access. If the employee attempts to access restricted information, you can require them to provide further credentials. As you do not have control over the settings and features on the device, this may limit the thoroughness of the health checking performed on the device, which means that you can provide only a subset of functionality to these users. For example, if an end user on a managed device can download and save files stored on a SharePoint site, an end user accessing the same site from a nonmanaged device is not allowed to view the files.
Providing remote access for partners—If your organization works with partners, it may be necessary to provide individual employees or groups of employees from the partner organization with remote access to applications and resources from your organization. To implement this goal, you can use Active Directory Federation Services (AD FS) to provide the identity information of the partner employees to your organization.

If you are unable to use AD FS to identify the partner employees, you can use shadow accounts within your own Active Directory domains.

When providing access to partner employees who are not using devices managed by your organization, you must try to find a balance in the health checking that you perform. If you are too restrictive, partner employees who should have access to the resources and applications that you publish may not be able to access them. However, if you are not restrictive enough, partner employees may be able to access and distribute proprietary information.

Note:

It is recommended that you use a dedicated Forefront UAG trunk when publishing applications for partners.
Providing remote access for customers—Many companies must provide access to internal applications and resources to customers. For this goal, you should use or create a repository to store the customer identity information. When customers attempt to access the applications and resources that you publish, Forefront UAG authenticates the customer against this repository. Forefront UAG supports a variety of authentication schemes, or you can configure a user-defined authentication server.

To ensure that all of your customers can access the applications and resources that you publish, you should only perform generic health checking. You must also take care when defining the trunks and applications to ensure the integrity of your own network.