You can publish claims-based applications through Forefront Unified Access Gateway (UAG) that use an external federation service, such as the Windows Live ID service, instead of an organizational Active Directory Federation Services (AD FS) 2.0 server. To publish applications to use an external federation service, you should publish the application with identical internal and external URLs. If you do not use identical internal and external URLs, the application may be unreachable from inside your organization.

Do not use this procedure to publish SharePoint applications; instead, use Configuring SharePoint 2010 AAM applications with AD FS 2.0 or Configuring SharePoint 2007 AAM applications with AD FS 2.0.


  • The claims-based application must be configured as a relying party of the external federation service.

To publish a claims-based application with an external federation service

  1. In the Forefront UAG Management console, click the trunk through which that application will be published, and then in the Applications area, click Add.

  2. On the Select Application page of the Add Application wizard, click Web, and then in the list, select Other Web Application (application specific hostname).

  3. On the Configure Application page of the wizard, type an application name and application type.

  4. On the Web Servers page of the wizard, in Addresses type the internal FQDN of the application server, and in Public host name type the public facing name (the external name) of the application. It is recommended that you use matching internal and external URLs.

    Configure any other settings as required.

  5. If you cannot use identical internal and external URLs and the application uses the WS-Federation Authentication Module (FAM), configure the WREPLY parameter in the published application to be the same as the application’s external URL.

    1. On the application server, open the web.config file.

    2. Locate the <wsFederation> tag, and within the tag, type reply=<externalURI>. For example:

        Copy Code
      	<wsFederation reply= />
  6. On the Authentication page of the wizard, do not configure an authentication server.

  7. Complete the Add Application wizard.

  8. Activate the configuration.