Before you begin to create Forefront Unified Access Gateway (UAG) portals and publish applications, make sure you complete the following steps:

  1. If you are creating HTTPS trunks that require endpoints to connect to a portal over HTTPS, ensure that you have a server certificate from a public certification authority (CA) on the Forefront UAG server, or on each Forefront UAG array member. Endpoints use this certificate to authenticate the server, so its subject name must match the public host name of the trunk, and the issuing CA must be one that remote endpoints already trust; a certificate from an internal CA will produce certificate warnings or connection failures on endpoints that do not have that CA in their trusted root store.

  2. If you are using an HTTPS connection from the trunk to published backend application servers, ensure that each backend server has a server certificate for authenticating the HTTPS connection to the Forefront UAG server. In this direction the Forefront UAG server is the client, so the certificate must chain to a CA that is trusted on the Forefront UAG server, and its subject name must match the name by which Forefront UAG addresses the backend server.

  3. If you want to authenticate clients connecting to portal sessions, or to authenticate client credentials on backend published servers, you must have an authentication server set up to verify credentials.

  4. If authentication is required on backend published servers, and you want to implement single sign-on using Kerberos constrained delegation, a Kerberos infrastructure must be configured: the backend services must have service principal names (SPNs) registered, and the Forefront UAG server's computer account must be trusted for delegation to those services. In addition, if you want to use Active Directory Federation Services (ADFS), an ADFS server must be deployed.

  5. You can verify endpoint health against built-in Forefront UAG access policies, or against Network Access Protection (NAP) policies downloaded from a Network Policy Server (NPS). If you want to use NAP policies, you must set up an NPS in your network infrastructure before creating a trunk.
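The following PowerShell script is an added pre-flight check for steps 1, 2 and 4 above; it is not part of the Forefront UAG documentation or product, and the portal name, backend name, port and SPN in it are assumptions you must replace with your own. Run it on the Forefront UAG server (or on each array member) before creating the trunk. It looks for a usable trunk certificate in the local machine store and builds its chain with revocation checking, connects to the backend server over TLS and evaluates the certificate it presents as Forefront UAG would, and, if the ActiveDirectory module (RSAT) is installed, checks that the server's computer account is configured for constrained delegation to the backend SPN.

```powershell
# Added example, not from the Forefront UAG documentation. All names below are assumptions.
$PortalHostName  = 'portal.contoso.com'        # assumed public host name of the HTTPS trunk
$BackendHostName = 'app1.corp.contoso.com'     # assumed backend server published over HTTPS
$BackendPort     = 443
$BackendSpn      = "http/$BackendHostName"     # assumed SPN of the backend web service

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'           # id-kp-serverAuth (Server Authentication EKU)

# Does the certificate cover the given DNS name in its subject CN or Subject Alternative Name?
function Test-CertName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    if ($Cert.GetNameInfo('DnsName', $false) -eq $HostName) { return $true }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    return ($san -ne $null) -and ($san.Format($false) -match "DNS Name=$([regex]::Escape($HostName))(,|$)")
}

# Does the certificate carry the Server Authentication EKU?
function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -eq $null) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
}

# Build the chain on this machine with online revocation checking; report why it fails if it does.
function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $ok = $chain.Build($Cert)
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning ("  chain: " + $_.StatusInformation.Trim()) } }
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host ("  chain root: " + $root.Subject)
    }
    if ($chain.ChainElements.Count -eq 1) { Write-Warning "  certificate is self-signed; trunks need a certificate from a public CA" }
    return $ok
}

# Step 1: a trunk certificate in Cert:\LocalMachine\My with a private key, the Server
# Authentication EKU, the portal name, and a chain to a root trusted on this server.
function Test-TrunkCertificate {
    param([string]$HostName)
    $found = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey -and (Test-CertName $_ $HostName) -and (Test-ServerAuthEku $_) })
    if ($found.Count -eq 0) { Write-Warning "no usable certificate for $HostName in Cert:\LocalMachine\My"; return $false }
    $result = $true
    foreach ($cert in $found) {
        Write-Host ("trunk candidate: " + $cert.Subject + " thumbprint " + $cert.Thumbprint + " expires " + $cert.NotAfter)
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "  expires within 30 days" }
        if (-not (Test-CertChain $cert)) { $result = $false }
    }
    return $result
}

# Step 2: the backend presents a certificate this server would accept for the published name.
# The validation callback accepts anything only so the certificate can be captured; trust is
# then evaluated explicitly with Test-CertChain and Test-CertName rather than by the callback.
function Test-BackendCertificate {
    param([string]$HostName, [int]$Port)
    try { $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port) }
    catch { Write-Warning "cannot connect to ${HostName}:${Port}: $_"; return $false }
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host ("backend certificate: " + $cert.Subject + " issued by " + $cert.Issuer)
        $nameOk = Test-CertName $cert $HostName
        if (-not $nameOk) { Write-Warning "  name mismatch: certificate does not cover $HostName" }
        $chainOk = Test-CertChain $cert
        return ($nameOk -and $chainOk)
    } catch { Write-Warning "TLS handshake with $HostName failed: $_"; return $false }
    finally { $ssl.Dispose(); $tcp.Close() }
}

# Step 4: for Kerberos constrained delegation this server's computer account must be allowed to
# delegate to the backend SPN, and "Use any authentication protocol" (protocol transition) must
# be enabled, because Forefront UAG authenticates the user itself before requesting the ticket.
function Test-KcdDelegation {
    param([string]$Spn)
    Import-Module ActiveDirectory -ErrorAction Stop
    $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
    $spnOk = @($acct.'msDS-AllowedToDelegateTo') -contains $Spn
    if (-not $spnOk) { Write-Warning "$Spn is not in msDS-AllowedToDelegateTo for $($acct.Name)" }
    if (-not $acct.TrustedToAuthForDelegation) { Write-Warning "'Use any authentication protocol' is not enabled for $($acct.Name)" }
    return ($spnOk -and [bool]$acct.TrustedToAuthForDelegation)
}

$results = @{
    'trunk certificate'   = Test-TrunkCertificate $PortalHostName
    'backend certificate' = Test-BackendCertificate $BackendHostName $BackendPort
    'KCD delegation'      = Test-KcdDelegation $BackendSpn
}
$results.GetEnumerator() | ForEach-Object { "{0,-20} {1}" -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' }) }
```

The chain is built on the Forefront UAG server deliberately: for the trunk certificate that only confirms the server itself trusts the issuer, so also confirm the issuer is a public CA that your endpoints trust; for the backend certificate it is exactly the trust decision Forefront UAG will make when it connects. A FAIL from Test-KcdDelegation with an SPN warning usually means the delegation entry was added for a different service name or host name than the one Forefront UAG will use when it publishes the application.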

For detailed planning information about application publishing, see the Publishing planning guide.