Before you begin to create Forefront Unified Access Gateway (UAG) portals and publish applications, make sure you complete the following steps:
- If you are creating HTTPS trunks that require endpoints to connect to a portal over HTTPS, ensure that you have a server certificate from a public certification authority (CA) on the Forefront UAG server, or on each Forefront UAG array member. This is required in order to authenticate the server to remote
- If you are using an HTTPS connection from the trunk to published backend application servers, ensure that the backend server has a server certificate for authenticating the HTTPS connection to the Forefront UAG server.
- If you want to authenticate clients connecting to portal sessions, or to authenticate client credentials on backend published servers, you must have an authentication server set up to
- If authentication is required on backend published servers, and you want to implement single sign-on using Kerberos constrained delegation, a Kerberos infrastructure must be configured. In addition, if you want to use Active Directory Federation Services (ADFS), an ADFS server must be deployed.
- You can verify endpoint health against built-in Forefront UAG access policies, or against Network Access Protection (NAP) policies downloaded from a Network Policy Server (NPS). If you want to use NAP policies, you must set up an NPS in your network infrastructure before creating a trunk.
For detailed planning information about application publishing, see the Publishing planning guide.