Using Forefront Unified Access Gateway (UAG), you publish corporate applications via a Forefront UAG trunk. Users then access the applications through the portal home page of the trunk.
Read the following to ensure that you understand the Forefront UAG features required to configure application publishing:
- About trunks─You create and configure trunks to control how remote endpoints interact with the Forefront UAG server, and how they access applications published via the trunk.
- About portals─Each trunk has a portal home page that provides a Web gateway to one or more published applications.
- About application publishing─You add applications to a trunk in order to make them accessible (via the portal home page) to remote endpoints. In addition to trunk settings that specify how endpoints access the portal, you can configure settings for each application. Application settings control how the application appears in the portal, and how endpoints access a specific application.
About trunks
A Forefront UAG portal trunk is a transfer channel that allows endpoints to connect to the trunk’s portal home page over HTTP or HTTPS. You can also create a redirect trunk that redirects HTTP endpoint requests to an HTTPS trunk.
Each trunk has a portal home page to which remote endpoints connect to interact with the trunk, and access published applications. For each trunk you create, Forefront UAG adds the Portal application to the trunk in order to provide a default home page. Alternatively, you can define a customized home page.
In addition to publishing applications, there are a number of trunk settings that you can configure. These include authentication requirements and access policies for users accessing the trunk, and session and inspection settings that specify how user requests are handled by the trunk. You create a trunk with basic settings using the Create Trunk Wizard, and define additional settings after completing the wizard. Trunk settings include the following:
- Address settings─For each trunk, you configure a public host name that is specified in the endpoint browser to reach the portal. Optionally, you can configure an alternative port if endpoints will connect to a portal by making a request to a computer other than the Forefront UAG server (for example, to an external load balancer that is listening on a different port). In addition, you can specify the IP address and port on which the Forefront UAG server is listening for endpoint requests.
- Portal home page─You must specify a home page for the portal. You can use the default home page provided for each portal by Forefront UAG, or you can configure a customized home page.
- Server certificate─If endpoints connect to a portal over HTTPS, the trunk for that portal requires a server certificate that will authenticate the Forefront UAG server to the endpoint. The certificate should be issued by a public certification authority (CA) because the CA must be trusted by all endpoints.
- IIS logging─You can log trunk traffic to the IIS Web server running on the Forefront UAG server. You can log source IP addresses and user names entered during logon.
- Frontend authentication─You can require endpoints to authenticate for access to a portal session using a number of authentication methods. You can specify how users interact with authentication servers on the portal home page. For example, you can enable clients to select the authentication server against which they authenticate, require users to authenticate to multiple servers either separately or with a single user name, enable users to add credentials in real time if the current credentials are denied when accessing a portal application, and allow users to change their passwords.
- Session settings─You can configure a number of settings that control endpoint sessions to the portal. These include connection limits for sessions, session timeout settings, automatic logoff settings, and specifying how Forefront UAG endpoint components are installed during a portal session.
- Endpoint access settings─You can configure an access policy for a portal session. Endpoint settings are verified against these access policies, allowing only compliant endpoints to access the portal.
- Traffic inspection settings─Forefront UAG includes an application-level control engine that helps to stop HTTP-based attacks and enforce application data validation, thus helping to prevent Web server exploits, such as URL manipulation and buffer overflows. Traffic inspection mechanisms that you can configure include:
  - URL inspection─In addition to basic URLs, Forefront UAG inspects parameters and any other incoming data. Application-level information that can be inspected includes exact lengths and types of URLs, parameters, methods, and combinations of them that are permitted and accepted by the application server. This helps to ensure that attempts to compromise the server by sending long URLs, unexpected parameters, or unexpected methods will fail.
  - URL rules─Forefront UAG includes predefined application-aware rules that are designed to help protect the portal and the internal Web site, and to meet the specific needs of many applications that you publish via a trunk. You can also create customized rules for proprietary applications.
  - HTTP filtering─You can configure Forefront UAG to check HTTP headers and filter requests, based on header types, sizes, lengths, character ranges, and values. HTTP filtering uses positive logic, allowing only specifically permitted traffic to pass through the Forefront UAG server. Traffic that does not conform is automatically rejected.
  - HTTP compression─Forefront UAG includes HTTP compression capabilities. Content requested by a Web browser can be sent in an encoded form according to the encoding type specified by endpoints.
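To make the positive-logic model behind URL inspection and HTTP filtering concrete, the following added example (not Forefront UAG's rule format or engine, and not from the original page) checks sample requests against an allowlist of paths, methods, parameter values, URL length and header characteristics; the rule set and requests are constructed for illustration.

```python
"""Illustrative positive-logic request inspection: a request is allowed only
if its path, method, parameters and headers are all explicitly permitted."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass
class UrlRule:
    path: str            # exact path the application server accepts
    methods: frozenset   # HTTP methods permitted for this path
    params: dict         # allowed parameter name -> regex its value must match
    max_url_len: int = 256


# Constructed rule set for a hypothetical published application.
RULES = [
    UrlRule("/app/search", frozenset({"GET"}), {"q": r"[\w ]{1,64}"}),
    UrlRule("/app/login", frozenset({"POST"}), {}),
]
# Header allowlist: lower-case name -> (max length, permitted character range).
HEADER_RULES = {
    "host": (255, r"[A-Za-z0-9.\-:]+"),
    "user-agent": (512, r"[\x20-\x7e]+"),
    "cookie": (4096, r"[\x20-\x7e]+"),
}


def inspect(method: str, url: str, headers: dict) -> tuple:
    """Return (allowed, reason). Anything not explicitly permitted is rejected."""
    parts = urlsplit(url)
    rule = next((r for r in RULES if r.path == parts.path), None)
    if rule is None:
        return False, f"no rule for path {parts.path}"
    if len(url) > rule.max_url_len:
        return False, "URL exceeds permitted length"
    if method not in rule.methods:
        return False, f"method {method} not permitted for {parts.path}"
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = rule.params.get(name)
        if pattern is None:
            return False, f"unexpected parameter {name}"
        if not re.fullmatch(pattern, value):
            return False, f"parameter {name} has an unexpected value"
    for name, value in headers.items():
        spec = HEADER_RULES.get(name.lower())
        if spec is None:
            return False, f"header {name} not permitted"
        max_len, charset = spec
        if len(value) > max_len or not re.fullmatch(charset, value):
            return False, f"header {name} fails size or character check"
    return True, "ok"
```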