The Publish Application Wizard helps you to publish internal applications and servers via a Forefront Unified Access Gateway (UAG) portal. This topic provides a summary of the pages and settings available when you run the wizard to publish an application in a portal.
- Select Application page
- Application Setup page
- Endpoint Security page
- Application Deployment page
- Web Servers page
- Connectivity Verifier Settings page
- Server Settings page
- Authentication page
- Portal Link page
- Authorization page
Select Application page
On the Select Application page, select the application you want to publish in the portal.
- Built-in services
- Select to publish predefined services and applications, such as File Access and SSL Tunneling (with Network Connector or SSTP).
- Web applications
- Select to publish applications that use the HTTP or HTTPS protocol, and have a Web interface. You can publish a single Web application, or a farm of backend Web servers.
- Client/server and legacy applications
- Select to publish applications that use non-Web protocols (protocols other than HTTP or HTTPS). Applications of this type are handled by the SSL Application Tunneling endpoint component.
- Browser-embedded applications
- Select to publish Web-initiated applications that use a Web-based interface to create a non-Web connection. Applications of this type are handled by the SSL Wrapper endpoint component. You can publish a single browser-embedded application or a farm of backend servers.
Application Setup page
On the Application Setup page, specify the name and type of the application.
- Application name
- Specify the name of the application as it will appear on the portal page.
- Application type
- Specify this value if you are publishing a generic Web application; otherwise, Forefront UAG will determine the application type. If you publish multiple generic Web applications of the same type in a portal, this value should be identical for each application.
Endpoint Security page
On the Endpoint Security page, select the access policies for your application. Note that not all of the policies may be available for some published applications.
- Access policy
- Select a policy with which endpoints must conform in order to access the published application.
- Upload policy
- Select a policy with which endpoints must conform in order to upload content associated with the published application.
- Download policy
- Select a policy with which endpoints must conform in order to download content associated with the published application.
- Restricted zone policy
- Select a policy with which endpoints must conform in order to gain access to the restricted zone of an application, if one is configured.
- Edit Endpoint Policies
- Click to modify default Forefront UAG access policies, or to create new policies.
Application Deployment page
If you are publishing a Web application, on the Application Deployment page, specify whether you want to publish a single server or a Web farm.
- Publish a Web site
- Select this option to publish a single Web application.
- Publish a farm of load-balanced Web servers
- Select this option to publish a farm of mirrored Web servers.
Web Servers page
If you are publishing a Web application, on the Web Servers page, configure settings for the backend Web server that you want to publish.
- Address type
- Click IP/Host to identify the Web server with one or more IP addresses or DNS host names. Click Subnet to define multiple IP addresses with a subnet and mask. Click Regular Expression to define the address range in Addresses using the Regex++ regular expression syntax. For example: [0-9A-Z-]+\.contoso\.com. When you use regular expressions, a corresponding rule is added in Forefront Threat Management Gateway (TMG) to allow traffic from the local host network (the Forefront UAG server) to any server in the Forefront TMG internal network, on the configured port.
- Addresses
- If you select IP/Host, double-click in the Addresses list to add a value.
- Paths
- If the Paths list appears, double-click in the list to specify the path of the published application. A path must start with a slash (/) character.
- HTTP Port
- Specify the port on which the application is published. To use the default port for the application, type Auto. To enable all ports, type All. To disable all ports, leave the field empty. To define multiple ports, use comma-separated entries (for example: 81, 82, 83). To define a range of ports, use a dash (for example: 81-84).
- Public host name
- If this field appears, specify the URL that the user types to access the Web application. This field is only used for Web applications that support public host names. The public host name must match the server certificate, and reside in the same domain as the public host name of the trunk. If you are publishing a Web farm, the name should be the FQDN of a real host, including the domain name.
- Replace host header with the following field
- If this field appears, specify a URL to be used to distinguish the internal host name of the application from its public host name. The URL should include the domain in which the trunk is located. For example, if the public host name of the application is HRPortal, and the trunk resides in the domain contoso.com, specify: http://HRPortal-External.contoso.com.
- Server farm host
- If you are publishing a Web farm, in Server farm host, specify the host name of the Web server farm. This name is used for link translation, IP session affinity, and optionally the HTTP host header.
- Use the farm name in the HTTP host header
- If you are publishing a Web farm, enable this value to specify that the host name in the HTTP request should be replaced with the farm host name. For the load-balancing method, select the affinity method to be used for Web farm requests.
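The Paths and HTTP Port rules above can be checked before the values are typed into the wizard. The following Python pre-check is an added example, not Microsoft or Forefront UAG code; the function names, the case-insensitive handling of Auto and All, and accepting comma-separated entries and ranges together in one value are assumptions.

```python
import re

def parse_http_port(spec):
    """Interpret an HTTP Port value: returns (mode, ports).

    mode is 'none', 'auto', 'all' or 'list'; ports is filled only for 'list'.
    """
    text = spec.strip()
    if text == "":
        return ("none", [])               # empty field: all ports disabled
    if text.lower() in ("auto", "all"):   # case-insensitive: an assumption
        return (text.lower(), [])
    ports = set()
    for item in text.split(","):
        m = re.fullmatch(r"\s*(\d+)\s*(?:-\s*(\d+)\s*)?", item)
        if not m:
            raise ValueError(f"not a port or range: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port out of range or reversed: {item!r}")
        ports.update(range(low, high + 1))
    return ("list", sorted(ports))

def review_web_server(address_type, paths, port_spec):
    """Return review findings for values planned for the Web Servers page."""
    findings = [f"path {p!r} must start with '/'"
                for p in paths if not p.startswith("/")]
    try:
        mode, _ports = parse_http_port(port_spec)
    except ValueError as exc:
        return findings + [f"HTTP Port: {exc}"]
    if mode == "all":
        findings.append("HTTP Port 'All' enables all ports")
    if mode == "none":
        findings.append("HTTP Port is empty, so all ports are disabled")
    if address_type == "Regular Expression":
        findings.append("Regular Expression adds a TMG rule from the UAG server "
                        "to any internal server on the configured port")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real configuration.
    for finding in review_web_server("Regular Expression", ["hr/app"], "All"):
        print("REVIEW:", finding)
    print(parse_http_port("80, 8080-8082"))
```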
Connectivity Verifier Settings page
If you are publishing a Web farm, use this page to specify how the state of Web farm members should be detected.
- Verification Method
- Select the method by which server farm member status will be verified. In order to check server availability, the connectivity verifier resolves farm names and caches the resolution information. If DNS resolution changes for a farm member, this may not be detected by the connectivity verifier, which continues to use cached settings and will consider the farm member as unavailable.
- Send an HTTP GET request: Click this option to verify the server farm members with an HTTP GET request. In the Request path box, specify the path to be used to determine whether the server farm members are running.
- Send a Ping request: Click this option to verify the server farm members with a Ping request.
- Establish a TCP connection: Click this option to verify the server farm members by establishing a TCP connection.
- In Timeout response threshold, specify the length of time (in milliseconds) that a connectivity verifier will wait for a response from a server.
- In Successful response threshold, specify the number of consecutive responses that Forefront UAG must receive from the server before the server is considered to be running.
- In Failed response threshold, specify the number of consecutive responses that Forefront UAG must receive from the server before the server is considered to be down.
Server Settings page
If you are publishing a non-Web server, on the Server Settings page, configure backend server settings. Each application has a unique user interface, depending on the required parameters.
Authentication page
On the Authentication page, specify how clients provide credentials to published backend Web servers that require authentication.
- Use single sign-on to send credentials to published applications
- Enable this setting to forward credentials (provided by users when accessing the Forefront UAG portal) to backend Web servers.
- Select authentication servers
- Click Add to select the server or servers that will be used to authenticate users to backend Web servers. To select a server, in the Authentication and Authorization Servers dialog box, select authentication servers in the list, and then click Select. Click Add to add an additional authentication server.
- 401 request
- Select to authenticate users to published Web applications using HTTP 401.
- HTML form
- Select to authenticate users to published Web applications using an HTML form.
- Both
- Select to authenticate users with an HTTP 401 and an HTML form. Note that you can also delegate user credentials to backend applications using Kerberos. This setting is not provided in the wizard, but can be configured on the application property pages, after you complete the publishing wizard.
Portal Link page
On the Portal Link page, specify how the application appears in the portal.
- Add a portal and toolbar link
- Enable this setting to add an application link to the default portal home page and toolbar.
- Portal name
- If required, modify the name by which the application is defined in the portal. The default is the name you specified on the first page of the wizard.
- Folder
- Specify a folder or subfolder via which the user can access the application if required. The URL must be an absolute URL (for example, https://www.contoso.com). Note that if you defined the application address using the IP address/Host name address type, the URL that is displayed here is, by default, a combination of the values of the Addresses and Paths fields. Ensure that it is the URL of the application link.
- Application URL
- Specify the internal entry link URL from the portal to the application. The URL must be an absolute URL (for example, https://www.contoso.com). Note that if you defined the application address using the IP address/Host name address type, the URL that is displayed here is, by default, a combination of the values of the Addresses and Paths fields. Ensure that it is the URL of the application link.
- Mobile URL
- Specify the internal entry link URL from the mobile portal to the application. The URL must be an absolute URL (for example, https://www.contoso.com/contoso).
- Icon URL
- Specify the URL of the icon representing the application (displayed in the portal to the left of the application name).
- Open in a new window
- Enable to specify that the application should open in a new window.
Authorization page
Specify which portal users can access the published application.
- Authorize all users
- Enable to specify that all remote clients authenticated for portal access can view and access the application. If you clear this check box, you must configure authorization settings for the application.
- Users and Groups
- In Users and groups, click Add to add users and groups who are authorized to access this portal application. For more information about configuring users and groups, see Implementing users and groups for application authorization.