Forefront Unified Access Gateway (UAG) allows you to provide access to published RemoteApps and Remote Desktops, by integrating a Remote Desktop Gateway (RD Gateway) to provide an application-level gateway for RDS services and applications. Previously, RDS was published by tunneling Remote Desktop Protocol (RDP) traffic from the endpoint to RDS servers using the Socket Forwarding component; tunneled traffic was not controlled or inspected, and client endpoints required installation of the Socket Forwarding endpoint component.

The following sections describe:

For information about the benefits of publishing RDS via Forefront UAG, see Why publish Remote Desktop Services with Forefront UAG?.

For the steps required to publish RDS, see Publishing Remote Desktop Services.

How Forefront UAG integrates with RD Gateway

Forefront UAG integrates with RD Gateway, as follows:

  • Remote access: Remote users can access Remote Desktops and RemoteApp applications via a Forefront UAG portal using a single RDS server, or by using a Remote Desktop Connection Broker (RD Connection Broker):

    • Remote Desktops: Allow full access to Remote Desktops within the organization. The remote desktops can be physical computers or virtual computers that are available through Virtual Desktop Infrastructure (VDI).

    • RemoteApp applications: Publish a single RemoteApp or multiple RemoteApps.

  • Firewall traversal: RD Gateway transmits RDP traffic on port 443 using an HTTP SSL/TLS tunnel. Most corporations open this port for Internet connectivity. Forefront UAG uses this traversal capability to allow users to connect to internal applications and resources hosted behind firewalls in private networks, and across network address translation (NAT) devices, without the need to install additional software on the client endpoint.

How Forefront UAG handles RDC client requests

Forefront UAG handles requests from RDC clients to the RDS hosts, as follows:

  1. A client accesses a Forefront UAG portal using a Web browser.

  2. The client logs in. The client authenticates as required for the portal session, and Forefront UAG evaluates the settings and features of the endpoint against its session access policies.

  3. The end user starts a RemoteApp or Remote Desktop application in the portal.

  4. The portal uses the RDS ActiveX component to activate the RDC client software running on the endpoint.

    The ActiveX component is activated with parameters that are based on the health of the endpoint to ensure that only the features that are available on that endpoint are presented to the end user.

  5. The RDC client on the endpoint initiates an RDP-over-HTTPS connection with the Forefront UAG server.

  6. The HTTPS connection terminates on the Forefront UAG server. Forefront UAG uses its integrated RD Gateway to handle the connection. Forefront UAG checks the session cookie to verify that the user logged on to the portal and was authenticated successfully, and then enforces the endpoint access policies.

  7. An RDP session is established from Forefront UAG to the backend RDS hosts.
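The following Python model is an added illustration of the gate described in steps 4 and 6 above; it is not Forefront UAG's code. It assumes a hypothetical session store keyed by the portal session cookie, a hypothetical endpoint access policy per published resource, and constructed sample sessions, and it shows why the same policy is applied twice: once to decide which resources the portal presents, and again on the gateway before any RDP session is bridged to a backend RDS host.

```python
from dataclasses import dataclass

# Constructed data, for illustration only (not from Forefront UAG).
@dataclass(frozen=True)
class PortalSession:
    user: str
    authenticated: bool          # portal logon completed (step 2)
    endpoint_health: frozenset   # health checks the endpoint passed (step 2)
    expires_at: int              # session expiry as a Unix timestamp

# Hypothetical session store keyed by the portal session cookie value.
SESSIONS = {
    "sid-alice": PortalSession("alice", True, frozenset({"antivirus", "firewall"}), 2000),
    "sid-bob":   PortalSession("bob",   True, frozenset({"firewall"}),              2000),
    "sid-carol": PortalSession("carol", True, frozenset({"antivirus", "firewall"}), 1000),
}

# Hypothetical endpoint access policy: health checks each published resource requires.
ACCESS_POLICY = {
    "FullDesktop":     frozenset({"antivirus", "firewall"}),
    "RemoteApp-Notes": frozenset({"firewall"}),
}

def resources_to_present(cookie: str, now: int) -> list:
    """Step 4: present only the published resources this endpoint may use."""
    return sorted(r for r in ACCESS_POLICY if authorize_rdp_connection(cookie, r, now)[0])

def authorize_rdp_connection(cookie: str, resource: str, now: int):
    """Step 6: the gateway re-checks the session cookie and the endpoint policy
    before bridging the RDP-over-HTTPS connection to a backend RDS host (step 7).
    Returns (allowed, reason)."""
    session = SESSIONS.get(cookie)
    if session is None or not session.authenticated:
        return False, "no authenticated portal session for this cookie"
    if now >= session.expires_at:
        return False, "portal session expired"
    required = ACCESS_POLICY.get(resource)
    if required is None:
        return False, "resource is not published"
    missing = sorted(required - session.endpoint_health)
    if missing:
        return False, "endpoint fails access policy: " + ", ".join(missing)
    return True, f"bridge RDP for {session.user} to {resource}"
```

Because the gateway repeats the check, a resource the portal did not present is still refused at connection time, so the portal filter is a convenience and the gateway decision is the control.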