Forefront Unified Access Gateway (UAG) online Help
Documentation Home
Welcome to Forefront Unified Access Gateway (UAG)
Newly published content
Product Evaluation
Forefront UAG technical overview
Forefront UAG DirectAccess technical overview
Benefits
Needs and challenges
Key elements and requirements
Connections and tunnels
Connection process
Separating Internet and intranet traffic
Using IPsec
Client authentication
Extending IPsec policies to selected application servers
Using IPv6
Using transition technologies
Network location server
Certificate revocation checking
Using DNS
Using integrated NAT64 and DNS64 with Forefront UAG DirectAccess
Load balancing
Using Network Access Protection (NAP)
Additional references
Obtaining the Forefront UAG Evaluation Version
What's new
What's new in Forefront UAG Service Pack 1
What's new in Forefront UAG Update 2
What's new in Forefront UAG Update 1
What's new in Forefront UAG
Comparing Forefront UAG DirectAccess RTM and SP1
Comparing IAG 2007 and Forefront UAG RTM
Getting Started
Frequently Asked Questions (FAQ)
Release notes for Forefront UAG 2010
Release notes for Forefront UAG SP1
System requirements for Forefront UAG servers
System requirements for Forefront UAG client devices
System requirements for Forefront UAG DirectAccess
Test lab guides
Support boundaries
Planning and Design
Infrastructure planning guide
Introduction
Identifying your infrastructure design requirements
Forefront UAG DirectAccess performance information
Identifying your infrastructure deployment goals
Mapping your deployment goals to a design
Single server infrastructure design
Multiple server infrastructure design
Single Forefront UAG DirectAccess server infrastructure design
Multiple Forefront UAG DirectAccess server infrastructure design
Endpoint component infrastructure design
Client authentication infrastructure design
Endpoint health checking infrastructure design
Application authorization infrastructure design
Privileged (certified) endpoint infrastructure design
Application publishing infrastructure design
Logging and monitoring infrastructure design
Array planning guide
Introduction to array design
Identifying your deployment goals
Mapping your deployment goals to a design
Array design
Load balancing design
Forefront UAG DirectAccess array and load balancing design
Forefront UAG DirectAccess with SP1 planning guide
Planning checklist
Planning for a single or multiple servers
Verifying hardware requirements
Planning a core deployment
Planning for DirectAccess deployment
Planning for DirectAccess GPOs
Planning for DirectAccess client deployment
Planning for DirectAccess client authentication
Planning server network settings
Planning for IP-HTTPS
Planning CAs and certificates
Planning management servers
Planning a network location server
Planning DNS requirements
Planning Active Directory
Planning optional deployment scenarios
Planning for DCA deployment
Planning for NAP health verification
Planning Internet access for DirectAccess clients
Planning DirectAccess client two-factor authentication
Planning for extended authentication and encryption
Forefront UAG DirectAccess planning guide
Introduction to Forefront UAG DirectAccess design
Understanding the design process
Identifying your deployment goals
Mapping your deployment goals to a design
Planning a Forefront UAG DirectAccess deployment strategy
Resources available to Forefront UAG DirectAccess clients
Choosing an intranet IPv6 connectivity design
Choosing a solution for IPv4-only intranet resources
Choosing an access model
Choosing a configuration method
Designing Forefront UAG DirectAccess for remote management
Designing packet filtering for Forefront UAG DirectAccess
Packet filtering for the Internet firewall
Packet filtering for intranet firewalls
Confining ICMPv6 traffic to the intranet
Packet filtering for Teredo connectivity
Packet filtering for management computers
Forefront UAG DirectAccess and Third-party host firewalls
Choosing an authentication and authorization scheme
Designing addressing and routing for the Forefront UAG DirectAccess server
Designing Active Directory for Forefront UAG DirectAccess
Designing a DNS infrastructure for Forefront UAG DirectAccess
Designing your PKI for Forefront UAG DirectAccess
Designing your Web servers for Forefront UAG DirectAccess
Choosing an Internet traffic separation design
Designing protection for traffic between DirectAccess clients
Designing your intranet for corporate connectivity detection
Choosing a Forefront UAG DirectAccess and VPN coexistence design
Planning the placement of a Forefront UAG DirectAccess server
Planning the placement of a network location server
Planning the placement of CRL distribution points
Planning Forefront UAG DirectAccess with Network Access Protection (NAP)
Planning Forefront UAG DirectAccess with an existing server and domain isolation deployment
Capacity planning for Forefront UAG DirectAccess
Documenting your Forefront UAG DirectAccess design
Publishing planning guide
Introduction to publishing design
Identifying your deployment goals
Mapping your deployment goals to a publishing design
Planning for application and server farm publishing
Planning for internal network access
Planning for file access
Access control for publishing planning guide
Introduction to endpoint access design
Identifying your deployment goals
Mapping your deployment goals to a design
Planning for client authentication
Planning for frontend authentication
LDAP authentication
SSL client certificate authentication
RADIUS authentication
RSA SecurID authentication
TACACS authentication
WINHTTP authentication
Planning for backend authentication to published servers
Basic, NTLM, or HTTP forms authentication
Kerberos constrained delegation
Planning for federation with AD FS
Planning for endpoint health checking
Planning to implement endpoint access policies
Planning for portal application authorization
Client component deployment planning guide
Introduction to endpoint component deployment design
About the Endpoint Session Cleanup component
About the Endpoint Detection component
About SSL tunneling
About the SSL Application Tunneling component
About the Socket Forwarding component
About the SSL Network Tunneling component
Identifying your deployment goals
Mapping your deployment goals to a design
Allowing remote client access
Securing remote access
Installation
Preparing for installation
Installing SP1 for Forefront UAG 2010
Installing Forefront UAG SP1
Installing SP1 on an array using NLB
Installing SP1 on an array using external load balancing
Uninstalling and rolling back SP1
Installing Update 2 for Forefront UAG
Installing Update 2 on an array using NLB
Installing Update 1 for Forefront UAG
Installing Update 1 on an array using NLB
Installing Forefront UAG 2010
Installing the Forefront UAG application
Running an attended installation
Running an unattended installation
Running the Getting Started Wizard
Verifying installation settings
Uninstalling Forefront UAG
Hardening the Forefront UAG server
Migrating from IAG 2007
Installing Forefront TMG Service Pack 1
Deployment
Deployment checklist
Array deployment guide
Overview of arrays and load balancing
Planning to deploy arrays and load balancing
Implementing an array and load balancing design
Configuring the array manager server
Joining a server to an array
Removing an array member from an array
Changing the array manager server
Modifying credentials used by an array member
Modifying credentials used by the array manager
Configuring NLB for a Forefront UAG array
Configuring NLB for a Forefront UAG DirectAccess array
Configuring external load balancing for a Forefront UAG DirectAccess array
Configuring NLB for a Forefront UAG DirectAccess array in SP1
Verifying the array and load balancing deployment
Forefront UAG DirectAccess deployment guide for SP1
Overview
Planning to deploy
Prerequisites for SP1
Implementing a core deployment for SP1
Installing Forefront UAG DirectAccess SP1
Step 1: Configuring DirectAccess clients and GPOs
Before configuring DirectAccess clients and GPOs in SP1
Selecting a deployment model in SP1
Selecting client domains in SP1
Configuring DirectAccess GPOs
Specifying client groups in SP1
Step 2: Configuring the Forefront UAG DirectAccess server
Before configuring the Forefront UAG DirectAccess server
Choosing a load balancing method
Assigning IP addresses
Selecting an IP-HTTPS certificate
Configuring IPv6 prefixes
Selecting the CA for IPsec authentication
Step 3: Configuring infrastructure servers
Before configuring infrastructure servers
Specifying the network location server URL
Specifying DNS servers
Specifying authentication domains
Specifying management servers
Applying or exporting the Forefront UAG DirectAccess configuration
Implementing optional settings
Before configuring optional settings
Configuring the DirectAccess Connectivity Assistant (DCA)
Configuring NAP
Configuring an Internet connectivity method
Configuring two-factor authentication
Configuring server groups
Step 4: Extending authentication and encryption
Before configuring extended authentication and encryption to application servers in SP1
Configuring extended authentication and encryption to application servers in SP1
Additional tasks
Allowing IPv6 in Forefront TMG system policy rules
Disabling and enabling Forefront UAG DirectAccess in SP1
Modifying the Forefront UAG DirectAccess export script in SP1
Disabling DNS64 and NAT64 in SP1
Configuring pre-created GPOs
DirectAccess Connectivity Assistant 1.5 Deployment Guide
Forefront UAG DirectAccess deployment guide
Overview of Forefront UAG DirectAccess
Planning to deploy Forefront UAG DirectAccess
Forefront UAG DirectAccess prerequisites
Implementing a Forefront UAG DirectAccess deployment
Installing Forefront UAG DirectAccess
Configuring clients for Forefront UAG DirectAccess
Disabling and enabling Forefront UAG DirectAccess
Configuring the Forefront UAG DirectAccess server
Configuring load balancing
Assigning IP addresses to the server interfaces
Configuring NAT64 and DNS64
Configuring IPv6 prefix addresses
Configuring authentication options
Identifying the infrastructure servers
Specifying the network location server
Identifying DNS servers
Managing remote client computers
Identifying and configuring application servers
Applying or exporting the Forefront UAG DirectAccess configuration
Modifying the Forefront UAG DirectAccess export script
Running a script to manage IPv6 in Forefront TMG
Publishing deployment guide
Overview of application publishing
Planning an application publishing deployment
Implementing a trunk
Setting up a trunk
Configuring trunk settings
Adding applications to a trunk
Configuring application settings
Redirecting HTTP requests to HTTPS trunks
Setting up Remote Network Access
Publishing remote network access with SSTP
Configuring Forefront TMG to block users over SSTP
Publishing remote network access with Network Connector
Setting up the File Access application
Configuring Local Drive Mapping
Configuring File Access
Configuring file server and share permissions
Configuring access to home folders and mapped drives
Configuring access to file servers
Configuring access to Novell NetWare servers
Publishing File Access and Local Drive Mapping applications
Access control for publishing deployment guide
Overview of access control
Planning to deploy access control mechanisms
Implementing frontend authentication
Configuring Active Directory authentication
Configuring LDAP authentication
Configuring SSL client certificate authentication
Authenticating with e-mail in the certificate subject
Authenticating with CN in the certificate subject
Authenticating with UPN in the certificate SAN
Configuring Notes Directory authentication
Configuring Novell Directory authentication
Configuring NT Domain authentication
Configuring RADIUS authentication
Configuring RSA SecurID authentication
Configuring TACACS authentication
Configuring WINHTTP authentication
Configuring custom authentication
Implementing backend authentication mechanisms
Deploying a single sign-on solution
Configuring single sign-on with Kerberos constrained delegation
Implementing cross-site single sign-on
Implementing access policies for endpoint health validation
Configuring Forefront UAG access policies
Configuring Forefront UAG platform-specific access policies
Configuring NAP access policies
Implementing users and groups for application authorization
Implementing certified endpoints
Setting up a local CA
Setting up a remote CA
Configuring certified endpoints
Specifying how endpoints request certificates
SharePoint publishing solution guide
Overview of SharePoint publishing
Why enable SharePoint extranet access with Forefront UAG?
SharePoint publishing topologies
Before you publish SharePoint applications
Publishing a SharePoint application
Publishing multiple SharePoint applications on unique ports
Publishing a SharePoint application with identical internal and public host addresses
Publishing multiple SharePoint applications on a single port
Configuring error reporting
Publishing an AD RMS server
Publishing the Forefront UAG portal as a SharePoint Web Part
Blocking automatic SharePoint library synchronization
Verifying SharePoint publishing
Exchange services publishing solution guide
Overview of Exchange services publishing
Why enable remote access to Exchange services with Forefront UAG?
Exchange services publishing deployment options
Publishing Exchange services scenarios
Before you publish Exchange services
Publishing Outlook Web Access on a Forefront UAG portal
Publishing Outlook Anywhere on a Forefront UAG portal
Publishing load-balanced Web farms
Publishing an AD RMS server
Configuring error reporting
Configuration recommendations
Modifying Exchange endpoint policies
Verifying Exchange services publishing
Dynamics CRM publishing solution guide
Why publish Dynamics CRM with Forefront UAG?
Publishing Dynamics CRM
Remote Desktop Services publishing solution guide
Overview of Remote Desktop Services publishing
Why publish Remote Desktop Services with Forefront UAG?
Publishing Remote Desktop Services
Publishing RemoteApp applications
Publishing Desktop Connections
Customizing Remote Desktop Services publishing
Customizing user defined Desktop Connections
Customizing RemoteApp RDP parameters
Modifying RDP parameters
Modifying RemoteApp and Remote Desktop icons
Endpoint component deployment guide
Overview of endpoint components
Implementing an endpoint component deployment
Preparing to deploy endpoint components online
Preparing to deploy endpoint components offline
Installing endpoint components using the Client Components Installer
Installing endpoint components using an installation file
Configuring client endpoints to trust Forefront UAG sites
Restoring endpoint components default settings
Preparing to uninstall endpoint components
Active Directory Federation Services 2.0 solution guide
Overview of AD FS 2.0
Why deploy Forefront UAG with AD FS 2.0?
Supported scenarios and prerequisites
AD FS 2.0 topologies
Partner employee access using claims
Remote employee access using claims
Partner employee access with non-federated application authentication
Remote employee access with non-federated application authentication
Remote employee access using non-federated trunk authentication and federated application authentication
Remote partner employee access using claims
Deploying AD FS 2.0
Configuring an AD FS 2.0 authentication repository
Creating a portal trunk for AD FS 2.0
Creating a Relying Party Trust using Federation Metadata
Creating a rule to pass-through or filter an incoming claim
Creating a rule to transform an incoming claim
Optional deployment tasks
Configuring SharePoint 2010 AAM applications with AD FS 2.0
Configuring SharePoint 2007 AAM applications with AD FS 2.0
Creating and managing the AD FS 2.0 application
Configuring single sign-on with Kerberos constrained delegation to non-claims-aware applications
Configuring claims-based application authorization
Publishing claims-based applications with an external federation service
Verifying the deployment
Active Directory Federation Services 1.x solution guide
Overview of AD FS 1.x publishing
Deploying federation with AD FS
Installing and configuring an AD FS server
Installing the AD FS web agent
Enabling a portal trunk for AD FS
Configuring applications with AD FS
Configuring SharePoint AAM applications with AD FS
Configuring an AD FS proxy replacement trunk
Configuring IIS to support federation
Granting access to AD FS users
Running the AD FS configuration script
Deploying Forefront UAG for mobile devices
Overview of the mobile browsing experience
Configuring Forefront UAG for mobile browsing
Configuring mobile logon
Publishing Exchange ActiveSync
Publishing SharePoint sites for SharePoint Workspace Mobile
Operations
Hardening the Forefront UAG server
Customizing Forefront UAG
Customizing the portal
Customizing text in the portal
Adding toolbar buttons
Hiding the application tree
Hiding the portal header, footer, and application tree
Customizing icons for portal applications
Customizing the InternalSite
Customizing text in the InternalSite
Enabling UPN logon for forms-based authentication
Customizing user agents for rich clients
Displaying the Forefront UAG server and incoming IP address
Customizing the detection module
Customizing endpoint components
Customizing the endpoint components detection script
Modifying the list of automatically installed client components
Enabling the offline client components installer
Manipulating HTTP responses with AppWrap
Customizing the Web Monitor
Customizing Web Monitor charts
Customizing the appearance of the top monitor strip
Customizing Web Monitor style definitions
Modifying network and server settings
Configuring monitoring and logging
Configuring event logging
Configuring log limits
Configuring logging
Logging SSL events
Customizing event messages
Disabling logging
Logging to a SQL Server
Using Web Monitor to view events
Using System Center Operations Manager (SCOM)
Introduction to the Forefront UAG Management Pack
What's new
Supported configurations
Getting started with the Management Pack
Before you import the Management Pack
Recommended Additional Management Packs
How to import the Management Pack
Create a new Management Pack for customizations
Understanding Management Pack operations
Objects the Management Pack discovers
Classes
How health rolls up
Viewing information in the Operations Manager monitoring pane
Key monitoring scenarios
Monitors
Events
Collection rules
Placing monitored objects in maintenance mode
Appendix: scripts
Appendix: tasks
Performing scheduled and on demand operations
Understanding Forefront UAG operations
Preparing for operation tasks
Daily operations
Checking the health of arrays
Monitoring the status of Forefront UAG services
Monitoring Windows Event Viewer messages
Monitoring Forefront UAG logs
Verifying the network location server is functioning
Checking Forefront UAG DirectAccess connectivity
Monitoring with System Center Operations Manager (SCOM)
Weekly and monthly operations
Monitoring the status of updates
Monitoring the status of certificates
On-demand operations
Monitoring users
Monitoring endpoint sessions
Monitoring applications
Monitoring and managing array members
Monitoring server resources
Checking connectivity
Checking that authentication servers are available
Querying events
Backing up Forefront UAG
Backing up and restoring with export and import
Maintaining Forefront UAG DirectAccess
Monitoring Forefront UAG DirectAccess clients and users in RTM
Changing an internal IP address on the Forefront UAG server in SP1
Monitoring Forefront UAG DirectAccess SP1
Monitoring Forefront UAG DirectAccess clients and users in SP1
Monitoring Forefront UAG DirectAccess clients and users with PowerShell in SP1
Monitoring Forefront UAG DirectAccess server health in SP1
Monitoring client Network Access Protection (NAP) non-compliance in SP1
Performing end-user operations
Enabling RDS on Windows Vista and Windows XP
Requiring signature validation for custom detection scripts
Installing endpoint components using the online installer
Installing endpoint components using an installation file
Using DirectAccess Connectivity Assistant (DCA) 1.0
Using DirectAccess Connectivity Assistant (DCA) 1.5
Technical Reference
User interface help reference
Create Trunk Wizard Help
Add Application Wizard help
Trunk properties help
Application properties help
User interface consoles
About the Editor console
About the Activation Monitor console
SQL Server logging fields
Forefront UAG registry keys
About Regex++ syntax
About host address translation (HAT)
Compliance notes
AppWrap file description
Event Messages
Troubleshooting
Troubleshooting installation
Installation common issues
Installation troubleshooting flow
Troubleshooting IP address changes
Using tracing
Using the Best Practices Analyzer (BPA)