
Microsoft Forefront UAG 2010 Administrator's Handbook


Overview of this book

Microsoft Forefront Unified Access Gateway (UAG) is the latest in a line of Application Publishing (Reverse Proxy) and Remote Access (VPN) server products. The broad set of features and technologies integrated into UAG makes for a steep learning curve. Understanding all the features and abilities of UAG is a complex task that can be daunting even to experienced networking and security engineers. This book is the first to be dedicated solely to Microsoft Forefront UAG. It guides you step by step through all the stages of deployment, from design to troubleshooting. Written by experts who have taken part in the product's development, official training and support, this book covers all the primary features of UAG in a friendly style that is easy to follow. It takes you from the initial planning and design stage, through deployment and configuration, up to maintenance and troubleshooting. The book starts by introducing UAG's features and abilities, and how your organization can benefit from them. It then goes on to guide you through planning and designing the integration of the product into your own unique environment. Further, the book guides you through the process of publishing the various applications, servers and resources, from simple web applications to complex client/server based applications. It also details the various VPN technologies that UAG provides and how to take full advantage of them. The later chapters of the book walk you through common routine "upkeep" tasks such as monitoring, backup and troubleshooting of common issues. Finally, the book includes an introduction to ASP, on which some of the product's features are based, which can help the advanced administrator with enhancing and customizing the product.

Domain membership


An important consideration for UAG is whether to make the server a domain member or not. From a security perspective, the fewer connections the server has to other infrastructure, the better, so most organizations would prefer to run it as a stand-alone server (that is, a member of a workgroup). However, some UAG features and scenarios require domain membership. Also, even when it is not a domain member, UAG usually needs to grant its users access to the published applications based on the user's domain group membership. In that case, even though the server does not have to be a member, it does need the same kind of access to the domain that a member would need in order to authenticate the user. For example, free passage for the RPC (Remote Procedure Call) protocol between UAG and the domain controllers is necessary to let UAG query a user's group membership.
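To make the workgroup-versus-domain decision concrete, here is an added PowerShell check (example code written for this page, not from the book or from Microsoft): it reports whether the host is currently domain-joined and, if it is a workgroup member, tests whether the RPC endpoint mapper (TCP 135) on each domain controller is reachable from the UAG server. The domain controller names are assumed placeholders; replace them with your own. The TCP test uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also runs on the Windows Server 2008 R2 / PowerShell 2.0 hosts UAG 2010 is installed on.

```powershell
# Added example (not from the book): pre-deployment check for a UAG server that will
# stay in a workgroup but must still query Active Directory group membership over RPC.
# The domain controller names below are assumed placeholders.
$DomainControllers = @('dc1.example.local', 'dc2.example.local')

function Get-DomainMembershipStatus {
    # Win32_ComputerSystem reports whether the host is joined to a domain
    # and the name of its domain or workgroup.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    New-Object PSObject -Property @{
        ComputerName      = $cs.Name
        PartOfDomain      = $cs.PartOfDomain
        DomainOrWorkgroup = $cs.Domain
    }
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; works on PowerShell 2.0, which has
    # no Test-NetConnection cmdlet.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$status = Get-DomainMembershipStatus
$status | Format-List ComputerName, PartOfDomain, DomainOrWorkgroup

if (-not $status.PartOfDomain) {
    Write-Host "Workgroup member: checking RPC endpoint mapper (TCP 135) on each domain controller."
    foreach ($dc in $DomainControllers) {
        $ok = Test-TcpPort -ComputerName $dc -Port 135
        $state = if ($ok) { 'reachable' } else { 'BLOCKED' }
        Write-Host ("{0,-25} TCP/135 {1}" -f $dc, $state)
    }
} else {
    Write-Host "Domain member of $($status.DomainOrWorkgroup): group lookups use the machine's domain credentials."
}
```

Run it in an elevated PowerShell session on the prospective UAG server before installation. A BLOCKED result on TCP 135 means the firewall between the UAG host and that domain controller will also break group-membership lookups; note that the endpoint mapper only brokers the connection, so the dynamic RPC port range on the domain controllers must be permitted as well, which this check does not cover.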

As mentioned before, the following specific scenarios do require explicit domain membership:

  • ADFS

  • Publishing applications that use Kerberos Constrained Delegation (KCD) to authenticate users

  • Publishing the UAG File-Access application

  • DirectAccess

  • SSTP VPN

  • UAG Array

We will discuss these scenarios in further detail in Chapter 6, and Chapter 11. Please note that if your plan is to use this server for DirectAccess, then you might need to address some additional requirements. In that case, don't start the installation before reading Chapter 11.