Microsoft Forefront UAG 2010 Administrator's Handbook

By : Erez Ben-Ari, Ran Dolev, Erez Y Ben

Overview of this book

Microsoft Forefront Unified Access Gateway (UAG) is the latest in a line of Application Publishing (Reverse Proxy) and Remote Access (VPN) Server products. The broad set of features and technologies integrated into UAG makes for a steep learning curve. Understanding all the features and abilities of UAG is a complex task that can be daunting even to experienced networking and security engineers. This book is the first to be dedicated solely to Microsoft Forefront UAG. It guides you step-by-step through all the stages of deployment, from design to troubleshooting. Written by the absolute experts who have taken part in the product's development, official training and support, this book covers all the primary features of UAG in a friendly style and a manner that is easy to follow. It takes you from the initial planning and design stage, through deployment and configuration, up to maintenance and troubleshooting. The book starts by introducing UAG's features and abilities, and how your organization can benefit from them. It then goes on to guide you through planning and designing the integration of the product into your own unique environment. Further, the book guides you through the process of publishing the various applications, servers and resources, from simple web applications to complex client/server based applications. It also details the various VPN technologies that UAG provides and how to take full advantage of them. The later chapters of the book educate you on common routine "upkeep" tasks like monitoring, backup and troubleshooting of common issues. Finally, the book includes an introduction to ASP, which some of the product's features are based on, and can help the advanced administrator with enhancing and customizing the product.

Planning remote connectivity


UAG supports several types of remote connectivity that go beyond simple application publishing, and these sometimes require additional considerations. The first such scenario is, of course, DirectAccess, a.k.a. the VPN celebrity of 2010. DirectAccess configuration is pushed out to clients using Group Policy, so this has to be factored in as well. Just having a Group Policy active is not enough, of course. UAG will create the proper policy, but collateral policies may need to be adjusted. For example, the Windows Firewall service on each client needs to be running, because the IPsec connection security rules that DirectAccess depends on are enforced by that service (the firewall profiles themselves can be turned off). If your organization's Group Policy turns the firewall off, check whether it also stops or disables the service; if it does, you will have to go in and change that.

Another consideration for DirectAccess is the need for a digital certificate infrastructure, also known as PKI (Public Key Infrastructure), to satisfy the authentication requirements of the IPsec tunnels that DirectAccess is built on. The UAG servers need certificates issued for their public hostnames, and the Certificate Authority (CA) that issued them needs to be trusted by the clients. Client computers, in turn, need computer certificates that the UAG server trusts, since IPsec authenticates both ends of the tunnel. In fact, each client computer will have to connect to the corporate network at least once to obtain the DirectAccess Group Policy, so if you were counting on sending out an email with instructions and going home early, think again. We will discuss DirectAccess in more detail in Chapter 11.
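The two planning points above (a running firewall service and a Group Policy plus certificate chain the client actually trusts) are easy to verify before a pilot. The following pre-flight script is an added example, not code from the book or from UAG; it assumes a domain-joined Windows 7 client, an elevated prompt, and uses 'da.contoso.com' as a placeholder for your UAG public hostname.

```powershell
# Added example, not taken from the book: DirectAccess client pre-flight check.
# Run in an elevated PowerShell prompt on a domain-joined Windows 7 client.
$PublicHostname = 'da.contoso.com'   # assumption: your UAG IP-HTTPS public FQDN

# --- 1. Windows Firewall service -------------------------------------------
# DirectAccess relies on IPsec connection security rules enforced by the
# Windows Firewall service (MpsSvc). Profiles may be "Off", but the service
# must be running and must not be disabled (for example by a GPO).
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MpsSvc'"
if ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled') {
    Write-Warning ("Windows Firewall service is {0} (start mode {1}); DirectAccess needs it running." -f $svc.State, $svc.StartMode)
} else {
    Write-Host "OK: Windows Firewall service is running (start mode $($svc.StartMode))."
}

# --- 2. Has the DirectAccess client Group Policy been applied? --------------
# The client GPO populates the Name Resolution Policy Table (NRPT); Group
# Policy writes it under this key. No key means the policy has not arrived,
# typically because the machine has not been on the LAN since the GPO was made.
$nrptKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
if (Test-Path $nrptKey) {
    $rules = @(Get-ChildItem $nrptKey).Count
    Write-Host "OK: NRPT policy present ($rules rule(s)). Details: netsh namespace show policy"
} else {
    Write-Warning 'No NRPT policy found; connect to the corporate network and run gpupdate /force.'
}

# --- 3. Is the UAG public certificate trusted from this client? -------------
# A TLS handshake to the IP-HTTPS listener. SslStream's default validation
# fails if the chain is untrusted or the name does not match, which is exactly
# what the client will experience when it tries to bring up IP-HTTPS.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($PublicHostname, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($PublicHostname)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host ("OK: certificate trusted. Subject={0}; Issuer={1}; Expires={2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter)
} catch {
    # AuthenticationException = chain not trusted or name mismatch;
    # SocketException = host/port not reachable from here.
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }
    Write-Warning ("IP-HTTPS check failed for {0}: {1} - {2}" -f $PublicHostname, $ex.GetType().Name, $ex.Message)
} finally {
    $tcp.Close()
}

# --- 4. Current IP-HTTPS interface state, as the client sees it ------------
netsh interface httpstunnel show interfaces
```

Run it once on the LAN (step 2 should pass) and once from outside (step 3 should pass); a failure in step 3 from outside with a success on the LAN usually points at a CA the client does not trust or a certificate issued for a name other than the public hostname.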

Another way of providing remote connectivity with UAG is SSL Network Tunneling, formerly known as Network Connector, and its successor, SSTP (Secure Socket Tunneling Protocol). Network Connector has been around for ages, and as such it has some limitations, the most important being that it does not support Windows 7 clients. SSTP does support Windows 7, which makes it the suitable solution for those scenarios. SSL Network Tunneling is not difficult to configure, but it does require careful planning of the IP address and network configuration assigned to clients, as well as of the split-tunneling mode. You will have to configure SSL Network Tunneling with an IP pool that does not overlap with the ranges already used on your network. You can also assign a specific IP range and networking configuration so as to control which servers connecting clients may reach. For example, you might decide that connecting clients should be able to RDP to their own corporate computers from home, but not to the corporate servers, or the other way around.

You could also decide to set your NC clients to non-split-tunneling mode, which routes their connections to Internet servers through the corporate network instead of directly through their local ISP. The advantages and disadvantages of each of those modes will be discussed in Chapter 5.

SSTP's configuration is somewhat similar to NC's, although SSTP can be used by Windows 7 clients, which NC cannot. Many companies will have to set up both an NC option and an SSTP one to cover all their clients. SSTP is a little simpler to plan and configure: you simply enable it and set a range of IP addresses for connecting clients. In non-array scenarios you can even have the IPs assigned from DHCP, which is probably the most convenient option for almost everybody.
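Planning the pools described in the last three paragraphs (Network Connector and SSTP) comes down to making sure no assigned range collides with a corporate subnet or with another pool. The script below is an added example, not from the book or from UAG; it accepts ranges in either CIDR or first-last notation, and every subnet and pool in it is a constructed sample value.

```powershell
# Added example, not from the book: overlap check for planned VPN client pools
# (Network Connector and SSTP) against corporate subnets and against each other.
# All subnets and pools below are constructed sample values.

function ConvertTo-UInt32 ([string]$Ip) {
    # Dotted-quad IPv4 address -> unsigned 32-bit integer.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)      # network byte order -> host order for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Get-RangeBounds ([string]$Spec) {
    # Accepts 'a.b.c.d/nn' (CIDR) or 'a.b.c.d-w.x.y.z' (explicit range) and
    # returns first/last address as UInt64 so the arithmetic cannot overflow.
    if ($Spec -match '^([\d.]+)/(\d+)$') {
        $base  = [uint64](ConvertTo-UInt32 $matches[1])
        $size  = [uint64][Math]::Pow(2, 32 - [int]$matches[2])
        $start = $base - ($base % $size)         # align to the network boundary
        return @{ Start = $start; End = $start + $size - 1 }
    }
    if ($Spec -match '^([\d.]+)-([\d.]+)$') {
        $start = [uint64](ConvertTo-UInt32 $matches[1])
        $end   = [uint64](ConvertTo-UInt32 $matches[2])
        if ($start -gt $end) { throw "Range '$Spec' is reversed." }
        return @{ Start = $start; End = $end }
    }
    throw "Unrecognised range '$Spec'; use CIDR or first-last notation."
}

# Constructed planning input: existing subnets (Pool = $false) and the
# client pools you intend to hand out (Pool = $true).
$ranges = @(
    @{ Name = 'Corporate LAN';          Spec = '10.0.0.0/16';              Pool = $false },
    @{ Name = 'Branch LAN';             Spec = '192.168.10.0/24';          Pool = $false },
    @{ Name = 'Network Connector pool'; Spec = '10.0.200.1-10.0.200.254';  Pool = $true  },
    @{ Name = 'SSTP static pool';       Spec = '172.16.50.0/24';           Pool = $true  }
)
foreach ($r in $ranges) {
    $b = Get-RangeBounds $r.Spec
    $r.Start = $b.Start
    $r.End   = $b.End
}

# Two ranges overlap when each one starts before the other ends.
$problems = 0
foreach ($pool in ($ranges | Where-Object { $_.Pool })) {
    foreach ($other in ($ranges | Where-Object { $_.Name -ne $pool.Name })) {
        if ($pool.Start -le $other.End -and $other.Start -le $pool.End) {
            Write-Warning ("{0} ({1}) overlaps {2} ({3})" -f $pool.Name, $pool.Spec, $other.Name, $other.Spec)
            $problems++
        }
    }
}
if ($problems -eq 0) { Write-Host 'OK: no overlapping ranges.' }
```

With the sample values, the Network Connector pool is flagged because 10.0.200.x falls inside 10.0.0.0/16, while the SSTP pool passes; swap in your own subnets (including any DHCP scopes SSTP might draw from in a non-array deployment) before you commit to a range in the UAG console.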

Chapter 5, which discusses remote connectivity, will also cover topics that are not categorized as VPN but are still more related to connectivity than to simple application publishing. Of these technologies, File Access and Drive Mapping are worth noting, as they pose additional requirements and considerations. File Access allows connecting clients to browse network shares, retrieve and save files, and more. Drive Mapping maps a server's share as a temporary network drive, letting the user retrieve data from places like their own folder on the company's file server or from generally available network shares. Both, however, require that the UAG server itself has access to the shares. This is not about file-level permissions, but about ports and protocols: File Access and Drive Mapping use RPC, which hands out dynamic ports after the initial contact with the endpoint mapper, so you may need special routing, firewall rules and IP configuration if an internal firewall or load balancer sits between UAG and the file servers.
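Before publishing File Access or Drive Mapping, confirm from the UAG server that the file server is reachable on the ports involved, and not just on the well-known ones: the RPC dynamic range is what an internal firewall most often blocks. This is an added example, not from the book or from UAG; 'fs01.corp.contoso.com' is a placeholder for your file server, and the port list is the one I would check for SMB share access plus RPC.

```powershell
# Added example, not from the book: run on the UAG server to verify the
# network path that File Access and Drive Mapping need to a file server.
$FileServer = 'fs01.corp.contoso.com'   # assumption: your internal file server

function Test-TcpPort ([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000) {
    # $true if a TCP handshake to $ComputerName:$Port completes within the timeout.
    # Uses TcpClient directly so it works on Windows Server 2008 R2 (no Test-NetConnection).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Well-known ports: SMB for the share traffic itself, 135 for the RPC
# endpoint mapper that every RPC client contacts first.
$ports = @{
    135 = 'RPC endpoint mapper'
    139 = 'NetBIOS session (SMB over NetBT)'
    445 = 'SMB (direct hosted)'
}
foreach ($port in ($ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -ComputerName $FileServer -Port $port) { 'open' } else { 'BLOCKED' }
    Write-Host ("{0,5}  {1,-35} {2}" -f $port, $ports[$port], $state)
}

# After port 135, the RPC client is told to connect to a port in the server's
# dynamic range: 49152-65535 by default on Windows Server 2008/2008 R2,
# 1025-5000 on Windows Server 2003. Any firewall or load balancer between UAG
# and the file server must allow that range too. To see what the file server
# actually uses, run on the file server:
#     netsh interface ipv4 show dynamicport tcp
# A remote WMI query exercises the whole path from here (135, then a dynamic
# port), so success proves the range is reachable, not just the mapper.
try {
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $FileServer -ErrorAction Stop
    Write-Host ("OK: RPC/DCOM path works; {0} share(s) visible on {1}." -f @($shares).Count, $FileServer)
} catch {
    Write-Warning ("RPC/DCOM to {0} failed: {1}" -f $FileServer, $_.Exception.Message)
}
```

If 135 and 445 show open but the WMI query fails with an RPC error, the dynamic range is the likely culprit; either open it on the intervening device or, as the planning section suggests, give UAG a route to the file servers that bypasses it.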