Microsoft Forefront UAG 2010 Administrator's Handbook
By Erez Ben-Ari and Ran Dolev
About this ebook
Microsoft Forefront Unified Access Gateway (UAG) is the latest in a line of Application Publishing (Reverse Proxy) and Remote Access (VPN) Server products. The broad set of features and technologies integrated into UAG makes for a steep learning curve. Understanding all the features and abilities of UAG is a complex task that can be daunting even to experienced networking and security engineers.
This book is the first to be dedicated solely to Microsoft Forefront UAG. It guides you step-by-step through all the stages of deployment, from design to troubleshooting. Written by the absolute experts who have taken part in the product's development, official training and support, this book covers all the primary features of UAG in a friendly style and a manner that is easy to follow. It takes you from the initial planning and design stage, through deployment and configuration, up to maintenance and troubleshooting.
The book starts by introducing UAG's features and abilities, and how your organization can benefit from them. It then goes on to guide you through planning and designing the integration of the product into your own unique environment. Further, the book guides you through the process of publishing the various applications, servers and resources - from simple web applications to complex client/server based applications. It also details the various VPN technologies that UAG provides and how to take full advantage of them. The later chapters of the book educate you with common routine "upkeep" tasks like monitoring, backup and troubleshooting of common issues. Finally, the book includes an introduction to ASP, which some of the product's features are based on, and can help the advanced administrator with enhancing and customizing the product.
Explore Microsoft Forefront Unified Access Gateway's wide range of features and abilities to publish applications to remote users or partners, and provide remote-access to your network with world-class security.
Approach
This book is a hands-on guide, describing concepts, ideas and terminology related to UAG and related technologies. The book starts with a discussion of terms that UAG technology is based on, and proceeds with step-by-step guidance for performing the various tasks related to UAG's core features. Each topic is preceded by a discussion of considerations that the administrator and the organization need to go through to prepare for the task at hand, and includes plenty of screenshots illustrating what the administrator should expect to see on-screen, with real-life examples of configuration options.
Who this book is for
If you are a Networking or Security engineer who intends to integrate UAG into the organization network, then this book is for you. You need no experience with UAG or its predecessors, though basic understanding of Networking and Windows Server management and engineering is required. Experience with security systems like Firewalls would also help you to better understand some of the topics covered by this book.
Erez Ben-Ari
Erez Ben-Ari is a long time Technologist and Journalist, and has worked in the Information Technology industry since 1991. During his career, Erez has provided security consulting and analysis services for some of the leading companies and organizations in the world, including Intel, IBM, Amdocs, CA, HP, NDS, Sun Microsystems, Oracle and many others. His work has gained national fame in Israel, and he has been featured in the press regularly. Having joined Microsoft in 2000, Erez has worked for many years in Microsoft's Development Center in Israel, where Microsoft's ISA Server was developed. Being a part of the release of ISA 2000, ISA 2004 and ISA 2006, Erez held several roles, including Operation engineering, Software testing, Web-based software design and testing automation design. Now living in the United States, Erez still works for Microsoft, currently as a senior support escalation engineer for UAG. Erez is also the author of the successful "Microsoft Forefront UAG 2010 Administrator's Handbook", and the book "Mastering Microsoft Forefront UAG customizations", both published by Packt. Both books have been extremely popular with customers, and both received 5-star reviews on Amazon.
Book preview
Microsoft Forefront UAG 2010 Administrator's Handbook - Erez Ben-Ari
Table of Contents
Microsoft Forefront UAG 2010 Administrator's Handbook
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Instant Updates on New Packt Books
Preface
What this book covers
What you need for this book
Who this book is for
UAG versus IAG
What's in the box?
Conventions
Reader feedback
Errata
Piracy
Questions
1. Planning Your Deployment
Basic principles
How UAG works
Software requirements
Hardware requirements
Considerations for placing the server
Planning the networking infrastructure
Domain membership
Planning remote connectivity
Load balancing and high availability
Choosing clients
From test to production
Tips for a successful deployment
Deployment checklist
Do's and Don'ts for a successful deployment
Summary
2. Installing UAG
What the installation contains
Service Packs and updates
Preparing your server
Pre-installation checklist
Preparing the installation files
Installation
Verifying the installation
Running the Getting Started Wizard
Applying updates or Service Packs
Common issues during installation
Post installation issues
Summary
3. UAG Building Blocks
What are trunks and applications?
Types of trunks
Types of applications
Built-in services
Web applications
Client/Server and Legacy
Browser-embedded applications
Terminal Services (TS) / Remote Desktop Services (RDS)
What is URL signing and how does it work?
Designing your trunks, applications, and nesting
Some common applications and the appropriate templates
DNS name resolution
Preparing for an HTTPS trunk
Asymmetric encryption
Digital certificates
Creating an HTTPS trunk
Publishing an HTTP trunk
What happens when you add a trunk?
Summary
4. Publishing Web Applications
The four steps to application publishing
Application specific hostname applications versus Portal hostname applications
The Add Application Wizard
Application order
Considerations for Exchange publishing
Considerations for SharePoint publishing
Different internal and external names
Same internal and external FQDN names but different protocols
Same internal and external names and protocols
Sharepoint and IE security enhancements
What is the Active Directory Federation Services 2.0 application?
Certificate validation for published web servers
Did you remember to activate?
Summary
5. Advanced Applications and Services
Advanced application types
Remote connectivity
Configuring browser embedded applications
Configuring client/server applications
Enhanced Generic Client Applications
Enhanced HAT
Generic HTTP Proxy Enabled Client Application
Generic SOCKS Enabled Client Application
Citrix Program Neighborhood (Direct)
Outlook (corporate/workgroup mode)
SSL Application Tunneling component automatic disconnection
Local Drive Mapping
Remote Network Access
SSL Network Tunneling (Network Connector)
Planning for Network Connector
Adding Network Connector to the portal
Configuring the Network Connector server
Activating and testing the Network Connector
Network Connector disconnecting?
SSTP
Remote Desktop applications
Remote Desktop RDG templates
Remote Desktop—predefined and user defined
Remote Desktop considerations
File Access
Preparing to Publish File Access
Configuring File Access Domains, Servers, and Shares
Using File Access
More fun with File Access
Summary
6. Authenticating and Controlling Access
UAG session and authentication concepts
The basic authentication flow
Trunk level authentication settings
Authentication servers
RADIUS
RSA SecurID
WinHTTP
Authentication server of the type Other
Smart card/client certificate authentication
Special handling for MS Office Rich Clients
Application level authentication settings
Handling form based authentication to backend applications
Kerberos constrained delegation
Application authorization settings
Local groups
AD FS 2.0
Requirements and limitations for AD FS 2.0 in UAG
Configuring the AD FS 2.0 authentication server in UAG
Additional configuration steps on the AD FS 2.0 server
Summary
7. Configuring UAG Clients
What are the client components?
Endpoint detection
SSL Application Tunneling component
Socket Forwarding
SSL Network Tunneling component
Endpoint Session Cleanup component
Supported platforms
Installing and uninstalling the client components
Preemptive installation of the components
Checking the client components version
The trusted sites list
Don't need the Client components?
Summary
8. Endpoint Policies
What endpoint policies can do and how they work?
How it works?
Endpoint policies access type
Platform specific policies
Assigning endpoint policies
Built-in policies
Choosing or designing the appropriate policies for your organization
Creating policies using the policy editor
Editing policies in script mode
Configuring upload and download settings
Identify by URL
Identify by extension
Identify by size
Configuring restricted zone settings
Certified Endpoints
Integration with Network Access Protection
How does NAP work?
Configuring UAG to use NAP
Summary
9. Server Maintenance and Upkeep
Who needs monitoring?
The UAG activation monitor
The UAG Web Monitor
Monitoring sessions
General
Applications
Endpoint Information
Parameters
Session Statistics
Monitoring applications and users
Monitoring server farms
Monitoring server array members
Event Viewer
Event Query
Configuring UAG event logging
Queue and report size
Built-in
RADIUS and Syslog
UAG services
UAG and the System Event Log
Publishing the UAG Web Monitor
Live Monitoring using TMG
The Windows Performance Monitor
Running a server trace
Updating the server with Windows Updates
Updating the server with UAG updates
Other updates
Antivirus on the server and other tools
Backing up UAG
Restoring UAG (to itself, and to other servers)
Summary
10. Advanced Configuration
Basic trunk configuration
Advanced configuration overview
The General tab
The Authentication tab
The Session tab
The Application Customization tab
The Portal tab
The URL Inspection tab
Global URL Settings and URL Set tabs
Rule editing and modification
NLB and Arrays
Adding load balancing into the mix
Putting it all together
Summary
11. DirectAccess
What's in it for me?
A little bit of history
How does DirectAccess work?
IPSec and its tunnels
IPv6—what's the big deal?
Hardware considerations
Connecting your server to the Internet
The Network Location Server
More infrastructure considerations
Client connection modes
Setting up the IP-HTTPS public site
DirectAccess name resolution
ISATAP, DNS64, and NAT64
Tunneling mode
DirectAccess Connectivity Assistant
Putting it all together
Wizard Rime
Client and GPO configuration
The DirectAccess Connectivity Assistant
DirectAccess Server configuration
Infrastructure Servers configuration
End-to-End Access configuration
Keeping an eye on the server
Trouble?
Removing DirectAccess
Setup and configuration errors
Whose fault is it?
DCA to the rescue
Server related issues
Client side issues
Transition technology issues
Advanced troubleshooting
Additional resources
Summary
12. Troubleshooting
Whodunnit?
Administrative errors
File Access
SSL Network Tunneling
Certificate problems during activation
Backup and restore
Updating the server
Portal and Trunk issues
Application issues
Common application publishing mishaps
Blocking uploads and downloads
URL limits
Server Performance
Other optimizations
SharePoint issues
SSL tunneling
SSTP
Other server and application issues
Client issues
Client misbehavior
RDS client issues
Misc client issues
Customization issues
General errors
Tracing problems
What's next?
Summary
A. Introduction to RegEx
Why do I need this?
What are Regular Expressions?
The UAG RegEx syntax
Literals
Special characters
B. Introduction to ASP
What is ASP, and how does it work?
What can you do with it?
Getting started with ASP
Putting the pieces together
Some more ASP principles
No one likes to repeat himself
So, what's in it for me?
Index
Microsoft Forefront UAG 2010 Administrator's Handbook
Copyright © 2011 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: January 2011
Production Reference: 1170111
Published by Packt Publishing Ltd.
32 Lincoln Road
Olton
Birmingham, B27 6PA, UK.
ISBN 978-1-849681-62-9
www.packtpub.com
Cover Image by Tina Negus (<tina_manthorpe@sky.com>)
Credits
Authors
Erez Ben-Ari
Ran Dolev
Reviewers
Ben Bernstein
Dennis E. Lee
Dominik Zemp
Acquisition Editor
Stephanie Moss
Development Editors
Rukhsana Khambatta
Mayuri Kokate
Technical Editor
Arani Roy
Indexers
Monica Ajmera Mehta
Rekha Nair
Editorial Team Leader
Gagandeep Singh
Project Team Leader
Ashwin Shetty
Project Coordinator
Poorvi Nair
Proofreaders
Lesley Harrison
Kevin McGowan
Graphics
Geetanjali Sawant
Production Coordinator
Shantanu Zagade
Cover Work
Shantanu Zagade
About the Authors
Erez Ben-Ari is a long time technologist and journalist, and has worked in the information technology industry since 1991. During his career, Erez has provided security consulting and analysis services for some of the leading companies and organizations in the world; including Intel, IBM, Amdocs, CA, HP, NDS, Sun Microsystems, Oracle, and many others. His work has gained national fame in Israel, and he has been featured in the press regularly. Having joined Microsoft in 2000, Erez has worked for many years in Microsoft's Development Center in Israel, where Microsoft's ISA Server was developed. Being a part of the release of ISA 2000, ISA 2004, and ISA 2006, he held several roles, including Operation engineering, Software testing, Web-based software design, and testing automation design. Now living in the United States, Erez still works for Microsoft, currently as a senior support engineer for UAG.
As a writer, Erez has been a journalist since 1995, and has written for some of the leading publications in Israel and in the United States. He has been a member of the Israeli National Press Office since 2001, and his personal blogs are read by thousands of visitors per month. Erez has also written, produced, and edited content for TV and radio, working for Israel's TV Channel 2, Ananey Communications, Radio Haifa, and other venues.
Most recently, Erez has completed his work on a courseware book titled Planning, deploying, and managing Microsoft Forefront Threat Management Gateway 2010, in collaboration with several other authors.
Ran Dolev is a veteran of network security and SSL VPN industries. Ran has worked with the UAG product for more than twelve years, since the product's inception at the start-up company Whale Communications in 1998, where Ran was the first full-time developer of the product. After several years he moved to a services position as the EMEA Professional Services Manager for the team. In this role he has designed and delivered numerous IAG and UAG training sessions in North America, Europe, Middle East, Asia, and Australia, to customers, partners, and Microsoft employees. Ran also provides consulting and deployment services for many of Microsoft's enterprise UAG customers.
About the Reviewers
Ben Bernstein is a senior program manager with the Microsoft UAG DirectAccess development team. Ben has worked for Microsoft since 2001, and has held several software development and leadership positions. During his time with Microsoft, Ben has been deeply involved with the development of many of Microsoft's security product suites, including ISA 2004, ISA 2006, TMG, and UAG. Ben often speaks at conferences and public events related to information security and holds BA and MBA degrees from The Interdisciplinary Center and the Technion Institute in Israel.
Dennis E. Lee is a noted network security expert specializing in Microsoft Forefront Security products. His journey in technology began as soon as he was able to take apart his old electronic toys. Self-taught in the art of web design, he used the Internet as a forum to foster discussion on topics such as computer self-help, graphic design, and programming. That led him into network security in which he actively attends community events and contributes to many different forums and blogs. As a consultant for Celestix Networks, Inc., Dennis travels the globe designing security solutions for organizations of all sizes. Whether it's a startup or global organization, he thrives on the opportunity to help the world do its job better. Checking out the local cuisine in all the places he visits is cool too. He wants you to read this book because while he enjoys traveling, it's unlikely that he'll be able to get to everyone in the world and believes that this book will guide you on how to build the most secure remote access solution using UAG.
Thank you to Sally, my colleagues at Celestix Networks and the people at Microsoft for sharing my passion of working with great products.
Dominik Zemp is a technical solutions specialist for Microsoft's security solutions and has worked in the security market since 2004. He is going to graduate in February 2011 from Lucerne University of Applied Sciences and Arts with a Bachelor's degree in Information Technology, with a specialization in Software Systems. He has served as network engineer, system engineer, and security consultant. He uses Microsoft's Forefront and security products on a daily basis and specializes in Microsoft's Identity and Access Management solutions such as Forefront Unified Access Gateway 2010.
www.PacktPub.com
Support files, eBooks, discount offers and more
You might want to visit www.PacktPub.com for support files and downloads related to your book.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
http://PacktLib.PacktPub.com
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.
Why Subscribe?
Fully searchable across every book published by Packt
Copy and paste, print and bookmark content
On demand and accessible via web browser
Free Access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.
Instant Updates on New Packt Books
Get notified! Find out when new books are published by following @PacktEnterprise on Twitter, or the Packt Enterprise Facebook page.
Dedicated to my wife, Paula, who forgave me for locking myself up in my study for so many months while writing this book, and to my son, Sol, who, despite just being born, kept quiet and let me do this.
— Erez Ben-Ari
I dedicate this to the memory of my father, Dan Costescu, writer, novelist, journalist, newspaper founder and editor, who used writing to fight from exile for justice and for a better life for his fellow countrymen. I miss you, Dad!
— Ran Dolev
Preface
The Israeli department of defence has one of the strictest information security guidelines in the world, and a part of these guidelines is the requirement to have complete physical separation between the public and internal networks. A regular firewall just won't do, and this requirement gave birth to the concept of the Air-Gap, a revolutionary product for its time. The Air-Gap and e-Gap products used a physical switch that enabled the transfer of data from one network to the other, but still kept them physically disconnected. One might think of this like a shuttle transferring passengers from one land-mass to another. Whether this is more secure than advanced software-based firewalls can be debated, but the product did meet the guidelines and became very successful in Israel.
Building on this success, Whale Communications distributed the e-Gap appliance throughout the world, and continued its development. In 2006, Whale Communications was purchased by Microsoft, and the next version, named Intelligent Application Gateway or IAG, had similar capabilities, but replaced the physical switch and the dual-server design with a software firewall—Microsoft's ISA 2006 server.
The success of IAG led, of course, to the next version—UAG, short for Unified Access Gateway. UAG has some new capabilities although fundamentally it is very similar to its predecessor, IAG. Like IAG, UAG combines two major functions:
Application publishing (also known as reverse proxy)
VPN server
For those who are familiar with proxy servers, a reverse proxy does exactly the opposite. A proxy sits at the edge of an organization's network, and fetches data from the Internet for the employees inside the network. A reverse proxy also sits at the edge, but fetches data from within the internal network, and delivers it to people connecting from outside. This allows employees to be away from the office, at their home or on the road, but still have access to the sensitive organization applications in a way that's easy to use, but secure at the same time.
For those who are not familiar with the concept of a VPN—Virtual Private Network, this is a common way to let employees connect to the internal network remotely. Many products on the market provide VPN services including the built-in Windows service RRAS. However, using a reverse proxy instead allows quicker and easier access. Using a VPN service requires the end user to create configurations that may be complicated and are often not very secure. For example, an employee that uses his own home computer to connect to the organization's network may be sharing the same computer with his family, and that computer could be home to a virus zoo, or be exposed to external penetration via an unsecured Wi-Fi home network. If the computer is a laptop, it could potentially be stolen or lost, allowing the thief or finder to connect to the internal network and compromise it.
UAG's feature-set offers solutions to these problems using advanced features. The reverse-proxy side of the house allows easy access through most modern web browsers, with no configuration required by the user. The user simply types in the designated URL, waits for the special client components to be installed automatically, and after a simple log-on, they can run the organization's web-based applications. While almost all firewalls offer the ability to do simple server publishing, using a reverse proxy is more secure. The reason is that a firewall, even one that does stateful inspection, only passes data back and forth between the internal server and the client. A reverse proxy, on the other hand, stands in for the internal server. The client is talking to the proxy, which impersonates the internal server. Even if the proxy is successfully attacked and taken down, the internal server is never touched, and service is not interrupted.
Unfortunately, the reverse proxy service is only usable for Web-based applications. It's good for things such as Outlook Web Access and SharePoint, but many other applications require more complicated TCP/IP traffic. A good example is RDP, which works on port 3389, and cannot be simply reverse proxied. For that reason, the original e-Gap server included a feature called SSL-VPN, which has been expanded to a full range of VPN options with UAG. VPN allows pretty much any networked application to connect to internal servers by simulating a full network connection to the corporate network. Originally, e-Gap and IAG offered a VPN connection which was encrypted using SSL (Secure Socket Layer) and offered better security than many of the VPN products that existed in the market at the time. With UAG, SSL-VPN is still included, but also with several other options, most notable of which is DirectAccess. DirectAccess was originally developed to be integrated into the Windows Server 2008 R2 and Windows 7 Client platform, but the integration of this technology with UAG adds several additional security mechanisms that make for an easier and more secure deployment.
Using DirectAccess (frequently referred to as DA) with UAG includes several components that allow for a better integration with networks that are based on the IPv4 protocol, and also includes very advanced endpoint security, which has been a strong selling point for IAG and e-Gap for many years. UAG's endpoint security allows an administrator to enforce certain security policies by preventing client computers that do not meet these policies from connecting, or from accessing specific applications. These policies can include, for example, the requirement to have an antivirus product installed on the computer as a condition for allowing a connection. A policy can be even more granular and require a specific AV product, and even check when the AV definitions were last updated on the client. In fact, an advanced administrator can even write his own policy using VBScript to obtain the utmost granular control, down to the registry-key level.
What this book covers
Chapter 1, Planning Your Deployment, will cover the hardware and software requirements for using UAG, and what needs to be planned before purchasing the product, such as Load Balancers, client-support (PC, Mac, and Linux), and so on.
Chapter 2, Installing UAG, will cover the required steps to prepare and install UAG. We will discuss the critical settings you will need to configure before the installation and how to prepare the server for it, and then we will go through the setup process step-by-step. Finally, we will review how to verify that the installation went successfully and learn how to handle some common issues we might face.
Chapter 3, Trunk Types and Uses, will cover UAG's building blocks—trunks and applications. We will review the various types of each, what they are used for, and how to create them. We will not cover specific application publishing, but we will introduce some of the concepts that make the whole thing tick.
Chapter 4, Publishing Web Applications, will cover web applications and how to publish them, including focusing on the most popular applications types—SharePoint and Exchange.
Chapter 5, Advanced Applications and Services, will review the various applications, how to choose the appropriate templates, and how to configure them. We will also discuss in detail some of the additional built-in applications, and briefly introduce DirectAccess.
Chapter 6, Authenticating and Controlling Access, will explain the various types of authentication that UAG can use with Windows servers and third party servers. The chapter will also talk about managing user access to applications and trunks (authorization).
Chapter 7, Configuring UAG Clients, will cover UAG's client components. The client components are what the end-user sees, and they control the user's access to the portal and applications, so it's very important to understand how they work, and what they can and cannot do.
Chapter 8, Endpoint Policies, discusses endpoint policies—how they can be used to provide high security, how to configure them, and how to manage them.
Chapter 9, Server Maintenance and Upkeep, will cover ways to keep an eye on the server using built-in tools such as the Web Monitor, the Event Log, and the TMG live monitoring console. It will also discuss keeping the server in top shape by performance monitoring, applying patches, updates and service packs, and performing backups.
Chapter 10, Advanced Configuration, will discuss the Advanced Trunk Configuration, which allows the admin to control various aspects of the portal behavior and special-functions.
Chapter 11, DirectAccess, will introduce the admin to various DA related concepts such as IPv6, Teredo, IPHTTPS, DNS64, and NAT64. It will then detail how to configure DA in various scenarios.
Chapter 12, Troubleshooting, will discuss common problems and how to address them, as well as more generic troubleshooting concepts and technologies such as Netmon and PerfMon. The chapter will also offer a collection of external resources, such as blogs, wikis, and articles.
Appendix A, Introduction to RegEx, introduces us to Regular Expressions and the UAG RegEx syntax.
Appendix B, Introduction to ASP, gives a short introduction to ASP programming. Since UAG has quite a bit of web-based user interface, knowing a little about ASP and how it works will allow you to customize it to some degree.
What you need for this book
You will need Microsoft Forefront Unified Access Gateway (UAG) with Update 1 for this book. UAG is offered to the public in two distinct distributions. A company can choose to purchase the product in the form of an appliance, or as a downloadable ISO image file, which can be burned to DVD or mounted on a virtual DVD drive. UAG is a server product, and can only be installed on Windows Server 2008 R2 or later; therefore the hardware requirements are combined with those of R2. The primary requirement for R2 is having a 64 bit processor and 32 GB of free disk space. UAG's minimum requirements are that the processor is a dual-core one running at 2.66 GHz or faster, and that the system has 4 GB of memory, and an extra 2.5 GB of disk space.
Who this book is for
This book is intended for IT Personnel, Network Engineers, System Engineers, System Administrators, and Security Engineers who are planning to implement UAG in their organization, or have already implemented it and want to discover more about the product's abilities and how to use them effectively. To properly use the book, you should have some understanding of IT and networking technologies and terminology, such as IP, DNS, Ethernet, Web Server, and VPN. Programming knowledge is not required; though it might be of benefit for advanced customization techniques that are supported by UAG, this is not within the scope of this book. The book also requires fundamental understanding of Microsoft technologies and systems, such as Windows and Internet Explorer. For some chapters, understanding of more advanced concepts may be needed, such as SSL, Firewalls, IPv6, Adv. TCP/IP, XML, and HTML.
UAG versus IAG
As mentioned before, the basic functionality of the product from IAG to UAG has not changed much. UAG adds some broader functionality for newer applications, and support for more modern VPN technologies. The application publishing that was a part of IAG is mostly still here, with some updates to the user-interface, and some new application templates like Exchange 2010 and RemoteApp publishing. The SSL Wrapper and Network Connector are also still here, but SSTP (Secure Socket Tunneling Protocol) and DA (DirectAccess) are now also included. The client components have gone through some improvements as well, and now support Windows 7, Internet Explorer 8, and several 64 bit operating systems. The user interface has gone through a nice face-lift, both on the server side and client-side (the look and feel of the portal).
A significant change in UAG compared to the previous generations is the availability of UAG as installable software. IAG has been traditionally available as a hardware appliance, and recently as a virtual-appliance (a VHD file that can be run on Hyper-V or other virtualization products), but with UAG, an administrator can now install the product on any server he wishes to (assuming, of course, it meets the specifications for the minimum hardware support and for running Windows Server 2008 R2). This makes UAG much more readily available, and far easier to integrate into complex enterprise environments, reducing the total cost of ownership (TCO) for IT resources.
Another improvement added to UAG over IAG is the built-in support for arrays, and integration with Windows NLB (Network Load Balancing). In the past, integration of IAG was only possible with third-party load balancing solutions, and even then, it was somewhat limited, as administrators had to manually mirror the configuration between servers, and repeat the manual sync whenever a change was required. With UAG's built-in array management functionality, an administrator can build a cluster of up to eight UAG servers. If using an array, it can be load balanced using external load balancers, or integrated with Windows NLB.
Another notable addition to the functionality of UAG is the integration with NAP (Network Access Protection), which provides an extensive platform for maintaining endpoint health and sanity that goes beyond even the native endpoint policy management that IAG had. For example, NAP continually monitors the client's health and can respond to changes even during a session. It can also direct a client to an update server or other remediation server, so the client can address the health issues and reconnect, rather than just getting blocked from access.
From the management side of the house, UAG now allows the server administrator more control over logging and monitoring of user activity. This is achieved by enabling logging to SQL, which allows for better performance and easier analysis of logged data, and creating highly customized reports.
What's in the box?
Just like IAG included ISA 2006 as its built-in firewall, UAG similarly includes Forefront TMG (Threat Management Gateway) 2010, which is the latest incarnation of Microsoft's highly regarded firewall server. TMG is automatically installed as a part of the UAG setup process, and once in place, protects the server from the outside world using its well known stateful inspection engine. Although it's tempting to think of this as two products in one, in reality, the use of TMG is somewhat limited, because it's controlled by UAG. Whenever the UAG configuration is changed and activated, UAG pushes various configuration elements and rules directly into TMG's configuration containers, and these might override or conflict with manual configuration done by the administrator. This poses some security risk; such manual configuration may unintentionally expose the server to outside threats. The same goes for IIS (Internet Information Services), which is a part of Windows Server. To perform its reverse-proxy functionality, UAG pushes various configurations directly into IIS, and changing IIS's configuration manually puts it at risk of a conflict or vulnerability which could jeopardize the entire server. For this reason, Microsoft recommends against attempting to leverage a UAG server for additional functions within organizations, and does not support this.
Conventions
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: but you can also use the command gpupdate /force, which forces the computer to update its group policy right away.
Any command-line input or output is written as follows:
auditpol.exe /set /SubCategory:"IPsec Main Mode","IPsec Extended Mode" /success:enable /failure:enable
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: To do so, open Administrative Tools and open Group Policy Management.
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <feedback@packtpub.com>, and mention the book title via the subject of your message.
If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book on, see our author guide on www.packtpub.com/authors.
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the let us know link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <copyright@packtpub.com> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
Questions
You can contact us at <questions@packtpub.com> if you are having a problem with any aspect of the book, and we will do our best to address it.
Chapter 1. Planning Your Deployment
In this chapter, we will discuss the various environmental issues that need to be planned ahead of deploying UAG (Unified Access Gateway). We shall look at what makes UAG tick and look at software, hardware, and networking considerations. We will review how UAG interacts with what's around it and discuss where in your network to place the server for optimal usability and ease of deployment, as well as looking at how clients fit into the picture.
Basic principles
Even though installing a UAG server is quite straightforward, it is very important to plan your deployment ahead of time and prepare your hardware, software, and network correctly. Failing to do so might end in an installation failure, or even worse—a situation requiring a lengthy re-planning of the integration, not to mention explaining all of this to the guys upstairs.
When planning the installation, one must keep in mind that a UAG server is fundamentally a router. It has an external side that would be the access point for connecting clients from the internet, and an internal side through which the server can fetch data from internal corporate servers. While it is theoretically possible to use the server with a single network card, this option is not supported, and will not work for most of UAG's functionality. UAG includes Forefront TMG (Threat Management Gateway) 2010, Microsoft's well known enterprise-class firewall; therefore it is possible to have the external interface connected directly to the internet. Nonetheless, many organizations choose to play it extra-safe and place the server behind an additional firewall, which can also improve UAG's performance by eliminating junk traffic that might otherwise burden it. This, of course, requires careful planning of the routing, as well as opening the proper ports on the firewall to allow traffic to take its course.
UAG is designed to enable remote access in two primary roles: application publishing and VPN. A regular proxy is a server that resides at the edge of an organization's network, like a guard at the building's reception. The regular proxy fetches data from the outside world for the company's employees, much like a guard would escort a guest to an employee's office. A reverse proxy does the exact opposite—it fetches data from within the internal network, and delivers it to people on the outside. A regular proxy is usually about speeding things up, but also about protecting the network from uncontrolled access, while a reverse proxy is mostly about security. This is especially so for UAG, which might slow things down a bit, but provides a high level of security.
The benefit to an organization is that, using reverse proxy publishing, employees working from home or on-the-go can access the organization's internal applications from wherever they are, while still maintaining the organizational network safely and securely. Those of you who know their firewalls must be thinking "But...any firewall can do this!"
That is correct – almost all modern firewalls allow various forms of server publishing, but UAG adds additional levels of security. Firewall server publishing is usually quite simplistic – an administrator specifies the internal IP and port, and the firewall listens and forwards the requests and responses to and from the internal servers. From a security standpoint, this is almost equivalent to allowing the users to interact directly with the internal server, as the firewall inspection usually takes place at the TCP packet level only. Sure, it can recognize and stop some common Denial of Service (DoS) and other attacks like Port scan and half scan, but hardly any application-level attacks. UAG, on the other hand, is much cleverer:
Firstly, UAG includes TMG—a firewall, so it does exactly what was described above.
UAG also impersonates the internal server, so the end-user is actually interacting only with UAG. If the user is able to mount a successful attack and crash the server, UAG may go down (this has never happened, by the way), but the sensitive internal server will march on, undisturbed.
Another security layer on top of that is endpoint detection, which boosts security even further. Clients connecting to UAG must undergo a configurable security policy check that can eliminate many threats. For example, it can reject connections from computers that have not gone through a specific preparation by the organization, so that potential attackers are turned away even before they try to log in. It can reject connections from computers which are not well protected by an Anti-Virus or a personal firewall, to reduce the risk of a worm infecting the internal network. If this is not enough, the UAG logon process can be customized extensively, to boost security even further. We will not discuss this sort of customization in this book, but just to give you an idea, one example is the ability to include a CAPTCHA mechanism, so automated brute-force attacks cannot be executed to try to obtain a login to the server.
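The difference described above between plain firewall server publishing (which relays whatever arrives on the published port) and application-level reverse proxying (which parses the request, checks it against what is actually published, and only then impersonates the client towards the internal server) can be seen in a small model. The following is an added example written for this discussion; it is not code from the book or from UAG, and the names published_paths, internal_host and the sample requests are constructed for illustration.

```python
# Added example (not from the book or UAG): contrast TCP-level server
# publishing with application-level reverse proxying.
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Methods the published web applications are expected to use (assumption).
SAFE_METHODS = {"GET", "HEAD", "POST"}


def tcp_forward(raw: bytes) -> Tuple[bool, bytes]:
    """Simplistic firewall publishing: bytes arriving on the listening port are
    relayed to the internal server unchanged. Nothing about the HTTP content is
    examined, so malformed or hostile requests reach the backend as they came."""
    return True, raw


def parse_http_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str], bytes]]:
    """Parse the request line and headers of an HTTP/1.x request.
    Returns (method, path, headers, body) or None if the request is malformed."""
    try:
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def is_published(path: str, published_paths: List[str]) -> bool:
    """True if the (decoded) path lies under one of the published prefixes and
    contains no '.' or '..' segments that could escape the published tree."""
    decoded = unquote(path.split("?", 1)[0])
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return False
    return any(decoded == p or decoded.startswith(p.rstrip("/") + "/")
               for p in published_paths)


def reverse_proxy(raw: bytes, published_paths: List[str],
                  internal_host: str) -> Tuple[bool, bytes]:
    """Application-level publishing: the request is parsed and checked, then
    rebuilt with the internal server's Host header. The client only ever talks
    to the proxy; the backend only ever sees requests the proxy composed."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return False, b"HTTP/1.1 400 Bad Request\r\n\r\n"
    method, path, headers, body = parsed
    if method not in SAFE_METHODS:
        return False, b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    if not is_published(path, published_paths):
        return False, b"HTTP/1.1 404 Not Found\r\n\r\n"
    headers["host"] = internal_host  # impersonate the client towards the backend
    rebuilt = (f"{method} {path} HTTP/1.1\r\n"
               + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
               + "\r\n")
    return True, rebuilt.encode("ascii") + body


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one outside the published
    # tree, one not HTTP at all.
    good = b"GET /owa/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
    outside = b"GET /admin/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
    garbage = b"\xff\xfe not http at all"
    for req in (good, outside, garbage):
        print("firewall:", tcp_forward(req)[0],
              "proxy:", reverse_proxy(req, ["/owa"], "exch01.corp.example")[0])
```

Note that the port-forwarding model returns True for all three requests, while the proxy model forwards only the first. Real products do far more than this (authentication, endpoint checks, content rewriting), but the basic point is the same: a reverse proxy decides per request, and the internal server receives only what the proxy itself composed.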
The second major functionality of UAG is VPN, which allows remote users to connect to the organization's network in a way that emulates them being connected directly to the network while at the office. This sort of connection can allow them to do anything they could do in the office, and provide the most advanced work environment (pyjamas notwithstanding). This functionality was included with previous versions of UAG under the name Network Connector. Network connector, or NC for short, was a VPN ability that was based on encrypting the connection with SSL, and was a proprietary technology developed by Whale Communications. At the time, Windows Servers also had built-in VPN abilities, but only based on the PPTP protocol, which is considered to be not very secure, and L2TP, which is quite secure, but difficult to deploy because of its complexity.
Today, with UAG, multiple VPN technologies are included. NC is still there, though it has been renamed to SSL Network Tunneling. SSL Network Tunneling is also limited to classic client operating systems like Windows XP and Windows Vista. A new addition is SSTP, which is a more modern incarnation of SSL-VPN for Windows 7 users. The most important remote-access technology included with UAG is DirectAccess (DA for short), which offers a new and unique seamless VPN-like integration. With DA, users are virtually connected to the corporate network as soon as they connect to the internet, with no interaction or any need to configure components and launch diallers. All these will be covered in detail later in the book.
How UAG works
UAG's core functionality is as an ISAPI filter and extension, as well as various mechanisms to control other parts of Windows. ISAPI (Internet Server Application Programming Interface) is a technology that allows programmers to build add-ons for websites, enriching their functionality. UAG is heavily reliant on ISAPI to do its job, and integrates itself into Internet Information Services (IIS), Microsoft's Web server component that ships with Windows. This integration gives UAG its face—users logging in see a website that is generated by UAG, and UAG's ISAPI filter and extension are the components that fetch data from internal servers and show it to the user.
To do this, UAG has a mechanism that allows it to manipulate the IIS configuration directly. It creates one or more sites in IIS, and integrates itself into them by registering its ISAPI filter. Since the UAG ISAPI components are integrated into the IIS website, content going to and from the site goes through these, and they can manipulate the data directly and efficiently. To learn more about ISAPI, read the following article: http://msdn.microsoft.com/en-us/library/at50e70y(VS.80).aspx
If you take a look at IIS on a fresh UAG installation, you will notice that the Default Website contains some new virtual directories, such as InternalSite, which has been created by UAG. This virtual directory hosts the login screen that users see, as well as other pages like the log-off page, error pages, and others. InternalSite also includes the various authentication mechanisms, the client detection and installation system and more. It looks darn good, if you ask us. As you'll start configuring portals on UAG, new virtual directories will appear under the Default Web Site of IIS running on the