Microsoft Forefront UAG 2010 Administrator's Handbook
Ebook: 873 pages (7 hours)


About this ebook

In Detail

Microsoft Forefront Unified Access Gateway (UAG) is the latest in a line of Application Publishing (Reverse Proxy) and Remote Access (VPN) Server products. The broad set of features and technologies integrated into UAG makes for a steep learning curve. Understanding all the features and abilities of UAG is a complex task that can be daunting even to experienced networking and security engineers.

This book is the first to be dedicated solely to Microsoft Forefront UAG. It guides you step by step through all the stages of deployment, from design to troubleshooting. Written by experts who have taken part in the product's development, official training, and support, this book covers all the primary features of UAG in a friendly style and a manner that is easy to follow. It takes you from the initial planning and design stage, through deployment and configuration, up to maintenance and troubleshooting.

The book starts by introducing UAG's features and abilities, and how your organization can benefit from them. It then goes on to guide you through planning and designing the integration of the product into your own unique environment. Further, the book guides you through the process of publishing the various applications, servers, and resources, from simple web applications to complex client/server applications. It also details the various VPN technologies that UAG provides and how to take full advantage of them. The later chapters of the book walk you through common routine "upkeep" tasks such as monitoring, backup, and troubleshooting of common issues. Finally, the book includes an introduction to ASP, on which some of the product's features are based, which can help the advanced administrator enhance and customize the product.

Explore Microsoft Forefront Unified Access Gateway's wide range of features and abilities to publish applications to remote users or partners, and provide remote-access to your network with world-class security.

Approach

This book is a hands-on guide, describing concepts, ideas, and terminology related to UAG and related technologies. The book starts with a discussion of the terms that UAG technology is based on, and proceeds with step-by-step guidance for performing the various tasks related to UAG's core features. Each topic is preceded by a discussion of the considerations that the administrator and the organization need to go through to prepare for the task at hand, and includes plenty of screenshots illustrating what the administrator should expect to see on screen, with real-life examples of configuration options.

Who this book is for

If you are a Networking or Security engineer who intends to integrate UAG into the organization network, then this book is for you. You need no experience with UAG or its predecessors, though basic understanding of Networking and Windows Server management and engineering is required. Experience with security systems like Firewalls would also help you to better understand some of the topics covered by this book.

Language: English
Release date: Jan 24, 2011
ISBN: 9781849681636
Author

Erez Ben-Ari

Erez Ben-Ari is a long time Technologist and Journalist, and has worked in the Information Technology industry since 1991. During his career, Erez has provided security consulting and analysis services for some of the leading companies and organizations in the world, including Intel, IBM, Amdocs, CA, HP, NDS, Sun Microsystems, Oracle and many others. His work has gained national fame in Israel, and he has been featured in the press regularly. Having joined Microsoft in 2000, Erez has worked for many years in Microsoft's Development Center in Israel, where Microsoft's ISA Server was developed. Being a part of the release of ISA 2000, ISA 2004 and ISA 2006, Erez held several roles, including Operation engineering, Software testing, Web-based software design and testing automation design. Now living in the United States, Erez still works for Microsoft, currently as a senior support escalation engineer for UAG. Erez is also the author of the successful "Microsoft Forefront UAG 2010 Administrator's Handbook", and the book "Mastering Microsoft Forefront UAG customizations", both published by Packt. Both books have been extremely popular with customers, and both received 5-star reviews on Amazon.


    Book preview

    Microsoft Forefront UAG 2010 Administrator's Handbook - Erez Ben-Ari

    Table of Contents

    Microsoft Forefront UAG 2010 Administrator's Handbook

    Credits

    About the Authors

    About the Reviewers

    www.PacktPub.com

    Support files, eBooks, discount offers and more

    Why Subscribe?

    Free Access for Packt account holders

    Instant Updates on New Packt Books

    Preface

    What this book covers

    What you need for this book

    Who this book is for

    UAG versus IAG

    What's in the box?

    Conventions

    Reader feedback

    Errata

    Piracy

    Questions

    1. Planning Your Deployment

    Basic principles

    How UAG works

    Software requirements

    Hardware requirements

    Considerations for placing the server

    Planning the networking infrastructure

    Domain membership

    Planning remote connectivity

    Load balancing and high availability

    Choosing clients

    From test to production

    Tips for a successful deployment

    Deployment checklist

    Do's and Don'ts for a successful deployment

    Summary

    2. Installing UAG

    What the installation contains

    Service Packs and updates

    Preparing your server

    Pre-installation checklist

    Preparing the installation files

    Installation

    Verifying the installation

    Running the Getting Started Wizard

    Applying updates or Service Packs

    Common issues during installation

    Post installation issues

    Summary

    3. UAG Building Blocks

    What are trunks and applications?

    Types of trunks

    Types of applications

    Built-in services

    Web applications

    Client/Server and Legacy

    Browser-embedded applications

    Terminal Services (TS) / Remote Desktop Services (RDS)

    What is URL signing and how does it work?

    Designing your trunks, applications, and nesting

    Some common applications and the appropriate templates

    DNS name resolution

    Preparing for an HTTPS trunk

    Asymmetric encryption

    Digital certificates

    Creating an HTTPS trunk

    Publishing an HTTP trunk

    What happens when you add a trunk?

    Summary

    4. Publishing Web Applications

    The four steps to application publishing

    Application specific hostname applications versus Portal hostname applications

    The Add Application Wizard

    Application order

    Considerations for Exchange publishing

    Considerations for SharePoint publishing

    Different internal and external names

    Same internal and external FQDN names but different protocols

    Same internal and external names and protocols

    Sharepoint and IE security enhancements

    What is the Active Directory Federation Services 2.0 application?

    Certificate validation for published web servers

    Did you remember to activate?

    Summary

    5. Advanced Applications and Services

    Advanced application types

    Remote connectivity

    Configuring browser embedded applications

    Configuring client/server applications

    Enhanced Generic Client Applications

    Enhanced HAT

    Generic HTTP Proxy Enabled Client Application

    Generic SOCKS Enabled Client Application

    Citrix Program Neighborhood (Direct)

    Outlook (corporate/workgroup mode)

    SSL Application Tunneling component automatic disconnection

    Local Drive Mapping

    Remote Network Access

    SSL Network Tunneling (Network Connector)

    Planning for Network Connector

    Adding Network Connector to the portal

    Configuring the Network Connector server

    Activating and testing the Network Connector

    Network Connector disconnecting?

    SSTP

    Remote Desktop applications

    Remote Desktop RDG templates

    Remote Desktop—predefined and user defined

    Remote Desktop considerations

    File Access

    Preparing to Publish File Access

    Configuring File Access Domains, Servers, and Shares

    Using File Access

    More fun with File Access

    Summary

    6. Authenticating and Controlling Access

    UAG session and authentication concepts

    The basic authentication flow

    Trunk level authentication settings

    Authentication servers

    RADIUS

    RSA SecurID

    WinHTTP

    Authentication server of the type Other

    Smart card/client certificate authentication

    Special handling for MS Office Rich Clients

    Application level authentication settings

    Handling form based authentication to backend applications

    Kerberos constrained delegation

    Application authorization settings

    Local groups

    AD FS 2.0

    Requirements and limitations for AD FS 2.0 in UAG

    Configuring the AD FS 2.0 authentication server in UAG

    Additional configuration steps on the AD FS 2.0 server

    Summary

    7. Configuring UAG Clients

    What are the client components?

    Endpoint detection

    SSL Application Tunneling component

    Socket Forwarding

    SSL Network Tunneling component

    Endpoint Session Cleanup component

    Supported platforms

    Installing and uninstalling the client components

    Preemptive installation of the components

    Checking the client components version

    The trusted sites list

    Don't need the Client components?

    Summary

    8. Endpoint Policies

    What endpoint policies can do and how they work?

    How it works?

    Endpoint policies access type

    Platform specific policies

    Assigning endpoint policies

    Built-in policies

    Choosing or designing the appropriate policies for your organization

    Creating policies using the policy editor

    Editing policies in script mode

    Configuring upload and download settings

    Identify by URL

    Identify by extension

    Identify by size

    Configuring restricted zone settings

    Certified Endpoints

    Integration with Network Access Protection

    How does NAP work?

    Configuring UAG to use NAP

    Summary

    9. Server Maintenance and Upkeep

    Who needs monitoring?

    The UAG activation monitor

    The UAG Web Monitor

    Monitoring sessions

    General

    Applications

    Endpoint Information

    Parameters

    Session Statistics

    Monitoring applications and users

    Monitoring server farms

    Monitoring server array members

    Event Viewer

    Event Query

    Configuring UAG event logging

    Queue and report size

    Built-in

    RADIUS and Syslog

    Mail

    UAG services

    UAG and the System Event Log

    Publishing the UAG Web Monitor

    Live Monitoring using TMG

    The Windows Performance Monitor

    Running a server trace

    Updating the server with Windows Updates

    Updating the server with UAG updates

    Other updates

    Antivirus on the server and other tools

    Backing up UAG

    Restoring UAG (to itself, and to other servers)

    Summary

    10. Advanced Configuration

    Basic trunk configuration

    Advanced configuration overview

    The General tab

    The Authentication tab

    The Session tab

    The Application Customization tab

    The Portal tab

    The URL Inspection tab

    Global URL Settings and URL Set tabs

    Rule editing and modification

    NLB and Arrays

    Adding load balancing into the mix

    Putting it all together

    Summary

    11. DirectAccess

    What's in it for me?

    A little bit of history

    How does DirectAccess work?

    IPSec and its tunnels

    IPv6—what's the big deal?

    Hardware considerations

    Connecting your server to the Internet

    The Network Location Server

    More infrastructure considerations

    Client connection modes

    Setting up the IP-HTTPS public site

    DirectAccess name resolution

    ISATAP, DNS64, and NAT64

    Tunneling mode

    DirectAccess Connectivity Assistant

    Putting it all together

    Wizard Rime

    Client and GPO configuration

    The DirectAccess Connectivity Assistant

    DirectAccess Server configuration

    Infrastructure Servers configuration

    End-to-End Access configuration

    Keeping an eye on the server

    Trouble?

    Removing DirectAccess

    Setup and configuration errors

    Whose fault is it?

    DCA to the rescue

    Server related issues

    Client side issues

    Transition technology issues

    Advanced troubleshooting

    Additional resources

    Summary

    12. Troubleshooting

    Whodunnit?

    Administrative errors

    File Access

    SSL Network Tunneling

    Certificate problems during activation

    Backup and restore

    Updating the server

    Portal and Trunk issues

    Application issues

    Common application publishing mishaps

    Blocking uploads and downloads

    URL limits

    Server Performance

    Other optimizations

    SharePoint issues

    SSL tunneling

    SSTP

    Other server and application issues

    Client issues

    Client misbehavior

    RDS client issues

    Misc client issues

    Customization issues

    General errors

    Tracing problems

    What's next?

    Summary

    A. Introduction to RegEx

    Why do I need this?

    What are Regular Expressions?

    The UAG RegEx syntax

    Literals

    Special characters

    B. Introduction to ASP

    What is ASP, and how does it work?

    What can you do with it?

    Getting started with ASP

    Putting the pieces together

    Some more ASP principles

    No one likes to repeat himself

    So, what's in it for me?

    Index

    Microsoft Forefront UAG 2010 Administrator's Handbook


    Copyright © 2011 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    First published: January 2011

    Production Reference: 1170111

    Published by Packt Publishing Ltd.

    32 Lincoln Road

    Olton

    Birmingham, B27 6PA, UK.

    ISBN 978-1-849681-62-9

    www.packtpub.com

    Cover Image by Tina Negus (<tina_manthorpe@sky.com>)

    Credits

    Authors

    Erez Ben-Ari

    Ran Dolev

    Reviewers

    Ben Bernstein

    Dennis E. Lee

    Dominik Zemp

    Acquisition Editor

    Stephanie Moss

    Development Editors

    Rukhsana Khambatta

    Mayuri Kokate

    Technical Editor

    Arani Roy

    Indexers

    Monica Ajmera Mehta

    Rekha Nair

    Editorial Team Leader

    Gagandeep Singh

    Project Team Leader

    Ashwin Shetty

    Project Coordinator

    Poorvi Nair

    Proofreaders

    Lesley Harrison

    Kevin McGowan

    Graphics

    Geetanjali Sawant

    Production Coordinator

    Shantanu Zagade

    Cover Work

    Shantanu Zagade

    About the Authors

    Erez Ben-Ari is a long time technologist and journalist, and has worked in the information technology industry since 1991. During his career, Erez has provided security consulting and analysis services for some of the leading companies and organizations in the world; including Intel, IBM, Amdocs, CA, HP, NDS, Sun Microsystems, Oracle, and many others. His work has gained national fame in Israel, and he has been featured in the press regularly. Having joined Microsoft in 2000, Erez has worked for many years in Microsoft's Development Center in Israel, where Microsoft's ISA Server was developed. Being a part of the release of ISA 2000, ISA 2004, and ISA 2006, he held several roles, including Operation engineering, Software testing, Web-based software design, and testing automation design. Now living in the United States, Erez still works for Microsoft, currently as a senior support engineer for UAG.

    As a writer, Erez has been a journalist since 1995, and has written for some of the leading publications in Israel and in the United States. He has been a member of the Israeli National Press Office since 2001, and his personal blogs are read by thousands of visitors per month. Erez has also written, produced, and edited content for TV and radio, working for Israel's TV Channel 2, Ananey Communications, Radio Haifa, and other venues.

    Most recently, Erez has completed his work on a courseware book titled Planning, deploying, and managing Microsoft Forefront Threat Management Gateway 2010, in collaboration with several other authors.

    Ran Dolev is a veteran of network security and SSL VPN industries. Ran has worked with the UAG product for more than twelve years, since the product's inception at the start-up company Whale Communications in 1998, where Ran was the first full-time developer of the product. After several years he moved to a services position as the EMEA Professional Services Manager for the team. In this role he has designed and delivered numerous IAG and UAG training sessions in North America, Europe, Middle East, Asia, and Australia, to customers, partners, and Microsoft employees. Ran also provides consulting and deployment services for many of Microsoft's enterprise UAG customers.

    About the Reviewers

    Ben Bernstein is a senior program manager with the Microsoft UAG DirectAccess development team. Ben has worked for Microsoft since 2001, and has held several software development and leadership positions. During his time with Microsoft, Ben has been deeply involved with the development of many of Microsoft's security product suites, including ISA 2004, ISA 2006, TMG, and UAG. Ben often speaks at conferences and public events related to information security and holds BA and MBA degrees from The Interdisciplinary Center and the Technion Institute in Israel.

    Dennis E. Lee is a noted network security expert specializing in Microsoft Forefront Security products. His journey in technology began as soon as he was able to take apart his old electronic toys. Self-taught in the art of web design, he used the Internet as a forum to foster discussion on topics such as computer self-help, graphic design, and programming. That led him into network security in which he actively attends community events and contributes to many different forums and blogs. As a consultant for Celestix Networks, Inc., Dennis travels the globe designing security solutions for organizations of all sizes. Whether it's a startup or global organization, he thrives on the opportunity to help the world do its job better. Checking out the local cuisine in all the places he visits is cool too. He wants you to read this book because while he enjoys traveling, it's unlikely that he'll be able to get to everyone in the world and believes that this book will guide you on how to build the most secure remote access solution using UAG.

    Thank you to Sally, my colleagues at Celestix Networks and the people at Microsoft for sharing my passion of working with great products.

    Dominik Zemp is a technical solutions specialist for Microsoft's security solutions and has worked in the security market since 2004. He is going to graduate in February 2011 from Lucerne University of Applied Sciences and Arts with a Bachelor's degree in Information Technology, specializing in Software Systems. He has served as a network engineer, system engineer, and security consultant. He uses Microsoft's Forefront and security products on a daily basis and specializes in Microsoft's Identity and Access Management solutions such as Forefront Unified Access Gateway 2010.

    www.PacktPub.com

    Support files, eBooks, discount offers and more

    You might want to visit www.PacktPub.com for support files and downloads related to your book.

    Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at for more details.

    At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

    http://PacktLib.PacktPub.com

    Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.

    Why Subscribe?

    Fully searchable across every book published by Packt

    Copy and paste, print and bookmark content

    On demand and accessible via web browser

    Free Access for Packt account holders

    If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.

    Instant Updates on New Packt Books

    Get notified! Find out when new books are published by following @PacktEnterprise on Twitter, or the Packt Enterprise Facebook page.

    Dedicated to my wife, Paula, who forgave me for locking myself up in my study for so many months while writing this book, and to my son, Sol, who, despite just being born, kept quiet and let me do this.

    — Erez Ben-Ari

    I dedicate this to the memory of my father, Dan Costescu, writer, novelist, journalist, newspaper founder and editor, who used writing to fight from exile for justice and for a better life for his fellow countrymen. I miss you, Dad!

    — Ran Dolev

    Preface

    The Israeli department of defence has some of the strictest information security guidelines in the world, and part of these guidelines is the requirement to have complete physical separation between the public and internal networks. A regular firewall just won't do, and this requirement gave birth to the concept of the Air-Gap, a revolutionary product for its time. The Air-Gap and e-Gap products used a physical switch that enabled the transfer of data from one network to the other while still keeping them physically disconnected. One might think of this as a shuttle transferring passengers from one land mass to another. Whether this is more secure than advanced software-based firewalls can be debated, but the product did meet the guidelines and became very successful in Israel.

    Building on this success, Whale Communications distributed the e-Gap appliance throughout the world, and continued its development. In 2006, Whale Communications was purchased by Microsoft, and the next version, named Intelligent Application Gateway or IAG, had similar capabilities, but replaced the physical switch and the dual-server design with a software firewall—Microsoft's ISA 2006 server.

    The success of IAG led, of course, to the next version—UAG, short for Unified Access Gateway. UAG has some new capabilities although fundamentally it is very similar to its predecessor, IAG. Like IAG, UAG combines two major functions:

    Application publishing (also known as reverse proxy)

    VPN server

    For those who are familiar with proxy servers, a reverse proxy does exactly the opposite. A proxy sits at the edge of an organization's network, and fetches data from the Internet for the employees inside the network. A reverse proxy also sits at the edge, but fetches data from within the internal network, and delivers it to people connecting from outside. This allows employees to be away from the office, at their home or on the road, but still have access to the sensitive organization applications in a way that's easy to use, but secure at the same time.

    For those who are not familiar with the concept of a VPN—Virtual Private Network, this is a common way to let employees connect to the internal network remotely. Many products on the market provide VPN services including the built-in Windows service RRAS. However, using a reverse proxy instead allows quicker and easier access. Using a VPN service requires the end user to create configurations that may be complicated and are often not very secure. For example, an employee that uses his own home computer to connect to the organization's network may be sharing the same computer with his family, and that computer could be home to a virus zoo, or be exposed to external penetration via an unsecured Wi-Fi home network. If the computer is a laptop, it could potentially be stolen or lost, allowing the thief or finder to connect to the internal network and compromise it.

    UAG's feature set offers solutions to these problems using advanced features. The reverse-proxy side of the house allows easy access through most modern web browsers, with no configuration required by the user. The user simply types in the designated URL, waits for the special client components to be installed automatically, and after a simple log-on, they can run the organization's web-based applications. While almost all firewalls offer the ability to do simple server publishing, using a reverse proxy is more secure. The reason is that a firewall, even one that does stateful inspection, is only passing data back and forth between the internal server and the client. A reverse proxy, on the other hand, stands in for the internal server. The client is talking to the proxy, which impersonates the internal server. Even if the proxy is successfully attacked and taken down, the internal server is never touched, and service is not interrupted.
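    The "stands in for the internal server" idea from the two paragraphs above, as an added example that is not from the book and has nothing to do with UAG's own implementation: a minimal publishing reverse proxy in Go built on the standard library's httputil.ReverseProxy. The internal server, the published prefix "/owa/" and the "InternalApp/1.0" Server header are all constructed for this example. It shows three things an outside client observes: a published path is served with the internal server's identifying header stripped, an unpublished path is refused at the edge and never reaches the backend, and when the backend goes away the client still talks only to the proxy and gets a generic error rather than the internal address.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// ProbeResult is what an external client observes for one request sent through the proxy.
type ProbeResult struct {
	Status int
	Body   string
	Server string // Server header as seen by the client ("" when the proxy stripped it)
}

// newPublishingProxy builds a reverse proxy that stands in for the internal server at backend.
// Only paths under allowedPrefix are published; anything else is answered by the proxy itself.
func newPublishingProxy(backend *url.URL, allowedPrefix string) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(backend)
	// Strip identifying headers so the client learns nothing about the internal server.
	rp.ModifyResponse = func(resp *http.Response) error {
		resp.Header.Del("Server")
		resp.Header.Set("Via", "publishing-proxy")
		return nil
	}
	// Backend unreachable: answer on its behalf with a generic error, no connection details.
	rp.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
		http.Error(w, "service unavailable", http.StatusBadGateway)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, allowedPrefix) {
			http.NotFound(w, r) // unpublished path: blocked at the edge
			return
		}
		rp.ServeHTTP(w, r)
	})
}

// probe sends one GET through the proxy and records the client-visible outcome.
func probe(client *http.Client, base, path string) (ProbeResult, error) {
	resp, err := client.Get(base + path)
	if err != nil {
		return ProbeResult{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return ProbeResult{}, err
	}
	return ProbeResult{resp.StatusCode, strings.TrimSpace(string(body)), resp.Header.Get("Server")}, nil
}

// RunDemo starts a constructed internal web server and the proxy in-process and returns what a
// client sees for a published path, an unpublished path, and a published path after the backend dies.
func RunDemo() (map[string]ProbeResult, error) {
	// Constructed stand-in for an internal application server.
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Server", "InternalApp/1.0")
		fmt.Fprintf(w, "internal app served %s", r.URL.Path)
	}))
	defer backend.Close()
	backendURL, _ := url.Parse(backend.URL) // httptest always yields a well-formed URL
	// "/owa/" is a hypothetical published prefix chosen for this example.
	proxy := httptest.NewServer(newPublishingProxy(backendURL, "/owa/"))
	defer proxy.Close()

	results := map[string]ProbeResult{}
	add := func(name, path string) error {
		r, err := probe(proxy.Client(), proxy.URL, path)
		results[name] = r
		return err
	}
	if err := add("published", "/owa/inbox"); err != nil {
		return nil, err
	}
	if err := add("unpublished", "/admin/config"); err != nil {
		return nil, err
	}
	backend.Close() // take the internal server down: the proxy still answers the client
	if err := add("backend-down", "/owa/inbox"); err != nil {
		return nil, err
	}
	return results, nil
}

func main() {
	results, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", results)
}
```

    The same structure is what makes "even if the proxy is taken down, the internal server is never touched" hold: the backend is only ever dialled by the proxy, so the client has no path to it that bypasses the edge checks.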

    Unfortunately, the reverse proxy service is only usable for web-based applications. It's good for things such as Outlook Web Access and SharePoint, but many other applications require more complicated TCP/IP traffic. A good example is RDP, which works on port 3389 and cannot simply be reverse proxied. For that reason, the original e-Gap server included a feature called SSL-VPN, which has been expanded to a full range of VPN options with UAG. VPN allows pretty much any networked application to connect to internal servers by simulating a full network connection to the corporate network. Originally, e-Gap and IAG offered a VPN connection that was encrypted using SSL (Secure Sockets Layer) and offered better security than many of the VPN products that existed in the market at the time. With UAG, SSL-VPN is still included, alongside several other options, the most notable of which is DirectAccess. DirectAccess was originally developed to be integrated into the Windows Server 2008 R2 and Windows 7 client platforms, but the integration of this technology with UAG adds several additional security mechanisms that make for an easier and more secure deployment.

    Using DirectAccess (frequently referred to as DA) with UAG includes several components that allow for better integration with networks that are based on the IPv4 protocol, and also includes very advanced endpoint security, which has been a strong selling point for IAG and e-Gap for many years. UAG's endpoint security allows an administrator to enforce certain security policies by preventing client computers that do not meet these policies from connecting, or from accessing specific applications. These policies can include, for example, the requirement to have an antivirus product installed on the computer as a condition for allowing a connection. A policy can be even more granular and require a specific AV product, and even check when the AV definitions were last updated on the client. In fact, an advanced administrator can even write his own policy using VBScript to obtain the utmost granular control, down to the registry-key level.

    What this book covers

    Chapter 1, Planning Your Deployment, will cover the hardware and software requirements for using UAG, and what needs to be planned before purchasing the product, such as Load Balancers, client-support (PC, Mac, and Linux), and so on.

    Chapter 2, Installing UAG, will cover the required steps to prepare and install UAG. We will discuss the critical settings you will need to configure before the installation and how to prepare the server for it, and then we will go through the setup process step-by-step. Finally, we will review how to verify that the installation went successfully and learn how to handle some common issues we might face.

    Chapter 3, Trunk Types and Uses, will cover UAG's building blocks—trunks and applications. We will review the various types of each, what they are used for, and how to create them. We will not cover specific application publishing, but we will introduce some of the concepts that make the whole thing tick.

    Chapter 4, Publishing Web Applications, will cover web applications and how to publish them, including focusing on the most popular applications types—SharePoint and Exchange.

    Chapter 5, Advanced Applications and Services, will review the various applications, how to choose the appropriate templates, and how to configure them. We will also discuss in detail some of the additional built-in applications, and briefly introduce DirectAccess.

    Chapter 6, Authenticating and Controlling Access, will explain the various types of authentication that UAG can use with Windows servers and third party servers. The chapter will also talk about managing user access to applications and trunks (authorization).

    Chapter 7, Configuring UAG Clients, will cover UAG's client components. The client components are what the end-user sees, and they control the user's access to the portal and applications, so it's very important to understand how they work, and what they can and cannot do.

    Chapter 8, Endpoint Policies, discusses endpoint policies—how they can be used to provide high security, how to configure them, and how to manage them.

    Chapter 9, Server Maintenance and Upkeep, will cover ways to keep an eye on the server using built-in tools such as the Web Monitor, the Event Log, and the TMG live monitoring console. It will also discuss keeping the server in top shape by performance monitoring, applying patches, updates, and service packs, and performing backups.

    Chapter 10, Advanced Configuration, will discuss the Advanced Trunk Configuration, which allows the admin to control various aspects of the portal behavior and special-functions.

    Chapter 11, DirectAccess, will introduce the admin to various DA related concepts such as IPv6, Teredo, IPHTTPS, DNS64, and NAT64. It will then detail how to configure DA in various scenarios.

    Chapter 12, Troubleshooting, will discuss common problems and how to address them, as well as more generic troubleshooting concepts and tools such as Netmon and PerfMon. The chapter will also offer a collection of external resources, such as blogs, wikis, and articles.

    Appendix A, Introduction to RegEx, introduces us to Regular Expressions and the UAG RegEx syntax.

    Appendix B, Introduction to ASP, gives a short introduction to ASP programming. Since UAG has quite a bit of web-based user interface, knowing a little about ASP and how it works will allow you to customize it to some degree.

    What you need for this book

    You will need Microsoft Forefront Unified Access Gateway (UAG) with Update 1 for this book. UAG is offered to the public in two distinct distributions. A company can choose to purchase the product in the form of an appliance, or as a downloadable ISO image file, which can be burned to DVD or mounted on a virtual DVD drive. UAG is a server product and can only be installed on Windows Server 2008 R2 or later; therefore the hardware requirements are combined with those of R2. The primary requirements for R2 are a 64-bit processor and 32 GB of free disk space. UAG's minimum requirements are a dual-core processor running at 2.66 GHz or faster, 4 GB of memory, and an extra 2.5 GB of disk space.

    Who this book is for

    This book is intended for IT personnel, network engineers, system engineers, system administrators, and security engineers who are planning to implement UAG in their organization, or have already implemented it and want to discover more about the product's abilities and how to use them effectively. To properly use the book, you should have some understanding of IT and networking technologies and terminology, such as IP, DNS, Ethernet, web servers, and VPN. Programming knowledge is not required; it might be of benefit for the advanced customization techniques that UAG supports, but those are not within the scope of this book. The book also requires a fundamental understanding of Microsoft technologies and systems, such as Windows and Internet Explorer. For some chapters, understanding of more advanced concepts may be needed, such as SSL, firewalls, IPv6, Adv. TCP/IP, XML, and HTML.

    UAG versus IAG

    As mentioned before, the basic functionality of the product has not changed much from IAG to UAG. UAG adds some broader functionality for newer applications, and support for more modern VPN technologies. The application publishing that was a part of IAG is mostly still here, with some updates to the user interface, and some new application templates like Exchange 2010 and RemoteApp publishing. The SSL Wrapper and Network Connector are also still here, but SSTP (Secure Socket Tunneling Protocol) and DA (DirectAccess) are now also included. The client components have gone through some improvements as well, and now support Windows 7, Internet Explorer 8, and several 64-bit operating systems. The user interface has gone through a nice face-lift, both on the server side and the client side (the look and feel of the portal).

    A significant change in UAG compared to the previous generations is the availability of UAG as installable software. IAG has traditionally been available as a hardware appliance, and recently as a virtual appliance (a VHD file that can be run on a hypervisor or other virtualization products), but with UAG, an administrator can now install the product on any server he wishes to (assuming, of course, it meets the minimum hardware specifications and can run Windows Server 2008 R2). This makes UAG much more readily available, and far easier to integrate into complex enterprise environments, reducing the total cost of ownership (TCO) for IT resources.

    Another improvement added to UAG over IAG is the built-in support for arrays, and integration with Windows NLB (Network Load Balancing). In the past, integration of IAG was only possible with third-party load balancing solutions, and even then, it was somewhat limited, as administrators had to manually mirror the configuration between servers, and repeat the manual sync whenever a change was required. With UAG's built-in array management functionality, an administrator can build a cluster of up to eight UAG servers. If using an array, it can be load balanced using external load balancers, or integrated with Windows NLB.

    Another notable addition to the functionality of UAG is the integration with NAP (Network Access Protection), which provides an extensive platform for maintaining endpoint health and sanity that goes beyond even the native endpoint policy management that IAG had. For example, NAP continually monitors the client's health and can respond to changes even during a session. It can also direct a client to an update server or other remediation server, so the client can address the health issues and reconnect, rather than just getting blocked from access.

    From the management side of the house, UAG now allows the server administrator more control over logging and monitoring of user activity. This is achieved by enabling logging to SQL, which allows for better performance and easier analysis of logged data, and creating highly customized reports.

    What's in the box?

    Just like IAG included ISA 2006 as its built-in firewall, UAG similarly includes Forefront TMG (Threat Management Gateway) 2010, which is the latest incarnation of Microsoft's highly regarded firewall server. TMG is automatically installed as a part of the UAG setup process, and once in place, protects the server from the outside world using its well-known stateful inspection engine. Although it's tempting to think of this as two products in one, in reality, the use of TMG is somewhat limited, because it's controlled by UAG. Whenever the UAG configuration is changed and activated, UAG pushes various configuration elements and rules directly into TMG's configuration containers, and these might override or conflict with manual configuration done by the administrator. This poses some security risk; such manual configuration may unintentionally expose the server to outside threats. The same goes for IIS (Internet Information Services), which is part of Windows Server. To perform its reverse-proxy functionality, UAG pushes various configurations directly into IIS, and changes to IIS's configuration put it at risk of a conflict or vulnerability which could jeopardize the entire server. For this reason, Microsoft recommends against attempting to leverage a UAG server for additional functions within organizations, and does not support this.

    Conventions

    In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

    Code words in text are shown as follows: but you can also use the command gpupdate /force, which forces the computer to update its group policy right away.

    Any command-line input or output is written as follows:

    auditpol.exe /set /subcategory:"IPsec Main Mode","IPsec Extended Mode" /success:enable /failure:enable

    New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: To do so, open Administrative Tools and open Group Policy Management.

    Note

    Warnings or important notes appear in a box like this.

    Tip

    Tips and tricks appear like this.

    Reader feedback

    Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

    To send us general feedback, simply send an e-mail to <feedback@packtpub.com>, and mention the book title via the subject of your message.

    If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail .

    If there is a topic that you have expertise in and you are interested in either writing or contributing to a book on, see our author guide on www.packtpub.com/authors.

    Errata

    Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the let us know link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

    Piracy

    Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

    Please contact us at <copyright@packtpub.com> with a link to the suspected pirated material.

    We appreciate your help in protecting our authors, and our ability to bring you valuable content.

    Questions

    You can contact us at <questions@packtpub.com> if you are having a problem with any aspect of the book, and we will do our best to address it.

    Chapter 1. Planning Your Deployment

    In this chapter, we will discuss the various environmental issues that need to be planned ahead of deploying UAG (Unified Access Gateway). We shall look at what makes UAG tick and look at software, hardware, and networking considerations. We will review how UAG interacts with what's around it and discuss where in your network to place the server for optimal usability and ease of deployment, as well as looking at how clients fit into the picture.

    Basic principles

    Even though installing a UAG server is quite straightforward, it is very important to plan your deployment ahead of time and prepare your hardware, software, and network correctly. Failing to do so might end in an installation failure, or even worse—a situation requiring a lengthy re-planning of the integration, not to mention explaining all of this to the guys upstairs.

    When planning the installation, one must keep in mind that a UAG server is fundamentally a router. It has an external side that would be the access point for connecting clients from the internet, and an internal side through which the server can fetch data from internal corporate servers. While it is theoretically possible to use the server with a single network card, this option is not supported, and will not work for most of UAG's functionality. UAG includes Forefront TMG (Threat Management Gateway) 2010, Microsoft's well known enterprise-class firewall; therefore it is possible to have the external interface connected directly to the internet. Nonetheless, many organizations choose to play it extra-safe and place the server behind an additional firewall, which can also improve UAG's performance by eliminating junk traffic that might otherwise burden it. This, of course, requires careful planning of the routing, as well as opening the proper ports on the firewall to allow traffic to take its course.

    UAG is designed to enable remote access in two primary roles: application publishing and VPN. A regular proxy is a server that resides at the edge of an organization's network, like a guard at the building's reception. The regular proxy fetches data from the outside world for the company's employees, much like a guard would escort a guest to an employee's office. A reverse proxy does the exact opposite—it fetches data from within the internal network, and delivers it to people on the outside. A regular proxy is usually about speeding things up, but also about protecting the network from uncontrolled access, while a reverse proxy is mostly about security. This is especially so for UAG, which might slow things down a bit, but provides a high level of security.

    The benefit to an organization is that, using reverse proxy publishing, employees working from home or on the go can access the organization's internal applications from wherever they are, while still keeping the organizational network safe and secure. Those of you who know their firewalls must be thinking "But...any firewall can do this!" That is correct – almost all modern firewalls allow various forms of server publishing, but UAG adds additional levels of security. Firewall server publishing is usually quite simplistic – an administrator specifies the internal IP and port, and the firewall listens and forwards the requests and responses to and from the internal servers. From a security standpoint, this is almost equivalent to allowing the users to interact directly with the internal server, as the firewall inspection usually takes place at the TCP packet level only. Sure, it can recognize and stop some common Denial of Service (DoS) attacks and others like port scans and half-open scans, but hardly any application-level attacks. UAG, on the other hand, is much cleverer:

    Firstly, UAG includes TMG—a firewall, so it does exactly what was described above.

    UAG also impersonates the internal server, so the end-user is actually interacting only with UAG. If the user is able to mount a successful attack and crash the server, UAG may go down (this has never happened, by the way), but the sensitive internal server will march on, undisturbed.

    Another security layer on top of that is endpoint detection, which boosts security even further. Clients connecting to UAG must undergo a configurable security policy check that can eliminate many threats. For example, it can reject connections from computers that have not gone through a specific preparation by the organization, so that potential attackers are turned away even before they try to log in. It can reject connections from computers which are not well protected by an Anti-Virus or a personal firewall, to reduce the risk of a worm infecting the internal network. If this is not enough, the UAG logon process can be customized extensively, to boost security even further. We will not discuss this sort of customization in this book, but just to give you an idea, one example is the ability to include a CAPTCHA mechanism, so automated brute-force attacks cannot be executed to try to obtain a login to the server.
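    The two points above, that the end-user only ever talks to the gateway and that the gateway can refuse requests at the application level rather than just forwarding packets, are easiest to see in a toy reverse proxy. The following is an added illustration for this chapter, written for it and not UAG's own code (UAG's real implementation is an ISAPI component inside IIS, covered later): it stands up a fake "internal" web server and a proxy in one process, publishes only two constructed path prefixes (/owa/ and /sites/), refuses everything else before it reaches the backend, and relays only the backend's status and body, so the backend's own Server banner never reaches the client. All hostnames, ports and paths are constructed for the demo.

```python
"""Reverse-proxy demo: an external listener fetches pages from an internal
web server on the client's behalf and applies an application-level allow-list
before forwarding. Added illustration for this chapter, not UAG code; the
ports and published paths are constructed for the demo."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed "published applications": only these path prefixes are reachable
# from the outside; anything else is refused by the proxy and never hits the backend.
PUBLISHED_PREFIXES = ("/owa/", "/sites/")


class InternalAppHandler(BaseHTTPRequestHandler):
    """Stands in for an internal server (think Exchange or SharePoint)."""
    server_version = "InternalIIS/7.5"   # identity the outside world should not see
    sys_version = ""

    def do_GET(self):
        body = f"internal content for {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):        # keep the demo quiet
        pass


def is_published(path: str) -> bool:
    """Application-level check: does this path belong to a published application?"""
    return any(path.startswith(prefix) for prefix in PUBLISHED_PREFIXES)


def make_proxy_handler(backend_port: int):
    """Build a handler that answers clients itself and talks to the backend for them."""

    class ReverseProxyHandler(BaseHTTPRequestHandler):
        server_version = "Gateway/1.0"   # the only server identity a client ever sees
        sys_version = ""

        def do_GET(self):
            if not is_published(self.path):
                self._reply(403, b"not a published application")
                return
            # Fetch on the client's behalf; the client has no route to the backend.
            conn = http.client.HTTPConnection("127.0.0.1", backend_port, timeout=5)
            try:
                conn.request("GET", self.path)
                resp = conn.getresponse()
                # Only status and body are relayed; backend headers (including its
                # Server banner) are dropped, so the backend stays hidden.
                self._reply(resp.status, resp.read())
            except OSError:
                self._reply(502, b"backend unavailable")
            finally:
                conn.close()

        def _reply(self, status: int, body: bytes):
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass

    return ReverseProxyHandler


def serve(handler_cls):
    """Start a server on an ephemeral localhost port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port: int, path: str):
    """What an external client sees: (status, Server header, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", "").strip(), resp.read().decode()
    finally:
        conn.close()


def run_demo():
    """Publish /owa/ and /sites/ through the proxy; probe one allowed and one refused path."""
    backend = serve(InternalAppHandler)
    proxy = serve(make_proxy_handler(backend.server_address[1]))
    try:
        port = proxy.server_address[1]
        return {"published": fetch(port, "/owa/inbox"),
                "unpublished": fetch(port, "/admin/config")}
    finally:
        proxy.shutdown(); proxy.server_close()
        backend.shutdown(); backend.server_close()


if __name__ == "__main__":
    for name, (status, server, body) in run_demo().items():
        print(f"{name}: {status} via {server!r}: {body}")
```

    Running it shows the allowed path answered with the backend's content but the proxy's own Server banner, and the unpublished path refused with 403 by the proxy itself; a plain port-forwarding firewall rule would have passed both requests straight to the internal server.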

    The second major functionality of UAG is VPN, which allows remote users to connect to the organization's network in a way that emulates them being connected directly to the network while at the office. This sort of connection can allow them to do anything they could do in the office, and provide the most advanced work environment (pyjamas notwithstanding). This functionality was included with previous versions of UAG under the name Network Connector. Network connector, or NC for short, was a VPN ability that was based on encrypting the connection with SSL, and was a proprietary technology developed by Whale Communications. At the time, Windows Servers also had built-in VPN abilities, but only based on the PPTP protocol, which is considered to be not very secure, and L2TP, which is quite secure, but difficult to deploy because of its complexity.

    Today, with UAG, multiple VPN technologies are included. NC is still there, though it has been renamed to SSL Network Tunneling. SSL Network Tunneling is also limited to classic client operating systems like Windows XP and Windows Vista. A new addition is SSTP, which is a more modern incarnation of SSL-VPN for Windows 7 users. The most important remote-access technology included with UAG is DirectAccess (DA for short), which offers a new and unique seamless VPN-like integration. With DA, users are virtually connected to the corporate network as soon as they connect to the internet, with no interaction or any need to configure components and launch diallers. All these will be covered in detail later in the book.

    How UAG works

    UAG's core functionality is implemented as an ISAPI filter and extension, together with various mechanisms to control other parts of Windows. ISAPI (Internet Server Application Programming Interface) is a technology that allows programmers to build add-ons for websites, enriching their functionality. UAG is heavily reliant on ISAPI to do its job, and integrates itself into Internet Information Services (IIS), Microsoft's web server component that ships with Windows. This integration gives UAG its face—users logging in see a website that is generated by UAG, and UAG's ISAPI filter and extension are the components that fetch data from internal servers and show it to the user.

    To do this, UAG has a mechanism that allows it to manipulate the IIS configuration directly. It creates one or more sites in IIS, and integrates itself into them by registering its ISAPI filter. Since the UAG ISAPI components are integrated into the IIS website, content going to and from the site goes through these, and they can manipulate the data directly and efficiently. To learn more about ISAPI, read the following article: http://msdn.microsoft.com/en-us/library/at50e70y(VS.80).aspx

    If you take a look at IIS on a fresh UAG installation, you will notice that the Default Website contains some new virtual directories, such as InternalSite, which has been created by UAG. This virtual directory hosts the login screen that users see, as well as other pages like the log-off page, error pages, and others. InternalSite also includes the various authentication mechanisms, the client detection and installation system and more. It looks darn good, if you ask us. As you'll start configuring portals on UAG, new virtual directories will appear under the Default Web Site of IIS running on the
