Forefront Unified Access Gateway 2010: An Introduction To Enterprise Features


A short introduction to UAG and to its features. VPN, Direct Access and Publishing are the main topics. System requirements and hints to a successful deployment are given during the speech.


    1. Thanks to the sponsors
    2. Agenda
       • User Experience
       • UAG Usage
       • Forefront UAG architecture
       • UAG 2010: Support boundaries
       • UAG Access Model
       • Windows 2012 Direct Access And UAG
       • UAG Publishing
    3. User Experience
    4. User Experience - SharePoint WorkSpace Mobile
    5. A Good Reason To Talk About UAG
    6. UAG Usage
       • Forefront UAG is used only for inbound access control
       • Allow access anywhere with SSTP
       • DirectAccess
       • Portal
       • Integration with NAP
       • Endpoint compliance scan
       • Allow customization
    7. Forefront UAG architecture (image from: Deploying Microsoft Forefront Unified Access Gateway 2010, Microsoft Press)
    8. What's New In UAG
       • 64-Bit Software
       • Enhanced Host-based and Network Firewall
       • Multi-Server Arrays
       • Network Load Balancing
       • UAG and DirectAccess
       • Publishing Capabilities
       • Remote Access Client VPN Services
    9. Forefront UAG Service Pack 3: What's New
    10. UAG 2010: Support boundaries – Direct Access
       You can use Forefront UAG as a publishing server, creating trunks to publish corporate applications for access by remote client endpoints either directly, or via a Web portal. In addition, you can deploy Forefront UAG as a DirectAccess server, to extend the benefits of Windows DirectAccess across your infrastructure, providing transparent access for DirectAccess clients. Note the following:
       • A single server can be configured as both a Forefront UAG publishing server, and as a Forefront UAG DirectAccess server
       • An array can consist of Forefront UAG servers that act as both remote access publishing servers, and as Forefront UAG DirectAccess servers
       • You cannot publish the Network Connector application when Forefront UAG is configured as a DirectAccess server
    11. UAG 2010: Support boundaries – Network adapters
       • Forefront UAG supports configuration of two networks – internal and external. Connecting to different switches for network redundancy is supported, providing that both are defined as part of the internal or external network
       • Using Forefront TMG running on the Forefront UAG server to provide multiple network routing is not supported
       • Deployment with a single network adapter is not supported
    12. UAG 2010: Support boundaries – Forefront TMG running on Forefront UAG
       By default, Forefront Threat Management Gateway (TMG) is installed during Forefront Unified Access Gateway (UAG) Setup. Forefront TMG is installed as a complete product, and is not modified to run on a Forefront UAG server. Forefront UAG uses Forefront TMG, as follows:
       • Forefront TMG acts as a firewall, protecting the Forefront UAG server
       • Forefront UAG uses Forefront TMG infrastructure and functionality in some deployment and monitoring scenarios
    13. Forefront UAG client devices
       • Internet Explorer versions: Internet Explorer 6, 7, 8, 9, 10 (64-bit), 10 (32-bit)
       • Non-Internet Explorer browsers: Firefox 2.0.x, 3.0.x, 3.5.x, 4, 10, 11; Safari 3.2.x, 4.0.x, 5.0.x; Opera 9
       • Mobile browser and mobile operating system support: Windows RT; Windows Phone 7, Windows Phone 7.5, Windows Phone 8; Windows Mobile 2005 for Pocket PC, Windows Mobile 6, Windows Mobile 6.5; iPhone version 3.0.x; iOS 4.x and 5.x on iPhone and iPad; Android: Phone 2.3, Tablet 3.0, Phone 4.0, Tablet 4.0; Nokia: S60 3rd edition, S60 3rd edition Feature Pack 2, S60 5th edition
    14. Windows 2012 Direct Access And UAG
       • UAG features for DirectAccess have been rolled into Server 2012
       • Side-by-Side Migration of Forefront UAG DirectAccess
    15. UAG Access Model
       • Web Applications – Reverse Proxy (Portal)
       • Non Web Based Applications – Port Forwarding
       • VPN – SSTP or Network Connector
       • Direct Access – «Transparent» Remote Access
    16. UAG Standalone Or Domain Member?
       UAG can be deployed as either a domain member or a workgroup member. Scenarios that REQUIRE domain membership:
       • SSTP VPN connection
       • Certificate based authentication
       • File server access
    17. Fault Tolerance and Load Balancing
       • A Forefront UAG server array is configured as, and acts like, a single logical Forefront UAG server
       • Configuration is performed once, at the array manager, and then is distributed automatically to all the array members
       • Forefront UAG is integrated with Network Load Balancing
       • Do not configure NLB on the Forefront UAG server in the Windows Network Load Balancing console
       • Alternative: external load balancer (check for compliance with Direct Access)
    18. UAG Requirements
       • The minimum hardware requirements are as follows:
         – 2.66 GHz, Dual core CPU
         – 4 GB memory and 2.5 GB of free disk space
         – Two network adapters
       • There is no official sizing guide for UAG
       • Reserve enough disk space for the logs
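As an added example, not part of the original slides, the following PowerShell script is a pre-deployment check to run on a candidate UAG server: it compares the host with the minimum figures from the requirements slide and with the two-adapter rule from the network adapter support boundaries. It uses only WMI classes available on Windows Server 2008 R2; counting "connected physical adapters" as the adapter count and checking free space on the system drive are assumptions made here.

```powershell
# Added pre-deployment check (not from the slides). Thresholds are the
# minimums stated in the UAG Requirements and Support boundaries slides.
$minClockMHz   = 2660   # 2.66 GHz
$minCores      = 2      # dual core
$minMemoryGB   = 4
$minFreeDiskGB = 2.5    # bare minimum; reserve more for trunk and TMG logs
$requiredNics  = 2      # one internal, one external; single NIC unsupported

$findings = @()

# CPU: total cores across sockets and the fastest rated clock
$cpus     = Get-WmiObject Win32_Processor
$cores    = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
$maxClock = ($cpus | Measure-Object -Property MaxClockSpeed -Maximum).Maximum
if ($cores -lt $minCores -or $maxClock -lt $minClockMHz) {
    $findings += "CPU: $cores core(s) at $maxClock MHz (need $minCores cores at $minClockMHz MHz)"
}

# Memory
$memGB = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
if ($memGB -lt $minMemoryGB) {
    $findings += "Memory: $memGB GB (need $minMemoryGB GB)"
}

# Free space on the system drive (assumption: UAG and its logs live there)
$sysDrive = $env:SystemDrive
$disk     = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
$freeGB   = [math]::Round($disk.FreeSpace / 1GB, 1)
if ($freeGB -lt $minFreeDiskGB) {
    $findings += "Disk: $freeGB GB free on $sysDrive (need $minFreeDiskGB GB)"
}

# Network: physical adapters with an active link (NetConnectionStatus 2 = Connected)
$nics     = Get-WmiObject Win32_NetworkAdapter -Filter "PhysicalAdapter=TRUE AND NetConnectionStatus=2"
$nicCount = @($nics).Count
if ($nicCount -lt $requiredNics) {
    $findings += "Network: $nicCount connected physical adapter(s); a single-adapter deployment is not supported"
}

if ($findings.Count -eq 0) {
    "All minimum UAG requirements met."
} else {
    $findings | ForEach-Object { "FAIL - $_" }
}
```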
    19. UAG Publishing
       • Access to our applications and resources for people coming from different locations, and from different devices
       • Single web application or a Forefront UAG portal (that consolidates multiple resources in a single gateway)
    20. Publishing – Portals
       All applications that you want to publish through Forefront UAG need to be part of a portal
    21. Publishing – Trunks
       UAG establishes: a listener in TMG, a series of rules, a website in IIS
    22. Multiple Trunks
       • A UAG server can contain multiple trunks, depending on how many IP addresses are assigned to its external interface
       • At any point, an administrator can add IP addresses to the external NIC of the UAG server, add public DNS mappings to these addresses, and add more trunks
    23. UAG Applications
       • An "application" for UAG is a collection of settings and rules that determine how UAG publishes a certain internal website or application
    24. Types Of Applications
       • Over 40 «templates»
         – Built-in services
         – Web (applications)
         – Client/Server and Legacy
           • Remote Network Access -> Full VPN
         – Browser-embedded
           • XenApp
         – Terminal Services and Remote Desktop
    25. HAT and AAM
       • Host Address Translation (HAT) to publish internal servers with no FQDN resolvable on the external networks
         – Publish multiple servers from within the organization, all on a single IP and port
       • SharePoint has a feature called Alternate Access Mappings (AAM) that modifies the URLs before they are sent to UAG
    26. Portal And Direct connection
       • Portal: We are able to create a web portal to act as a gateway
       • Direct connection: We can publish a web application with a public FQDN
       • Applications will be published in the portal
    27. Authentication Repository
       External users are authenticated against a variety of authentication directories
    28. Creating a Portal – DEMO
    29. Publishing SharePoint
    30. Publishing SharePoint – DEMO
    31. Publishing Exchange
       • Outlook Web App
       • Outlook Anywhere (RPC-over-HTTPS)
       • ActiveSync
       • Configure Exchange publishing:
         – As a normal application
         – Directly during the process of creating a trunk (Create Trunk Wizard)
    32. Remote Connectivity
       • Network Connector
         – Listens and tunnels ALL traffic into the internal network
       • Secure Socket Tunneling Protocol
         – SSTP is a Windows Server feature that is new to Windows Server 2008
         – On the client side, the SSTP "client" is also built-in
         – UAG adds client auto configuration
       • DirectAccess
    33. Publishing remote network access with SSTP – DEMO
    34. Remote Desktop
       • RemoteApp
         – Configure the RemoteApp on your Terminal Server
         – Export the RemoteApp configuration as a TSPUB
         – Make it available to UAG
       • Remote Desktop (Predefined)
       • Remote Desktop (User Defined)
    35. Publishing File Access and Local Drive Mapping applications – DEMO
    36. Client Components
       • The UAG client components are automatically installed on computers that connect to the UAG portal:
         – Endpoint detection
         – They contain the SSL tunneling components
         – Endpoint Session Cleanup component, which cleans up the user's system after a session has ended
    37. Q&A – All the material from this session at