Endpoint component deployment design guide Web viewMicrosoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter

Forefront Unified Access Gateway 2010

Endpoint Component Deployment Design GuideMicrosoft® Corporation

Published: January, 2010

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, and MS-DOS, Windows, Windows Server, and Active Directory are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

ContentsEndpoint component deployment design guide..............................................................................5

About this guide........................................................................................................................... 5

Introduction to endpoint component deployment design.................................................................5About endpoint components........................................................................................................5

About the Endpoint Session Cleanup component...........................................................................7

About the Endpoint Detection component.......................................................................................8Information collected from client endpoints.................................................................................8

About SSL tunneling....................................................................................................................... 9

About the SSL Application Tunneling component.........................................................................10

About the Socket Forwarding component.....................................................................................11

About the SSL Network Tunneling component..............................................................................12About remote user interaction...................................................................................................13

Identifying your client endpoint component deployment goals......................................................13

Mapping your deployment goals to client endpoint component deployment design.....................14

Allowing remote client access.......................................................................................................15What applications do you want to publish?................................................................................15Who are the clients and what are their limitations?...................................................................15

Notes...................................................................................................................................... 18How do you install the components on the client endpoint?......................................................18When do you need to customize the endpoint components?....................................................19

Securing remote access...............................................................................................................20

Endpoint component deployment design guideRemote access to internal applications published by the Forefront Unified Access Gateway (UAG) server may come from a variety of client endpoints, such as, company-owned laptops, home computers, and public Internet kiosks. Forefront UAG has the required technology to identify settings and features on an endpoint computer, and allow or deny access accordingly.

About this guideThis Endpoint component deployment design guide is intended for the system administrator who is responsible for providing remote access to end users through Forefront UAG. The guide is designed to help you understand how to use Forefront UAG client endpoint components and client endpoint policies, to allow or deny access to published applications.

Use this guide to:

Understand client endpoint component concepts. For more information, see Introduction to endpoint component deployment design.

Identify the goals you want to achieve when deploying client endpoint components. For more information, see Identifying your client endpoint component deployment goals.

Map your deployment goals to a component deployment design. For more information, see Mapping your deployment goals to client endpoint component deployment design.

Introduction to endpoint component deployment designThis topic provides an overview of endpoint components, and how they are used in your endpoint component deployment in Forefront Unified Access Gateway (UAG).

When designing your endpoint component deployment, make sure you know which applications will be published through the Forefront UAG server, because different types of applications require the use of different endpoint components.

About endpoint componentsForefront UAG installs client components on client endpoints to enable Forefront UAG remote access features. Different remote access features require different client components on the client endpoint. As soon as the client endpoint attempts to access a Forefront UAG site, Forefront UAG attempts to determine which client components are installed and running on the endpoint

5

computer. Detection is performed by the Forefront UAG Endpoint Detection component that is installed on the client endpoint. The Endpoint Detection component verifies the identity of the Forefront UAG site against the site’s server certificate, and checks whether the site is on the client endpoint’s Trusted Sites list. Only if the site is trusted, can the component run on the client endpoint, and collect the data that identifies settings and features on the client endpoint, and identify which client components are installed and running on the computer.

The Forefront UAG endpoint components that are installed on client endpoints to enable Forefront UAG features and functionality, include:

Forefront UAG Endpoint Component Manager—Downloads, installs, manages, and removes all the Forefront UAG endpoint components. There are two versions of this component: ActiveX and Java Applet.

Forefront UAG Endpoint Session Cleanup—There are two versions of this component: ActiveX and Java Applet. For more information, see About the Endpoint Session Cleanup component.

Forefront UAG Endpoint Detection —There are two versions of this component: ActiveX and Java Applet. For more information, see About the Endpoint Detection component.

Non-Web tunneling—Several components are used to provide SSL tunneling capabilities. For more information, see About SSL tunneling.

The SSL tunneling components are:

Forefront UAG SSL Application Tunneling—There are two versions of this component: ActiveX and Java Applet. For more information, see About the SSL Application Tunneling component.

Forefront UAG Socket Forwarding—For more information see About the Socket Forwarding component.

Forefront UAG SSL Network Tunneling—For more information, see About the SSL Network Tunneling component.

Socket Forwarding Helper—Used for support purposes.

When a user first accesses the Forefront UAG site, Forefront UAG detects whether it can install the client components on the endpoint computer, according to the prerequisites described in Who are the clients and what are their limitations?.

Note the following:

On endpoint computers that meet these prerequisites, the Forefront UAG Component Manager installs only the client components required by the published application.

By default, the following components are installed automatically:

Forefront UAG Endpoint Session Cleanup

Client Trace utility

Forefront UAG Endpoint Detection

On client endpoints that do not meet these prerequisites, the Forefront UAG client components are not installed.

6

In cases where the SSL Application Tunneling ActiveX component is not installed and cannot be installed on a client endpoint, when the client endpoint attempts to access a non-Web application, the SSL Application Tunneling Java applet runs to enable access to the application. The Java applet provides SSL Tunneling functionality only, and does not enable any of the other features that are enabled by the Forefront UAG client components, such as client endpoint detection, Forefront UAG Endpoint Session Cleanup, Socket Forwarding, or SSL Network Tunneling.

About the Endpoint Session Cleanup componentThe Forefront Unified Access Gateway (UAG) Endpoint Session Cleanup component deletes persistent data that is downloaded to a client endpoint from the sites protected by Forefront UAG or data related to the Forefront UAG session that is created by the client endpoint browser. This occurs when:

A Forefront UAG session ends, for example, when the user closes the browser.

When the user logs off from a Forefront UAG site by using the site’s logoff mechanism.

During a scheduled logoff, or a scheduled cleanup.

After an unscheduled power outage, or an unscheduled reboot.

The Endpoint Session Cleanup component deletes items that are saved in the browser’s cache during the session, such as Web pages, cookies, and also application-specific cached files that are stored in the application’s temporary folder. The Endpoint Session Cleanup component also deletes items that are saved in the browser’s offline folder. These include files that were opened from within the browser for editing by an external application, such as an Office application (for example, a document that was opened via the browser for editing in Microsoft Office Word). The offline folder is cleaned only when all Forefront UAG sessions on the client endpoint end. Only items that were written to the offline folder after the Endpoint Session Cleanup component was first activated during the initial login, are deleted.

Optionally, you can configure the Endpoint Session Cleanup component to delete items that are saved outside the cache, including the browser history, Web address auto complete, intelliforms, forms autocomplete, and cached passwords. The Endpoint Session Cleanup component deletes these items only when the component shuts down, and not at the end of each session. If the user closes the browser without first logging out of the site, the Endpoint Session Cleanup component does not shut down immediately; it shuts down only on the next scheduled logoff or scheduled cleanup. Note that all items are deleted according to the DOD 5220.22-M standard.

The Endpoint Session Cleanup component includes a built-in crash recovery mechanism that ensures that all items are removed even under extreme circumstances, such as a power shutdown. If, under those circumstances, the component is terminated without deleting all of the

Note:

7

required items, when the computer is next started, the component automatically runs and cleans up any remaining items.

Endpoint Session Cleanup is one of the Forefront UAG client endpoint components which users are prompted to download when they try to access a Forefront UAG site, prior to logon. You can set a client endpoint policy whereby users can access a site or launch an application only if the Endpoint Session Cleanup component is running on the client.

About the Endpoint Detection componentThe Forefront Unified Access Gateway (UAG) Endpoint Detection component is used to assess the compliance of an endpoint to the Forefront UAG endpoint policies. As soon as a user attempts to access the site, Forefront UAG attempts to determine which security components are installed and running on the endpoint. The Forefront UAG Endpoint Detection component, which is installed on the endpoint, verifies the identity of the Forefront UAG site against the site’s server certificate, and checks whether the site is on the user’s Trusted Sites list. Only if the site is trusted, will the component run on the endpoint computer and collect the data that identifies which components are installed and running on the computer. When detection is not functional on an endpoint computer, access may be denied, even though the endpoint might comply with the requirements of the policy. For example, if an application’s policy requires a running antivirus program, and such a program is already running on the computer, access to the application is still denied, because Forefront UAG cannot detect that the program is running on this computer.

Forefront UAG provides a default endpoint detection script (Detection.vbs). You can also create customized detection scripts.

Compliance with Forefront UAG endpoint policies is determined when a client endpoint computer first accesses the site. If a client’s computer settings that affect compliance are changed after login, users must log in again to apply the changes. When using NAP policies, enforcement is performed for the duration of the session.

For information about endpoint policies, see Planning to implement endpoint access policies.

Information collected from client endpointsWhile working with the Forefront UAG site, if endpoint detection is enabled on the client endpoint, in addition to identifying settings and features on the client endpoint, the following information is collected by the Endpoint Detection component:

Network domains—Domain Name System (DNS) and NetBIOS.

User information—User name and user type.

Certificates in “My certificate store”—Certificate issuer and certificate subject.

If required (for example, to comply with legal or corporate guidelines), you can configure Forefront UAG so that users are notified before the information is retrieved from their device, and are

Note:

8

prompted to give their consent for the site to collect such information. You configure this setting by selecting the Prompt user before retrieving information from endpoint check box on the Endpoint Access Settings tab of the Advanced Trunk Configuration dialog box. On endpoints on which users do not give their consent, detection is not performed.

About SSL tunnelingWhen using Forefront Unified Access Gateway (UAG) and supporting non-Web applications over a secure sockets layer (SSL) connection, SSL tunneling causes the application traffic at the client endpoint to be overlaid with SSL encryption and tunneled to the SSL VPN gateway, that is, Forefront UAG. The SSL VPN gateway decrypts the traffic and sends the payload to the application server in the internal network. The Forefront UAG Socket Forwarding component add-on, which is based on Layered Service Provider and Named Service Provider technologies, can be used to support a wider variety of applications, such as supporting applications that jump ports, without the need to make changes to the running operating system. The Forefront UAG SSL Network Tunneling component can be used to provide full VPN access to the corporate network.

The SSL Application Tunneling component tunnels application traffic through SSL using one of the following relay types:

Simple relay—Opens a port on the client endpoint, and tunnels the TCP traffic to and from a specific port on the application server. Using this type of relay, to communicate with the application server, the application client on the endpoint must communicate through the locally opened port. The SSL Application Tunneling component makes changes, such as changes to the application client settings, Windows registry, or Windows hosts file, to enable the application client to communicate through this tunnel.

HTTP Proxy and SOCKS Proxy relays—Opens a port on the client endpoint. The SSL Application Tunneling component acts as either an HTTP or a SOCKS proxy server, and it tunnels the HTTP or SOCKS traffic to and from the application server. Using this type of relay, the application client on the endpoint can communicate through the locally opened port with multiple servers and ports. The SSL Application Tunneling component makes changes, such as changes to the application client settings, Windows registry, or Windows hosts file, to enable the application client to communicate through this tunnel. This type of relay enables the SSL VPN proxy to request more than one server, thus enabling the support of dynamic ports.

In browsers where the Java applet is used, when multiple portals are open concurrently, only applications that are launched from the portal that was accessed first can listen on HTTP or SOCKS proxy ports. Users cannot launch applications that use HTTP proxy and SOCKS proxy relays from additional portals.

Note:

9

Transparent relay—Automatically creates a relay between the client endpoint and the application server, for every application client on the endpoint that wants to communicate with the internal network. This type of relay is supported only by the Forefront UAG Socket Forwarding component and does not require any changes on the endpoint.

The Socket Forwarding component is an ActiveX component and can run only on Windows operating systems with Internet Explorer.

SSL Network Tunneling component—This component supports full connectivity over a virtual transparent connection, and enables you to install, run, and manage remote connections, as if the endpoint were part of the corporate network. The SSL Network Tunneling component uses either the proprietary Forefront UAG Network Connector, or a standards-based approach using the Secure Socket Tunneling Protocol (SSTP). The operating system of the client endpoint and the type of the SSL Network Connector deployed on the server, determine which type of SSL Network Tunneling component is used, as follows:

SSL Network Tunneling (Network Connector)—Used on client endpoints running the Windows XP and Windows Vista operating systems.

The SSL Network Tunneling (Network Connector) component can run only on Windows operating systems with Internet Explorer.

SSL Network Tunneling (SSTP)—Used on client endpoints running the Windows 7 operating system.

Note that if you are running XCompress on Forefront UAG, you must set the streaming optimization to "Low latency". You can automate the process by copying the file XCompress.js from the following location:

...\Microsoft Forefront Unified Access Gateway\von\conf\samples\CustomHooks

to the following location:

...\Microsoft Forefront Unified Access Gateway\common\bin\CustomHooks

Open the file you copied, and follow the instructions in the file to configure it for your system.

The following topics describe the endpoint components used for SSL connections:

About the SSL Application Tunneling component

About the Socket Forwarding component

About the SSL Network Tunneling component

About the SSL Application Tunneling componentThe Forefront Unified Access Gateway (UAG) SSL Application Tunneling component provides SSL connectivity for non-Web protocols, such as those used by client/server and legacy

Note: Note:

10

applications, from the Internet to the internal network, thus enabling Forefront UAG users to safely access back-end applications.

Using the Forefront UAG portal homepage, remote users can access a range of applications, such as native messaging applications, standard e-mail applications, collaboration tools, connectivity products, and more. The SSL Application Tunneling component allows precise, per-user and per-server configurations, and can be used in conjunction with Forefront UAG endpoint policies, providing for an SSL VPN experience. Multi-platform application support ensures that users can access their applications from computers running Windows, Macintosh OS X, and Linux operating systems, by using a wide range of browsers.

For end users to run SSL Application Tunneling applications, the Forefront UAG site must be trusted by the client endpoint. When a user launches an SSL Application Tunneling application, the SSL Application Tunneling component verifies the identity of the Forefront UAG site against the site's server certificate, and checks whether the site is on the user's Trusted Sites list; only if the site is trusted will the application launch.

Note that when working with SSL Application Tunneling applications via an HTTP trunk, tunneled traffic is not encrypted.

About the Socket Forwarding componentThe Forefront Unified Access Gateway (UAG) Socket Forwarding component is used to support a wider variety of applications than the SSL Application Tunneling component, such as, applications that jump ports without the need to make changes to the running operating system.

The Forefront UAG Socket Forwarding component comprises two modules: Winsock2 Layered Service Provider (LSP) and Name Service Provider (NSP). When an application uses Winsock, Windows loads either the NSP module (when the application performs a name resolution), or the LSP module (when the application uses sockets to connect to a remote server).

The NSP and LSP modules intercept every networking activity performed by the application. Though this interception should not cause any problems and is completely transparent to the application, it is possible that the application will not function correctly because of the NSP or LSP interception.

To minimize the risk of potential problems, certain applications are included in the LSP and NSP modules' block list. Based on this list, the NSP and LSP modules can disable themselves, and stop intercepting network activities when they detect that the application within which they run, is on their block list. When disabled in this manner, the LSP and NSP modules do not enable access from this application to the corporate network.

When access to an application in the corporate network is blocked because it is included in the block list, users may still gain access to other application servers that reside on the local intranet or the Internet.

The LSP and NSP modules contain two inherent application lists:

Tip:

11

Block list—Contains applications that are known to be problematic. Access to these applications from within the corporate network is always blocked, regardless of the selected socket forwarding activation mode.

Allow list—Contains applications for which the LSP and NSP will always be active, regardless of the selected socket forwarding activation mode.

Blocking of additional applications depends on the following socket forwarding activation mode, defined during application configuration:

Basic—In this mode, none of the applications that load the LSP or NSP modules are enabled access to configured corporate resources, unless the Forefront UAG SSL Application Tunneling component is running, and at least one tunnel is open. In this mode, Windows services (non-interactive applications) are not allowed access to configured corporate resources, regardless of whether the SSL Application Tunneling component is running or not.

Extended—This mode is identical to the Basic mode, except that Windows services are enabled access to configured corporate resources.

Virtual private network (VPN)—In this mode, the LSP and NSP modules are always active in all applications; that is, access is enabled to configured corporate resources except for the applications listed in the block list.

Basic mode enables most applications to work via Forefront UAG, and is the recommended socket forwarding mode. For some applications, however, extended mode or VPN mode is required.

You select the Socket Forwarding activation mode for an application when you configure the application.

About the SSL Network Tunneling componentThis topic describes the Forefront Unified Access Gateway (UAG) SSL Network Tunneling component, which allows you to create remote client VPN connections to the internal corporate network.

The SSL Network Tunneling component provides the following features:

Auto-detection and manual tuning of corporate network settings, such as DNS, WINS, default gateway, and domain name, and includes support for computers with multiple connections.

Support for all types of IP-based unicast traffic, in any direction: client to server, server to client, and client to client.

Two IP provisioning methods.

Internet access configuration, including split tunneling, non-split tunneling, and no tunneling.

Protocol filters for IP-based protocols.

Note:

12

Access to additional networks.

After configuring an SSL Network Tunneling server, you can allow remote VPN access to internal networks by publishing the SSL Network Tunneling application in a portal. The type of network tunneling that is used (Network Connector or SSTP) is determined when client endpoints access your site.

About remote user interactionRemote VPN clients connecting to the internal network using SSL Network Tunneling are treated as if they are part of the corporate network, with full connectivity over a virtual and secure transparent connection. Depending on the SSL Network Tunneling server configuration, remote VPN clients can:

Communicate with all the computers in the network; for example, the system administrator can connect to remote VPN client endpoints to install software updates, configure existing applications, or help users to troubleshoot their systems.

Access corporate servers and systems such as, mail, FTP servers, databases, and voice over IP applications.

Communicate with other VPN remote clients connected with SSL Network Tunneling.

Remote users can launch the SSL Network Tunneling client using the SSL Network Tunneling application link on a portal homepage. After the application is launched, users are connected to the internal network. They can access and be accessed by other network computers. They can run additional internal applications, without having to launch the application from the portal homepage. User interaction with SSL Network Tunneling depends on the SSL Network Tunneling client component that is installed on their computer.

Note the following:

Only one SSL Network Tunneling client can run on a client endpoint at a time.

It is recommended that while SSL Network Tunneling is active, users do not access other Forefront UAG portal sites or close the Web browser.

Identifying your client endpoint component deployment goalsFor the successful deployment of Forefront Unified Access Gateway (UAG), you must identify your client endpoint component deployment goals correctly. This topic is designed to help you identify these goals. After identifying the goals, you can map them to a deployment design that meets each goal.

The possible goals for client endpoint component deployment include the following:

13

Provide remote access to internal applications and resources—Provide end users (such as, employees, vendors, partners) with remote access to applications that are published internally on the corporate network.

End users have different requirements when trying to access your internal applications, including:

Accessing e-mail.

Viewing company-sensitive presentations and documents.

Accessing internal file shares.

Accessing legacy applications that do not use Web protocols.

For each task, the end user may be working on a managed or unmanaged endpoint device, running a variety of operating systems, and using different Web browsers.

Ensure that remote access to internal applications is secure—Ensure that only clients that you want to remotely access applications can do so, and that content that is downloaded to a client endpoint browser from the sites protected by Forefront UAG or files created by a client endpoint browser, are removed from the client endpoint at the end of the session, or when the user logs off from the Forefront UAG site.

Items that you may want to remove include, items saved in the browser’s cache such as Web pages, cookies, and also application-specific cached files that are stored in the application’s temporary folder. You may also want to delete items that are saved in the browser’s offline folder; for example, files that were opened from the browser for editing by an external application, such as an Office application.

You may also want to delete items that are saved outside of the browser’s cache; for example, the browser history, Web address auto complete, intelliforms, forms auto complete, and cached passwords.

Mapping your deployment goals to client endpoint component deployment designThe following topics describe how to map your Forefront Unified Access Gateway (UAG) client endpoint deployment goals to a deployment design:

Allowing remote client access—Describes how to allow remote clients to access your internal applications and resources through a Forefront UAG portal.

Securing remote access—Describes how to ensure that only the clients that you want to access your applications and resources can do so, and that there is no data leakage from Forefront UAG portal sessions.

14

Allowing remote client accessThis topic provides answers to these questions you should ask when planning to deploy Forefront Unified Access Gateway (UAG) endpoint components on client endpoints.

What applications do you want to publish?

Who are the clients and what are their limitations?

How do you install the components on the client endpoint?

When do you need to customize the endpoint components?

What are the system requirements for Forefront UAG endpoints?

What applications do you want to publish?To design a solution that allows clients to access applications and resources remotely, you must first define the applications and resources that they will access. Forefront UAG can allow access to a large number of applications and resources within the following categories:

Built-in services—Services such as File Access and SSL Tunneling (remote VPN access).

Web applications—Applications that use the HTTP or HTTPS protocols and a Web interface.

Client/server and legacy applications—Applications that use non-HTTP/HTTPS protocols.

Browser-embedded applications—Web-initiated applications that use a Web-based interface to create a non-Web connection.

Different applications require different endpoint components. For example, client/server and legacy applications require you to use the SSL Application Tunneling component, whereas Web applications may require only the Endpoint Session Cleanup component.

For further information on planning application publishing and securing your applications, see Application publishing design guide and Securing remote access.

Who are the clients and what are their limitations?Although Forefront UAG can provide remote access to several operating systems and Web browsers, the user experience may differ depending on the operating system and the Web browser that is on the client endpoint.

The following table describes the prerequisites for installing and running Forefront UAG client endpoint components.

Supported operating system Supported browsers for Forefront UAG site access

Client component support

32-bit operating systems:

Windows XP with SP2, and

Internet Explorer 6; Internet Explorer 7;

For installing and running client components, computers running

15



Windows XP with SP3

Windows Vista and Windows Vista with SP1

Windows 7

Internet Explorer 8

Firefox 3.0.x; Firefox 3.5.x

Safari 3.2.x; Safari 4.0.x

Windows operating systems support Internet Explorer, Firefox, and Safari browsers.

The following client components are supported:

Endpoint Session Cleanup; Endpoint detection; SSL Application Tunneling; Socket Forwarding; Endpoint Quarantine Enforcement (from Windows XP SP3).

In addition, some components are supported only on selected operating systems:

Windows XP: SSL Network Tunneling (Network Connector)

Windows Vista: SSL Network Tunneling (Network Connector)

Windows 7: SSL Network Tunneling (SSTP)

Note: When using a Web browser other than Internet Explorer, when available, the Java applet version of the component is installed.

64-bit operating systems:

Windows Vista and Windows Vista with SP1

Windows 7

Windows Server 2008 R2

Only 32-bit browsers are supported:

Internet Explorer 6; Internet Explorer 7; Internet Explorer 8



For installing and running client components, computers running Windows operating systems support Internet Explorer, Firefox, and Safari browsers.


Endpoint Session Cleanup;

16



Endpoint detection; SSL Network Tunneling (SSTP); Endpoint Quarantine Enforcement.

Note: The Endpoint Detection component does not work on Windows Server 2008 R2.

In addition, some components are supported only on selected operating systems:

Macintosh OS X 10.4 and up (PowerPC and Intel)



Forefront UAG Java client components are supported for Macintosh computers running Firefox and Safari browsers.


Endpoint Session Cleanup; Endpoint detection; SSL Application Tunneling.

Linux 32-bit operating systems (RPM-based Linux distributions: Red Hat Enterprise 5, Fedora 10 and up. Debian Linux distributions; Debian 5 and up, Ubuntu 8.04 LTS and 9.04 and up)

Firefox 3.0.x; Firefox 3.5.x Forefront UAG Java client components are supported for Linux computers running a Firefox browser.


Endpoint Session Cleanup; Endpoint detection; SSL Application Tunneling.

Windows Mobile 2005 for Pocket PC; Windows Mobile 6; Windows Mobile 6.5

Pocket Internet Explorer

Windows Mobile 6.5 supports the premium mobile portal

iPhone version 3.0.x Safari (iPhone version), supports the premium mobile portal

17



Nokia:

S60 3rd edition, Feature Pack 1—Validated on E71, N95

S60 3rd edition, Feature Pack 2—Validated on E72, E52

S60 5th edition—Validated on N97

All handsets support the limited mobile portal

Notes Forefront UAG ActiveX client components are supported only on client endpoints running

Windows operating systems with an Internet Explorer browser. For online installation, the browser must be configured to enable the download and running of signed ActiveX objects.

The Forefront UAG Component Manager ActiveX object installs the other client components. For initial online installation of Forefront UAG Component Manager, administrator privileges are required on the client endpoint.

Java client components cannot be installed using offline installation.

For Java client components, Forefront UAG requires JRE version 1.5.

In Forefront UAG, the initial installation of the Endpoint Detection Java applet and the Endpoint Session Cleanup Java applet require administrator privileges on the client endpoint.

There are no specific requirements for the Forefront UAG Client Trace and Socket Forwarding Helper components.

Although browsers other than those in the table above may be functional for site access, for full feature functionality use only the recommended browsers.

How do you install the components on the client endpoint?There are three options for installing Forefront UAG client endpoint components:

Install the endpoint components on demand when a client accesses the portal (online installation mode)—This is useful when there are a number of different applications and resources published through the portal. As a client accesses a particular application or resource, the required endpoint components are downloaded and installed.

Online installation mode is suitable for end-users who have ActiveX download rights in Windows Internet Explorer, and are logged in with administrator privileges. In this mode, as

18

soon as users try to access the site, before logging in, Forefront UAG downloads the Component Manager to their endpoints. After the Component Manager is installed on the client endpoint, the Component Manager determines the need for installing the remaining components each time the user accesses the site, and then installs them.

By default, the following components are installed automatically:

Endpoint Session Cleanup.

Client Trace utility.

Endpoint Detection.

If required, you can configure other components that will be installed automatically.

The remaining components are installed, as required. For example, when the user accesses a non-Web application for the first time, the Component Manager installs the SSL Application Tunneling component.

By default, each portal or application that you publish automatically installs the endpoint components, unless you specifically change the setting to disable component installation and activation.

Install the endpoint components using an offline installer—This deployment method uses the Client Components Installer and is useful for end-users who do not have ActiveX download rights in Windows Internet Explorer, and are logged in with administrator privileges. It can also be used on browsers other than Internet Explorer, by end-users who are logged in with administrator privileges, to install the SSL Network Tunneling (Network Connector) component.

In this mode, users can download an auto-install file to their computer by using either an “installer” toolbar button or a link on the portal homepage. They can then log out of the site and use this file to install the components in an offline mode.

Install the endpoint components using an offline installation file—This method installs the client endpoint components using a download file, and is used for end-users who do not have ActiveX download rights on Windows Internet Explorer and are non-privileged (guest/user) users. In this setup, the administrator must log in to the endpoint computer by using power-user or Administrator privileges, and install the components before the user accesses the site.

When do you need to customize the endpoint components?The Forefront UAG Endpoint Session Cleanup and Forefront UAG Endpoint Detection components can be customized to more closely match your requirements:

Endpoint Session Cleanup—Before activating the Endpoint Session Cleanup component for portal and application sessions, there are several settings that you can modify, if required. These include:

Note:

19

Specifying which items saved outside the browser cache are cleaned up.

Configuring a scheduled cleanup after a preconfigured timeout period.

Enabling the Endpoint Session Cleanup component on a custom logoff page. The code that triggers the component to initiate the cleanup of the browser’s cache on the client, is embedded in the logoff message page that is supplied with Forefront UAG. If the trunk is configured to use a custom logoff page, you must add the code in the custom page.

Configuring the encrypted pages save setting. Usually, Windows Internet Explorer browsers save encrypted SSL pages to the “temp files” folder. To prevent the browser from saving SSL pages to the default “temp files” folder, users can enable the “Do not save encrypted pages to disk” setting in Internet Explorer, located by clicking the Tools menu, clicking Internet Options, and then clicking the Advanced tab. In this case, when users download an SSL page, they are prompted to provide an alternative location to where it should be saved. In this setup, when a session ends, the Endpoint Session Cleanup component clears the “temp files” folder but cannot identify the location to which the encrypted pages are saved. To prevent these pages from remaining on the endpoint computer, at the beginning of each session, the Endpoint Session Cleanup component automatically disables the “Do not save encrypted pages to disk” setting, if enabled, so that encrypted pages are saved to the “temp files” folder. At the end of the session, after the Endpoint Session Cleanup component stops monitoring all open sessions, the “Do not save encrypted pages to disk” setting reverts to its original status. You can cancel the disabling of the “Do not save encrypted pages to disk” setting.

Endpoint Detection—This component uses the default script Detection.vbs to detect applications on a client endpoint, based on the presence of files and registry keys. This file is located in the folder \Microsoft Forefront Unified Access Gateway\von\InternalSite. You can make create your own script based on the Detection.vbs script to perform your own customized endpoint detection.

Securing remote accessThis topic describes the options that are available to help you provide secure remote access to your published applications and resources through Forefront Unified Access Gateway (UAG).

When providing remote access to your applications, you must design a remote access policy. Designing a remote access policy requires you to determine who are your end users, what clients they are using, and decide if you want to provide access to only certified client endpoints.

Forefront UAG provides the following mechanisms to determine who the client endpoint is, whether they can access internal resources and applications, and if so, which internal resources and applications they can access:

Forefront UAG Endpoint Detection component—Used to determine the client type, including the operating system, firewall version, and antivirus software. This component is also used to determine the other endpoint components that are currently installed on the client endpoint.

20

Forefront UAG Endpoint policies—Forefront UAG is installed with a large number of default endpoint policies that can be used to provide or block access to certain applications and resources, based on the health of the client endpoint. Forefront UAG also contains policies that restrict a client from uploading content to the site, or downloading content from the site. For example, you may want to prevent users who are accessing the site from an internet kiosk from downloading documents, or prevent users who don’t have an up-to-date antivirus from uploading documents.

Authentication servers—Forefront UAG supports a wide range of authentication servers, such as, RADIUS, ACE SecureID, and Active Directory. These servers can be used to authenticate users before they even access the portal.

Application authorization—Enables individual users or groups of users to be granted access to specific applications within a portal. For example, members of the finance department can be granted access to financial applications but denied access to the customer relationship management application; or, members of the sales department can be granted access to the sales database but denied access to the company’s financial applications.

Forefront UAG Endpoint Session Cleanup component—The Endpoint Session Cleanup component can remove temporary data after a session ends. This can prevent the leaking of sensitive data, for example, if during the time someone is using the portal, files containing sensitive information are downloaded to the client endpoint.

Certified client endpoints—You can certify client endpoints by using a client certificate. You can create client endpoint policies whereby users can access a site or an application only if their computer is a certified endpoint. The certified endpoint feature is supported only on HTTPS trunks.

21

Documents

Endpoint component deployment design guide Web viewMicrosoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter