
Sunday, August 22, 2010

Forefront UAG architecture


The following diagram shows a basic topology for Forefront UAG.

Forefront UAG can be configured as a publishing server. You publish internal corporate applications and resources through Forefront UAG, and remote client endpoints in a variety of locations reach these published resources by connecting over HTTP or HTTPS to a Forefront UAG site or portal. You can publish Web and non-Web applications and Remote Desktop Services (RDS) applications, and you can allow full VPN client access to internal networks. To control endpoint access you can configure a number of mechanisms, including client authentication and access policies that allow or deny access based on endpoint health checks.

In addition, Forefront UAG can be configured as a DirectAccess server. Forefront UAG DirectAccess lets remote managed computers connect automatically and seamlessly to the corporate intranet whenever Internet access is available, without the user initiating a VPN connection. Bi-directional connectivity is established each time a DirectAccess-enabled computer is connected to the Internet, even before the user logs on, so the computer can be managed (policy, patching) while it is away from the corporate network.


Portals and trunks


A Forefront UAG trunk is the transfer channel through which you publish corporate applications and resources. Remote endpoints connect to the trunk and, through it, access the internal applications and resources. You create a trunk as either HTTP or HTTPS, which fixes whether endpoints connect to it over HTTP or over HTTPS. For an HTTPS trunk you need a server certificate that the connecting endpoints trust and whose subject or subject alternative names match the trunk's public host name; in practice that means a certificate from a public certification authority, because unmanaged endpoints will not carry the root of an internal CA.

Remote endpoints can access applications and resources published via a trunk in one of two ways:

1. Connect to a portal: you can create a Forefront UAG portal for a trunk, to provide a consolidated Web gateway through which remote endpoints access one or more corporate applications.
2. Connect directly: you can publish Web applications with an application-specific public host name, so that endpoints type in that host name and connect directly to the application.

On a single server, each trunk has a unique listener (a combination of IP address and port). In an array of multiple Forefront UAG servers, every server in the array shares the same trunks. If traffic arriving at the array members is load balanced, each trunk has a unique virtual IP (VIP) address, and traffic arriving at the trunk can be serviced by any of the array members, which provides scalability, high availability, and failover.

There are a number of trunk properties that you can set, including IP addresses, public host name and ports, authentication requirements for users connecting to portal sessions, access policies with which endpoints must comply in order to access portals, a logoff policy for the portal, and a traffic inspection policy.
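The two rules above that bite most often in practice are the listener rule (no two trunks on the same IP address and port of a server) and the certificate rule (an HTTPS trunk's certificate must be trusted by the endpoint and must cover the portal host name and every application-specific host name published directly through that trunk). The following script is an added example, not Microsoft code and not a UAG API: it models a planned trunk layout as plain data (the Trunk class, the field names and the sample deployment are all assumptions constructed for the example) and checks those rules offline, including RFC 6125-style wildcard matching for the certificate names.

```python
"""Offline consistency check for a planned Forefront UAG trunk layout.

Added example; UAG exposes no such model. Trunk, its fields and the sample
deployment below are constructed assumptions used only to illustrate the
listener and certificate rules described on the page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Trunk:
    name: str
    scheme: str                                  # "http" or "https"
    ip: str                                      # listener IP (VIP when load balanced)
    port: int
    public_host: str                             # portal host name endpoints connect to
    app_hosts: List[str] = field(default_factory=list)   # directly published app host names
    cert_sans: List[str] = field(default_factory=list)   # dNSName SANs on the server certificate
    cert_trusted: bool = False                           # chain trusted by connecting endpoints


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive; a wildcard may only be the whole
    leftmost label, matches exactly one label, and needs at least two labels after it."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                         # e.g. ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]                  # the part the wildcard must cover
    return bool(left) and "." not in left and suffix.count(".") >= 2


def cert_covers(sans: List[str], host: str) -> bool:
    """True if any SAN on the certificate matches the host name."""
    return any(hostname_matches(san, host) for san in sans)


def validate(trunks: List[Trunk]) -> List[str]:
    """Return a list of findings; an empty list means the layout is consistent."""
    findings: List[str] = []
    seen: Dict[Tuple[str, int], str] = {}
    for t in trunks:
        if t.scheme not in ("http", "https"):
            findings.append(f"{t.name}: unknown scheme {t.scheme!r}")
        key = (t.ip, t.port)
        if key in seen:                          # one listener per trunk per server
            findings.append(f"{t.name}: listener {t.ip}:{t.port} already used by {seen[key]}")
        else:
            seen[key] = t.name
        if t.scheme == "https":
            if not t.cert_trusted:
                findings.append(f"{t.name}: server certificate chain is not trusted by endpoints")
            for host in [t.public_host] + t.app_hosts:
                if not cert_covers(t.cert_sans, host):
                    findings.append(f"{t.name}: certificate does not cover {host}")
    return findings


# Constructed sample deployment (TEST-NET addresses and example.com names, not real systems).
SAMPLE_TRUNKS = [
    Trunk("portal", "https", "203.0.113.10", 443, "portal.example.com",
          app_hosts=["owa.example.com", "crm.example.com"],
          cert_sans=["portal.example.com", "*.example.com"], cert_trusted=True),
    Trunk("legacy", "http", "203.0.113.10", 80, "legacy.example.com"),
    # Deliberately broken: reuses the portal listener, uses an untrusted single-name
    # certificate, and publishes an app whose host name that certificate does not cover.
    Trunk("partner", "https", "203.0.113.10", 443, "partner.example.com",
          app_hosts=["sharepoint.partner.example.net"],
          cert_sans=["partner.example.com"], cert_trusted=False),
]

if __name__ == "__main__":
    for line in validate(SAMPLE_TRUNKS) or ["no findings"]:
        print(line)
```

Run it as-is and the two healthy trunks pass while the third produces three findings, one per broken rule. The wildcard matcher is deliberately strict: `*.example.com` covers `owa.example.com` but not `example.com` itself or `a.b.example.com`, which is exactly the mismatch you see when a directly published application gets a host name outside the certificate's wildcard.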


Supported Authentication

Forefront Unified Access Gateway (UAG) supports the following authentication methods and providers:

* RSA SecurID
* LDAP
* Active Directory
* AD FS 1.0 (Update 1 adds support for AD FS 2.0)
* KCD (Kerberos constrained delegation)
* RADIUS
* Certificates (PKI, with CRL checking)
 
To be continued...
