Forefront Unified Access Gateway 2010 Access Control for Publishing Design Guide Microsoft® Corporation Published: January, 2010



Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, and MS-DOS, Windows, Windows Server, and Active Directory are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.


Contents

Access control for publishing design guide
    About this guide
Introduction to endpoint access design
Identifying your endpoint access deployment goals
Mapping your deployment goals to an endpoint access design
Planning for client authentication
    Client endpoint access over HTTPS
    About session authentication
Planning for frontend authentication
    LDAP authentication
        LDAP authentication flow
    LDAP client certificate authentication
        LDAP client certificate authentication flow
    RADIUS authentication
        Secret key
        Challenge-response modes
        RADIUS groups
        RADIUS authentication flow
    RSA SecurID authentication
        Next Token mode
        New PIN mode
        RSA SecurID authentication flow
    TACACS authentication
        TACACS authentication flow
    WINHTTP authentication
        WINHTTP authentication flow
Planning for backend authentication to published servers
    Basic, NTLM, or HTTP forms authentication
    Kerberos constrained delegation


        System requirements
Planning for federation with AD FS
    Supported scenarios
    AD FS prerequisites
Planning for endpoint health checking
    Inbuilt access policies
    NAP access policies
Planning to implement endpoint access policies
    Using endpoint policies
    Session endpoint policies
    Application endpoint policies
    Endpoint detection
        Information collected from client endpoints
Planning for portal application authorization


Access control for publishing design guide

Forefront Unified Access Gateway (UAG) provides a gateway for remote employees, mobile workers, partners, and other third parties to access corporate applications and resources. To help secure applications published through the gateway, Forefront UAG allows you to define which users are allowed to access the applications, and how they will authenticate to Forefront UAG and to the applications. Forefront UAG allows you to use a number of authentication servers to authenticate users to the portal.

About this guide

This guide is designed to help you understand how you can use Forefront UAG with authentication servers to identify and preauthenticate end users to the portal, and to authenticate end users to the published applications.

The guide is intended for the system administrator who is responsible for ensuring that end users are properly authenticated to the Forefront UAG portal and to the published applications.

Use this guide to:

Understand endpoint access and identity concepts. For information, see Introduction to endpoint access design.

Identify your endpoint access and identity deployment goals. For information, see Identifying your endpoint access deployment goals.

Map your deployment goals to an endpoint access and identity design. For information, see Mapping your deployment goals to an endpoint access design.

Start planning your deployment strategy. For information, see Planning an endpoint access design.

Introduction to endpoint access design

Forefront Unified Access Gateway (UAG) enables you to provide remote access to corporate applications and resources for remote employees, mobile workers, partners, and other third parties. However, providing remote access to applications and resources that are located on your corporate network could potentially lead to security breaches. Forefront UAG helps you to provide secure remote access only to the users and endpoints that you want to allow access to your applications and resources, by using a combination of endpoint health policies, authentication servers, and application access authorization.

Health policies—Forefront UAG provides inbuilt policies that check the health of endpoint devices by checking for system settings and features on the endpoint. Each of the policies can be edited to check for specific settings or features, as required. You can also define your own policies. When checking the health of endpoint devices, you must try to find the correct balance between strict and more permissive policies, for a wide range of end users, using different endpoint devices and requiring access to many different applications.

Authentication servers—You can require users to authenticate for access to the Forefront UAG portal and application sessions. Forefront UAG supports a number of predefined authentication schemes; you can also create custom schemes. Configuring authentication requires you to set up authentication servers against which user credentials are verified.

User authorization—In addition to user authentication, you can configure authorization settings for specific applications published in a portal. You specify which users and groups can access specific applications, based on users and groups defined on user and group servers used for authorization. You can configure users and groups on the same server you use for authentication, or you can combine authentication against one type of authentication server, with the authorization of users and groups in a different authentication scheme.

Identifying your endpoint access deployment goals

For the successful deployment of Forefront Unified Access Gateway (UAG), you must identify your endpoint access deployment goals correctly. This topic is designed to help you identify your endpoint access deployment goals. By identifying these goals, you can clearly pinpoint the endpoint access design requirements necessary to meet each goal. Depending on the size of your organization, implementing a solution might require the involvement of other IT staff, in addition to the infrastructure specialist or systems architect. You can take advantage of existing, documented, and predefined endpoint access deployment goals that are relevant to endpoint access designs, and develop a working solution for your endpoint access scenarios.

This topic describes the following predefined goals:

Providing remote access for employees—The primary goal for using Forefront UAG is to provide employees of your organization with secure remote access to applications and resources located on your internal network. This goal requires you to plan an authentication scheme for end users who access your portal, an authentication scheme for end users to connect to the published applications and resources, single sign-on (SSO) if required, and access policies to check the health of endpoints.

Within this goal are two possible scenarios: providing access for managed devices, and providing access for nonmanaged devices.

If you are providing access for employees using managed devices, you can use an authentication scheme that already exists within the organization. The authentication scheme may use smart cards, tokens, or certificates. When determining the health of the endpoint, you must ensure that the health checks that you perform, that is, the settings and features that you check using access policies, will accurately identify the endpoints as being managed or not managed.


When providing access for employees using nonmanaged devices, you must ensure that you can correctly identify the employee who is attempting to gain access to the internal applications and resources. To authenticate employees in this scenario, you may use a basic level of authentication to provide a minimal level of access. If the employee attempts to access restricted information, you can require them to provide further credentials. As you do not have control over the settings and features on the device, this may limit the thoroughness of the health checking performed on the device, which means that you can provide only a subset of functionality to these users. For example, if an end user on a managed device can download and save files stored on a SharePoint site, an end user accessing the same site from a nonmanaged device is not allowed to view the files.

Providing remote access for partners—If your organization works with partners, it may be necessary to provide individual employees or groups of employees from the partner organization with remote access to applications and resources from your organization. To implement this goal, you can use Active Directory Federation Services (AD FS) to provide the identity information of the partner employees to your organization.

If you are unable to use AD FS to identify the partner employees, you can use shadow accounts within your own Active Directory domains.

When providing access to partner employees who are not using devices managed by your organization, you must try to find a balance in the health checking that you perform. If you are too restrictive, partner employees who should have access to the resources and applications that you publish may not be able to access them. However, if you are not restrictive enough, partner employees may be able to access and distribute proprietary information.

It is recommended that you use a dedicated Forefront UAG trunk when publishing applications for partners.

Providing remote access for customers—Many companies must provide access to internal applications and resources to customers. For this goal, you should use or create a repository to store the customer identity information. When customers attempt to access the applications and resources that you publish, Forefront UAG authenticates the customer against this repository. Forefront UAG supports a variety of authentication schemes, or you can configure a user-defined authentication server.

To ensure that all of your customers can access the applications and resources that you publish, you should only perform generic health checking. You must also take care when defining the trunks and applications to ensure the integrity of your own network.

Mapping your deployment goals to an endpoint access design

To begin the Forefront Unified Access Gateway (UAG) endpoint access and identity design process, you must first identify your deployment goals (see Identifying your endpoint access deployment goals). After evaluating these goals, you can select a design that meets your endpoint access and identity deployment objectives.

The following table maps each possible deployment goal to the planning tasks that you must perform to implement that goal.

Deployment goal: Remote employee access
Planning tasks:
    Planning for frontend authentication (in particular, LDAP authentication)
    Planning for backend authentication to published servers
    Planning for portal application authorization
    Planning for endpoint health checking
    Planning to implement endpoint access policies

Deployment goal: Partner access
Planning tasks:
    Planning for federation with AD FS
    Planning for portal application authorization
    Planning for endpoint health checking
    Planning to implement endpoint access policies

Deployment goal: Customer access
Planning tasks:
    Planning for frontend authentication
    Planning for portal application authorization
    Planning for endpoint health checking
    Planning to implement endpoint access policies

Planning for client authentication

Forefront Unified Access Gateway (UAG) allows you to control client endpoint access to published resources, by using the following methods:

Require an HTTPS channel between client endpoints and the Forefront UAG server.

Apply session authentication. You can require client endpoints to authenticate in order to connect to a portal or an individually published Web application.

Client endpoint access over HTTPS

When you create a trunk to publish a portal or specific Web application, you can specify that client endpoints must communicate with the Forefront UAG server over an HTTPS connection. In this case, you must select a server certificate when you configure the trunk. This certificate is used to authenticate the Forefront UAG server to the client endpoint.

About session authentication

Forefront UAG enables you to control access to internal resources by verifying end user credentials against an authentication database. A portal or application session is opened only for end users who authenticate successfully; end users who cannot authenticate successfully do not gain access. Access is granted per end user, and each authentication instance is only valid for one session. Forefront UAG integrates with numerous authentication schemes even if the application being protected has no inherent support for the method you choose to implement; in such cases, Forefront UAG serves as a client of the third-party authentication server. In addition, Forefront UAG also enables periodic reauthentication by applying a logoff scheme. After a predetermined time, end users must resubmit credentials to continue working; otherwise, their sessions are terminated.

To define session authentication, you should define an authentication server against which the credentials of end users who connect to a portal or application session are verified. For more information about Forefront UAG client authentication schemes, see Deploying frontend authentication servers.

Planning for frontend authentication

Forefront Unified Access Gateway (UAG) supports the use of a number of different authentication protocols to authenticate end users to the Forefront UAG portal. By using these authentication protocols, you can provide strong authentication, for example two-factor or smart card authentication.

The following topics describe the supported authentication protocols:

LDAP authentication

LDAP client certificate authentication

RADIUS authentication

RSA SecurID authentication

TACACS authentication

WINHTTP authentication

If you do not want to use one of the authentication schemes provided by Forefront UAG, you can configure a custom authentication scheme.


LDAP authentication

Lightweight Directory Access Protocol (LDAP) is an Internet protocol for querying and modifying directory services. The LDAP authentication server keeps information about users, including authentication information such as user properties and authentication scripts, in special-purpose databases termed directories. When a connection request arrives at the Forefront Unified Access Gateway (UAG), the user name and password are authenticated against the LDAP directory.

Forefront UAG implements the following LDAP authentication schemes:

Netscape Directory Server (V. 4.1)

Notes Directory Server

Novell Directory Server

Active Directory Lightweight Directory Services (AD LDS) for Windows Server 2008, and Active Directory directory service for Windows Server 2003 or Windows 2000 Server.

The supported LDAP authentication schemes are capable of the following:

Operating with two LDAP authentication servers—If the primary LDAP server fails, Forefront UAG accesses the alternate LDAP server.

Supporting a secure port—If the authentication server uses a secure port, Forefront UAG uses a secure connection, even if this was not configured when the scheme was defined.

In the Novell Directory Server, unique users do not need to enter their context when entering the user name. A unique user appears only in one context in the tree, or if a "Base" is defined, the user appears only in one context under the Base.

LDAP authentication flow

The following figure illustrates the authentication process for users when the LDAP authentication scheme is implemented with one authentication server.

The flow allows for three login attempts, after which login failure is final. The number of login attempts users are allowed is configurable.

LDAP Authentication Flow


LDAP client certificate authentication

Client certificate authentication schemes require end users to authenticate by supplying a client certificate, which is installed on their device. No login information, such as user name and password, is required for the authentication process. You can only use client certificate authentication for Forefront Unified Access Gateway (UAG) sites published over an HTTPS connection.

The LDAP client certificate authentication scheme supported by Forefront UAG operates with one or two LDAP authentication servers. LDAP authentication servers keep information about users in directories, including authentication and authorization information, such as user properties and access rights.

When a trunk is configured to apply the LDAP client certificate authentication scheme, and a connection request arrives at the Forefront UAG server, the authentication scheme does the following:


Authenticates the user—A user requesting to connect is prompted by the browser to select a client certificate. When the user selects a certificate, Forefront UAG verifies the validity of the certificate and the identity of the user.

Authorizes the user—After the certificate is validated and the user is recognized, Forefront UAG checks with the LDAP authentication server to verify that the user is authorized to access the application server.

Each registered user in the LDAP server is assigned a Distinguished Name (DN), which includes a hierarchical address, for example: organization\organizational_unit\username.

When the LDAP client certificate scheme operates with two LDAP authentication servers, if the primary LDAP server fails, the User Manager accesses the alternate LDAP server.

LDAP client certificate authentication flow

The following figure illustrates the authentication process for users when the LDAP client certificate authentication scheme is implemented with one authentication server.

LDAP client certificate Authentication Flow


RADIUS authentication

The RADIUS scheme applies the Remote Authentication Dial-In User Service (RADIUS) protocol in order to manage the exchange of authentication information in the internal network. When using a RADIUS server for authentication in Forefront Unified Access Gateway (UAG), the RADIUS authentication server and Forefront UAG operate in a client-server mode, whereby Forefront UAG is configured as a client of the RADIUS server.

Secret key

The RADIUS protocol utilizes a secret key to encrypt the credentials that the user enters in the login script. The authentication server then decrypts the data and compares it to its database.

Challenge-response modes

The RADIUS authentication scheme supports all the challenge-response authentication modes available on the RADIUS server; for example, allowing the user to create a new personal identification number (PIN), requiring the user to create a new PIN, requiring the user to enter the token that is displayed on the authenticator, and more.

RADIUS groups

You can configure the RADIUS authentication scheme to extract users' group membership from a RADIUS attribute.

RADIUS authentication flow

The following figure illustrates a sample authentication process through which users pass when the RADIUS authentication scheme is implemented in a challenge-response mode. In this mode, the user can be challenged a number of times before the request is accepted, depending on the configuration of the RADIUS server.

The flow allows for three login attempts, after which login failure is final. The actual number of login attempts users are allowed is configurable.

RADIUS Authentication Scheme--Sample Flow
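The secret key described in the Secret key section protects the User-Password attribute of a RADIUS Access-Request as specified in RFC 2865. The following Python is added here as an illustration; it is not taken from this guide or from Forefront UAG. It builds and parses an Access-Request to show how the hiding works and why the secret must be configured identically on the client (Forefront UAG) and the server; the shared secret, user name and password are constructed values.

```python
import hashlib
import os
import struct

# Constructed value for the example. A real deployment configures the same
# secret on Forefront UAG (the RADIUS client) and on the RADIUS server.
SHARED_SECRET = b"example-shared-secret"

ACCESS_REQUEST = 1      # RADIUS packet code
ATTR_USER_NAME = 1      # attribute type numbers from RFC 2865
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is padded with NULs to a multiple of 16 bytes; each 16-byte
    chunk is XORed with MD5(secret + previous chunk), where the "previous
    chunk" for the first block is the 16-byte Request Authenticator.
    This is keyed obfuscation, not authenticated encryption: the protection
    is only as good as the secrecy and randomness of the shared secret.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return bytes(out).rstrip(b"\x00")   # strip the NUL padding


def build_access_request(identifier, username, password, secret, authenticator=None):
    """Encode an Access-Request: code, identifier, length, authenticator, attributes."""
    if authenticator is None:
        authenticator = os.urandom(16)   # must be unpredictable for every request
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD,
                              hide_password(password, secret, authenticator))):
        if len(value) > 253:
            raise ValueError("attribute value too long")
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value   # type, length, value
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_access_request(packet, secret):
    """Decode the packet as the server would and recover the plaintext password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    authenticator = packet[4:20]
    attrs = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return identifier, attrs[ATTR_USER_NAME], password


if __name__ == "__main__":
    pkt = build_access_request(7, b"alice", b"correct horse", SHARED_SECRET)
    print(parse_access_request(pkt, SHARED_SECRET))
    # A server holding a different secret cannot recover the password, which is
    # why a mismatched secret shows up as every login failing.
    print(parse_access_request(pkt, b"other-secret")[2] == b"correct horse")  # prints False
```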


RSA SecurID authentication

Forefront Unified Access Gateway (UAG) supports the RSA SecurID authentication scheme. This scheme authenticates the user on an RSA ACE/Server. When challenged, the user enters a password that is a combination of two numbers: a personal identification number (PIN), supplied by RSA, and a token code, which is the number displayed on the RSA SecurID authenticator.

The RSA SecurID scheme also supports two additional challenge-response modes: Next Token and New PIN, as described below.

Next Token mode

Next Token mode is applied in cases where the authentication process requires additional verification of the token code. The user is challenged to enter the next token code; that is, to wait for the number that is displayed on the authenticator to change, and enter the new number (without the PIN).

New PIN mode

New PIN mode is applied in cases where the authentication process requires additional verification of the PIN. In this case, the user must use a new PIN. Depending on the configuration of the RSA ACE/Server, the user is prompted to select and enter a new PIN, or the server supplies the user with a new PIN. The user then reauthenticates with the new PIN.

The use of the New PIN mode is optional and can be enabled or disabled in both the authentication server and the Forefront UAG Management console. If the settings are not the same, the Forefront UAG Management console takes precedence over the authentication server settings.

For security considerations, it is recommended that you do not enable the New PIN mode.

RSA SecurID authentication flow

The following figure illustrates the authentication process users pass through when the RSA SecurID scheme is implemented.

The flow includes both Next Token and New PIN modes, which are only applicable under the conditions described above.

The flow allows for three login attempts, after which login failure is final. The actual number of login attempts users are allowed is configurable.

RSA SecurID Authentication Flow


TACACS authentication

Forefront Unified Access Gateway (UAG) supports user authentication using a Terminal Access Controller Access Control System (TACACS). The TACACS protocol allows a network access server (NAS) to offload the user administration to a central server. When the TACACS authentication scheme is applied, user connection requests are directed by the NAS to the TACACS authentication server, where user identity is compared against the server's user database, and users are granted or denied access accordingly.


Forefront UAG and the TACACS authentication server operate in a client-server mode, where Forefront UAG is configured as a client of the TACACS server.

The TACACS authentication scheme uses a secret key to encrypt the authentication request. This key must be identically configured in both the Forefront UAG and the TACACS authentication server.

The TACACS authentication scheme was tested against the NTTacPlus authentication server.

TACACS authentication flow

The following figure illustrates the authentication process users pass through when the TACACS authentication scheme is implemented.

The flow allows for three login attempts, after which login failure is final. The actual number of login attempts users are allowed is configurable.

TACACS Authentication Flow


WINHTTP authentication

You can authenticate users in Forefront Unified Access Gateway (UAG) using WINHTTP authentication.

The WINHTTP authentication scheme checks users' credentials as follows:

You assign the URL of a Web page that requires users to authenticate; the web server challenges unauthenticated requests with an HTTP 401 response.

The web server you define checks if the user is authorized to access the requested URL. Only users that are authorized to access the URL are considered authenticated.

WINHTTP authentication flow

The following figure illustrates the authentication process users pass through when the WINHTTP authentication scheme is implemented.

WINHTTP Authentication Flow


The flow allows for three login attempts, after which login failure is final. The actual number of login attempts users are allowed is configurable.
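The WINHTTP check described above, modelled as an added Python example (not code from this guide or from Forefront UAG): a stand-in web page answers HTTP 401 until valid Basic credentials are presented, the check treats only a 200 response as "authenticated", and the logon flow stops after the configurable limit of three attempts. The server, the account and the URL path are constructed for the demonstration.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample account held by the stand-in web server.
DEMO_USERS = {"alice": "s3cret"}


class Protected401Handler(BaseHTTPRequestHandler):
    """Stand-in for the Web page that the WINHTTP scheme probes: it answers
    401 with a Basic challenge unless a valid credential is presented."""

    def do_GET(self):
        header = self.headers.get("Authorization", "")
        ok = False
        if header.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
                ok = DEMO_USERS.get(user) == pw
            except (ValueError, UnicodeDecodeError):
                ok = False
        if ok:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_demo_server():
    """Start the stand-in server on a free localhost port; return the URL to check."""
    server = HTTPServer(("127.0.0.1", 0), Protected401Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}/protected"


def winhttp_check(url, username, password):
    """One WINHTTP-style check: present the user's credentials to the configured
    URL; only a 200 response counts as authenticated, a 401 as rejected."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise  # any other status is a server problem, not a bad password


def login_flow(url, username, attempts, max_attempts=3):
    """Model the logon flow: passwords in `attempts` are tried in turn until one
    succeeds or the (configurable, default three) attempt limit is spent.
    Returns (authenticated, attempts_used)."""
    used = 0
    for password in attempts[:max_attempts]:
        used += 1
        if winhttp_check(url, username, password):
            return True, used
    return False, used
```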

Planning for backend authentication to published servers

Forefront Unified Access Gateway (UAG) allows you to delegate credentials, so that when a client authenticates during logon to a Forefront UAG site session, the credentials that are provided can be sent to backend servers that require authentication. This single sign-on (SSO) mechanism allows the user to log on to Forefront UAG with a single set of credentials that are then used to authenticate and gain access to any application for which the credentials are valid.

Forefront UAG can implement single sign-on by using session credentials to authenticate to published backend applications using the following methods:


Basic, NTLM, or HTTP forms authentication—Forefront UAG supports Basic, NTLM, and HTTP forms-based authentication. When a backend server requires Basic or NTLM authentication, it sends an HTTP 401 response to the Forefront UAG server. When a backend server requires HTTP forms-based authentication, Forefront UAG can be configured to provide the user credentials automatically.

Kerberos constrained delegation—Forefront UAG supports the use of Kerberos constrained delegation to authenticate users, after Forefront UAG has verified their identity by using a non-Kerberos authentication method.

Basic, NTLM, or HTTP forms authentication

Forefront Unified Access Gateway (UAG) allows you to authenticate users to published Web servers using Basic, NTLM, or HTTP forms-based authentication.

In order to use these authentication methods, Forefront UAG requires a username and password, which are normally collected during the frontend authentication process. The username and password are sent to the backend server when a user tries to access a resource on that server.

Kerberos constrained delegation

Forefront Unified Access Gateway (UAG) can use Kerberos constrained delegation (KCD) to provide single sign-on (SSO) functionality. KCD allows end users to access both the Forefront UAG site and the applications that are enabled through it by using client-certificate authentication, such as smart-card authentication, Active Directory Federation Services (AD FS), or one-time passwords. When using KCD, end users authenticate to the site only once; they are not required to supply their credentials again to log on to applications that require user authentication, and are not required to provide their domain password.

For more information about KCD technology, see Kerberos Protocol Transition and Constrained Delegation (http://go.microsoft.com/fwlink/?LinkId=122608).

System requirements

The following are the requirements for using KCD in your Forefront UAG deployment:

The Forefront UAG server must be part of a domain.

You must define at least one authentication server for the trunk to which the application belongs.

All domain controllers in the internal network must be computers running Windows Server 2008 or Windows Server 2003.

Users must be part of the same Active Directory forest as the Forefront UAG server and the application servers.


Forefront UAG and the application servers must be part of the same domain.

Planning for federation with AD FS

Active Directory Federation Services (AD FS) provides Web single sign-on technologies in order to authenticate a user to multiple Web applications over the life of a single session. AD FS achieves this by securely sharing digital identity and entitlement rights, or "claims", across security and enterprise boundaries. When using the Active Directory Lightweight Directory Service (AD LDS) or the Active Directory directory service, an organization experiences the benefit of single sign-on functionality through Windows-integrated authentication, within the organization's security or enterprise boundaries. AD FS expands this functionality for Internet-facing applications, enabling customers, partners, and suppliers to have a similar, streamlined, Web single sign-on user experience when they access the organization's Web-based applications. Furthermore, federation servers can be deployed in multiple organizations to facilitate business-to-business (B2B) federated transactions between partner organizations. For example, AD FS enables employees in company A to be identified by resources in company B, for the purpose of becoming authorized to perform actions on resources in company B.

In Forefront Unified Access Gateway (UAG), federated users can access Forefront UAG sites, and the applications published via the site, by using AD FS passive model authentication.

Supported scenarios

AD FS in Forefront UAG requires the following environment:

1. An AD FS v1 server.

2. The AD FS server is published by Forefront UAG. All user access to the AD FS server should be via Forefront UAG. The AD FS server should be published directly in an application trunk, and not in a portal trunk.

3. Shadowed accounts are required in the following cases:

If the resource organization must identify the exact user in the user organization. Alternatively, you can map users from the user organization to a group in the resource organization. Group mapping requires shadow groups, but not shadow accounts.

When the published application supports Kerberos constrained delegation, and you want to support single sign-on using Kerberos.

AD FS in Forefront UAG has the following applications and authentication requirements:

1. Logon to the Forefront UAG portal requires an NT token. Forefront UAG cannot consume claims.

2. Published backend applications can require either NT tokens or claims. In both cases, authentication between users and the backend application is performed directly. You should disable the setting Use single sign-on to send credentials to published applications in the application properties.


3. Kerberos constrained delegation can be used if it is supported by the published application.

AD FS prerequisites

To use AD FS with Forefront UAG, the following is required:

1. You must define two static IP addresses on the external network adapter of the Forefront UAG server before you install Forefront UAG.

2. The Forefront UAG server must be a domain member, even when Forefront UAG is installed in a perimeter network. This is required by the AD FS Web agent that must be installed on the Forefront UAG server.

3. An Active Directory repository must be used for authentication.

4. AD FS-enabled applications can only be published using HTTPS trunks.

Planning for endpoint health checking

Forefront Unified Access Gateway (UAG) access policies control remote endpoint access to Forefront UAG sessions and published resources. When client endpoints try to establish a session to a Forefront UAG site or portal, settings on the endpoint are compared with access policies to determine what type of access is allowed. You can use Forefront UAG client endpoint policies to create tiers of access to sites and applications. Endpoint policies enable you to determine whether or not client endpoint devices are allowed to access internal sites and applications, or perform certain operations on the application servers, depending on the settings and features of the endpoint devices.

You can configure the following types of access policies:

Inbuilt access policies—Forefront UAG provides inbuilt, predefined access policies. You can modify these predefined policies, if required, or create new policies.

Network Access Protection (NAP) policies—Forefront UAG can evaluate remote endpoints against NAP policies downloaded from a Network Policy Server (NPS).

Inbuilt access policies

Forefront UAG inbuilt endpoint policies enable you to create tiers of access by determining whether or not endpoint devices are allowed to access internal sites and applications, or perform certain operations on the application servers, depending on the security settings of the endpoint devices.

An endpoint policy can contain:

Platform-specific policies—These are enforced according to the operating system of the endpoint device from which the user accesses the Forefront UAG site. The available choices are Windows, Mac OS, Linux, or any other platform.


Expressions—These are conditions that are made up of variables, free VBScript text, or a combination of both. An expression encompasses platform-specific expressions, which are enforced according to the platform of the endpoint device from which the user accesses the Forefront UAG site. You should use expressions to define a policy in deployments where you do not need to address platform-specific issues. You can also use expressions, including platform-specific expressions, to define multiple conditions once, and then use them in several policies.

You can use the policies that are provided with Forefront UAG, edit them, and define additional policies, as required. You can use policies to define multiple conditions once, and apply them to the Forefront UAG site and across several applications.

It is recommended that you tailor the default policies to your organization's security needs. For example, edit all platform-specific Default Web Application Access policies to check for the antivirus software that your corporate endpoint computers are running.

NAP access policies

In addition to Forefront UAG inbuilt policies, you can evaluate endpoint settings against NAP policies downloaded from an NPS server. You specify the NPS server location and settings in the Forefront UAG Management console, and the NAP policies are retrieved from the specified server.

Planning to implement endpoint access policies

You can use Forefront Unified Access Gateway (UAG) client endpoint policies to create tiers of access to sites and applications. Endpoint policies enable you to determine whether or not client endpoint devices are allowed to access internal sites and applications, or perform certain operations on the application servers, depending on the settings and features of the endpoint devices.

This topic describes:

Using endpoint policies—How to set up and use endpoint policies.

Session endpoint policies—What a session endpoint policy is, and how it helps control access to Forefront UAG.

Application endpoint policies—What an application endpoint policy is, and how it helps control access to Forefront UAG.

Endpoint detection—The Forefront UAG Endpoint Detection component, and how it provides the basis for allowing remote users to access Forefront UAG based on policies.


Using endpoint policies

You can set up your endpoint policies so that access to internal applications is allowed, as follows:

From corporate laptops—All applications are accessible.

From an Internet kiosk—Only Microsoft Office Outlook Web Access is accessible.

Other access scenarios are possible, depending on your requirements.

You can use endpoint policies to control access to:

Forefront UAG sites for default and privileged sessions.

Specific applications.

Specific application features, such as downloading or uploading for Web applications, zones of a Web application defined by URLs, or printer, clipboard, and drive redirection for RemoteApps.

To publish an application, you must create a Forefront UAG trunk and add the application to the trunk. When you create a trunk, you assign the relevant endpoint policies to the trunk. When you add an application to a trunk, you assign the relevant policies to the application. An endpoint policy encompasses the conditions that apply to all endpoint devices, and is interpreted according to the operating system on which the computer runs, such as Windows or Linux. Different conditions can apply to different operating systems, according to the policies that you define.

An endpoint policy can be made up of operating system-specific policies or expressions, as follows:

Platform-specific policies—Platform-specific policies are enforced according to the operating system of the endpoint device from which the user accesses the Forefront UAG site. Available operating systems are Windows, Mac OS, and Linux.

Expressions—Expressions are conditions that are made up of variables, free VBScript text, or a combination of both. Each expression encompasses platform-specific expressions, which are enforced according to the operating system of the endpoint device from which the user accesses the Forefront UAG site. Use expressions to define an endpoint policy in deployments in which you do not have to address platform-specific issues. You can also use expressions, including platform-specific expressions, to define multiple conditions once, and then use them in several policies.

You can use endpoint policies and expressions that are provided with Forefront UAG, edit them, and define additional policies and expressions, as required. You can use endpoint policies to define multiple conditions once only, and apply them to the Forefront UAG site and across several applications.

It is recommended that you tailor the default endpoint policies to your organization's security needs. For example, edit all platform-specific Default Web Application Access policies to check for the antivirus software that your corporate endpoint computers are running.

For more information about creating, editing, and removing policies and expressions, see Configuring Forefront UAG access policies.

Session endpoint policies

When you create a trunk, you can assign it both of the following session policies:

Session Access Policy—Defines access permissions to the site. Only endpoints that comply with the selected policy are allowed access.

Privileged Endpoint Policy—Defines the conditions that render an endpoint a privileged endpoint, which can enjoy session privileges.

You first select the session policies when you create a trunk. You can change the session policies later from within the Forefront UAG Management console.

Application endpoint policies

Application endpoint policies may be of the following types:

Access policies that control access to an application.

Download policies that help prevent the spreading of sensitive data to endpoints that should not have access to sensitive data (for Web applications and browser-embedded applications only).

Upload policies that help prevent endpoints from sending malicious data, such as viruses, into the internal network (for Web applications and browser-embedded applications only).

Restricted zone policies that restrict access to sensitive areas of an application (for Web applications and browser-embedded applications only).

Printer, clipboard, and drive redirection policies for RemoteApps.

You first select the application endpoint policies when you create a trunk. You can change the application endpoint policies later from within the Forefront UAG Management console.

Endpoint detection

To assess the compliance of an endpoint with the Forefront UAG endpoint policies, Forefront UAG attempts to determine which security components are installed and running on the endpoint as soon as the user attempts to access the site. This is done by the Forefront UAG Endpoint Detection component, which is installed on the endpoint. The Endpoint Detection component verifies the identity of the Forefront UAG site against the site's server certificate, and checks whether the site is on the user's Trusted Sites list. Only if the site is trusted will the component run on the endpoint computer and collect the data that identifies which components are installed and running on the computer. When detection is not functional on an endpoint computer, access may be denied even though the endpoint might comply with the requirements of the policy. For example, if an application's policy requires a running antivirus program, and such a program is already running on the computer, access to the application is still denied, because Forefront UAG cannot detect that the program is running on this computer.

Forefront UAG provides a default endpoint detection script (Detection.vbs). You can also create customized detection scripts.

Compliance with Forefront UAG endpoint policies is determined when a client endpoint computer first accesses the site. If a client’s computer settings that affect compliance are changed after login, users must log in again to apply the changes. When using NAP policies, enforcement is performed for the duration of the session.
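The tiered model from "Using endpoint policies" and the detection failure mode from "Endpoint detection", as an added Python model that is not code from this guide or from Forefront UAG: a session policy gates the site, each application carries its own platform-specific access policy, and an endpoint whose detection did not run fails every policy even when it would comply. The report fields, policy contents, application names and the corporate domain are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class EndpointReport:
    """What endpoint detection reported (constructed field names; the real
    component's variable names are not given in the guide)."""
    detection_ran: bool            # False when the component could not run
    platform: str = "Other"        # Windows, Mac OS, Linux, or Other
    antivirus_running: bool = False
    dns_domain: str = ""           # DNS domain collected by detection


Check = Callable[[EndpointReport], bool]


@dataclass
class EndpointPolicy:
    """A policy holds one condition per platform plus a fallback for other platforms."""
    name: str
    per_platform: Dict[str, Check] = field(default_factory=dict)
    other_platforms: Check = lambda ep: False

    def evaluate(self, ep: EndpointReport) -> bool:
        # No detection data means compliance cannot be proven: deny, as the
        # guide describes, even if the endpoint would actually comply.
        if not ep.detection_ran:
            return False
        check = self.per_platform.get(ep.platform, self.other_platforms)
        return bool(check(ep))


def is_managed_device(ep: EndpointReport) -> bool:
    """Constructed condition: antivirus running and joined to the corporate DNS domain."""
    return ep.antivirus_running and ep.dns_domain.lower() == "corp.example"


# Constructed policy set: any detected endpoint gets a session; OWA is open to every
# platform (the Internet-kiosk tier); the other applications need a managed device.
SESSION_ACCESS = EndpointPolicy("Session Access Policy", other_platforms=lambda ep: True)
APP_POLICIES = {
    "Outlook Web Access": EndpointPolicy("OWA access", other_platforms=lambda ep: True),
    "SharePoint": EndpointPolicy("SharePoint access",
                                 per_platform={"Windows": is_managed_device}),
    "File Access": EndpointPolicy("File access",
                                  per_platform={"Windows": is_managed_device,
                                                "Mac OS": is_managed_device}),
}


def allowed_applications(ep: EndpointReport) -> Set[str]:
    """Applications the endpoint may reach: session policy first, then per-application policy."""
    if not SESSION_ACCESS.evaluate(ep):
        return set()
    return {app for app, policy in APP_POLICIES.items() if policy.evaluate(ep)}


# Constructed endpoints matching the guide's two scenarios, plus the detection failure case.
CORPORATE_LAPTOP = EndpointReport(True, "Windows", True, "corp.example")
INTERNET_KIOSK = EndpointReport(True, "Windows", False, "")
UNDETECTED_LAPTOP = EndpointReport(False, "Windows", True, "corp.example")
```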

Information collected from client endpoints

While working with the Forefront UAG site, if endpoint detection is enabled on the client endpoint, in addition to identifying settings and features on the client endpoint, the following information is collected by the Endpoint Detection component:

Network domains—Domain Name System (DNS) and NetBIOS.

User information—User name and user type.

Certificates in “My certificate store”—Certificate issuer and certificate subject.

If required (for example, to comply with legal or corporate guidelines), you can configure Forefront UAG so that users are notified before the information is retrieved from their device and are prompted to give their consent for the site to collect such information. You configure this setting by selecting the Prompt user before retrieving information from endpoint check box on the Endpoint Access Settings tab of the Advanced Trunk Configuration dialog box. On endpoints where users do not give their consent, detection is not performed.

Planning for portal application authorization

By default, all users are allowed to view and access an application published in a Forefront Unified Access Gateway (UAG) portal. You can disable the All Users Are Authorized default setting for an application, and configure application authorization. Application authorization allows you to control which users are authorized to view and access each of the applications published in a portal. This provides a personalized experience for different users, depending on their authorization permissions.

To use application authorization, you configure user or group authorization repositories against which users requesting access to portal applications can be evaluated. You can use repositories defined on existing authentication servers, or configure alternative authorization repositories. For more information, see Deploying users and groups for portal application authorization.

Note that application personalization only works when you use the default portal home page supplied with Forefront UAG. You can configure authorization with default or custom portal home pages.


To define authorization, do the following:

Define an authorization user or group server against which users requesting application access can be evaluated. You can use the servers you defined for user authentication, or specify a different server to be used for authorization. For information, see Planning for client authentication.

Set authorization settings for specific applications published in a portal.
