Dominik Zemp Microsoft Switzerland Ltd Liab. Co. Install and Configure Remote Access for SharePoint...

Post on 18-Jan-2018


Dominik Zemp, Microsoft Switzerland Ltd Liab. Co., dominik.zemp@microsoft.com

Forefront UAG 2010: Install and Configure Remote Access for SharePoint (and RemoteApp and DirectAccess) In An Hour

Agenda
• What is Forefront UAG?
• UAG Solution and Internal Architecture
• How to Publish SharePoint via UAG
• Live Demos
• How to Publish RemoteApps, DirectAccess, etc. via UAG
• Q & A

What are the different Microsoft Remote Access Solutions?

Answer:
• Threat Management Gateway (TMG)
• DirectAccess
• Remote Desktop Services
• Windows RAS (SSTP)
• Unified Access Gateway (UAG)

And which ones are for SharePoint?

Answer: all of them.
• Threat Management Gateway (TMG)
• DirectAccess
• Remote Desktop Services
• Windows RAS (SSTP)
• Unified Access Gateway (UAG)

What is Forefront UAG?

Solution and Internal Architecture

Unified Access Gateway (UAG) is the next version of Intelligent Application Gateway (IAG), with a vision and mission to provide managed, unmanaged and mobile devices with unified, secure anywhere access to on-premises and in-the-cloud applications.

What is Forefront UAG?

What (Data)
Who (Identity)
Where (Device)

UAG Connectivity Approach

Slide diagram: managed and unmanaged devices, internal and external users, private resources.

Users: Financial Partner or Field Agent, Project Manager Employee, Logistics Partner, Remote Technician Employee
Devices: Corporate Managed Laptop, Home PC, Unmanaged Partner PC, Kiosk
Resources: Web Apps, Client-Server Apps, Legacy Apps, Third-Party Apps, Homegrown Apps, File Access (for example SharePoint, Payroll & HR, Custom Financials, Supply Chain, Webmail, Tech Support App)
Examples of tailored access: Limited Webmail (no attachments), Limited Intranet

Each session is tailored according to its user and the device in use, maximizing security and productivity for that session.

UAG Solution Architecture

Slide diagram: UAG at the edge of the Internet with three entry paths: DirectAccess, HTTPS (443) and Layer 3 VPN.

Clients (Internet side): Business Partners / Sub-Contractors, Home / Friend / Kiosk, Employees' Managed Machines, Mobile
Authentication back ends: AD, ADFS, RADIUS, LDAP, NPS, ILM, ...
Published resources: Exchange, CRM, SharePoint, IIS based, IBM, SAP, Oracle (HTTPS / HTTP); Terminal / Remote Desktop Services; non-web applications

• Strong authentication
• Endpoint health detection: NAP and down-level
• Authorization: based on health status; who + where
• Information leakage prevention: attachment/cache wiper

Single Sign-On

Authentication repositories: Active Directory, LDAP, TACACS, RADIUS, RSA, Smart Card, Certificates, KCD, ADFS, etc. ... using UAG Hooks
No need for directory replication or repetition; alternative approaches require a local repository.
Transparent Web authentication: HTTP 401 request, static Web form, dynamic browser-sensitive Web form, Kerberos Constrained Delegation
Integrates with: password change management, user repositories

UAG Endpoint Policies

Inbuilt policies can check the health of endpoints connecting to the UAG portal and applications:
• Check system settings and features on the endpoint
• Control access to the trunk and applications, as well as actions such as downloading and uploading files
• Supports Windows, Mac OS, and Linux

Platform-specific policies are enforced according to the operating system on the endpoint device.
Predefined policies are enabled by default and can be edited to check for specific settings or features, as required; administrators can also define their own policies.

NAP Support

Enforces compliance and provides remediation for clients connecting through portal trunks or DirectAccess. Each scenario uses NAP in a different way:
• For portal trunks, UAG receives the statement of health (SoH) from the client and enforces policies directly
• For DirectAccess, the IPsec policies require a "health certificate" issued independently by NAP

Endpoint Session Cleanup

Wipes out the locally stored content upon session termination to prevent information leakage. Removes:
• Downloaded files and pages
• AutoComplete form contents
• AutoComplete URLs
• Cookies
• History information
• Any user credentials

UAG Internal Architecture

Slide diagram of the UAG 2010 components, grouped as shown on the slide:

Platform (Windows Server): TMG, Windows NLB, RRAS, IIS, TSG / RDG
Web Application Publishing: UAG Filter, Session Manager, User Manager, Config. / Array Manager, Internal Site, Portal
DirectAccess Server: DNS-ALG, NAT-PT, ISATAP, IP-HTTPS, Teredo, 6to4, Native IPv6, DTE / DoSP
IP VPN: SSTP, Layer 3 SSL Tunnel
Admin Core: Management UI, SCOM MP, UAG Logic, Tracing & Logging

How to Publish SharePoint?

Technical Details and Live Demos

Alternate Access Mappings

• Enable SharePoint to map Web requests to the correct Web sites and apps
• Define alternative public and internal URL names for the SharePoint Web site
• Should match the URLs typed by the user or provided by the reverse proxy (like UAG)
• Configured on the SharePoint Central Administration site

What every SharePoint Administrator needs to know about Alternate Access Mappings

Mistake #1: "I'm not deploying SharePoint in an unusual way, so I don't need to worry about configuring Alternate Access Mappings."

Mistake #2: Believing that your reverse proxy server's "link translation" feature is sufficient.

Mistake #3: Trying to reuse the same URL in AAM, or not aligning the URLs to the same zone.

Source: http://blogs.msdn.com/sharepoint/archive/2007/03/19/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-2-of-3.aspx
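As an added example (not part of the presentation and not SharePoint or UAG product code), the following Python script checks a set of Alternate Access Mappings against what a UAG trunk actually sends, which is where the three mistakes above show up. The zone entries, the trunk public URL https://sharepoint.contoso.com and the forwarded Host header are constructed sample values; the checker, its messages and the helper names are this example's own assumptions about how the rules are applied.

```python
"""Sanity-check SharePoint Alternate Access Mappings (AAM) against a UAG trunk.

Constructed sample data; zone names, URLs and the checker itself are
illustrative and not taken from SharePoint or UAG.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AlternateUrl:
    zone: str          # Default, Intranet, Internet, Custom or Extranet
    public_url: str    # URL the browser shows; one public URL per zone
    internal_url: str  # URL (Host header) as it arrives at SharePoint


def _key(url: str) -> tuple[str, str, int]:
    """Normalise a URL to (scheme, host, port) so http://sp and http://sp:80 compare equal."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme.lower(), (parts.hostname or "").lower(), port


def _fmt(key: tuple[str, str, int]) -> str:
    scheme, host, port = key
    default = 443 if scheme == "https" else 80
    return f"{scheme}://{host}" + ("" if port == default else f":{port}")


def check_aam(mappings: list[AlternateUrl], trunk_public_url: str, forwarded_host_url: str) -> list[str]:
    """Return a list of problems; an empty list means the AAM set is consistent.

    trunk_public_url   - what users type into the browser (the UAG trunk's public name)
    forwarded_host_url - scheme://host[:port] that UAG puts in the Host header towards SharePoint
    """
    problems: list[str] = []

    # Mistake #3 (first half): a URL may be mapped in only one zone.
    owner: dict[tuple[str, str, int], str] = {}
    for m in mappings:
        for key in {_key(m.public_url), _key(m.internal_url)}:
            if key in owner and owner[key] != m.zone:
                problems.append(f"{_fmt(key)} is used in both the {owner[key]} and {m.zone} zones")
            owner.setdefault(key, m.zone)

    # Mistakes #1/#2 and #3 (second half): the Host header UAG forwards must be an internal
    # URL of some zone, and that zone's public URL must be the URL the users actually see.
    hit = next((m for m in mappings if _key(m.internal_url) == _key(forwarded_host_url)), None)
    if hit is None:
        problems.append(f"no AAM entry has internal URL {forwarded_host_url}; "
                        "SharePoint cannot map the request to a zone")
    elif _key(hit.public_url) != _key(trunk_public_url):
        problems.append(
            f"Host header {forwarded_host_url} maps to the {hit.zone} zone with public URL {hit.public_url}, "
            f"but users reach the site as {trunk_public_url}; SharePoint will build absolute links with "
            f"{hit.public_url} and the proxy's link translation has to rewrite them (mistake #2)")
    return problems


# Constructed sample AAM set for a farm published through a UAG trunk.
SAMPLE_AAM = [
    AlternateUrl("Default", "http://sharepoint", "http://sharepoint"),
    AlternateUrl("Internet", "https://sharepoint.contoso.com", "http://sharepoint.contoso.com"),
]

if __name__ == "__main__":
    # Aligned: UAG forwards the public host name, which lands in the Internet zone.
    print(check_aam(SAMPLE_AAM, "https://sharepoint.contoso.com", "http://sharepoint.contoso.com"))  # []
    # Misaligned: UAG forwards the internal name, so links come back as http://sharepoint.
    print(check_aam(SAMPLE_AAM, "https://sharepoint.contoso.com", "http://sharepoint"))
```

The second call reproduces mistakes #1 and #2 together: the request is served from the Default zone, so every absolute URL SharePoint emits carries the internal name and the deployment silently depends on the reverse proxy's link translation. Adding a third zone that maps http://sharepoint.contoso.com again makes the checker report the reuse from mistake #3.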

UAG vs TMG

Feature comparison slide, TMG 2010 vs UAG 2010. UAG 2010 provides every row; the TMG 2010 column reads "basic" against the rows listed with it:

Wizards and predefined settings (TMG 2010: basic)

Information leakage prevention (session clean up), endpoint health-based authorization, Web farm load balancing (WFLB), advanced authentication schemes (e.g. AD FS), rich client authentication, single sign-on, unified portal, application protection (Web application firewall) (TMG 2010: basic)

Policy-based access (granular policies), array support, AAM support, customization and manipulation (UI, applications) (TMG 2010: basic)

Live Demo

SharePoint Publishing

What’s next?

How to Publish RemoteApp and DirectAccess

RD Gateway Publishing

UAG seamlessly integrates Remote Desktop Gateway (RDG) to provide an application-level gateway for RDS applications. It enables employees to securely access applications that are hosted on a Terminal Server or on their internal workstation.

Benefits:
• Enhanced authentication
• Single sign-on experience
• Granular policies based on client health: no anti-virus, no drive sharing
• RemoteApps are integrated into the UAG portal side by side with Web applications
• Integrated deployment and management with other remote access technologies

In UAG, RD/TS client traffic goes over HTTPS. The HTTPS tunnel is terminated at UAG, therefore the traffic can be inspected. The traffic is then passed to the backend RD Session Host using the RDP protocol.

Slide diagram: RD/TS Client (MSTSC) --RDP over HTTPS--> UAG + RDG --RDP--> RD Session Host (TS Server)

UAG and DirectAccess: better together

Slide diagram: UAG acts as DirectAccess server and SSL-VPN. Windows 7 clients (always on, IPv6) reach Windows Server 2008 R2 servers over IPv6; Windows Server 2003, legacy application servers and non-Windows servers are reached over IPv4; PDAs, Windows Vista / Windows XP and non-Windows clients connect through the SSL-VPN over IPv6 or IPv4.

• Extends access to line-of-business servers with IPv4 support
• Access for down-level and non-Windows clients
• Enhances scalability and management
• Simplifies deployment and administration
• Hardened edge solution

UAG provides access for down-level and non-Windows clients; UAG improves adoption and extends access to existing infrastructure.
UAG enhances scale and management with integrated LB and array capabilities.
UAG uses wizards and tools to simplify deployments and ongoing management.
UAG is a hardened edge appliance available in HW and virtual options.

Under the Hood: IPv6 Gateway

UAG provides IPv6 connectivity between Internet clients and internal servers, using native IPv6 connectivity or transition technologies.

Slide diagram: Client Machines --(Internet: 6to4, Teredo, IP-HTTPS)--> UAG --(Intranet: Native IPv6, ISATAP, NAT64)--> Servers

Under the Hood: IPsec Tunnels

Connectivity to the corporate network is done using IPv6, protected by IPsec tunnels and transported over IPv4 using IPv6 transition technologies (6to4, Teredo, IP-HTTPS):

Slide diagram: Client Machine --(Internet, IPv6 transition technologies)--> UAG. Infrastructure Tunnel: to Domain Controllers, DNS, HRA, Management. Intranet Tunnel: to the rest of the machines in the corporate network. Behind UAG, both tunnels reach servers over IPv4 via NAT64, native IPv6 or ISATAP.

Under the Hood: NAT64, DNS64

Setup used on the slides: host name x.contoso.com, IPv4 address 100.1.2.3 (IPv4-only server); NAT64 prefix 2a01:110:6:6:6:6::/96; UAG runs DNS64 and NAT64.

Step 1: The user machine tries to resolve the address of an IPv4-only server:
Client Machine -> UAG (DNS64): DNS AAAA query for "x.contoso.com"
UAG -> DNS Server: DNS AAAA query for "x.contoso.com" (no AAAA record exists), then DNS A query for "x.contoso.com"
DNS Server -> UAG: DNS A response, IP 100.1.2.3
UAG -> Client Machine: DNS AAAA response, IP 2a01:110:6:6:6:6::100.1.2.3 (the IPv4 address embedded in the NAT64 prefix)

Step 2: The user machine sends a packet to the IPv4 server:
Client Machine -> UAG (NAT64): packet to 2a01:110:6:6:6:6::100.1.2.3
UAG -> IPv4-only server: packet to 100.1.2.3
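The two steps above, as an added example written for this page (not UAG code): a minimal DNS64 resolver and the NAT64 address rewrite, using the slide's NAT64 prefix and the x.contoso.com record. The DNS record table, the second host dual.contoso.com and all function names are constructed for the example; the embedding itself follows the /96 prefix-plus-IPv4 layout shown on the slide, so 2a01:110:6:6:6:6::100.1.2.3 is the same address as 2a01:110:6:6:6:6:6401:203.

```python
"""DNS64 synthesis and NAT64 destination rewrite as done by the UAG DirectAccess server.

Added example, not UAG code. The NAT64 prefix and the x.contoso.com record are the
values from the slides; the DNS record table is a constructed stand-in for the DNS server.
"""
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("2a01:110:6:6:6:6::/96")

# Constructed stand-in for the internal DNS server: name -> record type -> addresses.
DNS_RECORDS = {
    "x.contoso.com": {"A": ["100.1.2.3"]},                             # IPv4-only server from the slide
    "dual.contoso.com": {"A": ["10.0.0.5"], "AAAA": ["2001:db8::5"]},  # constructed dual-stack host
}


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT64 prefix must be a /96")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX):
    """Recover the IPv4 destination from a synthesized address, or None if it is not NAT64 traffic."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None  # native IPv6 destination: forwarded as-is, nothing to translate
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def dns64_resolve(name: str, records: dict = DNS_RECORDS,
                  prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> list[str]:
    """Step 1: answer an AAAA query; synthesize from A records only when no real AAAA exists."""
    rrset = records.get(name, {})
    if rrset.get("AAAA"):
        return list(rrset["AAAA"])  # a real IPv6 answer wins; nothing is synthesized
    return [str(dns64_synthesize(a, prefix)) for a in rrset.get("A", [])]


def nat64_forward(dst_ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Step 2: the destination a packet leaves UAG with (IPv4 if NAT64 applied, else unchanged)."""
    v4 = nat64_extract(dst_ipv6, prefix)
    return str(v4) if v4 is not None else dst_ipv6


if __name__ == "__main__":
    aaaa = dns64_resolve("x.contoso.com")
    print(aaaa)                    # ['2a01:110:6:6:6:6:6401:203']
    print(nat64_forward(aaaa[0]))  # 100.1.2.3
    print(nat64_forward("2001:db8::5"))  # 2001:db8::5, native IPv6, untouched
```

Two points worth keeping in mind when troubleshooting this path: a synthesized AAAA record is not the one the authoritative server signed, so a client that validates DNSSEC itself will reject it, and the client must treat only its configured DNS64 (UAG) as a source of such answers, since any resolver could hand back an address inside an arbitrary prefix.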

Live Demo

RemoteApps and DirectAccess

Thank you for your attention! For more information please contact:

Dominik Zemp, TSP Security
dominik.zemp@microsoft.com
+41 (43) 456 66 94
+41 (0) 78 844 66 94

Microsoft Switzerland, Richtistrasse 3, 8304 Wallisellen

Resources

UAG 2010 Eval Download: http://technet.microsoft.com/en-us/evalcenter/dd183100.aspx
UAG Team Blog: http://blogs.technet.com/edgeaccessblog/default.aspx
TMG Team Blog: http://blogs.technet.com/isablog/default.aspx
Forefront Edge IAG/UAG Support Forum: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag