Getting to know UAG Tom Decaluwé Blog: http://trycatch.be/blogs/decaluwet/ Email: [email protected]

Upload: terri

Post on 24-Feb-2016


TRANSCRIPT

Page 1: Getting to know UAG

Getting to know UAG
Tom Decaluwé
Blog: http://trycatch.be/blogs/decaluwet/
Email: [email protected]

Page 2: Getting to know UAG

Goal of today

• Help you understand what UAG is.
• Help you get started with UAG Lingo
• Help you get started with configuring UAG

Page 3: Getting to know UAG

Today's Agenda

• Some general thoughts on extranet / external access
• What is UAG & compare with TMG
• UAG architecture and internals
• Using UAG to make your apps available
  • File access
  • Webserver publishing
  • Client / Server app publishing
  • TS publishing
  • SSTP network connectivity
• DirectAccess => 28/04 Sessions done by John Craddock
• ADFS usage => 26/04 Sessions done by John Craddock
• Q&A

Page 4: Getting to know UAG

General thoughts on extranet

Page 5: Getting to know UAG

The killer sentence

• The ability to access any corporate application from anywhere, in a secure, reliable and fast manner, using any device, if the business decides to do so.

Page 6: Getting to know UAG

Why do I need UAG in a world that is going cloud?

• The chance of the future being a hybrid setup (cloud + on prem) is very big.
• You will still need to give your clients access to internal apps.
• You will need a bridge between your corpnet and the cloud nets (think of ADFS publishing).

Page 7: Getting to know UAG

What is UAG & compare with TMG

Page 8: Getting to know UAG

What is UAG => an SSL VPN Secure Gateway with DirectAccess wizard

(Overview diagram; only its labels survive extraction. Clients on the Internet: Business Partners / Sub-Contractors, Home / Friend / Kiosk, Employees with managed machines, Mobile. Access methods: DirectAccess, Layer 3 VPN, HTTPS / HTTP (443 / 80), Non web, Terminal / Remote Desktop Services. Published applications: Exchange, CRM, SharePoint, IIS based, IBM, SAP, Oracle. Identity and policy back ends: AD, ADFS, RADIUS, LDAP..., NPS, ILM.)

• Strong authentication
• Endpoint health detection:
  • NAP and down-level
• Authorization:
  • Based on health status
  • Who + where
• Information leakage prevention
  • Attachment/Cache wiper

Page 9: Getting to know UAG

What is UAG & Compare the Edge

• Integrated and comprehensive protection from Internet-based threats
• Unified platform for all enterprise remote access needs

Page 10: Getting to know UAG

TMG vs UAG (at the publishing level)

TMG
• De-emphasised on publishing
• Limited to HTTP(S) publishing
• Limited to auth as security
• Client unaware
• All in one box

UAG
• The future of publishing
• Portal approach
• HTTP(S) + client / server app + VPN (including DA)
• Health check and cleanup
• Very flexible authentication
• Loads of pre-built templates
• Very detailed reporting

Page 11: Getting to know UAG

Why do you see so little UAG being used?

• Historical pricing => UAG used to be expensive when it was still under the Whale Communications flag and when first adopted by MS.
• TMG is widely adopted and works really well as it's a combo box.
• Commission war => integrators will make more money selling you an appliance than they will if you deploy UAG on your standard Dell/HP hardware with licenses bought through your VL agreements.
• Lack of skilled UAG deployers & training
• Complex?! to get to know and sometimes to use, as it requires understanding of the internal apps you are publishing.
• Weak on creating an equal look and feel internal vs external

Page 12: Getting to know UAG

UAG architecture and internals

Page 13: Getting to know UAG

UAG Internal Architecture

(Architecture diagram; only the box labels survive extraction.)

• Windows Server platform: TMG, Windows NLB, RRAS, IIS, TSG / RDG
• Web Application Publishing: UAG Filter, Session Manager, User Manager, Config. / Array Manager, Internal Site, Portal
• IP VPN: SSTP, Layer 3 SSL Tunnel
• Direct Access: DirectAccess Server, DNS-ALG, NAT-PT, ISATAP, IP-HTTPS, Teredo, 6to4, Native IPv6, DTE / DoSP
• Admin Core: Management UI, SCOM MP, UAG Logic, Tracing & Logging

Page 14: Getting to know UAG

UAG in the core

• ISAPI extends the core functionality of IIS
• InternalSite virtual directory
• New virtual directories per portal

Page 15: Getting to know UAG

UAG buildup

(Diagram: IP → Port → HTTP/HTTPS Trunk → Group → Application)

• 1 HTTP and 1 HTTPS trunk per IP. You can only bind to port 80 and 443.
• Trunk: collection of settings and rules
• Application: logical unit

Page 16: Getting to know UAG

Two Keywords in UAG lingo

Trunk
• Two types of trunks (*UAG can not publish on any other ports)
  • HTTP (TCP 80)
  • HTTPS (TCP 443)
• Is like an IIS website or a TMG listener => IP + port
• A redirect trunk can redirect HTTP to HTTPS, not the other way.
• Can be linked to the portal or direct to application
• Two options
  • Portal trunk => homepage of UAG
  • ADFS trunk => SSO over the border of forests

Application
• +/- 40 templates / 5 top-level apps
  • Built-in services (automatically added to trunk): File access => NTFS shares; Web-Monitor => remote UAG management
  • Web (applications): SharePoint, Exchange, ...; Other => create your own setup
  • Client/server and legacy: apps that run outside of the browser; SSL VPN for specific apps; when launching an app the UAG client components load; Remote Network Access => full network SSL VPN
  • Browser-embedded: starts in the browser and shifts to binary; Citrix XenApp
  • Terminal services and remote desktop: 5 templates

Page 17: Getting to know UAG

DEMO: Create an application trunk and redirect trunk

Page 18: Getting to know UAG

Endpoint Policies

• One of UAG's core features
• Policies are a set of conditions that have to be met by the client in order to gain access.
• End result for blocked apps
  • set to gray out
  • hidden
• Seem complex because there are 4 situations, each with 4 platforms, and two ways to create them.
• Creation
  • GUI driven
  • Scripted mode

Policy matrix on the slide: top-level policy types are Access policy, Upload policy, Download policy and Restricted zone policy; platforms are Windows, MAC, Linux and Other.

Page 19: Getting to know UAG

Require domain membership for

• ADFS
• KCD
• File-Access
• DirectAccess
• UAG Array

Page 20: Getting to know UAG

Using UAG to make your apps available
• File system publishing
• Webserver publishing
• Client / Server App publishing
• TS publishing
• SSTP publishing
• DirectAccess => 28/04 Sessions done by John Craddock

Page 21: Getting to know UAG

Why use it

• Not every filesystem has been migrated to SharePoint yet, and not all filesystems will migrate to SharePoint.
• People want access to the corp files any time and anywhere.
• It ensures mobile users can upload their important files to backup-protected servers instead of their mobile clients.

(Two-column comparison on the slide:)
Windows XP: full transparent file access (client experience)
Windows 7: web based file access (server experience)

Page 22: Getting to know UAG

Configure File Access

• You will need credentials of a user that can browse the network
• Add the built-in service application > File access

Page 23: Getting to know UAG

DEMO: Show File Access

Page 24: Getting to know UAG

Things to remember (File access)

• The computer browser must be started and requires a change in the

Page 25: Getting to know UAG

Using UAG to make your apps available
• File system publishing
• Webserver publishing
• Client / Server App publishing
• TS publishing
• SSTP publishing
• DirectAccess => 28/04 Sessions done by John Craddock

Page 26: Getting to know UAG

Application specific hostname vs portal hostname application

Portal hostname application (non-AAM application)
• If the application can only be accessed using the portal trunk's public name
• HAT required for URL rewriting
• Eg. Trunk name = www.extranet.com; App name = www.extranet.com/uniquesig48cb675c4745e7d473e210fdf4f89f67
• Examples: Dynamics CRM, SharePoint 2003, Exchange 2003

Application specific hostname application (AAM-like application)
• If an application can be configured using its own specific public hostname, which usually differs from the trunk public name
• No requirement of HAT
• Requires:
  • DNS to point both URLs to the same UAG IP
  • Cert for both URLs
  • DNS suffix must match, as the session cookie is shared
• Eg. Trunk name = www.extranet.com; App name = finance.extranet.com
• Examples: OCS 2007, Forefront Identity Manager, SharePoint 2010, MS Exchange 2010, ...
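The three requirements for an application-specific hostname (same UAG IP for both names, a certificate that covers both, a shared DNS suffix for the session cookie) are easy to get wrong one at a time. The following is an added pre-deployment check, not code from the deck or from UAG itself: the DNS answers, the IP addresses and the certificate SAN list are constructed sample data, and the `TrunkConfig` structure and wildcard-matching rule are assumptions made here for illustration. In a real check the answers would come from the public resolver and the SAN list from the trunk certificate.

```python
# Added example: pre-deployment check for an application-specific hostname
# (AAM-like) application. Not from the deck or from UAG; all data below is constructed.
from dataclasses import dataclass


@dataclass
class TrunkConfig:
    trunk_name: str   # public name of the portal trunk
    app_names: list   # application-specific public hostnames published on it
    dns: dict         # hostname -> IP the public DNS returns (constructed sample data)
    cert_sans: list   # subjectAltName DNS entries on the trunk certificate (constructed)


def cookie_domain(hostname: str) -> str:
    """DNS suffix the session cookie is scoped to: everything after the first label."""
    return hostname.split(".", 1)[1].lower() if "." in hostname else ""


def san_matches(san: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard in the leftmost position only."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        # '*.extranet.com' covers 'finance.extranet.com' but not 'a.b.extranet.com'
        return hostname.count(".") == san.count(".") and hostname.endswith(san[1:])
    return san == hostname


def check_app_hostnames(cfg: TrunkConfig) -> list:
    """Return human-readable findings; an empty list means every requirement holds."""
    findings = []
    trunk_ip = cfg.dns.get(cfg.trunk_name)
    if trunk_ip is None:
        findings.append(f"{cfg.trunk_name}: no DNS record")
    if not any(san_matches(s, cfg.trunk_name) for s in cfg.cert_sans):
        findings.append(f"{cfg.trunk_name}: not covered by trunk certificate")
    trunk_suffix = cookie_domain(cfg.trunk_name)
    for app in cfg.app_names:
        # 1. DNS: both URLs must point to the same UAG IP
        ip = cfg.dns.get(app)
        if ip is None:
            findings.append(f"{app}: no DNS record")
        elif ip != trunk_ip:
            findings.append(f"{app}: resolves to {ip}, trunk resolves to {trunk_ip}")
        # 2. Certificate: the trunk cert must cover the application name as well
        if not any(san_matches(s, app) for s in cfg.cert_sans):
            findings.append(f"{app}: not covered by trunk certificate")
        # 3. Suffix: otherwise the browser will not send the shared session cookie
        if cookie_domain(app) != trunk_suffix:
            findings.append(f"{app}: suffix {cookie_domain(app)!r} differs from trunk suffix {trunk_suffix!r}")
    return findings


# Constructed sample: the slide's own names plus two deliberately misconfigured apps
SAMPLE = TrunkConfig(
    trunk_name="www.extranet.com",
    app_names=["finance.extranet.com", "hr.extranet.com", "crm.partner-example.com"],
    dns={
        "www.extranet.com": "203.0.113.10",
        "finance.extranet.com": "203.0.113.10",
        "hr.extranet.com": "203.0.113.11",          # wrong IP
        "crm.partner-example.com": "203.0.113.10",  # right IP, wrong suffix and no cert
    },
    cert_sans=["www.extranet.com", "*.extranet.com"],
)

if __name__ == "__main__":
    for line in check_app_hostnames(SAMPLE) or ["all application hostnames satisfy the trunk requirements"]:
        print(line)
```

Running the block prints one line per finding for the sample: hr.extranet.com is flagged for resolving to a different IP, and crm.partner-example.com is flagged twice, once for the missing certificate coverage and once for the cookie suffix mismatch; finance.extranet.com passes cleanly.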

Page 27: Getting to know UAG

What is URL signing

• Also known as Host Address Translation (HAT)
• URL signing allows UAG to publish multiple servers on a single IP (host headers)
• Adds a URL suffix to the top-level domain
• Incorporates link translation technology
• UAG creates unique URLs for each clickable link on the page by buffering the page and adding a unique SRA string, ensuring you are always accessing the target via UAG.
• Supports
  • HTML
  • ASP
  • JavaScript
• Eg. https://uag.createhive.com/uniquesig48cb675c4745e7d473e210fdf4f89f67/uniquesig0/p.asp
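To make the mechanism concrete, here is an added, simplified model of the two halves of HAT described on this slide: rewriting links in a buffered page so that every published internal host becomes a signed path prefix under the trunk's public name, and mapping such a prefix back to the internal host on the next request. This is illustration code written for this page, not UAG's implementation: the `uniquesig` + 32 hex characters shape follows the slide's example, but deriving it from a keyed hash of the host name, the `HatTranslator` class, the attribute regex and the sample host names are all assumptions; the second `uniquesig0` segment in the slide's URL is not modelled. The reverse lookup only accepts prefixes that map to a configured back end, so the gateway never forwards to a host the administrator did not publish.

```python
# Added example: simplified Host Address Translation (link signing + reverse mapping).
# Not UAG's code; the signature derivation and host names are constructed assumptions.
import hashlib
import re
from urllib.parse import urlsplit

SIG_RE = re.compile(r"^/(uniquesig[0-9a-f]{32})(/.*)?$")
ATTR_RE = re.compile(r'\b(href|src|action)="(https?://[^"]*)"', re.IGNORECASE)


def signature(backend_host: str, trunk_secret: bytes) -> str:
    """Per-back-end path prefix: 'uniquesig' + 32 hex chars, derived here (assumption)
    from a keyed SHA-256 so the prefix is stable per host but not guessable."""
    digest = hashlib.sha256(trunk_secret + backend_host.lower().encode("ascii")).hexdigest()
    return "uniquesig" + digest[:32]


class HatTranslator:
    def __init__(self, trunk_name: str, backends: list, secret: bytes):
        self.trunk = trunk_name.lower()
        self.by_host = {h.lower(): signature(h, secret) for h in backends}
        self.by_sig = {sig: host for host, sig in self.by_host.items()}

    def public_url(self, internal_url: str) -> str:
        """Forward direction: an absolute link to a published host is rewritten so the
        browser keeps talking to the trunk; links to unpublished hosts are left alone."""
        parts = urlsplit(internal_url)
        sig = self.by_host.get((parts.hostname or "").lower())
        if sig is None:
            return internal_url
        path = parts.path or "/"
        query = f"?{parts.query}" if parts.query else ""
        return f"https://{self.trunk}/{sig}{path}{query}"

    def internal_target(self, public_path: str):
        """Reverse direction: a request path on the trunk is mapped to (host, path).
        Unknown or malformed signatures return None and must not be proxied."""
        m = SIG_RE.match(public_path)
        if not m or m.group(1) not in self.by_sig:
            return None
        return self.by_sig[m.group(1)], (m.group(2) or "/")

    def translate_html(self, html: str) -> str:
        """Buffer the page and rewrite href/src/action attributes (the link translation step)."""
        return ATTR_RE.sub(lambda m: f'{m.group(1)}="{self.public_url(m.group(2))}"', html)


# Constructed sample page served by an internal host that UAG publishes
SAMPLE_HTML = (
    '<a href="http://intranet.corp.local/p.asp?id=3">report</a>\n'
    '<img src="http://external.example.com/logo.png">\n'
    '<form action="http://crm.corp.local/save">'
)


def demo() -> str:
    hat = HatTranslator("www.extranet.com", ["intranet.corp.local", "crm.corp.local"],
                        b"constructed-trunk-secret")
    return hat.translate_html(SAMPLE_HTML)


if __name__ == "__main__":
    print(demo())
```

Notice that the external image link survives untouched: link translation only signs hosts that are actually published, which is also why a page that builds links in script at runtime needs the JavaScript support the slide mentions.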

Page 28: Getting to know UAG

DEMO: Publish a web application

Page 29: Getting to know UAG

Using UAG to make your apps available
• File system publishing
• Webserver publishing
• Client / Server App publishing
• TS publishing
• SSTP publishing
• DirectAccess => 28/04 Sessions done by John Craddock

Page 30: Getting to know UAG

What it does

• Provides access to applications that were not designed for classic web and web publishing.
• SSL tunneling
  • A client app listens for connections, tunnels them and delivers them to UAG
• The UAG client components have two parts
  • Health checking applications
  • SSL application tunneling
  • Socket forwarding component
• Almost completely transparent to the end user

Page 31: Getting to know UAG

SSL Application Tunneling component

(Diagram: the client application connects to the SSL Tunneling component on the local loopback, 127.0.0.1:4785; the component carries the connection over the SSL VPN to UAG; UAG delivers it to the back end server, 10.10.10.100 port 23.)

Page 32: Getting to know UAG

2. Client/Server applications

• A lot of templates (most used are below)
• Generic
  • Generic client application: uses a single SSL tunnel
  • Generic client application (multiple server): with multiple server we mean multiple ports to the same or other back-end servers; uses UAG's Socket forwarding component
  • Generic silent client application: no client prompt
• Enhanced => to tunnel, the UAG client manipulates the client and changes e.g. the registry, config files, hosts file
  • Hosts required => edit the hosts file; if it fails to edit the file => end
  • Hosts optional => edit the hosts file; if it fails to edit the file => try to launch the application
  • Hosts disabled => don't edit the hosts file
• All launch an SSL-VPN and launch a script to run the application on the client

Page 33: Getting to know UAG

Auto connect

• %localip%

Page 34: Getting to know UAG

2. Client/Server applications

• A lot of templates (most used are below)
• Enhanced HAT
  • Address translation beyond the scope of normal URL rewriting.
  • Eg. a PDF file with a link => on a click on that link, UAG sees the request for the unavailable server and sends an HTTP 302 redirect to the client with the UAG public trunk as link; from then on the client redirects all this traffic to the public trunk name.
• Generic HTTP proxy enabled client application
  • Allows HTTP proxying
• Generic SOCKS enabled client application
  • Allows SOCKS 4/5 proxying
• Citrix Program Neighbourhood (direct)
• Replaces RPC over HTTPS for clients that don't support it, ...

Page 35: Getting to know UAG

Things to remember

• Apps use the local loopback 127.0.0.x and a port locally
• If SSL tunneling does not work, there are 3 alternatives
  • Network Connector (NC) => tunnels all traffic to the internal network by creating a virtual NIC with IP address (SSL-VPN)
  • Secure Socket Tunnelling Protocol (SSTP) => uses built-in Windows components, with auto client configuration (Win7 and Vista SP1 only)
  • DirectAccess (DA) => IPsec tunneling

Page 36: Getting to know UAG

DEMO: Publish telnet

Page 37: Getting to know UAG

Using UAG to make your apps available
• File system publishing
• Webserver publishing
• Client / Server App publishing
• TS publishing
• SSTP publishing
• DirectAccess => 28/04 Sessions done by John Craddock

Page 38: Getting to know UAG

DEMO

Page 39: Getting to know UAG

Things to know

• How to create the tspub file

Page 40: Getting to know UAG

Using UAG to make your apps available
• File system publishing
• Webserver publishing
• Client / Server App publishing
• TS publishing
• SSTP publishing
• DirectAccess => 28/04 Sessions done by John Craddock

Page 41: Getting to know UAG

Remote SSL VPN

NC
• For down-level clients
• Creates a virtual NIC

SSTP
• Win7 and above
• Uses the OS built-in SSTP

Page 42: Getting to know UAG

The hidden application

The app will dynamically detect whether you are a Win7 or a down-level client and activate SSTP or NC accordingly.

Page 43: Getting to know UAG

DEMO: Publish VPN

Page 44: Getting to know UAG

Things to remember

• The cert chain must be OK, also for the computer container
  • Root cert trusted
  • CRL available
• Your internal servers must know how to route to those addresses

Page 45: Getting to know UAG

Goal of today

• Help you understand what UAG is.
• Help you get started with UAG Lingo
• Help you get started with configuring UAG

Page 46: Getting to know UAG

Q&A

Page 48: Getting to know UAG

Stay up to date with TechNet Belux

Register for our newsletters and stay up to date: http://www.technet-newsletters.be
• Technical updates
• Event announcements and registration
• Top downloads

Join us on Facebook: http://www.facebook.com/technetbe, http://www.facebook.com/technetbelux
LinkedIn: http://linkd.in/technetbelux/
Twitter: @technetbelux
Download MSDN/TechNet Desktop Gadget: http://bit.ly/msdntngadget

Page 49: Getting to know UAG

TechDays 2011 On-Demand

• Watch this session on-demand via TechNet Edge: http://technet.microsoft.com/fr-be/edge/ or http://technet.microsoft.com/nl-be/edge/
• Download to your favorite MP3 or video player
• Get access to slides and recommended resources by the speakers

Page 50: Getting to know UAG

THANK YOU
Tom Decaluwé
Blog: http://trycatch.be/blogs/decaluwet/
Email: [email protected]

If you have any more questions on anything, come and visit me at the Ask the Experts booth.