Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Step1: Configure the SharePoint server

1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.

2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.

3. On the Alternate Access Mappings page, in the Alternate Access Mapping Collection list, click Change Alternate Access Mapping Collection, and then on the Select an Alternate Access Mapping Collection dialog box, select the application that you want to publish.

4. On the Alternate Access Mappings page, click Edit Public URLs.

5. On the Edit Public Zone URLs page, in a zone box that is not yet defined, such as the Internet zone, enter the URL of the same public host name that you entered in the Public host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). Make sure that the URL includes the protocol, according to the trunk type.

6. For example, if you are publishing an application via an HTTPS trunk that resides in the domain xman.com, and the application’s public host name that you entered in Forefront UAG is Portal, enter the following URL: https://Portal.xman.com.

7. When you have finished, click Save.

8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:

9. In the URL protocol, host and port box, enter the URL that you assigned in the Farm host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). For example: http://PortalExternal.xman.com.

10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.

Step2: Create a New trunk

Right Click on HTTPS Application, Click New Trunk, Select Portal Trunk, Click Next

clip_image002

Type SharePoint 2010 on the Trunk Name, Type FQDN of SharePoint, Type IP address of external NIC, Click Next

clip_image004

On the Authentication Page, Click Add, Select DC, Click Next

clip_image006

Select SharePoint.xman.com.au certificate from drop down, Click Next. Don’t worry about certificate screen shot. this is a test environment.

clip_image008

Select Use Forefront UAG Access Policies, Click Next

clip_image010

Select Default and Click Next

clip_image012

Click Finish.

clip_image014

clip_image016

Step3: add SharePoint web applications to the trunk.

In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.

In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Microsoft Office SharePoint Server 2013, Microsoft SharePoint Server 2010, or Microsoft Office SharePoint Server 2007.

clip_image018

clip_image020

On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.

clip_image022

On the Web Servers page, do the following:

In the Addresses box, enter the internal host name of the server running SharePoint Products and Technologies. If your SharePoint server is load balanced, use the load-balanced URL instead of a server name. Make sure that you enter a fully qualified domain name.

In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.

In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.

In the Public host name box, enter a public host name of your choice for the SharePoint web application.

Select the Replace host header with the following check box, and in the Farm host name box, enter a URL of your choice that will be used to differentiate the internal host name of the application from its public host name. Make sure that the URL includes the domain in which the trunk resides (the domain of the trunk appears on the Web Servers tab, to the right of the Public host name box). For example, if the public host name of the application is HRPortal and the trunk resides in the domain xman.com, enter the following replacement host header: HRPortalExternal.xman.com.

clip_image024

clip_image026

On the Authentication page, do the following:

To allow rich client applications, such as Microsoft Word or Microsoft Excel, to authenticate directly to the SharePoint application without authenticating to the portal, select the Allow rich clients to bypass trunk authentication check box.

To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.

clip_image028

On the Portal Link page of the wizard, if required, configure the portal link for the application.

If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.

clip_image030

clip_image032

When you have completed the wizard, click Finish.

The Add Application Wizard closes, and the application that you defined appears in the Applications list.

clip_image034

clip_image036

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.

Step4: Configure Mobile devices Access for SharePoint

When end users access a SharePoint 2010 site from a mobile device using the Office Mobile client, to allow the device to download documents from a SharePoint site, you must make the following URL set changes:

1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.

2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.

3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.

4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.

5. When end users open an Excel file on a SharePoint site from their mobile device, the file opens correctly. If they then go to a different SharePoint site, the first time they try to open an Excel file it may not open as expected; end users must click the file again to open it.

Posted in Forefront Technologies | Tagged , , , , , , , , , , , , , , , , , , , , , , , , | Leave a comment

Install and Configure Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Forefront UAG Overview:

Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computer and mobile devices. UAG provides many benefits. the following is the extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

  • Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
  • Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
  • Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
  • Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
  • Easily integrates with Active Directory and enables a variety of strong authentication methods.
  • Limits exposure and prevent data leakage to unmanaged endpoints.

Assumptions:

The following servers is installed and configured in a test environment.

image 

Systems Requirements:

Option

Description

Virtual Machine Name

DC1TVUAG01

Memory

8GB

vCPU

1

Hard Disk 1

50GB

Hard Disk 2

50GB

Network Adapter

2

Guest Operating System

Windows Server 2008 R2

Service Pack Level

SP1

Software Requirement:

Version

Microsoft Forefront Unified Access Gateway 2010

Service Pack Level

SP3

Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:

  • Microsoft .NET Framework 3.5 SP1
  • Windows Web Services API
  • Windows Update
  • Microsoft Windows Installer 4.5
  • SQL Server Express 2005
  • Forefront TMG is installed as a firewall during Forefront UAG setup
  • The Windows Server 2008 R2 DirectAccess component is automatically installed.

The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.

  • Network Policy Server
  • Routing and Remote Access Services
  • Active Directory Lightweight Directory Services Tools
  • Message Queuing Services
  • Web Server (IIS) Tools
  • Network Load Balancing Tools
  • Windows PowerShell

Supported Browser Clients:

Browser

Features

Firefox

Endpoint Session Cleanup

Endpoint detection

SSL Application Tunneling

Endpoint Quarantine Enforcement

Internet Explorer

Endpoint Session Cleanup

Endpoint detection

SSL Application Tunneling

Socket Forwarding

SSL Network Tunneling (Network Connector)

Endpoint Quarantine Enforcement

Supported Mobile Devices:

Device Name

Features

Windows Phone

Premium mobile portal

iOS: 4.x and 5.x on iPhone and iPad

Premium mobile portal

Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0

Premium mobile portal

Service Account for Active Directory Authentication:

Service Account

Privileges

Password

xman\SA-FUAG

Domain Users

Password set to never expired

Domain Joined Forefront UAG:

The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.

  • Add the server to an array of Forefront UAG servers at a later date.
  • Configure the server as a Forefront UAG DirectAccess server at a later date.
  • Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
  • Publish the File Access application via a Forefront UAG trunk.
  • Provide remote clients with access to the internal corporate network using SSTP.

Antivirus Exclusion:

Version

Paths

Processes

Forefront UAG 2010

UAG installation folder (may be changed during installation)
%ProgramFiles%\Microsoft Forefront Unified Access Gateway

Forefront UAG DNS-ALG Service
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe

Forefront UAG Monitoring Manager
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe

Forefront UAG Session Manager
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe

Forefront UAG File Sharing
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe

Forefront UAG Quarantine Enforcement Server
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagqessvc.exe

Forefront UAG Terminal Services RDP Data
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagrdpsvc.exe

Forefront UAG User Manager
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\UserMgrCom.exe

Forefront UAG Watch Dog Service
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\WatchDogSrv.exe

Forefront UAG Log Server
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlerrsrv.exe

Forefront UAG SSL Network Tunneling Server
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlios.exe

Forefront UAG Placement:

The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

There are advantages to place the Forefront UAG server between a frontend and backend firewall, as follows:

  • Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
  • Integrity of the content in the corporate network is retained.
  • Securely publish backend applications and access infrastructure servers, such as authentication servers, as required.
  • Hide corporate network infrastructure from perimeter and external threat.

Scenario#1

image

Perimeter Port Requirement:

To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:

  • HTTP traffic (port 80)
  • HTTPS traffic (port 443)
  • FTP Traffic (Port 21)
  • RDP Traffic (Port 3389)

Backend Port Requirement

Since XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purpose.

Infrastructure server

Protocol

Port

Direction

Domain controller

Microsoft-DS traffic

TCP 445

UDP 445

From UAG to DC

 

Kerberos authentication

TCP 88

UDP 88

From UAG to DC

 

LDAP

TCP 389

UDP 389

From UAG to DC

 

LDAPS

TCP 636

UDP 636

From UAG to DC

 

LDAP to GC

TCP 3268

UDP 3268

From UAG to DC

 

LDAPS to GC

TCP 3269

UCP 3269

From UAG to DC

 

DNS

TCP 53

UDP 53

From UAG to DC

Exchange, SharePoint, RDS

HTTPS

TCP 443

From external to internal server

FTP

FTP

TCP 21

From external to internal server

Scenario#2

In this scenario no NAT or internal firewall rules are needed but not a best practice and not a great firewall design.

image

UAG Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated UAG network name. The following binding order will be maintained within Windows operating systems:

· First in Order- UAG internal adapter connected to the trusted network.

· Second in Order- UAG external adapter connected to the untrusted network.

The following are the network configuration for UAG server.

Option

IP Address

Subnet

Default Gateway

DNS

Internal Network

10.10.10.2

255.255.255.0

Not required

10.10.10.1

External Network

192.168.1.1

255.255.255.0

192.168.1.254

Not required

Important! External Network can be assigned public IP if UAG server isn’t placed behind frontend router/firewall. In an edge configuration UAG external network is configured with public IP and internal network is assigned an IP address of internal IP range.

Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment. Extract from Recommended Network Adapter Configuration for Forefront UAG Servers

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:

  • UAG adapter connected to the trusted network: Internal Network
  • UAG adapter connected to the untrusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the TMG internal adapter is left at the default settings of Enabled on the TMG Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a Forefront UAG array.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

clip_image005

Configuration Step 4 – Run the UAG Network Interfaces Wizard:

You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.

clip_image007

Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:

Purpose

Public Host Name

Public IP Address

Exchange

webmail.xman.com.au

203.17.x.x

SharePoint

sharepoint.xman.com.au

203.17.x.x

RDS

remote.xman.com.au

203.17.x.x

FTP

ftp.xman.com.au

203.17.x.x

Scenario#1 Firewall Rules consideration

External NAT Rules

The following NAT rules will be added into perimeter network to publish application and services through Forefront UAG.

Rule(s)

Description

Source IP

Public IP Address

(Destination IP Address)

Port

NAT Destination

Status

1

Exchange

Any

203.17.x.x

443

10.10.10.2

Forward

2

SharePoint

Any

203.17.x.x

443

10.10.10.2

Forward

4

RDS

Any

203.17.x.x

443

10.10.10.2

Forward

5

FTP

Any

203.17.x.x

21

10.10.10.2

Forward

Internal Firewall Rules

The following firewall rules will be added into internal network firewall to allow communication from UAG server to application servers and domain controller:

Rules

Description

Source IP

Port

TCP & UDP

NAT Destination

Destination

Status

1

Exchange

10.10.10.2

TCP 443

Not Required

10.10.10.3

Forward

2

SharePoint

10.10.10.2

TCP 443

Not Required

10.10.10.4

Forward

4

RDS

10.10.10.2

TCP 443

Not Required

10.10.10.5

Forward

5

FTP

10.10.10.2

TCP 21

Not Required

10.10.10.6

Forward

6

Client

10.10.12.0/24

10.10.13.0/24

TCP 443

TCP 21

Not Required

10.10.10.2

Forward

7

Domain Controller

10.10.10.2

445, 88, 53

389, 636

3268, 3296

Not Required

10.10.10.1

Forward

Understanding Certificates requirements:

Forefront UAG supports wildcard certificates at the domain level and sub-domain level. Wildcard certificates in the form *.xman.com.au are supported. In addition the SAN certificate can specify the required host names.

Launch Certificate Manager

1. Click to open the Certificate Manager Microsoft Management Console (MMC). Using Certificate Manager, you can import a certificate into the IIS Certificate store, as follows:

2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.

3. Follow the instructions in the Certificate Import Wizard.


Common Name

Subject Alternative Name

Certificate Issuer

RDS.xman.com.au

-

Verisign/Digicert

webmail.xman.com.au

autodiscover.xman.com.au

Verisign/Digicert

ftp.xman.com.au

-

Verisign/Digicert

sharepoint.xman.com.au

-

Verisign/Digicert

Understanding Properties of Trunk

  • Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
  • Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
  • IP address: Specify the external IP address used to reach the published Web application or portal.
  • Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
  • HTTP/HTTPS port: Specify the port for the external Web site.

UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following topics describe a list of trunks and its advanced configuration.

image

Advanced Trunk Configuration for SharePoint: The following changes should be made in advanced trunk configuration to allow mobile devices to communicate with UAG server for rich application:

URL List

Methods

Allow Rich Content

InternalSite_Rule54

HEAD

Checked

SharePoint14AAM_Rule47

HEAD

Checked

Published Applications and Services:

image 

Install Forefront UAG:

Insert the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to a Hyper-V server as media, and run Setup from the Forefront UAG folder.

Ensure that the Network List Service (Netprofm) and the Network Location Awareness (NlaSvc) services are running, before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.

clip_image009

On the Welcome page of Setup, do the following:

clip_image011

Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.

clip_image013

clip_image015

clip_image017

Restart the Server.

clip_image019

Initial Configuration Using Getting Started Wizard

clip_image021

In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

On the Define Network Adapter Settings page, in the Adapter name list do the following:

To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required. Note that it is not recommended to configure DNS on the external adapter.

To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.

After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:

If you are running Forefront UAG on a single server, click Single server.

If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.

After running the Network Configuration Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, Click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Updates. Note that an Internet connection is required both to opt in for updates and receive them. Forefront UAG updates will only be available after the RTM release.

If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, Click No, I do not want to participate if you do not want to participate in the program.

Configure Remote Desktop (RDP) to Forefront UAG

After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:

Ensure that remote desktop is enabled on the Forefront UAG server.

Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.

To do this, open the Forefront TMG Management console from the Start menu.

1. In the console tree, click the Firewall Policy node. Right Click New, Click Access Policy, Type Name: RDP Access Policy.

2. On the Rule Action, Click Allow, Click Next

3. On the Selected Protocols, Click Add, Select RDP Server from all protocol, Click Next

4. On the Source tab, Click New, Click new, Click Computer, Add name and IP address of the computer, Click next

5. On the destination page, Click new, Click computer, add name and IP address of UAG server, Click Next, Click Finish and Apply changes.

Posted in Forefront Technologies | Tagged , , , , , , , , , , , , , , , , , , , , , , , , | Leave a comment

Forefront UAG 2010 Deployment Guide

Forefront TMG Important URL and Guide

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Forefront UAG Event Messages

Forefront UAG registry keys

Posted in Forefront Technologies | Tagged , , , , , , , , | Leave a comment

Install and Configure IBM V3700, Brocade 300B Fabric and ESXi Host Step by Step

Step1: Hardware Installation

Follow the official IBM video tutorial to rack and stack IBM V3700.

 

image

image

image

Cabling V3700, ESX Host and Fabric.

  • Connect each canister of V3700 Storage to two Fabric. Canister1 FC Port 1—>Fabric1 and Canister 1 FC Port 2—>Fabric2. Canister2 FC Port 1—>Fabric1 and Canister 2 FC Port 2—>Fabric2.
  • Connect two HBAs of each Host to two Fabric.
  • Connect Disk Enclosure to two canister
  • Connect Both Power cable of each devices to multiple power supply

Step2: Initial Setup

Management IP Connection: Once you racked the storage, connect Canister1 Port 1 and Canister 2 Port 1 into two Gigabit Ethernet port in same VLAN. Make LACP is configured in both port in your switch.

image

Follow the official IBM video tutorial to setup management IP or download Redbook Implementation Guide and follow section 2.4.1

 

One initial setup is complete. Log on to V3700 storage using Management IP.

Click Monitoring>System>Enclosure>Canister. Record serial number, part number and machine signature.

image

Step3: Configure Event Notification

Click Settings>Event Notification>Edit. Add correct email address. You must add management IP address of v3700 into Exchange Relay Connector. Now Click test button to check you received email.

image

image

Step4: Licensing Features

Click Settings>General>Licensing>Actions>Automatic>Add>Type Activation Key>Activate. repeat the step for all licensed features.

image

IBM V3700 At a Glance

image

Simple Definition:

MDisk: Bounce of disk configured in preset RAID or User defined RAID. For example you have 4 SSD hard drive and 20 SAS hard drive. You can chose automatic configuration of storage which will be configured by Wizard. However you can chose to have 1 RAID5 single parity MDisk for SSD and 2x RAID5 MDisk with parity for 20 SAS hard drive. In this case you will have three MDisk in your controller. Simply MDisk is RAID Group.

Pool: Storage Pool act as container for MDisks and available capacity ready to be provisioned.

Volume: Volumes are logical segregation of Pools. Volume can defines as LUNs and ready to be mapped or connected to ESX host or Hyper-v Host.

Step5: Configure Storage

Click Pools>Internal Storage>Configure Storage>Select recommended or user defined. Follow the wizard to complete MDisk.

image

image

Step6: Configure Pool

image

Click Pools>Click Volumes by Pool>Click New Volume>Generic>Select Quantity, Size, Pool then Click Create.

image

image

image

Repeat the steps to create multiple volumes for Hyper-v Host or ESXI host.

Step7: Configure Fabric

Once you rack and stack Brocade 300B switches. Connect both Brocade switches using CAT6 cable to your Ethernet Switch. This could be your core switch or an access switch. Connect your laptop to network as well.

References are here. Quick Start Guide and Setup Guide

Default Passwords

username: root password: fibranne
username: admin password: password

Connect the console cable provided within brocade box to your laptop. Insert EZSetup cd into cdrom of your laptop. Run Easy Setup Wizard.

Alternatively, you can connect the switch to the network and connect to it via http://10.77.77.77 (Give yourself an IP address of 10.77.77.1/24). Use the username root and the password fibranne

If you don’t want to do that, connect the console cable (provided) to your PC and launch the EZ Setup Software supplied with the switch. Select English > OK.

At the Welcome Screen > Click Next > Click Next > accept the EULA > Install > Done > Select Serial Cable > Click Next > Click Next (make sure HyperTerminal is NOT on or it will fail). It should find the switch > Set its IP details.

image

Next > Follow Instructions.

Install Java on your laptop. Open browser, Type IP address of Brocade, you can connect to the switch via its web console Once logged in using default username:root and password: fibranne

image

Click Switch Admin>Type DNS Server, Domain Name, Apply. Click License>Add new License, Apply.

image

image

Click Zone Admin>Click Alias>New Alias>Type the name of Alias. Click Ok. Expand Switch Port, Select WWNN>Add members. Repeat for Canister Node 1, Canister Node 2, ESX Host1, ESX Host2, ESX Host 3….

image

image

Select Zone Tab> New Zone > Type the Name of Zone, Example vSphere or Hyper_v. Select Aliases>Click Add Members> Add all Aliases.

image

Select Zone Config Tab>New Zone Config>Type the name of Zone Config>Select vSphere or Hyper_V Zone>Add Members

image

Click Save Config. Click Enable Config.

image

image

Repeat above steps for all fabric.

Step8: Configure Hosts in V3700

Click Hosts>New Host>Fibre Channel Host>Generic>Type the Name of the Host>Select Port>Create Host.

image

image

image

image

Right Click on each host>Map Volumes.

image

Step9: Configure ESXi Host

Right Click on ESX Cluster>Rescan for datastores>

image

image

Click ESX Host>Configuration>Storage>Add Storage>Click Next>Select Correct and Matching UID>Type the matching Name same as volume name within IBM V3700. Click Next>Select VMFS5>Finish.

image

Rescan for datatores for all Host again. you will see same data store popped up in all Hosts.

Finding HBA, WWNN

Select ESX Host>Configuration>Storage Adapters

image

image

Verifying Multipathing

Right Click on Storage>property>Manage Paths

image

image

Finding and Matching UID

Log on to IBM V3700 Storage>Volume>Volumes

image

Click ESX Host>Configuration>Storage>Devices

image

Posted in Miscellaneous | Tagged , , , , , , , , , , , , , , | Leave a comment

How to configure SMB 3.0 Multichannel in Windows Server 2012 Step by Step

SMB Multichannel

The SMB protocol follows the client-server model; the protocol level is negotiated by the client request and server response when establishing a new SMB connection. Windows Server 2012 introduces a feature called SMB 3.0 Multichannel. Multichannel provides link aggregation and fault tolerance.

SMB 3.0 introduces multipath I/O (MPIO) where multiple TCP connections can be established with given SMB session. Benefits include increase bandwidth, enable transparent network interface failover and load balancing per session.

SMB Encryption

Open following registry key

HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters

  • If value of EncryptData DWORD is set to 0 then communication between SMB client and server is encrypted
  • If value of RejectUnencryptedAccess DWORD is set to 1 then communication between SMB client and server is rejected.

SMB Multichannel Requirement:

  • At least two computers that run on Windows Server 2012 R2, Windows Server 2012, or Windows 8 operating systems. No additional features have to be installed—SMB Multichannel is enabled by default.
  • Multiple network adapters in all hosts
  • One or more network adapters that support Receive Side Scaling (RSS)
  • One of more network adapters that are configured by using NIC Teaming
  • One or more network adapters that support remote direct memory access (RDMA)
  • Both NICs must be in different subnets
  • Enable NICs for client access
  • Dedicated subnets SMB storage
  • Dedicated Storage VLAN depending on if/how you do converged fabrics
  • VNX File OE version 7.1.65 and later or SMB 3.0 compliant storage
  • Port Channel Group configured in Cisco switch

TCP/IP session without Multichannel Session

  • No Automatic failover or Automatic failover if NICs are teamed
  • No Automatic failover if RDMA capability is not used
  • Only one NIC engaged
  • Only one CPU engaged
  • Can not use combined NIC bandwidth

TCP/IP session without Multichannel Session

  • Automatic failover or faster automatic failover if NICs are teamed
  • Automatic failover if RDMA capability is used. Multiple RDMA connection
  • All NICs engaged
  • CPU work load shared across all CPU cores
  • Combine NIC bandwidth

Which one to use, RDMA or RSS?

If you are looking fault tolerance and throughput then obvious choice is NIC teaming with RSS.

Adding a SMB Share in VNX Storage

  1. Create a network. Go to Settings -> Network -> Settings for File, Setup your network information
  2. Go to Storage -> Storage Configuration -> File Systems to create storage. Setup your storage configuration
  3. Go to CIFS Servers tab and create your Server configuration.
  4. Go back to your CIFS Share configuration and assign your CIFS Server as allowed and allow SMB protocol.
  5. Connect your CIFS Share with \\CIFSServer\CIFSShare and your new administrator password.

Adding a port channel group in Switch

Configuration of Cisco Switch with 2 network ports (If you have Cisco)

Switch#conf t
Switch(config)#Int PORT (a.e. Gi3/1)
Switch(config)#switchport mode access
Switch(config)#spanning-tree portfast
Switch(config)#channel-group <40> mode active
Switch(config)#Int port (a.e. Gi3/1)
Switch(config)#switchport mode access
Switch(config)#spanning-tree portfast
Switch(config)#channel-group <40> mode active

Configuration of HP Procurve with 2 network ports (If you have HP)

PROCURVE#conf ter
PROCURVE# trunk PORT1-PORT2 (a.e. C1/C2) Trk<ID> (a.e. Trk99) LACP
PROCURVE# vlan <VLANID>
PROCURVE# untagged Trk<ID> (a.e. Trk99)
PROCURVE# show lacp
PROCURVE# show log lacp

Adding SMB 3.0 Share in Hyper-v

  1. From Server Manager, click Tools and then click Hyper-V Manager
  2. Click Hyper-v Settings, Click Virtual Hard Disk, Type UNC path of SMB 3.0. Click Virtual Machine, Type UNC path of SMB 3.0
  3. Click Ok.
  4. Open PowerShell Prompt, Enable Multichannel using the following cmdlets.
  5. Configure SMB Multichannel using Windows PowerShell

Get-SmbClientConfiguration | Select EnableMultichannel

Get-SmbServerConfiguration | Select EnableMultichannel

    6. Enable Multichannel

Set-SmbServerConfiguration -EnableMultiChannel $true

Set-SmbClientConfiguration -EnableMultiChannel $true

   7. Verify Multichannel

Get-SmbConnection

Get-SmbMultichannelConnection

Posted in Windows Server | Tagged , , , , , , , , , , , , , | Leave a comment

Why you should not use yourdomain.local domain?

Microsoft recommended use of .local domain when Microsoft released Microsoft Small Business Server. Microsoft also understood that an SBS customer may not have in house expertise to manage Active Directory Domain and Exchange Server. Microsoft understood that SBS user will not have proper firewall. It is obvious that Exchange autodiscovery, single sign on for SharePoint and Lync Server was not in scenario at that time. So Microsoft recommended use of .local domain in Active Directory. Those who worked in SBS environment thought that they could take that concept now and implement .local domain in any organization which is a fundamental design flaw.

You have to understand  that .local domain was a past concept. Moving forward technology has changed a lot since then. You should change yourself when technology changes. But when I visit clients I see that old dog doesn’t learn new trick. Which means their autodiscovery doesn’t work. These clients end up with many issues including blaming Microsoft. You should ask yourself did you design your Active Directory and DNS correctly. Why you expect your autodiscovery to function correctly when your DNS is messy?

When you are promoting a new domain or a new forest, it is highly recommended that you use registered domain name for example yourdomain.com.au. Again those who worked in past SBS era they will raise concern of hacking, TLD etc. I would address their concern by putting the question to them, did you design and configure a correct firewall and security in your corporate infrastructure. If not then you should hire a security professional who will address your concern. Simply promoting a yourdomain.local domain will not secure your domain and you will have a false sense of security that your Active Directory is safe. In realty your corporate network might be open and vulnerable to hacking.

Here are why you should use yourdomain.com.au or registered domain in Active Directory.

  • To implement correct Exchange Autodiscovery
  • To discover correct registered domain for SharePoint and Lync Server
  • To implement single sign on
  • To install correct public certificates for Exchange, SharePoint and Lync. Note that Public Certificate Authority no longer issue certificate using .local domain
  • To use correct UPN of your registered domain
  • To setup correct local and public DNS
  • To design correct Active Directory. You shouldn’t use SBS server as your model. Microsoft retired SBS for many reasons. Brutal truth is Microsoft didn’t want to lose poor customer who couldn’t afford an open license or software assurance so most of SBS users got OEM license through hardware vendor or a reseller.
  • To follow the guidelines of IANA and IEEE when you deal with a domain.

What should you do if you already have a .local domain in SBS server?

If your SBS server is 2008, then create an Active Directory DNS zone using registered domain example: yourdomain.com.au then add HOST (A) record with PTR of webmail or mail and autodiscovery in yourdomain.com.au zone. Create public DNS record for webmail.yourdomain.com.au and autodiscover.yourdomain.com.au.

http://www.yourdomain.com.au (example registered domain) doesn’t resolve after creating yourdomain.com.au?

This happened when http://www.yourdomain.com.au is hosted with third party web hoster not internally. There is an easy fix, create a DNS forwarder or conditional forward for your http://www.yourdomain.com.au. Follow this URL to configure a conditional forwarder. For example: you can forward http://www.yourdomain.com.au to Google DNS server or the DNS server of your ISP or your web hoster who is actually hosting http://www.yourdomain.com.au. To find out who is hosting your website and their DNS record, go to https://www.easywhois.com/ type yourdomain.com.au and hit enter.

Further Study:

http://microsoftguru.com.au/2011/05/28/microsoft-active-directory-best-practice/ 

http://microsoftguru.com.au/2012/07/29/microsoft-active-directory-best-practice-part-ii/

http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html 

http://technet.microsoft.com/en-us/library/cc757172%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/cc754941.aspx

http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspx

Posted in Microsoft Active Directory | Tagged , , , , , , , , , , , , | Leave a comment

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Assumption:

I assume you have the following infrastructure ready.

  • Domain Controller: DC1PVDC01
  • Certificate Authority: DC1PVCA01
  • AD FS Server: DC1PVADFS01
  • Exchange Server: DC1PVEXCH01

Naming Convention:

  • DC1= Data Center 1 (location)
  • P=Production Systems
  • V=Virtual Server
  • DC=Domain Controller

So on so forth.

Proposed Web Application Proxy Server:

Option

Description

Virtual Machine Name

DC1PVWAP01

Memory

4GB

vCPU

1

Hard Disk 1

50GB

Network Adapter

2

Guest Operating System

Windows Server 2012 R2

Hyper-v Integration Service Installed

Windows Server Role:

Role

Web Application Proxy

Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated WAP network name. The following binding order will be maintained within Windows operating systems:

  1. First in Order- WAP internal adapter connected to the trusted network.
  2. Second in Order- WAP external adapter connected to the un-trusted network.

The following are the network configuration for WAP server.

Option

IP Address

Subnet

Default Gateway

DNS

Internal Network

10.10.10.2

255.255.255.0

Not required

10.10.10.1

External Network

192.168.1.1

255.255.255.0

192.168.1.254

Not required

Important! External Network can be assigned public IP if WAP server isn’t placed behind frontend router/firewall. In an edge configuration WAP external network is configured with public IP and internal network is assigned an IP address of internal IP range.

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and WAP wizard/console names. For example:

  • WAP adapter connected to the trusted network: Internal Network
  • WAP adapter connected to the un-trusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your un-trusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the TMG internal adapter is left at the default settings of Enabled on the WAP Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a WAP cluster.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

  1. Internal Network (Highest)
  2. External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:

Purpose

Public Host Name

Public IP Address

Exchange

webmail.yourdomain.com

203.17.x.x

SharePoint

sharepoint.yourdomain.com

203.17.x.x

External Firewall Rules

The following NAT rules will be added into perimeter network to publish application and services through WAP. This rule is only apply if you please Web Application Proxy (WAP) behind a firewall or Cisco ASA otherwise you don’t need it.

Rule(s)

Description

Source IP

Destination IP Address

Port

NAT Destination

1

Exchange

Any

203.17.x.x

443

192.168.1.2

2

SharePoint

Any

203.17.x.x

443

192.168.1.3

Building Web Application Proxy Server on Windows Server 2012 R2 Steps:

  1. Install Windows Server 2012 R2.
  2. Configure TCP/IP of Windows Server 2012 R2
  3. Join Web Application Proxy server to Domain
  4. Install Web Application Proxy Role
  5. Configure Kerberos Constraint Delegation
  6. Configure the firewall to allow HTTPS traffic on port 443 for clients to communicate with the AD FS server
  7. Configure Firewall if WAP Server placed behind a Cisco ASA
  8. Install Public certificate into Web Application Proxy Server
  9. Publish Application

Configure Kerberos Constraint delegation

1. On the domain controller, open Server Manager. To do this, click Server Manager on the Start screen.

2. Click Tools, and then click ADSI Edit.

3. On the Action menu, click Connect To, and then on the Connection Settings dialog box, accept the default settings to connect to the default naming context, and then click OK.

4. In the left pane, expand Default naming context, expand DC=yourdomain, DC=com, expand CN=Computers, right-click CN=DC1PVWAP01, and then click Properties.

5. On the CN=DC1PVWAP01 Properties dialog box, on the Attribute Editor tab, in the Attributes list, select servicePrincipalName, and then click Edit.

6. On the Multi-valued String Editor dialog box, in Value to add, enter HTTP/DC1PVWAP01.yourdomain.com and click Add. Then enter HTTP/DC1PVWAP01 and click Add. The Values list now contains two new entries; for example, HTTP/DC1PVWAP01.yourdomain.com and HTTP/DC1PVWAP01.

7. On the Multi-valued String Editor dialog box, click OK.

8. On the CN=DC1PVWAP01 Properties dialog box, click OK.

9. In Server Manager, click Tools, and then click Active Directory Users and Computers.

10. In the navigation pane, under yourdomain.com, click Computers. In the details pane, right-click the Web Application Proxy server, and then click Properties.

11. On the DC1PVWAP01 Properties dialog box, on the Delegation tab, click Trust this computer for delegation to specified services only, and then click Use any authentication protocol.

12. Click Add, and on the Add Services dialog box, click Users or Computers.

13. On the Select Users or Computers dialog box, in Enter the object names to select, enter the name of the web servers that use Integrated Windows authentication; for example, WebServ1, and then click OK.

14. On the Add Services dialog box, in the Available services list, select the http service type, and then click OK.

15. On the DC1PVWAP01 Properties dialog box, click OK.

Configure AD FS (Optional when using pass-through pre-authentication)

1. On the Start screen, type AD FS Management, and then press ENTER.

2. Under the AD FSTrust Relationships folder, right-click Relying Party Trusts, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.

3. On the Welcome page, click Start.

4. On the Select Data Source page, click Import data about the relying party published online or on a local network. In Federation metadata address (host name or URL), type the federation metadata URL or host name for the partner, and then click Next.

5. On the Specify Display Name page type a name in Display name, under Notes type a description for this relying party trust, and then click Next.

6. On the Choose Issuance Authorization Rules page, select either Permit all users to access this relying party then click Next.

7. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.

8. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box. For more information about how to proceed with adding claim rules for this relying party trust, see the Additional references.

9. in the AD FS Management console, you must set the endpoint to be Proxy Enabled

Configure Certificate Template in CA

Note: This steps is only applicable when using Enterprise certificate authority.  

1. Open the Certificate Templates snap-in.

2. In the details pane, right-click an existing certificate that will serve as the starting point for the new certificate, and then click Duplicate Template.

3. Choose whether to duplicate the template as a Windows Server 2003–based template or a Windows Server 2008–based template.

4. On the General tab, enter the Template display name and the Template name, and then click OK.

5. Define any additional attributes such as mark “private key exportable” for the newly created certificate template.

Export & Import Certificates into Web Application Proxy Server

This is a very important steps for published app to work correctly. You must export .pfx certificate from application servers (Exchange, SharePoint or Lync Server) to Web Application Proxy Server so that internet explorer, web application proxy server and application servers validate same certificates.

Exporting a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Export.
  7. Choose Yes, export the private key and include all certificates in certificate path if possible.
    Warning: Do not select the delete private key option.
  8. Leave the default settings and then enter your password if required.
  9. Choose to save the file and then click Finish. You should receive an “export successful” message. The .pfx file is now saved to the location you selected.

Importing from a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Import.
  7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.

Install Web Application Proxy Role

1. On the Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features.

2. In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.

3. On the Select server roles dialog, select Remote Access, and then click Next.

4. Click Next twice.

5. On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next.

6. On the Confirm installation selections dialog, click Install.

7. On the Installation progress dialog, verify that the installation was successful, and then click Close.

Configure Web Application Proxy

1. On the Web Application Proxy server, open the Remote Access Management console: On the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

2. In the navigation pane, click Web Application Proxy.

3. In the Remote Access Management console, in the middle pane, click Run the Web Application Proxy Configuration Wizard.

4. On the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.

5. On the Federation Server dialog, do the following, and then click Next:

  • In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.yourdomain.com.
  • In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers.

6. On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next.

7. The certificate you choose here should be the one that whose subject is the Federation Service name, for example, fs.yourdomain.com.

8. On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure.

9. On the Results dialog, verify that the configuration was successful, and then click Close.

Publish Application using AD FS Pre-Authentication

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Pre-authentication page, click Active Directory Federation Services (AD FS), and then click Next.

4. On the Relying Party page, in the list of relying parties select the relying party for the application that you want to publish, and then click Next.

5. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://sp.yourdomain.com/app1/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://sp/app1/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.

6. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

7. On the Results page, make sure that the application published successfully, and then click Close.

Publish an integrated Windows authenticated application

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Pre-authentication page, click Active Directory Federation Services (AD FS), and then click Next.

4. On the Relying Party page, in the list of relying parties select the relying party for the application that you want to publish, and then click Next.

5. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://owa.yourdomain.com/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://owa/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.
  • In the Backend server SPN box, enter the service principal name for the backend server; for example, HTTP/owa.yourdomain.com.

6. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

7. On the Results page, make sure that the application published successfully, and then click Close.

Publish Application using Client Certificate Pre-Authentication

You can publish an application using pre-authenticated client certificate. This steps only be performed using Windows PowerShell. Open Elevated Windows PowerShell prompt in WAP Server. Change the following command as required and issue the command.

Add-WebApplicationProxyApplication

-BackendServerURL ‘https://app.yourdomain.com/&#8217;

-ExternalCertificateThumbprint ‘1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b’

-ExternalURL ‘https://app.yourdomain.com/&#8217;

-Name ‘Client certificate preauthentication application’

-ExternalPreAuthentication ClientCertificate

-ClientCertificatePreauthenticationThumbprint ‘123456abcdef123456abcdef123456abcdef12ab’

Publish Application using Pass-through Pre-Authentication

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Preauthentication page, click Pass-through, and then click Next.

4. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://maps.yourdomain.com/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://maps/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.

5. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

6. On the Results page, make sure that the application published successfully, and then click Close.

Publish Application using Windows Store App or Oauth2

You can publish an application using pre-authenticated Windows Store App. This steps only be performed using Windows PowerShell. Open Elevated Windows PowerShell prompt in WAP Server. Change the following command as required and issue the command.

Set-WebApplicationProxyConfiguration –OAuthAuthenticationURL ‘https://fs.yourdomain.com/adfs/oauth2/&#8217;

Add-WebApplicationProxyApplication

-BackendServerURL ‘https://storeapp.yourdomain.com/&#8217;

-ExternalCertificateThumbprint ‘1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b’

-ExternalURL ‘https://storeapp.yourdomain.com/&#8217;

-Name ‘Windows Store app Server’

-ExternalPreAuthentication ADFS

-ADFSRelyingPartyName ‘Store_app_Relying_Party’

-UseOAuthAuthentication

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Posted in Windows Server | Tagged , , , , , , , , , , , , , , , , , , , | Leave a comment