Forefront UAG Overview:
Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computers and mobile devices. UAG provides many benefits; the following is an extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx:
- Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
- Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
- Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
- Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
- Easily integrates with Active Directory and enables a variety of strong authentication methods.
- Limits exposure and prevents data leakage to unmanaged endpoints.
The following server is installed and configured in a test environment.

| Setting | Value |
|---|---|
| Virtual Machine Name | DC1TVUAG01 |
| Hard Disk 1 | 50GB |
| Hard Disk 2 | 50GB |
| Guest Operating System | Windows Server 2008 R2 |
| Guest OS Service Pack Level | SP1 |
| Version | Microsoft Forefront Unified Access Gateway 2010 |
| UAG Service Pack Level | SP3 |
Forefront UAG Setup automatically installs and uses the following Windows Server 2008 R2 operating system features:
- Microsoft .NET Framework 3.5 SP1
- Windows Web Services API
- Windows Update
- Microsoft Windows Installer 4.5
- SQL Server Express 2005
- Forefront TMG is installed as a firewall during Forefront UAG setup
- The Windows Server 2008 R2 DirectAccess component is automatically installed.
The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.
- Network Policy Server
- Routing and Remote Access Services
- Active Directory Lightweight Directory Services Tools
- Message Queuing Services
- Web Server (IIS) Tools
- Network Load Balancing Tools
- Windows PowerShell
| Client endpoint | Supported Forefront UAG features |
|---|---|
| Firefox | Endpoint Session Cleanup, Endpoint detection, SSL Application Tunneling, Endpoint Quarantine Enforcement |
| Internet Explorer | Endpoint Session Cleanup, Endpoint detection, SSL Application Tunneling, Socket Forwarding, SSL Network Tunneling (Network Connector), Endpoint Quarantine Enforcement |
| Windows Phone | Premium mobile portal |
| iOS 4.x and 5.x on iPhone and iPad | Premium mobile portal |
| Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0 | Premium mobile portal |
Service Account for Active Directory Authentication:

| Account | Group membership | Password policy |
|---|---|---|
| xmanSA-FUAG | Domain Users | Password set to never expire |
The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.
- Add the server to an array of Forefront UAG servers at a later date.
- Configure the server as a Forefront UAG DirectAccess server at a later date.
- Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
- Publish the File Access application via a Forefront UAG trunk.
- Provide remote clients with access to the internal corporate network using SSTP.
| Component | Location |
|---|---|
| Forefront UAG 2010 | UAG installation folder (may be changed during installation): %ProgramFiles%\Microsoft Forefront Unified Access Gateway |
| Forefront UAG DNS-ALG Service | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe |
| Forefront UAG Monitoring Manager | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe |
| Forefront UAG Session Manager | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe |
| Forefront UAG File Sharing | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe |

The following Forefront UAG services are also installed (executable paths not listed here):
- Forefront UAG Quarantine Enforcement Server
- Forefront UAG Terminal Services RDP Data
- Forefront UAG User Manager
- Forefront UAG Watch Dog Service
- Forefront UAG Log Server
- Forefront UAG SSL Network Tunneling Server
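As an added check (example code, not from the original page or from Microsoft), the following PowerShell enumerates the Forefront UAG services listed above on the UAG server itself, reports their state, start mode and logon account, and confirms that each service executable lives under the installation folder. It uses only WMI (Win32_Service), so it runs on Windows Server 2008 R2 with PowerShell 2.0. The display-name prefix "Forefront UAG" and the default install folder are taken from this page; a non-default install folder must be substituted.

```powershell
# Added example: verify the Forefront UAG services and their binary paths.
# Assumes the default installation folder; adjust $expectedFolder if changed during setup.
$expectedFolder = Join-Path $env:ProgramFiles 'Microsoft Forefront Unified Access Gateway'

function Get-UagServiceStatus {
    param([string]$DisplayNameFilter = 'Forefront UAG%')   # WMI LIKE uses % as the wildcard
    Get-WmiObject -Class Win32_Service -Filter "DisplayName LIKE '$DisplayNameFilter'" |
        ForEach-Object {
            # PathName may be quoted and may carry arguments; keep only the executable
            $exe = $_.PathName
            if ($exe.StartsWith('"')) { $exe = $exe.Split('"')[1] } else { $exe = $exe.Split(' ')[0] }
            New-Object PSObject -Property @{
                DisplayName = $_.DisplayName
                Name        = $_.Name
                State       = $_.State
                StartMode   = $_.StartMode
                Account     = $_.StartName
                Executable  = $exe
                InUagFolder = $exe.StartsWith($expectedFolder, [StringComparison]::OrdinalIgnoreCase)
            }
        }
}

$services = Get-UagServiceStatus
$services | Sort-Object DisplayName |
    Format-Table DisplayName, State, StartMode, Account, InUagFolder -AutoSize

# Flag automatic services that are not running, and any executable outside the install folder
$problems = $services | Where-Object {
    ($_.StartMode -eq 'Auto' -and $_.State -ne 'Running') -or -not $_.InUagFolder
}
if ($problems) {
    Write-Warning 'Services needing attention:'
    $problems | Format-Table DisplayName, State, StartMode, Executable -AutoSize
} else {
    'All Forefront UAG services are in the expected state and location.'
}
```

Some UAG services are configured for manual start and are started on demand, so the check only treats a stopped service as a problem when its start mode is Automatic.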
The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.
There are advantages to placing the Forefront UAG server between a frontend and a backend firewall:
- Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
- The integrity of the content in the corporate network is retained.
- Backend applications and infrastructure servers, such as authentication servers, can be published and reached securely, as required.
- The corporate network infrastructure is hidden from perimeter and external threats.
Perimeter Port Requirement:
To allow remote endpoints to reach the published applications behind the frontend router/firewall, the following traffic must be allowed through the frontend firewall to the Forefront UAG external address:
- HTTP traffic (port 80)
- HTTPS traffic (port 443)
- FTP traffic (port 21)
- RDP traffic (port 3389)
Open only the ports that the published trunks and applications actually use. In particular, RDP (port 3389) should be restricted to the management computers permitted by the Forefront TMG rule described later in this document, not opened to all sources.
Since the XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing:

| Purpose | Protocol | Ports | Direction |
|---|---|---|---|
| Domain controller | Microsoft-DS | TCP 445, UDP 445 | From UAG to DC |
| Kerberos authentication | Kerberos | TCP 88, UDP 88 | From UAG to DC |
| LDAP | LDAP | TCP 389, UDP 389 | From UAG to DC |
| LDAPS | LDAPS | TCP 636, UDP 636 | From UAG to DC |
| LDAP to GC | LDAP | TCP 3268, UDP 3268 | From UAG to DC |
| LDAPS to GC | LDAPS | TCP 3269, UDP 3269 | From UAG to DC |
| DNS | DNS | TCP 53, UDP 53 | From UAG to DC |
| Exchange, SharePoint, RDS | HTTPS | TCP 443 | From external to internal server |
| FTP | FTP | TCP 21 | From external to internal server |

In this test scenario no NAT or internal firewall rules are used. That is not a best practice and not a sound firewall design for a production deployment.
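Before running the Forefront UAG wizards it is worth confirming that the backend firewall really passes the ports in the table above. The following PowerShell is an added example (not from the original page): run on the UAG server, it attempts a TCP connection to each required domain-controller port with a timeout and reports which are reachable. UDP is not probed, because a UDP port gives no reply without a protocol-level exchange. The domain-controller address 10.10.10.1 is an assumption taken from the DNS server in the network table later on this page.

```powershell
# Added example: probe the TCP ports Forefront UAG needs towards the domain controller.
$dc = '10.10.10.1'   # assumption: the DC/DNS server from the network configuration table

$required = @(
    @{ Name = 'Microsoft-DS (SMB)'; Port = 445  },
    @{ Name = 'Kerberos';           Port = 88   },
    @{ Name = 'LDAP';               Port = 389  },
    @{ Name = 'LDAPS';              Port = 636  },
    @{ Name = 'LDAP to GC';         Port = 3268 },
    @{ Name = 'LDAPS to GC';        Port = 3269 },
    @{ Name = 'DNS';                Port = 53   }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A filtered (dropped) port shows up as a timeout rather than a refusal
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($r in $required) {
    New-Object PSObject -Property @{
        Purpose = $r.Name
        Port    = $r.Port
        Open    = Test-TcpPort -ComputerName $dc -Port $r.Port
    }
}
$results | Format-Table Purpose, Port, Open -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    $ports = ($blocked | ForEach-Object { $_.Port }) -join ', '
    Write-Warning ("TCP ports not reachable on {0}: {1}. Check the backend firewall rules." -f $dc, $ports)
} else {
    "All required TCP ports are reachable on $dc."
}
```

A timeout usually means the backend firewall silently drops the traffic; an immediate failure means the packet arrived but nothing is listening (for example, LDAPS on 636 is only answered when the domain controller has a server certificate).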
UAG Network Configuration
The network adapter names used within the operating system should be changed to closely match the associated UAG network names. The following binding order will be maintained within the Windows operating system:
· First in order: the UAG internal adapter connected to the trusted network.
· Second in order: the UAG external adapter connected to the untrusted network.
The following is the network configuration for the UAG server.
| Option | IP Address | Subnet | Default Gateway | DNS |
|---|---|---|---|---|
| Internal Network | 10.10.10.2 | 255.255.255.0 | Not required | 10.10.10.1 |
Important! The External Network adapter can be assigned a public IP address if the UAG server is not placed behind a frontend router/firewall. In an edge configuration the UAG external adapter is configured with a public IP address and the internal adapter with an address from the internal IP range.
Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment. Extract from Recommended Network Adapter Configuration for Forefront UAG Servers
Configuration Step 1 – Rename Network Adapters:
Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:
- UAG adapter connected to the trusted network: Internal Network
- UAG adapter connected to the untrusted network: External Network
Configuration Step 2 – Configure Network Adapters:
The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.
Internal Network Adapter
- Default Gateway should not be defined
- DNS Servers should be defined
- Client for Microsoft Networks binding – Enabled
- File and Print Sharing for Microsoft Networks binding – Enabled
- Register this connection’s address in DNS – Enabled
- Enable LMHOSTS Lookup – Disabled
- NetBIOS over TCP/IP – Default
The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.
External Network Adapter
- Default Gateway should be defined
- DNS Servers should not be defined
- Client for Microsoft Networks binding – Disabled
- File and Print Sharing for Microsoft Networks binding – Disabled
- Register this connection’s address in DNS – Disabled
- Enable LMHOSTS Lookup – Disabled
- NetBIOS over TCP/IP – Disabled
Please note: the 'File and Print Sharing for Microsoft Networks' binding on the TMG Internal Network adapter is left at its default setting of Enabled. This allows the Internal Network adapter to be used for intra-array services when using a Forefront UAG array.
Configuration Step 3 – Amend Bind Order:
Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:
Internal Network (Highest)
External Network (Lowest)
To amend network binding follow the steps below:
1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.
2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.
4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.
Configuration Step 4 – Run the UAG Network Interfaces Wizard:
You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.
Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.
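The settings in Steps 1 to 3 are easy to get subtly wrong (a DNS server left on the external adapter, NetBIOS still enabled, the bind order reversed), so the following PowerShell verifies them on a Windows Server 2008 R2 host before Step 4 is run. It is an added example, not part of the original page or of the extract it quotes. It reads the adapter configuration through WMI and the TCP/IP bind order from the registry, and finishes with the persistent static route the Important! note calls for. The adapter names 'Internal Network' and 'External Network' follow Step 1; the internal router address 10.10.10.254 and the subnet 10.20.0.0/16 are placeholders. The Client for Microsoft Networks and File and Print Sharing bindings are not exposed through these WMI classes and remain GUI steps.

```powershell
# Added example: check Steps 1-3 of the adapter configuration and add a static route.
$internalName = 'Internal Network'   # adapter names from Step 1
$externalName = 'External Network'

function Get-AdapterConfig([string]$ConnectionName) {
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if (-not $nic) { throw "Adapter '$ConnectionName' not found; rename it first (Step 1)." }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
    New-Object PSObject -Property @{
        Name        = $ConnectionName
        Guid        = $nic.GUID.ToUpper()
        Gateway     = $cfg.DefaultIPGateway
        DnsServers  = $cfg.DNSServerSearchOrder
        DnsRegister = $cfg.FullDNSRegistrationEnabled
        LmHosts     = $cfg.WINSEnableLMHostsLookup
        NetBios     = $cfg.TcpipNetbiosOptions   # 0 = default, 1 = enabled, 2 = disabled
    }
}

$int = Get-AdapterConfig $internalName
$ext = Get-AdapterConfig $externalName

# Step 2 rules, one entry per bullet that WMI can observe
$checks = @(
    @{ Rule = 'Internal: no default gateway';           Ok = (-not $int.Gateway) },
    @{ Rule = 'Internal: DNS servers defined';          Ok = [bool]$int.DnsServers },
    @{ Rule = 'Internal: register in DNS enabled';      Ok = [bool]$int.DnsRegister },
    @{ Rule = 'Internal: LMHOSTS lookup disabled';      Ok = (-not $int.LmHosts) },
    @{ Rule = 'External: default gateway defined';      Ok = [bool]$ext.Gateway },
    @{ Rule = 'External: no DNS servers';               Ok = (-not $ext.DnsServers) },
    @{ Rule = 'External: register in DNS disabled';     Ok = (-not $ext.DnsRegister) },
    @{ Rule = 'External: LMHOSTS lookup disabled';      Ok = (-not $ext.LmHosts) },
    @{ Rule = 'External: NetBIOS over TCP/IP disabled'; Ok = ($ext.NetBios -eq 2) }
)

# Step 3: the bind order is the order of "\Device\{GUID}" entries under Tcpip\Linkage\Bind
$bind  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
$order = @($bind | ForEach-Object { $_.Split('\')[-1].ToUpper() })
$checks += ,@{ Rule = 'Bind order: Internal above External'
               Ok   = ([array]::IndexOf($order, $int.Guid) -lt [array]::IndexOf($order, $ext.Guid)) }

$checks | ForEach-Object {
    New-Object PSObject -Property @{ Check = $_.Rule; Pass = [bool]$_.Ok }
} | Format-Table Check, Pass -AutoSize

# Important! note: with the default gateway on the external adapter, internal subnets
# behind a router need a persistent static route via the internal router (placeholders).
# After adding it, include 10.20.0.0/16 in the internal address ranges in the
# UAG Network Interfaces wizard so that TMG inherits it.
route -p add 10.20.0.0 mask 255.255.0.0 10.10.10.254
```

Run the script elevated so that `route -p add` can write the persistent route; the checks themselves only read configuration.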
The following Fully Qualified Domain Names (FQDNs) will be forwarded from the ISP to your router:

| Purpose | Public Host Name | Public IP Address |
|---|---|---|

Scenario #1 Firewall Rules consideration
External NAT Rules
The following NAT rules will be added in the perimeter network to publish applications and services through Forefront UAG.

| Rule(s) | Description | Source IP | Public IP Address (Destination IP Address) |
|---|---|---|---|

The following firewall rules will be added to the internal network firewall to allow communication from the UAG server to the application servers and the domain controller:

| Rule | Description | Source IP | Destination ports (TCP & UDP) |
|---|---|---|---|
| 7 | Domain Controller | 10.10.10.2 | 445, 88, 53 |
Understanding Certificates requirements:
Forefront UAG supports wildcard certificates at the domain and sub-domain level; wildcard certificates in the form *.xman.com.au are supported. Alternatively, a SAN certificate can list the required host names. Certificates must be supplied in .pfx format with the private key included.
Launch Certificate Manager
1. Open the Certificate Manager Microsoft Management Console (MMC) for the local computer. Using Certificate Manager, you can import a certificate into the local computer's Personal certificate store (the store used by IIS), as follows:
2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.
3. Follow the instructions in the Certificate Import Wizard.

| Common Name | Subject Alternative Name | Certificate Issuer |
|---|---|---|
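The same import can be scripted, which also makes it easy to confirm the three things that commonly break a trunk: a missing private key, an expired certificate, and a host name that neither the CN nor a SAN entry covers. The following PowerShell is an added example (not from the original page): it imports a .pfx into the local computer's Personal store using the .NET X509 classes available on Windows Server 2008 R2, then checks the certificate against the trunk's public host name, treating a wildcard such as *.xman.com.au as covering exactly one label. The file path, password and host name are placeholders.

```powershell
# Added example: import a trunk certificate and validate it for the public host name.
Add-Type -AssemblyName System.Security

function Import-UagTrunkCertificate {
    param([string]$PfxPath, [string]$Password)
    # MachineKeySet + PersistKeySet: the private key is stored for the machine, not the user
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet,Exportable'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    if ($cn) { $names += $cn.Substring(3) }
    # Subject Alternative Name extension (OID 2.5.29.17); Format($false) gives a single line
    # such as "DNS Name=portal.xman.com.au, DNS Name=mail.xman.com.au" on an English OS
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $san.Format($false) -split ',\s*' | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $names += $matches[1] }
        }
    }
    return $names
}

function Test-CertificateCoversHost {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    foreach ($n in Get-CertificateDnsNames $Cert) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers one label only: *.xman.com.au matches portal.xman.com.au,
        # not a.b.xman.com.au
        if ($n.StartsWith('*.') -and $HostName -like $n -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# Placeholders: path, password and the trunk's public host name
$cert       = Import-UagTrunkCertificate -PfxPath 'C:\certs\portal.pfx' -Password 'PfxPassword'
$publicHost = 'portal.xman.com.au'

"Subject     : $($cert.Subject)"
"Thumbprint  : $($cert.Thumbprint)"
"Expires     : $($cert.NotAfter)"
"Private key : $($cert.HasPrivateKey)"
"Covers host : $(Test-CertificateCoversHost $cert $publicHost)"

if (-not $cert.HasPrivateKey) { Write-Warning 'No private key: the trunk cannot use this certificate.' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Certificate expires within 30 days.' }
if (-not (Test-CertificateCoversHost $cert $publicHost)) { Write-Warning "Certificate does not cover $publicHost." }
```

The SAN parsing relies on the English "DNS Name=" label produced by Format(); on a localized server the label text differs and the regular expression must be adjusted.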
Understanding Properties of Trunk
- Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
- Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
- IP address: Specify the external IP address used to reach the published Web application or portal.
- Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
- HTTP/HTTPS port: Specify the port for the external Web site.
UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following tables describe the list of trunks and their advanced configuration.

| Trunk Name | Public Host Name | HTTPS Port | External IP Address | Authentication Server(s) |
|---|---|---|---|---|

| URL List | Methods | Allow Rich Content |
|---|---|---|
Published Applications and Services:
Install Forefront UAG:
Attach the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to the virtual machine on the Hyper-V server as media, and run Setup from the Forefront UAG folder.
Ensure that the Network List Service (netprofm) and the Network Location Awareness (NlaSvc) services are running before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.
On the Welcome page of Setup, click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location if required. Do not install Forefront UAG from a network share.
Restart the server.
Initial Configuration Using Getting Started Wizard
Before you run the initial configuration, patch Forefront UAG in the order described in the referenced article. To patch UAG, open a command prompt using Run as administrator, change to the folder where you saved the service packs and updates, and run them one by one. If setup is not run as an administrator it cannot modify the registry, so it will roll back and fail.
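The two requirements just stated, an elevated session and a fixed update order, are easy to enforce from a script. The following PowerShell is an added example (not from the original page): it refuses to run unless elevated, makes sure the Network List Service and Network Location Awareness services from the installation step are running, then executes the update packages in the listed order and stops at the first one that fails, so a later update is never applied on top of a failed earlier one. The folder and file names are placeholders; the real order comes from the article referenced above, and any silent-install switches are a per-package assumption to be added to Start-Process if the package documents them.

```powershell
# Added example: run Forefront UAG updates in order from an elevated session.
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Assert-ServicesRunning([string[]]$Names) {
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction Stop
        if ($svc.Status -ne 'Running') {
            Write-Host "Starting $n ($($svc.DisplayName))"
            Start-Service -Name $n
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
        }
    }
}

function Install-UpdatesInOrder([string[]]$Paths) {
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { throw "Missing update file: $p" }
        Write-Host ("Installing {0} ..." -f (Split-Path $p -Leaf))
        # Runs the package interactively; add documented silent switches via -ArgumentList if wanted
        $proc = Start-Process -FilePath $p -Wait -PassThru
        # Windows Installer conventions: 0 = success, 3010 = success, restart required
        if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
            throw "$p failed with exit code $($proc.ExitCode); stopping so later updates are not applied out of order."
        }
        if ($proc.ExitCode -eq 3010) { Write-Warning "$p requests a restart before continuing." }
    }
}

if (-not (Test-IsElevated)) {
    throw 'Run this from an elevated PowerShell session; otherwise setup cannot modify the registry and rolls back.'
}
Assert-ServicesRunning @('netprofm', 'NlaSvc')

# Placeholder list in the required order (assumption: packages copied to C:\UAGUpdates)
$updates = @(
    'C:\UAGUpdates\01-first-update.exe',
    'C:\UAGUpdates\02-second-update.exe',
    'C:\UAGUpdates\03-third-update.exe'
)
Install-UpdatesInOrder $updates
```

When a package returns 3010, restart the server before rerunning the script with the remaining packages.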
In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.
On the Define Network Adapter Settings page, in the Adapter name list do the following:
To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the external network adapter. You can add, edit, or remove ranges as required. Note that it is not recommended to configure DNS on the external adapter.
To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.
After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:
If you are running Forefront UAG on a single server, click Single server.
If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.
After running the Server Management Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Update. Note that an Internet connection is required both to opt in for updates and to receive them. Forefront UAG updates are only available for the RTM release and later.
If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, click No, I do not want to participate if you do not want to participate in the program.
Configure Remote Desktop (RDP) to Forefront UAG
After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a Remote Desktop connection, you must do the following:
Ensure that Remote Desktop is enabled on the Forefront UAG server.
Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set, or is allowed by an access rule as below.
To create the access rule, open the Forefront TMG Management console from the Start menu.
1. In the console tree, right-click the Firewall Policy node, point to New, click Access Rule, and type the name RDP Access Policy.
2. On the Rule Action page, click Allow, and then click Next.
3. On the Protocols page, click Add, select the RDP (Terminal Services) Server protocol from All Protocols, and then click Next.
4. On the Access Rule Sources page, click Add, click New, click Computer, enter the name and IP address of the management computer, and then click Next.
5. On the Access Rule Destinations page, click Add, click New, click Computer, enter the name and IP address of the UAG server, click Next, click Finish, and then click Apply to apply the changes.
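The two prerequisites above (Remote Desktop enabled on the server, and the management computer allowed through Forefront TMG) can also be applied from PowerShell on the UAG server. The following is an added example, not from the original page: it enables Remote Desktop through the registry keys Windows uses for that setting, turns on Network Level Authentication as a hardening step the page does not mention, and adds the management computer to the TMG "Remote Management Computers" computer set through the TMG COM administration object (FPC.Root), which is the computer-set route the page names rather than the per-rule wizard steps. The management computer name and address are placeholders, and the FPC object model calls (GetContainingArray, RuleElements.ComputerSets, Computers.Add, Save) are given from memory of the TMG SDK and should be verified against the SDK for your build.

```powershell
# Added example: enable Remote Desktop and allow a management computer in Forefront TMG.
$mgmtName = 'MGMT01'        # assumption: management workstation name
$mgmtIp   = '10.10.10.50'   # assumption: management workstation address

# 1. Enable Remote Desktop (fDenyTSConnections = 0) and require Network Level Authentication
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
"Remote Desktop enabled: $((Get-ItemProperty $tsKey).fDenyTSConnections -eq 0)"

# 2. Add the management computer to the TMG "Remote Management Computers" computer set
#    (COM object names and methods as per the Forefront TMG SDK; verify for your build)
$fpc   = New-Object -ComObject 'FPC.Root'
$array = $fpc.GetContainingArray()
$set   = $array.RuleElements.ComputerSets.Item('Remote Management Computers')

$exists = $false
foreach ($c in $set.Computers) { if ($c.IPAddress -eq $mgmtIp) { $exists = $true } }
if (-not $exists) {
    [void]$set.Computers.Add($mgmtName, $mgmtIp)
    $array.Save()
    "Added $mgmtName ($mgmtIp) to 'Remote Management Computers' and saved the TMG configuration."
} else {
    "$mgmtIp is already a member of 'Remote Management Computers'."
}

# 3. Review every computer now permitted to manage TMG/UAG remotely; remove any that are
#    no longer needed, since each one can reach the RDP listener on the UAG server
foreach ($c in $set.Computers) { "  {0,-20} {1}" -f $c.Name, $c.IPAddress }
```

Saving the TMG configuration is equivalent to clicking Apply in the console; the change takes a few moments to propagate to the firewall engine before the new computer can connect.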