Recently I have completed a UAG project. The purpose of the project was to publish several websites, SharePoint and OWA. All went ok except I got stuck with FTP. After trying several times, publishing FTP failed with the error “Your Computer does not meet the security policy requirements of this application”. I went through UAG events to find a solution to this issue. No luck. I went through Ben Ari’s blog. No luck. Actually Ben’s blog tells you a little on FTP and doesn’t tell you about the backend FTP server and UAG in detail. So I ended up calling Microsoft Tech Support to help me sort out the issue. So here is my research on FTP and the outcome for you guys who are struggling to publish FTP using UAG.
- Forefront UAG 2010 SP3
- Windows 7 or Windows 8 Client
- Windows Server 2008 R2 Domain
- Internet Explorer 9 or later
- Passive Mode FileZilla FTP Client or passive mode CuteFTP Client
- Passive mode IIS 7.5 FTP
- Client Connection Port 20 & 21.
- Passive mode port range 1024-65534
Create a separate FTP Trunk:
You need to create a separate trunk for FTP. Right-click HTTP/HTTPS Trunk and create a new trunk. In my case I have created an HTTPS trunk, which means you need a proper public certificate whose Common Name matches the trunk’s public host name for the HTTPS trunk to work correctly. Note that you need a certificate with its public key, and you must import the certificate in PFX format.
Once you have configured the trunk with all default settings, click Configure to open the advanced trunk settings.
On the Authentication tab, uncheck Require users to authenticate at session logon. If you want users to authenticate at session logon with their domain credentials, you can keep it checked. I don’t want users to authenticate twice, so I un-ticked this one.
Click the Session tab and make sure Disable component installation and Disable scripting for portal are both unchecked.
Click the Endpoint Access Settings tab, click Edit Endpoint Policies, select Default Session Access, click Edit Policy, and on the Other tab click Always. Click OK. Repeat the step for Default Privileged Endpoint and Default Non Web Access Policy. Click OK.
Add Enhanced Generic Client Application (Multiple Servers)
Add an Enhanced Generic Client Application (multiple servers) on this FTP trunk. Use all default settings except the server settings, which are shown in the screenshots below.
On the Server Settings tab, make sure you type the fully qualified domain name of the FTP server. In my test lab I configured my domain controller as the FTP server, which is not best practice in a production environment; this is only for demonstration purposes. Under Ports, use 20,21,1024-65534 (the control ports plus the passive data port range the backend IIS FTP server is configured with). Under Executable, type the real path of the FTP client installed on Windows 7 or Windows 8, in my case C:\Program Files\FileZilla FTP Client\FileZilla.exe. Click OK.
On the Socket Forwarding tab, select Basic.
On the Endpoint Policy tab, make sure Other is set to Always. Click OK.
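The port list above only helps if the backend IIS 7.5 FTP server really hands out passive data ports inside 1024-65534; a PASV reply outside that range is not covered by the UAG application and the data channel will fail even though the control channel on port 21 works. The following PowerShell script is an added example, not part of the original post or of any UAG or IIS tooling. It opens the control channel directly to the backend server (run it from a host with direct reach, such as the UAG server’s internal interface), logs in, issues PASV, parses the “227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)” reply, and checks that p1*256+p2 falls inside the configured range. The server name, account and password are placeholders you replace with your own; the appcmd line in the comment is the standard IIS 7.5 command for setting the passive range on the FTP server itself.

```powershell
# Added example: confirm the backend IIS FTP server offers passive data ports
# inside the range entered on the UAG application's port list (20,21,1024-65534).
# $FtpServer, $User and $Password are placeholders for your own environment.
param(
    [string]$FtpServer = "ftp.corp.example",   # placeholder: your backend FTP FQDN
    [string]$User      = "anonymous",          # placeholder test account
    [string]$Password  = "test@example",       # placeholder
    [int]$LowPort      = 1024,
    [int]$HighPort     = 65534
)

# Server side (run once on the IIS 7.5 FTP box, not part of this script):
# set the passive data channel range so it matches what UAG forwards.
#   %windir%\system32\inetsrv\appcmd set config /section:system.ftpServer/firewallSupport /lowDataChannelPort:1024 /highDataChannelPort:65534

function Read-FtpReply([System.IO.StreamReader]$Reader) {
    # Returns the final line of an FTP reply; multi-line replies start with
    # "xyz-" and end with a line that starts with "xyz " (code plus space).
    $line = $Reader.ReadLine()
    if ($line -eq $null) { throw "Connection closed by server" }
    if ($line.Length -ge 4 -and $line[3] -eq '-') {
        $code = $line.Substring(0, 3)
        do { $line = $Reader.ReadLine() } while ($line -ne $null -and -not $line.StartsWith("$code "))
    }
    return $line
}

function ConvertFrom-PasvReply([string]$Reply) {
    # "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": data port is p1*256 + p2
    if ($Reply -notmatch '\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)') {
        throw "Unexpected PASV reply: $Reply"
    }
    $addr = "$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    $port = [int]$Matches[5] * 256 + [int]$Matches[6]
    New-Object PSObject -Property @{ Address = $addr; Port = $port }
}

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($FtpServer, 21)           # control channel, must be reachable
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"                # FTP commands are CRLF terminated
    $writer.AutoFlush = $true

    $banner = Read-FtpReply $reader
    Write-Host "Control channel OK: $banner"

    $writer.WriteLine("USER $User"); Read-FtpReply $reader | Out-Null
    $writer.WriteLine("PASS $Password")
    $login = Read-FtpReply $reader
    if ($login -notmatch '^230') { throw "Login failed: $login" }

    $writer.WriteLine("PASV")
    $pasv = ConvertFrom-PasvReply (Read-FtpReply $reader)
    Write-Host ("Passive data port offered: {0}:{1}" -f $pasv.Address, $pasv.Port)

    if ($pasv.Port -lt $LowPort -or $pasv.Port -gt $HighPort) {
        Write-Warning "Data port $($pasv.Port) is outside $LowPort-$HighPort; the UAG application's port list will not cover it."
    } else {
        Write-Host "Data port is inside the range configured on the UAG application."
    }

    $writer.WriteLine("QUIT"); Read-FtpReply $reader | Out-Null
} finally {
    $client.Close()
}
```

Run it a few times: the FTP server picks a fresh passive port per PASV request, so a single reply only proves one allocation. If the address in the 227 reply is not the server’s routable address (common when the server is behind NAT), that is a separate firewallSupport setting on IIS (externalIp4Address) and not something the UAG port list can fix.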
Activate the Trunk
Click File, then click Activate.
Wait for the activation to complete.
Open a Command Prompt as an administrator, type iisreset and hit Enter.
Error and Warning:
Open a browser on the Windows client, browse to https://ftp.yourdomain.com and see the outcome. Make sure the FileZilla client is installed in the C:\Program Files\FileZilla FTP Client location on Windows 7 or Windows 8. You may or may not receive a warning depending on your client environment. To troubleshoot the warning, open UAG Web Monitor, click Session Monitor, select the FTP trunk, click the connected session and look at the endpoint information.
In my case I received “Your Computer does not meet the security policy requirements of this application”, which says I don’t have any antivirus installed (Compliant antivirus not detected), but I have Symantec antivirus. Solution? Actually UAG is looking for Microsoft Security Essentials on my computer. The workaround is to install Microsoft Security Essentials and turn on the Windows firewall.
To avoid this issue, you can create a new endpoint policy. Click Configure on the trunk, click Edit Endpoint Policies, then click Add Policy.
Create a new policy allowing any antivirus and any firewall, as shown in the screenshot below. Click OK.
Apply the new policy in the application’s Endpoint Policy settings.
Activate the trunk again and run iisreset.
Open a browser and browse to https://ftp.yourdomain.com.
Click FTP to open the FileZilla client application. Once the UAG component is installed, type the FTP server name, username and password in the FTP client to connect.
Now go back to UAG Web Monitor, select the FTP trunk and go to Endpoint Information; you will see that the client is compliant and connected.