Publish FTP Using Microsoft Forefront UAG 2010


Recently I have completed a UAG project. The purpose of the project was to publish several websites, SharePoint and OWA. All went ok except I got stuck with FTP. After trying several times, publishing FTP failed with error “Your Computer does not meet the security policy requirements of this application”. I went through UAG events to find out a solution of this issue. No luck. I went thought Ben Ari’s blog. No luck. Actually Ben’s blog tells you a little on FTP and doesn’t tell you about backend FTP server and UAG in details. So I end up being calling Microsoft Tech support to help me sort out the issue.  So here is my research on FTP and outcome for you guys who are struggling to publish FTP using UAG.

Prerequisites:

  1. Forefront UAG 2010 SP3
  2. Windows 7 or Windows 8 Client
  3. Windows Server 2008 R2 Domain
  4. Internet Explorer 9 or later
  5. Passive Mode FileZilla FTP Client or passive mode CuteFTP Client
  6. Passive mode IIS 7.5 FTP 
  7. Client Connection Port 20 & 21.
  8. Passive mode port range 1024-65534

image

image

Create a separate FTP Trunk:

You need to create a separate trunk for FTP. Right Click HTTP/HTTPS Trunk, Create a new Trunk. In my case I have created a HTTPS Trunk which means you need a proper public certificate with matching Common Name of Certificate for HTTPS trunk to work correctly. Note that you need certificate with public key. You must import certificate in PFX format.

image

Once you configured a trunk with all default settings, Click Configure to configure Advanced settings of Trunk. 

image

On the Authentication Tab, Uncheck Require users to authenticate at session logon. If you would like that user authenticate at session using domain credentials you can keep it. I don’t want user’s to authenticate twice so I un-ticked this one.

image

Click Session Tab, make sure disable component installation and disable scripting for portal are unchecked.

image

Click Endpoint Access Settings Tab, Click Edit Endpoint Policies, Select Default Session Access, Click Edit Policy, On the other, Click Always. Click Ok. Repeat the step for Default Privileged Endpoint, Default non web access Policy. Click Ok.

image

image

Add Enhanced Generic Client Application (Multiple Servers)

Add a Enhanced generic client application (multiple servers) on this FTP trunk. Use all default settings except server settings which is shown in below screen shots.

image

image

On the Server Settings Tab, make sure you type fully qualified domain name of FTP server. In my test lab, I configured my domain controller as FTP server which is not best practice in production environment. This is only for demonstration purpose. On the Ports, Use 20,21,1024-65534, On the Executable type real path of FTP client installed in Windows 7 or Windows 8. In my case C:Program FilesFileZilla FTP ClientFileZilla.exe. Click Ok. 

image

image

On the socket forwarding select basic.

image

image

image

On the Endpoint policy make sure other is set to always. Click Ok.

image

Activate the Trunk

Click File, Click Activate.

image

Wait for Activation to complete.

image

Open Command Prompt as an administrator. Type iisreset and hit enter.

image

Error and Warning:

Open a browser from Windows client, browse https://ftp.yourdomain.com and see the outcome. Make you sure FileZilla Client is installed in C:Program FilesFileZilla FTP Client location in Windows 7 or Windows 8.   You may or may not receive warning depending on your client environment. To fix the warning open, UAG web monitor, Click Session monitor and select the FTP trunk, Click connected session, see endpoint information.

In my case I received “Your Computer does not meet the security policy requirements of this application” which says I don’t have any antivirus installed (Compliant antivirus not detected) but I have Symantec antivirus. Solution? Actually UAG is looking Microsoft security essentials in my computer. Work around is install Microsoft Security Essentials and turn on Windows firewall. 

image

image

image

image

image

To avoid this issue, you can create a new endpoint policy. Click Configure on Trunk, Click Edit endpoint policies, Click Add policy.

image

image

Create a new policy allowing any antivirus, any firewall shown below screen shot. Click Ok.

image

Apply the policy into Endpoint Policy.

image

Again activate the trunk. run iisreset.

Testing FTP

Open browser, browse https://ftp.yourdomain.com 

image

Click FTP to open FileZilla Client application. Once UAG component is installed. Type the ftp server name, username and password on ftp client to connect

image

image

image

Now go back to UAG web monitor. select FTP trunk, Go to Endpoint information, you will see client is compliant and connected.

image

image

Further Study

Publish FTP using TMG

Passive mode IIS 7.5 FTP 

UAG Articles

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

 

 

 

 

 

 

 

 

 

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server and tagged , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s