Blog by Raihan Al-Beruni

Part 8: Publish Application Specific Host Name using UAG 2010

Supported Browser Clients:

Forefront UAG Overview:

Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computer and mobile devices. UAG provides many benefits. the following is the extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
Easily integrates with Active Directory and enables a variety of strong authentication methods.
Limits exposure and prevent data leakage to unmanaged endpoints.

Assumptions:

The following servers is installed and configured in a test environment.

Systems Requirements:

Option	Description
Virtual Machine Name	DC1TVUAG01
Memory	8GB
vCPU	1
Hard Disk 1	50GB
Hard Disk 2	50GB
Network Adapter	2
Guest Operating System	Windows Server 2008 R2
Service Pack Level	SP1

Software Requirement:

Version	Microsoft Forefront Unified Access Gateway 2010
Service Pack Level	SP3

Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:

Microsoft .NET Framework 3.5 SP1
Windows Web Services API
Windows Update
Microsoft Windows Installer 4.5
SQL Server Express 2005
Forefront TMG is installed as a firewall during Forefront UAG setup
The Windows Server 2008 R2 DirectAccess component is automatically installed.

The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.

Network Policy Server
Routing and Remote Access Services
Active Directory Lightweight Directory Services Tools
Message Queuing Services
Web Server (IIS) Tools
Network Load Balancing Tools
Windows PowerShell

Browser

Features

Firefox

Endpoint Session Cleanup

Endpoint detection

SSL Application Tunneling

Endpoint Quarantine Enforcement

Internet Explorer

Endpoint Session Cleanup

Endpoint detection

SSL Application Tunneling

Socket Forwarding

SSL Network Tunneling (Network Connector)

Endpoint Quarantine Enforcement

Supported Mobile Devices:

Device Name	Features
Windows Phone	Premium mobile portal
iOS: 4.x and 5.x on iPhone and iPad	Premium mobile portal
Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0	Premium mobile portal

Service Account for Active Directory Authentication:

Service Account	Privileges	Password
xman\SA-FUAG	Domain Users	Password set to never expired

Domain Joined Forefront UAG:

The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.

Add the server to an array of Forefront UAG servers at a later date.
Configure the server as a Forefront UAG DirectAccess server at a later date.
Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
Publish the File Access application via a Forefront UAG trunk.
Provide remote clients with access to the internal corporate network using SSTP.

Antivirus Exclusion:

Version

Paths

Processes

Forefront UAG 2010

UAG installation folder (may be changed during installation)
%ProgramFiles%\Microsoft Forefront Unified Access Gateway

Forefront UAG DNS-ALG Service
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe

Forefront UAG Monitoring Manager
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe

Forefront UAG Session Manager
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe

Forefront UAG File Sharing
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe

Forefront UAG Quarantine Enforcement Server
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagqessvc.exe

Forefront UAG Terminal Services RDP Data
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagrdpsvc.exe

Forefront UAG User Manager
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\UserMgrCom.exe

Forefront UAG Watch Dog Service
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\WatchDogSrv.exe

Forefront UAG Log Server
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlerrsrv.exe

Forefront UAG SSL Network Tunneling Server
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlios.exe

Forefront UAG Placement:

The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

There are advantages to place the Forefront UAG server between a frontend and backend firewall, as follows:

Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
Integrity of the content in the corporate network is retained.
Securely publish backend applications and access infrastructure servers, such as authentication servers, as required.
Hide corporate network infrastructure from perimeter and external threat.

Scenario#1

Perimeter Port Requirement:

To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:

HTTP traffic (port 80)
HTTPS traffic (port 443)
FTP Traffic (Port 21)
RDP Traffic (Port 3389)

Backend Port Requirement

Since XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purpose.

Infrastructure server	Protocol	Port	Direction
Domain controller	Microsoft-DS traffic	TCP 445 UDP 445	From UAG to DC
	Kerberos authentication	TCP 88 UDP 88	From UAG to DC
	LDAP	TCP 389 UDP 389	From UAG to DC
	LDAPS	TCP 636 UDP 636	From UAG to DC
	LDAP to GC	TCP 3268 UDP 3268	From UAG to DC
	LDAPS to GC	TCP 3269 UCP 3269	From UAG to DC
	DNS	TCP 53 UDP 53	From UAG to DC
Exchange, SharePoint, RDS	HTTPS	TCP 443	From external to internal server
FTP	FTP	TCP 21	From external to internal server

Scenario#2

In this scenario no NAT or internal firewall rules are needed but not a best practice and not a great firewall design.

UAG Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated UAG network name. The following binding order will be maintained within Windows operating systems:

· First in Order- UAG internal adapter connected to the trusted network.

· Second in Order- UAG external adapter connected to the untrusted network.

The following are the network configuration for UAG server.

Option	IP Address	Subnet	Default Gateway	DNS
Internal Network	10.10.10.2	255.255.255.0	Not required	10.10.10.1
External Network	192.168.1.1	255.255.255.0	192.168.1.254	Not required

Important! External Network can be assigned public IP if UAG server isn’t placed behind frontend router/firewall. In an edge configuration UAG external network is configured with public IP and internal network is assigned an IP address of internal IP range.

Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment. Extract from Recommended Network Adapter Configuration for Forefront UAG Servers

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:

UAG adapter connected to the trusted network: Internal Network
UAG adapter connected to the untrusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

Default Gateway should not be defined
DNS Servers should be defined
Client for Microsoft Networks binding – Enabled
File and Print Sharing for Microsoft Networks binding – Enabled
Register this connection’s address in DNS – Enabled
Enable LMHOSTS Lookup – Disabled
NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

Default Gateway should be defined
DNS Servers should not be defined
Client for Microsoft Networks binding – Disabled
File and Print Sharing for Microsoft Networks binding – Disabled
Register this connection’s address in DNS – Disabled
Enable LMHOSTS Lookup – Disabled
NetBIOS over TCP/IP – Disabled

Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the TMG internal adapter is left at the default settings of Enabled on the TMG Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a Forefront UAG array.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

Configuration Step 4 – Run the UAG Network Interfaces Wizard:

You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.

Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:

Purpose	Public Host Name	Public IP Address
Exchange	webmail.xman.com.au	203.17.x.x
SharePoint	sharepoint.xman.com.au	203.17.x.x
RDS	remote.xman.com.au	203.17.x.x
FTP	ftp.xman.com.au	203.17.x.x

Scenario#1 Firewall Rules consideration

External NAT Rules

The following NAT rules will be added into perimeter network to publish application and services through Forefront UAG.

Rule(s)	Description	Source IP	Public IP Address (Destination IP Address)	Port	NAT Destination	Status
1	Exchange	Any	203.17.x.x	443	10.10.10.2	Forward
2	SharePoint	Any	203.17.x.x	443	10.10.10.2	Forward
4	RDS	Any	203.17.x.x	443	10.10.10.2	Forward
5	FTP	Any	203.17.x.x	21	10.10.10.2	Forward

Internal Firewall Rules

The following firewall rules will be added into internal network firewall to allow communication from UAG server to application servers and domain controller:

Rules	Description	Source IP	Port TCP & UDP	NAT Destination	Destination	Status
1	Exchange	10.10.10.2	TCP 443	Not Required	10.10.10.3	Forward
2	SharePoint	10.10.10.2	TCP 443	Not Required	10.10.10.4	Forward
4	RDS	10.10.10.2	TCP 443	Not Required	10.10.10.5	Forward
5	FTP	10.10.10.2	TCP 21	Not Required	10.10.10.6	Forward
6	Client	10.10.12.0/24 10.10.13.0/24	TCP 443 TCP 21	Not Required	10.10.10.2	Forward
7	Domain Controller	10.10.10.2	445, 88, 53 389, 636 3268, 3296	Not Required	10.10.10.1	Forward

Understanding Certificates requirements:

Forefront UAG supports wildcard certificates at the domain level and sub-domain level. Wildcard certificates in the form *.xman.com.au are supported. In addition the SAN certificate can specify the required host names.

Launch Certificate Manager

1. Click to open the Certificate Manager Microsoft Management Console (MMC). Using Certificate Manager, you can import a certificate into the IIS Certificate store, as follows:

2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.

3. Follow the instructions in the Certificate Import Wizard.

Common Name	Subject Alternative Name	Certificate Issuer
RDS.xman.com.au	–	Verisign/Digicert
webmail.xman.com.au	autodiscover.xman.com.au	Verisign/Digicert
ftp.xman.com.au	–	Verisign/Digicert
sharepoint.xman.com.au	–	Verisign/Digicert

Understanding Properties of Trunk

Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
IP address: Specify the external IP address used to reach the published Web application or portal.
Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
HTTP/HTTPS port: Specify the port for the external Web site.

UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following topics describe a list of trunks and its advanced configuration.

Advanced Trunk Configuration for SharePoint: The following changes should be made in advanced trunk configuration to allow mobile devices to communicate with UAG server for rich application:

URL List	Methods	Allow Rich Content
InternalSite_Rule54	HEAD	Checked
SharePoint14AAM_Rule47	HEAD	Checked

Published Applications and Services:

Install Forefront UAG:

Insert the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to a Hyper-V server as media, and run Setup from the Forefront UAG folder.

Ensure that the Network List Service (Netprofm) and the Network Location Awareness (NlaSvc) services are running, before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.

On the Welcome page of Setup, do the following:

Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.

Restart the Server.

Initial Configuration Using Getting Started Wizard

In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

On the Define Network Adapter Settings page, in the Adapter name list do the following:

To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required. Note that it is not recommended to configure DNS on the external adapter.

To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.

After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:

If you are running Forefront UAG on a single server, click Single server.

If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.

After running the Network Configuration Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, Click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Updates. Note that an Internet connection is required both to opt in for updates and receive them. Forefront UAG updates will only be available after the RTM release.

If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, Click No, I do not want to participate if you do not want to participate in the program.

Configure Remote Desktop (RDP) to Forefront UAG

After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:

Ensure that remote desktop is enabled on the Forefront UAG server.

Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.

To do this, open the Forefront TMG Management console from the Start menu.

1. In the console tree, click the Firewall Policy node. Right Click New, Click Access Policy, Type Name: RDP Access Policy.

2. On the Rule Action, Click Allow, Click Next

3. On the Selected Protocols, Click Add, Select RDP Server from all protocol, Click Next

4. On the Source tab, Click New, Click new, Click Computer, Add name and IP address of the computer, Click next

5. On the destination page, Click new, Click computer, add name and IP address of UAG server, Click Next, Click Finish and Apply changes.

Forefront UAG 2010 Deployment Guide

Posted on June 24, 2014 by LM Publications

Forefront TMG Important URL and Guide

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 8: Publish Application Specific Host Name using UAG 2010

Forefront UAG Event Messages

Forefront UAG registry keys

Microsoft Forefront Product Roadmap

Posted on January 22, 2014 by LM Publications

Microsoft is discontinuing any further releases of the following Forefront-branded solutions:

Forefront Protection 2010 for Exchange Server (FPE)
Forefront Protection 2010 for SharePoint (FPSP)
Forefront Security for Office Communications Server (FSOCS)
Forefront Threat Management Gateway 2010 (TMG)
Forefront Threat Management Gateway Web Protection Services (TMG WPS)
Forefront Unified Access Gateway 2010 (UAG)
Forefront Client Security
Forefront Security for Exchange Server

There is no change to the FIM roadmap. Microsoft will continue to develop next version of FIM.

References.

http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Forefront&Filter=FilterNO

http://redmondmag.com/articles/2013/12/17/microsoft-ending-uag-sales.aspx

Experience Mobile (iPhone & Android) Browsing with Forefront UAG

Posted on January 8, 2014 by LM Publications

If you are scratching your head how to grant access to your website for iPhone and Tablet published via Forefront UAG, there is way to achieve your goal. But before I articulate how to achieve this let’s revisit how UAG endpoint compliance works.

By default UAG checks compliance of every endpoint device. If you do now allow all endpoint devices in UAG Trunk it will be blocked due to policy violation. Since release of UAG SP3, mobile devices are identified as “Other” in UAG Endpoint Policy. “Other” includes iPhone, iPad, Android phone and tablet. Surprisingly I found that UAG also blocks Windows 8 mobile phone unless you allow it explicitly in endpoint policy.

When an endpoint device connect to Trunk portal or a published website, UAG automatically check Default Session Access and Default Web Application Access policy. However for FTP and similar policy UAG checks Default Web Application Upload and Default Web Application Download policy as well. You need to tweak little bit in the Trunk properties and application properties to make it work.

Let’s begin with Trunk properties. Log on the UAG server using administrative credential. Open UAG Management Console.

Step1: Advanced Trunk Configuration

Select the Trunk where you publish the application, in the Trunk Configuration area, click Configure.
On the Advanced Trunk Configuration dialog box, click the Endpoint Access Settings tab.
On the Endpoint Access Settings tab, click Edit Endpoint Policies.
On the Manage Policies and Expressions dialog box, click the Default Session Access policy, and then click Edit Policy.
On the Policy Editor dialog box, under Select platform-specific policies, in the Other drop-down list, click Always, and then click OK.
On the Manage Policies and Expressions dialog box, click the Default Web Application Access policy, and then click Edit Policy.
On the Policy Editor dialog box, under Select platform-specific policies, in the Other drop-down list, click Always, and then click OK.
Repeat the step 4 to step 7 on all the required policies. Example for FTP policies perform step4 to step7 for Default Web Application Upload and Default Web Application Download policies.
On the Manage Policies and Expressions dialog box, click Close.
On the Advanced Trunk Configuration dialog box, click OK.
Activate the configuration. Wait for activation to complete. Note that it takes few minutes.
Open elevated command prompt using run as administrator option. Type iisreset and hit enter.

Step2: Allow Premium Mobile Portal

Select the application you published through the Trunk where you configured advanced properties in previous steps. In the Applications area, click the required application, and then click Edit.
On the Application Properties dialog box, click the Portal tab.
On the Portal tab, select the Premium mobile portal and Non-premium mobile portal check box.
On the Application Properties dialog box, click OK.
Activate the configuration. Wait for activation to complete. Note that it takes few minutes.
Open elevated command prompt using run as administrator option. Type iisreset and hit enter.

Step3: Test Mobile Devices

Browse published website in Windows Phone or iPhone
Open Forefront UAG Monitor, Check the Session compliance, Authentication in Active Session.
Check all systems logs in UAG monitor. You will see a session is connected successfully with endpoint device type, endpoint IP and GUID mentioned in the logs.

Publish FTP Using Microsoft Forefront UAG 2010

Posted on December 25, 2013 by LM Publications

Recently I have completed a UAG project. The purpose of the project was to publish several websites, SharePoint and OWA. All went ok except I got stuck with FTP. After trying several times, publishing FTP failed with error “Your Computer does not meet the security policy requirements of this application”. I went through UAG events to find out a solution of this issue. No luck. I went thought Ben Ari’s blog. No luck. Actually Ben’s blog tells you a little on FTP and doesn’t tell you about backend FTP server and UAG in details. So I end up being calling Microsoft Tech support to help me sort out the issue. So here is my research on FTP and outcome for you guys who are struggling to publish FTP using UAG.

Prerequisites:

Forefront UAG 2010 SP3
Windows 7 or Windows 8 Client
Windows Server 2008 R2 Domain
Internet Explorer 9 or later
Passive Mode FileZilla FTP Client or passive mode CuteFTP Client
Passive mode IIS 7.5 FTP
Client Connection Port 20 & 21.
Passive mode port range 1024-65534

Create a separate FTP Trunk:

You need to create a separate trunk for FTP. Right Click HTTP/HTTPS Trunk, Create a new Trunk. In my case I have created a HTTPS Trunk which means you need a proper public certificate with matching Common Name of Certificate for HTTPS trunk to work correctly. Note that you need certificate with public key. You must import certificate in PFX format.

Once you configured a trunk with all default settings, Click Configure to configure Advanced settings of Trunk.

On the Authentication Tab, Uncheck Require users to authenticate at session logon. If you would like that user authenticate at session using domain credentials you can keep it. I don’t want user’s to authenticate twice so I un-ticked this one.

Click Session Tab, make sure disable component installation and disable scripting for portal are unchecked.

Click Endpoint Access Settings Tab, Click Edit Endpoint Policies, Select Default Session Access, Click Edit Policy, On the other, Click Always. Click Ok. Repeat the step for Default Privileged Endpoint, Default non web access Policy. Click Ok.

Add Enhanced Generic Client Application (Multiple Servers)

Add a Enhanced generic client application (multiple servers) on this FTP trunk. Use all default settings except server settings which is shown in below screen shots.

On the Server Settings Tab, make sure you type fully qualified domain name of FTP server. In my test lab, I configured my domain controller as FTP server which is not best practice in production environment. This is only for demonstration purpose. On the Ports, Use 20,21,1024-65534, On the Executable type real path of FTP client installed in Windows 7 or Windows 8. In my case C:Program FilesFileZilla FTP ClientFileZilla.exe. Click Ok.

On the socket forwarding select basic.

On the Endpoint policy make sure other is set to always. Click Ok.

Activate the Trunk

Click File, Click Activate.

Wait for Activation to complete.

Open Command Prompt as an administrator. Type iisreset and hit enter.

Error and Warning:

Open a browser from Windows client, browse https://ftp.yourdomain.com and see the outcome. Make you sure FileZilla Client is installed in C:Program FilesFileZilla FTP Client location in Windows 7 or Windows 8. You may or may not receive warning depending on your client environment. To fix the warning open, UAG web monitor, Click Session monitor and select the FTP trunk, Click connected session, see endpoint information.

In my case I received “Your Computer does not meet the security policy requirements of this application” which says I don’t have any antivirus installed (Compliant antivirus not detected) but I have Symantec antivirus. Solution? Actually UAG is looking Microsoft security essentials in my computer. Work around is install Microsoft Security Essentials and turn on Windows firewall.

To avoid this issue, you can create a new endpoint policy. Click Configure on Trunk, Click Edit endpoint policies, Click Add policy.

Create a new policy allowing any antivirus, any firewall shown below screen shot. Click Ok.

Apply the policy into Endpoint Policy.

Again activate the trunk. run iisreset.

Testing FTP

Open browser, browse https://ftp.yourdomain.com

Click FTP to open FileZilla Client application. Once UAG component is installed. Type the ftp server name, username and password on ftp client to connect

Now go back to UAG web monitor. select FTP trunk, Go to Endpoint information, you will see client is compliant and connected.

Further Study

Publish FTP using TMG

Passive mode IIS 7.5 FTP

UAG Articles

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 8: Publish Application Specific Host Name using UAG 2010

3. UAG-KB2288900-v4.0.1269.200-ENU

How to Publish Application Specific Host Name using Pass Through Authentication in Forefront UAG 2010

Posted on December 3, 2013 by LM Publications

To avoid being caught into the following UAG events, follow the below procedure to create a correct Trunk and an Application in UAG 2010.

UAG Events:

Warning 58 “The requested URL is not associated with any configured application.”

Warning 51 Invalid Method

“A request from source IP address x.x.x.x, user on trunk Trunk Name; Secure=1 for application failed because the method used PUT is not valid for requested URL”

Solutions:

1. Bypass Active Directory authentication to allow application specific authentication.

Open Regedit>Go to HKLMSoftwareWhaleCome-GapvonURLFilter

Create a 32 Bit DWORD named KeepClientAuthHeader and set value to 1

Also make sure FullAuthPassThru value is set to 1.

2. Public Host Name in Trunk must be different then public host name in published application. The purpose of public host name in Trunk is to create the actual trunk. This public host name in Trunk will not be accessible from external network nor internal network. Why? simple reason without public host name, you can’t create a Trunk. Public host name in application is the Real FQDN which employee/roaming users will access from external network which means public IP will resolve the name of application public host name. Since public host name in Trunk and Public host name in application are different, when you activate this trunk and application, you will receive a certificate error which says your trunk FQDN doesn’t match with your certificate. As long as your certificate CN matches with application public host name you will be fine. If you don’t want to see this error then you can add a SAN certificate which has both Trunk public host name and application public host name. In my case I don’t mind the see that certificate warning, my Trunk and application public host name are as follows:

Trunk Public Host Name: Mobile.mydomain.com
Application Public Host Name: mymobile.mydomain.com

3. Correct URL Set

Name: MobilePortal_Rule1
Action: Accept
URL: /.*
Parameters: Ignore
Methods: PUT, POST, GET

Use the following steps to correctly publish mobile device, third party application implemented in IIS within a subdirectory.

Step1: Create a Separate Trunk for this Application

Before you begin, import certificate in UAG server. Certificate must be in .pfx format with private key. Open the Microsoft Management Console (MMC) which enables you to import a certificate into the IIS Certificate store.

Start Menu>Run>MMC
To import a certificate, in the MMC window, in the left pane, under Console Root, verify that Certificates (Local Computer) > Personal is selected.
From the Action menu, click All Tasks, and then click Import.
Follow the instructions in the Certificate Import Wizard.

In the Forefront UAG Management console, right-click HTTP Connections to create a trunk accessible over HTTP, or right-click HTTPS Connections to create a trunk accessible over HTTPS. Then click New Trunk.
On the Select Trunk Type page of the Create Trunk Wizard, click Portal trunk.
On the Setting the Trunk page of the Create Trunk Wizard, specify Trunk details. In my case I have the following:

i. Trunk Name: MobilePortal

ii. Public Host Name: Mobile.mydomain.com

iii. IP Address: Trunk IP (you must add additional IP address(s) in the TCP/IP properties of UAG external nic)

iv. Port: 443

On the Authentication page of the Create Trunk Wizard, I am going to add my domain controller but later stage I will remove the domain controller to make it application specific authentication not LDAP or AD. That means I will bypass AD authentication. For now select an authentication server that will be used to authenticate user requests for trunk sessions. Click Add to select a server, as follows:

In the Authentication and Authorization Servers dialog box, select a server and click Select. To add a new server to the list, click Add.
Select User selects from a server list to specify that during login to the trunk, users will be prompted to select an authentication server. If you configure one authentication server, users will authenticate to that server only. Select Show server names to allow users to select an authentication server from a list; otherwise, users must enter the server name. Select User provides credentials for each selected server to prompt users during login to authenticate to all the specified authentication servers. Select Use the same user name to specify that users must enter a single user name that will be used to authenticate to all specified servers.

On the Certificate page of the Create Trunk Wizard (HTTPS trunks only), select the server certificate that will be used to authenticate the Forefront UAG server to the remote endpoint.
On the Endpoint Security page of the Create Trunk Wizard, control access to trunk sessions by selecting policies that allow access, based on the health of client endpoints. Click Use Forefront UAG access policies to determine the health of endpoints using in-built Forefront UAG access policies.
Click Finish after completing the Trunk wizard.

Step2: Advanced Trunk Configuration

Click Configure Trunk. Click Endpoint Access Settings, Click Edit Endpoint Policies.

In this step, you will allow access of mobile phone and tablet. Microsoft UAG by default doesn’t allow mobile phone access. You need allow this access manually. Click Edit Endpoint Access Policies, Select Default Session Access, Click Edit, Click other, Select Always. Click Ok. Repeat the step for Default Privileged Endpoint, Default Web Application Access Policy, Default Web Application Upload, Default Web Application download.
Click Authentication Page, de-select require user to authenticate at session logon. By deselecting this option, you have created pass through authentication.

Click on the session tab, deselect disabled component installation and disable scripting for portal applications.

Click URL Set Tab, Scroll down to bottom of the page. On the mobile portal rule, select PUT, POST, GET. Click Ok. Adding PUT will resolve the following issue:

After completing the Create Trunk Wizard, in the Forefront UAG Management console, on the toolbar, click the Activate configuration icon on the toolbar, and then on the Activate configuration dialog box, click Activate.

Step3: Add an Application Specific Host Name for iPhone, Android and Tablet

1. In the Forefront UAG Management console, select the portal trunk to which you want to add the application. In the main trunk properties page, in the Applications area, click Add to open the Add Application Wizard.

2. On the Select Application page, Click Web, choose the application specific host name you want to publish.

3. On the Application Setup page, specify the name and type of the application.

4. On the Endpoint Security page, select the access policies for your application. Note that not all of the policies may be available for some published applications. You must verify that other device is allowed in Endpoint security. See Step11 in creating a Trunk.

5. On the Application Deployment page, specify whether you want to publish a single server or a Web farm.

6. On the Web Servers page, if you are publishing a Web application, on the Web Servers page, configure settings for the backend Web server that you want to publish. On the application requires paths, add more / as your path. This will allow any sub directories of application hosted in Microsoft IIS server. On the address, type the fully qualified domain name of the web application which will be accessible from external network.

7. On the Connectivity Verifier Settings page, if you are publishing a Web farm, specify how the state of Web farm members should be detected.

8. On the Authentication page, deselect SSO. By deselecting this option, you have created pass through authentication.

9. On the Portal Link page, specify how the application appears in the portal home page of the trunk. If you have subdirectory in IIS, specify correct URL. For example, in my case I have subdirectory like https:// mymobile.mydomain.com/mobile/ .Select premium and non-premium mobile portal.

10. Once done, Click Finish.

11. On the Trunk , On the initial application, Select Portal Home page, as MobilePortal.

Step4: Activating Trunk and Post Check.

1. On the console toolbar, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

2. This is the simple step, most of techie doesn’t do and end up being calling Microsoft Tech support. You have to do this step so that published application works. Open command prompt as an administrator, run iisreset /restart.

3. Once everything is configured correctly, you will receive the following event in UAG Web Monitor> Event Viewer

The application MobilePortal was accessed on trunk; Secure=1 with user name and session ID EDD953BD-CB79-4180-B811-F1A0F53DCB33.

Forefront UAG 2010 Patching Order

Posted on November 15, 2013 by LM Publications

I have written the following articles few weeks back. One thing I would like to add on to these articles is the patching order of Forefront UAG 2010.

You must have a base build Windows Server 2008 R2 SP1 with all Microsoft security and critical updates. you install the UAG from the this source Forefront_UAG_Server_2010_64Bit_English_w_SP1 with correct product key from Microsoft volume licensing center.

The following the order of patching UAG before you start configuring UAG.

1. TMG-KB2555840-amd64-ENU

2. TMG-KB2689195-amd64-GLB

4. UAG-KB2585140-v4.0.1773.10100-ENU

5. UAG-KB2710791-v4.0.2095.10000-ENU

6. UAG-KB2744025-v4.0.3123.10000-ENU

UAG Articles:

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

TrendMicro Worry-Free Business Advanced Configuration Step by Step

Posted on November 14, 2013 by LM Publications

Trend Micro Worry-Free Business Security (WFBS) protects business users and assets from data theft, identity theft, risky websites, and spam (Advanced only).

Trend Micro offers the following editions:

Standard: Designed to protect clients (desktops, portable computers, and servers) on your local network. This edition includes Outbreak Defence, Firewall, and Antivirus/Anti-spyware scanning. It also comes with technical support, malware/virus pattern file downloads, real-time scanning, and program updates for one year.

Advanced: Designed to protect clients and Microsoft Exchange servers on your network. In addition to all the features in Worry-Free Business Security Standard, this edition includes Anti-spam, Content Filtering, Data Loss Prevention, and Attachment Blocking.

Features worry-free business Features

Component Updates
Device Control
Antivirus/Anti-spyware
Firewall
Web Reputation
URL Filtering
Behavior Monitoring
User Tools
Instant Messaging Content
Filtering
Mail Scan (POP3)
Mail Scan (IMAP)
Anti-Spam (IMAP)
Email Message Content
Filtering
Email Message Data Loss Prevention
Attachment Blocking

TrendMicro Components:

Registration Key

A Registration Key comes with your purchase of Worry-Free Business Security. It has

22 characters (including hyphens) and is in the following format: xx-xxxx-xxxxx-xxxxx-xxxxx

Use a fully licensed Registration Key to register Worry-Free Business Security on the Trend Micro website at http://olr.trendmicro.com.

Security Server

At the center of Worry-Free Business Security is the Security Server. The Security Server hosts the web console, the centralized web-based management console for Worry-Free Business Security. Hosts the Web Console, downloads updates from the Trend Micro ActiveUpdate Server, collects and stores logs, and helps control virus/malware Outbreaks Manages all agents from a single location

Scan Server

The Security Server includes a service called Scan Server, which is automatically installed during Security Server installation. As such, there is no need to install it separately. The Scan Server runs under the process name iCRCService.exe and appears as Trend Micro Smart Scan Service from Microsoft Management Console.

Downloads scanning-specific components from Trend Micro and uses them to scan clients

Agents

Agents protect clients from security threats. Clients include desktops, servers, and Microsoft Exchange servers.

Security Agent Protects desktops and servers from security threats and intrusions Protects Windows 7/Vista/XP/Server 2003/Server 2008 computers from malware/viruses, spyware/grayware, Trojans, and other threats

Messaging Security Agent Protects Microsoft Exchange servers from email-borne security Threats

Web Console

The web console is the central point for monitoring clients throughout the corporate network. It comes with a set of default settings and values that you can configure based on your security requirements and specifications. The web console uses standard Internet technologies, such as Java, CGI, HTML, and HTTP.

WFBS Ports

WFBS uses the following ports:

• Server listening port (HTTP port): Used to access the Security Server. By default, WFBS uses one of the following:

• IIS server default website: The same port number as your HTTP server’s TCP port.

• IIS server virtual website: 8059

• Apache server: 8059

• Client listening port: A randomly generated port number through which the Security Agent and Messaging Security Agent receive commands from the Security Server.

Trend Micro Security (for Mac) Communication port: Used by the Trend Micro Security (for Mac) server to communicate with Mac clients. The default is port 61617.

SMTP port: Used by the Security Server to send reports and notifications to administrators through email. The default is port 25.

Proxy port: Used for connections through a proxy server.

Systems requirements:

1 vCPU, 2GB RAM, 10GB additional space
IIS 7.5 Windows Server 2008 R2
Internet Explorer
Adobe Acrobat
Java client
Clients that use Smart Scan must be in online mode. Offline clients cannot use Smart Scan
Administrator or Domain Administrator access on the computer hosting the
Security Server
File and printer sharing for Microsoft Networks installed
Transmission Control Protocol/Internet Protocol (TCP/IP) support installed
If Microsoft ISA Server or a proxy product is installed on the network, you need to open the HTTP port (8059 by default) and the SSL port (4343 by default) to allow access to the Web Console and to enable client-server communications

TrendMicro Download Location:

WFB 8.0

Download Center

Installation:

1. Double-click the SETUP.EXE file. The Trend Micro Installation screen appears.

2. Click Next. The License Agreement screen appears.

3. Read the license agreement. If you agree with the terms, select I accept the terms of the license agreement.

4. Click Next. The Setup Type screen appears.

5. From the Setup Type page, choose one of the following options:

Typical install (Recommended) – This provides an easy solution for installing WFBS using Trend Micro default values. This method is suitable for a small business using a single Trend Micro Security Server and up to ten clients.
Minimal Install
Custom install – This provides flexibility in implementing your network security strategy. This method is suitable if you have many computers and servers or multiple Exchange servers.

6. Click Next. The Product Activation page appears Note: If you do not have an Activation Code, you may not have registered your copy of WFBS yet. Click Register Online to open a new browser window.

7. Click Next. The Setup Overview page appears. The Setup Overview page shows the components that you need configure in order to install the Trend Micro Security Server and the Security Agent (as well as the Messaging Security Agent [MSA] if you are using WFBS Advanced).

8. Click Next. If you selected Custom Installation, the Select Target Folder page would appear. The default WFBS install folder is C:Program FilesTrend MicroSecurity Server. If you want to install WFBS in another folder, click Browse.

9. Click Next. The Select Components page appears.

10. Select the components that you want to install. For WFBS Advanced only: The Configure Security Server page now highlights the Security Server.

Security Server (default): The Security Server hosts the centralized web-based management console.
Security Agent (default): The agent protects desktops and servers.
Messaging Security Agent (optional): When installing the Security Server on a computer that has a Microsoft Exchange server installed on the same computer, Setup prompts you to install a local MSA.
Remote Messaging Security Agent (optional):When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote MSA to remote servers.

11. Configure the Security Server. The Security Server configuration tasks consist of pre-scanning the server for malware as well as configuring the web server and the proxy server.

12. Click Next. The Computer Prescan page appears.

13. Choose whether or not to pre-scan your computer for threats by selecting one of the following options:

Prescan my computer for threats– The prescan targets the most vulnerable areas of the computer, which include the following:

the boot area and boot directory (for boot sector viruses)
the Windows folder
the Program Files folder
Do not prescan my computer for threats – Trend Micro highly recommends pre-scanning your computer for security threats to ensure that the installation goes into a clean environment. Not pre-scanning the computer could prevent a successful installation.

14. Click Next. If you selected Custom Installation, the Web Server page would appear. Select a web server to host the Security Server web console. Choose one of the following:

Internet Information Services (IIS) server
Apache Web server 2.0.xx

15. Click Next. The Web Server Identification page appears.

16. Choose from one of the following server identification options for client-server communication:

Server information – Choose domain name or IP address:
Fully Qualified Domain Name – Use the web server’s domain name to ensure successful client-server communications.
IP address – Verify that the target server’s IP address is correct.

17. Click Next. The Administrator Account Password page appears.

18. Specify different passwords for the Security Server web console and the Security Agent.

Note: The password field holds 1-24 characters and is case sensitive.

Security Server web console – You will need a password to log on the web console. Provide the password and confirm the password.
Security Agents – You will need the password to uninstall Security Agents and remove them from your computer.

19. Click Next. The SMTP Server and Notification Recipient(s) page appears.

20. Enter the required information:

SMTP server – the IP address of your email server
Port – the port that the SMTP server uses for communications
Recipient(s) – the email address(es) that the SMTP server uses to send alert notifications. You can enter multiple email addresses when more than one person needs to receive notifications.

21. Click Next. The Trend Micro Smart Protection Network page appears.

22. Choose whether or not you want to participate in the Trend Micro Smart Protection Network feedback program.

23. Click Next. If you selected Custom Installation, the General Proxy Settings page would appear. The Configuring Security Agent page highlights the Security Agent.

Proxy server type
Server name or IP address
Port
User name and Password – Provide these only if the proxy server requires authentication.

24. Configure the Security Agent. The Security Agent configuration tasks consist of setting the agent installation path, configuring the agent’s server and desktop settings as well as the proxy server settings for additional services.

25. Click Next. If you selected Custom Installation, the Security Agent Installation Path page would appear.

26. Set the following items:

Installation Path – This is the destination folder where the Security Agent files are installed.
Security Agent Listening Port – This is the port number used for Security Agent and Security Server communications.

27. Click Next. If you selected Custom Installation, the Configuring Security Agents Settings page would appear.

28. You can configure Security Agent settings for Servers and Desktops: In each group, you can configure the following components:

Servers – Windows Server 2003/2008 computers will be added to the default Servers group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
Desktops – Windows XP/Vista/7 computers will be added to the default Desktops group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
Smart Scan – Smart Scan uses a central scan server on the network to take some of the burden of the scanning of clients.
Antivirus and Anti-Spyware – This scans files for malicious code as they are accessed or created.
Firewall – This protects clients against malware attacks and network viruses by creating a barrier between the clients and the network.
Web Reputation – This blocks malicious websites through the credibility of web domains and assigning a reputation score based on several identifying factors.
URL Filtering – This blocks specified categories of websites (for example, pornographic sites and social networking) according to your company’s policy.
Behavior Monitoring – This analyses program behaviour to proactively detect known and unknown threats.
Device Control – This regulates access to external storage devices and network resources.

29. Click Next. If you selected Custom Installation, the Proxy Setting for Additional Services page would appear. The Smart Scan, Web Reputation, and Behaviour Monitoring services use the proxy server address and port used by Internet Explorer on client computers. If that proxy server requires authentication, use this page to specify logon credentials.

30. For WFBS Advanced only: Configure the MSA. You will be prompted to install the MSA at one of the following points: Note: This procedure applies to both local and remote MSA installation.

When installing the Security Server on a computer that has Microsoft Exchange server installed on the same computer, Setup prompts you to install a local Messaging Security Agent.
When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote Messaging Security Agent to remote servers.

31. Click Next. The Install Messaging Security Agent page appears.

32. Provide the following information:

i. Exchange Server

ii. Domain Administrator Account

iii. Password

33. Click Next. If you selected Custom Installation, the Messaging Security Agent Settings page would appear. Configure the following:

Target Folder – This is the folder where the MSA files are installed.
Temp Folder – This is the system root folder for MSA Agent installation.
Spam management
End User Quarantine – If selected, WFBS creates a separate spam folder on Microsoft Outlook in addition to the Junk E-mail folder.
Outlook Junk Email folder – If selected, WFBS stores spam mail into this folder. Since Outlook typically moves spam mail in the End User Quarantine (EUQ) folder to the Junk E-mail folder, Trend Micro recommends to select this option.

35. Proceed with the installation process. The Start Copying Files page shows a summary of all the parameters that will be used during the installation of WFBS. Do one of the following:

If you wish to verify previous installation settings, click Back.
Click Next to proceed with the actual installation.

The Install Third Party Components page appears. This page informs you which third party components will be installed.

36. Click Next to start installing the selected components. The entire installation process may take some time to complete. During the installation, a status page will show the progress being made. When the Setup Wizard Complete screen appears, click Finish.

Installing the Client/Server Security Agent (CSA) or Security Agent (SA) using Remote Install

Log on to the WFBS console.
Click Security Settings > Add. The Add Computer page appears.
Under Computer Type section, choose Desktop or server.
Under Method section, choose Remote install.
Click Next. The Remote Install page appears.
From the Groups and Computers list, select the computer on which you will install the CSA and click Add. A prompt for a username and password appears. Note: You need an account with administrator rights for the installation.
Type the username and password of an account with administrator rights, and click Login. For the domain computers, use the Domain_NameUsername format; for workgroup computers, use the Target_Computer_NameLocal_Administrator_User_Name format.
The computer is added to the Selected Computers list.
Repeat Steps 6-7 if you want to add more computers to the list.
Click Install, and then click Yes when the confirmation window shows up. A progress screen will show the installation status, and the computer names will have a green check mark when the installation is complete.

Installing Agent for Exchange Server

The Messaging Security Agent (MSA) can also be installed from the Web Console.

1. Log on to the Web Console.

2. Click the Security Settings tab, and then click the Add button.

3. Under the Computer Type section, click Microsoft Exchange server.

4. Under Microsoft Exchange Server Information, type the following information:

• Server name: The name of the Microsoft Exchange server to which you want

to install MSA.

• Account: The built-in domain administrator user name.

• Password: The built-in domain administrator password.

5. Click Next. The Microsoft Exchange Server Settings screen appears.

6. Under Web Server Type, select the type of Web server that you want to install on

the Microsoft Exchange server. You can select either IIS Server or Apache Server.

7. For the Spam Management Type, End User Quarantine will be used.

8. Under Directories, change or accept the default target and shared directories for

the MSA installation. The default target and shared directories are C:Program

FilesTrend MicroMessaging Security Agent and C$, respectively.

9. Click Next. The Microsoft Exchange Server Settings screen appears again.

10. Verify that the Microsoft Exchange server settings that you specified in the

previous screens are correct, and then click Next to start the MSA installation.

11. To view the status of the MSA installation, click the Live Status tab.

Configure Smart Host for Outbound Email

1. Open the Exchange Management Console.

2. Click on the plus sign (+) next to Organization Configuration.

3. Select Hub Transport and click the Send Connectors tab.

4. Right-click the existing Send Connector then select Properties and go to the Network tab.

5. Select Route mail through the following smart hosts and click Add.

6. Select Fully Qualified Domain Name (FQDN)and specify the HES relay servers:

o HES US / Other Regions Relay Record: relay.sjc.mx.trendmicro.com

o HES Europe, Middle East, and Africa (EMEA) Relay Record: relay.mx.trendmicro.eu

7. Click OK.

8. Go to the Address Space tab and click Add.

9. Add an asterisk (*) and then click OK.

10. Click Apply > OK.

11. Go to the Source Server tab and add your Exchange Server.

12. Click Apply > OK.

Before you begin next step, make sure you have a valid public DNS and MX record configured and available via ping or nslookup. To find Out MX Record, follow the step or contact your ISP.

C:Usersraihan >nslookup

> set type=mx

> domainname.com.au

Non-authoritative answer:

domainanme.com.au MX preference = 20, mail exchanger = mx1.domainname.net.au

domainanem.com.au MX preference = 10, mail exchanger = mail.domainname.com.au

mx1.domainname.net.au internet address = 203.161.x.x

mail.domainname.com.au internet address = 116.212.x.x

Pinging domainname.com.au [203.161.x.x] with 32 bytes of data:

Registered Hosted Email Security

Firstly you’ll need to have registered with Trend Micro Online https://olr.trendmicro.com/registration/ .

Create service account (See upcoming post on creating a secure services account)

Open ActiveDirectory Users and Computers
Create a user sa-TrendMicroHE with password never expires

Open Hosted Email Security Web console

Visit the link that applies to your location
- For EMEA users: https://emailsec.trendmicro.eu
- For others: https://us.emailsec.trendmicro.com
Login with your details you setup in the online registration earlier and don’t forget to tick Log on with Trend Micro Online Registration user name and password

Register Your Domains with Trend Micro

1. Go to the Trend Micro Online Registration portal.

2. Create a new OLR account.

a. Under the “Not registered” section, select your country and language from the dropdown list, then click Continue.

Enter your HES Registration Key.

If you have other Trend Micro products or services you want to register, enter their Registration Keys and click Continue. Otherwise, click No. The License Terms page appears.

Select I Accept, then click Submit.

Complete the registration information form.

Specify your OLR logon ID.

Note: The OLR logon ID will also serve as your HES portal login ID.

Click Submit.

The next page will show your HES Activation Code (AC). This means that you have successfully registered HES. You will receive an email copy containing your Activation Code, username and temporary password.

3. Using the provided OLR username and password, log on to the HES console:

For US: https://us.emailsec.trendmicro.com/loginPage.imss

For EMEA: https://emailsec.trendmicro.eu/loginPage.imss

Note: Make sure that the Log on with Trend Micro Online Registration user name and password checkbox is ticked.

4. Enter your domain and IP information, then click Add Domain.

5. Once your managed domain list is complete, tick the checkbox beside your managed domain and click Submit.

6. Wait for your confirmation email. This will take 48 hours at most. The confirmation email will guide you through the final steps needed before starting the service.

Navigate to Administration > Domain Management

All the fields are pretty much self-explanatory, except for Seats assigned: 1 (no need to use more)
Click Activate Domain
Now this you would think would be it, except it goes to the list below which you then need to check the tick box of the domain and then Click Check MX Record

Download the ActiveDirectory Sync Client

Navigate to Administration > Directory Management

Click Imported User Directories so it becomes Enabled with a green tick
Navigate to Administration > Web Services

Click on the Applications bar so it get’s a Green Tick as above
Click on Generate Service Authentication Key, copy this key for use later in the setup
Click and download the ActiveDirectory Sync Client

Install the ActiveDirectory Sync Client

http://esupport.trendmicro.com.au/solution/en-us/1059663.aspx

http://esupport.trendmicro.com.au/solution/en-us/1060411.aspx

1. Extract the ActiveDirectory Sync Client file and run setup.exe

2. Usual I agree, next, next stuff

3. Then you’ll need your DOMAIN, the user will be the sa-TrendMicroHE we created earlier along with it’s password.

4. Click Next

5. Leave installation path as is, and change to install for Everyone

6. Click Next

7. Click Next

8. Click Close when finish

9. The ActiveDirectory Sync Client will then open

10. For the source paths you’ll need to enter the LDAP source paths for your server where users and groups are located to get you start some defaults are (don’t forget to change it to <yourdomain>)

LDAP://OU=Users,,OU=CompanyName,DC=<yourdomain>,DC=com

11. Click Add

LDAP://OU=Distribution Groups, OU=companyname,DC=<yourdomain>,DC=com

12. Click Add

13. Click Configure

Username: as per web login
Service Auth Key: as the key we copied earlier from the web console under Administration> Web Services
Proxy: leave as automatic unless your network requires otherwise
Synchronize: leave at 1

14. Click OK

15. Click Apply

16. This will restart the service

Amend ClientMHS_AD_ACL.config

1. Open C:Program Files (x86)Trend MicroHosted Email Security ActiveDirectory Sync ClientIMHS_AD_ACL.config in notepad

2. Installed Config file looks like this:

<?xml version=”1.0″ encoding=”utf-8″?>
<ad_acl>
<ldap_path name=”default”>
<objectClass name=”User”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
</ad_acl>

3. Change the following to add groups and public folders. Ref

<?xml version=”1.0″ encoding=”utf-8″?>

<ad_acl>

<ldap_path name=”default”>

<displayNameAttr>displayName</displayNameAttr>

<emailAttr>proxyAddresses</emailAttr>

</objectClass>

</ldap_path>

<ldap_path name=”default”>

<displayNameAttr>displayName</displayNameAttr>

<emailAttr>proxyAddresses</emailAttr>

</objectClass>

</ldap_path>

<ldap_path name=”default”>

<displayNameAttr>displayName</displayNameAttr>

<emailAttr>proxyAddresses</emailAttr>

</objectClass>

</ldap_path>

<ldap_path name=”default”>

<displayNameAttr>displayName</displayNameAttr>

<emailAttr>proxyAddresses</emailAttr>

</objectClass>

</ldap_path>

</ad_acl>

4. Save this (you’ll need to save to desktop then move it back over the original file, otherwise it will Access Denied) and return the the ActiveDirectory Sync Client

5. Click Sync Now

6. Give it a few moments then click History

7. Here you should see the correct number of groups and users you expect. Check the times are correct for when you’ve pressed. And it should finish with Sync domain <yourdomain.com> successful

8. Click Close

9. Click Close

Post Configuration Check

open the Hosted Email Security Console
Navigate to Administration > Directory Management
Click the Export to CSV for the domain you’re wanting to check
This will generate a CSV file, which you can use notepad to check that all your email addresses have synced

Worry Free Business Files and Folder Exclusion

Worry-Free Business Best Practice

Replace Common Name (CN) and SAN Certificates with Wild Card Certificate— Step by Step

Posted on October 8, 2013 by LM Publications

If you have a Common Name certificate or Subject Alternative Name certificate in Exchange webmail or other website and you would like to change that to wild card certificate to consolidate your certificate uses in wide variety of infrastructure and save money. You can do so safely with a minor downtime with no or little loss of productivity.

Microsoft accept certified SSL provider which are recorded in this url http://support.microsoft.com/kb/929395/en-us

Here is a guide lines how to accomplish this objective.

Step1: Check Current Exchange SSL Certificate

Open Exchange Management Shell and Issue Get-ExchangeCertificate Command. Record the information for future reference.

Step2: Record Proposed Exchange SSL Wildcard Certificate

Common Name: *.yourdomain.com.au
SAN: N/A
Organisation: Your Company
Department: ICT
City: Perth
State: WA
Country: Australia
Key Size: 2048

Step3: Generate a wildcard certificate request

You can use https://www.digicert.com/easy-csr/exchange2007.htm to generate a certificate command for exchange server.

New-ExchangeCertificate -GenerateRequest -Path c:star_your_company.csr -KeySize 2048 -SubjectName “c=AU, s=Western Australia, l=Perth, o=Your Company, ou=ICT, cn=*.yourdomain.com.au” -PrivateKeyExportable $True

Step4: Sign the certificate request and download SSL certificate in PKCS#7 format

For more information, you can go to help file of your certificate provider. But for example I am using rapidSSL. Reference https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO14293&actp=search&viewlocale=en_US&searchid=1380764656808

1. Click https://products.geotrust.com/geocenter/reissuance/reissue.do

2. Provide the common name, technical contact e-mail address associated with the SSL order,
and the image number generated from the Geotrust User Authentication page.

3. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address specified above.

4. Click on the link listed in the e-mail to enter the User Portal Click View Certificate Information. Select the appropriate PKCS#7 or X.509 format from the drop down menu depending on the server requirements. NOTE: Microsoft IIS users select PKCS#7 format and save the file with .p7b extension.

5. Save the certificate locally and install per the server software.

Step5: Locate and Disable the Existing CA certificate

Now this step is a disruptive step for webmail. You must do it after hours.

1. Create a Certificate Snap-In in Microsoft Management Console (MMC) by following the steps from this link: SO14292

2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.

3. Locate the following certificate in the MMC: If this certificate is present, it must be disabled. Right click the certificate, Select Properties

4. In the Certificate purposes section, select Disable all purposes for this certificate
Click OK to close the MMC without saving the console settings.

Step6: Install Certificate

To install a SSL certificate onto Microsoft Exchange, you will need to use the Exchange
Management Shell (EMS). Microsoft reference http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx

1. Copy the SSL certificate file, for example newcert.p7b and save it to C: on your Exchange server.

2. Run the Import-ExchangeCertificate and Enable-ExchangeCertificate commands together. For Example

Import-ExchangeCertificate -Path C:newcert.p7b | Enable-ExchangeCertificate –Services “SMTP, IMAP, POP, IIS”

3. Verify that your certificate is enabled by running the Get-ExchangeCertificate command.

For Example Get-ExchangeCertificate -DomainName yourdomain.com.au

4. In the Services column, letters SIP and W stand for SMTP, IMAP, POP3 and Web (IIS). If your certificate isn’t properly enabled, you can re-run the Enable-ExchangeCertificate command by pasting the thumbprint of your certificate as the -ThumbPrint argument such as: Enable-ExchangeCertificate -ThumbPrint [paste] -Services ” IIS”

Step7: Configure Outlook settings

Microsoft reference http://technet.microsoft.com/en-us/library/cc535023(v=exchg.80).aspx

To use the Exchange Management Shell to configure Autodiscover settings by using the Set-OutlookProvider cmdlet if you are using Exchange 2007.

Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.yourdomain.com.au

To change Outlook 2007 connection settings to resolve a certificate error

1. In Outlook 2007, on the Tools menu, click Account Settings.

2. Select your e-mail address listed under Name, and then click Change.

3. Click More Settings. On the Connection tab, click Exchange Proxy Settings.

4. Select the Connect using SSL only check box.

5. Select the Only connect to proxy servers that have this principal name in their certificate: check box, and then, in the box that follows, enter msstd:*.yourdomain.com.au.

6. Click OK, and then click OK again.

7. Click Next. Click Finish. Click Close.

8. The new setting will take effect after you exit Outlook and open it again.

Step8: Export Certificate from Exchange in .pfx format

The following Step8 to Step 10 is for Forefront TMG 2010 configuration only. If you are using different method to publish Exchange then you don’t need to follow these steps. Use help file of your firewall/Edge product to configure SSL.

Open Exchange Management Shell, run

Export-ExchangeCertificate -Thumbprint D6AF8C39D409B015A273571AE4AD8F48769C61DB

010e -BinaryEncoded:$true -Path c:certificatesexport.pfx -Password:(Get-Credential).password

Step9: Import certificate in TMG 2010

1.Click Start and select Run and tape mmc
2.Click on the File menu and select   Add/Remove Snap in
3.Click Add, select Certificates among the list of   Standalone Snap-in and click   Add
4.Choose   Computer Account and click   Next
5.Choose   Local Computer and click   Finish
6.Close the window and click OK on the upper window
7.Go to Personal then Certificates
8.Right click, choose All tasks then Import
9.A wizard opens. Select the file holding the certificate you want to import.
10.Then validate the choices by default
11.Make sure your certificate appears in the list and that the intermediary and root certificates are in their respective files. If not, place them in the appropriate file and replace existing certificates if needed.

Step10: Replace Certificate in Web Listener

1. click Start Forefront Threat Management Gateway console. The Forefront TMG console starts.

2. In the console tree, expand the name of your Security Server, and then click Firewall Policy.

3. In the results pane, double-click Remote Web Workplace Publishing Rule.

4. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.

5. Select External Web Listener from the list, and then click Properties.

6. In External Web Listener Properties, click the Certificates tab.

7. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.

8. In the Select Certificate dialog box, click a certificate in the list of available certificates, and then click Select. Click OK twice to close the Properties dialog boxes.

9. To save changes and update the configuration, in the results pane, click Apply.

Step11: Test OWA from external and internal network

On the mobile phone, open browser, type webmail.yourdomain.com.au and log in using credential.

Make sure no certificate warning shows on IE.

Use the RapidSSL Installation Checker https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO9556 to verify your certificate.

Relevant References

Request an Internet Server Certificate (IIS 7)

Using wildcard certificates

Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Posted on September 19, 2013 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Step1: Configure the SharePoint server

1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.

2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.

4. On the Alternate Access Mappings page, click Edit Public URLs.

7. When you have finished, click Save.

8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:

10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.

Step2: Create a New trunk

Right Click on HTTPS Application, Click New Trunk, Select Portal Trunk, Click Next

Type SharePoint 2010 on the Trunk Name, Type FQDN of SharePoint, Type IP address of external NIC, Click Next

On the Authentication Page, Click Add, Select DC, Click Next

Select SharePoint.xman.com.au certificate from drop down, Click Next. Don’t worry about certificate screen shot. this is a test environment.

Select Use Forefront UAG Access Policies, Click Next

Select Default and Click Next

Click Finish.

Step3: add SharePoint web applications to the trunk.

In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.

On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.

On the Web Servers page, do the following:

In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.

In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.

In the Public host name box, enter a public host name of your choice for the SharePoint web application.

On the Authentication page, do the following:

To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.

On the Portal Link page of the wizard, if required, configure the portal link for the application.

If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.

When you have completed the wizard, click Finish.

The Add Application Wizard closes, and the application that you defined appears in the Applications list.

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.

Step4: Configure Mobile devices Access for SharePoint

1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.

2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.

3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.

4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.

Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Posted on September 19, 2013 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

When you create a Forefront Unified Access Gateway (UAG) HTTPS portal trunk, only HTTPS requests that arrive at the Forefront UAG are handled by the trunk. This topic describes how to create a redirect trunk to automatically redirect HTTP requests made by remote endpoints to the HTTPS trunk.

Web Sites	Inbound Requested Port	Request Redirected To
RDS.xman.com.au	80	443
ftp.xman.com.au	80	443
webmail.xman.com.au	80	443
sharepoint.xman.com.au	80	443

Step1: Before you create a redirect trunk, note the following:

1. Make sure that you have already created the HTTPS trunk to which you want to redirect HTTP requests.

2. Make sure you define all the parameters of the HTTPS Connections trunk before you create the redirect trunk, including the definitions you make in the Forefront UAG Management console after completing the New Trunk Wizard.

If at a later stage, you change the IP address or port number of the HTTPS Connections trunk, do one of the following:

1. Update the IP address or port number manually in the relevant redirect trunk.

2. Delete the existing redirect trunk and create a new one.

3. Redirect trunks are not monitored by the Forefront UAG Web Monitor.

4. Sessions in redirect trunks are not calculated in the session count of Forefront UAG. When an HTTP session is redirected to HTTPS via a redirect trunk, it is only counted as one HTTPS session.

Step2: create a redirect trunk

1. In the Forefront UAG Management console, in the left navigation tree, right-click HTTP Connections, and then select New Trunk.

2. In the Create Trunk Wizard, select HTTP to HTTPS redirection, and then click Next.

3. All HTTPS trunks for which no redirect trunk exists are listed.

4. Select the HTTPS trunk to which you want to redirect HTTP requests, and then click Finish.

5. A new trunk with the same name as the HTTPS trunk you selected is created in the left navigation tree.

6. HTTP requests that arrive at the external Web site that is defined for this trunk are redirected to the HTTPS trunk you selected in the wizard.

Publish Exchange Server 2010 using Forefront UAG 2010 Step by Step

Posted on September 19, 2013 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Step1: configure Exchange to use basic authentication

1. Start the Exchange Management Console.

2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.

3. Select your Client Access server, and then on the Outlook Web Access (or Outlook Web App) tab, select owa (Default Web Site).

4. In the Actions pane, under owa (Default Web Site), click Properties.

5. On the Authentication tab, click Use one or more of the following standard authentication methods, make sure that only the Basic authentication (password is sent in clear text) check box is selected, and then click OK.

Step2: publish Outlook Web Access on a Forefront UAG portal

Right Click on HTTPS Connections, Click New Trunk, Click Next

Select Portal Trunk and Publish Exchange Applications via portal, Click Next

Type the name of the trunk, type the name of the public host name i.e. FQDN of webmail. Click Next

Click Add on the Authentication page, Type the name of the domain Controller, Click Ok.

Type the service account which will talk to DC from UAG, Click Ok

Select the DC, Click Select. Leave rest of the settings as is. Click Next

Select the certificate which is issued by public certificate authority, exported from mail server and imported to UAG server. Click Next. Don’t worry about certificate screen shot. this is a test environment.

Select Use Forefront UAG Access Policies, Click Next. Don’t worry about the certificate shown in above screen shot. This is a test environment. In production environment, common name of the certificate will be webmail.xman.com.au

Select Default and Click next

Select OWA, Anywhere and ActiveSync, Select Exchange version from drop down menu, Click Next

Type the name of the application, Click next

Select default and click next

On the Deploying an Application page of the wizard, choose whether to publish a single Exchange Client Access server or a farm of load-balanced Exchange Client Access servers.

Click Configure an application server, Click Next

On the Web Servers page of the wizard:

In the Addresses list, enter the IP address or host name of the Client Access server.

In the Public host name box, enter the public host name for this application. The public host name must match the FQDN in the certificate. The public host name can be the same as the public host name of the trunk, if required.

On the Authentication page of the wizard, select an authentication server to authenticate users to the application, and click 401 request.

On the Outlook Anywhere Page, Select basic Authentication, Click next

On the Portal Link page of the wizard, configure the portal link for the application.

If you are publishing Exchange 2013 or Exchange 2010 and OWA is not the initial portal application, make sure that the Open in a new window check box is selected.

On the Authorization page of the wizard, select which users are authorized to access this application.

On the Completing the Add Application Wizard page of the wizard, click Finish.

Once configured, you will see the following screen.

If you want to define the Outlook Web Access application as the portal home page, in the Forefront UAG Management console, in the Initial application list, click the application that you added in this procedure.

To apply the Outlook Web Access look and feel to the Forefront UAG user interaction pages, in the Forefront UAG Management console, next to Configure trunk settings, click Configure, click the Authentication tab, and then select the Apply an Outlook Web Access look and feel check box. Confirm the changes to the logon settings, and then click OK.

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

Publishing Remote Desktop Services Using Forefront UAG 2010 Step by Step

Posted on September 19, 2013 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

The following procedures describe how to export RemoteApp settings from RDS, and then publish RemoteApps and import the RemoteApp settings, via Forefront Unified Access Gateway (UAG).

Step1: Exporting RemoteApp settings from RDS

Before you can publish RemoteApp applications, you must export RemoteApp settings from RDS.

1. On the RD Session Host server, click Start, click Administrative Tools, click Remote Desktop Services, and then click RemoteApp Manager.

2. Ensure that the RemoteApp Programs list contains the programs that you want to provide to end users.

3. In the Actions pane, click Export RemoteApp Settings.

4. Click Export the RemoteApp Programs list and settings to a file, and then click OK.

5. Specify a location to save the .tspub file, and then click Save.

Step2: Publishing RemoteApps and importing RemoteApp settings

This procedure describes how to publish RemoteApps via Forefront UAG, and import RemoteApp settings during the publishing process.

1. In the Forefront UAG Management console, select the portal in which you want to publish RemoteApp applications. In the Applications area of the main portal properties page, click Add. The Add Application Wizard opens.

2. On the Select Application page of the wizard, select Terminal Services (TS)/Remote Desktop Services (RDS). In the list, select RemoteApp.

3. On the Configure Application page of the wizard, enter a name for the RemoteApp application.

4. On the Select Endpoint Policies page of the wizard, do the following:

5. In Access policy, select a Forefront UAG policy with which endpoints must comply in order to access the published RemoteApps in the portal. In Printers, Clipboard, and Drives, select access policies with which endpoints must comply in order to access these local resources during remote desktop sessions.

6. To enable single sign-on for the session, select the Use RDS Single Sign-On (SSO) Services check box.

7. If the trunk through which you are publishing the RemoteApp applications uses Network Access Protection (NAP) policies, and you have a Network Policy Server (NPS) configured, do the following:

8. Select Require Network Access Protection (NAP) compliance, to specify that only endpoints that comply with NAP policy can access published RemoteApps.

9. Select Require NAP compliance for RDS device redirection only, to specify that only endpoints that comply with NAP policy can access devices and resources on RDS servers, such as drives, printers, and the clipboard. Access to other resources and applications on RDS servers does not require NAP compliance.

10. Select Do not require NAP compliance, if you do not require clients to use NAP to access the published RemoteApps.

11. On the Import RemoteApp Programs page of the wizard, do the following:

12. In File to import, specify the location of the exported .tspub file, or click Browse to locate the file.

13. In RD Session Host or RD Connection Broker, specify the name of an RD Session Host (if different from that specified in the imported settings file), or the name of the RD Connection Broker server.

14. If you are using an RD Connection Broker server, in IP addresses, IP address ranges, FQDNs, or subnets, add the names of all RD Session Hosts that might be used by the RD Connection Broker. To specify multiple servers, use an IP address range or subnet.

15. On the Select Publishing Type page of the wizard, in the Available RemoteApps list, double-click each RemoteApp that you want to publish via Forefront UAG, to add it to the Published RemoteApps list. The list of available RemoteApps is retrieved from the imported .tspub file.

16. On the Configure Client Settings page of the wizard, specify how RemoteApps should be displayed. You can set a display resolution and color, or select to use display settings retrieved from the imported .tspub file.

17. Complete the Add Application Wizard.

Install and Configure Forefront UAG 2010 Step by Step

Posted on September 19, 2013 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Forefront UAG Overview:

Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
Easily integrates with Active Directory and enables a variety of strong authentication methods.
Limits exposure and prevent data leakage to unmanaged endpoints.

Assumptions:

The following servers is installed and configured in a test environment.

Systems Requirements:

Option	Description
Virtual Machine Name	DC1TVUAG01
Memory	8GB
vCPU	1
Hard Disk 1	50GB
Hard Disk 2	50GB
Network Adapter	2
Guest Operating System	Windows Server 2008 R2
Service Pack Level	SP1

Software Requirement:

Version	Microsoft Forefront Unified Access Gateway 2010
Service Pack Level	SP3

Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:

Microsoft .NET Framework 3.5 SP1
Windows Web Services API
Windows Update
Microsoft Windows Installer 4.5
SQL Server Express 2005
Forefront TMG is installed as a firewall during Forefront UAG setup
The Windows Server 2008 R2 DirectAccess component is automatically installed.

The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.

Network Policy Server
Routing and Remote Access Services
Active Directory Lightweight Directory Services Tools
Message Queuing Services
Web Server (IIS) Tools
Network Load Balancing Tools
Windows PowerShell

Supported Browser Clients:

Browser

Features

Firefox

Endpoint Session CleanupEndpoint detectionSSL Application TunnelingEndpoint Quarantine Enforcement

Internet Explorer

Endpoint Session CleanupEndpoint detectionSSL Application TunnelingSocket Forwarding

SSL Network Tunneling (Network Connector)

Endpoint Quarantine Enforcement

Supported Mobile Devices:

Device Name	Features
Windows Phone	Premium mobile portal
iOS: 4.x and 5.x on iPhone and iPad	Premium mobile portal
Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0	Premium mobile portal

Service Account for Active Directory Authentication:

Service Account	Privileges	Password
xmanSA-FUAG	Domain Users	Password set to never expired

Domain Joined Forefront UAG:

The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.

Add the server to an array of Forefront UAG servers at a later date.
Configure the server as a Forefront UAG DirectAccess server at a later date.
Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
Publish the File Access application via a Forefront UAG trunk.
Provide remote clients with access to the internal corporate network using SSTP.

Antivirus Exclusion:

Version

Paths

Processes

Forefront UAG 2010

UAG installation folder (may be changed during installation)
%ProgramFiles%Microsoft Forefront Unified Access Gateway

Forefront UAG DNS-ALG Service
%ProgramFiles%Microsoft Forefront Unified Access GatewayDnsAlgSrv.exeForefront UAG Monitoring Manager
%ProgramFiles%Microsoft Forefront Unified Access GatewayMonitorMgrCom.exeForefront UAG Session Manager
%ProgramFiles%Microsoft Forefront Unified Access GatewaySessionMgrCom.exeForefront UAG File Sharing
%ProgramFiles%Microsoft Forefront Unified Access GatewayShareAccess.exe

Forefront UAG Quarantine Enforcement Server
%ProgramFiles%Microsoft Forefront Unified Access Gatewayuagqessvc.exe

Forefront UAG Terminal Services RDP Data
%ProgramFiles%Microsoft Forefront Unified Access Gatewayuagrdpsvc.exe

Forefront UAG User Manager
%ProgramFiles%Microsoft Forefront Unified Access GatewayUserMgrCom.exe

Forefront UAG Watch Dog Service
%ProgramFiles%Microsoft Forefront Unified Access GatewayWatchDogSrv.exe

Forefront UAG Log Server
%ProgramFiles%Microsoft Forefront Unified Access Gatewaywhlerrsrv.exe

Forefront UAG SSL Network Tunneling Server
%ProgramFiles%Microsoft Forefront Unified Access Gatewaywhlios.exe

Forefront UAG Placement:

The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

There are advantages to place the Forefront UAG server between a frontend and backend firewall, as follows:

Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
Integrity of the content in the corporate network is retained.
Securely publish backend applications and access infrastructure servers, such as authentication servers, as required.
Hide corporate network infrastructure from perimeter and external threat.

Scenario#1

Perimeter Port Requirement:

To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:

HTTP traffic (port 80)
HTTPS traffic (port 443)
FTP Traffic (Port 21)
RDP Traffic (Port 3389)

Backend Port Requirement

Since XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purpose.

Infrastructure server	Protocol	Port	Direction
Domain controller	Microsoft-DS traffic	TCP 445UDP 445	From UAG to DC
	Kerberos authentication	TCP 88UDP 88	From UAG to DC
	LDAP	TCP 389UDP 389	From UAG to DC
	LDAPS	TCP 636UDP 636	From UAG to DC
	LDAP to GC	TCP 3268UDP 3268	From UAG to DC
	LDAPS to GC	TCP 3269UCP 3269	From UAG to DC
	DNS	TCP 53UDP 53	From UAG to DC
Exchange, SharePoint, RDS	HTTPS	TCP 443	From external to internal server
FTP	FTP	TCP 21	From external to internal server

Scenario#2

In this scenario no NAT or internal firewall rules are needed but not a best practice and not a great firewall design.

UAG Network Configuration

· First in Order- UAG internal adapter connected to the trusted network.

· Second in Order- UAG external adapter connected to the untrusted network.

The following are the network configuration for UAG server.

Option

IP Address

Subnet

Default Gateway

DNS

Internal Network

10.10.10.2

255.255.255.0

Not required

10.10.10.1

External Network

192.168.1.1192.168.1.2192.168.1.3

192.168.1.4

192.168.1.5

255.255.255.0

192.168.1.254

Not required

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:

UAG adapter connected to the trusted network: Internal Network
UAG adapter connected to the untrusted network: External Network

Configuration Step 2 – Configure Network Adapters:

Internal Network Adapter

Default Gateway should not be defined
DNS Servers should be defined
Client for Microsoft Networks binding – Enabled
File and Print Sharing for Microsoft Networks binding – Enabled
Register this connection’s address in DNS – Enabled
Enable LMHOSTS Lookup – Disabled
NetBIOS over TCP/IP – Default

External Network Adapter

Default Gateway should be defined
DNS Servers should not be defined
Client for Microsoft Networks binding – Disabled
File and Print Sharing for Microsoft Networks binding – Disabled
Register this connection’s address in DNS – Disabled
Enable LMHOSTS Lookup – Disabled
NetBIOS over TCP/IP – Disabled

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

Configuration Step 4 – Run the UAG Network Interfaces Wizard:

You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:

Purpose	Public Host Name	Public IP Address
Exchange	webmail.xman.com.au	203.17.x.x
SharePoint	sharepoint.xman.com.au	203.17.x.x
RDS	remote.xman.com.au	203.17.x.x
FTP	ftp.xman.com.au	203.17.x.x

Scenario#1 Firewall Rules consideration

External NAT Rules

The following NAT rules will be added into perimeter network to publish application and services through Forefront UAG.

Rule(s)	Description	Source IP	Public IP Address (Destination IP Address)	Port	NAT Destination
1	Exchange	Any	203.17.x.x	443	192.168.1.2
2	SharePoint	Any	203.17.x.x	443	192.168.1.3
4	RDS	Any	203.17.x.x	443	192.168.1.4
5	FTP	Any	203.17.x.x	21	192.168.1.5

Internal Firewall Rules

The following firewall rules will be added into internal network firewall to allow communication from UAG server to application servers and domain controller:

Rule(s)	Description	Source IP	Port TCP & UDP	Destination
1	Exchange	10.10.10.2	TCP 443	10.10.10.3
2	SharePoint	10.10.10.2	TCP 443	10.10.10.4
4	RDS	10.10.10.2	TCP 443	10.10.10.5
5	FTP	10.10.10.2	TCP 21	10.10.10.6
6	Client	10.10.12.0/24	TCP 443 TCP 21	10.10.10.2
7	Domain Controller	10.10.10.2	445, 88, 53 389, 636 3268, 3296	10.10.10.1

Understanding Certificates requirements:

Launch Certificate Manager

1. Click to open the Certificate Manager Microsoft Management Console (MMC). Using Certificate Manager, you can import a certificate into the IIS Certificate store, as follows:

2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.

3. Follow the instructions in the Certificate Import Wizard.

Common Name	Subject Alternative Name	Certificate Issuer
RDS.xman.com.au	–	Verisign/Digicert
webmail.xman.com.au	autodiscover.xman.com.au	Verisign/Digicert
ftp.xman.com.au	–	Verisign/Digicert
sharepoint.xman.com.au	–	Verisign/Digicert

Understanding Properties of Trunk

Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
IP address: Specify the external IP address used to reach the published Web application or portal.
Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
HTTP/HTTPS port: Specify the port for the external Web site.

UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following topics describe a list of trunks and its advanced configuration.

Trunk Name	Public Host Name	HTTPS Port	External IP Address	Authentication Server(s)
Exchange	webmail.xman.com.au	443	192.168.1.2	DC1TVDC01
SharePoint	sharepoint.xman.com.au	433	192.168.1.3	DC1TVDC01
RDS	remote.xman.com.au	443	192.168.1.4	DC1TVDC01
FTP	ftp.xman.com.au	21	192.168.1.5	DC1TVDC01

Advanced Trunk Configuration for SharePoint: The following changes should be made in advanced trunk configuration to allow mobile devices to communicate with UAG server for rich application:

URL List	Methods	Allow Rich Content
InternalSite_Rule54	HEAD	Checked
SharePoint14AAM_Rule47	HEAD	Checked

Published Applications and Services:

Install Forefront UAG:

Insert the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to a Hyper-V server as media, and run Setup from the Forefront UAG folder.

On the Welcome page of Setup, do the following:

Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.

Restart the Server.

Initial Configuration Using Getting Started Wizard

Before you run the initial configuration, you must patch the UAG with an order described in this article . To patch UAG, open command prompt using run as Administrator. Go to the location where you saved all the service packs and patches. Run one by one. Note that if you do not run the setup as an administrator setup will roll back and fail because it cannot modify registry.

In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

On the Define Network Adapter Settings page, in the Adapter name list do the following:

After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:

If you are running Forefront UAG on a single server, click Single server.

Configure Remote Desktop (RDP) to Forefront UAG

After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:

Ensure that remote desktop is enabled on the Forefront UAG server.

Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.

To do this, open the Forefront TMG Management console from the Start menu.

1. In the console tree, click the Firewall Policy node. Right Click New, Click Access Policy, Type Name: RDP Access Policy.

2. On the Rule Action, Click Allow, Click Next

3. On the Selected Protocols, Click Add, Select RDP Server from all protocol, Click Next

4. On the Source tab, Click New, Click new, Click Computer, Add name and IP address of the computer, Click next

5. On the destination page, Click new, Click computer, add name and IP address of UAG server, Click Next, Click Finish and Apply changes.

Publish Exchange Server 2010 using Forefront UAG 2010 Step by Step

Posted on September 19, 2013 by LM Publications

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 8: Publish Application Specific Host Name using UAG 2010