Experience Mobile (iPhone & Android) Browsing with Forefront UAG

If you are scratching your head over how to grant iPhone and tablet users access to a website published via Forefront UAG, there is a way to achieve it. But before I explain how, let’s revisit how UAG endpoint compliance works.

By default UAG checks the compliance of every endpoint device. If you do not allow all endpoint devices in the UAG trunk, the device will be blocked due to a policy violation. Since the release of UAG SP3, mobile devices are identified as “Other” in the UAG endpoint policy. “Other” includes iPhone, iPad, Android phones and tablets. Surprisingly, I found that UAG also blocks Windows 8 mobile phones unless you allow them explicitly in the endpoint policy.

When an endpoint device connects to the trunk portal or a published website, UAG automatically checks the Default Session Access and Default Web Application Access policies. For FTP and similar applications, UAG also checks the Default Web Application Upload and Default Web Application Download policies. You need to tweak a few settings in the trunk properties and the application properties to make this work.

Let’s begin with the trunk properties. Log on to the UAG server with administrative credentials and open the UAG Management Console.

Step 1: Advanced Trunk Configuration

  1. Select the trunk where you publish the application, and in the Trunk Configuration area, click Configure.
  2. On the Advanced Trunk Configuration dialog box, click the Endpoint Access Settings tab.
  3. On the Endpoint Access Settings tab, click Edit Endpoint Policies.
  4. On the Manage Policies and Expressions dialog box, click the Default Session Access policy, and then click Edit Policy.
  5. On the Policy Editor dialog box, under Select platform-specific policies, in the Other drop-down list, click Always, and then click OK.
  6. On the Manage Policies and Expressions dialog box, click the Default Web Application Access policy, and then click Edit Policy.
  7. On the Policy Editor dialog box, under Select platform-specific policies, in the Other drop-down list, click Always, and then click OK.
  8. Repeat steps 4 to 7 for all the required policies. For example, for FTP policies, perform steps 4 to 7 for the Default Web Application Upload and Default Web Application Download policies.
  9. On the Manage Policies and Expressions dialog box, click Close.
  10. On the Advanced Trunk Configuration dialog box, click OK.
  11. Activate the configuration and wait for activation to complete. Note that it takes a few minutes.
  12. Open an elevated command prompt using the Run as administrator option. Type iisreset and press Enter.

Step 2: Allow Premium Mobile Portal

  1. Select the application you published through the trunk you configured in the previous steps. In the Applications area, click the required application, and then click Edit.
  2. On the Application Properties dialog box, click the Portal tab.
  3. On the Portal tab, select the Premium mobile portal and Non-premium mobile portal check boxes.
  4. On the Application Properties dialog box, click OK.
  5. Activate the configuration and wait for activation to complete. Note that it takes a few minutes.
  6. Open an elevated command prompt using the Run as administrator option. Type iisreset and press Enter.

Step 3: Test Mobile Devices

  1. Browse to the published website from a Windows Phone or iPhone.
  2. Open the Forefront UAG Web Monitor and check the session compliance and authentication details under Active Sessions.
  3. Check all system logs in the UAG Web Monitor. You will see that a session connected successfully, with the endpoint device type, endpoint IP and session GUID recorded in the logs.

Other Articles:

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

 

How to Publish Application Specific Host Name using Pass Through Authentication in Forefront UAG 2010

To avoid running into the following UAG events, follow the procedure below to create a correct trunk and application in UAG 2010.

UAG Events:

Warning 58 “The requested URL is not associated with any configured application.”

Warning 51 Invalid Method

“A request from source IP address x.x.x.x, user on trunk Trunk Name; Secure=1 for application failed because the method used PUT is not valid for requested URL”

Solutions:

1. Bypass Active Directory authentication to allow application-specific authentication.

Open Regedit and go to HKLM\Software\WhaleCom\e-Gap\von\URLFilter

Create a 32-bit DWORD value named KeepClientAuthHeader and set its value to 1.

Also make sure the FullAuthPassThru value is set to 1.


2. The public host name in the trunk must be different from the public host name in the published application. The purpose of the public host name in the trunk is simply to create the trunk; this host name will not be accessible from the external network or the internal network. Why? For the simple reason that without a public host name you can’t create a trunk. The public host name in the application is the real FQDN that employees and roaming users will access from the external network, which means the public IP will resolve to the application’s public host name. Since the trunk public host name and the application public host name are different, when you activate this trunk and application you will receive a certificate error saying that your trunk FQDN doesn’t match your certificate. As long as your certificate CN matches the application public host name, you will be fine. If you don’t want to see this error, you can use a SAN certificate that contains both the trunk public host name and the application public host name. In my case I don’t mind seeing that certificate warning; my trunk and application public host names are as follows:

  • Trunk Public Host Name: Mobile.mydomain.com
  • Application Public Host Name: mymobile.mydomain.com
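As an added check (not part of the original post), the following PowerShell lists the certificates in the local machine Personal store and reports whether each one’s subject CN or SAN covers the trunk and application host names above. It assumes the two host names from the post and English-locale SAN formatting; substitute your own names.

```powershell
# Added example: report which local-machine certificates cover the trunk and
# application public host names. Host names are the ones from the post above.
$trunkHost = 'Mobile.mydomain.com'
$appHost   = 'mymobile.mydomain.com'

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject CN, e.g. "CN=mymobile.mydomain.com, O=..."
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17). Format($true) prints one
    # entry per line, e.g. "DNS Name=mymobile.mydomain.com" (English locale assumed).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(.+)$') { $names += $matches[1].Trim() }
        }
    }
    $names | Select-Object -Unique
}

function Test-UagCertificateCoverage {
    param([string]$TrunkHost, [string]$AppHost)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $names = @(Get-CertificateDnsNames -Cert $_)
        New-Object PSObject -Property @{
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey   # UAG needs the private key (.pfx import)
            NotAfter      = $_.NotAfter
            CoversTrunk   = ($names -contains $TrunkHost)   # -contains ignores case
            CoversApp     = ($names -contains $AppHost)
            Names         = ($names -join ', ')
        }
    }
}

Test-UagCertificateCoverage -TrunkHost $trunkHost -AppHost $appHost |
    Select-Object Thumbprint, HasPrivateKey, NotAfter, CoversTrunk, CoversApp, Names |
    Format-Table -AutoSize
```

A certificate with CoversApp True and CoversTrunk False is the situation that produces the trunk FQDN mismatch warning described above; one with both True is the SAN certificate that avoids it.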

3. Correct URL Set

  • Name: MobilePortal_Rule1
  • Action: Accept
  • URL: /.*
  • Parameters: Ignore
  • Methods: PUT, POST, GET

Use the following steps to correctly publish a third-party mobile-device application implemented in IIS within a subdirectory.

Step 1: Create a Separate Trunk for this Application

  1. Before you begin, import the certificate into the UAG server. The certificate must be in .pfx format with its private key. Open the Microsoft Management Console (MMC), which lets you import a certificate into the IIS certificate store:
     i. Start Menu > Run > MMC
     ii. To import a certificate, in the MMC window, in the left pane, under Console Root, verify that Certificates (Local Computer) > Personal is selected.
     iii. From the Action menu, click All Tasks, and then click Import.
     iv. Follow the instructions in the Certificate Import Wizard.
  2. In the Forefront UAG Management console, right-click HTTP Connections to create a trunk accessible over HTTP, or right-click HTTPS Connections to create a trunk accessible over HTTPS. Then click New Trunk.
  3. On the Select Trunk Type page of the Create Trunk Wizard, click Portal trunk.
  4. On the Setting the Trunk page of the Create Trunk Wizard, specify the trunk details. In my case I have the following:
     i. Trunk Name: MobilePortal
     ii. Public Host Name: Mobile.mydomain.com
     iii. IP Address: Trunk IP (you must add the additional IP address(es) in the TCP/IP properties of the UAG external NIC)
     iv. Port: 443
  5. On the Authentication page of the Create Trunk Wizard, I am going to add my domain controller, but at a later stage I will remove the domain controller to make authentication application-specific rather than LDAP or AD. That means I will bypass AD authentication. For now, select an authentication server that will be used to authenticate user requests for trunk sessions. Click Add to select a server, as follows:
     i. In the Authentication and Authorization Servers dialog box, select a server and click Select. To add a new server to the list, click Add.
     ii. Select User selects from a server list to specify that during login to the trunk, users will be prompted to select an authentication server. If you configure one authentication server, users will authenticate to that server only. Select Show server names to allow users to select an authentication server from a list; otherwise, users must enter the server name. Select User provides credentials for each selected server to prompt users during login to authenticate to all the specified authentication servers. Select Use the same user name to specify that users must enter a single user name that will be used to authenticate to all specified servers.
  6. On the Certificate page of the Create Trunk Wizard (HTTPS trunks only), select the server certificate that will be used to authenticate the Forefront UAG server to the remote endpoint.
  7. On the Endpoint Security page of the Create Trunk Wizard, control access to trunk sessions by selecting policies that allow access based on the health of client endpoints. Click Use Forefront UAG access policies to determine the health of endpoints using the built-in Forefront UAG access policies.
  8. Click Finish after completing the Create Trunk Wizard.

Step 2: Advanced Trunk Configuration

  1. Click Configure in the Trunk Configuration area. Click the Endpoint Access Settings tab, and then click Edit Endpoint Policies.
  2. In this step, you will allow access from mobile phones and tablets. Microsoft UAG by default doesn’t allow mobile phone access; you need to allow it manually. Click Edit Endpoint Access Policies, select Default Session Access, click Edit, click Other, and select Always. Click OK. Repeat the step for Default Privileged Endpoint, Default Web Application Access, Default Web Application Upload and Default Web Application Download.
  3. Click the Authentication tab and deselect Require users to authenticate at session logon. By deselecting this option, you have created pass-through authentication.
  4. Click the Session tab and deselect Disable component installation and Disable scripting for portal applications.
  5. Click the URL Set tab and scroll down to the bottom of the page. On the mobile portal rule, select PUT, POST and GET. Click OK. Adding PUT resolves the Warning 51 Invalid Method event listed above.
  6. After completing the Create Trunk Wizard, in the Forefront UAG Management console, on the toolbar, click the Activate configuration icon, and then on the Activate configuration dialog box, click Activate.

Step 3: Add an Application-Specific Host Name for iPhone, Android and Tablet

1. In the Forefront UAG Management console, select the portal trunk to which you want to add the application. On the main trunk properties page, in the Applications area, click Add to open the Add Application Wizard.

2. On the Select Application page, click Web, and choose the application-specific host name you want to publish.

3. On the Application Setup page, specify the name and type of the application.

4. On the Endpoint Security page, select the access policies for your application. Note that not all of the policies may be available for some published applications. You must verify that the Other device type is allowed in the endpoint security policies; see Step 2 of creating the trunk above.

5. On the Application Deployment page, specify whether you want to publish a single server or a Web farm.

6. On the Web Servers page, if you are publishing a Web application, configure settings for the backend Web server that you want to publish. Under Application requires paths, add / as the path. This allows any subdirectory of the application hosted on the Microsoft IIS server. Under Addresses, type the fully qualified domain name of the web application that will be accessible from the external network.

7. On the Connectivity Verifier Settings page, if you are publishing a Web farm, specify how the state of Web farm members should be detected.

8. On the Authentication page, deselect Use SSO. By deselecting this option, you have created pass-through authentication.

9. On the Portal Link page, specify how the application appears on the portal home page of the trunk. If you have a subdirectory in IIS, specify the correct URL. For example, in my case I have a subdirectory such as https://mymobile.mydomain.com/mobile/. Select Premium mobile portal and Non-premium mobile portal.

10. Once done, click Finish.

11. On the trunk properties page, under Initial application, select Portal Home page as MobilePortal.

Step 4: Activate the Trunk and Post-Checks

1. On the console toolbar, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

2. This is a simple step that most techies skip, and they end up calling Microsoft technical support. You have to do this step for the published application to work. Open a command prompt as an administrator and run iisreset /restart.

3. Once everything is configured correctly, you will see the following event in UAG Web Monitor > Event Viewer:

The application MobilePortal was accessed on trunk; Secure=1 with user name and session ID EDD953BD-CB79-4180-B811-F1A0F53DCB33.


Publish Lync Server 2013 using Forefront UAG 2010 Step by Step

The following features are available for external access through a UAG reverse proxy:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Microsoft Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.
  • Enabling mobile applications to automatically discover mobility URLs from the Internet.

Prerequisites:

  • Lync Front End, Lync Director and Lync Edge are configured and operational for internal users
  • The Lync external access topology is published using Topology Builder
  • Lync Server is configured for external user access
  • The UAG server is installed and its initial configuration is completed
  • All service packs and hotfixes are installed on UAG and Lync Server.

Network Configuration:

Forefront UAG and Lync Edge must each be assigned two NICs: an external network adapter and an internal network adapter.

DNS Configuration

The reverse proxy must be able to resolve the internal Director and next-hop pool FQDNs used in the web publishing rules to IP addresses. As with the Edge Servers, for security reasons we recommend that you do not have the Edge Servers access a DNS server located in the internal network. This means you either need DNS servers in the perimeter network, or you need HOSTS file entries on the reverse proxy that resolve each of these FQDNs to the internal IP address of the servers.

DNS Name               Record Type            IP address    Purpose
sip.xman.com.au        HOST (A)               Internal IP   SIP domain
_sip._tls.xman.com.au  SRV record, port 5061  Internal IP   Used for Edge deployment separate from UAG
meet.xman.com.au       HOST (A)               Internal IP   Meeting
dialin.xman.com.au     HOST (A)               Internal IP   Dial-in
discover.xman.com.au   HOST (A)               Internal IP   Discover
webext.xman.com.au     HOST (A)               Internal IP   Common external Lync access
UAGSRV.xman.com.au     HOST (A)               Internal IP   UAG server internal DNS
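The following PowerShell is an added example (not part of the original post) that checks, from the UAG server, that each A record in the table above resolves to the expected internal IP, and prints ready-made HOSTS file lines for any that do not. The IP addresses are constructed placeholders; the SRV record is not checked because plain name resolution cannot see it.

```powershell
# Added example: verify internal name resolution for the Lync FQDNs the table lists.
# Expected IPs are constructed placeholders; replace them with your own values.
$expected = @{
    'sip.xman.com.au'      = '10.0.0.10'
    'meet.xman.com.au'     = '10.0.0.20'
    'dialin.xman.com.au'   = '10.0.0.20'
    'discover.xman.com.au' = '10.0.0.20'
    'webext.xman.com.au'   = '10.0.0.20'
    'UAGSRV.xman.com.au'   = '10.0.0.30'
}
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Test-LyncDnsEntry {
    param([string]$Fqdn, [string]$ExpectedIp)
    # GetHostAddresses honours the HOSTS file as well as DNS, so a perimeter
    # DNS server and a HOSTS entry are both accepted as "resolves correctly".
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($Fqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        $resolved = @()   # NXDOMAIN or no DNS reachable from the perimeter
    }
    New-Object PSObject -Property @{
        Fqdn     = $Fqdn
        Expected = $ExpectedIp
        Resolved = (@($resolved) -join ', ')
        Ok       = (@($resolved) -contains $ExpectedIp)
    }
}

$results = $expected.Keys | ForEach-Object {
    Test-LyncDnsEntry -Fqdn $_ -ExpectedIp $expected[$_]
}
$results | Select-Object Fqdn, Expected, Resolved, Ok | Format-Table -AutoSize

# Build HOSTS lines for anything that did not resolve to the internal address.
# Review them, then append them to $hostsFile from an elevated prompt.
$missing = $results | Where-Object { -not $_.Ok } |
    ForEach-Object { "{0}`t{1}" -f $_.Expected, $_.Fqdn }
if ($missing) {
    Write-Host "Add these lines to $hostsFile if no perimeter DNS server is available:"
    $missing
}
```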

To create the public DNS records, request that your ISP route these public FQDNs to your premises, i.e. to the external NIC of the UAG server if there is no front-end firewall, or to your external router if UAG is behind a front-end router and placed in the perimeter network.

DNS Name                 Record Type  IP address                                                        Purpose
webext.xman.com.au       HOST (A)     Publicly routable UAG external NIC IP                             Lync external access; IP should resolve to the Front End or Director
meet.xman.com.au         CNAME        webext.xman.com.au                                                Lync meeting
dialin.xman.com.au       CNAME        webext.xman.com.au                                                Lync dial-in
discover.xman.com.au     CNAME        webext.xman.com.au                                                Lync discover
LyncUAG.xman.com.au      HOST (A)     Publicly routable UAG external IP address                         UAG external FQDN
sip.xman.com.au          HOST (A)     Publicly routable Lync Edge external NIC IP (separate from UAG)   Lync external SIP domain
Sipexternal.xman.com.au  CNAME        sip.xman.com.au                                                   CNAME of external SIP domain, used for Lync Edge deployment separate from UAG

Certificate Requirements

Common Name         Subject alternative name  Purpose                            Issuer
webext.xman.com.au  webext.xman.com.au        Pool FQDN                          Public CA
                    meet.xman.com.au          Meeting simple URL
                    dialin.xman.com.au        Dial-in simple URL
                    discover.xman.com.au      External Autodiscover Service URL

NAT Requirements:

This topic describes the required NAT behaviour of a UAG deployment when the UAG server is placed behind a front-end firewall.

NAT Rule  Source IP          Public IP              NATed Destination    Port
1         Any                Public IP of Lync web  UAG external NIC IP  4443, 3478
2         Edge external NIC                         Internet/Extranet    3478
3         Internal network                          UAG internal NIC IP  4443, 3478

Create a Lync Trunk

1. Start Forefront UAG.
2. Right-click HTTPS Connections and select New Trunk.
3. Name the trunk and enter the public host name and IP address (this should match the DNS record created, i.e. LyncUAG.xman.com.au; this name should be different from the external name of the Lync Front End pool). Click Next.
4. Select the authentication server for your domain by clicking Add. Click Next.
5. Select the public certificate you have obtained. Click Next.
6. Select the default option of Use Forefront UAG access policies. Click Next.
7. Select the default endpoint policies. Click Next.
8. Click Finish.

Create Lync Web Services Application

1. Select the trunk created above.
2. Click Add under Applications.
3. Click Next
4. Select Microsoft Lync Web App 2010 under Web. Click Next.
5. Enter a name for the application (i.e. LyncWeb). Click Next.
6. Leave the Endpoint Policies as default. Click Next.
7. Click Next.
8. Enter webext.xman.com.au under Addresses. This should resolve to the Front Edge (or Director) Server from the UAG server. This should also match the name that External Access URL is set in the Lync Topology. Enter the same public host name. Click Next.
9. Uncheck Use SSO. Click Next.
10. Remove “dialin” from Application URL. Click Next.
11. Click Finish.

Create LyncDiscovery Application

1. In the same trunk, click Add under Applications.
2. Select Microsoft Lync Web App 2010. Click Next.
3. Enter a name for the application (i.e. LyncDiscovery). Click Next.
4. Click Next.
5. Enter webext.xman.com.au as the IP/Host and Discover as the public host name. Click Next.
6. Uncheck Use SSO. Click Next.
7. Remove “dialin” from the application URL and click Next.
8. Click Next.
9. Click Finish.

The wizard will create two additional entries for meet and dialin for the LyncDiscover application. Remove them by selecting each one and clicking Remove.

Additional Trunk Configuration

1. Click Configure under Trunk Configure.
2. Select the Authentication tab. Uncheck Require users to authenticate at session logon.
3. Select the Session tab and check Disable component installation and activation and Disable scripting for portal applications.
4. Click OK.

Additional Registry Entry

Important! Modify the registry at your own risk.

1. Open Registry Editor.
2. Navigate to HKLM\Software\WhaleCom\e-Gap\von\UrlFilter.
3. Right-click and add two DWORD (32-bit) values, KeepClientAuthHeader and FullAuthPassthru, and set each value to 1.
4. Close the Registry Editor.

Save and Activate the Configuration

1. Click the Save button in the UAG console.
2. Click Activate
3. Once the configuration has completed, click Finish
4. Start a Command Prompt (cmd) as an Administrator.
5. Perform an IISRESET.
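The registry change from the Additional Registry Entry section (the same one the mobile-portal post above describes under its Solutions), together with the IISRESET in steps 4 and 5, can be scripted and verified as follows. This is an added example, not part of the original post; it assumes the UAG registry key path given in the post and an elevated PowerShell prompt on the UAG server. Activating the configuration still happens in the UAG console.

```powershell
# Added example: set the two UAG UrlFilter values, confirm them, then restart IIS.
# Run from an elevated PowerShell prompt on the UAG server.
$key    = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter'   # path from the post
$values = @{ 'KeepClientAuthHeader' = 1; 'FullAuthPassthru' = 1 }

if (-not (Test-Path $key)) {
    throw "UAG registry key $key not found; is Forefront UAG installed on this server?"
}

# Export the key first so the change can be reverted (reg.exe needs the non-PSDrive form).
$backup = Join-Path $env:TEMP ('UrlFilter-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter' $backup /y | Out-Null
Write-Host "Registry key backed up to $backup"

foreach ($name in $values.Keys) {
    # Set-ItemProperty with -Type DWord creates the value if absent, or overwrites it.
    Set-ItemProperty -Path $key -Name $name -Value $values[$name] -Type DWord
}

# Read back and verify every value before touching IIS.
$props = Get-ItemProperty -Path $key
$allOk = $true
foreach ($name in $values.Keys) {
    $actual = $props.$name
    $ok = ($actual -eq $values[$name])
    '{0,-22} = {1} {2}' -f $name, $actual, $(if ($ok) { 'OK' } else { 'MISMATCH' })
    if (-not $ok) { $allOk = $false }
}
if (-not $allOk) { throw 'Registry values were not applied as expected; IIS not restarted.' }

# Steps 4 and 5 of the post: restart IIS so UAG picks up the new settings.
& iisreset.exe /restart
```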

Verify Website Access through the Internet

Open a web browser, type the URLs in the Address bar that clients use to access the Address Book files and the website for conferencing as follows:

References:

Publish Lync 2010 with ForeFront Unified Access Gateway 2010 (UAG)