Amazon WorkSpaces: A Cost-effective Alternative to Windows Virtual Desktop

An Amazon WorkSpace is a cloud-based virtual desktop that can act as a replacement for a traditional desktop. A WorkSpace is available as a bundle of operating system, compute resources, storage space, and software applications that allow a user to …

Migrating Azure VM to AWS EC2 using AWS Server Migration Service

Requirements for the Azure connector: the recommended VM size of the Azure connector is F4s – 4 vCPUs and 8 GB RAM. Ensure that you have a sufficient Azure CPU quota in the region where you are deploying the connector. A Standard …

Prepare Windows 10 Master Image & Deploy Windows Virtual Desktop

Microsoft announced Windows Virtual Desktop and began a private preview. Since then, we’ve been hard at work developing the ability to scale and deliver a true multi-session Windows 10 and Office 365 ProPlus virtual desktop and app experience on any …

Forrester Research Rates Server Hosted Virtual Desktop

Forrester Research Inc evaluates and rates server hosted virtual desktops. Forrester identified seven contenders in desktop virtualization platforms. The following are the outcomes of Forrester Research on VDI providers. Products evaluated: Citrix XenDesktop 7.6, Wyse vWorkspace 8.5, Listed BoXedVDI 3.2.1 …

How to deploy VDI using Microsoft RDS in Windows Server 2012 R2

Remote Desktop Services (RDS) is a server role that consists of several role services. RDS securely extends desktops and applications to any device, in any place, for remote and roaming workers. Remote Desktop Services provides both a virtual desktop infrastructure (VDI) and session-based desktops.

In Windows Server 2012 R2, the following roles are available in Remote Desktop Services: 

  • RD Virtualization Host: integrates with Hyper-V to deploy pooled or personal virtual desktop collections.
  • RD Session Host: enables a server to host RemoteApp programs or session-based desktops.
  • RD Connection Broker: provides the following services:
      - Allows users to reconnect to their existing virtual desktops, RemoteApp programs, and session-based desktops.
      - Evenly distributes the load among RD Session Host servers in a session collection, or among pooled virtual desktops in a pooled virtual desktop collection.
      - Provides access to virtual desktops in a virtual desktop collection.
  • RD Web Access: provides access to the following:
      - RemoteApp programs and session-based desktops through RemoteApp and Desktop Connection on the Start menu or through a web browser.
      - RemoteApp programs and virtual desktops in a virtual desktop collection.
  • RD Licensing: manages the licenses for RD Session Host and VDI.
  • RD Gateway: enables authorized users to connect to VDI and RemoteApp programs.

For an RDS lab, you will need the following servers.

  • RDSVHSRV01 - Remote Desktop Virtualization Host server (Hyper-V server)
  • RDSWEBSRV01 - Remote Desktop Web Access server
  • RDSCBSRV01 - Remote Desktop Connection Broker server
  • RDSSHSRV01 - Remote Desktop Session Host server
  • FileSRV01 - File server to store user profile disks

This test lab consists of the 192.168.1.1/24 subnet for the internal network and a DHCP client, Client1, running the Windows 8 operating system, in a test domain called testdomain.com. You need a shared folder hosted on a file server, or SAN storage presented to a Hyper-V cluster acting as the Virtualization Host. All RD Virtualization Host computer accounts must be granted Read/Write permission on the shared folder. I assume you have a functional domain controller, DNS, DHCP and a Hyper-V cluster. Now you can follow the steps below.

Step1: Create a Server Group

1. Open Server Manager from the taskbar. Click Dashboard, click View, click Show Welcome Tile, click Create a Server Group, and type RDS Servers as the group name.

2. Click Active Directory , In the Name (CN): box, type RDS, then click Find Now.

3. Select RDSWEBSRV01, RDSSHSRV01, RDSCBSRV01, RDSVHSRV01 and then click the right arrow.

4. Click OK.

Step2: Deploy the VDI standard deployment

1. Log on to the Windows server by using the testdomain\Administrator account.

2. Open Server Manager from Taskbar, Click Manage, click Add roles and features.

3. On the Before You Begin page of the Add Roles and Features Wizard, click Next.

4. On the Select Installation Type page, click Remote Desktop Services scenario-based Installation, and then click Next.


5. On the Select deployment type page, click Standard deployment, and then click Next. A standard deployment lets you deploy RDS across multiple servers, splitting the roles and features among them. A Quick Start deploys RDS on a single server and publishes apps.


6. On the Select deployment scenario page, click Virtual Desktop Infrastructure, and then click Next.


7. On the role services page, review roles then click Next.


8. On the Specify RD Connection Broker server page, click RDSCBSRV01.Testdomain.com, click the right arrow, and then click Next.


9. On the Specify RD Web Access server page, click RDSWEBSRV01.Testdomain.com, click the right arrow, and then click Next.


10. On the Specify RD Virtualization Host server page, click RDSVHSRV01.Testdomain.com, click the right arrow, and then click Next. RDSVHSRV01 is a physical machine configured with Hyper-v. Check Create a New Virtual Switch on the selected server.


11. On the Confirm selections page, select the Restart the destination server automatically if required check box, and then click Deploy.


12. After the installation is complete, click Close.


Step3: Test the VDI standard deployment connectivity

You can confirm that the VDI standard deployment was deployed successfully by using Server Manager to check the Remote Desktop Services deployment overview.

1. Log on to the DC1 server by using the testdomain\Administrator account.

2. Open Server Manager, click Remote Desktop Services, and then click Overview.

3. In the DEPLOYMENT OVERVIEW section, ensure that the RD Web Access, RD Connection Broker, and RD Virtualization Host role services are installed. If there is an icon, and not a green plus sign (+), next to the role service name, the role service is installed and part of the deployment.
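The same deployment and check can be scripted from the RD Connection Broker. This is an added example, not code from the original post; it assumes the RemoteDesktop PowerShell module that ships with Windows Server 2012 R2 and the lab server names used above, and the role identifier strings are those reported by Get-RDServer.

```powershell
# Added example, not part of the original post: scripted equivalent of the
# Step 2 standard VDI deployment and the Step 3 check, run on the
# RD Connection Broker. Assumes the RemoteDesktop module that ships with
# Windows Server 2012 R2 and the lab server names used in this post.
Import-Module RemoteDesktop

$broker    = 'RDSCBSRV01.Testdomain.com'
$webAccess = 'RDSWEBSRV01.Testdomain.com'
$vhost     = 'RDSVHSRV01.Testdomain.com'

# Standard deployment / Virtual Desktop Infrastructure scenario, including the
# "Create a New Virtual Switch" option on the virtualization host.
New-RDVirtualDesktopDeployment -ConnectionBroker $broker `
    -WebAccessServer $webAccess -VirtualizationHost $vhost -CreateVirtualSwitch

# Step 3 equivalent: each role service must be installed on the intended server.
# Role identifiers are the strings Get-RDServer reports in its Roles property.
$expected = @{
    'RDS-CONNECTION-BROKER' = $broker
    'RDS-WEB-ACCESS'        = $webAccess
    'RDS-VIRTUALIZATION'    = $vhost
}
$servers = Get-RDServer -ConnectionBroker $broker
$missing = @()
foreach ($role in $expected.Keys) {
    $hit = $servers | Where-Object { $_.Server -eq $expected[$role] -and $_.Roles -contains $role }
    if ($hit) { "OK       $role on $($expected[$role])" }
    else      { "MISSING  $role on $($expected[$role])"; $missing += $role }
}
if ($missing) { throw "Deployment incomplete: $($missing -join ', ')" }
```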


Step4: Configure FileSRV01

You must create a network share on a computer in the testdomain domain to store the user profile disks. Use the following procedures:

  • Create the user profile disk network share
  • Adjust permissions on the network share

Create the user profile disk network share

1. Log on to the FileSRV01 computer by using the TESTDOMAIN\Administrator user account.

2. Open Windows Explorer.

3. Click Computer, and then double-click Local Disk (C:).

4. Click Home, click New Folder, type RDSUserProfile and then press ENTER.

5. Right-click the RDSUSERPROFILE folder, and then click Properties.

6. Click Sharing, and then click Advanced Sharing.

7. Select the Share this folder check box.

8. Click Permissions, and then grant Full Control permissions to the Everyone group. Effective access is then governed by the NTFS permissions set in the next procedure.

9. Click OK twice, and then click Close.

Adjust permissions on the network share

1. Right-click the RDSUSERPROFILE folder, and then click Properties.

2. Click Security, and then click Edit.

3. Click Add.

4. Click Object Types, select the Computers check box, and then click OK.

5. In the Enter the object names to select box, type RDSVHSRV01.Testdomain.com, and then click OK.

6. Click RDSVHSRV01, and then select the Allow check box next to Modify.

7. Click OK two times.
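The two procedures above can be scripted and verified on FileSRV01. This is an added example, not code from the original post; it assumes the SmbShare module (Windows Server 2012 or later on the file server) and the lab names TESTDOMAIN and RDSVHSRV01, and it tightens the share permission to the virtualization host computer accounts and Administrators instead of Everyone / Full Control.

```powershell
# Added example, not part of the original post: scripted equivalent of Step 4
# on FileSRV01, followed by a check of the resulting permissions. Assumes the
# SmbShare module (Windows Server 2012 or later on the file server) and the lab
# names in this post (TESTDOMAIN, RDSVHSRV01). Unlike the wizard steps above,
# the share permission is limited to the virtualization host computer accounts
# and Administrators instead of Everyone / Full Control.
$path  = 'C:\RDSUserProfile'
$share = 'RDSUserProfile'
# Computer accounts are principals named "<name>$"; the post grants the
# RD Virtualization Host computer account Modify on the folder.
$vhAccounts = @('TESTDOMAIN\RDSVHSRV01$')

if (-not (Test-Path $path)) { New-Item -Path $path -ItemType Directory | Out-Null }

# Share-level permission (tightened compared to the Everyone / Full Control step).
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $path `
        -FullAccess ($vhAccounts + 'BUILTIN\Administrators') | Out-Null
}

# NTFS permission: Modify for each virtualization host computer account,
# inherited by subfolders and files so the user profile disk files are covered.
$acl = Get-Acl -Path $path
foreach ($account in $vhAccounts) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Verification: the collection wizard's user profile disk step needs read and
# write access for every RD Virtualization Host account at both layers.
$ntfs = (Get-Acl -Path $path).Access
$smb  = Get-SmbShareAccess -Name $share
foreach ($account in $vhAccounts) {
    $hasNtfs = $ntfs | Where-Object {
        $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.ToString() -match 'Modify|FullControl' }
    $hasSmb = $smb | Where-Object {
        $_.AccountName -eq $account -and $_.AccessControlType -eq 'Allow' -and
        ($_.AccessRight -eq 'Change' -or $_.AccessRight -eq 'Full') }
    "$account  NTFS Modify: $([bool]$hasNtfs)  Share Change/Full: $([bool]$hasSmb)"
}
```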

Step5: Configure RDSVHSRV01

You must add the virtual desktop template to Hyper-V so you can assign it to the pooled virtual desktop collection.

Create Virtual Desktop Template in RDSVHSRV01

1. Log on to the RDSVHSRV01 computer by using the Testdomain\Administrator user account.

2. Click Start, and then click Hyper-V Manager.

3. Right-click RDSVHSRV01, point to New, and then click Virtual Machine.

4. On the Before You Begin page, click Next.

5. On the Specify Name and Location page, in the Name box, type Virtual Desktop Template, and then click Next.


6. On the Assign Memory page, in the Startup memory box, type 1024, and then click Next.


7. On the Configure Networking page, in the Connection box, click RDS Virtual, and then click Next.


8. On the Connect Virtual Hard Disk page, click the Use an existing virtual hard disk option.


9. Click Browse, navigate to the virtual hard disk that should be used as the virtual desktop template, and then click Open. Click Next.


10. On the Summary page, click Finish.

Step6: Create the managed pooled virtual desktop collection in RDSVHSRV01

Create the managed pooled virtual desktop collection so that users can connect to desktops in the collection.

1. Log on to the RDSCBSRV01 server by using the TESTDOMAIN\Administrator user account.

2. Server Manager will start automatically. If it does not automatically start, click Start, type servermanager.exe, and then click Server Manager.

3. In the left pane, click Remote Desktop Services, and then click Collections.

4. Click Tasks, and then click Create Virtual Desktop Collection.


5. On the Before you begin page, click Next.

6. On the Name the collection page, in the Name box, type Testdomain Managed Pool, and then click Next.


7. On the Specify the collection type page, click the Pooled virtual desktop collection option, ensure that the Automatically create and manage virtual desktops check box is selected, and then click Next.


8. On the Specify the virtual desktop template page, click Virtual Desktop Template, and then click Next.


9. On the Specify the virtual desktop settings page, click Provide unattended settings, and then click Next. In this step of the wizard, you can also choose to provide an answer file. A Simple Answer File can be obtained from URL1 and URL2

10. On the Specify the unattended settings page, enter the following information and retain the default settings for the options that are not specified, and then click Next.

  • In the Local Administrator account password and Confirm password boxes, type the same strong password.
  • In the Time zone box, click the time zone that is appropriate for your location.

11. On the Specify users and collection size page, accept the default selections, and then click Next.

12. On the Specify virtual desktop allocation page, accept the default selections, and then click Next.

13. On the Specify virtual desktop storage page, accept the default selections, and then click Next.

14. On the Specify user profile disks page, in the Location user profile disks box, type \\FileSRV01\RDSUserProfile, and then click Next. Make sure that the RD Virtualization Host computer accounts have read and write access to this location.

15. On the Confirm selections page, click Create.

Step8: Test Remote Desktop Services connectivity

You can ensure the managed pooled virtual desktop collection was created successfully by connecting to the RD Web Access server and then connecting to the virtual desktop in the Testdomain Managed Pool collection.

1. Open Internet Explorer.

2. In the Internet Explorer address bar, type https://RDSWEBSRV01.Testdomain.com/RDWeb, and then press ENTER.

3. Click Continue to this website (not recommended).


4. In the Domain\user name box, type TESTDOMAIN\Administrator.

5. In the Password box, type the password for the TESTDOMAIN\Administrator user account, and then click Sign in.

6. Click Testdomain Managed Pool, and then click Connect.

Relevant Configuration

  • Remote Desktop Services with ADFS SSO
  • Remote Desktop Services with Windows Authentication
  • RDS With Windows Authentication

Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Step1: Configure the SharePoint server

1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.

2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.

3. On the Alternate Access Mappings page, in the Alternate Access Mapping Collection list, click Change Alternate Access Mapping Collection, and then on the Select an Alternate Access Mapping Collection dialog box, select the application that you want to publish.

4. On the Alternate Access Mappings page, click Edit Public URLs.

5. On the Edit Public Zone URLs page, in a zone box that is not yet defined, such as the Internet zone, enter the URL of the same public host name that you entered in the Public host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). Make sure that the URL includes the protocol, according to the trunk type.

6. For example, if you are publishing an application via an HTTPS trunk that resides in the domain xman.com, and the application’s public host name that you entered in Forefront UAG is Portal, enter the following URL: https://Portal.xman.com.

7. When you have finished, click Save.

8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:

9. In the URL protocol, host and port box, enter the URL that you assigned in the Farm host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). For example: http://PortalExternal.xman.com.

10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.
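The alternate access mappings from Step 1 can also be set and checked from the SharePoint 2010 Management Shell. This is an added example, not code from the original post; it uses the post's names (public host name Portal in domain xman.com, farm host name PortalExternal.xman.com) and assumes the web application being published is the one at the placeholder URL in $webAppUrl.

```powershell
# Added example, not part of the original post: the Step 1 alternate access
# mappings done from the SharePoint 2010 Management Shell instead of Central
# Administration. Assumes the post's names (public host name Portal in domain
# xman.com, farm host name PortalExternal.xman.com); $webAppUrl is a placeholder
# for the web application you are publishing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = 'http://sharepoint-internal'     # placeholder: web application to publish
$zone        = 'Internet'                       # a zone not yet defined, as in step 5
$publicUrl   = 'https://Portal.xman.com'        # public host name + protocol of the HTTPS trunk
$internalUrl = 'http://PortalExternal.xman.com' # farm host name entered in the UAG trunk

$webApp = Get-SPWebApplication -Identity $webAppUrl

# Steps 5 and 6: public URL for the zone, carrying the protocol of the trunk.
New-SPAlternateURL -Url $publicUrl -WebApplication $webApp -Zone $zone | Out-Null
# Steps 8 and 9: internal URL (the replaced host header) mapped to the same zone.
New-SPAlternateURL -Url $internalUrl -WebApplication $webApp -Zone $zone -Internal | Out-Null

# Check: both URLs are in the zone and the public one uses https; otherwise the
# UAG trunk and the farm disagree on the protocol and links are rewritten wrongly.
$maps = Get-SPAlternateURL -WebApplication $webApp | Where-Object { $_.Zone -eq $zone }
$public   = $maps | Where-Object { $_.IncomingUrl -eq $publicUrl -and $_.PublicUrl -eq $publicUrl }
$internal = $maps | Where-Object { $_.IncomingUrl -eq $internalUrl -and $_.PublicUrl -eq $publicUrl }
if ($public -and $internal -and $publicUrl.StartsWith('https://')) {
    "AAM for zone $zone is consistent with the HTTPS trunk."
} else {
    'AAM check failed:'
    $maps | Format-Table IncomingUrl, PublicUrl, Zone -AutoSize
}
```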

Step2: Create a New trunk

Right-click HTTPS Application, click New Trunk, select Portal Trunk, and click Next.

Type SharePoint 2010 as the trunk name, type the FQDN of the SharePoint site and the IP address of the external NIC, and click Next.

On the Authentication page, click Add, select the DC, and click Next.

Select the SharePoint.xman.com.au certificate from the drop-down list, and click Next. Don’t worry about the certificate in the screenshot; this is a test environment.

Select Use Forefront UAG Access Policies, and click Next.

Select Default, and click Next.

Click Finish.

Step3: Add SharePoint web applications to the trunk

In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.

In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Microsoft Office SharePoint Server 2013, Microsoft SharePoint Server 2010, or Microsoft Office SharePoint Server 2007.



On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.


On the Web Servers page, do the following:

In the Addresses box, enter the internal host name of the server running SharePoint Products and Technologies. If your SharePoint server is load balanced, use the load-balanced URL instead of a server name. Make sure that you enter a fully qualified domain name.

In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.

In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.

In the Public host name box, enter a public host name of your choice for the SharePoint web application.

Select the Replace host header with the following check box, and in the Farm host name box, enter a URL of your choice that will be used to differentiate the internal host name of the application from its public host name. Make sure that the URL includes the domain in which the trunk resides (the domain of the trunk appears on the Web Servers tab, to the right of the Public host name box). For example, if the public host name of the application is HRPortal and the trunk resides in the domain xman.com, enter the following replacement host header: HRPortalExternal.xman.com.



On the Authentication page, do the following:

To allow rich client applications, such as Microsoft Word or Microsoft Excel, to authenticate directly to the SharePoint application without authenticating to the portal, select the Allow rich clients to bypass trunk authentication check box.

To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.


On the Portal Link page of the wizard, if required, configure the portal link for the application.

If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.



When you have completed the wizard, click Finish.

The Add Application Wizard closes, and the application that you defined appears in the Applications list.



On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.

Step4: Configure Mobile devices Access for SharePoint

When end users access a SharePoint 2010 site from a mobile device using the Office Mobile client, to allow the device to download documents from a SharePoint site, you must make the following URL set changes:

1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.

2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.

3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.

4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.

5. When end users open an Excel file on a SharePoint site from their mobile device, the file opens correctly. If they then go to a different SharePoint site, the first time they try to open an Excel file it may not open as expected; end users must click the file again to open it.

Install and Configure Forefront UAG 2010 Step by Step


Forefront UAG Overview:

Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computers and mobile devices. UAG provides many benefits; the following is an extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

  • Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
  • Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
  • Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
  • Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
  • Easily integrates with Active Directory and enables a variety of strong authentication methods.
  • Limits exposure and prevents data leakage to unmanaged endpoints.

Assumptions:

The following servers are installed and configured in a test environment.

Systems Requirements:

| Option                 | Description            |
|------------------------|------------------------|
| Virtual Machine Name   | DC1TVUAG01             |
| Memory                 | 8GB                    |
| vCPU                   | 1                      |
| Hard Disk 1            | 50GB                   |
| Hard Disk 2            | 50GB                   |
| Network Adapter        | 2                      |
| Guest Operating System | Windows Server 2008 R2 |
| Service Pack Level     | SP1                    |

Software Requirement:

| Version                                         | Service Pack Level |
|-------------------------------------------------|--------------------|
| Microsoft Forefront Unified Access Gateway 2010 | SP3                |

Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:

  • Microsoft .NET Framework 3.5 SP1
  • Windows Web Services API
  • Windows Update
  • Microsoft Windows Installer 4.5
  • SQL Server Express 2005
  • Forefront TMG is installed as a firewall during Forefront UAG setup
  • The Windows Server 2008 R2 DirectAccess component is automatically installed.

The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.

  • Network Policy Server
  • Routing and Remote Access Services
  • Active Directory Lightweight Directory Services Tools
  • Message Queuing Services
  • Web Server (IIS) Tools
  • Network Load Balancing Tools
  • Windows PowerShell

Supported Browser Clients:

| Browser           | Features                                                                                                                                                   |
|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Firefox           | Endpoint Session Cleanup; Endpoint detection; SSL Application Tunneling; Endpoint Quarantine Enforcement                                                   |
| Internet Explorer | Endpoint Session Cleanup; Endpoint detection; SSL Application Tunneling; Socket Forwarding; SSL Network Tunneling (Network Connector); Endpoint Quarantine Enforcement |

Supported Mobile Devices:

| Device Name                                          | Features              |
|------------------------------------------------------|-----------------------|
| Windows Phone                                        | Premium mobile portal |
| iOS: 4.x and 5.x on iPhone and iPad                  | Premium mobile portal |
| Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0 | Premium mobile portal |

Service Account for Active Directory Authentication:

| Service Account | Privileges   | Password                     |
|-----------------|--------------|------------------------------|
| xman\SA-FUAG    | Domain Users | Password set to never expire |

Domain Joined Forefront UAG:

The Forefront UAG server will be a member of the XMAN domain to achieve the following benefits.

  • Add the server to an array of Forefront UAG servers at a later date.
  • Configure the server as a Forefront UAG DirectAccess server at a later date.
  • Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
  • Publish the File Access application via a Forefront UAG trunk.
  • Provide remote clients with access to the internal corporate network using SSTP.

Antivirus Exclusion:

Version: Forefront UAG 2010

Paths:

  • UAG installation folder (may be changed during installation): %ProgramFiles%\Microsoft Forefront Unified Access Gateway

Processes:

  • Forefront UAG DNS-ALG Service: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe
  • Forefront UAG Monitoring Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe
  • Forefront UAG Session Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe
  • Forefront UAG File Sharing: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe
  • Forefront UAG Quarantine Enforcement Server: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagqessvc.exe
  • Forefront UAG Terminal Services RDP Data: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagrdpsvc.exe
  • Forefront UAG User Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\UserMgrCom.exe
  • Forefront UAG Watch Dog Service: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\WatchDogSrv.exe
  • Forefront UAG Log Server: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlerrsrv.exe
  • Forefront UAG SSL Network Tunneling Server: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlios.exe

Forefront UAG Placement:

The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

There are advantages to placing the Forefront UAG server between a frontend and a backend firewall, as follows:

  • Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
  • Integrity of the content in the corporate network is retained.
  • Backend applications and infrastructure servers, such as authentication servers, can be published and accessed securely, as required.
  • Corporate network infrastructure is hidden from perimeter and external threats.

Scenario#1


Perimeter Port Requirement:

To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:

  • HTTP traffic (port 80)
  • HTTPS traffic (port 443)
  • FTP Traffic (Port 21)
  • RDP Traffic (Port 3389)

Backend Port Requirement

Since the XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purposes.

| Infrastructure server     | Protocol                | Port               | Direction                         |
|---------------------------|-------------------------|--------------------|-----------------------------------|
| Domain controller         | Microsoft-DS traffic    | TCP 445, UDP 445   | From UAG to DC                    |
| Domain controller         | Kerberos authentication | TCP 88, UDP 88     | From UAG to DC                    |
| Domain controller         | LDAP                    | TCP 389, UDP 389   | From UAG to DC                    |
| Domain controller         | LDAPS                   | TCP 636, UDP 636   | From UAG to DC                    |
| Domain controller         | LDAP to GC              | TCP 3268, UDP 3268 | From UAG to DC                    |
| Domain controller         | LDAPS to GC             | TCP 3269, UDP 3269 | From UAG to DC                    |
| Domain controller         | DNS                     | TCP 53, UDP 53     | From UAG to DC                    |
| Exchange, SharePoint, RDS | HTTPS                   | TCP 443            | From external to internal server  |
| FTP                       | FTP                     | TCP 21             | From external to internal server  |

Scenario#2

In this scenario no NAT or internal firewall rules are needed, but this is not a best practice and not a good firewall design.

UAG Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated UAG network name. The following binding order will be maintained within the Windows operating system:

  • First in order: UAG internal adapter connected to the trusted network.
  • Second in order: UAG external adapter connected to the untrusted network.

The following is the network configuration for the UAG server.

| Option           | IP Address  | Subnet        | Default Gateway | DNS          |
|------------------|-------------|---------------|-----------------|--------------|
| Internal Network | 10.10.10.2  | 255.255.255.0 | Not required    | 10.10.10.1   |
| External Network | 192.168.1.1 | 255.255.255.0 | 192.168.1.254   | Not required |

Important! The External Network can be assigned a public IP if the UAG server isn’t placed behind a frontend router/firewall. In an edge configuration the UAG external network is configured with a public IP and the internal network is assigned an IP address from the internal IP range.

Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment (extract from Recommended Network Adapter Configuration for Forefront UAG Servers).

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:

  • UAG adapter connected to the trusted network: Internal Network
  • UAG adapter connected to the untrusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please note: the ‘File and Print Sharing for Microsoft Networks’ binding on the TMG Internal Network adapter is left at its default setting of Enabled. This allows the Internal Network adapter to be used for intra-array services when using a Forefront UAG array.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.
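The adapter profile from Configuration Step 2 and the bind order from Configuration Step 3 can be audited after the fact. This is an added example, not code from the original post; it assumes the adapters were renamed as in Configuration Step 1 and uses only WMI and the registry so it runs on Windows Server 2008 R2 with PowerShell 2.0.

```powershell
# Added example, not part of the original post: audit the UAG server's two
# adapters against the Internal/External profile in Configuration Step 2 and
# the bind order in Configuration Step 3. Assumes the adapters were renamed as
# in Configuration Step 1. The Client / File and Print Sharing bindings are not
# exposed through WMI and must still be checked in the adapter properties.
$expected = @{
    'Internal Network' = @{ Gateway = $false; Dns = $true;  DnsRegister = $true;  Lmhosts = $false; NetbiosDisabled = $false }
    'External Network' = @{ Gateway = $true;  Dns = $false; DnsRegister = $false; Lmhosts = $false; NetbiosDisabled = $true  }
}
$findings = @()
$guids = @{}
foreach ($name in $expected.Keys) {
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$name'"
    if (-not $adapter) { $findings += "${name}: adapter not found (rename it as in Configuration Step 1)"; continue }
    $guids[$name] = $adapter.GUID
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
    # TcpipNetbiosOptions: 0 = default (from DHCP), 1 = enabled, 2 = disabled.
    $actual = @{
        Gateway         = [bool]$cfg.DefaultIPGateway
        Dns             = [bool]$cfg.DNSServerSearchOrder
        DnsRegister     = [bool]$cfg.FullDNSRegistrationEnabled
        Lmhosts         = [bool]$cfg.WINSEnableLMHostsLookup
        NetbiosDisabled = ($cfg.TcpipNetbiosOptions -eq 2)
    }
    foreach ($key in $expected[$name].Keys) {
        if ($actual[$key] -ne $expected[$name][$key]) {
            $findings += "${name}: $key is $($actual[$key]), expected $($expected[$name][$key])"
        }
    }
}
# Bind order: the Tcpip\Linkage\Bind value lists adapters as \Device\{GUID} in
# binding order; the Internal Network adapter must appear before External.
if ($guids.Count -eq 2) {
    $bind   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
    $posInt = [array]::IndexOf($bind, "\Device\$($guids['Internal Network'])")
    $posExt = [array]::IndexOf($bind, "\Device\$($guids['External Network'])")
    if ($posInt -lt 0 -or $posExt -lt 0 -or $posInt -gt $posExt) {
        $findings += 'Bind order: Internal Network is not above External Network (Configuration Step 3)'
    }
}
if ($findings) { $findings } else { 'Adapters match the recommended profile and bind order.' }
```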


Configuration Step 4 – Run the UAG Network Interfaces Wizard:

You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.


Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.

DNS Forwarding:

The following Fully Qualified Domain Names (FQDNs) are published in public DNS at the ISP and point to the public IP address of your router:

| Purpose    | Public Host Name      | Public IP Address |
|------------|-----------------------|-------------------|
| Exchange   | webmail.xman.com.au   | 203.17.x.x        |
| SharePoint | sharepoint.xman.com.au | 203.17.x.x       |
| RDS        | remote.xman.com.au    | 203.17.x.x        |
| FTP        | ftp.xman.com.au       | 203.17.x.x        |

Scenario#1 Firewall Rules consideration

External NAT Rules

The following NAT rules will be added to the perimeter firewall to publish applications and services through Forefront UAG.

| Rule(s) | Description | Source IP | Public IP Address (Destination IP Address) | Port | NAT Destination | Status |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Exchange | Any | 203.17.x.x | 443 | 10.10.10.2 | Forward |
| 2 | SharePoint | Any | 203.17.x.x | 443 | 10.10.10.2 | Forward |
| 4 | RDS | Any | 203.17.x.x | 443 | 10.10.10.2 | Forward |
| 5 | FTP | Any | 203.17.x.x | 21 | 10.10.10.2 | Forward |

Internal Firewall Rules

The following firewall rules will be added to the internal network firewall to allow communication from the UAG server to the application servers and the domain controller:

| Rules | Description | Source IP | Port (TCP & UDP) | NAT Destination | Destination | Status |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Exchange | 10.10.10.2 | TCP 443 | Not Required | 10.10.10.3 | Forward |
| 2 | SharePoint | 10.10.10.2 | TCP 443 | Not Required | 10.10.10.4 | Forward |
| 4 | RDS | 10.10.10.2 | TCP 443 | Not Required | 10.10.10.5 | Forward |
| 5 | FTP | 10.10.10.2 | TCP 21 | Not Required | 10.10.10.6 | Forward |
| 6 | Client | 10.10.12.0/24, 10.10.13.0/24 | TCP 443, TCP 21 | Not Required | 10.10.10.2 | Forward |
| 7 | Domain Controller | 10.10.10.2 | 445, 88, 53, 389, 636, 3268, 3269 | Not Required | 10.10.10.1 | Forward |

Understanding Certificates requirements:

Forefront UAG supports wildcard certificates at the domain level and sub-domain level. Wildcard certificates in the form *.xman.com.au are supported. In addition, a SAN certificate can specify the required host names.

Launch Certificate Manager

Using Certificate Manager, you can import a certificate into the IIS certificate store, as follows:

1. Open the Certificate Manager Microsoft Management Console (MMC).

2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.

3. Follow the instructions in the Certificate Import Wizard.

| Common Name | Subject Alternative Name | Certificate Issuer |
| --- | --- | --- |
| RDS.xman.com.au | | Verisign/Digicert |
| webmail.xman.com.au | autodiscover.xman.com.au | Verisign/Digicert |
| ftp.xman.com.au | | Verisign/Digicert |
| sharepoint.xman.com.au | | Verisign/Digicert |
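As an added check that is not part of the original post, the following PowerShell looks in the Local Computer Personal store on the UAG server for a certificate with a private key whose Subject or Subject Alternative Name (OID 2.5.29.17) covers every host name each trunk publishes, using the names from the table above. Wildcard matching one label deep is handled, since the post says *.xman.com.au certificates are supported.

```powershell
# Added example (not from the original post): for each trunk, find an installed certificate
# (with private key) that covers all of the trunk's host names via CN or SAN DNS entries.
$TrunkNames = @{
    'RDS'        = @('RDS.xman.com.au')
    'Exchange'   = @('webmail.xman.com.au', 'autodiscover.xman.com.au')
    'FTP'        = @('ftp.xman.com.au')
    'SharePoint' = @('sharepoint.xman.com.au')
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # The SAN extension, formatted multi-line, yields one "DNS Name=host" entry per line.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return @($names | Select-Object -Unique)
}

function Test-HostCovered {
    # Exact match, or a wildcard certificate one label up (*.xman.com.au covers ftp.xman.com.au).
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $pattern = '^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$'
            if ($HostName -imatch $pattern) { return $true }
        }
    }
    return $false
}

function Find-TrunkCertificate {
    param([string[]]$Required, $Certs)
    foreach ($c in $Certs) {
        if (-not $c.HasPrivateKey) { continue }        # a trunk needs the private key
        $names = Get-CertificateDnsNames $c
        $covered = $true
        foreach ($r in $Required) { if (-not (Test-HostCovered $r $names)) { $covered = $false; break } }
        if ($covered) { return $c }
    }
    return $null
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    foreach ($trunk in $TrunkNames.Keys) {
        $c = Find-TrunkCertificate $TrunkNames[$trunk] $store.Certificates
        if ($c) {
            Write-Host ('{0,-10} OK  {1}  expires {2:yyyy-MM-dd}' -f $trunk, $c.Thumbprint, $c.NotAfter)
        } else {
            Write-Warning ('{0}: no certificate with a private key covers {1}' -f $trunk, ($TrunkNames[$trunk] -join ', '))
        }
    }
} finally { $store.Close() }
```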

Understanding Properties of Trunk

  • Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
  • Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
  • IP address: Specify the external IP address used to reach the published Web application or portal.
  • Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
  • HTTP/HTTPS port: Specify the port for the external Web site.

UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following topics describe the list of trunks and their advanced configuration.


Advanced Trunk Configuration for SharePoint: The following changes should be made in advanced trunk configuration to allow mobile devices to communicate with UAG server for rich application:

| URL List | Methods | Allow Rich Content |
| --- | --- | --- |
| InternalSite_Rule54 | HEAD | Checked |
| SharePoint14AAM_Rule47 | HEAD | Checked |

Published Applications and Services:


Install Forefront UAG:

Mount the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file on the Hyper-V server as DVD media, and run Setup from the Forefront UAG folder.

Ensure that the Network List Service (Netprofm) and the Network Location Awareness (NlaSvc) services are running, before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.


On the Welcome page of Setup, do the following:


Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.


Restart the Server.


Initial Configuration Using Getting Started Wizard


In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

On the Define Network Adapter Settings page, in the Adapter name list do the following:

To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the external network adapter. You can add, edit, or remove ranges, as required. Note that it is not recommended to configure DNS on the external adapter.

To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.

After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:

If you are running Forefront UAG on a single server, click Single server.

If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.

After running the Network Configuration Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Update. Note that an Internet connection is required both to opt in for updates and to receive them. Forefront UAG updates will only be available after the RTM release.

If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, click No, I do not want to participate if you do not want to participate in the program.

Configure Remote Desktop (RDP) to Forefront UAG

After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:

Ensure that remote desktop is enabled on the Forefront UAG server.

Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.

To do this, open the Forefront TMG Management console from the Start menu.

1. In the console tree, click the Firewall Policy node. Right-click, click New, click Access Policy, and type the name RDP Access Policy.

2. On the Rule Action page, click Allow, and then click Next.

3. On the Selected Protocols page, click Add, select RDP Server from All Protocols, and then click Next.

4. On the Source page, click New, click Computer, add the name and IP address of the management computer, and then click Next.

5. On the Destination page, click New, click Computer, add the name and IP address of the UAG server, click Next, click Finish, and then apply the changes.

Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Step1: Configure the SharePoint server

1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.

2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.

3. On the Alternate Access Mappings page, in the Alternate Access Mapping Collection list, click Change Alternate Access Mapping Collection, and then on the Select an Alternate Access Mapping Collection dialog box, select the application that you want to publish.

4. On the Alternate Access Mappings page, click Edit Public URLs.

5. On the Edit Public Zone URLs page, in a zone box that is not yet defined, such as the Internet zone, enter the URL of the same public host name that you entered in the Public host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). Make sure that the URL includes the protocol, according to the trunk type.

6. For example, if you are publishing an application via an HTTPS trunk that resides in the domain xman.com, and the application’s public host name that you entered in Forefront UAG is Portal, enter the following URL: https://Portal.xman.com.

7. When you have finished, click Save.

8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:

9. In the URL protocol, host and port box, enter the URL that you assigned in the Farm host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). For example: http://PortalExternal.xman.com.

10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.
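As an added example that is not part of the original post, Step 1 can also be done from the SharePoint 2010 Management Shell with the New-SPAlternateURL and Get-SPAlternateURL cmdlets, using the public and internal URLs from the steps above. The web application URL and the choice of the Internet zone are assumptions for this lab.

```powershell
# Added example (not from the original post): create the public and internal alternate
# access mappings for the zone the UAG trunk uses, then verify them.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl   = 'http://sp2010:80'                  # ASSUMPTION: the SharePoint web application
$PublicUrl   = 'https://Portal.xman.com'           # public host name entered on the UAG trunk
$InternalUrl = 'http://PortalExternal.xman.com'    # farm host name (replaced host header) on the trunk
$Zone        = 'Internet'                          # a zone not yet defined for this web application

function Set-UagAlternateAccessMapping {
    param([string]$WebApp, [string]$Public, [string]$Internal, [string]$ZoneName)
    $existing = @(Get-SPAlternateURL -WebApplication $WebApp | ForEach-Object { $_.IncomingUrl.TrimEnd('/') })
    # Steps 5-7: the public URL of the zone; protocol must match the trunk type (HTTPS here).
    if ($existing -notcontains $Public.TrimEnd('/')) {
        New-SPAlternateURL -WebApplication $WebApp -Url $Public -Zone $ZoneName | Out-Null
    }
    # Steps 8-10: the internal URL in the same zone, matching the UAG farm host name.
    if ($existing -notcontains $Internal.TrimEnd('/')) {
        New-SPAlternateURL -WebApplication $WebApp -Url $Internal -Zone $ZoneName -Internal | Out-Null
    }
}

function Test-UagAlternateAccessMapping {
    param([string]$WebApp, [string]$Public, [string]$Internal, [string]$ZoneName)
    $maps = Get-SPAlternateURL -WebApplication $WebApp -Zone $ZoneName
    $pub  = $maps | Where-Object { $_.IncomingUrl.TrimEnd('/') -eq $Public.TrimEnd('/') }
    $int  = $maps | Where-Object { $_.IncomingUrl.TrimEnd('/') -eq $Internal.TrimEnd('/') }
    # Both incoming URLs must exist in the zone, and the internal one must map to the public URL.
    return [bool]($pub -and $int -and ($int.PublicUrl.TrimEnd('/') -eq $Public.TrimEnd('/')))
}

Set-UagAlternateAccessMapping $WebAppUrl $PublicUrl $InternalUrl $Zone
Get-SPAlternateURL -WebApplication $WebAppUrl | Format-Table Zone, IncomingUrl, PublicUrl -AutoSize
if (Test-UagAlternateAccessMapping $WebAppUrl $PublicUrl $InternalUrl $Zone) {
    Write-Host "Alternate access mappings for zone '$Zone' are in place."
} else {
    Write-Warning "Alternate access mappings for zone '$Zone' do not match the UAG trunk settings."
}
```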

Step2: Create a New trunk

Right-click HTTPS Application, click New Trunk, select Portal Trunk, and then click Next.

Type SharePoint 2010 as the Trunk Name, type the FQDN of SharePoint, type the IP address of the external NIC, and then click Next.

On the Authentication page, click Add, select the DC, and then click Next.

Select the SharePoint.xman.com.au certificate from the drop-down list, and then click Next. Don't worry about the certificate in the screenshot; this is a test environment.

Select Use Forefront UAG Access Policies, and then click Next.

Select Default and click Next.

Click Finish.

Step3: Add SharePoint web applications to the trunk

In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.

In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Microsoft Office SharePoint Server 2013, Microsoft SharePoint Server 2010, or Microsoft Office SharePoint Server 2007.


On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.


On the Web Servers page, do the following:

In the Addresses box, enter the internal host name of the server running SharePoint Products and Technologies. If your SharePoint server is load balanced, use the load-balanced URL instead of a server name. Make sure that you enter a fully qualified domain name.

In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.

In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.

In the Public host name box, enter a public host name of your choice for the SharePoint web application.

Select the Replace host header with the following check box, and in the Farm host name box, enter a URL of your choice that will be used to differentiate the internal host name of the application from its public host name. Make sure that the URL includes the domain in which the trunk resides (the domain of the trunk appears on the Web Servers tab, to the right of the Public host name box). For example, if the public host name of the application is HRPortal and the trunk resides in the domain xman.com, enter the following replacement host header: HRPortalExternal.xman.com.


On the Authentication page, do the following:

To allow rich client applications, such as Microsoft Word or Microsoft Excel, to authenticate directly to the SharePoint application without authenticating to the portal, select the Allow rich clients to bypass trunk authentication check box.

To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.


On the Portal Link page of the wizard, if required, configure the portal link for the application.

If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.


When you have completed the wizard, click Finish.

The Add Application Wizard closes, and the application that you defined appears in the Applications list.


On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.

Step4: Configure Mobile devices Access for SharePoint

When end users access a SharePoint 2010 site from a mobile device using the Office Mobile client, to allow the device to download documents from a SharePoint site, you must make the following URL set changes:

1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.

2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.

3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.

4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.

5. When end users open an Excel file on a SharePoint site from their mobile device, the file opens correctly. If they then go to a different SharePoint site, the first time they try to open an Excel file it may not open as expected; end users must click the file again to open it.

Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step


When you create a Forefront Unified Access Gateway (UAG) HTTPS portal trunk, only HTTPS requests that arrive at the Forefront UAG are handled by the trunk. This topic describes how to create a redirect trunk to automatically redirect HTTP requests made by remote endpoints to the HTTPS trunk.

| Web Sites | Inbound Requested Port | Request Redirected To |
| --- | --- | --- |
| RDS.xman.com.au | 80 | 443 |
| ftp.xman.com.au | 80 | 443 |
| webmail.xman.com.au | 80 | 443 |
| sharepoint.xman.com.au | 80 | 443 |

Step1: Before you create a redirect trunk, note the following:

1. Make sure that you have already created the HTTPS trunk to which you want to redirect HTTP requests.

2. Make sure you define all the parameters of the HTTPS Connections trunk before you create the redirect trunk, including the definitions you make in the Forefront UAG Management console after completing the New Trunk Wizard. If at a later stage you change the IP address or port number of the HTTPS Connections trunk, do one of the following:

  • Update the IP address or port number manually in the relevant redirect trunk.
  • Delete the existing redirect trunk and create a new one.

3. Redirect trunks are not monitored by the Forefront UAG Web Monitor.

4. Sessions in redirect trunks are not calculated in the session count of Forefront UAG. When an HTTP session is redirected to HTTPS via a redirect trunk, it is only counted as one HTTPS session.

Step2: Create a redirect trunk

1. In the Forefront UAG Management console, in the left navigation tree, right-click HTTP Connections, and then select New Trunk.

2. In the Create Trunk Wizard, select HTTP to HTTPS redirection, and then click Next.

3. All HTTPS trunks for which no redirect trunk exists are listed.

4. Select the HTTPS trunk to which you want to redirect HTTP requests, and then click Finish.

5. A new trunk with the same name as the HTTPS trunk you selected is created in the left navigation tree.

6. HTTP requests that arrive at the external Web site that is defined for this trunk are redirected to the HTTPS trunk you selected in the wizard.
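As an added check that is not part of the original post, the following PowerShell, run from a client after the redirect trunk is activated, sends a plain HTTP request to each of the four published host names in the table above and verifies that the answer is a 3xx redirect whose Location points at the HTTPS site rather than a page served over HTTP.

```powershell
# Added example (not from the original post): confirm that port 80 requests to each
# published site are redirected to HTTPS by the redirect trunk.
$Sites = @('RDS.xman.com.au', 'ftp.xman.com.au', 'webmail.xman.com.au', 'sharepoint.xman.com.au')

function Get-HttpRedirect {
    param([string]$HostName)
    $req = [System.Net.WebRequest]::Create("http://$HostName/")
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false     # we want to inspect the 3xx itself, not follow it
    $req.Timeout = 10000
    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx arrive as an exception; keep the response so the status is still reported
        $resp = $_.Exception.Response
        if (-not $resp) { return @{ Host = $HostName; Status = 'no response'; Location = ''; Ok = $false } }
    }
    try {
        $status   = [int]$resp.StatusCode
        $location = [string]$resp.Headers['Location']
        $ok = ($status -ge 300 -and $status -lt 400) -and
              $location.StartsWith("https://$HostName", [System.StringComparison]::OrdinalIgnoreCase)
        return @{ Host = $HostName; Status = $status; Location = $location; Ok = $ok }
    } finally { $resp.Close() }
}

foreach ($site in $Sites) {
    $r = Get-HttpRedirect $site
    $verdict = if ($r.Ok) { 'OK' } else { 'CHECK' }
    Write-Host ('{0,-26} {1,-12} {2,-40} {3}' -f $r.Host, $r.Status, $r.Location, $verdict)
}
```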

Publish Exchange Server 2010 using Forefront UAG 2010 Step by Step


Step1: Configure Exchange to use basic authentication

1. Start the Exchange Management Console.

2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.

3. Select your Client Access server, and then on the Outlook Web Access (or Outlook Web App) tab, select owa (Default Web Site).

4. In the Actions pane, under owa (Default Web Site), click Properties.

5. On the Authentication tab, click Use one or more of the following standard authentication methods, make sure that only the Basic authentication (password is sent in clear text) check box is selected, and then click OK.
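As an added example that is not part of the original post, Step 1 can be applied and verified from the Exchange 2010 Management Shell with Set-OwaVirtualDirectory and Get-OwaVirtualDirectory, leaving Basic as the only authentication method on the owa (Default Web Site) virtual directory. The Client Access server name is a placeholder for this lab.

```powershell
# Added example (not from the original post): leave only Basic authentication enabled on
# the OWA virtual directory, as Step 1 does in the Exchange Management Console.
$Cas     = 'DC1TVEXCH01'                          # PLACEHOLDER: Client Access server name
$OwaVdir = "$Cas\owa (Default Web Site)"

function Set-OwaBasicAuthOnly {
    param([string]$Identity)
    # Forms, Windows and Digest are switched off; the user-facing logon is handled by UAG.
    Set-OwaVirtualDirectory -Identity $Identity -BasicAuthentication $true `
        -FormsAuthentication $false -WindowsAuthentication $false -DigestAuthentication $false
}

function Test-OwaBasicAuthOnly {
    param([string]$Identity)
    $v = Get-OwaVirtualDirectory -Identity $Identity
    return [bool]($v.BasicAuthentication -and -not $v.FormsAuthentication -and
                  -not $v.WindowsAuthentication -and -not $v.DigestAuthentication)
}

Set-OwaBasicAuthOnly $OwaVdir
Get-OwaVirtualDirectory -Identity $OwaVdir |
    Format-List BasicAuthentication, FormsAuthentication, WindowsAuthentication, DigestAuthentication
if (Test-OwaBasicAuthOnly $OwaVdir) { Write-Host "$OwaVdir : Basic authentication only" }
else { Write-Warning "$OwaVdir still has another authentication method enabled" }
```

Exchange 2010 requires the ECP virtual directory to use the same authentication methods as OWA (apply the same switches with Set-EcpVirtualDirectory), and IIS picks the change up after an iisreset on the Client Access server.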

Step2: Publish Outlook Web Access on a Forefront UAG portal

Right-click HTTPS Connections, click New Trunk, and then click Next.

Select Portal Trunk and Publish Exchange Applications via the portal, and then click Next.

Type the name of the trunk and the public host name, i.e. the FQDN of webmail, and then click Next.

On the Authentication page, click Add, type the name of the domain controller, and then click OK.

Type the service account that UAG will use to talk to the DC, and then click OK.

Select the DC and click Select. Leave the rest of the settings as they are, and then click Next.

Select the certificate issued by the public certificate authority, exported from the mail server and imported to the UAG server, and then click Next. Don't worry about the certificate in the screenshot; this is a test environment.

Select Use Forefront UAG Access Policies, and then click Next. Don't worry about the certificate shown in the screenshot above; this is a test environment. In a production environment, the common name of the certificate will be webmail.xman.com.au.

Select Default and click Next.

Select OWA, Anywhere and ActiveSync, select the Exchange version from the drop-down menu, and then click Next.

Type the name of the application, and then click Next.

Select the default and click Next.

On the Deploying an Application page of the wizard, choose whether to publish a single Exchange Client Access server or a farm of load-balanced Exchange Client Access servers.

Click Configure an application server, and then click Next.

On the Web Servers page of the wizard:

In the Addresses list, enter the IP address or host name of the Client Access server.

In the Public host name box, enter the public host name for this application. The public host name must match the FQDN in the certificate. The public host name can be the same as the public host name of the trunk, if required.


On the Authentication page of the wizard, select an authentication server to authenticate users to the application, and click 401 request.


On the Outlook Anywhere page, select Basic authentication, and then click Next.

On the Portal Link page of the wizard, configure the portal link for the application.

If you are publishing Exchange 2013 or Exchange 2010 and OWA is not the initial portal application, make sure that the Open in a new window check box is selected.


On the Authorization page of the wizard, select which users are authorized to access this application.


On the Completing the Add Application Wizard page of the wizard, click Finish.


Once configured, you will see the following screen.


If you want to define the Outlook Web Access application as the portal home page, in the Forefront UAG Management console, in the Initial application list, click the application that you added in this procedure.

To apply the Outlook Web Access look and feel to the Forefront UAG user interaction pages, in the Forefront UAG Management console, next to Configure trunk settings, click Configure, click the Authentication tab, and then select the Apply an Outlook Web Access look and feel check box. Confirm the changes to the logon settings, and then click OK.

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

Publishing Remote Desktop Services Using Forefront UAG 2010 Step by Step


The following procedures describe how to export RemoteApp settings from RDS, and then publish RemoteApps and import the RemoteApp settings, via Forefront Unified Access Gateway (UAG).

Step1: Exporting RemoteApp settings from RDS

Before you can publish RemoteApp applications, you must export RemoteApp settings from RDS.

1. On the RD Session Host server, click Start, click Administrative Tools, click Remote Desktop Services, and then click RemoteApp Manager.

2. Ensure that the RemoteApp Programs list contains the programs that you want to provide to end users.

3. In the Actions pane, click Export RemoteApp Settings.

4. Click Export the RemoteApp Programs list and settings to a file, and then click OK.

5. Specify a location to save the .tspub file, and then click Save.

Step2: Publishing RemoteApps and importing RemoteApp settings

This procedure describes how to publish RemoteApps via Forefront UAG, and import RemoteApp settings during the publishing process.

1. In the Forefront UAG Management console, select the portal in which you want to publish RemoteApp applications. In the Applications area of the main portal properties page, click Add. The Add Application Wizard opens.

2. On the Select Application page of the wizard, select Terminal Services (TS)/Remote Desktop Services (RDS). In the list, select RemoteApp.

3. On the Configure Application page of the wizard, enter a name for the RemoteApp application.

4. On the Select Endpoint Policies page of the wizard, do the following:

5. In Access policy, select a Forefront UAG policy with which endpoints must comply in order to access the published RemoteApps in the portal. In Printers, Clipboard, and Drives, select access policies with which endpoints must comply in order to access these local resources during remote desktop sessions.

6. To enable single sign-on for the session, select the Use RDS Single Sign-On (SSO) Services check box.

7. If the trunk through which you are publishing the RemoteApp applications uses Network Access Protection (NAP) policies, and you have a Network Policy Server (NPS) configured, do the following:

8. Select Require Network Access Protection (NAP) compliance, to specify that only endpoints that comply with NAP policy can access published RemoteApps.

9. Select Require NAP compliance for RDS device redirection only, to specify that only endpoints that comply with NAP policy can access devices and resources on RDS servers, such as drives, printers, and the clipboard. Access to other resources and applications on RDS servers does not require NAP compliance.

10. Select Do not require NAP compliance, if you do not require clients to use NAP to access the published RemoteApps.

11. On the Import RemoteApp Programs page of the wizard, do the following:

12. In File to import, specify the location of the exported .tspub file, or click Browse to locate the file.

13. In RD Session Host or RD Connection Broker, specify the name of an RD Session Host (if different from that specified in the imported settings file), or the name of the RD Connection Broker server.

14. If you are using an RD Connection Broker server, in IP addresses, IP address ranges, FQDNs, or subnets, add the names of all RD Session Hosts that might be used by the RD Connection Broker. To specify multiple servers, use an IP address range or subnet.

15. On the Select Publishing Type page of the wizard, in the Available RemoteApps list, double-click each RemoteApp that you want to publish via Forefront UAG, to add it to the Published RemoteApps list. The list of available RemoteApps is retrieved from the imported .tspub file.

16. On the Configure Client Settings page of the wizard, specify how RemoteApps should be displayed. You can set a display resolution and color, or select to use display settings retrieved from the imported .tspub file.

17. Complete the Add Application Wizard.

Install and Configure Forefront UAG 2010 Step by Step


Forefront UAG Overview:

Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computers and mobile devices. UAG provides many benefits; the following is an extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

  • Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
  • Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
  • Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
  • Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
  • Easily integrates with Active Directory and enables a variety of strong authentication methods.
  • Limits exposure and prevents data leakage to unmanaged endpoints.

Assumptions:

The following servers are installed and configured in a test environment.

Systems Requirements:

| Option | Description |
| --- | --- |
| Virtual Machine Name | DC1TVUAG01 |
| Memory | 8GB |
| vCPU | 1 |
| Hard Disk 1 | 50GB |
| Hard Disk 2 | 50GB |
| Network Adapter | 2 |
| Guest Operating System | Windows Server 2008 R2 |
| Service Pack Level | SP1 |

Software Requirement:

| Option | Description |
| --- | --- |
| Version | Microsoft Forefront Unified Access Gateway 2010 |
| Service Pack Level | SP3 |

Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:

  • Microsoft .NET Framework 3.5 SP1
  • Windows Web Services API
  • Windows Update
  • Microsoft Windows Installer 4.5
  • SQL Server Express 2005
  • Forefront TMG is installed as a firewall during Forefront UAG setup
  • The Windows Server 2008 R2 DirectAccess component is automatically installed.

The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.

  • Network Policy Server
  • Routing and Remote Access Services
  • Active Directory Lightweight Directory Services Tools
  • Message Queuing Services
  • Web Server (IIS) Tools
  • Network Load Balancing Tools
  • Windows PowerShell

Supported Browser Clients:

| Browser | Features |
| --- | --- |
| Firefox | Endpoint Session Cleanup, Endpoint detection, SSL Application Tunneling, Endpoint Quarantine Enforcement |
| Internet Explorer | Endpoint Session Cleanup, Endpoint detection, SSL Application Tunneling, Socket Forwarding, SSL Network Tunneling (Network Connector), Endpoint Quarantine Enforcement |

Supported Mobile Devices:

| Device Name | Features |
| --- | --- |
| Windows Phone | Premium mobile portal |
| iOS: 4.x and 5.x on iPhone and iPad | Premium mobile portal |
| Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0 | Premium mobile portal |

Service Account for Active Directory Authentication:

| Service Account | Privileges | Password |
| --- | --- | --- |
| xmanSA-FUAG | Domain Users | Password set to never expire |

Domain Joined Forefront UAG:

The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.

  • Add the server to an array of Forefront UAG servers at a later date.
  • Configure the server as a Forefront UAG DirectAccess server at a later date.
  • Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
  • Publish the File Access application via a Forefront UAG trunk.
  • Provide remote clients with access to the internal corporate network using SSTP.

Antivirus Exclusion:

Version: Forefront UAG 2010

Paths: the UAG installation folder (may be changed during installation), %ProgramFiles%\Microsoft Forefront Unified Access Gateway

Processes:

| Service | Process |
| --- | --- |
| Forefront UAG DNS-ALG Service | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe |
| Forefront UAG Monitoring Manager | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe |
| Forefront UAG Session Manager | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe |
| Forefront UAG File Sharing | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe |
| Forefront UAG Quarantine Enforcement Server | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagqessvc.exe |
| Forefront UAG Terminal Services RDP Data | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagrdpsvc.exe |
| Forefront UAG User Manager | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\UserMgrCom.exe |
| Forefront UAG Watch Dog Service | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\WatchDogSrv.exe |
| Forefront UAG Log Server | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlerrsrv.exe |
| Forefront UAG SSL Network Tunneling Server | %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlios.exe |

Forefront UAG Placement:

The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

There are advantages to placing the Forefront UAG server between a frontend and a backend firewall, as follows:

  • Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
  • Integrity of the content in the corporate network is retained.
  • Securely publish backend applications and access infrastructure servers, such as authentication servers, as required.
  • Hide corporate network infrastructure from perimeter and external threat.

Scenario#1


Perimeter Port Requirement:

To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:

  • HTTP traffic (port 80)
  • HTTPS traffic (port 443)
  • FTP Traffic (Port 21)
  • RDP Traffic (Port 3389)

Backend Port Requirement

Since the XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purposes:

Infrastructure server | Protocol | Port | Direction
Domain controller | Microsoft-DS traffic | TCP 445, UDP 445 | From UAG to DC
Domain controller | Kerberos authentication | TCP 88, UDP 88 | From UAG to DC
Domain controller | LDAP | TCP 389, UDP 389 | From UAG to DC
Domain controller | LDAPS | TCP 636, UDP 636 | From UAG to DC
Domain controller | LDAP to GC | TCP 3268, UDP 3268 | From UAG to DC
Domain controller | LDAPS to GC | TCP 3269, UDP 3269 | From UAG to DC
Domain controller | DNS | TCP 53, UDP 53 | From UAG to DC
Exchange, SharePoint, RDS | HTTPS | TCP 443 | From external to internal server
FTP | FTP | TCP 21 | From external to internal server

Scenario#2

In this scenario no NAT or internal firewall rules are needed, but it is not a best practice and not a sound firewall design.

UAG Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated UAG network name. The following binding order will be maintained within the Windows operating system:

  • First in order: UAG internal adapter connected to the trusted network.
  • Second in order: UAG external adapter connected to the untrusted network.

The following is the network configuration for the UAG server.

Option | IP Address | Subnet | Default Gateway | DNS
Internal Network | 10.10.10.2 | 255.255.255.0 | Not required | 10.10.10.1
External Network | 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5 | 255.255.255.0 | 192.168.1.254 | Not required

Important! The External Network can be assigned a public IP if the UAG server isn't placed behind a frontend router/firewall. In an edge configuration the UAG external network is configured with a public IP and the internal network is assigned an IP address from the internal IP range.

Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment. Extract from Recommended Network Adapter Configuration for Forefront UAG Servers

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:

  • UAG adapter connected to the trusted network: Internal Network
  • UAG adapter connected to the untrusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the TMG internal adapter is left at the default settings of Enabled on the TMG Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a Forefront UAG array.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

Configuration Step 4 – Run the UAG Network Interfaces Wizard:

You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.

Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.
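The adapter checklist in Steps 1 to 3, scripted as an added example (not from the original post or from Microsoft's guidance). It uses netsh and WMI, which exist on Windows Server 2008 R2, the platform Forefront UAG 2010 runs on; the addresses come from the network configuration table above, while the original NIC names ("Local Area Connection", "Local Area Connection 2") and the routed 10.10.12.0/24 subnet behind the internal router are assumptions for illustration.

```powershell
# Added example, not part of the original post. Assumed original adapter names:
$InternalOld = 'Local Area Connection'
$ExternalOld = 'Local Area Connection 2'
$Internal    = 'Internal Network'
$External    = 'External Network'

# Step 1: rename adapters so the OS names match the UAG wizard roles.
netsh interface set interface name="$InternalOld" newname="$Internal"
netsh interface set interface name="$ExternalOld" newname="$External"

# Step 2 (internal): static address, NO default gateway, DNS pointing at the DC,
# and register this connection's address in DNS.
netsh interface ipv4 set address name="$Internal" source=static address=10.10.10.2 mask=255.255.255.0
netsh interface ipv4 set dnsservers name="$Internal" source=static address=10.10.10.1 register=primary

# Step 2 (external): the five published addresses, the only default gateway, NO DNS servers,
# and no DNS registration.
netsh interface ipv4 set address name="$External" source=static address=192.168.1.1 mask=255.255.255.0 gateway=192.168.1.254 gwmetric=1
foreach ($ip in '192.168.1.2', '192.168.1.3', '192.168.1.4', '192.168.1.5') {
    netsh interface ipv4 add address name="$External" address=$ip mask=255.255.255.0
}
netsh interface ipv4 set dnsservers name="$External" source=static address=none register=none

# NetBIOS over TCP/IP: default (0) on the internal adapter, disabled (2) on the external one.
# Dynamic DNS registration: on for internal, off for external.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $nics) {
    $name = (Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($nic.Index)").NetConnectionID
    if ($name -eq $Internal) {
        $nic.SetTcpipNetbios(0) | Out-Null
        $nic.SetDynamicDNSRegistration($true) | Out-Null
    } elseif ($name -eq $External) {
        $nic.SetTcpipNetbios(2) | Out-Null
        $nic.SetDynamicDNSRegistration($false) | Out-Null
    }
}

# LMHOSTS lookup is a system-wide NetBT setting; the checklist disables it on both adapters.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name EnableLMHOSTS -Value 0

# The Client for Microsoft Networks and File and Print Sharing bindings, and the Step 3
# bind order, are not exposed through netsh: set them in the adapter properties and
# Advanced Settings dialogs as described above.

# Step 3 follow-up: with the single default gateway on the external adapter, every
# internal subnet behind a router needs a persistent static route via the internal adapter.
netsh interface ipv4 add route prefix=10.10.12.0/24 interface="$Internal" nexthop=10.10.10.1 store=persistent

# Verify: the internal adapter shows no gateway, and only one default route (via external) exists.
netsh interface ipv4 show config name="$Internal"
netsh interface ipv4 show route | Select-String '0.0.0.0/0'
```

After adding routes, re-run the UAG Network Interfaces wizard so the new address ranges are added to the internal network definition, as the note above requires.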

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:

Purpose Public Host Name Public IP Address
Exchange webmail.xman.com.au 203.17.x.x
SharePoint sharepoint.xman.com.au 203.17.x.x
RDS remote.xman.com.au 203.17.x.x
FTP ftp.xman.com.au 203.17.x.x

Scenario#1 Firewall Rules consideration

External NAT Rules

The following NAT rules will be added into perimeter network to publish application and services through Forefront UAG.

Rule(s) | Description | Source IP | Public IP Address (Destination IP Address) | Port | NAT Destination
1 | Exchange | Any | 203.17.x.x | 443 | 192.168.1.2
2 | SharePoint | Any | 203.17.x.x | 443 | 192.168.1.3
4 | RDS | Any | 203.17.x.x | 443 | 192.168.1.4
5 | FTP | Any | 203.17.x.x | 21 | 192.168.1.5

Internal Firewall Rules

The following firewall rules will be added into internal network firewall to allow communication from UAG server to application servers and domain controller:

Rule(s) | Description | Source IP | Port (TCP & UDP) | Destination
1 | Exchange | 10.10.10.2 | TCP 443 | 10.10.10.3
2 | SharePoint | 10.10.10.2 | TCP 443 | 10.10.10.4
4 | RDS | 10.10.10.2 | TCP 443 | 10.10.10.5
5 | FTP | 10.10.10.2 | TCP 21 | 10.10.10.6
6 | Client | 10.10.12.0/24 | TCP 443, TCP 21 | 10.10.10.2
7 | Domain Controller | 10.10.10.2 | 445, 88, 53, 389, 636, 3268, 3296 | 10.10.10.1
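A connectivity check for the backend flows in the port table of Scenario#1 and the internal firewall rules above, as an added example (not from the original post). It is run on the UAG server (10.10.10.2) against the DC and application server addresses from the tables, using the TCP ports listed in the backend port table; it uses .NET sockets rather than Test-NetConnection so it works on Windows Server 2008 R2 PowerShell 2.0, and the 2-second timeout is an assumption.

```powershell
# Added example, not part of the original post. TCP connect probe with a timeout;
# a refused or timed-out connection means the flow is blocked somewhere on the path.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Backend flows from the tables (TCP only; the UDP ports 53/88/389/445 cannot be
# probed with a plain connect and need a DNS or Kerberos request instead).
$checks = @(
    @{ Name = 'DC Microsoft-DS';  Target = '10.10.10.1'; Port = 445  },
    @{ Name = 'DC Kerberos';      Target = '10.10.10.1'; Port = 88   },
    @{ Name = 'DC LDAP';          Target = '10.10.10.1'; Port = 389  },
    @{ Name = 'DC LDAPS';         Target = '10.10.10.1'; Port = 636  },
    @{ Name = 'DC LDAP to GC';    Target = '10.10.10.1'; Port = 3268 },
    @{ Name = 'DC LDAPS to GC';   Target = '10.10.10.1'; Port = 3269 },
    @{ Name = 'DC DNS';           Target = '10.10.10.1'; Port = 53   },
    @{ Name = 'Exchange HTTPS';   Target = '10.10.10.3'; Port = 443  },
    @{ Name = 'SharePoint HTTPS'; Target = '10.10.10.4'; Port = 443  },
    @{ Name = 'RDS HTTPS';        Target = '10.10.10.5'; Port = 443  },
    @{ Name = 'FTP control';      Target = '10.10.10.6'; Port = 21   }
)

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Check  = $c.Name
        Target = "$($c.Target):$($c.Port)"
        Open   = Test-TcpPort -Target $c.Target -Port $c.Port
    }
}
$results | Format-Table Check, Target, Open -AutoSize

# A closed port here points at a missing internal firewall rule (rules 1 to 5 and 7)
# or a missing static route from the UAG internal adapter to that subnet.
$failed = @($results | Where-Object { -not $_.Open })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) backend flow(s) blocked" }
```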

Understanding Certificates requirements:

Forefront UAG supports wildcard certificates at the domain level and sub-domain level; wildcard certificates in the form *.xman.com.au are supported. Alternatively, a SAN certificate can list the required host names. Certificates must be in .pfx format, with the private key included in the file.

Launch Certificate Manager

1. Open the Certificate Manager Microsoft Management Console (MMC). Using Certificate Manager, you can import a certificate into the IIS certificate store as follows:

2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.

3. Follow the instructions in the Certificate Import Wizard.

Common Name | Subject Alternative Name | Certificate Issuer
RDS.xman.com.au | - | Verisign/Digicert
webmail.xman.com.au | autodiscover.xman.com.au | Verisign/Digicert
ftp.xman.com.au | - | Verisign/Digicert
sharepoint.xman.com.au | - | Verisign/Digicert
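A pre-import check for the .pfx requirements described above, as an added example (not from the original post): it confirms the file carries its private key and that the CN or SAN entries cover the public host names from the certificate table, treating a *.xman.com.au wildcard as matching one sub-domain label. The file path and password are placeholders.

```powershell
# Added example, not part of the original post.
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17); Format($false) renders
    # it on Windows as "DNS Name=a, DNS Name=b".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\r\n]+)')) {
            $names += $m.Groups[1].Value.Trim()
        }
    }
    return $names | Select-Object -Unique
}

function Test-HostCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }          # -eq is case-insensitive
        if ($n.StartsWith('*.')) {
            # A wildcard covers exactly one left-most label (sub-domain level).
            $suffix = $n.Substring(1)                       # e.g. ".xman.com.au"
            if ($HostName.Length -le $suffix.Length) { continue }
            $rest = $HostName.Substring(0, $HostName.Length - $suffix.Length)
            if ($HostName.EndsWith($suffix) -and $rest -notmatch '\.') { return $true }
        }
    }
    return $false
}

$PfxPath  = 'C:\certs\webmail.pfx'        # placeholder path
$Password = 'PLACEHOLDER_PFX_PASSWORD'      # placeholder; prompt with Read-Host in practice
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)

# Public host names the Exchange trunk must serve, from the certificate table above.
$required  = 'webmail.xman.com.au', 'autodiscover.xman.com.au'
$certNames = Get-CertDnsNames -Cert $cert

"Subject            : $($cert.Subject)"
"Private key present: $($cert.HasPrivateKey)"
"Valid until        : $($cert.NotAfter)"
foreach ($h in $required) {
    $ok = Test-HostCovered -HostName $h -CertNames $certNames
    "{0,-28} {1}" -f $h, $(if ($ok) { 'covered' } else { 'NOT covered' })
}
if (-not $cert.HasPrivateKey) { Write-Warning 'PFX has no private key; UAG requires it' }
```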

Understanding Properties of Trunk

  • Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
  • Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
  • IP address: Specify the external IP address used to reach the published Web application or portal.
  • Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
  • HTTP/HTTPS port: Specify the port for the external Web site.

UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following table lists the trunks, followed by their advanced configuration.

Trunk Name Public Host Name HTTPS Port External IP Address Authentication Server(s)
Exchange webmail.xman.com.au 443 192.168.1.2 DC1TVDC01
SharePoint sharepoint.xman.com.au 433 192.168.1.3 DC1TVDC01
RDS remote.xman.com.au 443 192.168.1.4 DC1TVDC01
FTP ftp.xman.com.au 21 192.168.1.5 DC1TVDC01

Advanced Trunk Configuration for SharePoint: The following changes should be made in advanced trunk configuration to allow mobile devices to communicate with UAG server for rich application:

URL List Methods Allow Rich Content
InternalSite_Rule54 HEAD Checked
SharePoint14AAM_Rule47 HEAD Checked

Published Applications and Services:

Install Forefront UAG:

Insert the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to a Hyper-V server as media, and run Setup from the Forefront UAG folder.

Ensure that the Network List Service (Netprofm) and the Network Location Awareness (NlaSvc) services are running, before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.

On the Welcome page of Setup, do the following:

Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.

Restart the Server.

Initial Configuration Using Getting Started Wizard

Before you run the initial configuration, you must patch UAG in the order described in this article. To patch UAG, open a command prompt using Run as Administrator, go to the location where you saved the service packs and patches, and run them one by one. Note that if you do not run the setup as an administrator, setup will roll back and fail because it cannot modify the registry.

In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

On the Define Network Adapter Settings page, in the Adapter name list, do the following:

To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the external network adapter. You can add, edit, or remove ranges, as required. Note that it is not recommended to configure DNS on the external adapter.

To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.

After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:

If you are running Forefront UAG on a single server, click Single server.

If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.

After running the Network Configuration Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Update. Note that an Internet connection is required both to opt in for updates and to receive them. Forefront UAG updates will only be available after the RTM release.

If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, click No, I do not want to participate if you do not want to participate in the program.

Configure Remote Desktop (RDP) to Forefront UAG

After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:

Ensure that remote desktop is enabled on the Forefront UAG server.

Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.

To do this, open the Forefront TMG Management console from the Start menu.

1. In the console tree, click the Firewall Policy node. Right-click, click New, click Access Policy, and type the name: RDP Access Policy.

2. On the Rule Action page, click Allow, then click Next.

3. On the Selected Protocols page, click Add, select RDP Server from All Protocols, then click Next.

4. On the Source page, click New, click Computer, add the name and IP address of the management computer, then click Next.

5. On the Destination page, click New, click Computer, add the name and IP address of the UAG server, click Next, click Finish, and apply the changes.

Publish Exchange Server 2010 using Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Step 1: Configure Exchange to use basic authentication

1. Start the Exchange Management Console.

2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.

3. Select your Client Access server, and then on the Outlook Web Access (or Outlook Web App) tab, select owa (Default Web Site).

4. In the Actions pane, under owa (Default Web Site), click Properties.

5. On the Authentication tab, click Use one or more of the following standard authentication methods, make sure that only the Basic authentication (password is sent in clear text) check box is selected, and then click OK.

Step 2: Publish Outlook Web Access on a Forefront UAG portal

Right Click on HTTPS Connections, Click New Trunk, Click Next

Select Portal Trunk and Publish Exchange Applications via portal, Click Next

Type the name of the trunk, type the name of the public host name i.e. FQDN of webmail. Click Next

Click Add on the Authentication page, Type the name of the domain Controller, Click Ok.

Type the service account which will talk to DC from UAG, Click Ok

Select the DC, click Select. Leave the rest of the settings as they are. Click Next.

Select the certificate issued by the public certificate authority, exported from the mail server and imported to the UAG server. Click Next. Don't worry about the certificate screen shot; this is a test environment.

Select Use Forefront UAG Access Policies, click Next. Don't worry about the certificate shown in the above screen shot; this is a test environment. In a production environment, the common name of the certificate will be webmail.xman.com.au.

Select Default and Click next

Select OWA, Anywhere and ActiveSync, Select Exchange version from drop down menu, Click Next

Type the name of the application, Click next

Select default and click next

On the Deploying an Application page of the wizard, choose whether to publish a single Exchange Client Access server or a farm of load-balanced Exchange Client Access servers.

Click Configure an application server, Click Next

On the Web Servers page of the wizard:

In the Addresses list, enter the IP address or host name of the Client Access server.

In the Public host name box, enter the public host name for this application. The public host name must match the FQDN in the certificate. The public host name can be the same as the public host name of the trunk, if required.

On the Authentication page of the wizard, select an authentication server to authenticate users to the application, and click 401 request.

On the Outlook Anywhere page, select Basic authentication, then click Next.

On the Portal Link page of the wizard, configure the portal link for the application.

If you are publishing Exchange 2013 or Exchange 2010 and OWA is not the initial portal application, make sure that the Open in a new window check box is selected.

On the Authorization page of the wizard, select which users are authorized to access this application.

On the Completing the Add Application Wizard page of the wizard, click Finish.

Once configured, you will see the following screen.

If you want to define the Outlook Web Access application as the portal home page, in the Forefront UAG Management console, in the Initial application list, click the application that you added in this procedure.

To apply the Outlook Web Access look and feel to the Forefront UAG user interaction pages, in the Forefront UAG Management console, next to Configure trunk settings, click Configure, click the Authentication tab, and then select the Apply an Outlook Web Access look and feel check box. Confirm the changes to the logon settings, and then click OK.

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.