Experience Mobile (iPhone & Android) Browsing with Forefront UAG

If you are scratching your head how to grant access to your website for iPhone and Tablet published via Forefront UAG, there is way to achieve your goal. But before I articulate how to achieve this let’s revisit how UAG endpoint compliance works.

By default UAG checks compliance of every endpoint device. If you do now allow all endpoint devices in UAG Trunk it will be blocked due to policy violation. Since release of UAG SP3, mobile devices are identified as “Other” in UAG Endpoint Policy. “Other” includes iPhone, iPad, Android phone and tablet. Surprisingly I found that UAG also blocks Windows 8 mobile phone unless you allow it explicitly in endpoint policy.

When an endpoint device connect to Trunk portal or a published website, UAG automatically check Default Session Access  and Default Web Application Access policy.  However for FTP and similar policy UAG checks  Default Web Application Upload and  Default Web Application Download policy as well. You need to tweak little bit in the Trunk properties and application properties to make it work.

Let’s begin with Trunk properties. Log on the UAG server using administrative credential. Open UAG Management Console.

Step1: Advanced Trunk Configuration

1. Select the Trunk where you publish the application, in the Trunk Configuration area, click Configure.
2. On the Advanced Trunk Configuration dialog box, click the Endpoint Access Settings tab.
3. On the Endpoint Access Settings tab, click Edit Endpoint Policies.
4. On the Manage Policies and Expressions dialog box, click the Default Session Access policy, and then click Edit Policy.
5. On the Policy Editor dialog box, under Select platform-specific policies, in the Other drop-down list, click Always, and then click OK.
6. On the Manage Policies and Expressions dialog box, click the Default Web Application Access policy, and then click Edit Policy.
7. On the Policy Editor dialog box, under Select platform-specific policies, in the Other drop-down list, click Always, and then click OK.
8. Repeat the step 4 to step 7 on all the required policies. Example for FTP policies perform step4 to step7 for Default Web Application Upload and Default Web Application Download policies.
9. On the Manage Policies and Expressions dialog box, click Close.
10. On the Advanced Trunk Configuration dialog box, click OK.
11. Activate the configuration. Wait for activation to complete. Note that it takes  few minutes.
12. Open elevated command prompt using run as administrator option. Type iisreset and hit enter.

Step2: Allow Premium Mobile Portal

1. Select the application you published through the Trunk where you configured advanced properties in previous steps. In the Applications area, click the required application, and then click Edit.
2. On the Application Properties dialog box, click the Portal tab.
3. On the Portal tab, select the Premium mobile portal and Non-premium mobile portal check box.
4. On the Application Properties dialog box, click OK.
5. Activate the configuration. Wait for activation to complete. Note that it takes few minutes.
6. Open elevated command prompt using run as administrator option. Type iisreset and hit enter.

Step3: Test Mobile Devices

1. Browse published website in Windows Phone or iPhone
2. Open Forefront UAG Monitor, Check the Session compliance, Authentication in Active Session.
3. Check all systems logs in UAG monitor. You will see a session is connected successfully with endpoint device type, endpoint IP and GUID mentioned in the logs.

Other Articles:

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

 

How to Publish Application Specific Host Name using Pass Through Authentication in Forefront UAG 2010

To avoid being caught into the following UAG events, follow the below procedure to create a correct Trunk and an Application in UAG 2010.

UAG Events:

Warning 58 “The requested URL is not associated with any configured application.”

Warning 51 Invalid Method

“A request from source IP address x.x.x.x, user on trunk Trunk Name; Secure=1 for application failed because the method used PUT is not valid for requested URL”

Solutions:

1. Bypass Active Directory authentication to allow application specific authentication.

Open Regedit>Go to HKLMSoftwareWhaleCome-GapvonURLFilter

Create a 32 Bit DWORD named KeepClientAuthHeader and set value to 1

Also make sure FullAuthPassThru value is set to 1.

2. Public Host Name in Trunk must be different then public host name in published application. The purpose of public host name in Trunk is to create the actual trunk. This public host name in Trunk will not be accessible from external network nor internal network. Why? simple reason without public host name, you can’t create a Trunk. Public host name in application is the Real FQDN which employee/roaming users will access from external network which means public IP will resolve the name of application public host name. Since public host name in Trunk and Public host name in application are different, when you activate this trunk and application, you will receive a certificate error which says your trunk FQDN doesn’t match with your certificate. As long as your certificate CN matches with application public host name you will be fine. If you don’t want to see this error then you can add a SAN certificate which has both Trunk public host name and application public host name. In my case I don’t mind the see that certificate warning, my Trunk and application public host name are as follows:

• Trunk Public Host Name: Mobile.mydomain.com
• Application Public Host Name: mymobile.mydomain.com

3. Correct URL Set

• Name: MobilePortal_Rule1
• Action: Accept
• URL: /.*
• Parameters: Ignore
• Methods: PUT, POST, GET

Use the following steps to correctly publish mobile device, third party application implemented in IIS within a subdirectory.

Step1: Create a Separate Trunk for this Application

1. Before you begin, import certificate in UAG server. Certificate must be in .pfx format with private key. Open the Microsoft Management Console (MMC) which enables you to import a certificate into the IIS Certificate store.

1. Start Menu>Run>MMC
2. To import a certificate, in the MMC window, in the left pane, under Console Root, verify that Certificates (Local Computer) > Personal is selected.
3. From the Action menu, click All Tasks, and then click Import.
4. Follow the instructions in the Certificate Import Wizard.

2. In the Forefront UAG Management console, right-click HTTP Connections to create a trunk accessible over HTTP, or right-click HTTPS Connections to create a trunk accessible over HTTPS. Then click New Trunk.
3. On the Select Trunk Type page of the Create Trunk Wizard, click Portal trunk.
4. On the Setting the Trunk page of the Create Trunk Wizard, specify Trunk details. In my case I have the following:

i. Trunk Name: MobilePortal

ii. Public Host Name: Mobile.mydomain.com

iii. IP Address: Trunk IP (you must add additional IP address(s) in the TCP/IP properties of UAG external nic)

iv. Port: 443

5. On the Authentication page of the Create Trunk Wizard, I am going to add my domain controller but later stage I will remove the domain controller to make it application specific authentication not LDAP or AD. That means I will bypass AD authentication. For now select an authentication server that will be used to authenticate user requests for trunk sessions. Click Add to select a server, as follows:

1. In the Authentication and Authorization Servers dialog box, select a server and click Select. To add a new server to the list, click Add.
2. Select User selects from a server list to specify that during login to the trunk, users will be prompted to select an authentication server. If you configure one authentication server, users will authenticate to that server only. Select Show server names to allow users to select an authentication server from a list; otherwise, users must enter the server name. Select User provides credentials for each selected server to prompt users during login to authenticate to all the specified authentication servers. Select Use the same user name to specify that users must enter a single user name that will be used to authenticate to all specified servers.

6. On the Certificate page of the Create Trunk Wizard (HTTPS trunks only), select the server certificate that will be used to authenticate the Forefront UAG server to the remote endpoint.
7. On the Endpoint Security page of the Create Trunk Wizard, control access to trunk sessions by selecting policies that allow access, based on the health of client endpoints. Click Use Forefront UAG access policies to determine the health of endpoints using in-built Forefront UAG access policies.
8. Click Finish after completing the Trunk wizard.

Step2: Advanced Trunk Configuration

1. Click Configure Trunk. Click Endpoint Access Settings, Click Edit Endpoint Policies.

2. In this step, you will allow access of mobile phone and tablet. Microsoft UAG by default doesn’t allow mobile phone access. You need allow this access manually. Click Edit Endpoint Access Policies, Select Default Session Access, Click Edit, Click other, Select Always. Click Ok. Repeat the step for Default Privileged Endpoint, Default Web Application Access Policy, Default Web Application Upload, Default Web Application download.
3. Click Authentication Page, de-select require user to authenticate at session logon. By deselecting this option, you have created pass through authentication.

4. Click on the session tab, deselect disabled component installation and disable scripting for portal applications.

5. Click URL Set Tab, Scroll down to bottom of the page. On the mobile portal rule, select PUT, POST, GET. Click Ok. Adding PUT will resolve the following issue:

6. After completing the Create Trunk Wizard, in the Forefront UAG Management console, on the toolbar, click the Activate configuration icon on the toolbar, and then on the Activate configuration dialog box, click Activate.

Step3: Add an Application Specific Host Name for iPhone, Android and Tablet

1. In the Forefront UAG Management console, select the portal trunk to which you want to add the application. In the main trunk properties page, in the Applications area, click Add to open the Add Application Wizard.

2. On the Select Application page, Click Web, choose the application specific host name you want to publish.

3. On the Application Setup page, specify the name and type of the application.

4. On the Endpoint Security page, select the access policies for your application. Note that not all of the policies may be available for some published applications. You must verify that other device is allowed in Endpoint security. See Step11 in creating a Trunk.

5. On the Application Deployment page, specify whether you want to publish a single server or a Web farm.

6. On the Web Servers page, if you are publishing a Web application, on the Web Servers page, configure settings for the backend Web server that you want to publish. On the application requires paths, add more / as your path. This will allow any sub directories of application hosted in Microsoft IIS server. On the address, type the fully qualified domain name of the web application which will be accessible from external network.

7. On the Connectivity Verifier Settings page, if you are publishing a Web farm, specify how the state of Web farm members should be detected.

8. On the Authentication page, deselect SSO. By deselecting this option, you have created pass through authentication.

9. On the Portal Link page, specify how the application appears in the portal home page of the trunk. If you have subdirectory in IIS, specify correct URL. For example, in my case I have subdirectory like https:// mymobile.mydomain.com/mobile/ .Select premium and non-premium mobile portal.

10. Once done, Click Finish.

11. On the Trunk , On the initial application, Select Portal Home page, as MobilePortal.

Step4: Activating Trunk and Post Check.

1. On the console toolbar, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

2. This is the simple step, most of techie doesn’t do and end up being calling Microsoft Tech support. You have to do this step so that published application works. Open command prompt as an administrator, run iisreset /restart.

3. Once everything is configured correctly, you will receive the following event in UAG Web Monitor> Event Viewer

The application MobilePortal was accessed on trunk; Secure=1 with user name and session ID EDD953BD-CB79-4180-B811-F1A0F53DCB33.

Other Articles:

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010