Getting to know UAG Tom Decaluwé

Presentation transcript:

Getting to know UAG Tom Decaluwé Blog: http://trycatch.be/blogs/decaluwet/ Email: tom@decaluwe.eu

Goal of today: help you understand what UAG is; help you get started with UAG lingo; help you get started with configuring UAG. What I prepped: certs + the getting started wizard.

Today's agenda: some general thoughts on extranet / external access; what is UAG & compare with TMG; UAG architecture and internals; using UAG to make your apps available (file access, web server publishing, client/server app publishing, TS publishing, SSTP network connectivity); DirectAccess => 28/04 sessions done by John Craddock; ADFS usage => 26/04 sessions done by John Craddock; Q&A.

General thoughts on extranet

The killer sentence: the ability to access any corporate application from anywhere, in a secure, reliable and fast manner, using any device, if the business decides to do so.

Why do I need UAG in a world that is going cloud? The chance of the future being a hybrid setup (cloud + on-prem) is very big. You will still need to give your clients access to internal apps. You will need a bridge between your corpnet and the cloud nets (think of ADFS publishing).

What is UAG & compare with TMG

What is UAG => an SSL VPN secure gateway with a DirectAccess wizard. Diagram labels: Exchange, CRM, SharePoint, IIS based, IBM, SAP, Oracle; Mobile, Home / Friend / Kiosk; HTTPS / HTTP; Layer 3 VPN; Terminal / Remote Desktop Services; HTTP(S) (443 - 80); Internet; DirectAccess; Non web; Business Partners / Sub-Contractors; Strong authentication; Endpoint health detection: NAP and down-level; Authorization: based on health status, who + where; Information leakage prevention: attachment/cache wiper; AD, ADFS, RADIUS, LDAP, NPS, ILM; Employees; Managed Machines.

What is UAG & compare the edge: a unified platform for all enterprise remote access needs, with integrated and comprehensive protection from Internet-based threats.

TMG vs UAG (at the publishing level)
TMG: de-emphasised on publishing; limited to HTTP(S) publishing; limited to authentication as security; client unaware; all in one box.
UAG: the future of publishing; portal approach; HTTP(S) + client/server apps + VPN (including DA); health check and cleanup; very flexible authentication; loads of pre-built templates; very detailed reporting.

Why do you see so little UAG being used? Historical pricing => UAG used to be expensive when it was still under the Whale Communications flag and when first adopted by MS. TMG is widely adopted and works really well as it's a combo box. Commission war => integrators will make more money selling you an appliance than they will if you deploy UAG on your standard Dell/HP hardware with licenses bought through your VL agreements. Lack of skilled UAG deployers & training. Complex?! To get to know and sometimes to use, as it requires understanding of the internal apps you are publishing. Weak on creating an equal look and feel internal vs external.

UAG architecture and internals

UAG internal architecture (diagram labels): Admin Core; Management UI; SCOM MP; Tracing & Logging; Session Manager; User Manager; Config. / Array Manager; DirectAccess; Web Application Publishing; IP VPN; DirectAccess Server; Internal Site; Portal; TSG / RDG; RRAS; DTE / DoSP; SSL Tunnel; UAG Filter; Native IPv6, 6to4, Teredo, IP-HTTPS, ISATAP, DNS-ALG, NAT-PT; SSTP; Layer 3; IIS; TMG; Windows NLB; UAG Logic; Windows Server.

UAG in the core: an ISAPI extension extends the core functionality of IIS; the InternalSite virtual directory; new virtual directories per portal.

UAG buildup: Group > HTTP/HTTPS Trunk (IP + port) > Application. A trunk is a logical unit: 1 HTTP and 1 HTTPS trunk per IP, you can only bind to port 80 and 443. An application is a collection of settings and rules.

Two keywords in UAG lingo: trunk and application.
Trunk: two types of trunks (UAG cannot publish on any other ports): HTTP (TCP 80) and HTTPS (TCP 443). A trunk is like an IIS website or a TMG listener => IP + port. A redirect trunk can redirect HTTP to HTTPS, not the other way. Can be linked to the portal or directly to an application. Two options: portal trunk => homepage of UAG; ADFS trunk => SSO across the border of forests.
Application: +/- 40 templates / 5 top-level application types.
Built-in services (automatically added to the trunk): File access => NTFS shares; Web-Monitor => remote UAG management.
Web (applications): SharePoint, Exchange, ...; Other => create your own setup.
Client/server and legacy: apps that run outside of the browser; SSL VPN for specific apps; when launching an app the UAG client component loads.
Remote Network Access => full network SSL VPN.
Browser-embedded: starts in the browser and shifts to a binary; Citrix XenApp.
Terminal services and remote desktop: 5 templates.

Create an application trunk and redirect trunk

Top-level policy / endpoint policies: one of UAG's core features. Policies are a set of conditions that have to be met by the client in order to gain access. End result for blocked apps: set to grayed out or hidden. They seem complex because there are 4 situations, each with 4 platforms, and two ways to create them. Creation: GUI driven or scripted mode. Top-level policy types: access policy, upload policy, download policy, restricted zone policy. Platforms: Windows, Mac, Linux, Other.

Require domain membership for: ADFS, KCD, File Access, DirectAccess, UAG Array.

Using UAG to make your apps available: file system publishing, web server publishing, client/server app publishing, TS publishing, SSTP publishing; DirectAccess => 28/04 sessions done by John Craddock.

Why use it: not every file system has been migrated to SharePoint yet, and not all file systems will migrate to SharePoint. People want access to the corp files any time and anywhere. It ensures mobile users can upload their important files to backup-protected servers instead of keeping them on their mobile clients. Client experience: Windows XP / Windows 7. Server experience: full transparent file access or web-based file access.

Configure File Access: you will need the credentials of a user that can browse the network. Add the built-in service application > File access.

Show File Access

Things to remember (File access): the Computer Browser service must be started and requires a change in the

Using UAG to make your apps available: file system publishing, web server publishing, client/server app publishing, TS publishing, SSTP publishing; DirectAccess => 28/04 sessions done by John Craddock.

Application-specific hostname vs portal hostname.
Portal hostname application (non-AAM application): the application can only be accessed using the portal trunk's public name, so HAT is required for URL rewriting. E.g. trunk name = www.extranet.com, app name = www.extranet.com/uniquesig48cb675c4745e7d473e210fdf4f89f67. Examples: Dynamics CRM, SharePoint 2003, Exchange 2003.
Application-specific hostname application (AAM-like application): the application can be configured using its own specific public hostname, which usually differs from the trunk public name. No requirement for HAT. Requires: DNS pointing both URLs to the same UAG IP; a cert for both URLs; the DNS suffix must match, as the session cookie is shared. E.g. trunk name = www.extranet.com, app name = finance.extranet.com. Examples: OCS 2007, Forefront Identity Manager, SharePoint 2010, Exchange 2010, ...

What is URL signing? Also known as Host Address Translation (HAT). URL signing allows UAG to publish multiple servers on a single IP (host headers). It adds a URL suffix to the TL domain and incorporates link translation technology: UAG creates unique URLs for each clickable link on the page by buffering the page and adding a unique SRA string, ensuring you are always accessing the target through UAG. Supports HTML, ASP, JavaScript. E.g. https://uag.createhive.com/uniquesig48cb675c4745e7d473e210fdf4f89f67/ uniquesig0/p.asp
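To make the two publishing styles above concrete (the non-AAM app that must live under a signed prefix on the trunk name, and the AAM-like app with its own public hostname), here is an added example that is not part of the original slides and not UAG's own code. It uses a constructed signing scheme (an HMAC over the internal hostname; the real UAG algorithm is not described on the slides), constructed trunk and app names, and a simple regex-based link translator. It shows both directions: rewriting links in a buffered page so every link to a published back end goes through the gateway, and resolving an inbound request back to the internal host, where an unknown or guessed "uniquesig" prefix resolves to nothing and can be refused.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed example values: a portal trunk and two published back-end apps.
TRUNK_HOST = "www.extranet.com"        # assumed trunk public name
SIGNING_KEY = b"constructed-demo-key"  # assumed per-gateway secret, not a UAG value

# Internal hostname -> application-specific public hostname, or None when the
# app can only be reached through the trunk name (non-AAM, needs HAT).
APPS = {
    "crm.corp.local": None,                        # non-AAM: HAT prefix required
    "finance.corp.local": "finance.extranet.com",  # AAM-like: own public name
}


def signature(internal_host: str) -> str:
    """Stable 'uniquesig...' path segment for one back-end host (constructed scheme)."""
    digest = hmac.new(SIGNING_KEY, internal_host.encode(), hashlib.sha256).hexdigest()
    return "uniquesig" + digest[:32]


def public_base(internal_host: str) -> str:
    """Public URL prefix that clients use to reach the given internal host."""
    own_name = APPS[internal_host]
    if own_name is not None:
        return f"https://{own_name}"
    return f"https://{TRUNK_HOST}/{signature(internal_host)}"


_LINK = re.compile(r'(?P<attr>\b(?:href|src|action)=")(?P<url>[^"]*)"', re.IGNORECASE)


def translate_links(html: str) -> str:
    """Rewrite absolute links that point at published back ends; leave the rest alone."""
    def repl(match):
        url = match.group("url")
        parts = urlsplit(url)
        if parts.hostname not in APPS:
            return match.group(0)  # relative links and unknown hosts are untouched
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        return f'{match.group("attr")}{public_base(parts.hostname)}{path}"'
    return _LINK.sub(repl, html)


def resolve_request(host: str, path: str):
    """Map an inbound (Host header, path) back to (internal host, internal path).

    Returns None when the host is unknown or the signature matches no published
    app, which is what lets the gateway refuse guessed prefixes.
    """
    for internal_host, own_name in APPS.items():
        if own_name is not None and host == own_name:
            return internal_host, path
    if host != TRUNK_HOST:
        return None
    segments = path.split("/", 2)  # ['', 'uniquesig...', 'rest/of/path']
    if len(segments) < 2 or not segments[1].startswith("uniquesig"):
        return None
    for internal_host, own_name in APPS.items():
        if own_name is None and hmac.compare_digest(signature(internal_host), segments[1]):
            rest = segments[2] if len(segments) == 3 else ""
            return internal_host, "/" + rest
    return None


if __name__ == "__main__":
    # Constructed page fragment as a back-end server might return it.
    page = ('<a href="http://crm.corp.local/opp/1?id=7">opportunity</a>'
            '<img src="http://finance.corp.local/logo.png">'
            '<a href="/relative">relative link stays relative</a>')
    print(translate_links(page))
    print(resolve_request(TRUNK_HOST, "/" + signature("crm.corp.local") + "/opp/1"))
```

Note that the AAM-like app never gets a prefix: its links are rewritten to the app's own public name, which is why the slides require a certificate and DNS entry for that name and a shared DNS suffix for the session cookie.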

Publish a web application

Using UAG to make your apps available: file system publishing, web server publishing, client/server app publishing, TS publishing, SSTP publishing; DirectAccess => 28/04 sessions done by John Craddock.

What it does: provides access to applications that were not designed for the classic web and web publishing. SSL tunneling: a client component listens for connections, tunnels them and delivers them to UAG. The UAG client components have two parts: health checking applications and SSL applications. Tunneling uses a socket forwarding component and is almost completely transparent to the end user.

SSL application tunneling component (diagram): client app -> SSL tunneling component listening on 127.0.0.1:4785 -> SSL VPN -> UAG -> back-end server 10.10.10.100, port 23.

2. Client/server applications: a lot of templates (the most used are below).
Generic client application: uses a single SSL tunnel.
Generic client application (multiple servers): with multiple servers we mean multiple ports to the same or other back-end servers; uses UAG's socket forwarding component.
Generic silent client application: no client prompt.
Enhanced => to tunnel, the UAG client manipulates the client and changes e.g. the registry, config files or the hosts file. Hosts required => edit the hosts file; if editing fails => end. Hosts optional => edit the hosts file; if editing fails => still try to launch the application. Hosts disabled => don't edit the hosts file.
All launch an SSL VPN and then launch a script to run the application on the client.

Auto connect %localip%

2. Client/server applications: a lot of templates (the most used are below).
Enhanced HAT: address translation beyond the scope of normal URL rewriting. E.g. a PDF file with a link => on a click on that link, UAG sees the request for the unavailable server and sends an HTTP 302 redirect to the client with the UAG public trunk as link; from then on the client redirects all this traffic to the public trunk name.
Generic HTTP proxy enabled client application: allows HTTP proxying.
Generic SOCKS enabled client application: allows SOCKS 4/5 proxying.
Citrix Program Neighborhood (direct).
Replaced RPC over HTTPS for clients that don't support it, ...

Things to remember: apps use the local loopback 127.0.0.x and a port locally. If SSL tunneling does not work there are 3 alternatives: Network Connector (NC) => tunnels all traffic to the internal network by creating a virtual NIC with an IP address (SSL VPN); Secure Socket Tunneling Protocol (SSTP) => uses built-in Windows components, with automatic client configuration (Win7 and Vista SP1 only); DirectAccess (DA) => IPsec tunneling.
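The tunneling component described in the "What it does" slide and the loopback detail in the slide above (the client app talks to 127.0.0.x on a local port, and the component relays that traffic into the SSL tunnel) can be shown with a small relay. The code below is an added example, not part of the original presentation and not the UAG client component: a loopback listener that accepts a local TCP connection and pumps bytes both ways to an upstream endpoint. The TLS leg to the gateway is replaced by a plain in-process echo server that stands in for "UAG plus back-end server", and the addresses and ports are constructed.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source hits EOF, then close the other side's write end."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LoopbackForwarder:
    """Listens on a loopback address and relays each connection to the tunnel endpoint.

    In the real product the upstream leg would be the SSL tunnel to the gateway;
    here it is whatever TCP endpoint is passed in (constructed stand-in).
    """

    def __init__(self, listen_ip: str, listen_port: int, tunnel_host: str, tunnel_port: int):
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((listen_ip, listen_port))  # port 0 = pick a free port
        self._listener.listen(5)
        self.listen_addr = self._listener.getsockname()
        self._tunnel = (tunnel_host, tunnel_port)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self._listener.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client: socket.socket) -> None:
        upstream = socket.create_connection(self._tunnel)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)  # client -> tunnel until the client is done sending
        back.join()              # tunnel -> client until upstream closes
        client.close()
        upstream.close()

    def close(self) -> None:
        self._listener.close()


def start_echo_server() -> tuple:
    """Constructed stand-in for gateway + back end: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn: socket.socket) -> None:
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def send_through(listen_addr: tuple, payload: bytes) -> bytes:
    """Act as the legacy client app: connect to the loopback port and read the reply."""
    with socket.create_connection(listen_addr) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    echo_host, echo_port = start_echo_server()
    fwd = LoopbackForwarder("127.0.0.1", 0, echo_host, echo_port)
    print(send_through(fwd.listen_addr, b"hello through the loopback relay"))
    fwd.close()
```

The relay binds to 127.0.0.1 with port 0 so it runs anywhere; the slides describe UAG choosing a 127.0.0.x address and port per application and, for the enhanced templates, pointing the hosts file at it, which is the part this stand-alone relay leaves out.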

Publish telnet

Using UAG to make your apps available: file system publishing, web server publishing, client/server app publishing, TS publishing, SSTP publishing; DirectAccess => 28/04 sessions done by John Craddock.

Things to know: how to create the tspub file.

Using UAG to make your apps available: file system publishing, web server publishing, client/server app publishing, TS publishing, SSTP publishing; DirectAccess => 28/04 sessions done by John Craddock.

Remote SSL VPN: NC (Network Connector) for down-level clients, creates a virtual NIC; SSTP for Win7 and above, uses the OS built-in SSTP.

The hidden application: the app will dynamically detect whether you are a Win7 or a down-level client and activate SSTP or NC accordingly.

Publish VPN

Things to remember: the cert chain must be OK, also for the computer container (root cert trusted, CRL available). Your internal servers must know how to route to those addresses.

Goal of today (recap): help you understand what UAG is (OK); help you get started with UAG lingo (OK); help you get started with configuring UAG (OK).

Q&A

More info http://blogs.technet.com/b/edgeaccessblog/ http://www.amazon.co.uk/Microsoft-Forefront-Unified-Administrator-27s-Handbook/dp/1849681627/ref=sr_1_3?ie=UTF8&s=books&qid=1303649443&sr=8-3 http://www.amazon.co.uk/Deploying-Microsoft-Forefront-Unified-Professional/dp/0735649774/ref=sr_1_1?ie=UTF8&s=books&qid=1303649443&sr=8-1 http://blogs.technet.com/b/tomshinder/


Stay up to date with TechNet Belux. Register for our newsletters and stay up to date: http://www.technet-newsletters.be (technical updates, event announcements and registration, top downloads). Join us on Facebook: http://www.facebook.com/technetbe http://www.facebook.com/technetbelux LinkedIn: http://linkd.in/technetbelux/ Twitter: @technetbelux Download the MSDN/TechNet Desktop Gadget: http://bit.ly/msdntngadget

TechDays 2011 On-Demand: watch this session on-demand via TechNet Edge (http://technet.microsoft.com/fr-be/edge/ http://technet.microsoft.com/nl-be/edge/), download it to your favorite MP3 or video player, and get access to the slides and resources recommended by the speakers.

If you have any more questions on anything, come and visit me at the ask the experts booth. THANK YOU Tom Decaluwé Blog: http://trycatch.be/blogs/decaluwet/ Email: tom@decaluwe.eu