Dominik Zemp Microsoft Switzerland Ltd Liab. Co. Install and Configure Remote Access for SharePoint (and RemoteApp and DirectAccess)

Presentation transcript:

Dominik Zemp Microsoft Switzerland Ltd Liab. Co. Install and Configure Remote Access for SharePoint (and RemoteApp and DirectAccess) In An Hour

Agenda:
- What is Forefront UAG?
- UAG Solution and Internal Architecture
- How to Publish SharePoint via UAG (Live Demos)
- How to Publish RemoteApps, DirectAccess, etc. via UAG
- Q & A

What are the different Microsoft Remote Access Solutions? Answer:
- Threat Management Gateway (TMG)
- DirectAccess
- Remote Desktop Services
- Windows RAS (SSTP)
- Unified Access Gateway (UAG)

And which ones are for SharePoint? Answer:
- Threat Management Gateway (TMG)
- DirectAccess
- Remote Desktop Services
- Windows RAS (SSTP)
- Unified Access Gateway (UAG)

Solution and Internal Architecture

Unified Access Gateway (UAG) is the next version of Intelligent Application Gateway (IAG), with a vision and mission to provide managed, unmanaged and mobile devices with unified, secure anywhere access to on-premise and in-the-cloud applications. Access decisions consider three dimensions: What (Data), Who (Identity) and Where (Device).

Example users: Financial Partner or Field Agent, Project Manager (Employee), Logistics Partner, Remote Technician (Employee). Example devices: Corporate Managed Laptop, Home PC, Unmanaged Partner PC, Kiosk. Each session is tailored according to its user and the device in use, maximizing security and productivity for that session.

UAG solution overview (diagram):
- Clients: Business Partners / Sub-Contractors, Home / Friend / Kiosk, Employees, Managed Machines, Mobile
- Access methods: DirectAccess, HTTPS (443), Layer 3 VPN
- Identity stores: AD, ADFS, RADIUS, LDAP, etc.
- Published applications: Exchange, CRM, SharePoint, IIS based, IBM, SAP, Oracle, Terminal / Remote Desktop Services, non-web, HTTPS / HTTP
- Policy infrastructure: NPS, ILM
- Security features: strong authentication; endpoint health detection (NAP and down-level); authorization based on health status, who and where; information leakage prevention (attachment/cache wiper)

Supported authentication back ends: Active Directory, LDAP, TACACS, RADIUS, RSA, Smart Card Certificates, KCD, ADFS, etc. (additional ones via UAG Hooks).

No need for directory replication or duplication (alternative approaches require a local repository). Transparent Web authentication via HTTP 401 request, static Web form, dynamic browser-sensitive Web form, or Kerberos Constrained Delegation. Integrates with password change management and user repositories.

Endpoint policies:
- Inbuilt policies can check the health of endpoints connecting to the UAG portal and applications
- Check system settings and features on the endpoint
- Control access to trunk and applications, as well as actions such as downloading and uploading files
- Supports Windows, Mac OS, and Linux; platform-specific policies are enforced according to the operating system on the endpoint device
- Predefined policies are enabled by default and can be edited to check for specific settings or features, as required
- Administrators can also define their own policies

NAP integration: enforces compliance and provides remediation for clients connecting through portal trunks or DirectAccess. Each scenario uses NAP in a different way:
- For portal trunks, UAG receives the statement of health (SoH) from the client and enforces policies directly
- For DirectAccess, IPsec policies require a "health certificate" issued independently by NAP

Attachment/cache wiper: wipes out the locally stored content upon session termination to prevent information leakage. Removes downloaded files and pages, AutoComplete form contents, AutoComplete URLs, cookies, history information and any user credentials.

UAG internal architecture (diagram):
- Windows Server platform: TMG, Windows NLB, RRAS, IIS, TSG / RDG
- Core: UAG Filter, Session Manager, User Manager, Config. / Array Manager, Internal Site, Portal, UAG Logic, Tracing & Logging
- Web Application Publishing
- DirectAccess: DirectAccess Server, DNS-ALG, NAT-PT, ISATAP, IP-HTTPS, Teredo, 6to4, Native IPv6, DTE / DoSP
- IP VPN: SSTP, Layer 3 SSL Tunnel
- Admin: Management UI, SCOM MP

Technical Details and Live Demos

Alternate Access Mappings (AAM): enable SharePoint to map Web requests to the correct Web sites and apps. AAM defines alternative public and internal URL names for the SharePoint Web site; these should match the URLs typed by the user or provided by the reverse proxy (like UAG). Configured on the SharePoint Central Administration site.

Common AAM mistakes:
- Mistake #1: "I'm not deploying SharePoint in an unusual way, so I don't need to worry about configuring Alternate Access Mappings."
- Mistake #2: Assuming your reverse proxy server's "link translation" feature is sufficient.
- Mistake #3: Trying to reuse the same URL in AAM, or not aligning the URLs to the same zone.
Source: http://blogs.msdn.com/sharepoint/archive/2007/03/19/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-2-of-3.aspx

TMG 2010 vs. UAG 2010 feature comparison (features the slide rates as only "basic" in TMG 2010 are marked; UAG 2010 provides all of them):
- Wizards and predefined settings (TMG 2010: basic)
- Information leakage prevention (session clean up)
- Endpoint health-based authorization
- Web farm load balancing (WFLB)
- Advanced authentication schemes (e.g. AD FS)
- Rich client authentication
- Single sign on
- Unified portal
- Application protection (Web application firewall) (TMG 2010: basic)
- Policy-based access (granular policies)
- Array support
- AAM support
- Customization and manipulation (UI, applications) (TMG 2010: basic)

SharePoint Publishing

How to Publish RemoteApp and DirectAccess

UAG seamlessly integrates Remote Desktop Gateway (RDG) to provide an application-level gateway for RDS applications. It enables employees to securely access applications that are hosted on a Terminal Server or on their internal workstation. Benefits:
- Enhanced authentication
- Single sign-on experience
- Granular policies based on client health (e.g. no anti-virus means no drive sharing)
- RemoteApps are integrated into the UAG portal side by side with Web applications
- Integrated deployment and management with other remote access technologies

In UAG, RD/TS client traffic goes over HTTPS. The HTTPS tunnel is terminated at UAG, therefore UAG can inspect the traffic. The traffic is then passed to the backend RD Session Host using the RDP protocol. Flow: RD/TS Client (MSTSC) -> RDP over HTTPS -> UAG + RDG -> RDP -> RD Session Host (TS Server).

UAG (SSL-VPN, IPv4 or IPv6) and DirectAccess (always-on IPv6) better together:
- Extends access to line of business servers with IPv4 support
- Access for down-level and non-Windows clients
- Enhances scalability and management
- Simplifies deployment and administration
- Hardened edge solution

UAG provides IPv6 connectivity between Internet clients and internal servers, using native IPv6 connectivity or transition technologies. Internet side: 6to4, Teredo, IP-HTTPS, native IPv6. Intranet side: ISATAP, NAT64.

Connectivity to the corporate network is done using IPv6, protected by IPsec tunnels and transported over IPv4 using IPv6 transition technologies (6to4, Teredo, IP-HTTPS). Two tunnels are established across the Internet: the infrastructure tunnel (to domain controllers, DNS, HRA and management servers) and the intranet tunnel (to the rest of the machines in the corporate network).

Step 1: The user machine tries to resolve the address of an IPv4-only server (host name: x.contoso.com; NAT64 prefix: 2a01:110:6:6:6:6::/96):
- Client sends a DNS AAAA query for "x.contoso.com" to DNS64
- DNS64 sends a DNS AAAA query and a DNS A query for "x.contoso.com" to the internal DNS
- Internal DNS returns a DNS A response with the server's IPv4 address (no AAAA record exists)
- DNS64 synthesizes a DNS AAAA response: 2a01:110:6:6:6:6:: (NAT64 prefix) with the IPv4 address embedded

Step 2: The user machine sends a packet to the IPv4 server (host name: x.contoso.com; NAT64 prefix: 2a01:110:6:6:6:6::/96):
- Client sends the packet to the synthesized IPv6 address 2a01:110:6:6:6:6:: (prefix plus embedded IPv4 address)
- NAT64 recognizes the prefix, extracts the embedded IPv4 address and forwards the packet to the server over IPv4
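The DNS64 synthesis in Step 1 and the NAT64 address extraction in Step 2, as an added worked example (not code from the original presentation or from UAG): the NAT64 prefix is the one on the slide, while the zone data and the IPv4 address 192.0.2.10 are constructed sample values.

```python
import ipaddress

# NAT64 prefix from the slide; a /96 leaves the low 32 bits for the IPv4 address.
NAT64_PREFIX = ipaddress.IPv6Network("2a01:110:6:6:6:6::/96")

# Constructed sample zone: x.contoso.com is IPv4-only, dual.contoso.com has a real AAAA.
SAMPLE_ZONE = {
    "x.contoso.com": {"A": ["192.0.2.10"]},
    "dual.contoso.com": {"A": ["192.0.2.11"], "AAAA": ["2001:db8::1"]},
}


def synthesize_aaaa(prefix, ipv4):
    """DNS64 step: embed the IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT64 prefix must be a /96")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(prefix, ipv6):
    """NAT64 step: recover the IPv4 destination, or None if the address is not NAT64-synthesized."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None  # native IPv6 destination, no translation needed
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_resolve(name, zone, prefix):
    """Simulate DNS64: return real AAAA records if present, otherwise synthesize them from A records."""
    records = zone.get(name, {})
    if records.get("AAAA"):
        return list(records["AAAA"])
    return [str(synthesize_aaaa(prefix, a)) for a in records.get("A", [])]


if __name__ == "__main__":
    # Step 1: the DirectAccess client asks for AAAA and gets a synthesized answer.
    answers = dns64_resolve("x.contoso.com", SAMPLE_ZONE, NAT64_PREFIX)
    print("AAAA for x.contoso.com:", answers)
    # Step 2: NAT64 maps the synthesized destination back to the IPv4 server.
    print("NAT64 forwards to:", extract_ipv4(NAT64_PREFIX, answers[0]))
```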

RemoteApps and DirectAccess

For more Information please contact Dominik Zemp TSP Security +41 (43) (0) Microsoft Switzerland Richtistrasse Wallisellen

Resources:
- UAG 2010 Eval Download: us/evalcenter/dd aspx
- UAG Team Blog
- TMG Team Blog
- Forefront Edge IAG/UAG Support Forum: US/forefrontedgeiag