Dominik Zemp Microsoft Switzerland Ltd Liab. Co. Install and Configure Remote Access for SharePoint (and RemoteApp and DirectAccess)


1 Dominik Zemp Microsoft Switzerland Ltd Liab. Co. dominik.zemp@microsoft.com Install and Configure Remote Access for SharePoint (and RemoteApp and DirectAccess) In An Hour

2 Agenda
What is Forefront UAG?
UAG solution and internal architecture
How to publish SharePoint via UAG
Live demos
How to publish RemoteApps, DirectAccess, etc. via UAG
Q & A

3 What are the different Microsoft Remote Access solutions? Answer:
Threat Management Gateway (TMG)
DirectAccess
Remote Desktop Services
Windows RAS (SSTP)
Unified Access Gateway (UAG)
And which ones are for SharePoint? The slide shows the same five again; the rest of the session compares TMG 2010 with UAG 2010 (slide 17) and uses UAG.

4 Solution and Internal Architecture

5 Unified Access Gateway (UAG) is the next version of Intelligent Application Gateway (IAG). Its vision and mission is to provide managed, unmanaged and mobile devices with unified, secure anywhere access to on-premises and in-the-cloud applications. Access decisions combine What (data), Who (identity) and Where (device).

6 [Diagram] Users: Employee, Project Manager, Financial Partner or Field Agent, Logistics Partner, Remote Technician. Devices: Corporate Managed Laptop, Home PC, Unmanaged Partner PC, Kiosk. Each session is tailored according to its user and the device in use, maximizing security and productivity for that session.

7 [Architecture diagram] Clients: Employees on managed machines (DirectAccess), Home / Friend / Kiosk, Business Partners / Sub-Contractors, Mobile. Transport to UAG: HTTPS (443), Layer 3 VPN. Identity stores: AD, ADFS, RADIUS, LDAP, NPS, ILM, ... Published back ends: Exchange, CRM, SharePoint, IIS-based, IBM, SAP, Oracle, Terminal / Remote Desktop Services, non-web applications, HTTPS / HTTP.
Security functions: strong authentication; endpoint health detection (NAP and down-level clients); authorization based on health status (who + where); information leakage prevention (attachment/cache wiper).

8 Supported authentication back ends: Active Directory, LDAP, TACACS, RADIUS, RSA, smart card certificates, KCD, ADFS, etc. (further schemes can be added using UAG hooks).

9 Authentication
No need for directory replication or repetition; alternative approaches require a local repository.
Transparent Web authentication to back-end applications: HTTP 401 request, static Web form, dynamic browser-sensitive Web form, Kerberos constrained delegation (KCD).
Integrates with password change management and user repositories.

10 Endpoint policies
Inbuilt policies can check the health of endpoints connecting to the UAG portal and applications: check system settings and features on the endpoint.
Control access to trunk and applications, as well as actions such as downloading and uploading files.
Supports Windows, Mac OS and Linux; platform-specific policies are enforced according to the operating system on the endpoint device.
Predefined policies are enabled by default and can be edited to check for specific settings or features, as required. Administrators can also define their own policies.

11 NAP integration enforces compliance and provides remediation for clients connecting through portal trunks or DirectAccess. Each scenario uses NAP in a different way:
For portal trunks, UAG receives the statement of health (SoH) from the client and enforces policies directly.
For DirectAccess, the IPsec policies require a "health certificate" issued independently by NAP (the client obtains it from the Health Registration Authority, HRA).

12 Attachment/cache wiper: wipes out the locally stored content upon session termination, preventing information leakage. Removes downloaded files and pages, AutoComplete form contents, AutoComplete URLs, cookies, history information and any user credentials.

13 [Internal architecture diagram; layers: IP VPN, Admin, Core, Web Application Publishing, Windows Server] Components shown: TMG, Windows NLB, RRAS, IIS, TSG / RDG, UAG Filter, Session Manager, User Manager, Config. / Array Manager, Internal Site, Portal, DirectAccess Server, DNS-ALG, NAT-PT, ISATAP, IP-HTTPS, Teredo, 6to4, Native IPv6, DTE / DoSP, Management UI, SCOM MP, UAG Logic, Tracing & Logging, SSTP, Layer 3 SSL Tunnel.

14 Technical Details and Live Demos

15 Alternate Access Mappings (AAM)
Enable SharePoint to map Web requests to the correct Web sites and applications.
Define alternative public and internal URL names for the SharePoint Web site.
Must match the URLs typed by the user or provided by the reverse proxy (such as UAG).
Configured on the SharePoint Central Administration site.

16 Common AAM mistakes
Mistake #1: "I'm not deploying SharePoint in an unusual way, so I don't need to worry about configuring Alternate Access Mappings."
Mistake #2: Assuming your reverse proxy server's "link translation" feature is sufficient.
Mistake #3: Trying to reuse the same URL in AAM, or not aligning the URLs to the same zone.
Source: http://blogs.msdn.com/sharepoint/archive/2007/03/19/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-2-of-3.aspx
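As an added example (not part of the deck), here are the Central Administration steps from slides 15 and 16 done from the SharePoint 2010 Management Shell, with a check for mistake #3 before the mapping is created. The URLs are assumptions: http://sharepoint.corp.contoso.com is the web application's internal (Default zone) URL that UAG forwards to, and https://sharepoint.contoso.com is the public host name UAG presents to Internet users.

```powershell
# Added example, not from the deck. Run in the SharePoint 2010 Management Shell
# on a farm server. The URLs are assumed sample names; replace them with yours.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$internalUrl = 'http://sharepoint.corp.contoso.com'   # Default zone, what UAG talks to
$publicUrl   = 'https://sharepoint.contoso.com'       # host name UAG presents to the Internet

$webApp = Get-SPWebApplication -Identity $internalUrl

# Mistake #3 check: the public URL must not already be mapped, in any zone,
# for any web application in the farm (Get-SPAlternateURL without arguments
# returns every mapping in the farm).
$clash = Get-SPAlternateURL | Where-Object {
    $_.IncomingUrl.TrimEnd('/') -eq $publicUrl -or $_.PublicUrl.TrimEnd('/') -eq $publicUrl
}
if ($clash) {
    $detail = $clash | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize | Out-String
    throw "Refusing to add $publicUrl, it is already mapped:`n$detail"
}

# Mistakes #1 and #2: map the public URL in the Internet zone so that SharePoint
# itself emits absolute links with https://sharepoint.contoso.com for requests
# arriving with that host header, instead of relying on UAG link translation.
New-SPAlternateURL -Url $publicUrl -WebApplication $webApp -Zone Internet | Out-Null

# Verify: each zone of the web application should carry one distinct public URL.
Get-SPAlternateURL -WebApplication $webApp | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
```

Note that the public URL uses https even though the Default zone URL is http: when UAG terminates SSL and forwards over plain HTTP, the links SharePoint generates still have to carry the scheme and host the browser actually used, which is exactly what the Internet-zone mapping provides.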

17 TMG 2010 versus UAG 2010 (feature comparison table, flattened in extraction; "basic" marks a feature available only in basic form):
Wizards and predefined settings (basic)
Information leakage prevention (session clean-up)
Endpoint health-based authorization
Web farm load balancing (WFLB)
Advanced authentication schemes (e.g. AD FS)
Rich client authentication
Single sign-on
Unified portal
Application protection (Web application firewall) (basic)
Policy-based access (granular policies)
Array support
AAM support
Customization and manipulation (UI, applications) (basic)

18 SharePoint Publishing

19 How to Publish RemoteApp and DirectAccess

20 UAG seamlessly integrates Remote Desktop Gateway (RDG) to provide an application-level gateway for RDS applications. It enables employees to securely access applications hosted on a Terminal Server or on their internal workstation.
Benefits: enhanced authentication; single sign-on experience; granular policies based on client health (for example, no anti-virus means no drive sharing); RemoteApps are integrated into the UAG portal side by side with Web applications; integrated deployment and management with the other remote access technologies.

21 In UAG, RD/TS client traffic goes over HTTPS. The HTTPS tunnel is terminated at UAG, so the traffic can be inspected there. It is then passed to the back-end RD Session Host using the RDP protocol.
[Diagram] RD/TS client (MSTSC) --RDP over HTTPS--> UAG + RDG --RDP--> RD Session Host (TS Server)

22 [Diagram: UAG SSL-VPN (IPv6 or IPv4) + DirectAccess (always on, IPv6)] UAG and DirectAccess are better together:
Extends access to line-of-business servers with IPv4 support
Access for down-level and non-Windows clients
Enhances scalability and management
Simplifies deployment and administration
Hardened edge solution

23 UAG provides IPv6 connectivity between Internet clients and internal servers, using native IPv6 connectivity or transition technologies.
[Diagram] Internet side: 6to4, Teredo, IP-HTTPS, native IPv6. Intranet side: native IPv6, ISATAP, NAT64.

24 Connectivity to the corporate network is done using IPv6, protected by IPsec tunnels and transported over IPv4 using IPv6 transition technologies (6to4, Teredo, IP-HTTPS).
[Diagram] From the Internet client, across the IPv6 transition technologies, two tunnels: the infrastructure tunnel reaches domain controllers, DNS, HRA and management servers; the intranet tunnel reaches the rest of the machines in the corporate network.

25 Step 1: The user machine tries to resolve the address of an IPv4-only server (host name x.contoso.com, IP 100.1.2.3; NAT64 prefix 2a01:110:6:6:6:6::/96):
The client sends a DNS AAAA query for "x.contoso.com" to DNS64.
DNS64 forwards the AAAA query to the internal DNS server, which has no AAAA record for the IPv4-only host.
DNS64 then sends a DNS A query for "x.contoso.com" and receives the A response 100.1.2.3.
DNS64 synthesizes a DNS AAAA response of 2a01:110:6:6:6:6::100.1.2.3, i.e. the NAT64 prefix with the IPv4 address embedded in the low 32 bits.

26 Step 2: The user machine sends a packet to the IPv4 server (x.contoso.com, 100.1.2.3):
The client sends the packet to the synthesized address 2a01:110:6:6:6:6::100.1.2.3.
NAT64, which owns the prefix 2a01:110:6:6:6:6::/96, translates the IPv6 packet and forwards it to 100.1.2.3 as IPv4.
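The address arithmetic behind steps 1 and 2, as an added example that is not from the deck: a /96 NAT64 prefix leaves the low 32 bits of the IPv6 address free, and DNS64 simply writes the IPv4 address there. The reverse mapping is what you need when an address from the NAT64 range turns up in a UAG or DirectAccess log and you want to know which IPv4-only intranet server it really denotes. The prefix and server address are the slide's sample values; the function names are this example's own.

```powershell
# Added example (not from the slides): DNS64-style address synthesis and the
# reverse mapping, as byte arithmetic on a /96 NAT64 prefix.

function New-Nat64Address {
    param(
        [Parameter(Mandatory = $true)][string]$Nat64Prefix,   # e.g. '2a01:110:6:6:6:6::/96'
        [Parameter(Mandatory = $true)][string]$IPv4Address    # e.g. '100.1.2.3'
    )
    $prefixPart, $prefixLength = $Nat64Prefix -split '/'
    if ([int]$prefixLength -ne 96) {
        throw "Only /96 NAT64 prefixes (IPv4 in the low 32 bits) are handled here"
    }
    # 16-byte IPv6 prefix in network order; bytes 12..15 are zero in the prefix
    # and receive the 4 bytes of the IPv4 address.
    $bytes = [System.Net.IPAddress]::Parse($prefixPart).GetAddressBytes()
    $v4    = [System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes()
    [Array]::Copy($v4, 0, $bytes, 12, 4)
    return (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

function Get-Nat64EmbeddedIPv4 {
    # Returns the embedded IPv4 address if $IPv6Address lies inside the NAT64
    # prefix, otherwise $null (a native IPv6 host, not a translated one).
    param(
        [Parameter(Mandatory = $true)][string]$Nat64Prefix,
        [Parameter(Mandatory = $true)][string]$IPv6Address
    )
    $prefixPart = ($Nat64Prefix -split '/')[0]
    $p = [System.Net.IPAddress]::Parse($prefixPart).GetAddressBytes()
    $a = [System.Net.IPAddress]::Parse($IPv6Address).GetAddressBytes()
    for ($i = 0; $i -lt 12; $i++) {
        if ($p[$i] -ne $a[$i]) { return $null }   # first 96 bits must match
    }
    [byte[]]$v4 = $a[12..15]
    return (New-Object System.Net.IPAddress -ArgumentList (,$v4)).ToString()
}

# Sample values from the slides (constructed demo input).
$prefix = '2a01:110:6:6:6:6::/96'
$synth  = New-Nat64Address -Nat64Prefix $prefix -IPv4Address '100.1.2.3'
"AAAA synthesized for 100.1.2.3: $synth"
"Embedded IPv4 in $synth : $(Get-Nat64EmbeddedIPv4 -Nat64Prefix $prefix -IPv6Address $synth)"
"Native IPv6 host, not NAT64: '$(Get-Nat64EmbeddedIPv4 -Nat64Prefix $prefix -IPv6Address '2001:db8::1')'"
```

The slide writes the synthesized address with the embedded IPv4 in dotted form, 2a01:110:6:6:6:6::100.1.2.3; in canonical hexadecimal notation the same address is 2a01:110:6:6:6:6:6401:203 (100 = 0x64, 1 = 0x01, 2 = 0x02, 3 = 0x03), which is how .NET prints it. The same arithmetic applies to the well-known NAT64 prefix 64:ff9b::/96 from RFC 6052 if a deployment uses that instead of an organization-specific prefix.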

27 RemoteApps and DirectAccess

28 For more Information please contact Dominik Zemp TSP Security dominik.zemp@microsoft.com +41 (43) 456 66 94 +41 (0) 78 844 66 94 Microsoft Switzerland Richtistrasse 3 8304 Wallisellen

29 UAG 2010 Eval Download: http://technet.microsoft.com/en-us/evalcenter/dd183100.aspx
UAG Team Blog: http://blogs.technet.com/edgeaccessblog/default.aspx
TMG Team Blog: http://blogs.technet.com/isablog/default.aspx
Forefront Edge IAG/UAG Support Forum: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag
