500 likes | 651 Views
Getting to know UAG. Tom Decaluwé Blog: http ://trycatch.be/blogs/decaluwet / Email: tom@decaluwe.eu. Goal of today. Help you understand what UAG is. Help you get started with UAG Lingo Help you get started with configuring UAG. Todays Agenda.
E N D
Getting to know UAG Tom Decaluwé Blog: http://trycatch.be/blogs/decaluwet/ Email: tom@decaluwe.eu
Goal of today • Help you understand what UAG is. • Help you get started with UAG Lingo • Help you get started with configuring UAG
Todays Agenda • Some general thoughts on extranet / external access • What is UAG & compare with TMG • UAG architecture and internals • Using UAG to make you apps available • File access • Webserver publishing • Client / Server app publishing • TS publishing • SSTP network connectivity • Directaccess => 28/04 Sessions done by John Craddock • ADFS usage => 26/04 Sessions done by John Craddock • Q&A
The killer sentence • The ability to access any corporate applicationfrom anywherein a secure manner, reliable and fast manner using any deviceif the business decides to do so.
Why do I need UAG in a world that is going cloud? • The chance of the future being a hybrid setup cloud + on prem is very big.
What is UAG => an SSL VPN Secure Gateway with Direct Access wizard Exchange CRM SharePoint IIS based IBM, SAP, Oracle Mobile Home / Friend / Kiosk HTTPS / HTTP Terminal / Remote Desktop Services Layer3 VPN HTTP(S) (443 - 80 ) Internet DirectAccess Non web • Strong authentication • Endpoint health detection: • NAP and down-level • Authorization: • Based on health status • Who + where • Information leakage prevention • Attachment/Cache wiper Business Partners / Sub-Contractors AD, ADFS, RADIUS, LDAP…. NPS, ILM Employees Managed Machines
What is UAG & Compare the Edge Integrated and comprehensive protection from Internet-based threats Unified platform for all enterprise remote access needs
TMG vs UAG (at the publishing level) • TMG • De-emphesised on publishing • Limited to HTTP(s) publishing • Limited to auth as security • Client unaware • All in one box • UAG • The future of publishing • Portal approach • HTTP(s) + Client / server app + VPN (inclueding DA) • Health check and cleanup • Very flexibel authentication • Loads of pre-built templates • Very detailed reporting
Why do you see so little UAG being used? • Historical pricing => UAG used to bee expensive when it was still under the Whale communications flag and when first adopted by MS. • TMG is widely adopted and works really well as it’s a combo box. • Commission war => Integrates will make more money selling you and appliance than they will if you deploy UAG on your standard Dell/HP hardware and licenses bought through your VL agreements. • Lack of skilled UAG deployers & training • Complex ?! to get to know and sometimes to use as it requires understanding of the internal app’s you are publishing. • Weak on creating equal look and feel internal external
Admin Core UAG Internal Architecture Management UI SCOM MP Tracing & Logging Session Manager User Manager Config. / Array Manager Direct Access Web Application Publishing IP VPN DirectAccess Server Internal Site Portal TSG / RDG RRAS DTE / DoSP SSL Tunnel UAG Filter DNS-ALG NAT-PT Native IPv6 6to4 Teredo IP-HTTPS ISATAP SSTP Layer 3 IIS TMG Windows NLB UAG Logic Windows Server
UAG in the core • ISAPI extends the on the core functionality of IIS • InternalSite Vdirectory • New Vdirectories per portal
UAG buildup IP Group HTTP/HTTPS Trunk Application Port Logical unit 1 HTTP and 1 HTTPS trunk per IP You can only bind to port 80 and 443 Colllection of settings and rules
Two Keywords in UAG lingo • Two types of trunks (*UAG can not publish on any other ports) • HTTP (TCP 80) • HTTPS (TCP 443) • Is like an IIS website or a TMG listener => ip + port • A redirect Trunk can redirect http to https not the other way. • Can be linked to the portal or direct to application • Two options • Portal trunk => homepage of UAG • ADFS trunk => SSO over the border of forests Trunk Application • +/- 40 tempaltes / 5 top-level apps • Build-in services (automatically added to trunk) • File access => ntfs shares • Web-Monitor => remote UAG mgt • Web (applications) • Sharepoint • Exchange • ... • Other => create your own setup • Client/server and legacy • Apps that run outside of the browser • SSL vpn for specific apps • When launching an app the UAG client components loads • Remote Network Access => full network ssl vpn • Browser-embedded • Starts in browser en shifts to binary • Citrix • XenApp • Terminal services and remote desktop • 5 templates
Endpoint Policies • One of UAG’s core features • Policies are a set of conditions that have to be met by the client inorde to gain access. • End result for blocked apps • set to gray out • hidden • Seem complex because they are 4 situations with each time 4 platforms and two ways to create them. • Creation • GUI driven • Scripted mode • Top Level policy • Access policy - Upload policy - Download policy - Restricted zone policy Windows MAC Linux Other
Require domain membership for • ADFS • KCD • File-Access • DirectAccess • UAG Arry
Using UAG to make you apps available File system publishing Webserver publishing Client / Server App publishing TS publishing SSTP publishing Directaccess => 28/04 Sessions done by John Craddock
Why use it • Not every filesystem has been migrated to sharepoint yet and not all filesystems will migrate to sharepoint. • People want access to the corp files any time and where. • It ensures mobile users can upload there important files to backup protected servers instead of their mobile clients. Client experiance Server Experiance
Configure File Access • You will need credentials of a user that can brows the network • Add the built-in service application > File access
Things to remember (File access) • The computer browser must be started and requires a chagne in the
Using UAG to make you apps available File system publishing Webserver publishing Client / Server App publishing TS publishing SSTP publishing Directaccess => 28/04 Sessions done by John Craddock
Application specific hostname vs portal hostname application Portal Hostname application Non-AAM application • If the application can only be access using the portal trunk’s public name • HAT required for URL rewriting Eg. Trunk name = www.extranet.com App name= www.extranet.com/uniquesig48cb675c4745e7d473e210fdf4f89f67 Dynamics CRM, sharepoint 2003, exchange 2003 Application specific hostname application AAM-like application • If an application can be configured using its own specific public hostname, which usually differs from the trunk pbulic name • Now requirement of HAT • Requires: • DNS to point both url’s to same UAG ip • Cert for both url’s • DNS suffix must match as session coockie is shared Eg. Trunk name = www.extranet.com App name= finance.extranet.com OCS 2007, Forefront identiy manager, Sharepoint 2010, MS exchange 2010,...
What is URL signing • Also known as Host Address Translation (HAT) • URL signing allows UAG to publish mulitple servers on a single ip (HostHeaders) • Add’s a url suffix to the TL domain • Incorporates link translation technology • UAG creates unique URL’s for each clickable link on the page by buffering the page and adding a uniqua SRA string ensuring you are always accessing the target UAG. • Supports • HTML • ASP • Java-script • Eg. https://uag.createhive.com/uniquesig48cb675c4745e7d473e210fdf4f89f67/ uniquesig0/p.asp
Using UAG to make you apps available File system publishing Webserver publishing Client / Server App publishing TS publishing SSTP publishing Directaccess => 28/04 Sessions done by John Craddock
What it does • Provides access to applicaions that where not designed for classic web and web publishing. • SSL tunneling • A client app listners for connectins tunnels and delivers to UAG • UAG client components has two parts • Health checking appications • SSL applications Tunneling • Socket forwarding component • Almost completely transparant to the end user
SSL Application Tunneling component UAG Back end server SSL Tunneling component 127.0.0.1:4785 10.10.10.100 23 SSL VPN
2. Client/Server applications • A lot of templates (most used are below) • Generic • Generic client application • Uses Single SSL tunnel • Generic client application (multiple server) • With multiple server we mean multiple ports to the same or other back-end servers • Uses UAG’s Socket forwarding component • Generic silent client application • No client prompt • Enhanced => to tunnel the UAG client manipulates the client and changes (eg. Registry, config files, hosts file) • Hosts required => edit host file if fail to edit file => end • Hostes options => edit host file if fail to edit file => try to launch application • Hosts disabled => don’t edit host file • All launch an SSL-VPN & launch a srcipt to run the application on the client
Auto connect • %localip%
2. Client/Server applications • A lot of templates (most used are below) • Enhanced HAT • Address translation beyond the scope of normal URL rewriting. Eg. A PDF file with a link => a click on that link, UAG sees the unavailable server requests and sens an HTTP 302 redirect to the client with the UAG public trunck as link, from now on the client will redirect all this traffic tot he public trunck name. • Generic http proxy enabled client application • Allow http proxying • Generic socks enabled client application • Allow socks 4/5 porxying • Citrix program neighbourhood (direct) • Replaced rpc over https for clients that don’t support it,...
Thing to remember • Apps use the local loopback 127.0.0.x and a port locally • If SSL tunneling does not work 3 alternatives • Network Connector (NC) => tunnels all traffic to the internal network by creating a virtual NIC with ip address (SSL-VPN) • Secure Socket Tunnelling Protocol (SSTP) => uses built in windows components, with auto client configuration (win7 and vista sp1 only) • DirectAccess (DA) => ipsec tunneling
Using UAG to make you apps available File system publishing Webserver publishing Client / Server App publishing TS publishing SSTP publishing Directaccess => 28/04 Sessions done by John Craddock
Things to know • How to create the tspub file
Using UAG to make you apps available File system publishing Webserver publishing Client / Server App publishing TS publishing SSTP publishing Directaccess => 28/04 Sessions done by John Craddock
The hidden application The app will dynamically detec If you are win7 or downlevel client And activate SSTP or NC accordingly
Thing to rembmer • Cert chain must be ok also for computer container • Root cert trusted • CRL available • Your internal servers must know how to route to those addresses
Goal of today OK • Help you understand what UAG is. • Help you get started with UAG Lingo • Help you get started with configuring UAG OK OK
More info • http://blogs.technet.com/b/edgeaccessblog/ • http://www.amazon.co.uk/Microsoft-Forefront-Unified-Administrator-27s-Handbook/dp/1849681627/ref=sr_1_3?ie=UTF8&s=books&qid=1303649443&sr=8-3 • http://www.amazon.co.uk/Deploying-Microsoft-Forefront-Unified-Professional/dp/0735649774/ref=sr_1_1?ie=UTF8&s=books&qid=1303649443&sr=8-1 • http://blogs.technet.com/b/tomshinder/
Stay up to date with TechNet Belux Register for our newsletters and stay up to date:http://www.technet-newsletters.be • Technical updates • Event announcements and registration • Top downloads Join us on Facebook http://www.facebook.com/technetbehttp://www.facebook.com/technetbelux LinkedIn: http://linkd.in/technetbelux/ Twitter: @technetbelux DownloadMSDN/TechNet Desktop Gadgethttp://bit.ly/msdntngadget
TechDays 2011 On-Demand • Watchthis session on-demand via TechNet Edge http://technet.microsoft.com/fr-be/edge/http://technet.microsoft.com/nl-be/edge/ • Download to your favorite MP3 or video player • Get access to slides and recommended resources by the speakers
If you have any more questions on anything, come and visit me at the ask the experts booth. THANK YOU Tom Decaluwé Blog: http://trycatch.be/blogs/decaluwet/ Email: tom@decaluwe.eu