SIP333: External Application Publishing thru UAG: Real

Publishing applications via the UAG portal
Remote Access Security and Windows Security
Gorazd Šemrov
Microsoft Corporation
Agenda - Why are we here?
- What is UAG
- Access challenges and primary security concerns
- Solution overview
- UAG product demonstration
- How to publish OWA/CRM/SharePoint via UAG
- How to publish applications via RDS via UAG
- Questions and Answers
A Few Questions
- What are the common applications customers want to publish?
- How do customers publish applications?
- To whom do they want to publish these applications?
- What are the solutions from Microsoft in this space?
More Important Question: What are the different Microsoft Remote Access Solutions?
Answer:
- Threat Management Gateway (TMG)
- DirectAccess
- Remote Desktop Services
- Windows RAS (SSTP)
- Unified Access Gateway (UAG)
What is UAG?
Unified Access Gateway (UAG) is the next version of Intelligent Application Gateway (IAG). Its vision and mission is to give managed, unmanaged and mobile devices unified, secure anywhere access to on-premises and in-the-cloud applications, and to simplify the platform for all Microsoft access gateway solutions.
Access is decided on Where (device) and Who (identity).
UAG and DirectAccess better together:
- Extends access to servers with IPv4 support
- Access for down-level and non-Windows clients
- Enhances scalability and management
- Simplifies deployment and administration
- Hardened edge solution
- Always on
[Figure: IPv6 DirectAccess client connects to the DirectAccess server plus UAG; UAG reaches internal servers over IPv6 or IPv4]
UAG Connectivity Approach
Each session is tailored according to its user and the device in use, maximizing security and productivity for that session.
[Figure: internal and external users (financial partner, field agent, logistics partner, project manager, remote technician, employee) on managed and unmanaged devices (home PC, kiosk, corporate laptop, unmanaged partner PC) each reach a different subset of private resources: legacy apps, custom financials, limited intranet, limited webmail with no attachments, SharePoint, payroll and HR, webmail, web apps, client-server apps, supply chain, file access, third-party apps, homegrown apps, tech support app]
Demo
UAG Product "Stack"
- Application Access: reverse proxy with an intelligent URL rewriting and manipulation engine to simplify publishing
- SSL VPN Tunneling: multiple tunnels providing access for non-web applications
- Application Intelligence: optimizers for core, common scenarios, enabling security and functionality
- End Point Detection: client and deep policies for security health assessment
- Policy and Security: layer spanning all of the above
- Management: wizard-driven configuration for core scenarios allowing easy implementation and enforcement of granular policies; web-based monitoring and control across arrays
Solution Architecture
[Figure: clients (mobile; home / friend / kiosk; business partners / sub-contractors; employees on managed machines; non-Windows) connect from the Internet / home / hotel / other company to UAG over HTTPS (443), TS, DirectAccess and non-web tunnels. UAG provides authentication, end-point health detection, enterprise readiness, edge readiness and information leakage prevention, authenticating against AD, ADFS, RADIUS, LDAP and others. Published back ends in the data center / corporate network: Exchange, CRM, SharePoint, IIS-based applications, IBM, SAP, Oracle]
Let's talk: Session and Security
- Encryption of all Internet-bound data: overlay SSL encryption on all communication; single certificate
- Session integrity and data traces: ensure sessions are terminated and no data remains on the client
Authentication repositories and methods:
- Active Directory
- LDAP
- TACACS
- RADIUS
- RSA
- Smart Card
- Certificates
- KCD
- ADFS
- Etc ... using UAG Hooks
Demo
Advanced Authentication
- Multi-Factor Authentication
- N-Factor Authentication
- Logical Authentication
- Etc ... using UAG Hooks
Customization Hooks
Called by Login.asp:
- Login.inc
- LoginForm.inc
Called by Validate.asp:
- PreValidate.inc
- ValidateSuccess.inc
- ValidateFailed.inc
- PostValidate.inc
Called by PostValidate.asp:
- PrePostValidate.inc
- PostPostValidate.inc
Flow of the validation process
Authorization
- Group authorization can be tied to each individual application
- A simple-to-use search feature allows the administrator to select individual users or groups from multiple repositories for authorization
- Users or groups can be authorized for "Allow," "View," or "Deny" to any individual application
- No need for directory replication or repetition
- Alternative approaches require a local repository
Transparent Web authentication (single sign-on to the back-end application):
- HTTP 401 request
- Static Web form
- Dynamic browser-sensitive Web form
- Kerberos Constrained Delegation
- Integrates with:
  - Password change management
  - User repositories
Demo
Endpoint Detection
- Out-of-the-box support for detection of:
  - Antivirus
  - Antimalware
  - Personal firewall
  - Desktop search/index utilities
  - And much more...
- Easy-to-configure GUI that allows simple management of policies
- Extended GUI for manual editing and modification of policies
- Leverage Windows shell scripting to create any policy and inspect any client-side variable
- Provide controlled access to application areas and operations through policy definitions
- Can allow or block application functions, including
- Works at both the client and the server
Demo
Protecting the network session and the application
- Protecting the network session: access policies; Session Cleanup Agent
- Protecting the application: out-of-the-box configuration; wizard-driven customization; fully customizable configuration; integrated application firewall
Demo
What if?
- The user is trying to access the most secure site, but is coming from an untrusted machine?
- The customer wants to provide full application access no matter where the user is coming from, but does not want to change the security requirements?
Can we be innovative...
Demo
Rich Clients and MSOFBA
- UAG supports rich clients and MSOFBA (Microsoft Office Forms Based Authentication)
- MSOFBA is supported only with:
  - Microsoft Office 2010
  - Microsoft Office 2007 with Service Pack 2
- Operating systems:
  - Windows 7
  - Windows Vista
  - Windows XP with Service Pack 3 or Windows XP with Service Pack 2
Mobile Access Scenarios
https://uagteam.com
SharePoint Mobile Browsing
- UAG 2010 fully supports publishing of the SharePoint 2010 mobile browsing interface, including the Office Web Apps for mobile.
Mobile Login (1)
- Corporate passwords are long and complicated
- Mobile devices have limited input capabilities
- Mobile devices tend to get lost, so passwords cannot be stored on them
Customers will not browse to applications if they have to type their username and password each time.
Mobile Login (2)
- UAG implements an innovative simplified login for mobile devices:
  - The user first logs in with corporate credentials
  - The credentials can then be converted to a PIN
  - Next time, the user logs in using the PIN
  - Every several days the user has to re-enter the corporate password
Mobile Login (3)
- PIN login is implemented without leaving the corporate password on the mobile device or storing it on the server:
  1. The device sends username + password + PIN to the UAG server.
  2. The UAG server, holding its own server secret, answers with Set-Cookie carrying an encrypted value built from username + password + PIN + server secret + salt.
  3. On later logins the device presents cookie + PIN; the server combines them with its server secret to recover and validate the credentials.
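The following is an added example, not UAG's own code or the presenter's, showing one way to realize the property the slides describe (the cookie, the PIN and the server secret are each useless on their own). It is a constructed design: the key is derived with PBKDF2 from the server secret, the PIN and a per-cookie salt rather than placing the secret inside the cookie, the payload is protected with encrypt-then-MAC built from HMAC-SHA256 so it runs on the Python standard library alone, and the 7-day validity, cookie layout and function names (`issue_pin_cookie`, `redeem_pin_cookie`) are assumptions made here.

```python
"""Constructed illustration of the PIN-login cookie flow (not UAG's implementation).

Device keeps only the opaque cookie, user keeps only the PIN, server keeps only
its secret; all three are needed to recover the corporate credentials.
Key sizes, cookie layout and validity period are assumptions for this example.
"""
import base64
import hashlib
import hmac
import json
import os
import time

PIN_VALIDITY_SECONDS = 7 * 24 * 3600   # assumption: "every several days" = 7 days
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def _derive_key(server_secret: bytes, pin: str, salt: bytes) -> bytes:
    """Key = PBKDF2(server secret || PIN, per-cookie salt).

    A short PIN is weak on its own. Mixing in the server secret means a lost
    device (cookie only) offers no offline guessing target, and the iteration
    count slows guessing by anyone who somehow holds both cookie and secret.
    """
    return hashlib.pbkdf2_hmac("sha256", server_secret + pin.encode("utf-8"), salt, 50_000)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys from the derived key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stream cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, sealed: bytes):
    """Return plaintext, or None when the tag fails (wrong PIN, wrong secret, tampering)."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def issue_pin_cookie(server_secret: bytes, username: str, password: str, pin: str, now=None) -> str:
    """Steps 1-2: after a full credential login, turn username + password + PIN into a cookie.

    The value goes back in Set-Cookie; the server stores nothing about it.
    """
    now = time.time() if now is None else now
    salt = os.urandom(SALT_LEN)
    key = _derive_key(server_secret, pin, salt)
    payload = json.dumps({"u": username, "p": password, "exp": now + PIN_VALIDITY_SECONDS}).encode("utf-8")
    return base64.urlsafe_b64encode(salt + _seal(key, payload)).decode("ascii")


def redeem_pin_cookie(server_secret: bytes, cookie: str, pin: str, now=None):
    """Step 3: cookie + PIN come back; return (username, password) or None.

    None covers a wrong PIN, a foreign or tampered cookie and an expired cookie.
    Because the PIN is short, the caller must still rate-limit failures per cookie.
    """
    now = time.time() if now is None else now
    try:
        blob = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except ValueError:
        return None
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt, sealed = blob[:SALT_LEN], blob[SALT_LEN:]
    plain = _open(_derive_key(server_secret, pin, salt), sealed)
    if plain is None:
        return None
    data = json.loads(plain.decode("utf-8"))
    if now >= data["exp"]:
        return None   # validity over: the corporate password must be re-entered
    return data["u"], data["p"]


if __name__ == "__main__":
    # Constructed sample run with a throwaway secret and credentials.
    secret = os.urandom(32)
    cookie = issue_pin_cookie(secret, "alice", "Corp-P@ssw0rd!", "4821")
    print("correct PIN  ->", redeem_pin_cookie(secret, cookie, "4821"))
    print("wrong PIN    ->", redeem_pin_cookie(secret, cookie, "4822"))
```

The check a practitioner would add around this: a wrong PIN is only detectable by the server (the MAC fails), so the server has to count failures per cookie and invalidate the cookie after a few, otherwise the short PIN is guessable online; and rotating the server secret revokes every outstanding PIN cookie at once, which is the intended emergency lever.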
Access Methods and Breadth of Locations
Access methods, from the narrowest to the broadest network access:
- Web proxy
- Port forwarding
- Socket forwarding
- DirectAccess
- Network connector & SSTP
[Figure: "anywhere" level plotted against breadth of locations (Internet kiosk, customer/partner PC, home PC, corporate laptop) and access method (web proxy, port/socket forwarder, network connector), with control decreasing as breadth grows]
Recap (until now)
[Figure: Unified Application Gateway™ sits between the external firewall and the internal servers (IIS, ISA Server, SQL Server, Active Directory, file shares, SharePoint Server, Exchange Server)]
Protect and safeguard features:
- Native AD integration with strong and two-factor authentication
- Single sign-on to multiple and custom directories
- Portal defined by user identity
- Endpoint policy-defined micro-portal
- Endpoint compliance check and clean-up
- File upload / download control; .EXE identification
- Session termination & inactivity timeouts
- 'Restricted zones' definitions for URLs
- Web application firewall with app-specific content, command, and URL filtering
- Positive and negative logic filtering rules
- Policy-driven intranet access with ACL-level controls
- Comprehensive monitoring and logging
Quick Summary until now
Instead of the application handling the "checklist" individually, UAG features are overlaid for each resource.
[Figure: users (financial partner, field sales rep, project manager, remote technician, employee) on devices (home PC, kiosk, unmanaged partner PC, corporate laptop) pass through the UAG feature layers (encryption, endpoint scan, authentication, SSL VPN, access control, cache cleaning, URL translation) to reach MOSS, AD, file access and related apps]