Getting to know UAG
Tom Decaluwé
Blog: http://trycatch.be/blogs/decaluwet/
Email: [email protected]
Goal of today
• Help you understand what UAG is.
• Help you get started with UAG Lingo
• Help you get started with configuring UAG
Today's Agenda
• Some general thoughts on extranet / external access
• What is UAG & compare with TMG
• UAG architecture and internals
• Using UAG to make your apps available
  • File access
  • Webserver publishing
  • Client / Server app publishing
  • TS publishing
  • SSTP network connectivity
  • DirectAccess => 28/04 sessions done by John Craddock
  • ADFS usage => 26/04 sessions done by John Craddock
• Q&A
General thoughts on extranet
The killer sentence
• The ability to access any corporate application from anywhere, in a secure,
reliable and fast manner, using any device, if the business decides to do so.
Why do I need UAG in a world that is going cloud?
• The chance of the future being a hybrid setup, cloud + on-prem, is very big.
• You will still need to give your clients access to internal apps over the Internet.
• You will need a bridge between your corpnet and the cloud networks (think of ADFS publishing).
What is UAG & compare with TMG
What is UAG => an SSL VPN secure gateway with a DirectAccess wizard
[Diagram: employees on managed machines, business partners / sub-contractors, mobile users and home / friend / kiosk machines reach UAG over the Internet via HTTP(S) (443 - 80), Layer 3 VPN, Terminal / Remote Desktop Services, DirectAccess and non-web protocols; behind UAG sit Exchange, CRM, SharePoint, IIS-based apps and IBM, SAP, Oracle back ends.]
• Strong authentication
• Endpoint health detection: NAP and down-level clients
• Authorization: based on health status, who + where
• Information leakage prevention: attachment/cache wiper
• Integrates with AD, ADFS, RADIUS, LDAP, ..., NPS, ILM
What is UAG & compare the edge
• UAG: unified platform for all enterprise remote access needs
• TMG: integrated and comprehensive protection from Internet-based threats
TMG vs UAG (at the publishing level)
• TMG
  • De-emphasised on publishing
  • Limited to HTTP(S) publishing
  • Limited to authentication as the only security measure
  • Client unaware
  • All in one box
• UAG
  • The future of publishing
  • Portal approach
  • HTTP(S) + client / server apps + VPN (including DA)
  • Health check and cleanup
  • Very flexible authentication
  • Loads of pre-built templates
  • Very detailed reporting
Why do you see so little UAG being used?
• Historical pricing => UAG used to be expensive when it was still under the Whale Communications flag and when first adopted by MS.
• TMG is widely adopted and works really well as it's a combo box.
• Commission war => integrators will make more money selling you an appliance than they will if you deploy UAG on your standard Dell/HP hardware with licenses bought through your VL agreements.
• Lack of skilled UAG deployers & training
• Complex?! To get to know, and sometimes to use, as it requires understanding of the internal apps you are publishing.
• Weak on creating an equal look and feel internal vs external
UAG architecture and internals
UAG Internal Architecture
[Diagram: the UAG logic runs on Windows Server on top of TMG, IIS, RRAS and Windows NLB. Admin layer: Management UI, SCOM MP, Tracing & Logging. Core: Session Manager, User Manager, Config. / Array Manager, UAG Filter, Portal, InternalSite, TSG / RDG, DTE / DoSP. IPv6 transition technologies: NAT-PT, DNS-ALG, ISATAP, IP-HTTPS, Teredo, 6to4, native IPv6. Access paths: Web Application Publishing, SSL Tunnel, Layer 3 IP VPN (SSTP), DirectAccess Server.]
UAG in the core
• The UAG ISAPI filter extends the core functionality of IIS
• InternalSite virtual directory
• New virtual directories per portal
UAG buildup
[Diagram: IP -> port (80 / 443) -> HTTP/HTTPS trunk -> application, with applications grouped into a logical unit. One HTTP and one HTTPS trunk per IP; you can only bind to port 80 and 443. A trunk is a collection of settings and rules.]
Two keywords in UAG lingo
Trunk
• Is like an IIS website or a TMG listener => IP + port
• Two types of trunks (*UAG cannot publish on any other ports)
  • HTTP (TCP 80)
  • HTTPS (TCP 443)
• A redirect trunk can redirect HTTP to HTTPS, not the other way around.
• Can be linked to the portal or directly to an application
• Two options
  • Portal trunk => homepage of UAG
  • ADFS trunk => SSO over the border of forests
Application
• +/- 40 templates / 5 top-level application types
• Built-in services (automatically added to the trunk)
  • File access => NTFS shares
  • Web Monitor => remote UAG management
• Web (applications)
  • SharePoint
  • Exchange
  • ...
  • Other => create your own setup
• Client/server and legacy
  • Apps that run outside of the browser
  • SSL VPN for specific apps
  • When launching an app, the UAG client components load
  • Remote Network Access => full network SSL VPN
• Browser-embedded
  • Starts in the browser and shifts to a binary
  • Citrix XenApp
• Terminal services and remote desktop
  • 5 templates
DEMO
Create an application trunk and redirect trunk
Endpoint Policies
• One of UAG's core features
• Policies are a set of conditions that have to be met by the client in order to gain access.
• End result for blocked apps
  • set to grayed out
  • hidden
• Seem complex because there are 4 policy types, each defined for 4 platforms, and two ways to create them.
• Top level policy types: access policy - upload policy - download policy - restricted zone policy
• Platforms: Windows, Mac, Linux, Other
• Creation
  • GUI driven
  • Scripted mode
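The policy model above (conditions ANDed per platform, four policy types per application, blocked apps grayed out or hidden) as a small evaluator. This is an added example written for this page, not UAG's own policy engine or script format; the policy names, the conditions and the client reports are constructed, and the only design rule taken from the slides is that an endpoint which does not meet every condition for its platform is denied.

```python
from typing import Callable, Dict, List

# A condition is a predicate over the endpoint-detection report the UAG client
# components produce; a policy lists conditions per platform (all must hold).
Condition = Callable[[dict], bool]
Policy = Dict[str, List[Condition]]

PLATFORMS = ("Windows", "Mac", "Linux", "Other")
POLICY_TYPES = ("access", "upload", "download", "restricted_zone")

# Constructed policies for the example (names and conditions are assumptions,
# not UAG's built-in policy definitions).
POLICIES: Dict[str, Policy] = {
    # Managed corporate machine: domain-joined and protected, Windows only.
    "Corp_Managed": {
        "Windows": [lambda c: c.get("domain_member") is True,
                    lambda c: c.get("antivirus_running") is True,
                    lambda c: c.get("firewall_on") is True],
    },
    # Any known platform with a running anti-virus may read data.
    "Any_With_AV": {
        "Windows": [lambda c: c.get("antivirus_running") is True],
        "Mac":     [lambda c: c.get("antivirus_running") is True],
        "Linux":   [lambda c: c.get("antivirus_running") is True],
    },
    # No conditions on any platform: always allowed.
    "Always": {p: [] for p in PLATFORMS},
}


def policy_allows(policy_name: str, client: dict) -> bool:
    """Evaluate one policy against one client report.

    Fail closed: an unknown policy, a platform the policy does not define
    (including the catch-all "Other"), or any failing condition means deny.
    """
    policy = POLICIES.get(policy_name)
    if policy is None:
        return False
    platform = client.get("platform", "Other")
    if platform not in PLATFORMS:
        platform = "Other"
    conditions = policy.get(platform)
    if conditions is None:
        return False
    return all(cond(client) for cond in conditions)


def evaluate_app(app: dict, client: dict) -> dict:
    """Evaluate the four policy types of one published application and decide
    how the portal presents it: shown, or (when access is denied) the app's
    configured blocked display, grayed or hidden."""
    result = {ptype: policy_allows(app["policies"][ptype], client) for ptype in POLICY_TYPES}
    if result["access"]:
        result["display"] = "shown"
    else:
        result["display"] = app.get("blocked_display", "hidden")  # assumption: hidden by default
    return result


# Constructed application and client reports for the example.
FINANCE_APP = {
    "name": "Finance portal",
    "policies": {"access": "Any_With_AV", "upload": "Corp_Managed",
                 "download": "Any_With_AV", "restricted_zone": "Corp_Managed"},
    "blocked_display": "grayed",
}

CLIENT_REPORTS = {
    "managed_laptop": {"platform": "Windows", "domain_member": True,
                       "antivirus_running": True, "firewall_on": True},
    "home_mac":       {"platform": "Mac", "domain_member": False, "antivirus_running": True},
    "kiosk_unknown":  {"platform": "Other", "antivirus_running": True},
}


def demo() -> Dict[str, dict]:
    """Evaluate the finance app for every constructed client report."""
    return {name: evaluate_app(FINANCE_APP, report) for name, report in CLIENT_REPORTS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The point to carry over to a real deployment is the fail-closed branch: a platform you did not explicitly configure (which is what "Other" usually ends up being for kiosks and unknown browsers) gets no access, rather than inheriting the Windows conditions.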
Require domain membership for
• ADFS
• KCD
• File-Access
• DirectAccess
• UAG Array
Using UAG to make your apps available
• File system publishing
• Webserver publishing
• Client / Server App publishing
• TS publishing
• SSTP publishing
• DirectAccess => 28/04 sessions done by John Craddock
Why use it
• Not every file system has been migrated to SharePoint yet, and not all file systems will migrate to SharePoint.
• People want access to the corporate files any time and anywhere.
• It ensures mobile users can upload their important files to backup-protected servers instead of keeping them on their mobile clients.
[Screenshots: client experience on Windows XP and Windows 7 (fully transparent file access vs web-based file access) and the server experience]
Configure File Access
• You will need the credentials of a user that can browse the network
• Add the built-in service application > File access
DEMO
Show File Access
Things to remember (File access)
• The Computer Browser service must be started and requires a change in the
Using UAG to make your apps available: Webserver publishing
Application specific hostname vs portal hostname application
Application specific hostname application (AAM-like application)
• If an application can be configured using its own specific public hostname, which usually differs from the trunk public name
• No requirement for HAT
• Requires:
  • DNS to point both URLs to the same UAG IP
  • Certificate for both URLs
  • DNS suffix must match as the session cookie is shared
• E.g. trunk name = www.extranet.com, app name = finance.extranet.com
• OCS 2007, Forefront Identity Manager, SharePoint 2010, MS Exchange 2010, ...
Portal hostname application (non-AAM application)
• If the application can only be accessed using the portal trunk's public name
• HAT required for URL rewriting
• E.g. trunk name = www.extranet.com, app name = www.extranet.com/uniquesig48cb675c4745e7d473e210fdf4f89f67
• Dynamics CRM, SharePoint 2003, Exchange 2003
What is URL signing
• Also known as Host Address Translation (HAT)
• URL signing allows UAG to publish multiple servers on a single IP (host headers)
• Adds a URL suffix to the top-level domain
• Incorporates link translation technology
• UAG creates unique URLs for each clickable link on the page by buffering the page and adding a unique SRA string, ensuring you always access the target through UAG.
• Supports
  • HTML
  • ASP
  • JavaScript
• E.g.
https://uag.createhive.com/uniquesig48cb675c4745e7d473e210fdf4f89f67/uniquesig0/p.asp
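The two slides above (application-specific hostname vs portal hostname, and URL signing / HAT) as working code. This is an added example for this page, not UAG's implementation: it rewrites the clickable links of a buffered page to signed paths on the trunk, resolves inbound signed paths back to the internal host, and checks the shared-cookie DNS suffix rule for application-specific hostnames. Assumptions, all labelled in the code: the signature is derived with an HMAC under a per-trunk secret (the real derivation is not on the page), the second path segment "uniquesig0" is treated as a fixed marker as in the slide's URL, the trunk name www.extranet.com is taken from the slides, and the page HTML and the internal host names are constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed values for this example (not from a real deployment).
TRUNK_PUBLIC_NAME = "www.extranet.com"     # trunk public name used in the slides
HAT_SECRET = b"example-per-trunk-secret"    # assumption: secret behind the signature
SIG_MARKER = "uniquesig0"                   # assumption: fixed second segment, as in the slide URL

# href/src/action attributes: the "clickable links" HAT rewrites while buffering the page.
LINK_ATTR = re.compile(r'''(\b(?:href|src|action)=)(["'])(.*?)\2''', re.IGNORECASE)


def sign_host(internal_host: str, secret: bytes = HAT_SECRET) -> str:
    """Derive the 'uniquesig<32 hex>' path segment for one internal host.

    Assumption: UAG's real derivation is not on the page. An HMAC keyed with a
    per-trunk secret gives a segment that is stable for link translation but
    not computable by someone who only knows the internal hostname.
    """
    digest = hmac.new(secret, internal_host.lower().encode(), hashlib.sha256).hexdigest()
    return "uniquesig" + digest[:32]


class HostAddressTranslator:
    """Minimal HAT for one HTTPS trunk: signed public paths <-> internal hosts."""

    def __init__(self, trunk: str = TRUNK_PUBLIC_NAME, secret: bytes = HAT_SECRET):
        self.trunk = trunk
        self.secret = secret
        self._host_by_sig = {}          # only explicitly published servers get a signature

    def publish(self, internal_host: str) -> str:
        sig = sign_host(internal_host, self.secret)
        self._host_by_sig[sig] = internal_host.lower()
        return sig

    def to_public(self, url: str) -> str:
        """Rewrite an absolute URL of a published host to its signed URL on the trunk.
        Relative links and links to unpublished hosts are returned unchanged."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host or sign_host(host, self.secret) not in self._host_by_sig:
            return url
        sig = sign_host(host, self.secret)
        query = f"?{parts.query}" if parts.query else ""
        return f"https://{self.trunk}/{sig}/{SIG_MARKER}{parts.path or '/'}{query}"

    def rewrite_html(self, html: str) -> str:
        """Link translation: rewrite every href/src/action in the buffered page."""
        return LINK_ATTR.sub(
            lambda m: f"{m.group(1)}{m.group(2)}{self.to_public(m.group(3))}{m.group(2)}", html)

    def to_internal(self, public_path: str):
        """Resolve an inbound request path on the trunk to (internal_host, path).
        Returns None (serve a 404) for an unknown signature or a malformed path:
        a forged or stale signature must not turn the gateway into an open proxy."""
        segs = public_path.split("/", 3)           # ['', sig, marker, rest]
        if len(segs) < 3 or segs[0] != "" or segs[2] != SIG_MARKER:
            return None
        host = self._host_by_sig.get(segs[1])
        if host is None:
            return None
        return host, "/" + (segs[3] if len(segs) == 4 else "")


def shares_cookie_suffix(trunk_name: str, app_public_name: str) -> bool:
    """Application-specific hostname check: the app's public name must share the
    trunk's DNS suffix, because the session cookie is scoped to that suffix.
    Simplification: compares the last two labels, without a public-suffix list."""
    return trunk_name.lower().split(".")[-2:] == app_public_name.lower().split(".")[-2:]


def demo():
    """Publish one internal server and translate a constructed page through the trunk."""
    hat = HostAddressTranslator()
    hat.publish("finance.corp.local")
    page = ('<a href="http://finance.corp.local/reports/q1.asp?y=2011">Q1</a>\n'
            '<img src="http://intranet.corp.local/logo.png">\n'
            '<a href="help.htm">Help</a>')
    return hat, hat.rewrite_html(page)


if __name__ == "__main__":
    print(demo()[1])
```

Note the asymmetry the slides point at: the link to intranet.corp.local stays an internal URL because that server was never published, which is exactly the case the Enhanced HAT client component is for later in the deck; and an inbound path with a signature the gateway did not issue resolves to nothing instead of being forwarded.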
DEMO
Publish a web application
Using UAG to make your apps available: Client / Server app publishing
What it does
• Provides access to applications that were not designed for the classic web and web publishing.
• SSL tunneling
  • A client component listens for connections, tunnels them and delivers them to UAG
• The UAG client components consist of
  • Health checking applications
  • SSL application tunneling
  • Socket forwarding component
• Almost completely transparent to the end user
SSL Application Tunneling component
[Diagram: the client application connects to the SSL Application Tunneling component on 127.0.0.1:4785; the component carries the session over the SSL VPN to UAG, which delivers it to the back-end server 10.10.10.100 on port 23.]
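The loopback-listener mechanism in the diagram, as an added example (not UAG's client component): a forwarder that accepts connections on 127.0.0.1 only and relays each one, byte for byte in both directions with proper half-close handling, to a gateway address. Assumptions, labelled in the code: the upstream leg is plain TCP here, where the real component wraps it in TLS to the HTTPS trunk; a local echo server stands in for UAG plus the back-end server (10.10.10.100:23 in the slide) so the example runs offline; and the listening port is ephemeral rather than a fixed per-application port such as 4785.

```python
import socket
import threading

TIMEOUT = 5.0   # seconds; keeps a stuck relay from hanging forever


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then propagate the half-close to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LoopbackTunnel:
    """Accepts connections on the loopback address only and forwards each one
    to the gateway. Binding 127.0.0.1 (never 0.0.0.0) matters: the tunnel is
    authenticated as *this* user's session, so nothing on the LAN may reuse it.
    Assumption: the upstream leg is plain TCP; the real component uses TLS."""

    def __init__(self, gateway_addr, listen_addr=("127.0.0.1", 0)):
        self.gateway_addr = gateway_addr
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(listen_addr)      # port 0 = ephemeral; UAG uses a fixed port per app
        self._srv.listen(5)
        self.listen_addr = self._srv.getsockname()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:          # listener closed
                return
            threading.Thread(target=self._bridge, args=(client,), daemon=True).start()

    def _bridge(self, client: socket.socket) -> None:
        try:
            upstream = socket.create_connection(self.gateway_addr, timeout=TIMEOUT)
        except OSError:
            client.close()           # gateway unreachable: refuse, do not hang the app
            return
        client.settimeout(TIMEOUT)
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
        upstream.close()
        client.close()

    def close(self) -> None:
        self._srv.close()


class EchoGateway:
    """Constructed stand-in for UAG + back-end server: echoes whatever arrives,
    serving one connection at a time (enough for the example)."""

    def __init__(self):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(5)
        self.addr = self._srv.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(TIMEOUT)
                _pump(conn, conn)    # echo back, then half-close towards the tunnel

    def close(self) -> None:
        self._srv.close()


def send_through_tunnel(payload: bytes = b"hello via loopback\r\n") -> bytes:
    """Open a tunnel in front of the echo gateway, push payload through it the way
    a client/server app would (connect to 127.0.0.1:<port>), and return the reply."""
    gateway = EchoGateway()
    tunnel = LoopbackTunnel(gateway.addr)
    try:
        with socket.create_connection(tunnel.listen_addr, timeout=TIMEOUT) as app:
            app.sendall(payload)
            app.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = app.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        tunnel.close()
        gateway.close()


if __name__ == "__main__":
    print(send_through_tunnel())
```

The half-close propagation in _pump is what makes a telnet-style session (the "Publish telnet" demo) behave the same through the tunnel as without it: when one side stops sending, the other side sees EOF instead of a silently idle connection.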
2. Client/Server applications
• A lot of templates (the most used are below)
• Generic
  • Generic client application
    • Uses a single SSL tunnel
  • Generic client application (multiple servers)
    • With multiple servers we mean multiple ports to the same or other back-end servers
    • Uses UAG's socket forwarding component
  • Generic silent client application
    • No client prompt
  • Enhanced => to tunnel, the UAG client manipulates the client and changes things (e.g. registry, config files, hosts file)
    • Hosts required => edit the hosts file; if the edit fails => stop
    • Hosts optional => edit the hosts file; if the edit fails => still try to launch the application
    • Hosts disabled => don't edit the hosts file
  • All launch an SSL VPN & launch a script to run the application on the client
• Auto connect
  • %localip%
2. Client/Server applications (continued)
• A lot of templates (the most used are below)
• Enhanced HAT
  • Address translation beyond the scope of normal URL rewriting. E.g. a PDF file with a link: on a click on that link, UAG sees the request for the unavailable server and sends an HTTP 302 redirect to the client with the UAG public trunk as the link; from then on the client will redirect all this traffic to the public trunk name.
• Generic HTTP proxy enabled client application
  • Allows HTTP proxying
• Generic SOCKS enabled client application
  • Allows SOCKS 4/5 proxying
• Citrix Program Neighborhood (direct)
• Replaces RPC over HTTPS for clients that don't support it, ...
Things to remember
• Apps use the local loopback 127.0.0.x and a local port
• If SSL tunneling does not work, there are 3 alternatives
  • Network Connector (NC) => tunnels all traffic to the internal network by creating a virtual NIC with an IP address (SSL VPN)
  • Secure Socket Tunneling Protocol (SSTP) => uses built-in Windows components, with automatic client configuration (Win7 and Vista SP1 only)
  • DirectAccess (DA) => IPsec tunneling
DEMO
Publish telnet
Using UAG to make your apps available: TS publishing
DEMO
Things to know
• How to create the .tspub file
Using UAG to make your apps available: SSTP publishing
Remote SSL VPN
NC
• For down-level clients
• Creates a virtual NIC
SSTP
• Win7 and above
• Uses the OS built-in SSTP
The hidden application
• The app dynamically detects whether you are on Win7 or a down-level client and activates SSTP or NC accordingly
DEMO
Publish VPN
Things to remember
• The cert chain must be OK, also in the computer (machine) certificate store
  • Root cert trusted
  • CRL available
• Your internal servers must know how to route to those addresses
Goal of today
• Help you understand what UAG is.
• Help you get started with UAG Lingo
• Help you get started with configuring UAG
Q&A
More info
• http://blogs.technet.com/b/edgeaccessblog/
• http://www.amazon.co.uk/Microsoft-Forefront-UnifiedAdministrator-27sHandbook/dp/1849681627/ref=sr_1_3?ie=UTF8&s=books&qid=1303649443&sr=8-3
• http://www.amazon.co.uk/Deploying-Microsoft-ForefrontUnifiedProfessional/dp/0735649774/ref=sr_1_1?ie=UTF8&s=books&qid=1303649443&sr=8-1
• http://blogs.technet.com/b/tomshinder/
Stay up to date with TechNet Belux
Register for our newsletters and stay up to date: http://www.technet-newsletters.be
• Technical updates
• Event announcements and registration
• Top downloads
Join us on Facebook: http://www.facebook.com/technetbe / http://www.facebook.com/technetbelux
Download the MSDN/TechNet Desktop Gadget: http://bit.ly/msdntngadget
LinkedIn: http://linkd.in/technetbelux/
Twitter: @technetbelux
TechDays 2011 On-Demand
• Watch this session on-demand via TechNet Edge
http://technet.microsoft.com/fr-be/edge/
http://technet.microsoft.com/nl-be/edge/
• Download to your favorite MP3 or video player
• Get access to slides and recommended resources by the speakers
If you have any more questions on anything,
come and visit me at the ask the experts
booth.
THANK YOU
Tom Decaluwé
Blog: http://trycatch.be/blogs/decaluwet/
Email: [email protected]