Getting to know UAG - PowerPoint PPT Presentation

Presentation Transcript

  1. Getting to know UAG Tom Decaluwé Blog: http://trycatch.be/blogs/decaluwet/ Email: tom@decaluwe.eu

  2. Goal of today • Help you understand what UAG is. • Help you get started with UAG Lingo • Help you get started with configuring UAG

  3. Today's Agenda
  • Some general thoughts on extranet / external access
  • What is UAG & compare with TMG
  • UAG architecture and internals
  • Using UAG to make your apps available
    • File access
    • Webserver publishing
    • Client / Server app publishing
    • TS publishing
    • SSTP network connectivity
  • DirectAccess => 28/04 sessions done by John Craddock
  • ADFS usage => 26/04 sessions done by John Craddock
  • Q&A

  4. General thoughts on extranet

  5. The killer sentence • The ability to access any corporate application from anywhere, in a secure, reliable and fast manner, using any device, if the business decides to do so.

  6. Why do I need UAG in a world that is going cloud? • The chance that the future is a hybrid setup (cloud + on-prem) is very big.

  7. What is UAG & compare with TMG

  8. What is UAG => an SSL VPN Secure Gateway with DirectAccess wizard
  Diagram labels: clients (Mobile; Home / Friend / Kiosk; Business Partners / Sub-Contractors; Employees; Managed Machines) reach UAG over the Internet via HTTP(S) (443 / 80), Layer 3 VPN and DirectAccess; published back ends: Exchange, CRM, SharePoint, IIS based, IBM / SAP / Oracle, Terminal / Remote Desktop Services, non-web; authentication sources: AD, ADFS, RADIUS, LDAP, ..., NPS, ILM.
  • Strong authentication
  • Endpoint health detection: NAP and down-level
  • Authorization: based on health status; who + where
  • Information leakage prevention: attachment/cache wiper

  9. What is UAG & compare the edge
  • Integrated and comprehensive protection from Internet-based threats
  • Unified platform for all enterprise remote access needs

  10. TMG vs UAG (at the publishing level)
  • TMG
    • De-emphasised on publishing
    • Limited to HTTP(S) publishing
    • Limited to auth as security
    • Client unaware
    • All in one box
  • UAG
    • The future of publishing
    • Portal approach
    • HTTP(S) + client / server app + VPN (including DA)
    • Health check and cleanup
    • Very flexible authentication
    • Loads of pre-built templates
    • Very detailed reporting

  11. Why do you see so little UAG being used?
  • Historical pricing => UAG used to be expensive when it was still under the Whale Communications flag and when first adopted by MS.
  • TMG is widely adopted and works really well as it's a combo box.
  • Commission war => integrators will make more money selling you an appliance than they will if you deploy UAG on your standard Dell/HP hardware with licenses bought through your VL agreements.
  • Lack of skilled UAG deployers & training
  • Complex?! to get to know and sometimes to use, as it requires understanding of the internal apps you are publishing.
  • Weak on creating an equal look and feel internal and external

  12. UAG architecture and internals

  13. UAG Internal Architecture
  Diagram labels: Admin Core (Management UI, SCOM MP, Tracing & Logging, Session Manager, User Manager, Config. / Array Manager); DirectAccess, Web Application Publishing, IP VPN; DirectAccess Server, Internal Site, Portal, TSG / RDG, RRAS, DTE / DoSP, SSL Tunnel, UAG Filter, DNS-ALG, NAT-PT, Native IPv6, 6to4, Teredo, IP-HTTPS, ISATAP, SSTP, Layer 3; platform: IIS, TMG, Windows NLB, UAG Logic, Windows Server.

  14. UAG in the core • ISAPI extends the core functionality of IIS • InternalSite virtual directory • New virtual directories per portal

  15. UAG buildup
  Diagram: IP Group -> HTTP/HTTPS Trunk -> Application. Annotations: port; logical unit; 1 HTTP and 1 HTTPS trunk per IP; you can only bind to port 80 and 443; collection of settings and rules.

  16. Two keywords in UAG lingo: Trunk and Application
  Trunk
  • Two types of trunks (*UAG can not publish on any other ports)
    • HTTP (TCP 80)
    • HTTPS (TCP 443)
  • Is like an IIS website or a TMG listener => ip + port
  • A redirect trunk can redirect http to https, not the other way.
  • Can be linked to the portal or direct to an application
  • Two options
    • Portal trunk => homepage of UAG
    • ADFS trunk => SSO over the border of forests
  Application
  • +/- 40 templates / 5 top-level apps
  • Built-in services (automatically added to trunk)
    • File access => NTFS shares
    • Web-Monitor => remote UAG mgt
  • Web (applications)
    • SharePoint
    • Exchange
    • ...
    • Other => create your own setup
  • Client/server and legacy
    • Apps that run outside of the browser
    • SSL VPN for specific apps
    • When launching an app the UAG client components load
    • Remote Network Access => full network SSL VPN
  • Browser-embedded
    • Starts in browser and shifts to binary
    • Citrix
    • XenApp
  • Terminal services and remote desktop
    • 5 templates

  17. Create an application trunk and redirect trunk

  18. Endpoint Policies
  • One of UAG's core features
  • Policies are a set of conditions that have to be met by the client in order to gain access.
  • End result for blocked apps
    • set to gray out
    • hidden
  • Seem complex because there are 4 situations, each with 4 platforms, and two ways to create them.
  • Creation
    • GUI driven
    • Scripted mode
  • Top-level policy: Access policy - Upload policy - Download policy - Restricted zone policy; platforms: Windows, Mac, Linux, Other

  19. Require domain membership for • ADFS • KCD • File-Access • DirectAccess • UAG Array

  20. Using UAG to make your apps available: File system publishing; Webserver publishing; Client / Server App publishing; TS publishing; SSTP publishing; DirectAccess => 28/04 sessions done by John Craddock

  21. Why use it
  • Not every filesystem has been migrated to SharePoint yet, and not all filesystems will migrate to SharePoint.
  • People want access to the corp files any time and anywhere.
  • It ensures mobile users can upload their important files to backup-protected servers instead of keeping them on their mobile clients.
  Screenshot labels: Client experience; Server experience

  22. Configure File Access • You will need the credentials of a user that can browse the network • Add the built-in service application > File access

  23. Show File Access

  24. Things to remember (File access) • The computer browser must be started and requires a change in the

  25. Using UAG to make your apps available: File system publishing; Webserver publishing; Client / Server App publishing; TS publishing; SSTP publishing; DirectAccess => 28/04 sessions done by John Craddock

  26. Application-specific hostname vs portal hostname
  Portal hostname application (non-AAM application)
  • If the application can only be accessed using the portal trunk's public name
  • HAT required for URL rewriting
  • Eg. Trunk name = www.extranet.com, App name = www.extranet.com/uniquesig48cb675c4745e7d473e210fdf4f89f67
  • Dynamics CRM, SharePoint 2003, Exchange 2003
  Application-specific hostname application (AAM-like application)
  • If an application can be configured using its own specific public hostname, which usually differs from the trunk public name
  • No requirement for HAT
  • Requires:
    • DNS to point both URLs to the same UAG IP
    • Cert for both URLs
    • DNS suffix must match, as the session cookie is shared
  • Eg. Trunk name = www.extranet.com, App name = finance.extranet.com
  • OCS 2007, Forefront Identity Manager, SharePoint 2010, MS Exchange 2010, ...

  27. What is URL signing
  • Also known as Host Address Translation (HAT)
  • URL signing allows UAG to publish multiple servers on a single IP (host headers)
  • Adds a URL suffix to the TL domain
  • Incorporates link translation technology
  • UAG creates unique URLs for each clickable link on the page by buffering the page and adding a unique SRA string, ensuring you are always accessing the target UAG.
  • Supports
    • HTML
    • ASP
    • JavaScript
  • Eg. https://uag.createhive.com/uniquesig48cb675c4745e7d473e210fdf4f89f67/uniquesig0/p.asp
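The URL-signing scheme above, as an added example that is not part of the presentation or of UAG's own code: it rewrites links to published servers into signed trunk URLs and maps a signed request back, refusing signatures that were never issued. The trunk and host names are constructed, and the signature derivation (a SHA-256 prefix) is an assumption standing in for UAG's own, which the slides do not describe.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed values: the trunk public name used on the slides and two
# fictional internal servers published behind it.
TRUNK = "www.extranet.com"
PUBLISHED = {"sharepoint.corp.local", "crm.corp.local"}


def sign_host(backend_host):
    """Per-server 'uniquesig' path segment.

    Assumption: the slides do not say how UAG derives the signature, so a
    SHA-256 prefix stands in here; it is stable and 32 hex chars long like
    the slides' example, nothing more."""
    return "uniquesig" + hashlib.sha256(backend_host.encode()).hexdigest()[:32]


# Reverse map used when a signed request comes back in.
SIGNATURES = {sign_host(host): host for host in PUBLISHED}


def translate_links(html):
    """Rewrite absolute links to published servers into signed URLs on the
    trunk (the buffering + link translation step described on the slide).
    The second 'uniquesig0' segment is kept as the slide shows it."""
    def rewrite(match):
        attr, url = match.group(1), urlsplit(match.group(2))
        if url.hostname not in PUBLISHED:
            return match.group(0)  # not published: leave the link alone
        path = url.path or "/"
        if url.query:
            path += "?" + url.query
        return '%s="https://%s/%s/uniquesig0%s"' % (
            attr, TRUNK, sign_host(url.hostname), path)
    return re.sub(r'\b(href|src)="(https?://[^"]+)"', rewrite, html)


def resolve_request(path):
    """Map an incoming signed path back to (backend host, backend path).
    Unknown or missing signatures return None so the trunk only ever
    forwards to servers that were actually published."""
    match = re.match(r"^/(uniquesig[0-9a-f]{32})/uniquesig0(/.*)$", path)
    if not match or match.group(1) not in SIGNATURES:
        return None
    return SIGNATURES[match.group(1)], match.group(2)
```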

  28. Publish a web application

  29. Using UAG to make your apps available: File system publishing; Webserver publishing; Client / Server App publishing; TS publishing; SSTP publishing; DirectAccess => 28/04 sessions done by John Craddock

  30. What it does
  • Provides access to applications that were not designed for classic web and web publishing.
  • SSL tunneling
    • A client app listens for connections, tunnels them and delivers them to UAG
  • The UAG client components have two parts
    • Health checking applications
    • SSL application tunneling: socket forwarding component
  • Almost completely transparent to the end user

  31. SSL Application Tunneling component
  Diagram: SSL Tunneling component on the client (127.0.0.1:4785) -> SSL VPN -> UAG -> back end server 10.10.10.100, port 23

  32. 2. Client/Server applications
  • A lot of templates (the most used are below)
  • Generic
    • Generic client application
      • Uses a single SSL tunnel
    • Generic client application (multiple server)
      • With multiple server we mean multiple ports to the same or other back-end servers
      • Uses UAG's socket forwarding component
    • Generic silent client application
      • No client prompt
  • Enhanced => to tunnel, the UAG client manipulates the client and changes e.g. the registry, config files or the hosts file
    • Hosts required => edit the hosts file; if it fails to edit the file => end
    • Hosts optional => edit the hosts file; if it fails to edit the file => try to launch the application anyway
    • Hosts disabled => don't edit the hosts file
  • All launch an SSL-VPN & launch a script to run the application on the client

  33. Auto connect • %localip%

  34. 2. Client/Server applications
  • A lot of templates (the most used are below)
  • Enhanced HAT
    • Address translation beyond the scope of normal URL rewriting. Eg. a PDF file with a link => on a click on that link, UAG sees the request for the unavailable server and sends an HTTP 302 redirect to the client with the UAG public trunk as link; from then on the client will redirect all this traffic to the public trunk name.
  • Generic HTTP proxy enabled client application
    • Allows HTTP proxying
  • Generic SOCKS enabled client application
    • Allows SOCKS 4/5 proxying
  • Citrix Program Neighborhood (direct)
  • Replaced RPC over HTTPS for clients that don't support it, ...

  35. Things to remember
  • Apps use the local loopback 127.0.0.x and a port locally
  • If SSL tunneling does not work, there are 3 alternatives
    • Network Connector (NC) => tunnels all traffic to the internal network by creating a virtual NIC with an IP address (SSL-VPN)
    • Secure Socket Tunneling Protocol (SSTP) => uses built-in Windows components, with auto client configuration (Win7 and Vista SP1 only)
    • DirectAccess (DA) => IPsec tunneling
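The hosts-file modes of slide 32 and the loopback endpoints of slide 35, as an added example that is not part of the presentation or of the UAG client: it plans one 127.0.0.x endpoint per app, produces the hosts entries and applies the required / optional / disabled rule to decide whether the launch goes ahead. App names, back-end hosts and the loopback numbering are constructed, and the code writes to a temporary file rather than the system hosts file.

```python
import os
import tempfile

# The three hosts-file modes of the Enhanced client/server template (slide 32).
HOSTS_REQUIRED, HOSTS_OPTIONAL, HOSTS_DISABLED = "required", "optional", "disabled"

def allocate_loopbacks(apps):
    """Give each app its own loopback endpoint (slide 35: apps use 127.0.0.x
    and a local port). Constructed scheme: 127.0.0.2, 127.0.0.3, ... reusing
    the back-end port. apps: list of (app name, back-end host, port)."""
    plan = {}
    for i, (name, host, port) in enumerate(apps, start=2):
        plan[name] = (host, "127.0.0.%d" % i, port)
    return plan

def hosts_entries(plan):
    """Hosts lines making the back-end name resolve to the loopback listener,
    so an unmodified client app connects to the tunnel."""
    return ["%s %s" % (loop, host) for host, loop, _ in plan.values()]

def launch(plan, mode, hosts_path):
    """Apply the mode to the hosts file and say whether the app launch goes
    ahead. Returns (launched, entries written)."""
    if mode == HOSTS_DISABLED:
        return True, []  # hosts disabled => never touch the file
    entries = hosts_entries(plan)
    try:
        with open(hosts_path, "a") as hosts_file:
            hosts_file.write("\n".join(entries) + "\n")
    except OSError:
        # required => edit failed, stop; optional => try to launch anyway
        return mode == HOSTS_OPTIONAL, []
    return True, entries

def demo():
    """Exercise every mode against a throwaway hosts file (constructed)."""
    plan = allocate_loopbacks([("telnet", "host1.corp.local", 23),
                               ("erp", "erp.corp.local", 8000)])
    work = tempfile.mkdtemp()
    writable = os.path.join(work, "hosts")
    unwritable = os.path.join(work, "no-such-dir", "hosts")
    return {
        "plan": plan,
        "required_ok": launch(plan, HOSTS_REQUIRED, writable),
        "required_fail": launch(plan, HOSTS_REQUIRED, unwritable),
        "optional_fail": launch(plan, HOSTS_OPTIONAL, unwritable),
        "disabled": launch(plan, HOSTS_DISABLED, unwritable),
    }
```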

  36. Publish telnet

  37. Using UAG to make your apps available: File system publishing; Webserver publishing; Client / Server App publishing; TS publishing; SSTP publishing; DirectAccess => 28/04 sessions done by John Craddock

  38. Things to know • How to create the tspub file

  39. Using UAG to make your apps available: File system publishing; Webserver publishing; Client / Server App publishing; TS publishing; SSTP publishing; DirectAccess => 28/04 sessions done by John Craddock

  40. Remote SSL VPN

  41. The hidden application • The app will dynamically detect if you are a Win7 or down-level client and activate SSTP or NC accordingly

  42. Publish VPN

  43. Things to remember • The cert chain must be OK, also for the computer container • Root cert trusted • CRL available • Your internal servers must know how to route to those addresses

  44. Goal of today • Help you understand what UAG is. OK • Help you get started with UAG lingo. OK • Help you get started with configuring UAG. OK

  45. Q&A

  46. More info
  • http://blogs.technet.com/b/edgeaccessblog/
  • http://www.amazon.co.uk/Microsoft-Forefront-Unified-Administrator-27s-Handbook/dp/1849681627/ref=sr_1_3?ie=UTF8&s=books&qid=1303649443&sr=8-3
  • http://www.amazon.co.uk/Deploying-Microsoft-Forefront-Unified-Professional/dp/0735649774/ref=sr_1_1?ie=UTF8&s=books&qid=1303649443&sr=8-1
  • http://blogs.technet.com/b/tomshinder/

  47. Stay up to date with TechNet Belux
  Register for our newsletters and stay up to date: http://www.technet-newsletters.be
  • Technical updates
  • Event announcements and registration
  • Top downloads
  Join us on Facebook: http://www.facebook.com/technetbe and http://www.facebook.com/technetbelux
  LinkedIn: http://linkd.in/technetbelux/
  Twitter: @technetbelux
  Download the MSDN/TechNet Desktop Gadget: http://bit.ly/msdntngadget

  48. TechDays 2011 On-Demand
  • Watch this session on-demand via TechNet Edge: http://technet.microsoft.com/fr-be/edge/ or http://technet.microsoft.com/nl-be/edge/
  • Download to your favorite MP3 or video player
  • Get access to slides and recommended resources by the speakers

  49. If you have any more questions on anything, come and visit me at the ask the experts booth. THANK YOU Tom Decaluwé Blog: http://trycatch.be/blogs/decaluwet/ Email: tom@decaluwe.eu