Configuring Forefront UAG access policies

Updated: February 1, 2011

Applies To: Unified Access Gateway

Forefront Unified Access Gateway (UAG) access policies enable you to create tiers of access, by determining whether or not endpoint devices are allowed to access internal sites and applications or perform certain operations on the application servers, depending on the security settings of the endpoint devices.

This topic describes how to modify Forefront UAG access policies and expressions, as follows:

• Configuring access policies

• Managing expressions

Configuring access policies

The following procedures provide instructions on how to create, edit, and remove, access policies.

To create access policies

1. In an area where you assign policies, click Edit Endpoint Policies.

2. On the Manage Policies and Expressions dialog box, under Components, expand Policies, and then click Add Policy.

3. On the Policy Editor dialog box, do the following:

   1. In the Name box, type the policy name.

      Note

      Text applied in the Explanatory text added to end-user Access Denied message box will not be applied. Do not specify a value.

   2. If you want to create a policy from platform-specific policies, click Create a policy from platform-specific policies.

      If you want to create a policy from expressions, click Create a policy from expressions. If you select this option, skip to step 5.

4. On the Policy Editor dialog box, under Select platform-specific policies, do the following:

   1. In each of the lists next to Windows, Mac OS, and Linux, select a platform-specific policy. If you want to create new platform-specific policies or edit existing platform-specific policies, see Configuring Forefront UAG platform-specific access policies.

   2. In the list next to Other, select the policy that applies to endpoint devices that run operating systems other than Windows, Macintosh, or Linux.

      If you want to allow access to internal sites and applications, select Always.

      If you want to block access to internal sites and applications, select Never.

   After you select policies for all the available platforms, on the Policy Editor dialog box, click OK, and then on the Manage Policies and Expressions dialog box, click Close.

5. If you selected to create the policy from expressions, on the Policy Editor dialog box, under Select expressions, in the Available expressions list, select the expression or expressions that you want to use in this policy, and then click the right arrow button. If you need to create new expressions or edit existing expressions click Create Expression. For details, see Managing expressions. When all the expressions that comprise the policy appear in the Selected expressions list, on the Policy Editor dialog box, click OK, and then, on the Manage Policies and Expressions dialog box, click Close.

To edit access policies

1. In an area where you assign policies, click Edit Endpoint Policies.

2. On the Manage Policies and Expressions dialog box, under Components, expand Policies, click the policy that you want to edit, and then click Edit Policy.

3. On the Policy Editor dialog box, make the necessary changes.

   Note

   System-defined policies have standard explanatory text. If you change the policy, make sure that you also change the explanatory text so that it reflects the new or revised functionality.

4. On the Policy Editor dialog box, click OK, and then on the Manage Policies and Expressions dialog box, click Close.

To remove an access policy

1. In an area where you assign policies, click Edit Endpoint Policies.

2. On the Manage Policies and Expressions dialog box, under Components, expand Policies, click the policy you want to remove, and then click Remove.

   Note

   You can only remove user-defined policies; you cannot remove system-defined policies.

3. On the Manage Policies and Expressions dialog box, click Close.

Managing expressions

The following procedures provide instructions on how to create, edit, and remove expressions, for access policies.

To create expressions

1. In an area where you assign policies, click Edit Endpoint Policies.

2. On the Manage Policies and Expressions dialog box, under Components, click Expressions, and then click Add Expression.

3. On the Expression Editor dialog box, do the following:

   1. In the Name box, type the expression name.

   2. In each of the lists next to Windows, Mac OS, and Linux, select a predefined platform-specific expression. If you want to create new platform-specific expressions or edit existing platform-specific expressions, see Managing platform-specific expressions.

   3. In the list next to Other, select the expression that applies to endpoint devices that run operating systems other than Windows, Macintosh, or Linux.

      If you want to allow access to internal sites and applications, select Always.

      If you want to block access to internal sites and applications, select Never.

   After you select expressions for all the available platforms, on the Expression Editor dialog box, click OK, and then on the Manage Policies and Expressions dialog box, click Close.

To edit expressions

1. In an area where you assign policies, click Edit Endpoint Policies.

2. On the Manage Policies and Expressions dialog box, under Components, expand Expressions, click the expression you want to edit, and then click Edit Expression.

3. On the Expression Editor dialog box, make the necessary changes.

4. On the Expression Editor dialog box, click OK, and then on the Manage Policies and Expressions dialog box, click Close.

To remove an expression

1. In an area where you assign policies, click Edit Endpoint Policies.

2. On the Manage Policies and Expressions dialog box, under Components, expand Expressions, click the expression you want to remove, and then click Remove.

   Note

   You can only remove user-defined expressions; you cannot remove system-defined expressions.

3. On the Manage Policies and Expressions dialog box, click Close.