Share via

Advantages of publishing SharePoint with Forefront UAG

Updated: February 15, 2013

Applies To: Unified Access Gateway

Publishing SharePoint Products and Technologies through Forefront Unified Access Gateway (UAG) can provide the following advantages to both the organization and end users:

  • Anywhere access—Users can access SharePoint sites and edit their documents from virtually anywhere: managed laptops, home computers, kiosks, and mobile devices.

  • Information leakage prevention—When users open or edit a document from a SharePoint library via Forefront UAG, no information is left on the client computer; Forefront UAG deletes all cached files, temporary files, and cookies.

  • Endpoint health-based authorization—Forefront UAG allows administrators to define access, download, and upload policies that are based not only on the identity of the user and the information that is exposed, but also on the condition of the client computer; for example, basing the policy on the computer's operating system, on the browser that is used to access the site, or on whether or not an up-to-date antivirus is running on the computer. Typical implementations of this type of authorization prevent users that don’t run an antivirus from uploading files to the SharePoint site, and they also prevent access to sensitive information from public computers.

  • Web farm load balancing (WFLB)—In a large organization with many SharePoint servers, using load balancing can ensure that traffic is distributed evenly between the servers.

    Forefront UAG uses a round-robin mechanism to ensure that user requests to a Web application serviced by a Web farm are distributed fairly among farm members that are online, by spreading requests from different IP addresses evenly among the Web farm members. This even spread is preserved during failover. When failover occurs, servers that are not responding are detected, and the load is distributed among the available servers.

    Forefront UAG uses affinity to ensure that, after a user has been routed once to a particular SharePoint server, the user continues to be routed to that server. To keep this persistency, Forefront UAG supports session affinity and IP affinity.

  • Advanced authentication schemes—Forefront UAG implements many authentication schemes, ranging from simple username and password forms to smartcard-only authentication, one-time passwords, and partner integration via Active Directory Federation Services (AD FS).

  • Enabling access to SharePoint sites from Microsoft Office Outlook Web Access—When Outlook Web Access is also published via the Forefront UAG portal, Forefront UAG makes sure that if an email message contains a link to a published SharePoint site (for example,, the link works properly even if it contains Intranet domain names (for example, https://intranet/).

  • Single sign on—Users need to sign on only once during a session. After they do, Forefront UAG saves their credentials, and they are automatically signed on to any system they want to access during the session. This is very useful when publishing several SharePoint sites or additional applications.

  • Unified portal—After a user logs on, Forefront UAG presents the user with a list of SharePoint sites and other applications that are available and for which the user is authorized. The list is dynamic and reflects the current client health and Forefront UAG server configuration.

  • Automatic timeout—Forefront UAG detects whether or not users are active, and automatically logs off users that are not active for a predefined amount of time. This is very important in remote-access scenarios, where users might leave their computer unattended in a public location.

  • Internet-ready solution—Forefront UAG was developed and designed as an Internet and perimeter network solution, and it is hardened and secured according to industry standards.

  • Secure Sockets Layer (SSL) termination—Forefront UAG can terminate SSL connections and mitigate the load off Office SharePoint Server, while providing a single point of management for certificates.

  • Application protection—Not only does Forefront UAG act as an HTTP proxy and buffer the internal servers from the Internet, it also incorporates several application-level technologies to protect computers running Office SharePoint Server from malicious attacks.

  • Policy-based access—Forefront UAG provides integrated security by ensuring compliance with predefined rules and policies.

SharePoint Server 2013, SharePoint Server 2010, and SharePoint Server 2007 provide flexible options for configuring extranet access to sites. You can provide Internet-facing access to a subset of sites on a server farm, or make all content on a server farm accessible from the Internet. You can host extranet content inside your corporate network and make it available through an edge firewall, or you can isolate the server farm inside a perimeter network.

The following table describes potential deployment scenarios for Forefront UAG and SharePoint Products and Technologies:

Remote employees

Remote employees can access corporate information and electronic resources anywhere, anytime, and any place, without requiring a virtual private network (VPN).

Remote employees may be:

  • Traveling sales employees.

  • Employees working from home offices or customer sites.

  • Geographically dispersed virtual teams.

External partners

External partners can participate in business processes and collaborate with employees of your organization using Active Directory Federation Services (AD FS) 2.0. See Deploying Forefront UAG with AD FS 2.0.

You can use an extranet to help enhance the security of data in the following ways:

  • Apply appropriate security and user-interface components to isolate partners and segregate internal data.

  • Authorize partners to use only sites and data that are necessary for their contributions.

  • Restrict partners from viewing other partners’ data.

You can optimize processes and sites for partner collaboration by:

  • Enabling employees of your organization and partner employees to view, change, add, and delete content to promote successful results for both companies.

  • Configuring alerts to notify users when content changes, or to start a workflow.