Configuring Forefront UAG platform-specific access policies

Updated: February 1, 2011

Applies To: Unified Access Gateway

This topic describes how to create, edit, and remove platform-specific policies and expressions on Forefront Unified Access Gateway (UAG), for Windows, Macintosh, and Linux platforms.

This topic covers:

  • Managing platform-specific access policies

  • Managing platform-specific expressions

Managing platform-specific access policies

The following procedures describe how to create, edit, and remove platform-specific policies for Windows, Macintosh, and Linux platforms on the Manage Platform Policies and Expressions dialog box.

To open the Manage <Platform> Policies and Expressions dialog box

  1. In an area where you assign policies, click Edit Endpoint Policies.

  2. On the Manage Policies and Expressions dialog box, under Components, select Policies, and then click Add Policy.

  3. On the Policy Editor dialog box, under Select platform-specific policies, click the button next to the platform for which you want to manage the policy. For example, to manage Windows policies, click Manage Windows Policies.

    The Manage Platform Policies and Expressions dialog box appears.

    Note

    If you are publishing applications for a mobile browser, select Other. Then select Always in the Policies and Expressions dialog box; otherwise, some mobile devices may not be able to access the mobile portal.

To create platform-specific policies

  1. On the Manage Platform Policies and Expressions dialog box, click Add Policy.

  2. On the Policy Editor for Platform dialog box, on the General Policy Settings pane, do the following:

    1. Assign a name, and then in the Category list, verify that Policies is selected.

      Note

      The field Text added to end-user Access Denied Message is not applicable to platform-specific policies.

    2. On the tree at the left, select a group of predefined variables; the title of the right pane changes to reflect the selected group. For example, if you select the group Browser, the title of the pane changes to Browser accordingly.

    3. In the right pane, select Enable Group, and then under Product, select one or more variables for the policy that you are creating.

      You can select as many groups and variables as required to define the policy. All of the groups and variables define the minimum version of the software that must run on the endpoint computer.

      Note

      The Desktop Search group defines the desktop search software that must not run on the endpoint computer for it to comply with the policy.

      If required, you can also set the version of the desktop search software. If you set the version, endpoint computers must not run a version equal to or lower than the version you define here to comply with the policy.

      If you need to define additional variables or use complex Boolean expressions to define the policy, access the advanced policy editor.

      Note

      After you edit a policy in the advanced policy editor, you can open it for further editing only in the advanced policy editor; you cannot revert to editing in the basic policy editor.

      To access the advanced policy editor, click Create As Script, and then go to step 3.

    4. After you select all the required groups and variables, in the platform-specific policy editor, click OK, and then on the platform-specific policy management dialog box, click Close. On the Policy Editor dialog box, click Cancel, and then on the Manage Policies and Expressions dialog box, click Close.

  3. On the Advanced Policy Editor for Platform dialog box, assign a name, and then verify that the Policies category is selected.

  4. Define policy components by doing the following:

    • In the Components list, click a component; a component can be either an existing expression or an existing variable. The selected component appears in the box on the right.

    • In the box, use VBScript-syntax free text to add or edit rules and rule components, as required. You can also delete rules and rule components in the box.

    Use the AND, OR, NOT, and parentheses operators to create a combination of as many components as you require.

  5. After you define all the required policy components, in the platform-specific advanced policy editor, click OK, and then on the platform-specific policy management dialog box, click Close. On the Policy Editor dialog box, click Cancel, and then on the Manage Policies and Expressions dialog box, click Close.

To edit platform-specific policies

  1. On the Manage Platform Policies and Expressions dialog box, under Components, in the policies tree, select the policy that you want to edit, and then click Edit Policy. If the Advanced Policy Editor for Platform dialog box appears, skip to step 3.

  2. On the Policy Editor for Platform dialog box, on the General Policy Settings pane, make the necessary changes.

    Note

    The field Text added to end-user Access Denied Message is not applicable to platform-specific policies.

    You can select as many groups and variables as required to edit the policy. All of the groups and variables define the minimum version of the software that must run on the endpoint computer.

    Note

    The Desktop Search group defines the desktop search software that must not run on the endpoint computer for it to comply with the policy.

    If required, you can also set the version of the desktop search software. If you set the version, endpoint computers must not run a version equal to or lower than the version you define here to comply with the policy.

    If you need to define additional variables or use complex Boolean expressions to define the policy, access the advanced policy editor.

    Note

    After you edit a policy in the advanced policy editor, you can open it for further editing only in the advanced policy editor; you cannot revert to editing in the basic policy editor.

    To access the advanced policy editor, click Create As Script, and then go to step 3.

    After you make all the necessary changes, in the platform-specific policy editor, click OK, and then on the platform-specific policy management dialog box, click Close. On the Policy Editor dialog box, click Cancel, and then on the Manage Policies and Expressions dialog box, click Close.

  3. On the Advanced Policy Editor for Platform dialog box, make the necessary changes. Edit policy components by doing the following:

    • In the Components list, click a component; a component can be either an existing expression or an existing variable. The selected component appears in the box on the right.

    • In the box, use VBScript-syntax free text to add or edit rules and rule components, as required. You can also delete rules and rule components in the box.

    Use the AND, OR, NOT, and parentheses operators to create a combination of as many components as you require.

  4. After you edit all the required policy components, in the platform-specific advanced policy editor, click OK, and then on the platform-specific policy management dialog box, click Close. On the Policy Editor dialog box, click Cancel, and then on the Manage Policies and Expressions dialog box, click Close.

To remove a platform-specific policy

  1. On the Manage Platform Policies and Expressions dialog box, under Components, in the policies tree, select the policy that you want to remove, and then click Remove.

    Note

    You can only remove user-defined policies; you cannot remove system-defined policies.

  2. On the Manage Platform Policies and Expressions dialog box, click Close. On the Policy Editor dialog box, click Cancel, and then on the Manage Policies and Expressions dialog box, click Close.

Managing platform-specific expressions

The following procedures describe how to create, edit, and remove expressions for Windows, Macintosh, and Linux platforms on the Manage Platform Policies and Expressions dialog box.

To open the Manage <Platform> Policies and Expressions dialog box

  1. In an area where you assign policies, click Edit Endpoint Policies.

  2. On the Manage Policies and Expressions dialog box, under Components, select Expressions, and then click Add Expression.

  3. On the Expression Editor dialog box, click the button next to the platform for which you want to manage the expression. For example, to manage Windows expressions, click Manage Windows Expressions.

    The Manage Platform Policies and Expressions dialog box appears.

To create platform-specific expressions

  1. On the Manage Platform Policies and Expressions dialog box, under Components, select the expressions tree, for example Windows Expressions, and then click Add Expression.

  2. On the Policy Editor for Platform dialog box, do the following:

    1. Assign a name, and then select the Expressions category.

      Note

      The field Text added to end-user Access Denied Message is not applicable to platform-specific policies.

    2. On the tree at the left, select a group of predefined variables; the title of the right pane changes to reflect the selected group. For example, if you select the group Browser, the title of the right pane changes to Browser accordingly.

    3. In the right pane, select Enable Group, and then under Product, select one or more variables for the expression that you are currently creating or editing.

      You can select as many groups and variables as required to define the expression. All of the groups and variables define the minimum version of the software that must run on the endpoint computer.

      Note

      The Desktop Search group defines the desktop search software that must not run on the endpoint computer for it to comply with the expression.

      If required, you can also set the version of the desktop search software. If you set the version, endpoint computers must not run a version equal to or lower than the version you define here to comply with the expression.

      If you need to define additional variables or use complex Boolean expressions to define the expression, access the advanced policy editor.

      Note

      After you edit an expression in the advanced policy editor, you can open it for further editing only in the advanced policy editor; you cannot revert to editing in the policy editor.

      To access the advanced policy editor, click Create As Script, and then go to step 3.

    4. After you select all the required groups and variables, in the platform-specific policy editor, click OK, and then on the platform-specific policy management dialog box, click Close. On the Expression Editor dialog box, click Cancel, and then on the Manage Policies and Expressions dialog box, click Close.

  3. On the Advanced Policy Editor for Platform dialog box, assign a name, and then select the Expressions category.

  4. Define expression components by doing the following:

    • In the Components list, click a component; a component can be either an existing expression or an existing variable. The selected component appears in the box on the right.

    • In the box, use VBScript-syntax free text to add or edit rules and rule components, as required. You can also delete rules and rule components in the box.

    Use the AND, OR, NOT, and parentheses operators to create a combination of as many components as you require.

  5. After you define all the required expression components, in the platform-specific advanced policy editor, click OK, and then on the platform-specific policy management dialog box, click Close. On the Expression Editor dialog box, click Cancel, and then on the Manage Policies and Expressions dialog box, click Close.

To edit platform-specific expressions

  1. On the Manage Platform Policies and Expressions dialog box, under Components, expand the expressions tree, for example Windows Expressions, select the expression that you want to edit, and then click Edit Expression. If the Advanced Policy Editor for Platform dialog box appears, skip to step 3.

  2. On the Policy Editor for Platform dialog box, make the necessary changes.

    Note

    The field Text added to end-user Access Denied Message is not applicable to platform-specific policies.

    You can select as many groups and group items as required to edit the expression. All of the groups and variables define the minimum version of the software that must run on the endpoint computer.

    Note

    The Desktop Search group defines the desktop search software that must not run on the endpoint computer for it to comply with the expression.

    If required, you can also set the version of the desktop search software. If you set the version, endpoint computers must not run a version equal to or lower than the version you define here to comply with the expression.

    If you need to define additional variables or use complex Boolean expressions to define the expression, access the advanced policy editor.

    Note

    After you edit an expression in the advanced policy editor, you can open it for further editing only in the advanced policy editor; you cannot revert to editing in the policy editor.

    To access the advanced policy editor, click Create As Script, and then go to step 3.

    After you make all the necessary changes, in the platform-specific policy editor, click OK, and then on the platform-specific policy management dialog box, click Close. On the Expression Editor dialog box, click Cancel, and then on the Manage Policies and Expressions dialog box, click Close.

  3. On the Advanced Policy Editor for Platform dialog box, make the necessary changes.

  4. Edit expression components by doing the following:

    • In the Components list, click a component; a component can be either an existing expression or an existing variable. The selected component appears in the box on the right.

    • In the box, use VBScript-syntax free text to add or edit rules and rule components, as required; you can also delete rules and rule components in the box.

    Use the AND, OR, NOT, and parentheses operators to create a combination of as many components as you require.

  5. After you make all the necessary changes, in the platform-specific advanced policy editor, click OK, and then on the platform-specific policy management dialog box, click Close. On the Expression Editor dialog box, click Cancel, and then on the Manage Policies and Expressions dialog box, click Close.
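Added example, not part of the original topic and not UAG code: the advanced policy editor steps above (for both policies and expressions) combine components with AND, OR, NOT, and parentheses in VBScript syntax, where NOT binds tighter than AND and AND binds tighter than OR. The Python sketch below models that precedence and lists the endpoint states that a policy written without parentheses admits but the parenthesized policy denies. The variable names are hypothetical, and the evaluator stands in for standard VBScript logical precedence, not for UAG's own engine.

```python
import itertools
import re

# Hypothetical variable names (constructed); real ones come from the Components list.
VARS = ["AV_Running", "FW_Running", "DesktopSearch_Running"]
LOOSE = "AV_Running OR FW_Running AND NOT DesktopSearch_Running"
INTENDED = "(AV_Running OR FW_Running) AND NOT DesktopSearch_Running"

def evaluate(expr, env):
    """Evaluate with VBScript logical precedence: NOT, then AND, then OR."""
    tokens = re.findall(r"[()]|\w+", expr)
    pos = 0
    def peek():
        return tokens[pos].upper() if pos < len(tokens) else None
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None
    def parse_or():
        value = parse_and()
        while peek() == "OR":
            take()
            value = parse_and() or value   # operand parsed first, always consumed
        return value
    def parse_and():
        value = parse_not()
        while peek() == "AND":
            take()
            value = parse_not() and value
        return value
    def parse_not():
        tok = take()
        if tok is None:
            raise ValueError("expression ends early")
        if tok.upper() == "NOT":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        return bool(env[tok])              # KeyError for an unknown variable
    result = parse_or()
    if pos != len(tokens):
        raise ValueError("unexpected token: " + tokens[pos])
    return result

def admitted_by_mistake(loose, intended):
    """Endpoint states the loose policy admits but the intended one denies."""
    states = (dict(zip(VARS, v)) for v in itertools.product([False, True], repeat=len(VARS)))
    return [s for s in states if evaluate(loose, s) and not evaluate(intended, s)]
```

With the two sample policies, every state returned has the desktop search variable set to true: the unparenthesized form is read as AV_Running OR (FW_Running AND NOT DesktopSearch_Running), so the "must not run" condition applies only to the firewall branch.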

To remove a platform-specific expression

  1. On the Manage Platform Policies and Expressions dialog box, under Components, expand the expressions tree, select the expression that you want to remove, and then click Remove.

    Note

    You can only remove user-defined expressions; you cannot remove system-defined expressions.

  2. On the Manage Platform Policies and Expressions dialog box, click Close. On the Expression Editor dialog box, click Cancel, and then on the Manage Policies and Expressions dialog box, click Close.