Application properties help
Updated: September 6, 2012
Applies To: Unified Access Gateway
After using the Forefront Unified Access Gateway (UAG) Add Application Wizard to publish an application directly or via a portal, you can modify and configure the settings of published applications. This topic provides a summary of the application properties and settings.
General tab
Web Servers tab
Server Settings tab
Web Settings tab
Client Settings tab
Web Server Security tab
Cookie Encryption tab
Endpoint Policy tab
Download/Upload tab
Authorization tab
Portal Link tab
General tab
Configure the name used to identify the application in the trunk, and specify prerequisite applications that must be running, in order to run the application.
- Name
Configure the name used to identify the application in the trunk.
- Prerequisite applications
Specify the application that must be running in order for the published application to run. This setting applies only to client/server and legacy applications published in portal trunks. Forefront Unified Access Gateway (UAG) automatically launches prerequisite applications before starting a dependent application. For example, if an application requires a connection to an internal share, you can add a local drive mapping application that maps the required drive, and define it as a prerequisite application. The number of prerequisite applications available is indicated in Number of Prerequisite Applications.
- Inactivity period
Define the inactivity period for the application. This setting is useful for monitoring application usage. When a user does not use the application for the specified time, an “application exited” message is sent to the Web Monitor; when the user resumes using the application, an “application accessed” message is sent. If the period is set to zero, the application is closed only when the user session ends.
Web Servers tab
On the Web Servers tab, configure the settings for built-in services, Web applications, and browser-embedded applications, published in a portal.
- IP/Host
Click IP/Host to identify the Web server with one or more IP addresses or DNS host names. Click Subnet to define multiple IP addresses with a subnet and mask. Click Regular Expression to define multiple IP addresses using the Regex++ regular expression syntax to define the address range in Addresses. For example: [0-9A-Z-]+\.contoso\.com. When you use regular expressions, a corresponding rule is added in Forefront Threat Management Gateway (TMG), to allow traffic from the local host network (the Forefront UAG server) to any server in the Forefront TMG internal network, on the configured port. Keep the pattern as specific as possible, because that TMG rule itself does not restrict which internal servers can be reached on the port.
- Addresses
If you select IP/Host, double-click in the Addresses list to add a value.
- Paths
If the Paths list appears, double-click in the list to specify the path of the published application. A path must start with a slash (/) character. You can specify regular expressions (using the Regex++ regular expression syntax) to define a path. Special characters should be preceded by the escape character ("\").
- HTTP port; HTTPS port
Specify the port on which the application is published. To use the default port for the application, type Auto. To enable all ports, type All. To disable all ports, leave the field empty.
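The following is an added example, not code from the page or from Forefront UAG: it checks a Regular Expression server definition of the kind shown above against host names before you publish it. Whether Forefront UAG matches the pattern against the whole host name (anchored) and case-insensitively is not stated on the page; both are assumptions here, and the example also evaluates the looser substring interpretation so you can see which hosts would leak through it. The sample host names are constructed.

```python
"""Review a Web Servers tab regular expression against intended and unintended hosts.

Added example (not UAG code). Assumptions: anchored, case-insensitive matching;
the substring check shows what an unanchored implementation would let through.
"""
import re

# The pattern from the page, with the character class [0-9A-Z-] written out properly.
PATTERN = r"[0-9A-Z-]+\.contoso\.com"


def anchored_match(pattern, host):
    """True if the whole host name matches the pattern (re.fullmatch). Case-insensitive: assumption."""
    return re.fullmatch(pattern, host, re.IGNORECASE) is not None


def substring_match(pattern, host):
    """True if the pattern matches anywhere inside the host name (re.search)."""
    return re.search(pattern, host, re.IGNORECASE) is not None


def review_pattern(pattern, intended, unintended):
    """Return the hosts whose outcome differs from what the administrator intends.

    intended   - hosts the pattern must match
    unintended - look-alike hosts that must not become reachable
    Result keys: misses (intended but unmatched), leaks_anchored (unintended but
    matched even when anchored), leaks_substring (unintended but matched as a substring).
    """
    return {
        "misses": [h for h in intended if not anchored_match(pattern, h)],
        "leaks_anchored": [h for h in unintended if anchored_match(pattern, h)],
        "leaks_substring": [h for h in unintended if substring_match(pattern, h)],
    }


# Constructed sample host names (not from the page).
INTENDED = ["owa01.contoso.com", "SP-WFE-2.contoso.com"]
UNINTENDED = [
    "owa01.contoso.com.attacker.example",  # suffix appended: only substring matching lets it through
    "evil.owa01.contoso.com",              # extra label on the left: again only substring matching
    "owa01.contoso.co",                    # wrong TLD: never matches
]

if __name__ == "__main__":
    print(review_pattern(PATTERN, INTENDED, UNINTENDED))
```

A pattern that produces an empty `leaks_substring` list is safe under either interpretation; if it does not, tighten the pattern rather than relying on the gateway to anchor it for you.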
Server Settings tab
On the Server Settings tab, configure the server settings for non-Web applications published in a portal. Server settings vary, depending on the application. For application-specific information, see Server settings reference (non-Web applications).
Web Settings tab
On the Web Settings tab, specify how remote user credentials are forwarded to application servers that require user authentication.
- Use single sign-on to send credentials to published applications
Select this setting to enable single sign-on using the credentials presented by the user. When this check box is selected, and after users enter credentials that are valid for the application (such as during portal logon), users do not need to reauthenticate against the published application server. If this check box is selected and the application server does not validate the forwarded authentication data, access is denied.
- Select authentication servers
Select this setting to select the authentication servers against which user credentials will be evaluated for the published application server. To add an authentication server, click Add. In the Authentication and Authorization Servers dialog box, add the required servers.
- Use Kerberos constrained delegation for single sign-on
Select this setting to specify Kerberos constrained delegation as the single sign-on authentication method. In the Application box, enter the service principal name (SPN) of the application. If you use Kerberos constrained delegation, you can only select the 401 request authentication method.
Each instance of a service that uses Kerberos constrained delegation authentication must have an SPN defined for it, so that clients can identify that instance of the service on the network. The SPN is registered in the Active Directory Service-Principal-Name attribute of the Windows account under which the instance of the service is running; that is, the SPN is associated with the account under which the service instance it names is running. When a service needs to authenticate to another service running on a specific computer, it uses that service's SPN to differentiate it from other services running on that computer.
You can set the SPN explicitly, or you can use the wildcard *, for example: owa/*. If you use a wildcard, the addresses for all the servers of this application (defined in the Web Servers tab) must be host names, not IP addresses, because the wildcard is translated to each of the host names defined in the Web Servers tab.
Note
In a Forefront UAG array, the SPN should be registered on each array member.
- 401 request
Select this setting to specify that Forefront UAG should use Basic or NTLM as the authentication method to the published web applications. Forefront UAG chooses between Basic and NTLM based on the WWW-Authenticate HTTP response headers it receives from the published web application. Because Basic sends the user's credentials in clear text (only base64-encoded), make sure the connection from Forefront UAG to the application server uses HTTPS if the server may offer Basic.
- HTML form
Select to authenticate users to published Web applications using an HTML form.
- Both
Select to authenticate users with an HTTP 401 and an HTML form.
- Verify URLs
Select this setting to inspect URL requests from the application against the URL inspection rules configured for the application type. Application-type settings are configured on the URL Set tab of the trunk properties. If you do not select Verify URLs, URL inspection is disabled for this application only. Application requests are still checked against general rules, such as internal site rules. To completely disable URL inspection, you must enable Debug Mode on the General tab of the trunk properties; Debug Mode affects the whole trunk and should not be left enabled on a production trunk.
- Evaluate without enforcement
Select this setting to specify that URL requests from the application are inspected against the URL inspection rules for the application, but that the rules are not enforced. When this check box is selected, if a request is not accepted by one of the application rules, the failure is logged in the security log and the request is allowed. Use this mode to validate new rules against real traffic before enforcing them.
- Allow data using WebDAV methods
Select this setting to allow browsers to send HTTP data to the application, in requests that use WebDAV methods.
- Check XML data integrity
Select this setting to inspect XML integrity in the HTTP data.
- Apply URL character rules
Select this setting to verify URLs against the URL character rules configured for the application type. Application-type settings are configured on the URL Inspection tab of the trunk properties.
- Use user-dependent variables
Select this setting if any of the application's URLs use variables.
- Allow POST requests without a content-type handler
Select this setting to specify that HTTP POST requests without a content-type header will be handled. If this check box is not selected, such requests are rejected.
- Ignore predefined URL list in session timeout calculation
Select this setting to specify that for each out-of-the-box application type, Forefront UAG automatically configures a list of application-aware URLs that will be ignored in the calculation of the inactive session timeout. The list can be edited on the Global URL Settings tab of the trunk properties.
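The following is an added example, not code from the page or from Forefront UAG. It expands the wildcard SPN form accepted in the Application box (for example owa/*) against the addresses listed on the Web Servers tab and rejects configurations that cannot work, in particular a wildcard combined with IP addresses, which the page says is not allowed. The setspn command lines it produces are this example's suggestion for registering the resulting SPNs; the account name CONTOSO\svc-owa and the server names are placeholders.

```python
"""Expand a wildcard SPN against the Web Servers list and emit setspn commands.

Added example (not UAG code). The Web Servers entries and the account name are
placeholders; the expansion rule follows the page: the wildcard is translated
to each host name on the Web Servers tab, and IP addresses are not allowed.
"""
import ipaddress


def is_ip_address(value):
    """True for an IPv4 or IPv6 literal, False for a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def expand_spn(spn, web_servers):
    """Return the concrete SPNs for `spn`.

    spn         - "service/host" as typed in the Application box; host may be "*"
    web_servers - addresses from the Web Servers tab (IP/Host list)
    Raises ValueError for a malformed SPN, or for a wildcard used with IP addresses.
    Duplicate host names (case-insensitive) are collapsed; the first spelling is kept.
    """
    service, sep, host = spn.partition("/")
    if not sep or not service or not host:
        raise ValueError(f"SPN must be service/host, got {spn!r}")
    if host != "*":
        return [spn]  # explicit SPN: used exactly as typed
    bad = [s for s in web_servers if is_ip_address(s)]
    if bad:
        raise ValueError(f"wildcard SPN needs host names, but Web Servers lists IP addresses: {bad}")
    seen, out = set(), []
    for h in web_servers:
        if h.lower() not in seen:
            seen.add(h.lower())
            out.append(f"{service}/{h}")
    return out


def setspn_commands(spns, account):
    """setspn -S registers each SPN only after checking that it is not already
    registered on another account, which avoids the duplicate-SPN failures that
    break Kerberos authentication."""
    return [f"setspn -S {s} {account}" for s in spns]


if __name__ == "__main__":
    # Constructed Web Servers list (placeholders, not from the page).
    servers = ["mail1.contoso.com", "Mail2.contoso.com", "MAIL1.contoso.com"]
    for cmd in setspn_commands(expand_spn("owa/*", servers), r"CONTOSO\svc-owa"):
        print(cmd)
```

Run the generated commands on a domain-joined machine with rights to modify the service account, and in an array run the check for every member's Web Servers list, since the page notes the SPN must be registered for each array member.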
Client Settings tab
On the Client Settings tab, for client/server, legacy, and browser-embedded applications published in a portal, you can specify how the Forefront UAG Socket Forwarding component is activated on client endpoints.
- Socket Forward Mode: Disabled
Select to indicate that the Socket Forwarding component is not used with the application.
- Socket Forward Mode: Bind tunnel to client executable
Select this setting to restrict client endpoint access to the server IP addresses and ports of the application to the process or processes you define in the Client Executable list.
Web Server Security tab
On the Web Server Security tab, configure settings to protect applications against HTTP request smuggling (HRS). Note that you cannot configure HRS for client/server and legacy applications.
- Activate smuggling protection
Select this setting to protect the application against HTTP request smuggling attacks by blocking a request when all of the following conditions apply: the method is POST, the content-type is not listed in the content-type list, and the body length is greater than the specified maximum length.
This option should be enabled only for servers that are vulnerable to HRS attacks. If you enable this option when it is not required, applications may not behave as expected.
- Content Types
Specify content-types that are allowed. POST requests of content-types that are not listed are blocked if they are greater than the size defined in Maximum HTTP body.
- Maximum HTTP body
Specify the maximum size of a POST request. Requests larger than the specified maximum are blocked.
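The following is an added example, not code from the page or from Forefront UAG: a model of the smuggling-protection rule described on this tab, run over constructed raw HTTP requests. A request is blocked only when all three conditions hold (POST, unlisted content-type, body over the maximum). How Forefront UAG measures the length is not stated on the page; this example takes the larger of the declared Content-Length and the bytes actually received, which is an assumption. The `ambiguous_framing` check at the end is not part of the UAG rule; it flags the conflicting-framing headers that request smuggling relies on, so you can see which blocked requests actually looked like smuggling attempts.

```python
"""Model of the Web Server Security tab's smuggling-protection rule.

Added example (not UAG code). The sample requests are constructed, not captured.
"""
from dataclasses import dataclass, field


@dataclass
class SmugglingPolicy:
    enabled: bool = True                        # "Activate smuggling protection"
    content_types: set = field(default_factory=lambda: {
        "application/x-www-form-urlencoded", "text/xml"})   # "Content Types" list
    max_body_bytes: int = 1024                  # "Maximum HTTP body"


def parse_request(raw: bytes):
    """Split a raw request into (method, headers, body).

    Header names are lower-cased; repeated headers are kept as a list so that
    ambiguous framing (two Content-Length values) stays visible."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers, body


def media_type(headers):
    """Content-Type without parameters such as charset or boundary."""
    return headers.get("content-type", [""])[0].split(";", 1)[0].strip().lower()


def body_length(headers, body):
    """Assumption: the larger of any declared Content-Length and the bytes received."""
    declared = 0
    for v in headers.get("content-length", []):
        if v.isdigit():
            declared = max(declared, int(v))
    return max(declared, len(body))


def evaluate(policy, raw):
    """Return (allowed, reason) for one request under the rule on this tab."""
    method, headers, body = parse_request(raw)
    if not policy.enabled:
        return True, "smuggling protection disabled"
    if method != "POST":
        return True, "not a POST"
    if media_type(headers) in policy.content_types:
        return True, "content-type is in the allowed list"
    length = body_length(headers, body)
    if length > policy.max_body_bytes:
        return False, f"POST of unlisted type, {length} bytes > {policy.max_body_bytes}"
    return True, "POST of unlisted type but within the body limit"


def ambiguous_framing(raw):
    """Not part of the UAG rule: True when the request carries Transfer-Encoding
    alongside Content-Length, or several Content-Length values."""
    _, headers, _ = parse_request(raw)
    has_cl = "content-length" in headers
    return (has_cl and "transfer-encoding" in headers) or len(headers.get("content-length", [])) > 1


def build(method, ctype, body: bytes, extra=()):
    """Build a constructed sample request (not captured traffic)."""
    h = [f"{method} /app/submit HTTP/1.1", "Host: portal.contoso.com"]
    if ctype:
        h.append(f"Content-Type: {ctype}")
    h.append(f"Content-Length: {len(body)}")
    h.extend(extra)
    return ("\r\n".join(h) + "\r\n\r\n").encode() + body


POLICY = SmugglingPolicy()
FORM_POST = build("POST", "application/x-www-form-urlencoded", b"a=" + b"x" * 3000)
BIG_UNLISTED = build("POST", "text/plain", b"x" * 3000)
SMALL_UNLISTED = build("POST", "text/plain", b"hello")
SMUGGLE_ATTEMPT = build("POST", "text/plain", b"x" * 3000, ["Transfer-Encoding: chunked"])

if __name__ == "__main__":
    for name, req in [("form", FORM_POST), ("big", BIG_UNLISTED), ("small", SMALL_UNLISTED), ("smuggle", SMUGGLE_ATTEMPT)]:
        print(name, evaluate(POLICY, req), "ambiguous framing:", ambiguous_framing(req))
```

Note that the rule passes a large POST as long as its content-type is on the list, which is why the list must contain only the types the application genuinely accepts; an over-broad list removes the protection for exactly the requests it was meant to stop.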
Cookie Encryption tab
On the Cookie Encryption tab, specify that all Set-Cookie headers will be encrypted, except for those defined in the global and per-application cookie lists.
- Enable cookie encryption
Select to enable cookie encryption.
- Exclude
Select to specify that all Set-Cookie headers are encrypted except those listed in the global cookie list and in the per-application cookie list.
- Include
Select to specify that only Set-Cookie headers specified in the per-application cookie list will be encrypted. Note that encrypted cookie names and values are decrypted by Forefront UAG when they are returned by the browser in the cookie header. If the cookie encryption process encounters problems when a remote user requests a page, the cookie header in the request is blocked and not forwarded to the server.
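The following is an added example, not code from the page or from Forefront UAG. It implements the Exclude/Include selection described on this tab, then a round trip: a cookie's name and value are encrypted in the outbound Set-Cookie header and decrypted from the browser's Cookie header, and the whole Cookie header is blocked (returned as None) when any encrypted cookie fails to decrypt, as the page describes. The cipher construction (an HMAC-SHA256 keystream with a separate encrypt-then-MAC tag, standard library only) and the `UAG_` prefix used to recognise encrypted names are this example's choices, not UAG's format; in real code use a vetted AEAD such as AES-GCM.

```python
"""Cookie Encryption tab: Exclude/Include selection and a fail-closed round trip.

Added example (not UAG code). MARKER and the cipher construction are assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import os

MARKER = "UAG_"  # assumed prefix identifying an encrypted cookie name on the way back


def select_for_encryption(cookie_names, mode, app_list, global_list=()):
    """Exclude: encrypt everything except names on the global and per-application lists.
    Include: encrypt only the names on the per-application list."""
    app = {n.lower() for n in app_list}
    glob = {n.lower() for n in global_list}
    if mode == "exclude":
        return [n for n in cookie_names if n.lower() not in app | glob]
    if mode == "include":
        return [n for n in cookie_names if n.lower() in app]
    raise ValueError(f"unknown mode {mode!r}")


def _subkey(key, label):
    """Derive separate encryption and MAC keys so the two HMAC uses cannot collide."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, n):
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key, data: bytes, nonce=None) -> str:
    """Encrypt-then-MAC: token = base64url(nonce || ciphertext || tag[:16])."""
    enc, mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = nonce if nonce is not None else os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc, nonce, len(data))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")


def unseal(key, token: str):
    """Return the plaintext bytes, or None if the token is malformed or tampered with."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 28:
        return None
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    enc, mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def encrypt_set_cookie(key, name, value):
    """Outbound: Set-Cookie name=value becomes UAG_<sealed name>=<sealed value>."""
    return f"{MARKER}{seal(key, name.encode())}={seal(key, value.encode())}"


def decrypt_cookie_header(key, cookie_header):
    """Inbound: decrypt marked cookies and pass others through. Returns the rewritten
    Cookie header, or None (header blocked, not forwarded) if any marked cookie fails."""
    out = []
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if not name.startswith(MARKER):
            out.append(f"{name}={value}")
            continue
        n, v = unseal(key, name[len(MARKER):]), unseal(key, value)
        if n is None or v is None:
            return None
        out.append(f"{n.decode()}={v.decode()}")
    return "; ".join(out)


if __name__ == "__main__":
    k = os.urandom(32)  # constructed key; UAG manages its own
    sc = encrypt_set_cookie(k, "ASP.NET_SessionId", "abc123")
    print(sc)
    print(decrypt_cookie_header(k, sc + "; Locale=en-US"))
```

The fail-closed behaviour is the point: a cookie whose tag does not verify yields None for the whole header, so a tampered session cookie never reaches the application server as a plausible-looking value.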
Endpoint Policy tab
On the Endpoint Policy tab, specify the conditions with which remote client endpoints must comply in order to access the published application.
- Access policy
Specify the access policy with which endpoints must comply in order to access the published application.
- Upload policy
Specify the access policy with which endpoints must comply in order to upload files associated with the published application.
- Download policy
Specify the access policy with which endpoints must comply in order to download files associated with the published application.
- Restricted zone policy
Specify the access policy with which endpoints must comply in order to access restricted zones for the published application, if restricted zones are defined.
Download/Upload tab
On the Download/Upload tab, apply a download or upload policy for published applications. You can specify the method by which Forefront UAG identifies URLs to enforce a download or upload policy. Note that if none of the options in the Download/Upload tab are selected, no downloads or uploads will be blocked, regardless of the download or upload policies for the applications.
- Identify by URLs
Select this setting to specify that URLs should be identified by checking against the Download URL or Upload URL lists. These lists can be viewed and modified in the Global URL Settings tab of the trunk properties.
- Identify by extensions
Select to specify that URLs should be identified by checking file extensions.
- Identify by extensions: Exclude
Select to specify that only file extensions listed are allowed when an endpoint policy is enforced.
- Identify by extensions: Include
Select to specify that the file extensions listed are blocked. Note that extensions should not include the preceding dot (.). For example, you should specify exe and not .exe. To allow or block uploading or downloading of files without an extension, specify no ext in the relevant extension list. Ensure that for extensions in the list, the association between the extensions and content-types is the same on Forefront UAG as on the application server.
- Unknown content-type
Specify the unknown content type settings of an application. This is required to block downloads by extension.
- Identify by size
Select to specify that URLs should be identified based on the size of transfer data. Specify a size limit in kilobytes. Note that HTTP GET requests are treated as downloads. HTTP POST and PUT requests are treated as uploads.
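The following is an added example, not code from the page or from Forefront UAG. It decides whether a transfer is subject to the download or upload policy using the three identification methods on this tab: URL lists, file extensions in Exclude or Include mode (including the literal "no ext" token), and size. GET is treated as a download and POST or PUT as an upload, as the page states. Two details are assumptions: the URL lists are matched as path prefixes, and a transfer is subject to the policy if any configured method identifies it. The sample URLs, lists and sizes are constructed, and `mimetypes` stands in for the extension-to-content-type table the page asks you to keep aligned with the application server.

```python
"""Download/Upload tab: identify transfers that the endpoint policy must cover.

Added example (not UAG code). Prefix matching of URL lists and OR-combination of
the methods are assumptions; sample data is constructed.
"""
import mimetypes
import posixpath
from urllib.parse import urlsplit

NO_EXT = "no ext"  # the literal token the page says to use for files without an extension


def transfer_kind(method):
    """GET is a download; POST and PUT are uploads; anything else is not a transfer."""
    m = method.upper()
    if m == "GET":
        return "download"
    if m in ("POST", "PUT"):
        return "upload"
    return None


def extension_of(url):
    """Extension without the dot, lower-cased, or NO_EXT. A trailing slash or a
    dotfile such as /.htaccess counts as having no extension."""
    name = posixpath.basename(urlsplit(url).path)
    stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot and stem and ext else NO_EXT


def identified_by_extension(url, mode, listed):
    """Exclude: the listed extensions are the only ones allowed, so every other
    extension is identified. Include: only the listed extensions are identified."""
    listed = {e.lower().lstrip(".") for e in listed}  # the page says no leading dot; tolerate one anyway
    hit = extension_of(url) in listed
    return (not hit) if mode == "exclude" else hit


def identified_by_url(url, url_list):
    """Assumption: entries in the Download URL / Upload URL lists are path prefixes."""
    path = urlsplit(url).path.lower()
    return any(path.startswith(p.lower()) for p in url_list)


def identified_by_size(content_length, limit_kb):
    return content_length > limit_kb * 1024


def policy_applies(url, method, content_length, cfg):
    """cfg keys (all optional): url_list, ext_mode ('exclude'|'include'), ext_list, size_kb.

    Returns (kind, subject): kind is 'download', 'upload' or None; subject is True
    when the corresponding endpoint policy must be met for the transfer to proceed.
    With nothing configured nothing is ever blocked, matching the page's note."""
    kind = transfer_kind(method)
    if kind is None:
        return None, False
    checks = []
    if "url_list" in cfg:
        checks.append(identified_by_url(url, cfg["url_list"]))
    if "ext_mode" in cfg:
        checks.append(identified_by_extension(url, cfg["ext_mode"], cfg.get("ext_list", ())))
    if "size_kb" in cfg:
        checks.append(identified_by_size(content_length, cfg["size_kb"]))
    return kind, any(checks)


def content_type_mismatch(url, server_content_type):
    """Flag a response whose declared Content-Type differs from what this host maps
    the URL's extension to. Extension-based blocking only works when both sides
    agree, which is the caveat the page gives."""
    guessed, _ = mimetypes.guess_type(urlsplit(url).path)
    declared = server_content_type.split(";", 1)[0].strip().lower()
    return guessed is not None and guessed.lower() != declared


if __name__ == "__main__":
    cfg = {"ext_mode": "include", "ext_list": ["exe", "no ext"], "size_kb": 1024}
    for u, m, n in [("https://portal/files/tool.exe", "GET", 0),
                    ("https://portal/files/README", "GET", 0),
                    ("https://portal/upload", "POST", 5 * 1024 * 1024)]:
        print(u, m, policy_applies(u, m, n, cfg))
```

Because only the extension is consulted, a server that returns `report.pdf` with `Content-Type: application/octet-stream` behaves differently from one that returns `application/pdf`; `content_type_mismatch` is the check to run when an extension rule does not behave as expected.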
Authorization tab
On the Authorization tab, specify which users and groups can access the portal application. By default, all users who authenticate successfully to the portal can access all portal applications.
- Authorize all users
Leave this default setting selected to specify that all users authenticated for portal access can access the application. To specify that only specific users and groups can access an application in the portal, clear the check box.
- Add
If the Authorize all users setting is cleared, click Add. In the Select Users and Groups dialog box, in Look in, select the user and group repository server. In the Users and Groups list, select the required user or group, and then click Add. Select the user or group and click the Allow, View, or Deny column to set the application authorization permission for that user or group.
- Save as Local Group
Select to save the user or group defined on the repository server as a local group.
Portal Link tab
On the Portal Link tab, configure application links in a Forefront UAG portal. You can control the link format on the portal homepage for applications published in the portal. Note that portal link settings are only applied if you use the Forefront UAG default portal homepage.
- Add portal and toolbar link
Select to specify that a link to the application appears on the default portal homepage and toolbar.
- Portal application name
Specify the name of the application as it appears on the default homepage and toolbar.
- Folder
Specify a folder or subfolder on the portal homepage from which users can access the application. This enables you to group a number of applications under one folder. For example, you can create a folder called DriveMappings and place all Local Drive Mapping applications under it. Only the DriveMappings folder will be visible on the portal homepage. Specify the same folder information for all applications that will reside under the folder. If there are no subfolders, specify only the folder name. For a subfolder, use the format: folder/subfolder A/subfolder B. The name of the root folder in the folder structure is the name of the Forefront UAG portal application, as defined in the Portal application name box. The folder structure is not retained in the Forefront UAG toolbar.
- Application URL
Specify the internal entry link URL from the portal to the application. You must specify an absolute URL. For example, https://www.fabrikam.com.
- Icon URL
Specify the location of the icon representing the application. The icon is displayed together with the application name in the portal.
- Short description/description
Specify more information about the application. The descriptions are displayed adjacent to the application name in the portal.
- Startup page
Specify a startup file to assign to the application. When this setting is enabled, the defined file is processed as part of the application’s default startup page, and the code included in the defined startup file is processed at the beginning of the application startup process. The default application startup for all applications is set in the StartApp.asp page, located in the \Microsoft Forefront Unified Access Gateway\von\InternalSite folder. When you enable the startup page option, Forefront UAG processes the file you have defined and then redirects the user to the application. If you enable this setting, place your custom file in the following location: \Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate\. The file URL must be relative to /InternalSite. For example, /Inc/CustomUpdate/MyPage.inc. Because the file runs as server-side code on the Forefront UAG server, treat it like any other code deployed there: restrict who can write to the CustomUpdate folder and review the file's contents before enabling it.
- Open in new window
Select to specify that the application opens in a new window.
- Display application in
Select the type of device on which the link is displayed. This setting applies only to Web applications.
- Allow rich clients to bypass trunk authentication
Select this setting to allow rich client applications that cannot use the session authentication method configured for the trunk to authenticate directly with the authentication server used by the backend published application (this is the authentication server that is configured on the Web Settings tab of the application properties).
Note
This setting applies to all applicable applications published on the trunk.
- Use Office Forms Based Authentication for Office client applications
In addition to allowing rich client applications to bypass trunk authentication, if end users access your published SharePoint applications by using certain rich clients you can use MSOFBA. MSOFBA is a protocol that provides forms based authentication, instead of basic authentication, when you use Office client applications.
- Specify how portal link appears for clients that do not comply with application access policy
Select Unavailable to specify that the application link should be unavailable, or select Hidden to specify that the application link should not be shown for these client endpoints.