Overview of application publishing
Updated: February 1, 2011
Applies To: Unified Access Gateway
Using Forefront Unified Access Gateway (UAG), you publish corporate applications via a Forefront UAG trunk. Users then access the applications through the portal home page of the trunk.
Read the following to ensure that you understand the Forefront UAG features required to configure application publishing:
About trunks─You create and configure trunks to control how remote endpoints interact with the Forefront UAG server, and how they access applications published via the trunk.
About portals─Each trunk has a portal home page that provides a Web gateway to one or more published applications.
About application publishing─You add applications to a trunk in order to make them accessible (via the portal home page) to remote endpoints. In addition to trunk settings that specify how endpoints access the portal, you can configure settings for each application. Application settings control how the application appears in the portal, and how endpoints access a specific application.
A Forefront UAG portal trunk is a transfer channel that allows endpoints to connect to the trunk’s portal home page over HTTP or HTTPS. You can also create a redirect trunk that redirects HTTP endpoint requests to an HTTPS trunk.
Each trunk has a portal home page to which remote endpoints connect to interact with the trunk, and access published applications. For each trunk you create, Forefront UAG adds the Portal application to the trunk in order to provide a default home page. Alternatively, you can define a customized home page.
In addition to publishing applications, there are a number of trunk settings that you can configure. These include authentication requirements and access policies for users accessing the trunk, and session and inspection settings that specify how user requests are handled by the trunk. You create a trunk with basic settings using the Create Trunk Wizard, and define additional settings after completing the wizard. Trunk settings include the following:
Address settings─For each trunk, you configure a public host name that is specified in the endpoint browser to reach the portal. Optionally, you can configure an alternative port if endpoints will connect to a portal by making a request to a computer other than the Forefront UAG server (for example, to an external load balancer that is listening on a different port). In addition, you can specify the IP address and port on which the Forefront UAG server is listening for endpoint requests.
Portal home page─You must specify a home page for the portal. You can use the default home page provided for each portal by Forefront UAG, or you can configure a customized home page.
Server certificate─If endpoints connect to a portal over HTTPS, the trunk for that portal requires a server certificate that will authenticate the Forefront UAG server to the endpoint. The certificate should be issued by a public certification authority (CA) because the CA must be trusted by all endpoints.
IIS logging─You can log trunk traffic to the IIS Web server running on the Forefront UAG server. You can log source IP addresses and user names entered during logon.
Frontend authentication─You can require endpoints to authenticate for access to a portal session using a number of authentication methods. You can specify how users interact with authentication servers on the portal home page. For example, you can enable clients to select the authentication server against which they authenticate, require users to authenticate to multiple servers either separately or with a single user name, enable users to add credentials in real-time if the current credentials are denied when accessing a portal application, and allow users to change their passwords.
Session settings─You can configure a number of settings that control endpoint sessions to the portal. These include connection limits for sessions, session timeout settings, automatic logoff settings, and specifying how Forefront UAG endpoint components are installed during a portal session.
Endpoint access settings─You can configure an access policy for a portal session. Endpoint settings are verified against these access policies, allowing only compliant endpoints to access the portal.
Traffic inspection settings─Forefront UAG includes an application-level control engine that helps to stop HTTP-based attacks and enforce application data validation, thus helping to prevent Web server exploits, such as URL manipulation and buffer overflows. Traffic inspection mechanisms that you can configure include:
URL inspection─In addition to basic URLs, Forefront UAG inspects parameters and any other incoming data. Application-level information that can be inspected includes the exact lengths and types of URLs, parameters, methods, and combinations of them that are permitted and accepted by the application server. This helps to ensure that attempts to compromise the server by sending long URLs, unexpected parameters, or unexpected methods will fail.
URL rules─Forefront UAG includes predefined application-aware rules that are designed to help protect the portal and the internal Web site, and to meet the specific needs of many applications that you publish via a trunk. You can also create customized rules for proprietary applications.
HTTP filtering─You can configure Forefront UAG to check HTTP headers and filter requests, based on header types, sizes, lengths, character ranges, and values. HTTP filtering uses positive logic, allowing only specifically permitted traffic to pass through the Forefront UAG server. Traffic that does not conform is automatically rejected.
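As an added illustration of the positive-logic model described under URL inspection and HTTP filtering above (example code written for this page, not Forefront UAG's own inspection engine; the policy values, paths and parameter names are constructed), a request inspector that permits only explicitly listed methods, paths, parameters and headers and rejects everything else:

```python
# Illustrative positive-logic request inspector (added example; not Forefront UAG code).
# Every check is an allowlist: anything not explicitly permitted is rejected.
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed policy in the spirit of a UAG URL rule: the methods, paths,
# parameter names/values and headers that the published application accepts.
POLICY = {
    "methods": {"GET", "POST"},
    "max_url_len": 256,
    "paths": {"/app/search", "/app/login"},
    "params": {                       # name -> (pattern of allowed values, max length)
        "q":    (re.compile(r"[\w .-]*"), 64),
        "page": (re.compile(r"\d{1,3}"), 3),
    },
    "headers": {                      # lower-case name -> (pattern, max length)
        "host":       (re.compile(r"[a-z0-9.-]+"), 64),
        "user-agent": (re.compile(r"[\x20-\x7e]*"), 256),
        "cookie":     (re.compile(r"[\x20-\x7e]*"), 1024),
    },
}

def inspect(method, url, headers, policy=POLICY):
    """Return None if the request conforms to the policy, else the rejection reason."""
    if method not in policy["methods"]:
        return f"method {method!r} not permitted"
    if len(url) > policy["max_url_len"]:
        return "URL exceeds permitted length"
    parts = urlsplit(url)
    if parts.path not in policy["paths"]:
        return f"path {parts.path!r} not permitted"
    # Parameters: unknown names, over-long values and out-of-range characters all fail.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rule = policy["params"].get(name)
        if rule is None:
            return f"unexpected parameter {name!r}"
        pattern, max_len = rule
        if len(value) > max_len or not pattern.fullmatch(value):
            return f"parameter {name!r} has a non-conforming value"
    # Headers: only listed header types pass, and only within size and character limits.
    for name, value in headers.items():
        rule = policy["headers"].get(name.lower())
        if rule is None:
            return f"header {name!r} not permitted"
        pattern, max_len = rule
        if len(value) > max_len or not pattern.fullmatch(value):
            return f"header {name!r} has a non-conforming value"
    return None
```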
HTTP compression─Forefront UAG includes HTTP compression capabilities. Content requested by a Web browser can be sent in an encoded form according to the encoding type specified by endpoints.