Updated: July 31, 2012
Applies To: Unified Access Gateway
This topic summarizes some of the support boundaries for Forefront Unified Access Gateway (UAG), where support generally describes whether Microsoft Customer Support Services (CSS) or Microsoft Services can help when you attempt to deploy or configure Forefront UAG in a given scenario.
Forefront UAG and Forefront UAG DirectAccess
You can use Forefront UAG as a publishing server, creating trunks to publish corporate applications for access by remote client endpoints either directly, or via a Web portal. In addition, you can deploy Forefront UAG as a DirectAccess server, to extend the benefits of Windows DirectAccess across your infrastructure, providing transparent access for DirectAccess clients. Note the following:
A single server can be configured as both a Forefront UAG publishing server, and as a Forefront UAG DirectAccess server.
An array can consist of Forefront UAG servers that act as both remote access publishing servers, and as Forefront UAG DirectAccess servers.
You cannot publish the Network Connector application when Forefront UAG is configured as a DirectAccess server.
Forefront UAG supports configuration of two networks – internal and external. Connecting to different switches for network redundancy is supported, providing that both are defined as part of the internal or external network.
Using Forefront TMG running on the Forefront UAG server to provide multiple network routing is not supported.
Deployment with a single network adapter is not supported.
In order to support DirectAccess, which is IPv6-based, Forefront UAG allows the following IPv6 traffic:
Inbound authenticated IPv6 traffic (using IPsec). This also includes the IPsec initiation traffic.
Native IPv6 from and to the Forefront UAG DirectAccess server.
Inbound and outbound IPv6 transition technologies (6to4, Teredo, IP-HTTPS and ISATAP).
No other IPv6 traffic is supported by Forefront UAG.
Forefront UAG customization
Forefront UAG provides a wide range of customization settings, with the following support guidelines:
CSS provides a commercially reasonable effort to customers in making custom changes to SRA, AppWrap, and FormLogin.xml, to resolve problems in publishing out-of-the box supported applications (as listed in Introduction to publishing design.
CSS provides a commercially reasonable effort to deliver samples to customers for SRA, AppWrap and FormLogin.xml for applications not listed in Overview of application publishing.
CSS will provide commercially reasonable effort to provide samples for general Forefront UAG product functionality that is documented in the Forefront UAG Microsoft TechNet Library. For example, features such as access policy detection, language customization, custom reporting events, portal page customization, and login page user interface customization.
All other customizations are not supported by CSS.
Forefront TMG running on Forefront UAG
By default, Forefront Threat Management Gateway (TMG) is installing during Forefront Unified Access Gateway (UAG) Setup. Forefront TMG is installed as a complete product, and is not modified to run on a Forefront UAG server.
Forefront UAG uses Forefront TMG, as follows:
Forefront TMG acts as a firewall, protecting the Forefront UAG server.
Forefront UAG uses Forefront TMG infrastructure and functionality in some deployment and monitoring scenarios.
Although you can configure Forefront TMG running on Forefront UAG using the Forefront TMG Management console, Forefront TMG is intended for use of the Forefront UAG infrastructure only. Specifically, the following is not supported:
Forefront TMG is installed automatically during Forefront UAG Setup, and removed automatically if Forefront UAG is uninstalled. Installing and uninstalling only Forefront TMG is not supported.
Forefront TMG as a forward proxy for outbound Internet access.
Forefront TMG application publishing, except for the publishing scenarios listed in the Supported Forefront TMG configurations section that follows.
Forefront TMG as a site-to-site VPN.
Forefront TMG as an intrusion protection system.
Forefront TMG as a network perimeter firewall. Forefront TMG running on Forefront UAG is only intended to protect the Forefront UAG local host server.
Publishing Forefront TMG via Forefront UAG.
Any other scenarios not specifically listed in the Supported Forefront TMG configurations section below.
Supported Forefront TMG configurations
You can use Forefront TMG running on the Forefront UAG server, as follows:
Creating access rules using the Forefront TMG Management console, for the purpose of limiting users, groups, and networks for granular access when deploying Forefront UAG for VPN remote network access.
Monitoring with the Forefront TMG Management console.
Limiting users, groups, sources and destinations on Forefront TMG system policy rules, with the purpose of enabling access to corporate servers and remote management to and from the Forefront UAG local host server.
You can publish the following applications via Forefront TMG:
Office Communications Server (OCS)—Only Communicator Web Access should be published using Forefront UAG. Other OCS features should be published using the Forefront TMG console running on the Forefront UAG server.