Identifying your infrastructure design requirements
Updated: February 15, 2013
Applies To: Unified Access Gateway
This topic helps you to identify your infrastructure design requirements.
Identifying your infrastructure design requirements may require the following:
- Identifying design requirements for server installation and deployment
- Identifying design requirements for client and endpoint deployment
- Identifying design requirements for endpoint access control
- Identifying design requirements for application publishing
- Identifying design requirements for logging and monitoring
Identifying design requirements for server installation and deployment
Consider the following design requirements for Forefront Unified Access Gateway (UAG) installation and deployment:
- Deployment scope
- Network topology requirements
- Domain and workgroup requirements
- Network and routing requirements
- DNS requirements
Deployment scope
Identifying the deployment scope requires you to identify how many Forefront UAG servers you need, as follows:
**How many endpoints need to be supported?**─By grouping multiple Forefront UAG servers into an array with the same configuration, you increase Forefront UAG capacity for throughput and number of users. Endpoint requests are serviced by all servers in the array; thus, if you deploy an array with three servers, you can support three times as many endpoints as a single Forefront UAG server.
**What are fault tolerance requirements?**─A single Forefront UAG server does not provide fault tolerance. If the server is unavailable, client endpoints cannot connect to portals provided by Forefront UAG trunks. If fault tolerance is required, consider the deployment of a load balanced Forefront UAG array. In an array configuration, each Forefront UAG array member has the same configuration and provides the same service to client endpoints. If one array member fails, the remaining array members are still available and remote endpoints can continue to access sites and portals, via another array member. You can deploy arrays of Forefront UAG servers acting as VPN servers, to provide remote access to corporate applications via Forefront UAG trunks.
**What are the specific requirements for the corporate access model?**─For example, you might need multiple Forefront UAG servers if your organization devolves access management for distributed locations, or corporate policy requires that different groups of clients or applications need a separate access infrastructure.
Network topology requirements
You can determine where Forefront UAG servers will be located within your organization, by considering the following:
**Do you want to place Forefront UAG servers behind a frontend firewall?**─In this configuration, the Forefront UAG server is placed in the internal network, behind a frontend firewall at the corporate edge. The Forefront UAG server has one network adapter that routes to the frontend firewall, and the other is in the internal network. The advantages and disadvantages are as follows:
- It is the simplest solution, requiring the least amount of hardware and configuration.
- It keeps all data in a single location, as the Forefront UAG server, published servers, and infrastructure servers are all located within the internal network.
- It provides a simple configuration: external users who connect via Forefront UAG and internal users in the internal network can all view the same content.
The main disadvantage of this design is that the corporate internal network is separated from the Internet by a single firewall. Note that the Forefront UAG server itself is protected by Forefront TMG running as a firewall on the Forefront UAG server. Forefront TMG is installed by default during Forefront UAG setup.
**Do you want to place Forefront UAG servers between a frontend firewall and a backend firewall?**─In this configuration, the Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network. The advantages and disadvantages are as follows:
- Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content that is intended for internal access only.
- If content in the perimeter network is compromised or corrupted as a result of Internet access, the integrity of the content in the corporate network is retained.
- If the Forefront UAG server is located in the perimeter network, and published servers or infrastructure servers are located in the internal network, the backend firewall must be configured to let the required protocols and ports through the firewall, so that Forefront UAG can effectively publish backend applications and access infrastructure servers, such as authentication servers, as required.
Domain and workgroup requirements
A Forefront UAG server can be joined to a domain or workgroup. Consider the following for a domain or workgroup deployment:
**Do you want to configure Forefront UAG servers in an array?**─Array servers must belong to a domain. A server must be joined to a domain before you can add it to an array.
**Do you want to publish the File Access application via a Forefront UAG trunk?**─The Forefront UAG server on which the trunk is configured must be a domain member.
**Do you want to configure single sign-on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication?**─The Forefront UAG server must be a domain member.
**Do you want to provide remote network access using SSTP?**─The Forefront UAG server must be a domain member.
Network and routing requirements
Forefront UAG deployment is highly dependent on correct network configuration, so you should consider the following:
**Do you want to deploy Forefront UAG to publish remote applications to remote VPN clients?**─A Forefront UAG server requires two network adapters, one connected to the internal network and the other connected to the external network (Internet). When you define the internal network during deployment, you must include every subnet that is reachable from the internal network adapter. Note that clients who connect to the internal network using Remote Network Access will be able to access all subnets reachable through the internal network adapter.
**Do you want to allow full VPN access to the internal corporate network?**─If you allow client endpoints full VPN access to the internal network using SSTP, or the legacy Forefront UAG Network Connector, you can allocate IP addresses to endpoints from a static pool. You should plan this static pool range and ensure that its addresses are not included in the internal network address range.
DNS requirements
When planning for DNS requirements, consider the following:
**Do you want to publish corporate applications via Forefront UAG trunks and a portal page?**─A public DNS server must be able to resolve the portal’s public host name that is specified in the browser of remote endpoints to reach a Forefront UAG portal page.
**Do you want to use a specific public host name for an application published via a portal, in addition to the portal public host name?**─Forefront UAG supports a new feature that allows you to publish an application using an application-specific host name instead of the portal host name. In order for remote endpoints to reach these applications, a public DNS server must be able to resolve each application-specific host name that you configure. Note that the application-specific host name must resolve to the same IP address as the portal host name.
**Do you want to publish backend servers and applications via a trunk?**─The Forefront UAG server requires internal name resolution to resolve the names and IP addresses of backend published servers, and infrastructure servers such as authentication servers.
**Do you want to publish SharePoint via a trunk?**─Forefront UAG supports alternate access mapping when publishing SharePoint. Alternate access mapping allows you to publish a single SharePoint Web server using multiple different host names. Each SharePoint application on the server is associated with a unique public host name, which is used for remote access to the application. Alternate access mapping requires a public DNS entry for each public host name that might be specified by client endpoints to reach published SharePoint applications.
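The DNS rules above can be checked against a planned set of public DNS records before the trunk goes live: the portal host name must resolve, each application-specific host name must resolve to the same IP address as the portal host name, and each SharePoint alternate access mapping host name needs its own public DNS entry. The following Python script is an added example written for this page; it is not code from the original page or from the Forefront UAG product. The host names and addresses in SAMPLE_PUBLIC_DNS are constructed, and the function names (check_trunk_dns, table_resolver, live_resolver) are assumptions.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample of public DNS answers for a planned deployment (not real hosts).
SAMPLE_PUBLIC_DNS: Dict[str, str] = {
    "portal.example.com": "203.0.113.10",   # portal public host name
    "mail.example.com": "203.0.113.10",     # application-specific host name, same address as portal
    "crm.example.com": "203.0.113.11",      # application-specific host name, wrong address
    "sp-hr.example.com": "203.0.113.10",    # SharePoint alternate access mapping host name
    # "sp-finance.example.com" deliberately has no entry, to show the missing-record case
}

Resolver = Callable[[str], Optional[str]]


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Resolver backed by a dictionary, so the check runs offline against a DNS plan."""
    return lambda name: table.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Resolver that asks the system's configured DNS; returns None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_trunk_dns(portal_host: str,
                    app_hosts: Iterable[str],
                    sharepoint_aam_hosts: Iterable[str],
                    resolve: Resolver) -> List[str]:
    """Return a list of DNS problems for a trunk plan; an empty list means the plan is consistent.

    Checks applied:
      * the portal host name must resolve in public DNS;
      * each application-specific host name must resolve, and to the portal's address;
      * each SharePoint alternate access mapping host name must have a public DNS entry.
    """
    problems: List[str] = []
    portal_ip = resolve(portal_host)
    if portal_ip is None:
        # Nothing else can be checked meaningfully without the portal address.
        return [f"portal host name {portal_host} does not resolve in public DNS"]
    for host in app_hosts:
        ip = resolve(host)
        if ip is None:
            problems.append(f"application host name {host} does not resolve in public DNS")
        elif ip != portal_ip:
            problems.append(
                f"application host name {host} resolves to {ip} but the portal resolves to {portal_ip}")
    for host in sharepoint_aam_hosts:
        if resolve(host) is None:
            problems.append(f"SharePoint alternate access mapping host name {host} has no public DNS entry")
    return problems


if __name__ == "__main__":
    for line in check_trunk_dns("portal.example.com",
                                ["mail.example.com", "crm.example.com"],
                                ["sp-hr.example.com", "sp-finance.example.com"],
                                table_resolver(SAMPLE_PUBLIC_DNS)):
        print(line)
```

Running the script against the constructed table reports two problems: crm.example.com resolves to a different address than the portal, and sp-finance.example.com has no record. Passing live_resolver instead of table_resolver runs the same checks against the DNS servers the machine is actually configured to use, which is the check to repeat after the public records have been created.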
Identifying design requirements for client and endpoint deployment
When planning for client scope and endpoint requirements, consider the following:
**Where are endpoints located?**─Forefront UAG supports client access from a wide range of endpoint locations, including connections from managed corporate computers, and from non-managed locations such as partners, Internet kiosks, and mobile devices. The location of endpoints might influence your infrastructure and deployment design. For example, you might need more than one Forefront UAG server if your corporate policy requires endpoints in different locations to access servers in distributed locations, or if policy requires different types of endpoints to use a separate access infrastructure. In addition, if endpoints travel around, this might increase capacity requirements as endpoints appear in multiple locations.
**What operating systems and browsers are endpoints running?**─You must identify endpoint operating systems and browsers in order to know whether Forefront UAG servers support connections from the endpoint. Endpoints running unsupported operating systems and browsers will not be able to connect to Forefront UAG resources. For a list of supported clients, see System requirements for Forefront UAG client devices.
**What Forefront UAG features will endpoints access?**─Forefront UAG installs endpoint components on endpoints connecting to Forefront UAG portals. Endpoint components are required if you want to implement any of the following:
- Endpoint detection─Based on the detection results, endpoints are allowed access in line with access policies. Access policies can be inbuilt Forefront UAG access policies, or Network Access Protection (NAP) policies downloaded from a Network Policy Server (NPS). Detection is provided by the Endpoint Detection component.
- Endpoint session cleanup─Cleanup deletes persistent data that is downloaded to an endpoint from Forefront UAG, or created by a client endpoint browser, when a Forefront UAG session ends, when the user logs off, when a scheduled logoff occurs, or when an unscheduled power outage or computer restart occurs. Cleanup functionality is provided by the Endpoint Session Cleanup component.
- Non-Web publishing─If you want to provide remote access to non-Web applications. Non-Web applications might require one or more of the following components: SSL Application Tunneling component, SSL Network Tunneling component, or Socket Forwarding component.
Endpoint components are not required for the following:
- Remote access to Web applications.
- Remote access to Outlook Anywhere (RPC over HTTP).
- Remote access to Exchange ActiveSync.
- Remote access to Remote Desktop Services (RDS) RemoteApps.
Identifying design requirements for endpoint access control
Depending on the client endpoint access mechanisms that you want to deploy, there are a number of infrastructure design considerations, as follows:
**Do you want to authenticate clients before allowing them to access Forefront UAG portals?**─When client authentication is required, Forefront UAG receives an authentication request from each Forefront UAG client that attempts to access the portal application. Forefront UAG then queries an authentication server to verify client credentials. Authenticating clients at the Forefront UAG gateway ensures that only authenticated client requests are passed to backend corporate servers and applications. Forefront UAG can use a variety of authentication mechanisms. For more information, see Planning for client authentication. Implementing client authentication requires you to set up an authentication infrastructure before deploying Forefront UAG. If you do not enable client authentication on the Forefront UAG server, Forefront UAG uses pass-through, and authentication takes place on backend servers only.
**Do you want to pass client credentials to backend published applications that require authentication?**─Forefront UAG allows you to implement a single sign-on mechanism that passes credentials provided during session authentication to backend servers using basic authentication (HTTP 401), an HTML form, Kerberos constrained delegation, or Active Directory Federation Services (ADFS).
To use Kerberos the following is required:
- Forefront UAG servers must belong to a domain.
- You must define at least one authentication server for the trunk to which the application belongs.
- All domain controllers in the internal network must be computers running Windows Server 2008 or Windows Server 2003.
- Authenticating clients must be part of the same Active Directory forest as the Forefront UAG server and the application servers.
- Forefront UAG servers and the application servers must be part of the same domain.
To use ADFS the following is required:
- Forefront UAG servers must belong to a domain.
- An AD FS server must be deployed.
- Active Directory must be used for authentication.
- Forefront UAG requires a certificate that is trusted by endpoints because AD FS-enabled applications can only be published in an HTTPS trunk.
**Do you want to verify the health of endpoints before allowing access to portals and published applications?**─Using Forefront UAG, you can verify endpoint settings against predefined access policies, and allow or restrict access based on endpoint compliance. You can use predefined or custom inbuilt Forefront UAG access policies, or download Network Access Protection (NAP) policies. Setting up Forefront UAG access policies does not require any specific infrastructure changes. Setting up NAP policies requires the deployment of a Network Policy Server (NPS) in your corporate infrastructure. The NPS can be co-located on the Forefront UAG server.
**Do you want to limit access to individual portal applications to specific users and groups?**─Forefront UAG allows you to configure portal authorization to control access to portal applications. You use users and groups that are configured on authentication servers in order to implement authorization. An authentication server is required in the corporate infrastructure to do this.
**Do you want to differentiate between endpoints and allow some endpoints privileged access?**─Forefront UAG provides a certified endpoint feature for clients that connect over HTTPS to a portal. Certified endpoints are defined as privileged, and you can specify a more permissive access policy for these privileged endpoints. To deploy certified endpoints, a certification authority (CA) is required to issue client certificates to endpoints.
Identifying design requirements for application publishing
Using Forefront UAG, you publish corporate applications and resources via a Forefront UAG trunk. Remote endpoints then access published applications and resources via a Forefront UAG portal Web page. The types of corporate applications that you want to publish will affect infrastructure planning, as follows:
**Do you want to publish Web applications only?**─If you want to publish Web applications only, endpoint components are not required for these applications. If you are publishing non-Web applications such as client/server and legacy applications, the File Access application, or Remote Network Access, endpoints require components to be installed in order to access these applications. Endpoints must meet system requirements for component installation. For more information, see System requirements for Forefront UAG client devices.
**Do you want endpoints to connect to portals over a secure HTTPS connection?**─If endpoints connect using HTTPS, the Forefront UAG server must be able to present a server certificate that is trusted by connecting endpoints.
**Do you want to publish the inbuilt File Access and Local Drive Mapping applications?**─These applications provide remote access to internal file servers and shares. To publish these applications, Forefront UAG must be installed as a domain member.
**Do you want to publish the inbuilt Remote Network Access application, in order to allow remote clients to access the entire internal network?**─You can provide remote network access using the inbuilt Network Connector application, or SSTP.
- To provide remote access using the inbuilt Network Connector application, you need a pool of IP addresses that are excluded from the internal network to assign to connecting VPN clients.
- To use SSTP, you either need a pool of IP addresses that are excluded from the internal network to assign to connecting VPN clients, or a DHCP server set up to allocate addresses to connecting VPN clients. In addition, any clients must conform to SSTP requirements. For more information, see Setting up Remote Network Access.
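Both the Remote Network Access requirement just stated and the static pool requirement in the "Network and routing requirements" section come down to the same check: the address pool handed to VPN clients must not fall inside any subnet of the defined internal network. The following Python script is an added example written for this page, not code from the original page or from the Forefront UAG product; it uses the standard ipaddress module to test a planned pool against a planned internal network. SAMPLE_INTERNAL_SUBNETS and the pool ranges are constructed values, and the function names (pool_conflicts, pool_size) are assumptions.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample internal network definition: every subnet reachable through the internal adapter.
SAMPLE_INTERNAL_SUBNETS = ["10.0.0.0/16", "10.1.0.0/24", "192.168.50.0/24"]


def pool_size(pool_start: str, pool_end: str) -> int:
    """Number of addresses in an inclusive static pool; each connected endpoint consumes one."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end address precedes pool start address")
    return int(end) - int(start) + 1


def pool_conflicts(pool_start: str, pool_end: str, internal_subnets: Iterable[str]) -> List[Network]:
    """Return the internal subnets that contain at least one address of the static pool.

    An empty list means the pool is correctly excluded from the internal network range.
    Subnets are returned in the order they were given, so the report matches the plan.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end address precedes pool start address")
    # Express the inclusive range as a handful of CIDR blocks so overlap tests stay cheap
    # even for large pools; summarize_address_range raises if start and end differ in IP version.
    pool_blocks = list(ipaddress.summarize_address_range(start, end))
    conflicts: List[Network] = []
    for subnet_text in internal_subnets:
        # strict=False accepts host-style entries such as 10.1.0.1/24 from a hand-written plan.
        subnet = ipaddress.ip_network(subnet_text, strict=False)
        if any(block.overlaps(subnet) for block in pool_blocks):
            conflicts.append(subnet)
    return conflicts


if __name__ == "__main__":
    for start, end in [("10.1.0.100", "10.1.0.200"), ("172.16.100.1", "172.16.100.254")]:
        found = pool_conflicts(start, end, SAMPLE_INTERNAL_SUBNETS)
        verdict = "OK" if not found else "overlaps " + ", ".join(str(n) for n in found)
        print(f"pool {start}-{end} ({pool_size(start, end)} addresses): {verdict}")
```

The first constructed pool sits inside 10.1.0.0/24 and is reported as a conflict; the second lies outside every internal subnet and is accepted. pool_size is included because the pool also bounds how many VPN endpoints can be connected at once, which ties back to the capacity questions under "Deployment scope". When SSTP clients are instead served from a DHCP server, the same check applies to the DHCP scope you dedicate to them.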
**Do you want to connect from the Forefront UAG server to backend published applications and servers over a secure connection?**─If you want to use an HTTPS connection, the published server must have a server certificate that is trusted by the Forefront UAG server.
Identifying design requirements for logging and monitoring
Forefront UAG can record system information and alerts, and user activity. These can be used proactively to ensure operations are running correctly, and during troubleshooting. Information can be logged in a number of formats, including logging to a built-in reporter that can be used with Forefront UAG Web Monitor, logging to a RADIUS accounting server, or a remote Syslog server. You can also use SMTP logging to send logged events to an e-mail address. Forefront UAG can also use the Forefront TMG logging mechanism to log events to a SQL Server database. Events can be logged to a local SQL Server Express database running on the Forefront UAG server, or to a remote SQL Server.
Infrastructure design considerations include the following:
**What type of information do you want to log?**─For information about SQL Server fields that can be logged, see SQL Server logging fields.
**Do you want to log to a remote SQL Server database?**─You must configure a SQL Server database in your infrastructure. If fault tolerance is required, a remote SQL Server database can be placed in a Microsoft failover cluster.
**Do you want to monitor Forefront UAG activity with Microsoft System Center Operations Manager 2007?**─You must have an Operations Manager 2007 server deployed in your organization, and you must deploy the Forefront UAG management pack.