Forefront UAG

SHAREPOINT
AND
FOREFRONT
UNIFIED
ACCESS
GATEWAY
James Tramel
Solutions Architect
Planet Technologies

• In other lives:
– Network Engineer
– Network Admin
– WAN admin
– Cloud admin
• Now
– SharePoint experience and
certification (custom and oob /
data and architect)
– Forefront IM and UAG
ABOUT ME

• As a portal
• As an intranet
• As an extranet
SHAREPOINT

• How is your farm built?
• Where does it reside?
• Who accesses it and How?
• What does it look like in your network?
• What does your network topology look
like?
SHAREPOINT AND
NETWORK
INFRASTRUCTURE

• Network topology is the layout pattern
of interconnections of the various
elements (links, nodes, etc.) of a
computer or network
• Physical topology refers to the physical
design of a network including the
devices, location and cable installation.
• Logical topology refers to how data is
actually transferred in a network as
opposed to its physical design
WHAT IS
NETWORK
TOPOLOGY

• What is a LAN?INSIDE /
OUTSIDE

• A local area network (LAN) is a
computer network that connects
computers and devices in a limited
geographical area such as home, school,
computer laboratory or office building.
The defining characteristics of LANs
includes their usually high data-transfer
rates, smaller geographic area, and lack
of a need for leased telecommunication
lines
LAN

LAN: LOCAL
AREA
NETWORK -
BASIC

• What is a LAN?
• What is a WAN?
INSIDE /
OUTSIDE

• A wide area network(WAN) is a
telecommunication network that covers
a broad area (i.e., any network that
links across metropolitan, regional, or
national boundaries). Business and
government entities utilize WAN to
relay data among employees, clients,
buyers, and suppliers from various
geographical locations. In essence this
mode of telecommunication allows a
business to effectively carry out its daily
function regardless of location.
WAN

• What is a LAN?
• What is a WAN?
• What is a Host?
INSIDE /
OUTSIDE

• A network host is a computer connected
to a computer network. A network host
may offer information resources, services,
and applications to users or other nodes
on the network
• A web hosting service is a type of Internet
hosting service that allows individuals and
organizations to make their own website
accessible via the World Wide Web. Web
hosts are companies that provide space on
a server they own or lease for use by their
clients as well as providing Internet
connectivity, typically in a data center.
Web hosts can also provide data center
space and connectivity to the Internet for
servers they do not own to be located in
their data center
HOST

• Inside network protocols
• Outside network protocols
• How can SP be setup for outside?
HOW TO USE
SHAREPOINT
FROM
OUTSIDE

• Anonymous Access
• SSL
• Authentication methods
– Windows Based
– Token based
– Claims based
– Forms Based
COMMON
OUTSIDE
METHODS

• AD is not authoritative directory
• SAML tokens are not allowed to be
consumed
• No guarantee of Internet Explorer
• High security / sensitive data
AUTHENTICATION
EXAMPLE

• What is a LAN?
• What is a WAN?
• What is a Host?
• What is a DMZ?
INSIDE /
OUTSIDE

• A DMZ, or De Militarized Zone, is a
physical or logical subnetwork that
contains and exposes an organization's
external services to a larger untrusted
network, usually the Internet. It is
sometimes referred to as a perimeter
network. The purpose of a DMZ is to
add an additional layer of security to an
organization's local area network (LAN);
an external attacker only has access to
equipment in the DMZ, rather than any
other part of the network.
DMZ

• Access Scenarios
– Remote employee
– External partner or customer
– Branded Internet sites
– Web hosting
– Mobile phone access
BUILDING A
SHAREPOINT
EXTRANET

SHAREPOINT AND UAG
• Anywhere access
• Information leakage prevention
• Endpoint health-based
authorization
• Web farm load balancing
• Advanced authentication
schemes
• Enabling access to SharePoint
sites from Microsoft Office
Outlook Web Access
• Unified Portal
• Automatic timeouts
• Internet-ready appliances
Secure Sockets Layer (SSL)
termination
• Application protection
• Policy-based access
• Single sign on

• Part of ForeFront Suite
• Reverse Proxy, Direct Access, Remote
Desktop Services and VPN solution
• Built with/on TMG (firewall, endpoint
security)
• Great for LOB apps
• Highly customizable, integrates with a
lot
WHAT IS UAG?

• TMG is installed before you install UAG
• TMG can act as a router, an Internet
gateway, a virtual private network
(VPN) server, a network address
translation (NAT) server and a proxy
server.
• TMG is a firewall that offers application
layer protection, stateful filtering,
content filtering and anti-malware
protection.
• TMG can compress web traffic and
offers web caching
UAG AND TMG

• Publishing Microsoft Exchange Server
Applications
• Publishing Remote Desktop Services
• Remote Network Access Using SSTP
• Intra-Site Automatic Tunnel Addressing
Protocol
• Endpoint Policies and Network Access
Protection
• UAG Arrays
• Direct Access
UAG SETUP IN
GENERAL

• UAG direct access
• Single server endpoint outside of
perimeter
• Everything on VM’s
• Multiple SP Applications
• Multiple Forests
UAG DIRECT
ACCESS AND
SHAREPOINT

• Edge firewall
UAG – SP
EXTRANETS

UAG – SP
EXTRANETS
Split back-to-back optimized for content publishing

Back-to-back perimeter with content publishing
(and optional TMG caching)
UAG – SP
EXTRANETS

• Know the network topology
• Know how to get around the network
topology
• VM’s and VM topology
• Static Routes
• Make sure you have access to local
session – you will likely lose ip your first
time
THINGS TO
NOTE FOR
INSTALLING
UAG

• Virtual Network Types
– Private Virtual Network
– Internal Virtual Network
– External Virtual Network
• Virtual NIC’s
• Physical NIC’s
• Static Routes
UNDERSTANDING
VM’S

• Name your Network Adapters
• Configure the External NIC
– Get rid of properties you don’t
need
– Default Gateway
– Un check register the connection in
DNS
– Disable NetBIOS
ADDRESSING
UAG

• Configure the Internal NIC
– No Gateway
– Register the connection in DNS
• Check your static route to internal nic
• Change the binding order
• Check routes
ADDRESSING
UAG

• You can associate a Web application with a
collection of mappings between internal and
public URLs.
• Alternate access mappings enable a Web
application that receives a request for an
internal URL, in one of the five authentication
zones, to return pages that contain links to the
public URL for the zone.
• The UAG server responds with identical content,
even though external users submit a different
protocol (HTTPS) and a different host header
than internal users.
• Alternate access mappings to allow the
SharePoint server to perform URL changes on
its own. This ensures that reverse proxies, such
as UAG, do not have to change the content of
the pages they serve to external sources.
ADDRESSING
SHAREPOINT:
AAM –
ALTERNATE
ACCESS
MAPPINGS

• The UAG portal is an ASP.Net-based Web
application using AJAX, and is the front-end
Web application for UAG
• A UAG portal trunk is a transfer channel that
allows endpoints to connect to the trunk’s
portal home page over HTTP or HTTPS. You can
also create a redirect trunk that redirects HTTP
endpoint requests to an HTTPS trunk.
• Each trunk has a portal home page to which
remote endpoints connect to interact with the
trunk, and access published applications.
• For each trunk UAG adds the Portal application
to the trunk in order to provide a default home
page. Alternatively, you can define a customized
home page.
UAG PORTALS
AND TRUNKS

• Each Web app is associated with a
unique public-facing host name, which is
used to access the application remotely.
• A Web app that is published through
the Forefront UAG trunk shares the
trunk's definitions in addition to some
of the trunk's functionality, such as the
logon and logoff pages.
• This means that the application's public
host name must reside under the same
parent domain as the trunk's public
host name; that is, the application and
the trunk are subdomains of the same
parent domain.
ADDRESSING SHAREPOINT:
PUBLIC HOST NAMES

Forefront UAG trunk’s
public host name
Trunk’s parent
domain
Examples of valid public host
names for Web app
Examples of non valid
public host names for
Web app
uag.woodgrovebank.co
m
woodgrovebank.co
m
hrportal.woodgrovebank.com
hrportal.a.b.woodgrovebank.co
m
hrportal.uag.woodgrovebank.co
m
hrportal.com
uag.ext.example.com ext.example.com hrportal.ext.example.com
hrportal.a.b.ext.example.com
hrportal.uag.ext.example.com
hrportal.com
hrportal.example.com
ADDRESSING
SHAREPOINT:
PUBLIC HOST
NAMES

• All the public host names that are used
in the trunk should be covered by this
certificate, including the trunk's public
host name and the public host names of
all the applications that are accessed via
the trunk.
ADDRESSING
SHAREPOINT
AND UAG:
SERVER
CERTIFICATES

• UAG is a way to go for extranets for a
highly secure deployment
• Big ROI for its other uses, as well as SP
• Know your network infrastructure
• Plan your SP install
• Access to the local UAG server
• Know your risks
CONCLUSION

1. MSDN
2. Technet
3. Microsoft Press
4. Wikipedia
5. http://mikecrowley.files.wordpress.com/2010/11/
6. http://www.windowsnetworking.com/articles_t
utorials/Understanding-Virtual-Networking-
Microsoft-Hyper-V.html>
7. http://mrshannon.wordpress.com/2010/04/30/se
tting-ip-addresses-on-a-uag-directaccess-
server/>
8. http://blog.concurrency.com/infrastructure/uag-
directaccess-ip-addressing-the-server/>
9. http://www.bibble-it.com/2010/02/21/forefront-
uag-in-10-minutes
REFERENCES

Forefront UAG

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to Forefront UAG

Similar to Forefront UAG (20)

More from James Tramel

More from James Tramel (9)

Recently uploaded

Recently uploaded (20)

Forefront UAG

Editor's Notes