Forefront 2010 Unified Access Gateway with SharePoint 2010 requires considerable planning, and the decisions depend on your topology. Here are a few things to note about it, and at least one way to do it. Specifically, we’ll look at some of the gotchas of putting the two products together in a basic remote/direct-access, single sign-on setup.
2. ABOUT ME
• In other lives:
– Network Engineer
– Network Admin
– WAN admin
– Cloud admin
• Now:
– SharePoint experience and certification (custom and OOB / data and architect)
– Forefront IM and UAG
3. SHAREPOINT
• As a portal
• As an intranet
• As an extranet
4. SHAREPOINT AND NETWORK INFRASTRUCTURE
• How is your farm built?
• Where does it reside?
• Who accesses it, and how?
• What does it look like in your network?
• What does your network topology look like?
5. WHAT IS NETWORK TOPOLOGY
• Network topology is the layout pattern of interconnections of the various elements (links, nodes, etc.) of a computer network.
• Physical topology refers to the physical design of a network, including the devices, location and cable installation.
• Logical topology refers to how data is actually transferred in a network, as opposed to its physical design.
7. LAN
• A local area network (LAN) is a computer network that connects computers and devices in a limited geographical area such as a home, school, computer laboratory or office building. The defining characteristics of LANs include their usually high data-transfer rates, smaller geographic area, and lack of a need for leased telecommunication lines.
10. INSIDE / OUTSIDE
• What is a LAN?
• What is a WAN?
11. WAN
• A wide area network (WAN) is a telecommunication network that covers a broad area (i.e., any network that links across metropolitan, regional, or national boundaries). Business and government entities use WANs to relay data among employees, clients, buyers, and suppliers in various geographical locations. In essence, this mode of telecommunication allows a business to effectively carry out its daily functions regardless of location.
14. INSIDE / OUTSIDE
• What is a LAN?
• What is a WAN?
• What is a Host?
15. HOST
• A network host is a computer connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network.
• A web hosting service is a type of Internet hosting service that allows individuals and organizations to make their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own or lease for use by their clients, as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and Internet connectivity for servers they do not own to be located in their data center.
16. HOW TO USE SHAREPOINT FROM OUTSIDE
• Inside network protocols
• Outside network protocols
• How can SP be set up for outside access?
20. AUTHENTICATION EXAMPLE
• AD is not the authoritative directory
• SAML tokens are not allowed to be consumed
• No guarantee of Internet Explorer
• High security / sensitive data
21. INSIDE / OUTSIDE
• What is a LAN?
• What is a WAN?
• What is a Host?
• What is a DMZ?
22. DMZ
• A DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. It is sometimes referred to as a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external attacker only has access to equipment in the DMZ, rather than any other part of the network.
25. BUILDING A SHAREPOINT EXTRANET
• Access scenarios
– Remote employee
– External partner or customer
– Branded Internet sites
– Web hosting
– Mobile phone access
26. SHAREPOINT AND UAG
• Anywhere access
• Information leakage prevention
• Endpoint health-based authorization
• Web farm load balancing
• Advanced authentication schemes
• Enabling access to SharePoint sites from Microsoft Office Outlook Web Access
• Unified portal
• Automatic timeouts
• Internet-ready appliances
• Secure Sockets Layer (SSL) termination
• Application protection
• Policy-based access
• Single sign-on
27. WHAT IS UAG?
• Part of the Forefront suite
• Reverse proxy, Direct Access, Remote Desktop Services and VPN solution
• Built with/on TMG (firewall, endpoint security)
• Great for LOB (line-of-business) apps
• Highly customizable; integrates with a lot
29. UAG AND TMG
• TMG is installed before you install UAG
• TMG can act as a router, an Internet gateway, a virtual private network (VPN) server, a network address translation (NAT) server and a proxy server.
• TMG is a firewall that offers application layer protection, stateful filtering, content filtering and anti-malware protection.
• TMG can compress web traffic and offers web caching
30. UAG SETUP IN GENERAL
• Publishing Microsoft Exchange Server applications
• Publishing Remote Desktop Services
• Remote network access using SSTP
• Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
• Endpoint policies and Network Access Protection
• UAG arrays
• Direct Access
31. UAG DIRECT ACCESS AND SHAREPOINT
• UAG direct access
• Single server endpoint outside of the perimeter
• Everything on VMs
• Multiple SP applications
• Multiple forests
35. THINGS TO NOTE FOR INSTALLING UAG
• Know the network topology
• Know how to get around the network topology
• VMs and VM topology
• Static routes
• Make sure you have access to a local console session: you will likely lose IP connectivity to the server the first time
38. ADDRESSING UAG
• Name your network adapters
• Configure the external NIC
– Get rid of properties you don’t need
– Set the default gateway
– Uncheck "Register this connection's addresses in DNS"
– Disable NetBIOS
39. ADDRESSING UAG
• Configure the internal NIC
– No gateway
– Register the connection in DNS
• Check your static route to the internal NIC
• Change the binding order
• Check routes
40. ADDRESSING SHAREPOINT: AAM – ALTERNATE ACCESS MAPPINGS
• You can associate a Web application with a collection of mappings between internal and public URLs.
• Alternate access mappings enable a Web application that receives a request for an internal URL, in one of the five authentication zones, to return pages that contain links to the public URL for the zone.
• The UAG server responds with identical content, even though external users submit a different protocol (HTTPS) and a different host header than internal users.
• Alternate access mappings allow the SharePoint server to perform URL changes on its own. This ensures that reverse proxies, such as UAG, do not have to change the content of the pages they serve to external sources.
41. UAG PORTALS AND TRUNKS
• The UAG portal is an ASP.NET-based Web application using AJAX, and is the front-end Web application for UAG.
• A UAG portal trunk is a transfer channel that allows endpoints to connect to the trunk’s portal home page over HTTP or HTTPS. You can also create a redirect trunk that redirects HTTP endpoint requests to an HTTPS trunk.
• Each trunk has a portal home page to which remote endpoints connect to interact with the trunk and access published applications.
• For each trunk, UAG adds the Portal application to the trunk in order to provide a default home page. Alternatively, you can define a customized home page.
42. ADDRESSING SHAREPOINT: PUBLIC HOST NAMES
• Each Web app is associated with a unique public-facing host name, which is used to access the application remotely.
• A Web app that is published through the Forefront UAG trunk shares the trunk's definitions in addition to some of the trunk's functionality, such as the logon and logoff pages.
• This means that the application's public host name must reside under the same parent domain as the trunk's public host name; that is, the application and the trunk are subdomains of the same parent domain.
43. ADDRESSING SHAREPOINT: PUBLIC HOST NAMES
• Forefront UAG trunk’s public host name: uag.woodgrovebank.com
– Trunk’s parent domain: woodgrovebank.com
– Examples of valid public host names for the Web app: hrportal.woodgrovebank.com, hrportal.a.b.woodgrovebank.com, hrportal.uag.woodgrovebank.com
– Examples of non-valid public host names for the Web app: hrportal.com
• Forefront UAG trunk’s public host name: uag.ext.example.com
– Trunk’s parent domain: ext.example.com
– Examples of valid public host names for the Web app: hrportal.ext.example.com, hrportal.a.b.ext.example.com, hrportal.uag.ext.example.com
– Examples of non-valid public host names for the Web app: hrportal.com, hrportal.example.com
44. ADDRESSING SHAREPOINT AND UAG: SERVER CERTIFICATES
• All the public host names that are used in the trunk should be covered by the trunk's server certificate, including the trunk's public host name and the public host names of all the applications that are accessed via the trunk.
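As an added example (not UAG's or SharePoint's own code), the following Python checks a trunk's application public host names against the parent-domain rule from slides 42 and 43, and checks whether the trunk certificate's subject alternative names cover every public host name. The host names and SAN entries are constructed samples, and the three-label minimum for a trunk host name is an assumption.

```python
# Added example (not UAG or SharePoint code): check a trunk's application
# public host names against the parent-domain rule on the slides above, and
# check that the trunk certificate's subject alternative names cover every
# public host name. Host names and SAN entries below are constructed samples.

def parent_domain(trunk_host: str) -> str:
    """Trunk's parent domain = its public host name minus the first label.
    Assumption: a trunk host name has at least three labels (e.g. uag.example.com)."""
    labels = trunk_host.lower().strip(".").split(".")
    if len(labels) < 3:
        raise ValueError("trunk host name too short: " + trunk_host)
    return ".".join(labels[1:])

def is_valid_app_host(trunk_host: str, app_host: str) -> bool:
    """A Web app's public host name must be a subdomain of the trunk's parent domain."""
    return app_host.lower().strip(".").endswith("." + parent_domain(trunk_host))

def san_covers(san_names, host: str) -> bool:
    """True if a SAN entry matches host exactly, or a '*.' wildcard matches
    exactly one leading label (RFC 6125 style); '*.example.com' does not
    cover 'a.b.example.com', which is the usual gotcha with deep app names."""
    host = host.lower()
    for name in san_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
    return False

def check_trunk(trunk_host: str, app_hosts, san_names):
    """Return (host, problem) pairs; an empty list means the trunk is consistent."""
    problems = []
    for host in [trunk_host] + list(app_hosts):
        if host != trunk_host and not is_valid_app_host(trunk_host, host):
            problems.append((host, "not under parent domain " + parent_domain(trunk_host)))
        if not san_covers(san_names, host):
            problems.append((host, "not covered by certificate"))
    return problems

if __name__ == "__main__":
    # Constructed sample: the slide's woodgrovebank trunk with a wildcard cert.
    apps = ["hrportal.woodgrovebank.com", "hrportal.a.b.woodgrovebank.com", "hrportal.com"]
    for host, why in check_trunk("uag.woodgrovebank.com", apps, ["*.woodgrovebank.com"]):
        print(host, "->", why)
```

Run against the slide's own examples, the wildcard certificate covers hrportal.woodgrovebank.com but not hrportal.a.b.woodgrovebank.com, so a multi-level application name needs its own SAN entry.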
46. CONCLUSION
• UAG is a way to go for a highly secure extranet deployment
• Big ROI for its other uses as well as SP
• Know your network infrastructure
• Plan your SP install
• Keep access to the local UAG server
• Know your risks
http://en.wikipedia.org/wiki/Microsoft_Forefront_Unified_Access_Gateway
authentication vendors such as RSA Security, Vasco, GrIDsure, Swivel, ActivCard and Aladdin
numerous authentication systems and protocols such as Active Directory, RADIUS, LDAP, NTLM, Lotus Domino, PKI and TACACS+.
Secure Socket Tunneling Protocol (SSTP)
What we’re going to do / What I’ve done
Simple, right?
More Complicated
Where to put things
How to get from point A to B
VLANS
TMG does not play around
Who can name all 5? Default, Intranet, Internet, Custom, Extranet
Demo
Browse to Planets
Explain redirection
Show service
http://technet.microsoft.com/en-us/virtuallabs/bb499665.aspx – configure portal trunk
Show http redirect
Show AAM
Show IIS
Show Portal
Show TMG
Show UAG