
Forefront UAG 2010

Presentation Transcript


  1. Forefront UAG 2010: Install and Configure Remote Access for SharePoint (and RemoteApp and DirectAccess) In An Hour. Dominik Zemp, Microsoft Switzerland Ltd Liab. Co., dominik.zemp@microsoft.com

  2. Agenda • What is Forefront UAG? • UAG Solution and Internal Architecture • How to Publish SharePoint via UAG • Live Demos • How to Publish RemoteApps, DirectAccess, etc. via UAG • Q & A

  3. What are the different Microsoft Remote Access Solutions? And which ones are for SharePoint? Answer: • Threat Management Gateway (TMG) • DirectAccess • Remote Desktop Services • Windows RAS (SSTP) • Unified Access Gateway (UAG)

  4. What is Forefront UAG? Solution and Internal Architecture

  5. What is Forefront UAG? Unified Access Gateway (UAG) is the next version of Intelligent Application Gateway (IAG), with a vision and mission to provide managed, unmanaged and mobile devices with unified, secure anywhere access to on-premise and in-the-cloud applications. Access is decided along three dimensions: What (Data) • Where (Device) • Who (Identity)

  6. UAG Connectivity Approach: Each session is tailored according to its user and the device in use, maximizing security and productivity for that session. Diagram: Internal & External Users • Managed & Unmanaged Devices • Private Resources. Example sessions: Financial Partner or Field Agent on a Home PC • Logistics Partner at a Kiosk • Project Manager (Employee) on a Corporate Managed Laptop • Remote Technician (Employee) on an Unmanaged Partner PC

  7. UAG Solution Architecture. Published applications: Exchange, CRM, SharePoint, IIS based, IBM, SAP, Oracle. Clients: Mobile; Home / Friend / Kiosk; Business Partners / Sub-Contractors; Employees on Managed Machines. Access paths from the Internet over HTTPS (443): HTTPS / HTTP; Terminal / Remote Desktop Services; Layer 3 VPN; DirectAccess; Non web. UAG functions: • Strong authentication • Endpoint health detection: NAP and down-level • Authorization: based on health status, who + where • Information leakage prevention: attachment/cache wiper. Identity back ends: AD, ADFS, RADIUS, LDAP…, NPS, ILM

  8. Authentication Repositories: Active Directory • LDAP • TACACS • RADIUS • RSA • Smart Card Certificates • KCD • ADFS • etc. (using UAG Hooks)

  9. Single Sign-On: No need for directory replication or repetition (alternative approaches require a local repository) • Transparent Web authentication: HTTP 401 request, static Web form, dynamic browser-sensitive Web form, Kerberos Constrained Delegation • Integrates with: password change management, user repositories

  10. UAG Endpoint Policies: Inbuilt policies can check the health of endpoints connecting to the UAG portal and applications • Check system settings and features on the endpoint • Control access to trunk and applications, as well as actions such as downloading and uploading files • Supports Windows, Mac OS, and Linux; platform-specific policies are enforced according to the operating system on the endpoint device • Predefined policies are enabled by default and can be edited to check for specific settings or features, as required • Administrators can also define their own policies

  11. NAP Support: Enforces compliance and provides remediation for clients connecting through portal trunks or DirectAccess • Each scenario uses NAP in a different way • For portal trunks, UAG receives the statement of health (SoH) from the client and enforces policies directly • For DirectAccess, IPsec policies require a “health certificate” issued independently by NAP

  12. Endpoint Session Cleanup: Wipes out the locally stored content upon session termination and so prevents information leakage • Removes: downloaded files and pages, AutoComplete form contents, AutoComplete URLs, cookies, history information, any user credentials

  13. UAG Internal Architecture (layered diagram): Admin Core (Management UI, SCOM MP, Tracing & Logging, Session Manager, User Manager, Config. / Array Manager) • UAG Logic, with the three pillars DirectAccess, Web Application Publishing and IP VPN (components: DirectAccess Server, Internal Site, Portal, TSG / RDG, RRAS, DTE / DoSP, SSL Tunnel, UAG Filter, DNS-ALG, NAT-PT, Native IPv6, 6to4, Teredo, IP-HTTPS, ISATAP, SSTP, Layer 3) • Windows Server platform (IIS, TMG, Windows NLB)

  14. How to Publish SharePoint? Technical Details and Live Demos

  15. Alternate Access Mappings: Enable SharePoint to map Web requests to the correct Web sites and apps • Define alternative public and internal URL names for the SharePoint Web site • Should match the URLs typed by the user or provided by the reverse proxy (like UAG) • Configured on the SharePoint Central Administration Site

  16. What every SharePoint Administrator needs to know about Alternate Access Mappings. Mistake #1: "I'm not deploying SharePoint in an unusual way, so I don't need to worry about configuring Alternate Access Mappings." Mistake #2: "Your reverse proxy server's 'link translation' feature is sufficient." Mistake #3: Trying to reuse the same URL in AAM, or not aligning the URLs to the same zone. Source: http://blogs.msdn.com/sharepoint/archive/2007/03/19/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-2-of-3.aspx
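Slides 15 and 16 describe the Alternate Access Mappings a reverse-proxied SharePoint site needs without showing the configuration itself. The following SharePoint 2010 Management Shell script is an added example, not part of the deck and not UAG's or SharePoint's own tooling: it creates the mapping for a web application published through UAG and then checks for the two misconfigurations the slide lists. The host names (http://sharepoint internally, https://sharepoint.contoso.com on the Internet), the zone and the assumption that UAG forwards the public host name to the back end are placeholders chosen for the example.

```powershell
# Added example (not from the deck): create and verify the Alternate Access
# Mappings for a SharePoint 2010 web application published through UAG.
# Assumptions (placeholders, not values from the slides):
#   - the web application answers internally on http://sharepoint (Default zone)
#   - UAG publishes it as https://sharepoint.contoso.com and passes that public
#     host name to SharePoint in the Host header
# Run in the SharePoint 2010 Management Shell, or load the snap-in first.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$internalUrl = 'http://sharepoint'                # assumed Default-zone URL
$publicUrl   = 'https://sharepoint.contoso.com'   # assumed URL the user types (served by UAG)
$zone        = 'Internet'

$webApp = Get-SPWebApplication -Identity $internalUrl

# 1. Public URL of the Internet zone. SharePoint uses it to build absolute links
#    in pages returned for requests that arrive in that zone, which is why proxy
#    link translation alone (Mistake #2) is not a substitute.
New-SPAlternateURL -WebApplication $webApp -Url $publicUrl -Zone $zone

# 2. If UAG connects to the back end over plain HTTP while keeping the public host
#    name, SharePoint receives requests for http://sharepoint.contoso.com as well.
#    Map that incoming URL to the SAME zone (Mistake #3: every URL under which one
#    site is reached must land in one zone, and a URL can belong to only one zone).
$httpVariant = $publicUrl -replace '^https:', 'http:'
New-SPAlternateURL -WebApplication $webApp -Url $httpVariant -Zone $zone -Internal

# 3. Verify: the URL the user types must exist as an incoming URL, and the zone it
#    lands in must use that same URL as its public URL.
function Test-UagAam {
    param($WebApplication, [string] $ExpectedUrl)
    $hit = Get-SPAlternateURL -WebApplication $WebApplication |
        Where-Object { $_.IncomingUrl -eq $ExpectedUrl }
    if (-not $hit) {
        Write-Warning "No AAM has incoming URL $ExpectedUrl; requests arriving via UAG will not map to this web application."
        return $false
    }
    if ($hit.PublicUrl -ne $ExpectedUrl) {
        Write-Warning "Incoming URL $ExpectedUrl lands in zone $($hit.Zone), whose public URL is $($hit.PublicUrl); links in returned pages will carry that host instead."
        return $false
    }
    return $true
}

Get-SPAlternateURL -WebApplication $webApp | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
Test-UagAam -WebApplication $webApp -ExpectedUrl $publicUrl
```

Step 2 only applies when the proxy really forwards the public host name over HTTP; a UAG trunk that talks HTTPS to the back end needs only the mapping from step 1. The verification function is where the value lies: run it after any change to the trunk's public host name, since a renamed public URL with an unchanged AAM is exactly the "not aligned to the same zone" case of Mistake #3.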

  17. UAG vs TMG

  18. Live Demo SharePoint Publishing

  19. What’s next? How to Publish RemoteApp and DirectAccess

  20. RD Gateway Publishing: UAG seamlessly integrates Remote Desktop Gateway (RDG) to provide an application-level gateway for RDS applications • Enables employees to securely access applications that are hosted on a Terminal Server or on their internal workstation • Benefits: enhanced authentication; single sign-on experience; granular policies based on client health (no anti-virus → no drive sharing) • RemoteApps are integrated into the UAG portal side by side with Web applications • Integrated deployment and management with other remote access technologies

  21. RD Gateway Publishing: In UAG, RD/TS client traffic goes over HTTPS. The HTTPS tunnel is terminated at UAG, so the traffic can be inspected there. The traffic is then passed to the back-end RD Session Host using the RDP protocol. Diagram: RD/TS Client (MSTSC) → RDP over HTTPS → UAG + RDG → RDP → RD Session Host (TS Server)

  22. UAG and DirectAccess better together: • Extends access to line of business servers with IPv4 support • Access for down-level and non-Windows clients • Enhances scalability and management • Simplifies deployment and administration. In detail: UAG provides access for down-level and non-Windows clients • UAG improves adoption and extends access to existing infrastructure • UAG uses wizards and tools to simplify deployments and ongoing management • UAG enhances scale and management with integrated LB and array capabilities • UAG is a hardened edge appliance available in HW and virtual options. Diagram labels: Hardened Edge Solution (DirectAccess Server, Windows Server 2008 R2); clients: Windows 7 and Windows Server 2008 R2 (Always On, IPv6), Windows Vista / Windows XP, non-Windows, PDA (SSL-VPN); servers: Windows Server 2008 R2 (IPv6), Windows Server 2003 and non-Windows legacy application servers (IPv6 or IPv4)

  23. Under the Hood: IPv6 Gateway. UAG provides IPv6 connectivity between Internet clients and internal servers, either natively or using transition technologies. Diagram: Client Machines (Internet) ↔ UAG ↔ Servers (Intranet); transition technologies shown: Native IPv6, 6to4, Teredo, IP-HTTPS, ISATAP, NAT64

  24. Under the Hood: IPsec Tunnels. Connectivity to the corporate network is done using IPv6, protected by IPsec tunnels and transported over IPv4 using IPv6 transition technologies (6to4, Teredo, IP-HTTPS). Diagram: Client Machine → IPv6 Transition Technologies (Internet) → UAG; Infrastructure Tunnel to Domain Controllers, DNS, HRA, Management; Intranet Tunnel to the rest of the machines in the corporate network; behind UAG the servers are reached via IPv6 Native, ISATAP, or IPv4 via NAT64

  25. Under the Hood: NAT64, DNS64 • Step 1: User machine tries to resolve the address of an IPv4-only server: Client Machine sends DNS AAAA Query for “x.contoso.com” → UAG (DNS64) sends DNS AAAA Query and DNS A Query for “x.contoso.com” to the DNS Server → DNS A Response IP: 100.1.2.3 → DNS64 returns DNS AAAA Response IP: 2a01:110:6:6:6:6::100.1.2.3 to the client. IPv4-only server: host name x.contoso.com, IP 100.1.2.3. NAT64 Prefix: 2a01:110:6:6:6:6::/96

  26. Under the Hood: NAT64, DNS64 • Step 2: User machine sends a packet to an IPv4 server: Client Machine sends packet to 2a01:110:6:6:6:6::100.1.2.3 → UAG (NAT64) translates it and sends packet to 100.1.2.3 → IPv4-only server (host name x.contoso.com, IP 100.1.2.3). NAT64 Prefix: 2a01:110:6:6:6:6::/96
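Slides 25 and 26 show the two halves of the NAT64/DNS64 mechanism on one example address. The PowerShell below is an added example, not part of the deck and not UAG's implementation: it performs the DNS64 synthesis of Step 1 (embedding the A record's IPv4 address in the low-order 32 bits of the /96 NAT64 prefix) and the reverse extraction NAT64 needs in Step 2, using the slides' prefix 2a01:110:6:6:6:6::/96 and server 100.1.2.3. The tiny zone file is constructed for the example; the dual-stack host dual.contoso.com is invented to show that a real AAAA record suppresses synthesis.

```powershell
# Added example (not from the deck): DNS64 address synthesis and NAT64 reverse
# mapping for a /96 NAT64 prefix, using the values shown on the slides.
# Only /96 prefixes are handled; the IPv4 address occupies bytes 12..15.

function New-Nat64Address {
    param(
        [Parameter(Mandatory=$true)] [string] $Prefix,   # e.g. '2a01:110:6:6:6:6::/96'
        [Parameter(Mandatory=$true)] [string] $IPv4      # e.g. '100.1.2.3'
    )
    $parts = $Prefix -split '/'
    if ($parts.Count -ne 2 -or [int]$parts[1] -ne 96) {
        throw "Only /96 NAT64 prefixes are handled here: $Prefix"
    }
    [byte[]] $bytes   = ([System.Net.IPAddress]::Parse($parts[0])).GetAddressBytes()  # 16 bytes
    [byte[]] $v4Bytes = ([System.Net.IPAddress]::Parse($IPv4)).GetAddressBytes()      # 4 bytes
    if ($v4Bytes.Count -ne 4) { throw "Not an IPv4 address: $IPv4" }
    for ($i = 0; $i -lt 4; $i++) { $bytes[12 + $i] = $v4Bytes[$i] }    # embed in low 32 bits
    return (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

function Get-Nat64EmbeddedIPv4 {
    # Reverse step (what NAT64 does in Step 2): recover the IPv4 destination from a
    # synthesized IPv6 address, or return $null if the address is outside the prefix.
    param(
        [Parameter(Mandatory=$true)] [string] $Prefix,
        [Parameter(Mandatory=$true)] [string] $IPv6
    )
    $network = ($Prefix -split '/')[0]
    [byte[]] $prefixBytes = ([System.Net.IPAddress]::Parse($network)).GetAddressBytes()
    [byte[]] $addrBytes   = ([System.Net.IPAddress]::Parse($IPv6)).GetAddressBytes()
    if ($addrBytes.Count -ne 16) { return $null }                      # not IPv6
    for ($i = 0; $i -lt 12; $i++) {
        if ($addrBytes[$i] -ne $prefixBytes[$i]) { return $null }      # native IPv6, not translated
    }
    return ('{0}.{1}.{2}.{3}' -f $addrBytes[12..15])
}

# Constructed zone data standing in for the DNS Server on the slide.
$ConstructedZone = @{
    'x.contoso.com'    = @{ A = @('100.1.2.3'); AAAA = @() }              # IPv4-only server from the slide
    'dual.contoso.com' = @{ A = @('10.0.0.5');  AAAA = @('2001:db8::5') }  # invented dual-stack host
}

function Resolve-Dns64 {
    param([string] $Name, [hashtable] $Zone, [string] $Prefix)
    $rr = $Zone[$Name]
    if (-not $rr) { return @() }
    # A genuine AAAA record wins: DNS64 synthesizes only when the name has no IPv6 address.
    if ($rr.AAAA.Count -gt 0) { return @($rr.AAAA) }
    return @($rr.A | ForEach-Object { New-Nat64Address -Prefix $Prefix -IPv4 $_ })
}

$prefix = '2a01:110:6:6:6:6::/96'
Resolve-Dns64 -Name 'x.contoso.com'    -Zone $ConstructedZone -Prefix $prefix   # Step 1: synthesized AAAA
Resolve-Dns64 -Name 'dual.contoso.com' -Zone $ConstructedZone -Prefix $prefix   # real AAAA, no synthesis
Get-Nat64EmbeddedIPv4 -Prefix $prefix -IPv6 '2a01:110:6:6:6:6:6401:203'         # Step 2: back to IPv4
Get-Nat64EmbeddedIPv4 -Prefix $prefix -IPv6 '2001:db8::5'                       # outside the prefix
```

The slide writes the synthesized address as 2a01:110:6:6:6:6::100.1.2.3, with the IPv4 address spelled out in the last 32 bits for readability; in canonical hexadecimal notation the same address is 2a01:110:6:6:6:6:6401:203 (100 = 0x64, 1 = 0x01, 2 = 0x02, 3 = 0x03). Operationally, the prefix check in Get-Nat64EmbeddedIPv4 is the part worth keeping in mind: only traffic whose destination falls inside the NAT64 prefix is translated, so a client that resolved a name through some other resolver (bypassing DNS64) will receive no synthesized address and will not reach IPv4-only servers through the gateway.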

  27. Live Demo: RemoteApps and DirectAccess

  28. Thank you for your attention! • For more information please contact • Dominik Zemp • TSP Security • dominik.zemp@microsoft.com • +41 (43) 456 66 94 • +41 (0) 78 844 66 94 • Microsoft Switzerland • Richtistrasse 3 • 8304 Wallisellen

  29. Resources • UAG 2010 Eval Download: http://technet.microsoft.com/en-us/evalcenter/dd183100.aspx • UAG Team Blog: http://blogs.technet.com/edgeaccessblog/default.aspx • TMG Team Blog: http://blogs.technet.com/isablog/default.aspx • Forefront Edge IAG/UAG Support Forum: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag
