Protecting SharePoint with Advanced Antivirus and Edge Security Solutions : Securing SharePoint Sites Using Forefront UAG

2/27/2011 9:50:02 AM
Microsoft’s Forefront UAG is a full-featured SSL VPN product that can publish access to multiple services, web based or otherwise. It allows administrators to control strictly what users have access to, with very granular access rights, which makes it an ideal publishing solution for SharePoint 2010: administrators can define exactly which farms a given user needs to reach, and nothing else.

Architecting Forefront UAG

Forefront UAG is similar to Forefront TMG; in fact, it uses a Forefront TMG engine for the creation of all of its rules, and you can even open the Forefront TMG console directly on a Forefront UAG server. Consequently, the same design criteria that applied to Forefront TMG, listed earlier, apply to Forefront UAG as well.

The main difference between Forefront TMG and Forefront UAG is that Forefront UAG allows for the creation of a “trunk,” which is essentially a portal web page that users hit first. The trunk forces them to authenticate and, once authenticated, gives them access to various applications through links on that page. Because the links are filtered by the authorization rules of each application, one user will see a different set of applications on that page than another, depending on their rights.

Creating a SharePoint Application Within a UAG Trunk

An HTTP or (preferably) HTTPS trunk needs to be created before an application such as SharePoint can be defined. An HTTP trunk sends the user’s credentials and the UAG session cookie in clear text, so for anything reachable from the Internet an HTTPS trunk should be used. Creation of this trunk is outside the scope of this book, but more information can be found at Microsoft.com/forefront on the configuration of HTTPS trunks for Forefront UAG.

From within the trunk, shown in Figure 1, multiple “applications” can be created, such as one for SharePoint. To add SharePoint as an application to a trunk, perform the following steps:

From within the trunk, such as the one shown in Figure 1, click Add to add a new application.

Figure 1. Viewing a Forefront UAG trunk for a SharePoint site.

Click Next at the welcome screen.

From the Select Application dialog box, select Microsoft SharePoint Server 2010 under the type Web. Click Next to continue.

Give the application a name, such as SharePoint Extranet Farm, and click Next to continue.

From the Endpoint Policies screen, select what type of policies will be enabled for the application. Custom policies can be created from within Forefront UAG that restrict what types of activities are allowed on the site, based on what the UAG endpoint components can detect about the connecting client. Microsoft also ships default policies that can be used, such as Microsoft SharePoint 2010 Download, which governs whether documents can be downloaded from the site. Either use the default policies or custom policies, depending on the situation, and then click Next to continue.

Under step 4, select whether to configure one published server or multiple servers, depending on how big the SharePoint farm is. For this example, we are configuring a single SharePoint server. Click Next to continue.

Enter the IP address of the server, plus the public hostname that the SharePoint environment is known by. This public hostname must also be configured in SharePoint as an alternate access mapping for the web application, or SharePoint will render links using the internal server name, which external users cannot reach through UAG. Click Next to continue.

Under step 6, typically leave the SSO settings at the default, unless you have a specific need to customize them. You will need to either add an authentication server or choose one that is already established (such as an AD domain controller); this is the directory against which UAG validates the user’s credentials before granting access to the application. After adding an authentication server, click Next to continue.

Select what type of link to include on the SSL VPN portal page for the SharePoint application, as shown in Figure 2. Click Next to continue.

Figure 2. Creating a SharePoint application within a Forefront UAG trunk.

Specify which set of users will be authorized to use this specific application. This gives you the opportunity to restrict who has rights to which application; users outside the authorized set will not see the link on the portal page. After making any necessary changes, click Next to continue.

Click Finish when completed.

Different SharePoint applications can be created for multiple farms, each directed at a different set of users. Forefront UAG can also authenticate users against multiple directory sources (for example, several Active Directory domains or LDAP directories), allowing a single portal to serve users from multiple platforms and environments.
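The wizard above asks for the server’s IP address and the public hostname, and it relies on an HTTPS trunk already being in place. Three things commonly go wrong at that point: SharePoint has no alternate access mapping for the public URL, the public name does not resolve to the UAG trunk, or the trunk certificate does not carry the public name. The following PowerShell script, an added example that is not from the book or from the UAG product, checks all three before the application is published. It assumes the SharePoint 2010 snap-in is available (run it on a farm server), and every hostname, URL and IP address in it is a placeholder to be replaced with your own values.

```powershell
# Added example (not part of the book): pre-flight checks for the values entered
# in the UAG "Add Application" wizard. Run on a SharePoint 2010 server with
# outbound HTTPS access to the public name. All names and addresses below are
# placeholders (assumptions), not values from the book.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$publicHostName = "sharepoint.companyabc.com"   # public host name entered in the wizard
$publicUrl      = "https://$publicHostName"
$webAppUrl      = "http://sp-web01"             # internal SharePoint web application URL
$uagExternalIP  = "203.0.113.10"                # external address of the UAG HTTPS trunk

$allOk = $true

# Check 1: SharePoint must have an alternate access mapping for the public URL.
# Without it, SharePoint renders links with the internal name, which external
# users cannot reach through UAG.
$aam = Get-SPAlternateURL -WebApplication $webAppUrl |
       Where-Object { $_.IncomingUrl -eq $publicUrl }
if ($aam) {
    Write-Host "OK   AAM $($aam.IncomingUrl) is mapped to zone $($aam.Zone)"
} else {
    $allOk = $false
    Write-Warning "Missing AAM for $publicUrl (fix: New-SPAlternateURL -WebApplication $webAppUrl -Url $publicUrl -Zone Internet)"
}

# Check 2: the public name must resolve to the UAG trunk, not to the SharePoint
# server itself; otherwise UAG (and its authentication) is simply bypassed.
$resolved = [System.Net.Dns]::GetHostAddresses($publicHostName) |
            ForEach-Object { $_.IPAddressToString }
if ($resolved -contains $uagExternalIP) {
    Write-Host "OK   $publicHostName resolves to the UAG trunk ($uagExternalIP)"
} else {
    $allOk = $false
    Write-Warning "$publicHostName resolves to $($resolved -join ', '), expected $uagExternalIP"
}

# Check 3: the certificate bound to the HTTPS trunk must carry the public name,
# or every user gets a browser warning and is trained to click through it.
$tcp = New-Object System.Net.Sockets.TcpClient($publicHostName, 443)
# The callback accepts any certificate so we can inspect it; this is a check
# script, not a client, so no trust decision is made here.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($publicHostName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
$tcp.Close()

$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
# 2.5.29.17 is the Subject Alternative Name extension; Format() renders its DNS entries as text.
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } |
        ForEach-Object { $_.Format($false) }) -join ";"
if ($dnsName -eq $publicHostName -or $san -match [regex]::Escape($publicHostName)) {
    Write-Host "OK   trunk certificate covers $publicHostName (expires $($cert.NotAfter))"
} else {
    $allOk = $false
    Write-Warning "Trunk certificate is for '$dnsName' (SAN: $san), not $publicHostName"
}

if ($allOk) { Write-Host "All checks passed; safe to publish $publicUrl through UAG" }
else        { Write-Warning "Fix the warnings above before publishing" }
```

The DNS check is only meaningful when run from a host that uses public DNS; on an internal server with split DNS the name may legitimately resolve to an internal address, in which case run that part from outside the network. The certificate check deliberately bypasses validation so that a self-signed or expired certificate is reported rather than causing the script to fail before it can say why.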
