Microsoft’s Forefront UAG is a full-featured SSL VPN gateway that can be used to publish access to multiple services, web based or otherwise. It can strictly control what users have access to, and access rights can be granted at a very granular level, which makes it a strong publishing solution for SharePoint 2010: administrators can define exactly which farms each user is allowed to reach.
Architecting Forefront UAG
Forefront UAG is closely related to Forefront TMG; in fact, it uses the Forefront TMG engine to create all of its rules, and the Forefront TMG console can be opened directly from a Forefront UAG server. Consequently, the same design criteria that apply to Forefront TMG, listed earlier, also apply to Forefront UAG.
The main difference between Forefront TMG and Forefront UAG is that Forefront UAG allows for the creation of a “trunk,” which is essentially a web page that users hit first. The trunk forces them to authenticate and, once they are authenticated, presents links to the applications they are allowed to use. Because the links are filtered by each user’s rights, one user will see a different set of applications on that page than another.
Creating a SharePoint Application Within a UAG Trunk
A trunk needs to be created before an application such as SharePoint can be defined. Use an HTTPS trunk: an HTTP trunk is possible, but it would carry the users’ logon credentials to the trunk in clear text across the Internet, so it is not appropriate for SharePoint. Creation of the trunk is outside the scope of this book, but more information on configuring HTTPS trunks for Forefront UAG can be found at Microsoft.com/forefront.
From within the trunk, shown later in Figure 14.10,
multiple “applications” can be created, such as one for SharePoint. To
add SharePoint as an application to a trunk, perform the following
steps:
1. From within the trunk, such as the one shown in Figure 1, click Add to add a new application.
2. Click Next at the welcome screen.
3. From the Select Application dialog box, select Microsoft SharePoint Server 2010 under the type Web. Click Next to continue.
4. Give the application a name, such as SharePoint Extranet Farm, and click Next to continue.
5. From the Endpoint Policies screen, select which policies will be enforced for the application. Custom policies can be created within Forefront UAG to restrict what types of activities are allowed on the site, and Microsoft supplies default policies that can be used as well, such as Microsoft SharePoint 2010 Download. Use the default policies or custom policies, depending on the situation, and then click Next to continue.
6. On step 4 of the wizard, choose whether to publish a single server or a farm of servers, depending on how big the SharePoint farm is. For this example, we are configuring a single SharePoint server. Click Next to continue.
7. Enter the IP address of the server, plus the public hostname by which the SharePoint environment is known to external users. Click Next to continue.
8. On step 6 of the wizard, leave the SSO settings at the default unless you have a specific need to customize them. You will need to either add an authentication server or choose one that is already established (such as an AD domain controller); this is the directory the trunk will validate user logons against. After adding an authentication server, click Next to continue.
9. Select what type of link to include on the SSL VPN page for the SharePoint application, such as what is shown in Figure 2. Click Next to continue.
10. Specify which set of users will be authorized to use this specific application. This is where you restrict who has rights to which application, so scope it to the smallest group that actually needs the farm. After making any necessary changes, click Next to continue.
11. Click Finish when completed.
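Once the application has been published, it is worth verifying from outside the network that the trunk actually enforces what the wizard promised: no clear-text access, a valid certificate on the public name, authentication before any farm content, and no way to reach the farm except through the trunk. The script below is an added example and is not from the book or from Microsoft; the public host name sharepoint.contoso.com, the internal address 10.0.0.20 (the values entered in step 7 above) and the site path /sites/extranet/ are assumptions to replace with your own. It relies only on standard .NET networking classes, not on any UAG API.

```powershell
# Added example (not from the book): black-box checks against a SharePoint
# application published through a UAG trunk, to be run from OUTSIDE the network.
# Assumed values: public host name, the farm's internal address and the site path.
function Test-UagPublishedSharePoint {
    param(
        [string]$PublicHost   = 'sharepoint.contoso.com',   # assumption: public name from step 7
        [string]$InternalHost = '10.0.0.20',                # assumption: server IP from step 7
        [string]$SitePath     = '/sites/extranet/'          # assumption: a site on the farm
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }
    # Fetch without following redirects. 4xx/5xx arrive as WebException, so unwrap
    # the response instead of treating them as probe failures; $null means no answer.
    function Get-RawResponse([string]$Url) {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.AllowAutoRedirect = $false
        $req.UseDefaultCredentials = $false   # never let Windows auth answer silently
        $req.Timeout = 10000
        try { return $req.GetResponse() }
        catch [System.Net.WebException] { return $_.Exception.Response }
    }

    # 1. Clear-text HTTP must not serve the site: expect a redirect to HTTPS or no listener.
    $r = Get-RawResponse "http://$PublicHost$SitePath"
    if ($null -eq $r) {
        Add-Result 'HTTP not served in clear' $true 'no HTTP listener'
    } else {
        $loc = $r.Headers['Location']
        $redirectsToTls = ([int]$r.StatusCode -in 301,302,307,308) -and ($loc -like 'https://*')
        Add-Result 'HTTP not served in clear' $redirectsToTls "HTTP $([int]$r.StatusCode) Location=$loc"
        $r.Close()
    }

    # 2. The trunk certificate must chain to a trusted CA and match the public name.
    #    The callback records the policy errors instead of aborting, so we can report them.
    $tls = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $cb  = { param($s, $cert, $chain, $errors) $tls.Errors = $errors; return $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($PublicHost, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($PublicHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Add-Result 'TLS certificate valid for public name' ($tls.Errors -eq 'None') `
            "$($cert.Subject) expires $($cert.NotAfter.ToShortDateString()) via $($ssl.SslProtocol); errors: $($tls.Errors)"
        $ssl.Dispose(); $tcp.Close()
    } catch {
        Add-Result 'TLS certificate valid for public name' $false "handshake failed: $($_.Exception.Message)"
    }

    # 3. An anonymous request must stop at the trunk's logon redirect. A 200 or 401, or
    #    SharePoint's own MicrosoftSharePointTeamServices header, means the farm answered
    #    before the trunk authenticated anyone.
    $r = Get-RawResponse "https://$PublicHost$SitePath"
    $status   = if ($r) { [int]$r.StatusCode } else { 0 }
    $loc      = if ($r) { $r.Headers['Location'] } else { '' }
    $fromFarm = [bool]($r -and ($null -ne $r.Headers['MicrosoftSharePointTeamServices']))
    $stopped  = ($status -in 301,302,303,307) -and (-not $fromFarm)
    Add-Result 'Anonymous request stopped at trunk logon' $stopped "HTTP $status Location=$loc farmHeader=$fromFarm"
    if ($r) { $r.Close() }

    # 4. The farm itself must not accept connections from here; only the trunk should.
    $reachable = $false
    try {
        $probe = New-Object System.Net.Sockets.TcpClient
        $async = $probe.BeginConnect($InternalHost, 443, $null, $null)
        $reachable = $async.AsyncWaitHandle.WaitOne(3000) -and $probe.Connected
        $probe.Close()
    } catch { $reachable = $false }   # DNS or socket errors mean nobody answered
    Add-Result 'Farm not directly reachable' (-not $reachable) "tcp/443 to $InternalHost reachable=$reachable"

    return $results
}

Test-UagPublishedSharePoint | Format-Table -AutoSize
```

Run it from a machine that is not on the corporate network and not joined to the domain, otherwise check 4 proves nothing and a cached Windows logon could mask a failure in check 3. The exact logon URL the trunk redirects to varies by trunk configuration, so check 3 deliberately tests only that the answer is a redirect that did not come from SharePoint, rather than a particular path.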
Separate SharePoint applications can be created for multiple farms and then exposed to different sets of users. Forefront UAG can also authenticate users against multiple directory sources, allowing it to act as a metadirectory gateway for multiple platforms and environments. Note that Forefront UAG 2010 is no longer supported by Microsoft (extended support ended April 14, 2020), so an Internet-facing trunk built on it should be treated as a legacy deployment to migrate away from rather than as a design for new farms.