Microsoft Forefront Unified Access Gateway (UAG) is the latest in a line of Application Publishing (Reverse Proxy) and Remote Access (VPN) Server products. The broad set of features and technologies integrated into UAG makes for a steep learning curve. Understanding all the features and abilities of UAG is a complex task that can be daunting even to experienced networking and security engineers. This book is the first to be dedicated solely to Microsoft Forefront UAG. It guides you step-by-step through all the stages of deployment, from design to troubleshooting. Written by the absolute experts who have taken part in the product's development, official training and support, this book covers all the primary features of UAG in a friendly style and a manner that is easy to follow. It takes you from the initial planning and design stage, through deployment and configuration, up to maintenance and troubleshooting. The book starts by introducing UAG's features and abilities, and how your organization can benefit from them. It then goes on to guide you through planning and designing the integration of the product into your own unique environment. Further, the book guides you through the process of publishing the various applications, servers and resources - from simple web applications to complex client/server based applications. It also details the various VPN technologies that UAG provides and how to take full advantage of them. The later chapters of the book educate you on common routine "upkeep" tasks like monitoring, backup and troubleshooting of common issues. Finally, the book includes an introduction to ASP, which some of the product's features are based on, and which can help the advanced administrator with enhancing and customizing the product.
Page count: 674
Publication year: 2011
Copyright © 2011 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: January 2011
Production Reference: 1170111
Published by Packt Publishing Ltd.
32 Lincoln Road
Olton
Birmingham, B27 6PA, UK.
ISBN 978-1-849681-62-9
www.packtpub.com
Cover Image by Tina Negus (<[email protected]>)
Authors
Erez Ben-Ari
Ran Dolev
Reviewers
Ben Bernstein
Dennis E. Lee
Dominik Zemp
Acquisition Editor
Stephanie Moss
Development Editors
Rukhsana Khambatta
Mayuri Kokate
Technical Editor
Arani Roy
Indexers
Monica Ajmera Mehta
Rekha Nair
Editorial Team Leader
Gagandeep Singh
Project Team Leader
Ashwin Shetty
Project Coordinator
Poorvi Nair
Proofreaders
Lesley Harrison
Kevin McGowan
Graphics
Geetanjali Sawant
Production Coordinator
Shantanu Zagade
Cover Work
Shantanu Zagade
Erez Ben-Ari is a long time technologist and journalist, and has worked in the information technology industry since 1991. During his career, Erez has provided security consulting and analysis services for some of the leading companies and organizations in the world; including Intel, IBM, Amdocs, CA, HP, NDS, Sun Microsystems, Oracle, and many others. His work has gained national fame in Israel, and he has been featured in the press regularly. Having joined Microsoft in 2000, Erez has worked for many years in Microsoft's Development Center in Israel, where Microsoft's ISA Server was developed. Being a part of the release of ISA 2000, ISA 2004, and ISA 2006, he held several roles, including Operation engineering, Software testing, Web-based software design, and testing automation design. Now living in the United States, Erez still works for Microsoft, currently as a senior support engineer for UAG.
As a writer, Erez has been a journalist since 1995, and has written for some of the leading publications in Israel and in the United States. He has been a member of the Israeli National Press Office since 2001, and his personal blogs are read by thousands of visitors per month. Erez has also written, produced, and edited content for TV and radio, working for Israel's TV Channel 2, Ananey Communications, Radio Haifa, and other venues.
Most recently, Erez has completed his work on a courseware book titled Planning, deploying, and managing Microsoft Forefront Threat Management Gateway 2010, in collaboration with several other authors.
Ran Dolev is a veteran of network security and SSL VPN industries. Ran has worked with the UAG product for more than twelve years, since the product's inception at the start-up company Whale Communications in 1998, where Ran was the first full-time developer of the product. After several years he moved to a services position as the EMEA Professional Services Manager for the team. In this role he has designed and delivered numerous IAG and UAG training sessions in North America, Europe, Middle East, Asia, and Australia, to customers, partners, and Microsoft employees. Ran also provides consulting and deployment services for many of Microsoft's enterprise UAG customers.
Ben Bernstein is a senior program manager with the Microsoft UAG DirectAccess development team. Ben has worked for Microsoft since 2001, and has held several software development and leadership positions. During his time with Microsoft, Ben has been deeply involved with the development of many of Microsoft's security product suites, including ISA 2004, ISA 2006, TMG, and UAG. Ben often speaks at conferences and public events related to information security and holds BA and MBA degrees from The Interdisciplinary Center and the Technion Institute in Israel.
Dennis E. Lee is a noted network security expert specializing in Microsoft Forefront Security products. His journey in technology began as soon as he was able to take apart his old electronic toys. Self-taught in the art of web design, he used the Internet as a forum to foster discussion on topics such as computer self-help, graphic design, and programming. That led him into network security in which he actively attends community events and contributes to many different forums and blogs. As a consultant for Celestix Networks, Inc., Dennis travels the globe designing security solutions for organizations of all sizes. Whether it's a startup or global organization, he thrives on the opportunity to help the world do its job better. Checking out the local cuisine in all the places he visits is cool too. He wants you to read this book because while he enjoys traveling, it's unlikely that he'll be able to get to everyone in the world and believes that this book will guide you on how to build the most secure remote access solution using UAG.
Thank you to Sally, my colleagues at Celestix Networks and the people at Microsoft for sharing my passion of working with great products.
Dominik Zemp is a technical solutions specialist for Microsoft's security solutions and has worked in the security market since 2004. He is going to graduate in February 2011 from Lucerne University of Applied Sciences and Arts with a Bachelor's degree in Information Technology, specializing in Software Systems. He has served as network engineer, system engineer, and security consultant. He uses Microsoft's Forefront and security products on a daily basis and specializes in Microsoft's Identity and Access Management solutions such as Forefront Unified Access Gateway 2010.
You might want to visit www.PacktPub.com for support files and downloads related to your book.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
http://PacktLib.PacktPub.com
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.
Get notified! Find out when new books are published by following @PacktEnterprise on Twitter, or the Packt Enterprise Facebook page.
Dedicated to my wife, Paula, who forgave me for locking myself up in my study for so many months while writing this book, and to my son, Sol, who, despite just being born, kept quiet and let me do this.
— Erez Ben-Ari
I dedicate this to the memory of my father, Dan Costescu, writer, novelist, journalist, newspaper founder and editor, who used writing to fight from exile for justice and for a better life for his fellow countrymen. I miss you, Dad!
— Ran Dolev
The Israeli department of defence has one of the strictest information security guidelines in the world, and a part of these guidelines is the requirement to have complete physical separation between the public and internal networks. A regular firewall just won't do, and this requirement gave birth to the concept of the Air-Gap, a revolutionary product for its time. The Air-Gap and e-Gap products used a physical switch that enabled the transfer of data from one network to the other, but still kept them physically disconnected. One might think of this like a shuttle transferring passengers from one land-mass to another. Whether this is more secure than advanced software-based firewalls can be debated, but the product did meet the guidelines and became very successful in Israel.
Building on this success, Whale Communications distributed the e-Gap appliance throughout the world, and continued its development. In 2006, Whale Communications was purchased by Microsoft, and the next version, named Intelligent Application Gateway or IAG, had similar capabilities, but replaced the physical switch and the dual-server design with a software firewall—Microsoft's ISA 2006 server.
The success of IAG led, of course, to the next version—UAG, short for Unified Access Gateway. UAG has some new capabilities although fundamentally it is very similar to its predecessor, IAG. Like IAG, UAG combines two major functions:
For those who are familiar with proxy servers, a reverse proxy does exactly the opposite. A proxy sits at the edge of an organization's network, and fetches data from the Internet for the employees inside the network. A reverse proxy also sits at the edge, but fetches data from within the internal network, and delivers it to people connecting from outside. This allows employees to be away from the office, at their home or on the road, but still have access to the sensitive organization applications in a way that's easy to use, but secure at the same time.
For those who are not familiar with the concept of a VPN (Virtual Private Network), this is a common way to let employees connect to the internal network remotely. Many products on the market provide VPN services, including the built-in Windows service RRAS. However, using a reverse proxy instead allows quicker and easier access. Using a VPN service requires the end user to create configurations that may be complicated and are often not very secure. For example, an employee that uses his own home computer to connect to the organization's network may be sharing the same computer with his family, and that computer could be home to a virus zoo, or be exposed to external penetration via an unsecured Wi-Fi home network. If the computer is a laptop, it could potentially be stolen or lost, allowing the thief or finder to connect to the internal network and compromise it.
UAG's feature-set offers solutions to these problems using advanced features. The reverse-proxy side of the house allows easy access through most modern web browsers, with no configuration required by the user. The user simply types in the designated URL, waits for the special client-components to be installed automatically, and after a simple log-on, they can run the organization's web-based applications. While almost all firewalls offer the ability to do simple server-publishing, using a reverse-proxy is more secure. The reason is that a firewall, even one that does stateful inspection, is only passing data back-and-forth between the internal server and the client. A reverse proxy, on the other hand, stands-in for the internal server. The client is talking to the proxy, which impersonates the internal server. Even if the proxy is successfully attacked and taken-down, the internal server is never touched, and service is not interrupted.
Unfortunately, the reverse proxy service is only usable for Web-based applications. It's good for things such as Outlook Web Access and SharePoint, but many other applications require more complicated TCP/IP traffic. A good example is RDP, which works on port 3389, and cannot be simply reverse proxied. For that reason, the original e-Gap server included a feature called SSL-VPN, which has been expanded to a full range of VPN options with UAG. VPN allows pretty much any networked application to connect to internal servers by simulating a full network connection to the corporate network. Originally, e-Gap and IAG offered a VPN connection which was encrypted using SSL (Secure Socket Layer) and offered better security than many of the VPN products that existed in the market at the time. With UAG, SSL-VPN is still included, but also with several other options, most notable of which is DirectAccess. DirectAccess was originally developed to be integrated into the Windows Server 2008 R2 and Windows 7 Client platform, but the integration of this technology with UAG adds several additional security mechanisms that make for an easier and more secure deployment.
Using DirectAccess (frequently referred to as DA) with UAG includes several components that allow for a better integration with networks that are based on the IPv4 protocol, and also includes very advanced endpoint security, which has been a strong selling point for IAG and e-Gap for many years. UAG's endpoint security allows an administrator to enforce certain security policies by preventing client computers that do not meet these policies from connecting, or from accessing specific applications. These policies can include, for example, the requirement to have an antivirus product installed on the computer as a condition for allowing a connection. A policy can be even more granular and require a specific AV product, and even when the AV definitions were updated on the client. In fact, an advanced administrator can even write his own policy using VBScript to obtain the utmost granular control, down to the registry-key level.
Chapter 1, Planning Your Deployment, will cover the hardware and software requirements for using UAG, and what needs to be planned before purchasing the product, such as Load Balancers, client-support (PC, Mac, and Linux), and so on.
Chapter 2, Installing UAG, will cover the required steps to prepare and install UAG. We will discuss the critical settings you will need to configure before the installation and how to prepare the server for it, and then we will go through the setup process step-by-step. Finally, we will review how to verify that the installation went successfully and learn how to handle some common issues we might face.
Chapter 3, Trunk Types and Uses, will cover UAG's building blocks—trunks and applications. We will review the various types of each, what they are used for, and how to create them. We will not cover specific application publishing, but we will introduce some of the concepts that make the whole thing tick.
Chapter 4, Publishing Web Applications, will cover web applications and how to publish them, including focusing on the most popular applications types—SharePoint and Exchange.
Chapter 5, Advanced Applications and Services, will review the various applications, how to choose the appropriate templates, and how to configure them. We will also discuss in detail some of the additional built-in applications, and briefly introduce DirectAccess.
Chapter 6, Authenticating and Controlling Access, will explain the various types of authentication that UAG can use with Windows servers and third party servers. The chapter will also talk about managing user access to applications and trunks (authorization).
Chapter 7, Configuring UAG Clients, will cover UAG's client components. The client components are what the end-user sees, and they control the user's access to the portal and applications, so it's very important to understand how they work, and what they can and cannot do.
Chapter 8, Endpoint Policies, discusses endpoint policies—how they can be used to provide high security, how to configure them, and how to manage them.
Chapter 9, Server Maintenance and Upkeep, will cover ways to keep an eye on the server using built-in tools such as the Web Monitor, the Event Log, and the TMG live monitoring console. It will also discuss keeping the server in top shape by performance monitoring, applying patches, updates and service packs, and performing backups.
Chapter 10, Advanced Configuration, will discuss the Advanced Trunk Configuration, which allows the admin to control various aspects of the portal behavior and special-functions.
Chapter 11, DirectAccess, will introduce the admin to various DA related concepts such as IPv6, Teredo, IPHTTPS, DNS64, and NAT64. It will then detail how to configure DA in various scenarios.
Chapter 12, Troubleshooting, will discuss common problems and how to address them, as well as more generic troubleshooting concepts and technologies such as Netmon and PerfMon. The chapter will also offer a collection of external resources, such as blogs, wikis, and articles.
Appendix A, Introduction to RegEx, introduces us to Regular Expressions and the UAG RegEx syntax.
Appendix B, Introduction to ASP, gives a short introduction to ASP programming. Since UAG has quite a bit of web-based user interface, knowing a little about ASP and how it works will allow you to customize it to some degree.
You will need Microsoft Forefront Unified Access Gateway (UAG) with Update 1 for this book. UAG is offered to the public in two distinct distributions. A company can choose to purchase the product in the form of an appliance, or as a downloadable ISO image file, which can be burned to DVD or mounted on a virtual DVD drive. UAG is a server product, and can only be installed on a Windows Server 2008 R2 or later, therefore the hardware requirements are combined with those of R2. The primary requirement for R2 is having a 64 bit processor and 32 GB of free disk space. UAG's minimum requirements are that the processor is a dual-core one running at 2.66 GHz or faster, and that the system has 4 GB of memory, and an extra 2.5 GB of disk space.
This book is intended for IT Personnel, Network Engineers, System Engineers, System Administrators, and Security Engineers who are planning to implement UAG in their organization, or have already implemented it and want to discover more about the product's abilities and how to use them effectively. To properly use the book, you should have some understanding of IT and networking technologies and terminology, such as IP, DNS, Ethernet, Web Server, and VPN. Programming knowledge is not required; though it might be of benefit for advanced customization techniques that are supported by UAG, this is not within the scope of this book. The book also requires fundamental understanding of Microsoft technologies and systems, such as Windows and Internet Explorer. For some chapters, understanding of more advanced concepts may be needed, such as SSL, Firewalls, IPv6, Adv. TCP/IP, XML, and HTML.
As mentioned before, the basic functionality of the product from IAG to UAG has not changed much. UAG adds some broader functionality for newer applications, and support for more modern VPN technologies. The application publishing that was a part of IAG is mostly still here, with some updates to the user-interface, and some new application templates like Exchange 2010 and RemoteApp publishing. The SSL Wrapper and Network connector are also still here, but SSTP (Secure Socket Tunneling Protocol) and DA (DirectAccess) are now also included. The client components have gone through some improvements as well, and now support Windows 7, Internet Explorer 8, and several 64 bit operating systems. The user interface has gone through a nice face-lift, both on the server side and client-side (the "look and feel" of the portal).
A significant change in UAG compared to the previous generations is the availability of UAG as installable software. IAG has traditionally been available as a hardware appliance, and recently as a virtual appliance (a VHD file that can be run on Hyper-V or other virtualization products), but with UAG, an administrator can now install the product on any server he wishes to (assuming, of course, it meets the specifications for the minimum hardware support and for running Windows Server 2008 R2). This makes UAG much more readily available, and far easier to integrate into complex enterprise environments, reducing the total cost of ownership (TCO) for IT resources.
Another improvement added to UAG over IAG is the built-in support for arrays, and integration with Windows NLB (Network Load Balancing). In the past, integration of IAG was only possible with third-party load balancing solutions, and even then, it was somewhat limited, as administrators had to manually mirror the configuration between servers, and repeat the manual sync whenever a change was required. With UAG's built-in array management functionality, an administrator can build a cluster of up to eight UAG servers. If using an array, it can be load balanced using external load balancers, or integrated with Windows NLB.
Another notable addition to the functionality of UAG is the integration with NAP (Network Access Protection), which provides an extensive platform for maintaining endpoint health and sanity that goes beyond even the native endpoint policy management that IAG had. For example, NAP continually monitors the client's health and can respond to changes even during a session. It can also direct a client to an update server or other remediation server, so the client can address the health issues and reconnect, rather than just getting blocked from access.
From the management side of the house, UAG now allows the server administrator more control over logging and monitoring of user activity. This is achieved by enabling logging to SQL, which allows for better performance and easier analysis of logged data, and creating highly customized reports.
Just like IAG included ISA 2006 as its built-in firewall, UAG similarly includes Forefront TMG (Threat Management Gateway) 2010, which is the latest incarnation of Microsoft's highly regarded firewall server. TMG is automatically installed as a part of the UAG setup process, and once in place, protects the server from the outside world using its well known stateful inspection engine. Although it's tempting to think of this as two products in one, in reality, the use of TMG is somewhat limited, because it's controlled by UAG. Whenever the UAG configuration is changed and activated, UAG pushes various configuration elements and rules directly into TMG's configuration containers, and these might override or conflict with manual configuration done by the administrator. This poses some security risk; such manual configuration may unintentionally expose the server to outside threats. The same goes for IIS (Internet Information Services), which is a part of Windows Server. To perform its reverse-proxy functionality, UAG pushes various configurations directly into IIS, and manual changes to IIS's configuration put it at risk of a conflict or vulnerability which could jeopardize the entire server. For this reason, Microsoft recommends against attempting to leverage a UAG server for additional functions within organizations, and does not support this.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "but you can also use the command gpupdate /force, which forces the computer to update its group policy right away".
Any command-line input or output is written as follows:
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "To do so, open Administrative Tools and open Group Policy Management."
Warnings or important notes appear in a box like this.
Tips and tricks appear like this.
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.
If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail <[email protected]>.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book on, see our author guide on www.packtpub.com/authors.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the let us know link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.
In this chapter, we will discuss the various environmental issues that need to be planned ahead of deploying UAG (Unified Access Gateway). We shall look at what makes UAG tick and look at software, hardware, and networking considerations. We will review how UAG interacts with what's around it and discuss where in your network to place the server for optimal usability and ease of deployment, as well as looking at how clients fit into the picture.
Even though installing a UAG server is quite straightforward, it is very important to plan your deployment ahead of time and prepare your hardware, software, and network correctly. Failing to do so might end in an installation failure, or even worse—a situation requiring a lengthy re-planning of the integration, not to mention explaining all of this to "the guys upstairs".
When planning the installation, one must keep in mind that a UAG server is fundamentally a router. It has an external side that would be the access point for connecting clients from the internet, and an internal side through which the server can fetch data from internal corporate servers. While it is theoretically possible to use the server with a single network card, this option is not supported, and will not work for most of UAG's functionality. UAG includes Forefront TMG (Threat Management Gateway) 2010, Microsoft's well known enterprise-class firewall; therefore it is possible to have the external interface connected directly to the internet. Nonetheless, many organizations choose to play it extra-safe and place the server behind an additional firewall, which can also improve UAG's performance by eliminating junk traffic that might otherwise burden it. This, of course, requires careful planning of the routing, as well as opening the proper ports on the firewall to allow traffic to take its course.
UAG is designed to enable remote access in two primary roles: application publishing and VPN. A regular proxy is a server that resides at the edge of an organization's network, like a guard at the building's reception. The regular proxy fetches data from the outside world for the company's employees, much like a guard would escort a guest to an employee's office. A reverse proxy does the exact opposite—it fetches data from within the internal network, and delivers it to people on the outside. A regular proxy is usually about speeding things up, but also about protecting the network from uncontrolled access, while a reverse proxy is mostly about security. This is especially so for UAG, which might slow things down a bit, but provides a high level of security.
The benefit to an organization is that, using reverse proxy publishing, employees working from home or on-the-go can access the organization's internal applications from wherever they are, while still keeping the organizational network safe and secure. Those of you who know their firewalls must be thinking "But...any firewall can do this!" That is correct – almost all modern firewalls allow various forms of server publishing, but UAG adds additional levels of security. Firewall server publishing is usually quite simplistic – an administrator specifies the internal IP and port, and the firewall listens and forwards the requests and responses to and from the internal servers. From a security standpoint, this is almost equivalent to allowing the users to interact directly with the internal server, as the firewall inspection usually takes place at the TCP packet level only. Sure, it can recognize and stop some common Denial of Service (DoS) and other attacks like port scans and half scans, but hardly any application-level attacks. UAG, on the other hand, is much cleverer:
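The distinction drawn here and earlier in the preface (a firewall publishing rule passes packets through to the internal server, whereas a reverse proxy terminates the client's connection itself and only then decides what to fetch on the client's behalf) can be seen in a few dozen lines of code. The following is an added illustration written for this edition, not UAG's code or anything from Microsoft: a toy HTTP reverse proxy with a path allowlist standing in front of a toy internal server. The published prefixes, the sample paths and the hostnames are constructed values. Requests for anything that is not a published application are answered by the proxy alone, so the internal server never receives them, and a backend failure surfaces as a generic error from the proxy rather than as the internal host's own response.

```python
"""Toy application-level reverse proxy (added example, not UAG's own code)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Published application prefixes: constructed sample values, not UAG settings.
PUBLISHED_PREFIXES = ("/owa/", "/sharepoint/")

# Hop-by-hop headers describe one connection, not the message; never forwarded.
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "te", "trailer",
              "upgrade", "proxy-authorization", "proxy-authenticate", "host"}


class InternalServer(BaseHTTPRequestHandler):
    """Stand-in for an internal application server; records every path it sees."""
    seen = []  # class-level log of requests that actually reached the backend

    def do_GET(self):
        InternalServer.seen.append(self.path)
        body = f"internal content for {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class ReverseProxy(BaseHTTPRequestHandler):
    """Terminates the client connection and selectively fetches from the backend."""
    backend = None  # (host, port) of the internal server, set by start_proxy()

    def do_GET(self):
        # Application-level decision, made before any backend connection exists.
        if not self.path.startswith(PUBLISHED_PREFIXES):
            self._reply(403, b"not a published application")
            return
        host, port = self.backend
        # Only headers that describe the message are relayed; Host is rewritten
        # so the backend sees the proxy as its client, not the remote user.
        fwd = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        fwd["Host"] = f"{host}:{port}"
        fwd["X-Forwarded-For"] = self.client_address[0]
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request("GET", self.path, headers=fwd)  # the proxy's own connection
            resp = conn.getresponse()
            self._reply(resp.status, resp.read(), resp.getheader("Content-Type", "text/plain"))
        except OSError:
            # Backend trouble is reported by the proxy; nothing about the host leaks.
            self._reply(502, b"internal server unavailable")
        finally:
            conn.close()

    def _reply(self, status, body, ctype="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def _serve(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def start_backend():
    return _serve(InternalServer)


def start_proxy(backend_server):
    ReverseProxy.backend = backend_server.server_address
    return _serve(ReverseProxy)


def fetch(server, path):
    """Client side: talks only to the given server; returns (status, body)."""
    host, port = server.server_address
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    result = (resp.status, resp.read().decode())
    conn.close()
    return result


def demo():
    """Publish one app, request one published and one unpublished path."""
    InternalServer.seen.clear()
    backend = start_backend()
    proxy = start_proxy(backend)
    try:
        allowed = fetch(proxy, "/owa/inbox")     # published: proxied to the backend
        blocked = fetch(proxy, "/admin/config")  # unpublished: refused by the proxy
        return {"allowed": allowed, "blocked": blocked,
                "reached_backend": list(InternalServer.seen)}
    finally:
        for s in (proxy, backend):
            s.shutdown()
            s.server_close()


if __name__ == "__main__":
    print(demo())
```

Running the module shows that only `/owa/inbox` ever appears in the backend's record; the `/admin/config` request is refused with a 403 generated by the proxy. A real product adds far more to this decision (authentication, endpoint policy, content inspection, URL rewriting), but the structural point is the same: the internal server only ever talks to the proxy, on a connection the proxy opened.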
The second major functionality of UAG is VPN, which allows remote users to connect to the organization's network in a way that emulates them being connected directly to the network while at the office. This sort of connection can allow them to do anything they could do in the office, and provide the most advanced work environment (pyjamas notwithstanding). This functionality was included with previous versions of UAG under the name Network Connector. Network connector, or NC for short, was a VPN ability that was based on encrypting the connection with SSL, and was a proprietary technology developed by Whale Communications. At the time, Windows Servers also had built-in VPN abilities, but only based on the PPTP protocol, which is considered to be not very secure, and L2TP, which is quite secure, but difficult to deploy because of its complexity.
Today, with UAG, multiple VPN technologies are included. NC is still there, though it has been renamed to SSL Network Tunneling. SSL Network Tunneling is also limited to classic client operating systems like Windows XP and Windows Vista. A new addition is SSTP, which is a more modern incarnation of SSL-VPN for Windows 7 users. The most important remote-access technology included with UAG is DirectAccess (DA for short), which offers a new and unique seamless VPN-like integration. With DA, users are virtually connected to the corporate network as soon as they connect to the internet, with no interaction or any need to configure components and launch diallers. All these will be covered in detail later in the book.
UAG's core functionality is implemented as an ISAPI filter and extension, together with various mechanisms that control other parts of Windows. ISAPI (Internet Server Application Programming Interface) is a technology that allows programmers to build add-ons for websites, enriching their functionality. UAG is heavily reliant on ISAPI to do its job, and integrates itself into Internet Information Services (IIS), Microsoft's web server component that ships with Windows. This integration gives UAG its "face": users logging in see a website that is generated by UAG, and UAG's ISAPI filter and extension are the components that fetch data from internal servers and show it to the user.
To do this, UAG has a mechanism that allows it to manipulate the IIS configuration directly. It creates one or more sites in IIS, and integrates itself into them by registering its ISAPI filter. Since the UAG ISAPI components are integrated into the IIS website, content going to and from the site goes through these, and they can manipulate the data directly and efficiently. To learn more about ISAPI, read the following article: http://msdn.microsoft.com/en-us/library/at50e70y(VS.80).aspx
If you take a look at IIS on a fresh UAG installation, you will notice that the Default Web Site contains some new virtual directories, such as "InternalSite", which has been created by UAG. This virtual directory hosts the login screen that users see, as well as other pages like the log-off page, error pages, and others. "InternalSite" also includes the various authentication mechanisms, the client detection and installation system and more. It looks darn good, if you ask us. As you start configuring portals on UAG, another virtual directory appears under the Default Web Site of IIS running on the UAG server: PortalHomePage. This directory hosts, as its name suggests, the web resources that together compose the homepage or landing page of the portal, which end-users reach after successfully authenticating to UAG. This page displays links to all the applications published through this portal, as well as a UAG-specific toolbar.
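Rather than clicking through IIS Manager, you can see the same integration from the command line. The following is an added example, not code from the book or from UAG itself: it only reads the IIS configuration on the UAG server (IIS 7.5, WebAdministration module, elevated prompt) and lists the virtual directories, applications and ISAPI filters registered for the Default Web Site. The site name is the IIS default; the filter names you will see are whatever UAG registered on your server, and the script makes no assumption about them.

```powershell
# Added example (not from the book): show how UAG has hooked itself into IIS.
# Read-only; run elevated on the UAG server with the WebAdministration module.
Import-Module WebAdministration

$site = 'Default Web Site'   # IIS default; change if your portal lives elsewhere

# 1. Virtual directories and applications under the site.
#    Expect InternalSite on a fresh install and PortalHomePage once a portal exists.
Write-Host "Virtual directories under '$site':"
Get-WebVirtualDirectory -Site $site |
    Select-Object Path, PhysicalPath | Format-Table -AutoSize
Write-Host "Applications under '$site':"
Get-WebApplication -Site $site |
    Select-Object Path, PhysicalPath, ApplicationPool | Format-Table -AutoSize

# 2. ISAPI filters at server level and at site level. A filter sees every
#    request and response, which is how UAG is able to rewrite traffic, so an
#    unexpected entry here is something to investigate, not ignore.
foreach ($scope in @('IIS:\', "IIS:\Sites\$site")) {
    Write-Host "ISAPI filters at ${scope}:"
    Get-WebConfiguration -PSPath $scope -Filter 'system.webServer/isapiFilters/filter' |
        Select-Object Name, Path, Enabled | Format-Table -AutoSize
}

# 3. Sanity check: every registered filter DLL should actually exist on disk.
#    A registered-but-missing filter breaks the site (or silently removes
#    UAG's inspection), so it is worth flagging.
Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter 'system.webServer/isapiFilters/filter' |
    ForEach-Object {
        $exists = Test-Path -LiteralPath $_.Path
        if ($exists) { '{0,-30} OK' -f $_.Name }
        else         { '{0,-30} MISSING: {1}' -f $_.Name, $_.Path }
    }
```

Run it once right after installation and keep the output; comparing it against a later run is a cheap way to notice if something other than UAG has added a filter or virtual directory to the site.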
The building blocks of UAG are Trunks and Applications. You can think of a trunk as an organizational unit that can contain multiple applications. Depending on an organization's needs, the server can publish a single application, several applications within a trunk, or multiple applications within multiple trunks. An application is typically an internal server that is published through UAG, although the term can also be used to describe something that is not a website. For example, UAG has an "SSL-VPN tunneling" application, which creates a VPN connection from the user's computer to the organizational network, and allows direct access to internal resources.
If you have never seen a UAG server at work, the following screenshots offer a quick peek. Home users type into their browser a URL they are given by the networking team, and reach the illustrated login page. Even before reaching this page, their computer is checked to see if it meets the organization's security policy. For example, the organization might require that the computer is running an updated copy of Norton Anti-Virus as one of the conditions for entry:
Once users enter their password and it has been successfully verified, they are taken to the "portal" page, which lists the applications that have been published by the networking team. The middle section of the screen shows the icons, and there is also a frame on the left of the screen that shows the same applications. The top of the portal shows additional action buttons:
Users may select to launch the SharePoint application. This looks like any ordinary SharePoint page, but it's actually being displayed by UAG. Users get to it without having to type in their username and password again, since UAG has performed single sign-on to the SharePoint server, using the credentials that it has already collected from the users. On the left, the application toolbar remains, although it can be collapsed to free up screen real-estate. The top bar also stays there and contains the Log Off button, the Home button and more:
When finished, users click on the Log Off button on the right-hand side of the portal bar, and disconnect from the portal. This not only disconnects them, but also wipes clean temporary files that have been downloaded to their computer while working. For example, if they opened Office document attachments from the site, these will be wiped securely, so even if their computer is stolen, that data will not be recoverable by the thief:
When working with some services, such as OWA and SharePoint, UAG has the ability to manipulate the data stream received from the backend server, and add functionality to it. For example, in the case of SharePoint, as seen above, UAG rewrites the functionality behind the Log Off button, so that when a user clicks on it, it not only logs off from SharePoint, but also from the UAG portal itself. This is designed for convenience, of course: this way the user does not have to press Log Off multiple times. In fact, for SharePoint and OWA, UAG also rewrites the data that comes in from the server and hides the log-off buttons that these servers normally show, so that the user has only one button to click. This manipulation is called Application Wrapping, and it is also customizable by the server's administrator. With a good understanding of HTML and other web development technologies, as well as careful planning, an administrator can affect the way anything that goes through UAG looks. For example, the organization's logo can be added to pages, or specific text messages can be shown. Some customers have even used this technique to replace whole pages with others, to "cover up" information that they wanted to keep confidential.
UAG is offered to the public in two distinct distributions. A company can choose to purchase the product in the form of an appliance, or as a downloadable ISO image file, which can be burned to DVD or mounted as a virtual DVD drive and installed from. If you have elected to go with an appliance, then there's nothing to worry about with regards to requirements, but if you are to install it yourself, there are more things to consider.
UAG is a server product, and can only be installed on Windows Server 2008 R2 or later. Windows Server 2008 R2 is only available as a 64-bit system, so that will affect the hardware requirements that are discussed a little later in this chapter. Since UAG is ultimately just a piece of software running on Windows, it might be tempting for some organizations to try to conserve resources by assigning multiple roles to the UAG server. For example, a company might want to use the TMG included with UAG to publish some internal servers, or try to use TMG's web-caching features to speed up users' access to the web. Microsoft strongly discourages that notion, and for a very good reason: UAG is not just a program, it is a service that interacts with many other components. For example, when you publish an application on the server, UAG pushes the configuration directly into TMG, as well as IIS, so any changes the administrator makes to any of these components manually could interfere and conflict with those made by UAG. This could lead to various breaks and interruptions in functionality, and in a worst case scenario, could seriously jeopardize the security of the system. For example, misconfiguring TMG's Local Address Table (LAT), which lets TMG know which IP addresses are within the internal network and which are not, could lead it to think that a connection attempt from the external network (the internet) is actually coming from the internal one, and trust it falsely. In this case, it could let an attacker sneak in unnoticed. What's even more problematic is that if an administrator makes changes to components that they are not supposed to, it makes it difficult or impossible for Microsoft to support. You can think about this like a warranty sticker.
Just like the fact that opening up your stereo's case and fiddling with the wires would void the warranty, messing around with the "wires" of a complex software product can make the product unsupportable.
If you run into a problem, Microsoft's support can't guess what you've done and can't possibly check every setting in the entire system. They can inspect UAG's configuration and Networking configuration, but might not be able to find the real cause, as it's lurking away in some other configuration dialog that is not normally used.
The official guidelines dictate that UAG needs to be installed on a "clean" server, with no other applications installed on it. This might be somewhat over-protective. This doesn't mean you can't have an Anti-Virus running on the server—on the contrary, having an AV product is a great idea. However, to decrease the likelihood of an installation failure, it's best to start with a server that's clean, if possible. "Clean", in our book, doesn't mean a server that was loaded with stuff, and that stuff has been uninstalled. If your organization mandates certain software to be installed on every server, like a remote-management agent or hardware-specific software, these should not be seen as a deal breaker, and installation should still run smoothly. Keep in mind, though, that if it fails, Microsoft Support may request that you retry it with a clean server.
Another requirement for installation of UAG is administrative rights. This should be a no-brainer for most administrators, though we have seen cases where it has been missed. The computer can be a stand-alone server or a domain member, but if it is a domain member, then the installation needs to be done while logged on to the server as a domain user with local administrative permissions.
It's very important to correctly define the computer's Network configuration, computer name and domain membership before starting the installation, as some of these settings are difficult or impossible to change afterwards. You should have two Network cards installed – one for the "external" network, and one for the "internal" one. The external could connect to the DMZ, and you can rename the network cards at any point, but the following need to be configured:
If the computer name is some random string generated by your system deployment automation, make sure you set the server name to a permanent one, and if it is to be a domain member, join it to the domain first.
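The pre-installation settings above can be applied from a script so that nothing is left to be changed after the installer has recorded them. The following is an added example, not from the book or from the UAG product; it targets Windows Server 2008 R2 with PowerShell 2.0, which is why it calls netsh and netdom rather than the NetAdapter/NetTCPIP cmdlets that only arrived in Server 2012. The adapter names, addresses, subnets, computer name and domain are placeholders, and the choice of putting the single default gateway on the external adapter and DNS servers only on the internal one is standard TMG practice assumed here, not something the book states on this page.

```powershell
# Added example (not from the book): prepare network, name and domain
# membership BEFORE running the UAG installer. Run elevated; all values
# below are placeholders for your own environment.

$ExternalNic = 'Local Area Connection'      # NIC facing the DMZ / internet
$InternalNic = 'Local Area Connection 2'    # NIC facing the corporate LAN
$NewName     = 'UAG01'                      # permanent computer name
$Domain      = 'corp.example.com'           # domain to join, if a domain member

# 1. Name the adapters for what they do. UAG/TMG will later ask which one is
#    internal and which is external; unambiguous names prevent a swapped choice.
netsh interface set interface name="$ExternalNic" newname="External"
netsh interface set interface name="$InternalNic" newname="Internal"

# 2. Static addressing. Only the external adapter carries a default gateway;
#    internal subnets are reached through explicit static routes, so TMG's
#    routing table has exactly one default route and no ambiguity about where
#    "outside" is (assumed standard TMG practice).
netsh interface ipv4 set address name="External" source=static address=203.0.113.10 mask=255.255.255.0 gateway=203.0.113.1
netsh interface ipv4 set address name="Internal" source=static address=10.10.0.10 mask=255.255.255.0
netsh interface ipv4 add route prefix=10.0.0.0/8 interface="Internal" nexthop=10.10.0.1

# 3. DNS servers only on the internal adapter, pointing at an internal DNS
#    server that resolves both published servers and domain controllers.
netsh interface ipv4 set dnsservers name="Internal" source=static address=10.10.0.5 validate=no
netsh interface ipv4 set dnsservers name="External" source=static address=none validate=no

# 4. Permanent computer name. The rename takes effect at reboot, so the domain
#    join is a separate step after that reboot.
netdom renamecomputer $env:COMPUTERNAME /newname:$NewName /force /reboot:5

# 5. After the reboot, join the domain (prompts for the password), reboot
#    again, then log on as a domain user with local admin rights and run setup.
# netdom join $NewName /domain:$Domain /userd:"$Domain\Administrator" /passwordd:* /reboot:5
```

Run steps 1 to 4 first; the join on step 5 is left commented out because it must run on the next boot, once the new computer name is active. Save the script with the real values used, since this is exactly the information support will ask for if the installation misbehaves.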
An installation option favoured by many organizations these days is a virtual-machine based installation. This has many advantages – it allows easy change control via Snapshots or saved-states, as well as setting up a warm backup server easily. One must keep in mind, though, that this might have an impact on the server performance, as a guest machine is inherently weaker than its host, and this might introduce risks, especially in the Network Performance arena. When considering using a virtual machine, one must keep in mind that not all virtualization platforms are the same. Certain platforms are incompatible with UAG, so you should consult the Windows Server Virtualization Validation Program (SVVP) to make sure yours is supported. Don't take this lightly, as using an unsupported platform can cause serious problems. The SVVP validation website is here: http://www.windowsservercatalog.com/svvp.aspx?svvppage=svvpwizard.htm
Lastly, many organizations have their server hardware located in remote or secure server rooms, with management being done remotely. If that is the situation in your case, keep in mind that the installation of UAG affects the server's networking, and the installation might sever communications with the computer, since as part of the UAG installation, TMG is installed and launched. You might find yourself thrown off the RDP session and unable to reconnect to the server. We recommend you prepare a plan to gain physical access to the server in that case.
Since UAG is installed on top of Windows Server 2008 R2, the hardware requirements are combined with those of R2. The primary requirement for R2 is having a 64 Bit processor and 32 GB of free disk space, and that's easy enough to get these days. UAG's minimal requirements are that the processor is a dual-core one, running at 2.66 GHz or faster, 4 GB of memory, and an extra 2.5 GB of disk space.
In reality, UAG can run on weaker systems, so if you just need to install it temporarily for a proof-of-concept or for training purposes, you could get away with a lot less (though installing it on a Commodore-64 is really taking it too far). For production environments, the stronger the better, especially with memory size, as going with the bare minimum may limit the number of concurrent users the server can handle.
If you were hoping to learn here how many concurrent users the server can support, you're in for a disappointment. While some other server software has a very linear model for client support, UAG's performance varies significantly by the type of applications that are published and the way users use them. For example, RDP applications transfer a lot of data back and forth between the client and the target internal server, so that would put more stress on the UAG server compared to a typical intranet, mostly-text web portal. The only way to know with a reasonable amount of certainty how many users your server can support is with a baseline performance analysis. That would include analyzing typical user activity and simulating multiple users in a test environment, while using the built-in Performance Monitor to see how things are going. Doing performance analysis is not easy, and there's always a risk of miscalculating, but be wary of skipping this just because a sales person claims your server can support "thousands" or "millions" of users. We have seen quite a few deployments where the customer found out too late that they required more servers, and that was not only costly, but also quite frustrating and embarrassing to all parties involved.
We already mentioned the networking requirements earlier, but it's worth repeating. A UAG server is a router, and as such, needs two network cards. If you are deploying on a virtual machine, this is rather easy, but if it's a physical server, make sure you have two real NICs in place. There's no harm in having additional cards, although one must carefully plan the IP, mask and gateway settings so as not to arrive at a configuration that will prevent the routing mechanisms of TMG from making the correct decisions as to where to send packets and which dangerous or inappropriate traffic to block.
We assume a network administrator does not need this book to learn how to physically secure a server, but there is one hardware aspect that should be kept in mind. Many organizations place their servers in a secure location – a dedicated server room (a.k.a. The Dungeon), which is sometimes even isolated from the main company campus. This is not a bad practice, but keep in mind that during installation, remote-desktop connection to the server might be disconnected, so it's worthwhile to keep an option to reach the server physically. Another thing that's good to keep in mind is that UAG is designed to serve clients connecting from outside the organization, and so using it from "inside" is unsupported and will not work for the most part. Some features can be tested from the internal network, and some can even be tested by launching a browser on the server itself, but we strongly recommend that any organization plan for a "real" test client.
Installing the UAG client components on the UAG server itself, by using Internet Explorer on the UAG server and browsing to a UAG portal and allowing the installation of these components, can lead to undesired results. A real test client would be just a regular computer that is physically connected (either permanently or when needed) to an external NIC on the UAG machine, or to the same switch the Server is connected to on the external interface, and dedicated to being used to test the server, if a need arises. This is pretty easy to accomplish if the UAG server is a Virtual Machine, but even if it isn't and it sounds a little dumb to "waste" a computer or a switch port just for that, do it! It could save you hours and hours of frustration if the server experiences a problem. For example, if the organization decides to place an external Load Balancer in front of the server, you might have a tough time knowing to which server your test clients are connecting, but such a standalone client could eliminate that problem easily. If you are able to dedicate a reasonably strong machine for this, it would be even better to run several client Virtual Machine guest OSs on it, and thus be able to quickly test various scenarios.
From a networking perspective, placement is even more important. Most organizations place the server in their DMZ, and have one firewall in front of it, and another behind it. This is not a bad idea, even though UAG does include its own robust firewall, TMG. Regardless, if any additional networking hardware is in the picture, care must be taken to allow the right traffic to flow. The frontend firewall needs to allow traffic from any IP to the UAG server's external IP on port 443 for secure portal trunks, and on port 80 for non-secure trunks or for an HTTP-to-HTTPS redirection trunk (used when the portal is on HTTPS, but you want to avoid forcing your users to type the elusive 'https' prefix into the URL).
The backend firewall needs to be configured to allow UAG to communicate with whatever servers it needs to publish, as well as traffic to its domain controllers, and to the authentication servers used by UAG to authenticate end-users. In some scenarios that require the use of digital certificates, access to a Certificate Authority is also required. Keep in mind that if UAG is used to publish non-HTTP or non-HTTPS servers, additional ports may need to be opened. For example, if RDP access to internal servers is required, port 3389 needs to be allowed.
If load balancers are to be part of this dance, it introduces quite a few other considerations. For example, how is stickiness going to be preserved? Different load balancers have different mechanisms, and those need to be accounted for to make sure that once a user has connected to a UAG array member, they will not be handed off to another one, mid-session. UAG's session information is not shared across members of a UAG array, so if that happens, the user will be redirected to login again, and depending on what they were doing, may lose data.
Another important consideration to take into account is DNS. Clients that are connecting to UAG from the public internet will need to connect to the server using a host name, and not an IP address. Depending on an organization's DNS hierarchy and server placement, this may affect the deployment. This is especially true if SharePoint servers are to be published, as they require their own additional DNS mapping (more about that in Chapter 4). The UAG server needs to be able to resolve internal hostnames, so port 53 (UDP, and TCP for large responses) needs to be open on the internal firewall, if one exists. If load balancing, either front or back, is done, its effect needs to be planned as well, to make sure UAG has access to all the relevant internal servers.
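The backend firewall rules and the DNS requirement described in the last few paragraphs are easy to get subtly wrong, so it pays to verify them from the UAG server itself before the first publishing rule is created. The following is an added example, not from the book: a PowerShell 2.0 script (Windows Server 2008 R2 has no Test-NetConnection) that first checks that each internal name resolves, then attempts a TCP connection to the ports the text mentions. The hostnames are placeholders; the port list is constructed from the flows the text lists (published HTTPS server, RDP on 3389, domain controllers, DNS on 53 and a Certificate Authority) using the well-known port numbers for those services, and should be extended with your own published servers.

```powershell
# Added example (not from the book): verify name resolution and TCP reachability
# from the UAG server to the back-end systems behind the internal firewall.
# Hostnames are placeholders. PowerShell 2.0 compatible.

function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN/ACK within the timeout: filtered by a firewall or host down.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the port answered with RST (closed)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# If the UAG server cannot resolve internal names, nothing else below will
# work, so resolution is checked first (this exercises UDP/TCP 53 to the
# internal DNS server configured on the internal adapter).
function Test-NameResolution([string]$Name) {
    try { [System.Net.Dns]::GetHostAddresses($Name) | Out-Null; $true } catch { $false }
}

# Constructed list of the flows the text describes.
$checks = @(
    @{ Host = 'sharepoint.corp.example.com'; Port = 443;  Why = 'published HTTPS application' },
    @{ Host = 'ts01.corp.example.com';       Port = 3389; Why = 'RDP published through UAG' },
    @{ Host = 'dc01.corp.example.com';       Port = 389;  Why = 'LDAP to domain controller' },
    @{ Host = 'dc01.corp.example.com';       Port = 88;   Why = 'Kerberos to domain controller' },
    @{ Host = 'dc01.corp.example.com';       Port = 53;   Why = 'DNS (TCP) to internal DNS server' },
    @{ Host = 'ca01.corp.example.com';       Port = 135;  Why = 'RPC endpoint mapper for certificate enrollment (DCOM also needs dynamic ports)' }
)

foreach ($c in $checks) {
    $resolves = Test-NameResolution $c.Host
    $open     = if ($resolves) { Test-TcpPort -ComputerName $c.Host -Port $c.Port } else { $false }
    $state    = if (-not $resolves) { 'NO DNS' } elseif ($open) { 'open' } else { 'BLOCKED/closed' }
    '{0,-32} {1,5}  {2,-14} {3}' -f $c.Host, $c.Port, $state, $c.Why
}
```

A TCP connect only proves that the firewall passes the SYN and that something listens; it says nothing about UDP (Kerberos and DNS use UDP by default) or about whether the application behind the port will accept UAG's requests, so treat a row marked "open" as necessary, not sufficient, and a row marked "NO DNS" or "BLOCKED/closed" as a firewall or DNS ticket to raise before going any further.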
From a networking perspective, one must carefully plan the IP addresses assigned to the server, especially when NAT
