(For more resources related to this topic, see here.)
The four faces of UAG
Microsoft Forefront UAG is a product focused on centralizing and managing access to internal resources from external networks.
The aforementioned statement is expressed through the following four access models:
Reverse proxy (portal)
We are able to select the HTTP or HTTPS protocol to publish the resources, and the choice will be related to security requirements, with no significant difference in the functionalities available in the two configurations. In UAG, there is also a viable alternative, the capability to pre-authenticate a user account. The access gateway will act as the endpoint of the HTTPS connection and inspect the traffic before passing it to the backend servers for authentication, adding a security layer against common Internet threats.
Planning a successful deployment
Before installing UAG, there is a planning phase necessary to select the kind of deployment that is more fit to our company's needs. UAG is able to work with different levels of isolation from the internal network and resources that we will make available to external users.
We are able to divide the above aspect into three different design and deployment topics:
The logical network in which UAG will be located
The security context in which UAG will be working
The IT system that will be used for the security, compliance controls, and authorization of the end points that will require access to our resources
Let us start from the first point, the selection of the logical network where UAG will be positioned.
The possible scenarios are as follows:
When UAG is directly connected to an external network
When UAG is behind an external firewall
When UAG is installed in a DMZ between an external and an internal firewall
Our objective is to publish resources in an efficient manner while keeping up the security level. It is a work that requires a balance between control and easiness ( often they are inversely proportional). If we plan to connect the external interface of UAG directly to a public network, we are relying on the local installation of TMG with its rules to protect the host. If we have an existing firewall, it's a good idea to keep it in front of UAG, because the level of the security will not be lowered (UAG requires TCP ports 80 and 443, and the HTTP port is in use only if we plan to deploy a listener with no encryption), and we gain an additional layer of security.
The last scenario is a classic DMZ, with a second firewall deployed to isolate the Internet-exposed services from the internal network. The complexity of the configuration will be related to the UAG features we are going to use, for example, with DirectAccess it requires many modifications on the firewall before we are able to make it work. The second topic in our list is the domain membership. We have an easier deployment with UAG added as a member server to our domain, while the reverse scenario (standalone server) is interesting only if we have some concern about security on our UAG server. The third point is the control of the end points as we are able to select UAG or a Microsoft NAP infrastructure to check the devices requiring a connection. We will be talking about this topic later, but using NAP has no benefits with our scenario that is based on mobile devices.
Step 1 — What we need
The minimum hardware requirements are as follows:
2.66 GHz, Dual core CPU
4 GB memory and 2.5 GB of free disk space
Two network adapters
There is no official sizing guide for UAG.
A common suggestion is to install a test environment and to evaluate our needs based on this experience.
It makes sense because there are no typical deployment scenarios for UAG, and requirements are related to the features we will use and to the number of trunks and applications we are going to use.
The given value for disk space is really an installation minimum. All the user activities will be logged by the system because UAG is also in charge of the application layer security, which implies that we will need a lot of disk space to manage the logs. When the number of connections (or the number of UAG servers) increases, we can send the logs to an external SQL server. The advantages of such a solution are not only related to the disk space and performances on the UAG host, but also to the consolidation and easier reporting of the log data.
Logging to the SQL server requires a configuration in TMG; for more details see the related TechNet article at http://technet.microsoft.com/en-us/library/dd897065.aspx.
The following are the software requirements for the installation process:
Windows Server 2008 R2 Standard SP2, Windows Server 2008 R2 Enterprise SP2, or Windows Server 2008 R2 DataCenter SP2.
All the required Windows roles and features will be automatically installed (Network Policy Server, Routing and Remote Access Services, Active Directory Lightweight Directory Services Tools, Web Server (IIS) Tools, Network Load Balancing Tools, and Windows PowerShell).
All the required system components will be automatically installed (Microsoft .NET Framework 3.5 SP1, Windows Web Services API, Windows Update, Microsoft Windows Installer 4.5, SQL Server Express 2005). Forefront TMG is installed as a firewall during the Forefront UAG setup, and following this a Windows Server 2008 R2 DirectAccess component is added.
Step 2 — Software that we need to have available
The most recent version of the UAG installation media (or ISO) has Forefront Unified Access Gateway 2010 with Service Pack 1, and TMG with Service Pack 1 Update 1 slipstreamed. If we select the setup.exe file and look at the properties of the file, we will see a product version 4.0.1752.10000, that is the version number related to the Service Pack 1.
However, on June 8, 2012, UAG Service Pack 2 was released and that is important for our work, because as we said the number of mobile devices supported has been expanded.
The following is the logical order of the installation, using the media available at the time of writing.
The list of the steps is pertinent also for existing installations; we will have to start the checklist from the step following the last applied update.
1. UAG installation.
2. TMG updates (before the UAG updates).
3. TMG SP2 (KB 2555840).
4. TMG SP2 Rollup 2 (KB 2689195).
5. UAG SP1 Update 1 (KB 2585140).
6. UAG SP2 (KB 2710791).
Please remember to activate UAG after any update and before applying the next one. Often there are problems (for example, lost configuration) going from update to update with no activation in between.
If we have already installed UAG and are missing UAG SP 1, we have to install it after updating TMG and prior to step 5 (UAG SP1 Update 1) of the checklist.
Operating system and SQL updates are usually installed before we start with the UAG and TMG updating process, but we are free to apply those updates at the end of the previous steps.
UAG 2010 Service Pack 3 will probably be available during the first quarter of the calendar year 2013, and will provide support for Windows 8, Office 2013 clients, publishing Exchange 2013, and publishing SharePoint 2013.
Step 3 — Install Forefront UAG
It is strongly suggested to use the console for the installation process of UAG.
If we are using RDP, after the first part of the installation process (that includes the installation of TMG) the remote connection will no longer work. We have to modify the TMG rules to resolve the issue. Right-click on Firewall Policy | All Tasks | System Policy | Edit System Policy, then go to Remote Management | Terminal Server | Tab General | Enable | Tab From and insert the source IP that is allowed to access via RDP to our Forefront machine (for example, add it to Enterprise Remote Management Computers).
There are some limits and topics to know before installing UAG. The Support boundaries documentation on the TechNet site contains this information. It is available at http://technet.microsoft.com/en-us/library/ee522953.aspx.
Setup choices will also depend on the above notes.
We can start launching the Setup.exe file from the UAG installation folder.
We will have a Welcome screen, and then proceed using the Next button, as shown in the following screenshot:
In the Sign Agreement screen, select to accept the license terms and use the Next button.
The installation process will install a full deployment of TMG and UAG.
During the Select Installation Location screen, we have to select the path where the UAG deployment will be placed.
We are offered no choice on the installation location for TMG.
The UAG setup will go on requiring no interaction.
If we are installing with the Windows Firewall active, we will need to permit the Active Directory Lightweight Directory Services Installer traffic.
AD-LDS will be used by TMG to save the TMG configuration data.
After the TMG installation phase, we will be required to restart the server.
The setup wizard will give us the usual radio buttons with Restart Now or Restart Later, as shown in the following screenshot:
UAG installation will continue after we log on again to our host.
Another system restart will be required, but this time the message will state that the wizard has been completed, as shown in the following screenshot:
Step 4 — First configuration of Forefront UAG
As we stated in a previous note, it is important to activate UAG before an upgrade with service packs, to prevent installation issues. The very first time we launch the UAG management console, the Getting Started wizard will be activated, with the aim to help us in the basic configuration of UAG:
At the top of the list, we will have the Configure Network Settings procedure.
The idea is to help us set the various network interfaces and addresses of our host.
The welcome page explains that we will define network adapters and addresses.
The next screen will ask us to select the context of the network interfaces we have configured on the host. The main objective here is to define at least an internal and an external network interface.
The only supported configuration is the one with two network interfaces, as is specified in the aforementioned Support boundaries document.
A typical configuration requires the external network interface configured with a default gateway and no DNS server. The internal interface should have no gateway and use the internal network (domain) DNS servers.
If we have an internal network with more than one subnet, this configuration requires us to add static routes to all the networks that are not directly connected to UAG.
This is depicted in the following screenshot:
The previous step will be followed by the Define Internal Network IP Address Range window. As we said, UAG is a software to connect external users to internal resources, so the steps to outline the various networks have a deep impact on all the configurations that we're going to set from now on.
The internal network is configured by selecting the internal adapter. By default, TMG protects the internal network from all other networks except the Local Host network. System policy rules in TMG expect services such as DNS servers, RADIUS servers, and domain controllers to be located with in the internal network.
To learn more, refer to the Internal and perimeter network properties document which can be found at http://technet.microsoft.com/en-us/library/cc441726.aspx.
We will be asked to confirm what we have done in the previous steps of the Network Configuration Wizard window.
When the Configure Network Setting wizard is completed, we will be moved to the second step, Define Server Topology. TMG uses the parameters we have configured in the previous steps to create network objects. For example, our internal IP range is assigned to the internal network object.
The Server Management Wizard window is our way to deploy an array of UAG servers or to define a single host. It will start with a simple welcome page.
Our configuration will be a single server deployment, so we will have to select the first option.
UAG uses the TMG standalone array infrastructure to provide scalability and high availability. To get started with the installation of a UAG array, we can start from the TechNet article Array deployment guide available at http://technet.microsoft.com/en-us/ library/dd857305.aspx.
A configuration like this requires no further steps, and so we will have a simple confirmation screen.
We are back to the Getting Started Wizard window, with the first two steps cleared, and the last one, Join Microsoft Update to be completed:
The first screen is a simple welcome screen, so we will go on with the Next button.
The first decision is related to Microsoft Update; if we want to use it, use our source for updates for UAG (and other Microsoft software).
TMG also uses the Microsoft Update service to update malware definitions. WSUS is another alternative update method supported by TMG. For a complete table of the available features, refer to the Configuring update settings article available at http://technet.microsoft.com/en-us/library/cc995320.aspx.
We will have the opportunity to join the Customer Experience Program, so we are able to select our preferred option and the Next button again.
The wizard is now completed. A last confirmation screen will be displayed and we're able to select the Finish button.
The Getting Started Wizard window will require a last confirmation before activating the UAG configuration.
Before we activate the configuration, we will be prompted for a path to save a backup of our existing configuration (we can protect it with a password).
A last confirmation to the backup and activation step is required.
Each time we activate UAG , it automatically exports the configuration (if we leave the checkbox selected.
And here we are, the first configuration is completed and we're ready to work with UAG.
Step 5 — Updating Forefront TMG and UAG
We outlined the steps required to upgrade TMG and UAG at the second step of the installation process.
We will start our updating process from Service Pack 2 for TMG.
The next step is TMG SP2 Rollup 2 (this is cumulative, so we don't need Rollup 1).
Now we have to install UAG Update 1.
If we try to skip the aforementioned update, and go straight to the Service Pack 2 for UAG, the latter will present an error.
The UAG Update 1 will start.
Now, before we take the next step, it's really important to activate UAG again.
To do so we will have to open the UAG management console and run the little "gear" icon, as shown in the following screenshot:
The last step will be the installation of UAG Service Pack 2.
Again, it's a good idea to check UAG to verify the release level (select the Help menu in the UAG management console and then select About).
In the course of this article, we have seen the logic, pre-requirements, and configuration steps required to deploy UAG starting from the installation media and upgrading the system to the latest available service pack. TMG played an important part in the whole explanation because UAG heavily relies on TMG features to deliver its own features. Now with a working installation at our disposal, we will go on to configure SharePoint and SharePoint Workspace through UAG, to learn the fundamentals of application publishing and access.
Resources for Article :
- Microsoft Forefront UAG: Preparing, Creating, and Publishing an HTTPS Trunk [Article]
- Customizing Look and Feel of UAG [Article]
- Creating and configuring a basic mobile application [Article]