Dominik Zemp, Microsoft Switzerland Ltd Liab. Co.: Install and Configure Remote Access for SharePoint...
TRANSCRIPT
Dominik Zemp, Microsoft Switzerland Ltd Liab. Co., [email protected]
Forefront UAG 2010: Install and Configure Remote Access for SharePoint (and RemoteApp and DirectAccess) In An Hour
Agenda
• What is Forefront UAG?
• UAG Solution and Internal Architecture
• How to Publish SharePoint via UAG
• Live Demos
• How to Publish RemoteApps, DirectAccess, etc. via UAG
• Q & A
What are the different Microsoft Remote Access Solutions?
Answer:
• Threat Management Gateway (TMG)
• DirectAccess
• Remote Desktop Services
• Windows RAS (SSTP)
• Unified Access Gateway (UAG)
And which ones are for SharePoint?
Answer:
• Threat Management Gateway (TMG)
• DirectAccess
• Remote Desktop Services
• Windows RAS (SSTP)
• Unified Access Gateway (UAG)
What is Forefront UAG?
Solution and Internal Architecture
Unified Access Gateway (UAG) is the next version of Intelligent Application Gateway (IAG), with the vision and mission of providing managed, unmanaged and mobile devices with unified, secure anywhere access to on-premise and in-the-cloud applications.
What is Forefront UAG?
What (Data), Who (Identity), Where (Device)
UAG Connectivity Approach (diagram): managed and unmanaged devices (corporate managed laptop, home PC, unmanaged partner PC, kiosk) used by internal and external users (financial partner or field agent, project manager employee, logistics partner, remote technician employee) reaching private resources (web apps, client-server apps, legacy apps, third-party apps, homegrown apps, file access; SharePoint, payroll & HR, custom financials, supply chain, webmail, tech support app). Example restrictions shown: limited webmail (no attachments), limited intranet.
Each session is tailored according to its user and the device in use, maximizing security and productivity for that session.
UAG Solution Architecture (diagram): Internet-side clients (employees on managed machines, business partners / sub-contractors, home / friend / kiosk, mobile) connect to UAG over HTTPS (443), DirectAccess or a Layer 3 VPN; UAG authenticates against AD, ADFS, RADIUS, LDAP, NPS, ILM, etc. and publishes internal Exchange, CRM, SharePoint, IIS-based, IBM, SAP and Oracle applications, Terminal / Remote Desktop Services and non-web applications over HTTPS / HTTP.
• Strong authentication
• Endpoint health detection: NAP and down-level
• Authorization: based on health status; who + where
• Information leakage prevention: attachment/cache wiper
Authentication Repositories
Active Directory, LDAP, TACACS, RADIUS, RSA, Smart Card, Certificates, KCD, ADFS, etc. (using UAG Hooks)
• No need for directory replication or repetition
• Alternative approaches require a local repository
Single Sign-On
• Transparent Web authentication: HTTP 401 request, static Web form, dynamic browser-sensitive Web form, Kerberos Constrained Delegation
• Integrates with: password change management, user repositories
UAG Endpoint Policies
• Inbuilt policies can check the health of endpoints connecting to the UAG portal and applications
• Check system settings and features on the endpoint
• Control access to trunk and applications, as well as actions such as downloading and uploading files
• Supports Windows, Mac OS, and Linux
• Platform-specific policies enforced according to the operating system on the endpoint device
• Predefined policies enabled by default
• Can be edited to check for specific settings or features, as required
• Administrators can also define their own policies
NAP Support
• Enforces compliance and provides remediation for clients connecting through portal trunks or DirectAccess
• Each scenario uses NAP in a different way
• For portal trunks, UAG receives the statement of health (SoH) from the client and enforces policies directly
• For DirectAccess, IPsec policies require a "health certificate" issued independently by NAP
Endpoint Session Cleanup
• Wipes out the locally stored content upon session termination
• Prevents information leakage
• Removes: downloaded files and pages, AutoComplete form contents, AutoComplete URLs, cookies, history information, any user credentials
UAG Internal Architecture (diagram): on Windows Server, UAG builds on TMG, Windows NLB, RRAS, IIS and TS Gateway / RD Gateway. Its admin/core layer comprises the UAG Filter, Session Manager, User Manager, Config. / Array Manager, UAG Logic, Tracing & Logging, a Management UI and a SCOM MP. Functional blocks: Web Application Publishing (internal site portal), IP VPN (SSTP Layer 3 SSL tunnel), and DirectAccess (DirectAccess server with DNS-ALG, NAT-PT, ISATAP, IP-HTTPS, Teredo, 6to4, native IPv6 and DTE / DoSP).
How to Publish SharePoint?
Technical Details and Live Demos
Alternate Access Mappings
• Enable SharePoint to map Web requests to the correct Web sites and apps
• Define alternative public and internal URL names for the SharePoint Web site
• Should match the URLs typed by the user or provided by the reverse proxy (like UAG)
• Configured on the SharePoint Central Administration site
What every SharePoint Administrator needs to know about Alternate Access Mappings
Mistake #1: "I'm not deploying SharePoint in an unusual way, so I don't need to worry about configuring Alternate Access Mappings."
Mistake #2: Your reverse proxy server's "link translation" feature is sufficient.
Mistake #3: Trying to reuse the same URL in AAM or not aligning the URLs to the same zone.
Source: http://blogs.msdn.com/sharepoint/archive/2007/03/19/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-2-of-3.aspx
UAG vs TMG (TMG 2010 compared with UAG 2010; "basic" marks where TMG offers only a basic form of the feature group, UAG the full version)
• Wizards and predefined settings (TMG: basic)
• Information leakage prevention (session clean-up)
• Endpoint health-based authorization
• Web farm load balancing (WFLB)
• Advanced authentication schemes (e.g. AD FS)
• Rich client authentication
• Single sign-on
• Unified portal
• Application protection (Web application firewall) (TMG: basic)
• Policy-based access (granular policies)
• Array support
• AAM support
• Customization and manipulation (UI, applications) (TMG: basic)
Live Demo
SharePoint Publishing
What’s next?
How to Publish RemoteApp and DirectAccess
RD Gateway Publishing
• UAG seamlessly integrates Remote Desktop Gateway (RDG) to provide an application-level gateway for RDS applications
• Enables employees to securely access applications that are hosted on a Terminal Server or on their internal workstation
Benefits:
• Enhanced authentication
• Single sign-on experience
• Granular policies based on client health: no anti-virus, no drive sharing
• RemoteApps are integrated into the UAG portal side by side with Web applications
• Integrated deployment and management with other remote access technologies
In UAG, RD/TS client traffic goes over HTTPS. The HTTPS tunnel is terminated at UAG, so the traffic can be inspected there. The traffic is then passed to the backend RD Session Host using the RDP protocol.
RD Gateway Publishing (diagram): RD/TS client (MSTSC) → RDP over HTTPS → UAG + RDG → RDP → RD Session Host (TS Server)
UAG and DirectAccess (diagram): Windows 7 "Always On" clients reach the DirectAccess server + UAG over IPv6 and from there Windows Server 2008 R2 hosts natively over IPv6, while Windows Server 2003, legacy application servers and non-Windows servers are reached over IPv4; SSL-VPN serves PDA, Windows Vista / Windows XP and non-Windows clients over IPv6 or IPv4.
UAG and DirectAccess better together
• Extends access to line-of-business servers with IPv4 support
• Access for down-level and non-Windows clients
• Enhances scalability and management
• Simplifies deployment and administration
• Hardened edge solution
UAG provides access for down-level and non-Windows clients; UAG improves adoption and extends access to existing infrastructure
UAG enhances scale and management with integrated LB and array capabilities
UAG uses wizards and tools to simplify deployments and ongoing management
UAG is a hardened edge appliance available in HW and virtual options
Under the Hood: IPv6 Gateway
UAG provides IPv6 connectivity between Internet clients and internal servers, either with native IPv6 connectivity or using transition technologies.
(diagram) Internet client machines reach UAG via 6to4, Teredo or IP-HTTPS; UAG reaches intranet servers via native IPv6, ISATAP or NAT64.
Under the Hood: IPsec Tunnels
Connectivity to the corporate network is done using IPv6, protected by IPsec tunnels and transported over IPv4 using IPv6 transition technologies (6to4, Teredo, IP-HTTPS):
(diagram) From the client machine across the Internet to UAG, an infrastructure tunnel reaches the domain controllers, DNS, HRA and management servers, and an intranet tunnel reaches the rest of the machines in the corporate network; on the intranet side each tunnel carries traffic over IPv4 via NAT64, native IPv6 or ISATAP.
Under the Hood: NAT64, DNS64
Step 1: User machine tries to resolve the address of an IPv4-only server (host name x.contoso.com, IP 100.1.2.3; NAT64 prefix on UAG: 2a01:110:6:6:6:6::/96):
1. Client machine → UAG (DNS64): DNS AAAA query for "x.contoso.com"
2. UAG → DNS server: DNS AAAA query for "x.contoso.com" and DNS A query for "x.contoso.com"
3. DNS server → UAG: DNS A response, IP 100.1.2.3
4. UAG (DNS64) → client machine: DNS AAAA response, IP 2a01:110:6:6:6:6::100.1.2.3
Step 2: User machine sends a packet to the IPv4 server (x.contoso.com, IP 100.1.2.3):
1. Client machine sends the packet to 2a01:110:6:6:6:6::100.1.2.3 (the DNS64-synthesized address inside the NAT64 prefix 2a01:110:6:6:6:6::/96)
2. UAG (NAT64) translates the destination and forwards the packet to 100.1.2.3 on the IPv4-only server
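As an added example (not code from the slides or from UAG), here are Step 1 (DNS64 synthesizing an AAAA answer) and Step 2 (NAT64 recovering the IPv4 destination) in Python, using the slide's prefix 2a01:110:6:6:6:6::/96 and host 100.1.2.3; the slide's mixed notation 2a01:110:6:6:6:6::100.1.2.3 is the same address as 2a01:110:6:6:6:6:6401:203. The resolve_for_client helper and its record tables are constructed assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Values from the slide: the NAT64 prefix configured on UAG (a /96, so the
# low 32 bits of the IPv6 address carry the embedded IPv4 address).
NAT64_PREFIX = ipaddress.IPv6Network("2a01:110:6:6:6:6::/96")


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """Step 1 (DNS64): build the AAAA answer for an A-only name by placing the
    IPv4 address in the low 32 bits of the /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding shown on the slide is handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """Step 2 (NAT64): given the IPv6 destination of a client packet, recover the
    IPv4 destination if the address lies inside the NAT64 prefix. Any other
    destination is native IPv6 and is not translated, so None is returned."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def resolve_for_client(name: str, a_records: Dict[str, str],
                       aaaa_records: Dict[str, str]) -> Tuple[Optional[ipaddress.IPv6Address], bool]:
    """Constructed stand-in for the DNS64 decision: a real AAAA record is
    returned unchanged; a name with only an A record gets a synthesized AAAA.
    Returns (address, synthesized) so callers can tell the two cases apart."""
    if name in aaaa_records:
        return ipaddress.IPv6Address(aaaa_records[name]), False
    if name in a_records:
        return dns64_synthesize(a_records[name]), True
    return None, False


if __name__ == "__main__":
    # Constructed record tables: x.contoso.com is the slide's IPv4-only server.
    a_records = {"x.contoso.com": "100.1.2.3"}
    aaaa_records: Dict[str, str] = {}
    addr, synthesized = resolve_for_client("x.contoso.com", a_records, aaaa_records)
    print("AAAA answer:", addr, "(synthesized)" if synthesized else "(real)")
    print("NAT64 forwards to:", nat64_extract(str(addr)))
```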
Live Demo
RemoteApps and DirectAccess
Thank you for your attention! For more information please contact:
Dominik Zemp, TSP Security
[email protected], +41 (43) 456 66 94, +41 (0) 78 844 66 94
Microsoft Switzerland, Richtistrasse 3, 8304 Wallisellen
Resources
UAG 2010 Eval Download: http://technet.microsoft.com/en-us/evalcenter/dd183100.aspx
UAG Team Blog: http://blogs.technet.com/edgeaccessblog/default.aspx
TMG Team Blog: http://blogs.technet.com/isablog/default.aspx
Forefront Edge IAG/UAG Support Forum: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag