Forefront Unified Access Gateway 2010

Access Control for Publishing Design Guide

Microsoft® Corporation

Published: January, 2010

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows Server, and Active Directory are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents

Access control for publishing design guide

About this guide

Introduction to endpoint access design

Identifying your endpoint access deployment goals

Mapping your deployment goals to an endpoint access design

Planning for client authentication

Client endpoint access over HTTPS

About session authentication

Planning for frontend authentication

LDAP authentication

LDAP authentication flow

LDAP client certificate authentication

LDAP client certificate authentication flow

RADIUS authentication

Secret key

Challenge-response modes

RADIUS groups

RADIUS authentication flow

RSA SecurID authentication

Next Token mode

New PIN mode

RSA SecurID authentication flow

TACACS authentication

TACACS authentication flow

WINHTTP authentication

WINHTTP authentication flow

Planning for backend authentication to published servers

Basic, NTLM, or HTTP forms authentication

Kerberos constrained delegation

System requirements

Planning for federation with AD FS

Supported scenarios

ADFS prerequisites

Planning for endpoint health checking

Inbuilt access policies

NAP access policies

Planning to implement endpoint access policies

Using endpoint policies

Session endpoint policies

Application endpoint policies

Endpoint detection

Information collected from client endpoints

Planning for portal application authorization

Access control for publishing design guide

Forefront Unified Access Gateway (UAG) provides a gateway for remote employees, mobile workers, partners, and other third parties to access corporate applications and resources. To help secure applications published through the gateway, Forefront UAG allows you to define which users are allowed to access the applications, and how they authenticate to Forefront UAG and to the applications. Forefront UAG allows you to use a number of authentication servers to authenticate users to the portal.

About this guide

This guide is designed to help you understand how you can use Forefront UAG with authentication servers to identify and preauthenticate end users to the portal, and to authenticate end users to the published applications.

The guide is intended for the system administrator who is responsible for ensuring that end users are properly authenticated to the Forefront UAG portal and to the published applications.

Use this guide to:

· Understand endpoint access and identity concepts. For information, see Introduction to endpoint access design.

· Identify your endpoint access and identity deployment goals. For information, see Identifying your endpoint access deployment goals.

· Map your deployment goals to an endpoint access and identity design. For information, see Mapping your deployment goals to an endpoint access design.

· Start planning your deployment strategy. For information, see Planning an endpoint access design.

Introduction to endpoint access design

Forefront Unified Access Gateway (UAG) enables you to provide remote access to corporate applications and resources for remote employees, mobile workers, partners, and other third parties. However, providing remote access to applications and resources that are located on your corporate network could potentially lead to security breaches. Forefront UAG helps you to provide secure remote access only to the users and endpoints that you want to allow access to your applications and resources, by using a combination of endpoint health policies, authentication servers, and application access authorization.

· Health policies—Forefront UAG provides inbuilt policies that check the health of endpoint devices by checking for system settings and features on the endpoint. Each of the policies can be edited to check for specific settings or features, as required. You can also define your own policies. When checking the health of endpoint devices, you must find the correct balance between strict policies and more permissive policies, for a wide range of end users, using different endpoint devices, and requiring access to many different applications.

· Authentication servers—You can require users to authenticate for access to the Forefront UAG portal and application sessions. Forefront UAG supports a number of predefined authentication schemes; you can also create custom schemes. Configuring authentication requires you to set up authentication servers against which user credentials are verified.

· User authorization—In addition to user authentication, you can configure authorization settings for specific applications published in a portal. You specify which users and groups can access specific applications, based on users and groups defined on user and group servers used for authorization. You can configure users and groups on the same server you use for authentication, or you can combine authentication against one type of authentication server with the authorization of users and groups in a different authentication scheme.

Identifying your endpoint access deployment goals

For the successful deployment of Forefront Unified Access Gateway (UAG), you must identify your endpoint access deployment goals correctly. This topic is designed to help you identify your endpoint access deployment goals. By identifying these goals, you can clearly pinpoint the endpoint access design requirements necessary to meet each goal. Depending on the size of your organization, implementing a solution might require the involvement of other IT staff, in addition to the infrastructure specialist or systems architect. You can take advantage of existing, documented, and predefined endpoint access deployment goals that are relevant to endpoint access designs, and develop a working solution for your endpoint access scenarios.

This topic describes the following predefined goals:

· Providing remote access for employees—The primary goal for using Forefront UAG is to provide employees of your organization with secure remote access to applications and resources located on your internal network. This goal requires you to plan an authentication scheme for end users who access your portal, an authentication scheme for end users to connect to the published applications and resources, single sign-on (SSO) if required, and access policies to check the health of endpoints.

Within this goal are two possible scenarios: providing access for managed devices, and providing access for nonmanaged devices.

If you are providing access for employees using managed devices, you can use an authentication scheme that already exists within the organization. The authentication scheme may use smart cards, tokens, or certificates. When determining the health of the endpoint, you must ensure that the health checks that you perform, that is, the settings and features that you check using access policies, will accurately identify the endpoints as being managed or not managed.

When providing access for employees using nonmanaged devices, you must ensure that you can correctly identify the employee who is attempting to gain access to the internal applications and resources. To authenticate employees in this scenario, you may use a basic level of authentication to provide a minimal level of access. If the employee attempts to access restricted information, you can require them to provide further credentials. As you do not have control over the settings and features on the device, this may limit the thoroughness of the health checking performed on the device, which means that you can provide only a subset of functionality to these users. For example, if an end user on a managed device can download and save files stored on a SharePoint site, an end user accessing the same site from a nonmanaged device is not allowed to view the files.

· Providing remote access for partners—If your organization works with partners, it may be necessary to provide individual employees or groups of employees from the partner organization with remote access to applications and resources from your organization. To implement this goal, you can use Active Directory Federation Services (ADFS) to provide the identity information of the partner employees to your organization.

If you are unable to use ADFS to identify the partner employees, you can use shadow accounts within your own Active Directory domains.

When providing access to partner employees who are not using devices managed by your organization, you must try to find a balance in the health checking that you perform. If you are too restrictive, partner employees who should have access to the resources and applications that you publish may not be able to access them. However, if you are not restrictive enough, partner employees may be able to access and distribute proprietary information.

Note:

It is recommended that you use a dedicated Forefront UAG trunk when publishing applications for partners.

· Providing remote access for customers—Many companies must provide access to internal applications and resources to customers. For this goal, you should use or create a repository to store the customer identity information. When customers attempt to access the applications and resources that you publish, Forefront UAG authenticates the customer against this repository. Forefront UAG supports a variety of authentication schemes, or you can configure a user-defined authentication server.

To ensure that all of your customers can access the applications and resources that you publish, you should only perform generic health checking. You must also take care when defining the trunks and applications to ensure the integrity of your own network.

Mapping your deployment goals to an endpoint access design

To begin the Forefront Unified Access Gateway (UAG) endpoint access and identity design process, you must first identify your deployment goals (see Identifying your endpoint access deployment goals). After evaluating these goals, you can select a design that meets your endpoint access and identity deployment objectives.

The following table maps each possible deployment goal to the planning tasks that you must perform to implement that goal.

Deployment goal: Remote employee access

Planning tasks:

· Planning for frontend authentication, in particular LDAP authentication

· Planning for backend authentication to published servers

· Planning for portal application authorization

· Planning for endpoint health checking

· Planning to implement endpoint access policies

Deployment goal: Partner access

Planning tasks:

· Planning for federation with AD FS

· Planning for portal application authorization

· Planning for endpoint health checking

· Planning to implement endpoint access policies

Deployment goal: Customer access

Planning tasks:

· Planning for frontend authentication

· Planning for portal application authorization

· Planning for endpoint health checking

· Planning to implement endpoint access policies

Planning for client authentication

Forefront Unified Access Gateway (UAG) allows you to control client endpoint access to published resources, by using the following methods:

· Require an HTTPS channel between client endpoints and the Forefront UAG server.

· Apply session authentication. You can require client endpoints to authenticate in order to connect to a portal or an individually published Web application.

Client endpoint access over HTTPS

When you create a trunk to publish a portal or specific Web application, you can specify that client endpoints must communicate with the Forefront UAG server over an HTTPS connection. In this case, you must select a server certificate when you configure the trunk. This certificate is used to authenticate the Forefront UAG server to the client endpoint.

About session authentication

Forefront UAG enables you to control access to internal resources by verifying end user credentials against an authentication database. A portal or application session is opened only for end users who authenticate successfully; end users who cannot authenticate successfully do not gain access. Access is granted per end user, and each authentication instance is valid for only one session. Forefront UAG integrates with numerous authentication schemes even if the application being protected has no inherent support for the method you choose to implement; in that case, Forefront UAG serves as a client of the third-party authentication server. Forefront UAG also enables periodic reauthentication by applying a logoff scheme: after a predetermined time, end users must resubmit credentials to continue working; otherwise, their sessions are terminated.

To define session authentication, you should define an authentication server against which the credentials of end users who connect to a portal or application session are verified. For more information about Forefront UAG client authentication schemes, see Deploying frontend authentication servers.

Planning for frontend authentication

Forefront Unified Access Gateway (UAG) supports a number of different authentication protocols to authenticate end users to the Forefront UAG portal. By using these authentication protocols, you can provide strong authentication, for example two-factor or smart card authentication.

The following topics describe the supported authentication protocols:

· LDAP authentication

· LDAP client certificate authentication

· RADIUS authentication

· RSA SecurID authentication

· TACACS authentication

· WINHTTP authentication

Note:

If you do not want to use one of the authentication schemes provided by Forefront UAG, you can configure a custom authentication scheme.

LDAP authentication

Lightweight Directory Access Protocol (LDAP) is an Internet protocol for querying and modifying directory services. The LDAP authentication server keeps information about users, including authentication information such as user properties and authentication scripts, in special-purpose databases termed directories. When a connection request arrives at the Forefront Unified Access Gateway (UAG) server, the user name and password are authenticated against the LDAP directory.
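As an added illustration of how a gateway verifies a user name and password against an LDAP directory (search for the account, then bind as it), the following Python is example code and not part of Forefront UAG; the in-memory directory, account names and passwords are constructed stand-ins for a real LDAP server.

```python
"""Search-then-bind LDAP authentication as a gateway performs it.
Two checks a practitioner wants: the user name is escaped before it is
placed in the search filter (RFC 4515), and an empty password is refused
before binding, because many directories answer an empty-password bind
with an *unauthenticated* success (RFC 4513 section 5.1.2)."""
from dataclasses import dataclass

# RFC 4515 escaping for values embedded in an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_name: str) -> str:
    # Escaping keeps a user-supplied name from altering the filter structure.
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(user_name)}))"


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP server: logon name -> (DN, password)."""
    accounts: dict

    def search_dn(self, ldap_filter: str):
        # Resolve the filter to the account's distinguished name, if any.
        for name, (dn, _pw) in self.accounts.items():
            if build_user_filter(name) == ldap_filter:
                return dn
        return None

    def bind(self, dn: str, password: str) -> bool:
        if password == "":
            return True  # models the unauthenticated-bind behaviour of real servers
        return any(d == dn and p == password for d, p in self.accounts.values())


def authenticate(directory, user_name: str, password: str) -> bool:
    """Return True only when the account exists and the bind proves the password."""
    if not password:  # never let an empty password reach the bind
        return False
    dn = directory.search_dn(build_user_filter(user_name))
    if dn is None:
        return False
    return directory.bind(dn, password)


# Constructed sample directory (fictitious accounts and passwords).
SAMPLE_DIRECTORY = FakeDirectory({
    "alice": ("CN=Alice,OU=Users,DC=example,DC=com", "s3cret-alice"),
    "svc(backup)": ("CN=svc backup,OU=Svc,DC=example,DC=com", "s3cret-svc"),
})
```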