By Richard Raseley on August 03, 2010

Introduction

Forefront Unified Access Gateway 2010, formerly known as Intelligent Application Gateway, is Microsoft’s current generation solution for providing remote access to internal resources.

One of the exciting features in UAG is the ability to publish internal web applications through a secure portal. This lets you control which users have access to which applications and enforce security requirements on the computer or device from which the user accesses the site.

Pre-Configuration Tasks

Before you begin the publishing tasks you will have to decide on the namespace you want to use and procure a certificate to match that namespace. In our example we will be using the address portal.domain.com to publish the UAG portal site.

Keep in mind that when publishing applications via this portal site, all applications will require an address that exists under the top level portal address. For example, when publishing a SharePoint site, you will have to assign it an address like sharepoint.portal.domain.com.

In addition to the DNS entries that must be created for the solution (portal.domain.com and sharepoint.portal.domain.com in our example), you must obtain a certificate that covers the portal and all the sites underneath it. The best option in this situation is a wildcard certificate that covers the portal.domain.com site and all sites underneath it. Alternatively, you could obtain (or create) a certificate that covers portal.domain.com and also lists every application site you wish to create as a Subject Alternative Name.
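Because every published application lives one label under the portal name, it is worth checking the certificate's names against the full list of hosts before the trunk and applications are created. The script below is an added example written for this page (it is not part of the original post and not a UAG tool): it applies the one-label wildcard rule from RFC 6125, so *.portal.domain.com matches sharepoint.portal.domain.com but neither the bare portal name portal.domain.com nor a host nested two labels deeper. The host names and certificate names are constructed for the example; fetch_peer_names is an assumed convenience for reading the names from an already deployed portal over the network and is not exercised offline.

```python
"""Check that a certificate's names cover every host a UAG portal trunk will publish."""
import socket
import ssl


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against one host name.

    A wildcard is honoured only when it is the entire left-most label, and it
    matches exactly one label: *.portal.domain.com covers sharepoint.portal.domain.com
    but not portal.domain.com and not a.b.portal.domain.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_hosts(cert_names, required_hosts):
    """Return the required hosts that no certificate name (CN or SAN) matches."""
    return [
        host for host in required_hosts
        if not any(_name_matches(name, host) for name in cert_names)
    ]


def names_from_peercert(cert: dict) -> list:
    """Collect DNS names from a dict shaped like ssl.SSLSocket.getpeercert():
    the Subject commonName plus every DNS entry of subjectAltName."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return names


def fetch_peer_names(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Connect to a live portal and return the names its certificate presents.

    Needs network access, so it is not run in the offline demo below. The default
    context verifies the chain, which is what an external client will do too.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return names_from_peercert(tls.getpeercert())


if __name__ == "__main__":
    # Constructed scenario from the post: the portal plus one published SharePoint site.
    required = ["portal.domain.com", "sharepoint.portal.domain.com"]
    candidates = {
        "wildcard only": ["*.portal.domain.com"],
        "wildcard plus portal name": ["portal.domain.com", "*.portal.domain.com"],
        "explicit SANs": ["portal.domain.com", "sharepoint.portal.domain.com"],
    }
    for label, names in candidates.items():
        missing = uncovered_hosts(names, required)
        verdict = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{label}: {verdict}")
```

The "wildcard only" candidate fails for portal.domain.com itself, which is why the post says the certificate must cover the portal site and the sites underneath it: a wildcard alone is not enough unless the bare portal name is also present, and an explicit SAN list has to be reissued each time a new application host is added.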

Creating SSL Trunk

To create the portal trunk that we will use to publish applications, first open up the Forefront Unified Access Gateway Management Console. In the left pane, right click on HTTPS Connections and choose New Trunk. Please note that we will be accepting defaults for most of the configurable options in this section.

In the Welcome to the Create Trunk Wizard screen, click Next. In the Select Trunk Type screen, ensure Portal Trunk is selected and click Next. In the Setting the Trunk screen, enter the Trunk Name (a friendly name the trunk will go by) and the Public Host Name (the external URL that the trunk will be accessed from, portal.domain.com in our example), ensure the proper IP address and ports are selected, and click Next. In the Authentication screen, click the Add button, select one of your Domain Controllers to use for authenticating users, and click Next. In the Certificate screen, select the certificate that you procured in the previous step and click Next. In the Endpoint Security screen, click Next. In the Endpoint Policies screen, click Next. In the Completing the Create Trunk screen, click Finish.

Your portal has now been created with default options! At this point, use an external connection to navigate to https://portal.domain.com and view the result.

Publishing SharePoint Application

To publish the SharePoint web application, first open up the Forefront Unified Access Gateway Management Console. In the left pane, expand HTTPS Connections, right click on the Trunk you created in the previous section, and click Add Application. Please note that we will be accepting defaults for most of the configurable options in this section.

In the Welcome screen, click Next. In the Select Application screen, select the Web radio button and choose Microsoft SharePoint Server 2010 from the Web drop-down list. In the Configure Application screen, enter the Application Name (a friendly name the application will go by) and click Next. In the Select Endpoint Policies screen, click Next. In the Deploying an Application screen, ensure the Configure an Application Server radio button is selected and click Next.

In the Web Servers screen, double-click the blank space to the right of Addresses and enter the address (without the http:// or https:// prefix) that you use to access your SharePoint 2010 site internally. In the Public Host Name field, enter the DNS name you have given the site (in our example you would enter “sharepoint.portal”). Check the box next to Replace the Host Header with the Following and, in the associated box, type the address that you use to access your SharePoint 2010 site internally. Then click Next.

In the Authentication screen, click Add and add at least one Domain Controller that users will authenticate against, then click Next. In the Portal Link screen, click Next. In the Authorization screen, click Next. In the Completing the Add Application Wizard screen, click Next.

Conclusion

When properly configured, Forefront Unified Access Gateway 2010 is a powerful tool for providing remote access to your internal web applications (and many other internal resources). In my example I accepted mostly default settings; however, there are many powerful options available to help you control access, security, and endpoint compliance.