Forefront UAG: About Endpoint Components
In order for remote endpoint devices to access internal applications and resources via a UAG portal or Web site, UAG installs endpoint components on endpoint devices. UAG endpoint components are required for the following scenarios:
- Endpoint detection - The UAG Endpoint Detection component is installed on endpoints. Before it runs, the endpoint verifies the identity of the UAG site against the server certificate that the site presents (for HTTPS) and checks whether the site is in the endpoint's trusted sites list. If the site is trusted, the Endpoint Detection component runs, collects data that identifies the endpoint's features and settings, and determines which endpoint components are installed on the device. The detection results are then compared against the UAG policies, and the level of access allowed for the endpoint is determined from that comparison. Because the access decision depends on these checks, an endpoint that does not trust the site's certificate, or does not have the site in its trusted sites list, does not run Endpoint Detection.
- Browser cache wiping - The UAG Endpoint Session Cleanup component runs on the endpoint device to delete persistent data that is downloaded to an endpoint from the sites protected by UAG (or data related to the UAG session that is created by the endpoint browser). Cleanup occurs when a UAG session ends, when a user logs off from a UAG site using the site logoff mechanism, during a scheduled logoff or cleanup, or after an unscheduled power outage or reboot. The component deletes items that are saved in the browser’s cache during the session, such as Web pages, cookies, and also application-specific cached files that are stored in the application’s temporary folder. The Endpoint Session Cleanup component also deletes items that are saved in the browser’s offline folder. These include files that were opened from within the browser for editing by an external application, such as an Office application (for example, a document that was opened via the browser for editing in Microsoft Office Word). The offline folder is cleaned only when all Forefront UAG sessions on the client endpoint end. Only items that were written to the offline folder after the Endpoint Session Cleanup component was first activated during the initial login, are deleted.
- Non-Web protocol tunneling - When providing access to non-Web applications over an SSL connection, the application traffic is encapsulated in SSL at the client endpoint and tunneled to the Forefront UAG SSL VPN gateway. UAG terminates the SSL connection, decrypts the traffic, and forwards the payload to the application server in the internal network; unless the application protocol itself is encrypted, the traffic between UAG and the application server is therefore in the clear. The Forefront UAG Socket Forwarding component add-on, which is based on Winsock Layered Service Provider (LSP) and namespace provider (NSP) technologies, can be used to support a wider variety of applications, such as applications that jump ports, without changes to the running operating system. The Forefront UAG SSL Network Tunneling component (Network Connector) can be used to provide full VPN access to the corporate network.
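The two preconditions for Endpoint Detection described above (a server certificate the endpoint trusts, and the site being in the Trusted Sites list) can be checked from the endpoint before the components are ever downloaded. The following script is an added example, not part of Forefront UAG or its documentation. It assumes a hypothetical portal host name (portal.contoso.com), Windows PowerShell 3.0 or later, and that it is run as the user who will open the portal, because Internet Explorer keeps that user's zone assignments under HKCU.

```powershell
# Added pre-flight check for the Endpoint Detection prerequisites described above.
# Example code, not part of Forefront UAG. The portal FQDN is hypothetical.
param(
    [string]$UagHost = 'portal.contoso.com',   # hypothetical UAG portal FQDN
    [int]$Port = 443
)

# Internet Explorer stores zone assignments under ZoneMap\Domains\<domain>[\<host>]
# as a DWORD named after the scheme ('https') or '*'. Zone 2 is Trusted Sites.
# When the "Security Zones: Use only machine settings" policy is enabled, HKLM
# applies instead of HKCU, so both hives are consulted.
function Test-UagTrustedSite {
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2) { return $false }
    $domain = $labels[-2..-1] -join '.'                      # e.g. contoso.com
    $keys = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
        $keys += $base                                        # entry for *.contoso.com
        if ($labels.Count -gt 2) {
            $keys += Join-Path $base ($labels[0..($labels.Count - 3)] -join '.')  # entry for portal.contoso.com
        }
    }
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'https', '*') {
            $p = $props.PSObject.Properties[$name]
            if ($p -and [int]$p.Value -eq 2) { return $true }
        }
    }
    return $false
}

# Opens a TLS connection to the site and records how the Windows TLS stack judged
# the server certificate (untrusted chain, name mismatch, ...). The callback returns
# $true so the handshake completes and the certificate can still be reported when
# validation fails; the errors are captured in $state, not ignored.
function Get-UagServerCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = {
        param($sender, $certificate, $chain, $errors)
        $state.Errors = $errors
        return $true
    }.GetNewClosure()
    $validator = [System.Net.Security.RemoteCertificateValidationCallback]$callback
    $client = New-Object -TypeName System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    $ssl = $null
    try {
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $validator
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            PolicyErrors = $state.Errors
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

$trusted = Test-UagTrustedSite -HostName $UagHost
$server  = Get-UagServerCertificate -HostName $UagHost -Port $Port

"Site in Trusted Sites zone : $trusted"
"Server certificate subject : $($server.Subject)"
"Issuer                     : $($server.Issuer)"
"Expires                    : $($server.NotAfter)"
"Validation result          : $($server.PolicyErrors)"

# Either failure means Endpoint Detection will not run for this site.
if (-not $trusted -or $server.PolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
    Write-Warning "Endpoint Detection prerequisites are not met for $UagHost"
    exit 1
}
```

Run it as the end user on the endpoint (`.\Test-UagPrereqs.ps1 -UagHost portal.contoso.com`); a non-zero exit with the warning means the portal would be reached, but detection, and therefore policy-based access, would not happen for that user.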
UAG endpoint components are not required for the following scenarios:
- Publishing - Publishing Web applications via UAG, including Exchange services and RDS, does not require UAG endpoint components.
- Authentication - Authenticating end-users does not require UAG endpoint components.
How do UAG endpoint components get installed?
There are a number of limitations for endpoint component installation. For a full list of endpoint requirements see http://technet.microsoft.com/en-us/library/dd903055.aspx.
There are three options for installing Forefront UAG client endpoint components:
- On demand when an endpoint accesses a UAG portal (online installation) - This is useful when a number of different applications and resources are published through the portal. As a client accesses a particular application or resource, the required endpoint components are downloaded and installed. Online installation mode is suitable for end-users who have ActiveX download rights in Windows Internet Explorer and are logged in with administrator privileges. In this mode, as soon as users try to access the site, before logging in, Forefront UAG downloads the Component Manager to their endpoints. After the Component Manager is installed on the client endpoint, it determines which remaining components are needed each time the user accesses the site, and installs them. By default, the Endpoint Session Cleanup component, the Client Trace utility, and the Endpoint Detection component are installed automatically on endpoints.
- Using an offline browser installation - This deployment method uses the Client Components Installer and is useful for end-users who do not have ActiveX download rights in Windows Internet Explorer, and are logged in with administrator privileges. It can also be used on browsers other than Internet Explorer, by end-users who are logged in with administrator privileges, to install the SSL Network Tunneling (Network Connector) component.
- Using an offline installation file - This method installs the client endpoint components using a download file, and is used for end-users who do not have ActiveX download rights on Windows Internet Explorer and are non-privileged (guest/user) users. In this setup, the administrator must log in to the endpoint computer by using power-user or Administrator privileges, and install the components before the user accesses the site.
Where can I get more information?
- Endpoint Component Design Guide on TechNet - http://technet.microsoft.com/en-us/library/dd857326.aspx
- Endpoint Component Deployment Guide on TechNet - http://technet.microsoft.com/en-us/library/dd857277.aspx
- Endpoint Component Design and Deployment Guides as a download - http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9cbbc75e-2c21-440f-b7dc-000ce4774c2b