UAG Portal access from web kiosk?

  • Question

  • When our users access the company UAG portal, the endpoint scanner is installed on the user's client. What happens if the client is locked down, such as a web kiosk device that is configured to prevent installation of anything?

    In fact, is it possible to configure a UAG trunk that has *no* endpoint scanning, and allows a vanilla IE browser to reach the credentials screen, logon, and display a published application? We have users who presently browse directly to an Outlook Web Access 2007 server, and can access email from almost any internet-connected PC, without installation of anything. I'd like to replicate this functionality under UAG.

    Peter


    Friday, June 18, 2010 2:57 PM

Answers

All replies

  • You can disable endpoint protection in the trunk settings.

    Configure Trunk > Session Tab > 'Disable component installation and activation'

    The only downside I've noticed to this since I'm not using DirectAccess or anything is that without those components, published terminal server apps revert to standard RDWeb plugins which removes some of the SSO.  If you're not running direct access or publishing remoteapps I can't see a big disadvantage to disabling these.

    Friday, June 18, 2010 3:13 PM
  • You need to define your access and application endpoint policies to take this client scenario into account...

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, June 21, 2010 9:12 AM
    Moderator
  • Disabling endpoint protection is not a recommended approach as this will prevent you from using them on any client...unless you dedicate a trunk for this purpose and understand what you are losing with the approach...

    Do you have an idea of client access scenarios you want to support?


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Monday, June 21, 2010 9:15 AM
    Moderator
  • Hi Jason,

    I don't know if it's possible but what I'd like to achieve is:

    1/ A trunk with full endpoint scanning, AD + RSA authentication. This will deliver all company applications, terminal services etc. This will work on any PC that can install the endpoint components.

    2/ A second trunk, with *no* endpoint scanning, with AD + RSA authentication. This will deliver *only* Outlook Web Access. This will work from any web browser, including locked-down kiosk type services.

    Does this make sense? (and is it possible!)

    Regards, Peter


    Thursday, June 24, 2010 10:50 AM
  • Hi Peter,

    Yep looks fine I think, each trunk will need a dedicated IP address and you will need a unique public name/certificate per trunk (unless you are using shared SAN/wildcard certs).

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, June 24, 2010 5:46 PM
    Moderator
  • Thanks Jason, since this idea now has the thumbs-up from the "UAGMeister", I'll spend some time setting it up and testing in my dev environment.

    Regards,

    Peter


    Thursday, June 24, 2010 8:37 PM
  • Not sure I warrant that, Yaniv or Ran maybe ;)

    I tried this config earlier today (as I was planning to do something similar for a customer) and it works well. I used two discrete IPs with a single wildcard certificate.

    Obviously, the trunk without endpoint components removes a lot of UAG benefits, but does offer something pretty similar to TMG web publishing in terms of transparency...

    Cheers

    JJ 


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, June 24, 2010 10:12 PM
    Moderator
  • You can go ahead and warrant Peter's design, Jason :)

    Regards

    -Ran

    • Marked as answer by Erez Benari Tuesday, June 29, 2010 8:50 PM
    Friday, June 25, 2010 6:53 AM
  • I have built and deployed this configuration now; works really well. What I have is a single NIC in the DMZ offering two trunks, on two IP addresses. The first trunk has full endpoint access controls, AD and RSA authentication, and publishes business-critical applications. The 2nd trunk enforces no endpoint components, just requires AD + RSA authentication, and publishes Outlook Web Access only.

    perfect! 

    Wednesday, June 30, 2010 7:11 AM
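As an added example (not code from this thread, from UAG, or from any of the posters), the following Python models the two-trunk design Jason signed off on and Peter deployed, and checks the three constraints the thread settles on: each trunk gets its own IP, each trunk's public name must be covered by its certificate (a shared wildcard or SAN cert is fine), and a trunk with component installation disabled should publish only the application it was dedicated to. The trunk names, the 203.0.113.x addresses, the certificate names and the allow-list of applications are constructed assumptions for the example, and the wildcard matching follows the usual "single leftmost label only" rule rather than anything UAG-specific.

```python
"""Sanity-check a two-trunk UAG design.

Constructed example: the Trunk records, host names, IPs and the
NO_ENDPOINT_ALLOWED_APPS allow-list are assumptions, not UAG data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Trunk:
    public_name: str           # FQDN users browse to
    listen_ip: str             # IP the trunk is bound to on the external NIC
    cert_names: List[str]      # DNS names (CN/SAN) on the trunk's certificate
    endpoint_components: bool  # False = 'Disable component installation and activation'
    apps: List[str]            # applications published on the trunk


# Assumption for this example: a trunk that cannot run endpoint components
# is dedicated to OWA only (the design agreed in the thread).
NO_ENDPOINT_ALLOWED_APPS = {"Outlook Web Access"}


def name_matches(cert_name: str, host: str) -> bool:
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if not cert_name.startswith("*."):
        return False
    suffix = cert_name[1:]                 # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]            # the part the '*' has to cover
    return bool(left) and "." not in left and "*" not in left


def check_trunks(trunks: List[Trunk]) -> List[str]:
    """Return a list of findings; an empty list means the design is consistent."""
    findings: List[str] = []
    ip_owner: Dict[str, str] = {}
    for t in trunks:
        # 1. Each trunk needs a dedicated IP address.
        if t.listen_ip in ip_owner:
            findings.append(
                f"{t.public_name}: shares IP {t.listen_ip} with "
                f"{ip_owner[t.listen_ip]}; each trunk needs its own IP"
            )
        else:
            ip_owner[t.listen_ip] = t.public_name
        # 2. The certificate must cover the trunk's public name.
        if not any(name_matches(n, t.public_name) for n in t.cert_names):
            findings.append(
                f"{t.public_name}: certificate names {t.cert_names} "
                f"do not cover the public name"
            )
        # 3. A trunk without endpoint components stays dedicated to the allow-list.
        if not t.endpoint_components:
            extra = sorted(set(t.apps) - NO_ENDPOINT_ALLOWED_APPS)
            if extra:
                findings.append(
                    f"{t.public_name}: endpoint components disabled but "
                    f"also publishes {extra}"
                )
    return findings


# Constructed sample: the design from the thread (two IPs, one wildcard cert).
DESIGN = [
    Trunk("portal.example.com", "203.0.113.10", ["*.example.com"], True,
          ["Outlook Web Access", "RemoteApp"]),
    Trunk("owa.example.com", "203.0.113.11", ["*.example.com"], False,
          ["Outlook Web Access"]),
]

# Constructed counter-example: shared IP, a name the wildcard cannot cover,
# and extra applications on the kiosk trunk.
BROKEN = [
    Trunk("portal.example.com", "203.0.113.10", ["*.example.com"], True,
          ["Outlook Web Access"]),
    Trunk("kiosk.owa.example.com", "203.0.113.10", ["*.example.com"], False,
          ["Outlook Web Access", "RemoteApp"]),
]

if __name__ == "__main__":
    for label, design in (("DESIGN", DESIGN), ("BROKEN", BROKEN)):
        print(label, check_trunks(design) or "OK")
```

Run stand-alone it reports the agreed design as OK and lists three findings for the broken variant. The wildcard check matters for the "shared SAN/wildcard cert" shortcut: `*.example.com` covers `owa.example.com` but not `kiosk.owa.example.com`, so a kiosk trunk under a deeper name would need its own certificate.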
  • Cool!


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, June 30, 2010 8:51 AM
    Moderator