Question about Endpoint Policies

  • Question

  • I have a UAG server set up and have Outlook Web Access published as an application. I now see two things listed under Applications: Portal and Outlook Web App. My question is which Endpoint Policy takes precedence. I see Endpoint Policy settings under both applications, and when I click on Configure Trunk Settings I see Endpoint Policy Settings there also.

    I am new to UAG and this is very confusing for me. What are the settings in each of these places for, and which ones should I configure? I also see Upload/Download tabs in the settings of the Portal and Outlook Web App applications. Again, which setting should I be looking at if I want to make changes?

    The reason for asking this is that when a user on some computers outside our network clicks an attachment, they get a message saying "According to your organizations download policy, the requested download is not allowed." They can still open the attachment as a web page.

    Wednesday, August 22, 2012 12:32 PM

Answers

  • No problem, I might be able to advise you a bit. Endpoint Policies can be somewhat confusing, but once you understand them the fun starts.

    Endpoint Policies on a UAG trunk are global. They are applied to access the UAG Portal itself, and they are always applied on top of everything that is published within a UAG trunk. For example, the Endpoint Policies linked to the UAG trunk allow you to define who has "access" to the UAG trunk and whether the user or device is considered a Certified Endpoint.

    Say your UAG trunk is reachable by a URL, for example https://uag.<yourdomain>.com, and you have Outlook Web App through a specific URL, for example https://owa.<yourdomain>.com. Whether or not you directly access owa.<yourdomain>.com, the Endpoint Policies on the trunk are applied. With the Endpoint Policies defined on the published application, such as Outlook Web App and SharePoint, you can define more specific settings. Also keep in mind that authorization can only be configured on a published application, not on a UAG trunk.

    Just an example. A UAG trunk is configured with an Authentication (Server). You cannot authorize a specific Security Group there. With the "Default Session Access" policy linked to that UAG trunk you can define, for example: if you have a local virus scanner and firewall, you can have access. And with the "Default Privileged Endpoint" policy you can define, for example: if the client computer is domain-joined and has a valid certificate, then you are considered a privileged endpoint. Next you can publish an application, allow only privileged endpoints, and authorize a certain Security Group on it.

    Does this make more sense to you?

    About the download notification they get: I think you need to look at the Endpoint Policies linked to the published Outlook Web App application. There you can define upload and download policies.


    Boudewijn Plomp, BPMi Infrastructure & Security

    • Edited by Boudewijn Plomp Thursday, August 23, 2012 2:43 PM
    • Proposed as answer by Boudewijn Plomp Thursday, August 23, 2012 2:43 PM
    • Marked as answer by jtrimme Thursday, August 23, 2012 5:32 PM
    Thursday, August 23, 2012 2:26 PM

All replies

  • Thank You, That makes sense
    Thursday, August 23, 2012 5:32 PM