© 2010-2013 MicrosoftGURU. Any redistribution or reproduction of part or all of the contents in any form is prohibited. All Rights Reserved.
How to Publish Application Specific Host Name using Pass Through Authentication in Forefront UAG 2010
To avoid the following UAG events, follow the procedure below to create a correct trunk and application in UAG 2010.
Warning 58 “The requested URL is not associated with any configured application.”
Warning 51 Invalid Method
“A request from source IP address x.x.x.x, user on trunk Trunk Name; Secure=1 for application failed because the method used PUT is not valid for requested URL”
1. Bypass Active Directory authentication to allow application specific authentication.
Open Regedit and go to HKLM\Software\WhaleCom\e-Gap\von\URLFilter
Create a 32-bit DWORD named KeepClientAuthHeader and set its value to 1.
Also make sure FullAuthPassThru value is set to 1.
2. The public host name in the trunk must be different from the public host name in the published application. The only purpose of the public host name in the trunk is to create the trunk itself; this host name will not be accessible from the external network or from the internal network. Why? Simply because without a public host name you cannot create a trunk. The public host name in the application is the real FQDN that employees and roaming users will access from the external network, which means the public IP address resolves to the application's public host name. Since the trunk public host name and the application public host name are different, when you activate this trunk and application you will receive a certificate error saying that your trunk FQDN does not match your certificate. As long as your certificate CN matches the application public host name you will be fine. If you do not want to see this error, you can use a SAN certificate that contains both the trunk public host name and the application public host name. In my case I don't mind seeing that certificate warning; my trunk and application public host names are as follows:
- Trunk Public Host Name: Mobile.mydomain.com
- Application Public Host Name: mymobile.mydomain.com
3. Correct URL Set
- Name: MobilePortal_Rule1
- Action: Accept
- URL: /.*
- Parameters: Ignore
- Methods: PUT, POST, GET
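As an added example (not code from the original article or from Forefront UAG itself), the registry change from step 1 written as a PowerShell function that reports the current value of both entries before touching them and supports a dry run. The key path and value names are those the article gives; the function name and its report format are assumptions of this example. Run it in an elevated PowerShell prompt on the UAG server and activate the configuration afterwards.

```powershell
# Added example (not from the original article): verify and set the two UAG
# URLFilter registry values that step 1 above requires for pass-through
# authentication. The key path and value names come from the article.
function Set-UagPassThruRegistry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\URLFilter'
    )

    if (-not (Test-Path $Path)) {
        throw "Registry key $Path not found. Is Forefront UAG 2010 installed on this server?"
    }

    # Both values must be a 32-bit DWORD set to 1, as the article states.
    $required = @{
        KeepClientAuthHeader = 1
        FullAuthPassThru     = 1
    }

    foreach ($name in $required.Keys) {
        $current = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name

        if ($current -eq $required[$name]) {
            # Already correct: report it and leave the value alone.
            [pscustomobject]@{ Name = $name; Before = $current; After = $current; Changed = $false }
            continue
        }

        # -WhatIf / -Confirm are honoured here, so the change can be previewed first.
        if ($PSCmdlet.ShouldProcess("$Path\$name", "Set DWORD to $($required[$name])")) {
            if ($null -eq $current) {
                New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $required[$name] | Out-Null
            } else {
                Set-ItemProperty -Path $Path -Name $name -Value $required[$name]
            }
            [pscustomobject]@{ Name = $name; Before = $current; After = $required[$name]; Changed = $true }
        }
    }
}

# Preview first, then apply and show what changed.
Set-UagPassThruRegistry -WhatIf
Set-UagPassThruRegistry | Format-Table -AutoSize
```

If one of the values already exists with a type other than REG_DWORD (for example a REG_SZ created by hand), Set-ItemProperty keeps that type; delete the entry and rerun so it is recreated as a DWORD, which is the type the article specifies.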
Use the following steps to correctly publish a third-party mobile device application hosted in Microsoft IIS within a subdirectory.
Step1: Create a Separate Trunk for this Application
- Before you begin, import the certificate into the UAG server. The certificate must be in .pfx format with its private key. Open the Microsoft Management Console (MMC), which lets you import a certificate into the IIS certificate store.
- Start Menu>Run>MMC
- To import a certificate, in the MMC window, in the left pane, under Console Root, verify that Certificates (Local Computer) > Personal is selected.
- From the Action menu, click All Tasks, and then click Import.
- Follow the instructions in the Certificate Import Wizard.
- In the Forefront UAG Management console, right-click HTTP Connections to create a trunk accessible over HTTP, or right-click HTTPS Connections to create a trunk accessible over HTTPS. Then click New Trunk.
- On the Select Trunk Type page of the Create Trunk Wizard, click Portal trunk.
- On the Setting the Trunk page of the Create Trunk Wizard, specify Trunk details. In my case I have the following:
i. Trunk Name: MobilePortal
ii. Public Host Name: Mobile.mydomain.com
iii. IP Address: Trunk IP (you must add an additional IP address in the TCP/IP properties of the UAG external NIC)
iv. Port: 443
- On the Authentication page of the Create Trunk Wizard, I am going to add my domain controller, but at a later stage I will remove it so that authentication is application specific rather than LDAP or AD; that is, I will bypass AD authentication. For now, select an authentication server that will be used to authenticate user requests for trunk sessions. Click Add to select a server, as follows:
- In the Authentication and Authorization Servers dialog box, select a server and click Select. To add a new server to the list, click Add.
- Select User selects from a server list to specify that during login to the trunk, users will be prompted to select an authentication server. If you configure one authentication server, users will authenticate to that server only. Select Show server names to allow users to select an authentication server from a list; otherwise, users must enter the server name. Select User provides credentials for each selected server to prompt users during login to authenticate to all the specified authentication servers. Select Use the same user name to specify that users must enter a single user name that will be used to authenticate to all specified servers.
- On the Certificate page of the Create Trunk Wizard (HTTPS trunks only), select the server certificate that will be used to authenticate the Forefront UAG server to the remote endpoint.
- On the Endpoint Security page of the Create Trunk Wizard, control access to trunk sessions by selecting policies that allow access, based on the health of client endpoints. Click Use Forefront UAG access policies to determine the health of endpoints using in-built Forefront UAG access policies.
- Click Finish after completing the Trunk wizard.
Step2: Advanced Trunk Configuration
- Click Configure Trunk. Click Endpoint Access Settings, Click Edit Endpoint Policies.
- In this step you allow access from mobile phones and tablets. By default, Microsoft UAG does not allow mobile phone access; you need to allow it manually. Click Edit Endpoint Access Policies, select Default Session Access, click Edit, click Other, select Always, and click OK. Repeat the step for Default Privileged Endpoint, Default Web Application Access Policy, Default Web Application Upload and Default Web Application Download.
- Click the Authentication tab and deselect Require users to authenticate at session logon. By deselecting this option, you have created pass-through authentication.
- Click the Session tab and deselect Disable component installation and Disable scripting for portal applications.
- Click the URL Set tab and scroll down to the bottom of the page. On the mobile portal rule, select PUT, POST and GET, then click OK. Adding PUT resolves the Warning 51 (Invalid Method) event listed at the top of this article.
- After completing the Create Trunk Wizard, in the Forefront UAG Management console, click the Activate configuration icon on the toolbar, and then in the Activate configuration dialog box, click Activate.
Step3: Add an Application Specific Host Name for iPhone, Android and Tablet
1. In the Forefront UAG Management console, select the portal trunk to which you want to add the application. In the main trunk properties page, in the Applications area, click Add to open the Add Application Wizard.
2. On the Select Application page, Click Web, choose the application specific host name you want to publish.
3. On the Application Setup page, specify the name and type of the application.
4. On the Endpoint Security page, select the access policies for your application. Note that not all of the policies may be available for some published applications. You must verify that Other devices are allowed in Endpoint Security (see Step 11 in creating a trunk).
5. On the Application Deployment page, specify whether you want to publish a single server or a Web farm.
6. On the Web Servers page, if you are publishing a web application, configure settings for the backend web server that you want to publish. Under Application requires paths, add / as the path; this allows any subdirectory of the application hosted on the Microsoft IIS server. In the address field, type the fully qualified domain name of the web application that will be accessible from the external network.
7. On the Connectivity Verifier Settings page, if you are publishing a Web farm, specify how the state of Web farm members should be detected.
8. On the Authentication page, deselect SSO. By deselecting this option, you have created pass through authentication.
9. On the Portal Link page, specify how the application appears in the portal home page of the trunk. If you have a subdirectory in IIS, specify the correct URL; for example, in my case the subdirectory is https://mymobile.mydomain.com/mobile/. Select Premium and Non-premium mobile portal.
10. Once done, Click Finish.
11. On the trunk, under Initial application, select Portal Home Page as MobilePortal.
Step4: Activating Trunk and Post Check.
1. On the console toolbar, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.
2. This is a simple step that most technicians skip, and they end up calling Microsoft support. You have to do this step so that the published application works: open a command prompt as an administrator and run iisreset /restart.
3. Once everything is configured correctly, you will see the following event in UAG Web Monitor > Event Viewer:
The application MobilePortal was accessed on trunk; Secure=1 with user name and session ID EDD953BD-CB79-4180-B811-F1A0F53DCB33.
Issue: Client Not Yet Synced WSUS Error
Step1: Download KB2720211 (x64) and apply it on the WSUS server using the following commands in a command prompt with administrative privileges:
- net stop wsusservice
- WSUS-KB2720211-x64.exe /q C:\MySetup.log
- net start wsusservice
Step2: Open an elevated command prompt and type the following. Details are available in KB958046.
net stop wuauserv
cd %windir%\SoftwareDistribution
ren Download Download.old
net start wuauserv
Step3: Detect and authorize the client to the WSUS server. Run the following in an elevated command prompt.
wuauclt /resetauthorization /detectnow
Before you authorize, make sure the WSUS GPO is applied to the clients with the following GPO configuration:
Computer Configuration\Administrative Templates\Windows Components\Windows Update
- Configure Automatic Updates: Enabled
- Specify intranet Microsoft update service location: Enabled
- Enable client-side targeting: Enabled
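As an added example (not code from the original article or from Microsoft), here is a PowerShell script that combines Steps 2 and 3 with the GPO check above: it reads the Windows Update policy registry keys that those three GPO settings write, and only performs the KB958046 reset (stop service, move the Download folder aside, restart, re-detect) when the intranet WSUS server is actually configured on the client. The registry locations are the standard Windows Update policy keys; the function names and the timestamped backup folder name are this example's own choices. Run it elevated on the client.

```powershell
# Added example (not from the original article): check that the WSUS GPO has
# reached this client, then perform the KB958046 reset only if it has.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Test-WsusClientPolicy {
    # Both keys are absent when no Windows Update policy has been applied.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        WUServer           = $wu.WUServer            # "Specify intranet Microsoft update service location"
        WUStatusServer     = $wu.WUStatusServer
        UseWUServer        = $au.UseWUServer         # 1 = use the intranet server above
        AUOptions          = $au.AUOptions           # "Configure Automatic Updates" (2-5)
        TargetGroupEnabled = $wu.TargetGroupEnabled  # "Enable client-side targeting"
        TargetGroup        = $wu.TargetGroup
        PolicyApplied      = $false
    }
    # Minimum for a WSUS-managed client: a server URL, UseWUServer=1, and AU configured.
    $result.PolicyApplied = [bool]$wu.WUServer -and ($au.UseWUServer -eq 1) -and ($au.AUOptions -ge 2)
    $result
}

function Reset-WsusClient {
    # Step 2: stop the Windows Update service and move the download cache aside.
    Stop-Service -Name wuauserv -Force

    $download = Join-Path $env:windir 'SoftwareDistribution\Download'
    if (Test-Path $download) {
        # KB958046 renames to Download.old; a timestamp avoids a collision on a second run.
        $backup = 'Download.old.' + (Get-Date -Format 'yyyyMMddHHmmss')
        Rename-Item -Path $download -NewName $backup
    }

    Start-Service -Name wuauserv
    # Step 3: clear the client's authorization cookie and force a detection cycle.
    & "$env:windir\System32\wuauclt.exe" /resetauthorization /detectnow
}

$policy = Test-WsusClientPolicy
$policy | Format-List
if ($policy.PolicyApplied) {
    Reset-WsusClient
} else {
    Write-Warning 'WSUS policy is not applied on this client. Run gpupdate /force (or fix the GPO) before resetting; otherwise the client will detect against Microsoft Update instead of your WSUS server.'
}
```

The policy check matters because the reset itself succeeds silently either way; without WUServer and UseWUServer the client simply re-registers with Microsoft Update and still shows as "not yet reported" in the WSUS console.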
2013-11-21 09:43:36 Config file did not contain a value “ContentDirectory”
2013-11-21 09:43:36 Microsoft.UpdateServices.Administration.CommandException: A required configuration value was not found in the system. This is usually caused by installing WSUS through PowerShell and not specifying a configuration file. Review the article Managing WSUS Using PowerShell at TechNet Library (http://go.microsoft.com/fwlink/?LinkId=235499) for more information on the recommended steps to perform WSUS installation using PowerShell.
at Microsoft.UpdateServices.Administration.PostInstall.GetConfigValue(String filename, String item)
Issue: This is a known issue on Windows Server 2012. The Microsoft WSUS team posted a workaround to resolve it.
Solution: On the WSUS server, open PowerShell and run one of the following, depending on which database you have:
Windows Internal Database:
%programfiles%\update services\tools\wsusutil.exe postinstall CONTENT_DIR=C:\Wsus
SQL Server database:
%programfiles%\update services\tools\wsusutil.exe postinstall CONTENT_DIR=C:\Wsus SQL_INSTANCE_NAME=<database server name>
Here CONTENT_DIR is the real directory where you want WSUS content to be stored, the one you pointed to during the WSUS installation; the rest is self-explanatory. Once you run it, the output is written to the logs in your temp directory (in my case C:\Users\thermomixadmin\AppData\Local\Temp), for example:
2013-11-21 09:56:46 Postinstall started
2013-11-21 09:56:46 Detected role services: Api, Database, UI, Services
2013-11-21 09:56:46 Start: LoadSettingsFromParameters
2013-11-21 09:56:46 Content local is: True
2013-11-21 09:56:46 Content directory is: E:\WSUS
2013-11-21 09:56:46 SQL instname is: SQL Server Name
2013-11-21 09:56:49 Value is E:\WSUS
2013-11-21 09:56:49 Fetching group SIDs…
2013-11-21 09:56:49 Fetching WsusAdministratorsSid from registry store
2013-11-21 09:56:49 Value is S-1-5-2
2013-11-21 10:17:41 Saving Subscription
2013-11-21 10:17:52 Creating default subscription succeeded.
2013-11-21 10:17:54 Populating Auto-Approval Rules.
2013-11-21 10:18:18 Populating Auto-Approval Rules Succeeded.
2013-11-21 10:18:23 StartServer completed successfully.
2013-11-21 10:18:23 Marking PostInstall done for UpdateServices-Services in the registry…
2013-11-21 10:18:23 Mark initialization done in database…
2013-11-21 10:18:25 End: Run
2013-11-21 10:18:25 Postinstall completed
I wrote the following articles a few weeks ago. One thing I would like to add to these articles is the patching order of Forefront UAG 2010.
You must have a base build of Windows Server 2008 R2 SP1 with all Microsoft security and critical updates. Install UAG from the source Forefront_UAG_Server_2010_64Bit_English_w_SP1 with the correct product key from the Microsoft Volume Licensing Center.
The following is the order of patching UAG before you start configuring it.
Trend Micro Worry-Free Business Security (WFBS) protects business users and assets from data theft, identity theft, risky websites, and spam (Advanced only).
Trend Micro offers the following editions:
Standard: Designed to protect clients (desktops, portable computers, and servers) on your local network. This edition includes Outbreak Defence, Firewall, and Antivirus/Anti-spyware scanning. It also comes with technical support, malware/virus pattern file downloads, real-time scanning, and program updates for one year.
Advanced: Designed to protect clients and Microsoft Exchange servers on your network. In addition to all the features in Worry-Free Business Security Standard, this edition includes Anti-spam, Content Filtering, Data Loss Prevention, and Attachment Blocking.
Worry-Free Business Security features
- Component Updates
- Device Control
- Web Reputation
- URL Filtering
- Behavior Monitoring
- User Tools
- Instant Messaging Content
- Mail Scan (POP3)
- Mail Scan (IMAP)
- Anti-Spam (IMAP)
- Email Message Content
- Email Message Data Loss Prevention
- Attachment Blocking
A Registration Key comes with your purchase of Worry-Free Business Security. It has 22 characters (including hyphens) and is in the following format: xx-xxxx-xxxxx-xxxxx-xxxxx
Use a fully licensed Registration Key to register Worry-Free Business Security on the Trend Micro website at http://olr.trendmicro.com.
At the center of Worry-Free Business Security is the Security Server. The Security Server hosts the web console, the centralized web-based management console for Worry-Free Business Security. The Security Server:
- hosts the web console
- downloads updates from the Trend Micro ActiveUpdate Server
- collects and stores logs, and helps control virus/malware outbreaks
- manages all agents from a single location
The Security Server includes a service called Scan Server, which is automatically installed during Security Server installation, so there is no need to install it separately. The Scan Server runs under the process name iCRCService.exe and appears as Trend Micro Smart Scan Service in the Microsoft Management Console. It downloads scanning-specific components from Trend Micro and uses them to scan clients.
Agents protect clients from security threats. Clients include desktops, servers, and Microsoft Exchange servers.
- Security Agent: protects desktops and servers from security threats and intrusions; protects Windows 7/Vista/XP/Server 2003/Server 2008 computers from malware/viruses, spyware/grayware, Trojans, and other threats.
- Messaging Security Agent: protects Microsoft Exchange servers from email-borne security threats.
The web console is the central point for monitoring clients throughout the corporate network. It comes with a set of default settings and values that you can configure based on your security requirements and specifications. The web console uses standard Internet technologies, such as Java, CGI, HTML, and HTTP.
WFBS uses the following ports:
- Server listening port (HTTP port): used to access the Security Server. By default, WFBS uses one of the following:
  - IIS server default website: the same port number as your HTTP server's TCP port
  - IIS server virtual website: 8059
  - Apache server: 8059
- Client listening port: a randomly generated port number through which the Security Agent and Messaging Security Agent receive commands from the Security Server.
- Trend Micro Security (for Mac) communication port: used by the Trend Micro Security (for Mac) server to communicate with Mac clients. The default is port 61617.
- SMTP port: used by the Security Server to send reports and notifications to administrators through email. The default is port 25.
- Proxy port: used for connections through a proxy server.
Security Server requirements:
- 1 vCPU, 2 GB RAM, 10 GB additional disk space
- IIS 7.5 on Windows Server 2008 R2
- Internet Explorer
- Adobe Acrobat
- Java client
- Clients that use Smart Scan must be in online mode; offline clients cannot use Smart Scan
- Administrator or Domain Administrator access on the computer hosting the Security Server
- File and Printer Sharing for Microsoft Networks installed
- Transmission Control Protocol/Internet Protocol (TCP/IP) support installed
- If Microsoft ISA Server or a proxy product is installed on the network, you need to open the HTTP port (8059 by default) and the SSL port (4343 by default) to allow access to the web console and to enable client-server communications
TrendMicro Download Location:
1. Double-click the SETUP.EXE file. The Trend Micro Installation screen appears.
2. Click Next. The License Agreement screen appears.
3. Read the license agreement. If you agree with the terms, select I accept the terms of the license agreement.
4. Click Next. The Setup Type screen appears.
5. From the Setup Type page, choose one of the following options:
- Typical install (Recommended) – This provides an easy solution for installing WFBS using Trend Micro default values. This method is suitable for a small business using a single Trend Micro Security Server and up to ten clients.
- Minimal Install
- Custom install – This provides flexibility in implementing your network security strategy. This method is suitable if you have many computers and servers or multiple Exchange servers.
6. Click Next. The Product Activation page appears. Note: If you do not have an Activation Code, you may not have registered your copy of WFBS yet. Click Register Online to open a new browser window.
7. Click Next. The Setup Overview page appears. The Setup Overview page shows the components that you need to configure in order to install the Trend Micro Security Server and the Security Agent (as well as the Messaging Security Agent [MSA] if you are using WFBS Advanced).
8. Click Next. If you selected Custom Installation, the Select Target Folder page would appear. The default WFBS install folder is C:\Program Files\Trend Micro\Security Server. If you want to install WFBS in another folder, click Browse.
9. Click Next. The Select Components page appears.
10. Select the components that you want to install. For WFBS Advanced only: The Configure Security Server page now highlights the Security Server.
- Security Server (default): The Security Server hosts the centralized web-based management console.
- Security Agent (default): The agent protects desktops and servers.
- Messaging Security Agent (optional): When installing the Security Server on a computer that has a Microsoft Exchange server installed on the same computer, Setup prompts you to install a local MSA.
- Remote Messaging Security Agent (optional):When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote MSA to remote servers.
11. Configure the Security Server. The Security Server configuration tasks consist of pre-scanning the server for malware as well as configuring the web server and the proxy server.
12. Click Next. The Computer Prescan page appears.
13. Choose whether or not to pre-scan your computer for threats by selecting one of the following options:
- Prescan my computer for threats – The prescan targets the most vulnerable areas of the computer, which include the following:
  - the boot area and boot directory (for boot sector viruses)
  - the Windows folder
  - the Program Files folder
- Do not prescan my computer for threats – Trend Micro highly recommends pre-scanning your computer for security threats to ensure that the installation goes into a clean environment. Not pre-scanning the computer could prevent a successful installation.
14. Click Next. If you selected Custom Installation, the Web Server page would appear. Select a web server to host the Security Server web console. Choose one of the following:
- Internet Information Services (IIS) server
- Apache Web server 2.0.xx
15. Click Next. The Web Server Identification page appears.
16. Choose one of the following server identification options for client-server communication:
- Server information – choose a domain name or IP address:
  - Fully Qualified Domain Name – use the web server's domain name to ensure successful client-server communications.
  - IP address – verify that the target server's IP address is correct.
17. Click Next. The Administrator Account Password page appears.
18. Specify different passwords for the Security Server web console and the Security Agent.
Note: The password field holds 1-24 characters and is case sensitive.
- Security Server web console – You will need a password to log on the web console. Provide the password and confirm the password.
- Security Agents – You will need the password to uninstall Security Agents and remove them from your computer.
19. Click Next. The SMTP Server and Notification Recipient(s) page appears.
20. Enter the required information:
- SMTP server – the IP address of your email server
- Port – the port that the SMTP server uses for communications
- Recipient(s) – the email address(es) that the SMTP server uses to send alert notifications. You can enter multiple email addresses when more than one person needs to receive notifications.
21. Click Next. The Trend Micro Smart Protection Network page appears.
22. Choose whether or not you want to participate in the Trend Micro Smart Protection Network feedback program.
23. Click Next. If you selected Custom Installation, the General Proxy Settings page would appear. The Configuring Security Agent page highlights the Security Agent.
- Proxy server type
- Server name or IP address
- User name and Password – Provide these only if the proxy server requires authentication.
24. Configure the Security Agent. The Security Agent configuration tasks consist of setting the agent installation path, configuring the agent’s server and desktop settings as well as the proxy server settings for additional services.
25. Click Next. If you selected Custom Installation, the Security Agent Installation Path page would appear.
26. Set the following items:
- Installation Path – This is the destination folder where the Security Agent files are installed.
- Security Agent Listening Port – This is the port number used for Security Agent and Security Server communications.
27. Click Next. If you selected Custom Installation, the Configuring Security Agents Settings page would appear.
28. You can configure Security Agent settings for Servers and Desktops: In each group, you can configure the following components:
- Servers – Windows Server 2003/2008 computers will be added to the default Servers group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
- Desktops – Windows XP/Vista/7 computers will be added to the default Desktops group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
- Smart Scan – Smart Scan uses a central scan server on the network to offload part of the scanning burden from clients.
- Antivirus and Anti-Spyware – This scans files for malicious code as they are accessed or created.
- Firewall – This protects clients against malware attacks and network viruses by creating a barrier between the clients and the network.
- Web Reputation – This blocks malicious websites by assessing the credibility of web domains and assigning a reputation score based on several identifying factors.
- URL Filtering – This blocks specified categories of websites (for example, pornographic sites and social networking) according to your company’s policy.
- Behavior Monitoring – This analyses program behaviour to proactively detect known and unknown threats.
- Device Control – This regulates access to external storage devices and network resources.
29. Click Next. If you selected Custom Installation, the Proxy Setting for Additional Services page would appear. The Smart Scan, Web Reputation, and Behaviour Monitoring services use the proxy server address and port used by Internet Explorer on client computers. If that proxy server requires authentication, use this page to specify logon credentials.
30. For WFBS Advanced only: Configure the MSA. You will be prompted to install the MSA at one of the following points: Note: This procedure applies to both local and remote MSA installation.
- When installing the Security Server on a computer that has Microsoft Exchange server installed on the same computer, Setup prompts you to install a local Messaging Security Agent.
- When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote Messaging Security Agent to remote servers.
31. Click Next. The Install Messaging Security Agent page appears.
32. Provide the following information:
i. Exchange Server
ii. Domain Administrator Account
33. Click Next. If you selected Custom Installation, the Messaging Security Agent Settings page would appear. Configure the following:
- Target Folder – This is the folder where the MSA files are installed.
- Temp Folder – This is the system root folder for MSA Agent installation.
- Spam management
- End User Quarantine – If selected, WFBS creates a separate spam folder on Microsoft Outlook in addition to the Junk E-mail folder.
- Outlook Junk Email folder – If selected, WFBS stores spam mail into this folder. Since Outlook typically moves spam mail in the End User Quarantine (EUQ) folder to the Junk E-mail folder, Trend Micro recommends to select this option.
35. Proceed with the installation process. The Start Copying Files page shows a summary of all the parameters that will be used during the installation of WFBS. Do one of the following:
- If you wish to verify previous installation settings, click Back.
- Click Next to proceed with the actual installation.
The Install Third Party Components page appears. This page informs you which third party components will be installed.
36. Click Next to start installing the selected components. The entire installation process may take some time to complete. During the installation, a status page will show the progress being made. When the Setup Wizard Complete screen appears, click Finish.
Installing the Client/Server Security Agent (CSA) or Security Agent (SA) using Remote Install
1. Log on to the WFBS console.
2. Click Security Settings > Add. The Add Computer page appears.
3. Under the Computer Type section, choose Desktop or Server.
4. Under the Method section, choose Remote install.
5. Click Next. The Remote Install page appears.
6. From the Groups and Computers list, select the computer on which you will install the CSA and click Add. A prompt for a username and password appears. Note: You need an account with administrator rights for the installation.
7. Type the username and password of an account with administrator rights, and click Login. For domain computers, use the Domain_Name\Username format; for workgroup computers, use the Target_Computer_Name\Local_Administrator_User_Name format. The computer is added to the Selected Computers list.
8. Repeat Steps 6-7 if you want to add more computers to the list.
9. Click Install, and then click Yes when the confirmation window appears. A progress screen shows the installation status, and the computer names will have a green check mark when the installation is complete.
Installing Agent for Exchange Server
The Messaging Security Agent (MSA) can also be installed from the Web Console.
1. Log on to the Web Console.
2. Click the Security Settings tab, and then click the Add button.
3. Under the Computer Type section, click Microsoft Exchange server.
4. Under Microsoft Exchange Server Information, type the following information:
- Server name: The name of the Microsoft Exchange server on which you want to install MSA.
- Account: The built-in domain administrator user name.
- Password: The built-in domain administrator password.
5. Click Next. The Microsoft Exchange Server Settings screen appears.
6. Under Web Server Type, select the type of web server that you want to install on the Microsoft Exchange server. You can select either IIS Server or Apache Server.
7. For the Spam Management Type, End User Quarantine will be used.
8. Under Directories, change or accept the default target and shared directories for the MSA installation. The default target and shared directories are C:\Program Files\Trend Micro\Messaging Security Agent and C$, respectively.
9. Click Next. The Microsoft Exchange Server Settings screen appears again.
10. Verify that the Microsoft Exchange server settings that you specified in the previous screens are correct, and then click Next to start the MSA installation.
11. To view the status of the MSA installation, click the Live Status tab.
Configure Smart Host for Outbound Email
1. Open the Exchange Management Console.
2. Click on the plus sign (+) next to Organization Configuration.
3. Select Hub Transport and click the Send Connectors tab.
4. Right-click the existing Send Connector then select Properties and go to the Network tab.
5. Select Route mail through the following smart hosts and click Add.
6. Select Fully Qualified Domain Name (FQDN) and specify the HES relay servers:
- HES US / Other Regions Relay Record: relay.sjc.mx.trendmicro.com
- HES Europe, Middle East, and Africa (EMEA) Relay Record: relay.mx.trendmicro.eu
7. Click OK.
8. Go to the Address Space tab and click Add.
9. Add an asterisk (*) and then click OK.
10. Click Apply > OK.
11. Go to the Source Server tab and add your Exchange Server.
12. Click Apply > OK.
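As an added example (not code from the original article or from Trend Micro), the same Send Connector change made from the Exchange Management Shell on Exchange 2010 rather than through the console, with a post-check of the settings that matter for outbound routing. The two relay host names are the HES records from the article; the connector name 'Internet Send Connector' and the source transport server name 'EX01' are placeholders that you replace with your own.

```powershell
# Added example (not from the original article): route outbound mail through
# the HES smart host from the Exchange Management Shell (Exchange 2010).
$HesRelay = @{
    US   = 'relay.sjc.mx.trendmicro.com'   # HES US / other regions relay record
    EMEA = 'relay.mx.trendmicro.eu'        # HES EMEA relay record
}

function Set-HesSmartHost {
    param(
        [Parameter(Mandatory = $true)][string]$ConnectorName,   # existing Send Connector (step 4)
        [ValidateSet('US', 'EMEA')][string]$Region = 'US',
        [string[]]$SourceServers = @('EX01')                    # assumed source transport server (step 11)
    )

    # Fail early if the connector does not exist rather than creating a second one by accident.
    $connector = Get-SendConnector -Identity $ConnectorName -ErrorAction Stop

    $settings = @{
        Identity               = $connector.Identity
        DNSRoutingEnabled      = $false             # steps 5-6: smart host instead of MX lookup
        SmartHosts             = $HesRelay[$Region]
        AddressSpaces          = 'SMTP:*;1'         # steps 8-9: asterisk address space, cost 1
        SourceTransportServers = $SourceServers     # step 11
    }
    Set-SendConnector @settings

    # Post-check: these are the values to compare against the console after step 12.
    Get-SendConnector -Identity $connector.Identity |
        Select-Object Name, Enabled, DNSRoutingEnabled, SmartHosts, AddressSpaces, SourceTransportServers
}

Set-HesSmartHost -ConnectorName 'Internet Send Connector' -Region 'US' | Format-List
```

Setting DNSRoutingEnabled to $false is what the "Route mail through the following smart hosts" radio button does in the console; if the region is wrong the connector still activates, so check the SmartHosts value in the post-check output against the relay record for your location.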
Before you begin the next step, make sure you have a valid public DNS and MX record configured and reachable via ping or nslookup. To find your MX record, run nslookup as shown below, or contact your ISP.
nslookup
> set type=mx
> domainname.com.au
domainname.com.au MX preference = 20, mail exchanger = mx1.domainname.net.au
domainname.com.au MX preference = 10, mail exchanger = mail.domainname.com.au
mx1.domainname.net.au internet address = 203.161.x.x
mail.domainname.com.au internet address = 116.212.x.x
ping domainname.com.au
Pinging domainname.com.au [203.161.x.x] with 32 bytes of data:
Registered Hosted Email Security
Firstly you'll need to have registered with Trend Micro Online at https://olr.trendmicro.com/registration/.
Create service account (See upcoming post on creating a secure services account)
- Open ActiveDirectory Users and Computers
- Create a user sa-TrendMicroHE with password never expires
Open Hosted Email Security Web console
- Visit the link that applies to your location
- Log in with the details you set up in the online registration earlier, and don't forget to tick Log on with Trend Micro Online Registration user name and password
Register Your Domains with Trend Micro
1. Go to the Trend Micro Online Registration portal.
2. Create a new OLR account.
a. Under the “Not registered” section, select your country and language from the dropdown list, then click Continue.
b. Enter your HES Registration Key.
c. If you have other Trend Micro products or services you want to register, enter their Registration Keys and click Continue. Otherwise, click No. The License Terms page appears.
d. Select I Accept, then click Submit.
e. Complete the registration information form.
f. Specify your OLR logon ID.
Note: The OLR logon ID will also serve as your HES portal login ID.
g. The next page will show your HES Activation Code (AC). This means that you have successfully registered HES. You will receive an email copy containing your Activation Code, username and temporary password.
3. Using the provided OLR username and password, log on to the HES console:
Note: Make sure that the Log on with Trend Micro Online Registration user name and password checkbox is ticked.
4. Enter your domain and IP information, then click Add Domain.
5. Once your managed domain list is complete, tick the checkbox beside your managed domain and click Submit.
6. Wait for your confirmation email. This will take 48 hours at most. The confirmation email will guide you through the final steps needed before starting the service.
Navigate to Administration > Domain Management
- All the fields are pretty much self-explanatory, except for Seats assigned: 1 (no need to use more)
- Click Activate Domain
- You would think that would be it, but it returns to the domain list below; there you need to tick the checkbox of the domain and then click Check MX Record
Download the ActiveDirectory Sync Client
- Navigate to Administration > Directory Management
- Click Imported User Directories so it becomes Enabled with a green tick
- Navigate to Administration > Web Services
- Click on the Applications bar so it gets a green tick as above
- Click on Generate Service Authentication Key, copy this key for use later in the setup
- Click and download the ActiveDirectory Sync Client
Install the ActiveDirectory Sync Client
1. Extract the ActiveDirectory Sync Client file and run setup.exe
2. Accept the license agreement and click Next through the usual screens
3. Then you'll need your DOMAIN; the user will be the sa-TrendMicroHE account we created earlier, along with its password.
4. Click Next
5. Leave installation path as is, and change to install for Everyone
6. Click Next
7. Click Next
8. Click Close when finish
9. The ActiveDirectory Sync Client will then open
10. For the source paths you'll need to enter the LDAP source paths on your server where users and groups are located. To get you started, some defaults are listed below (don't forget to change <yourdomain> to your own domain)
11. Click Add
LDAP://OU=Distribution Groups, OU=companyname,DC=<yourdomain>,DC=com
12. Click Add
13. Click Configure
- Username: as per web login
- Service Auth Key: as the key we copied earlier from the web console under Administration> Web Services
- Proxy: leave as automatic unless your network requires otherwise
- Synchronize: leave at 1
14. Click OK
15. Click Apply
16. This will restart the service
1. Open C:\Program Files (x86)\Trend Micro\Hosted Email Security ActiveDirectory Sync Client\IMHS_AD_ACL.config in Notepad
2. The installed config file looks like this:
<?xml version="1.0" encoding="utf-8"?>
3. Change it to this (this allows it to add groups and public folders):
<?xml version="1.0" encoding="utf-8"?>
4. Save this (you'll need to save to the desktop and then move it back over the original file, otherwise you will get Access Denied) and return to the ActiveDirectory Sync Client
5. Click Sync Now
6. Give it a few moments then click History
7. Here you should see the number of groups and users you expect. Check that the times match when you pressed Sync Now. It should finish with Sync domain <yourdomain.com> successful
8. Click Close
9. Click Close
Post Configuration Check
- open the Hosted Email Security Console
- Navigate to Administration > Directory Management
- Click the Export to CSV for the domain you’re wanting to check
- This will generate a CSV file, which you can use notepad to check that all your email addresses have synced
For most SMB customers, the nodes of the cluster that reside at the primary data center provide access to the clustered service or application, with failover occurring only between those clustered nodes. For an enterprise customer, however, failure of a business-critical application is not an option. In this case, disaster recovery and high availability are bound together so that when both (or all) nodes at the primary site are lost, the nodes at the secondary site begin providing service automatically, or with minimal intervention.
The maximum availability of any service or application depends on how you design the platform that hosts it. It is important to follow best practices in compute, network and storage infrastructure to maximize uptime and maintain the SLA.
The following diagram shows a multi-site failover cluster that uses four nodes and supports a clustered service or application.
The following rack diagram shows the identical compute, storage and networking infrastructure in both sites.
- Primary and Secondary sites are connected via 2x10Gbps dark fibre
- Storage vendor specific replication software such as EMC recovery point
- Storage must have redundant storage processor
- There must be redundant Switches for networking and storage
- Each server must be connected to redundant switches with redundant NIC for each purpose
- Each Hyper-v server must have minimum dual Host Bus Adapter (HBA) port connected to redundant MDS switches
- Each network must be connected to dual NIC from server to switches
- Only iLO/DRAC will have a single connection
- Each site must have redundant power supply.
Since I am talking about highly available and redundant systems design, this sort of design must consist of replicated or clustered storage presented to the multi-site Hyper-V cluster nodes. Replication of data between sites is very important in a multi-site cluster, and is accomplished in different ways by different hardware vendors. You will achieve higher performance through hardware (block-level) replication than through software replication. You should contact your storage vendor to come up with solutions that provide replicated or clustered storage.
A multi-site cluster running Windows Server 2008 can contain nodes that are in different subnets; however, as a best practice, you must configure the Hyper-V cluster nodes in the same subnet. Your applications and services can reside in separate subnets. To avoid any conflict, you should use a dark fibre connection or an MPLS network between the sites that allows VLANs.
Note that you must configure Hyper-v with static IP. In a multi-site cluster, you might want to tune the “heartbeat” settings, see http://go.microsoft.com/fwlink/?LinkId=130588 for details.
Network Configuration Spreadsheet: NICs and switch port speeds (separate from Hyper-V)
Note that iSCSI network is only required if you are using IP Storage instead of Fibre Channel (FC) storage.
Cluster Selection: Node and File Share Majority (For Cluster with Special Configurations)
Quorum Selection: Since you will be configuring Node and File Share Majority cluster, you will have the option to place quorum files to shared folder. Where do you place this shared folder? Since we are talking about fully redundant and highly available Hyper-v Cluster, we have several options to place quorum shared folder.
Option 1: Secondary Site
Option 2: Third Site
Visit http://technet.microsoft.com/en-us/library/cc770620%28WS.10%29.aspx for more details on quorum.
Visit http://www.starwindsoftware.com/images/content/technical_papers/StarWind_HA_Hyper-V_6.0.pdf , http://docs.us.sios.com/ and http://us.sios.com/wp-content/uploads/sios-datakeeper-replication-multi-site-clustering-windows-servers-enterprise.pdf for clustered storage configuration for Hyper-v.
Hyper-v Cluster Configuration:
Visit http://microsoftguru.com.au/2013/06/04/windows-server-2012-failover-clustering-deep-dive/ for detailed cluster configuration guide.
If you have a Common Name certificate or a Subject Alternative Name certificate on Exchange webmail or another website, and you would like to change it to a wildcard certificate to consolidate certificate use across a wide variety of infrastructure and save money, you can do so safely with minor downtime and little or no loss of productivity.
Microsoft accepts certificates from the certified SSL providers recorded at http://support.microsoft.com/kb/929395/en-us
Here are guidelines on how to accomplish this objective.
Step1: Check Current Exchange SSL Certificate
Open Exchange Management Shell and Issue Get-ExchangeCertificate Command. Record the information for future reference.
Step2: Record Proposed Exchange SSL Wildcard Certificate
- Common Name: *.yourdomain.com.au
- SAN: N/A
- Organisation: Your Company
- Department: ICT
- City: Perth
- State: WA
- Country: Australia
- Key Size: 2048
Step3: Generate a wildcard certificate request
You can use https://www.digicert.com/easy-csr/exchange2007.htm to generate a certificate command for exchange server.
New-ExchangeCertificate -GenerateRequest -Path c:\star_your_company.csr -KeySize 2048 -SubjectName "c=AU, s=Western Australia, l=Perth, o=Your Company, ou=ICT, cn=*.yourdomain.com.au" -PrivateKeyExportable $True
Step4: Sign the certificate request and download SSL certificate in PKCS#7 format
For more information, you can go to help file of your certificate provider. But for example I am using rapidSSL. Reference https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO14293&actp=search&viewlocale=en_US&searchid=1380764656808
2. Provide the common name, the technical contact e-mail address associated with the SSL order, and the image number generated from the Geotrust User Authentication page.
3. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address specified above.
4. Click on the link listed in the e-mail to enter the User Portal. Click View Certificate Information. Select the appropriate PKCS#7 or X.509 format from the drop-down menu depending on the server requirements. NOTE: Microsoft IIS users select PKCS#7 format and save the file with a .p7b extension.
5. Save the certificate locally and install per the server software.
Step5: Locate and Disable the Existing CA certificate
Now this step is a disruptive step for webmail. You must do it after hours.
1. Create a Certificate Snap-In in Microsoft Management Console (MMC) by following the steps from this link: SO14292
2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.
3. Locate the following certificate in the MMC: If this certificate is present, it must be disabled. Right-click the certificate and select Properties.
4. In the Certificate purposes section, select Disable all purposes for this certificate.
5. Click OK to close the MMC without saving the console settings.
Step6: Install Certificate
To install an SSL certificate onto Microsoft Exchange, you will need to use the Exchange Management Shell (EMS). Microsoft reference http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx
1. Copy the SSL certificate file, for example newcert.p7b and save it to C:\ on your Exchange server.
2. Run the Import-ExchangeCertificate and Enable-ExchangeCertificate commands together. For Example
Import-ExchangeCertificate -Path C:\newcert.p7b | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
3. Verify that your certificate is enabled by running the Get-ExchangeCertificate command.
For Example Get-ExchangeCertificate -DomainName yourdomain.com.au
4. In the Services column, the letters S, I, P and W stand for SMTP, IMAP, POP3 and Web (IIS). If your certificate isn't properly enabled, you can re-run the Enable-ExchangeCertificate command, pasting the thumbprint of your certificate as the -ThumbPrint argument, such as: Enable-ExchangeCertificate -ThumbPrint [paste] -Services "IIS"
Step7: Configure Outlook settings
Microsoft reference http://technet.microsoft.com/en-us/library/cc535023(v=exchg.80).aspx
If you are using Exchange 2007, use the Exchange Management Shell to configure the Autodiscover settings with the Set-OutlookProvider cmdlet:
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.yourdomain.com.au
To change Outlook 2007 connection settings to resolve a certificate error
1. In Outlook 2007, on the Tools menu, click Account Settings.
2. Select your e-mail address listed under Name, and then click Change.
3. Click More Settings. On the Connection tab, click Exchange Proxy Settings.
4. Select the Connect using SSL only check box.
5. Select the Only connect to proxy servers that have this principal name in their certificate: check box, and then, in the box that follows, enter msstd:*.yourdomain.com.au.
6. Click OK, and then click OK again.
7. Click Next. Click Finish. Click Close.
8. The new setting will take effect after you exit Outlook and open it again.
Step8: Export Certificate from Exchange in .pfx format
The following Step 8 to Step 10 are for Forefront TMG 2010 configuration only. If you are using a different method to publish Exchange, you don't need to follow these steps; use the help file of your firewall/edge product to configure SSL.
Open Exchange Management Shell, run
Export-ExchangeCertificate -Thumbprint D6AF8C39D409B015A273571AE4AD8F48769C61DB -BinaryEncoded:$true -Path c:\certificates\export.pfx -Password:(Get-Credential).password
Step9: Import certificate in TMG 2010
1. Click Start, select Run and type mmc
2. Click on the File menu and select Add/Remove Snap-in
3. Click Add, select Certificates from the list of standalone snap-ins and click Add
4. Choose Computer Account and click Next
5. Choose Local Computer and click Finish
6. Close the window and click OK in the upper window
7. Go to Personal, then Certificates
8. Right-click, choose All Tasks, then Import
9. A wizard opens. Select the file holding the certificate you want to import.
10. Then accept the default choices
11. Make sure your certificate appears in the list and that the intermediate and root certificates are in their respective folders. If not, place them in the appropriate folder and replace existing certificates if needed.
Step10: Replace Certificate in Web Listener
1. Click Start, and then click Forefront Threat Management Gateway console. The Forefront TMG console starts.
2. In the console tree, expand the name of your Security Server, and then click Firewall Policy.
3. In the results pane, double-click Remote Web Workplace Publishing Rule.
4. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.
5. Select External Web Listener from the list, and then click Properties.
6. In External Web Listener Properties, click the Certificates tab.
7. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.
8. In the Select Certificate dialog box, click a certificate in the list of available certificates, and then click Select. Click OK twice to close the Properties dialog boxes.
9. To save changes and update the configuration, in the results pane, click Apply.
Step11: Test OWA from external and internal network
On the mobile phone, open browser, type webmail.yourdomain.com.au and log in using credential.
Make sure no certificate warning shows on IE.
Use the RapidSSL Installation Checker https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO9556 to verify your certificate.
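As an added check for Step 11 (example code, not from the original post), the following PowerShell connects to the published webmail host, reads the certificate the edge actually presents, and reports whether the name matches (including wildcard rules), whether it has expired, and whether the local machine can build a trusted chain. The host name webmail.yourdomain.com.au is the page's placeholder; the SAN parsing assumes an English-locale "DNS Name=" label.

```powershell
# Added example: inspect the certificate served on a published HTTPS name.
function Test-PublishedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)
    # Accept whatever is presented here; the chain is evaluated explicitly below so the
    # failure reason can be reported instead of an exception being thrown.
    $noValidation = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noValidation)
    try {
        $ssl.AuthenticateAsClient($HostName)   # targetHost is also sent as SNI
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose(); $client.Close()
    }

    # Every name the certificate is valid for: the CN plus any SAN DNS entries (OID 2.5.29.17)
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } | ForEach-Object { $_.Substring(9) }
    }

    # Chain validation uses the trust store of the machine running the script
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Host        = $HostName
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        Names       = $names -join ';'
        NameMatches = Test-CertificateName -HostName $HostName -CertNames $names
        Expired     = $cert.NotAfter -lt (Get-Date)
        ChainValid  = $chainOk
        ChainStatus = $chainStatus
    }
}

# Wildcard matching as browsers apply it: *.yourdomain.com.au matches
# webmail.yourdomain.com.au but not yourdomain.com.au or a.b.yourdomain.com.au.
function Test-CertificateName {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                                   # ".yourdomain.com.au"
            if ($HostName.EndsWith($suffix, 'OrdinalIgnoreCase') -and
                $HostName.Split('.').Length -eq $name.Split('.').Length) { return $true }
        }
    }
    return $false
}

Test-PublishedCertificate -HostName 'webmail.yourdomain.com.au' | Format-List
```

Run it from outside the network as well as inside: a certificate warning on the phone in Step 11 corresponds to NameMatches, Expired or ChainValid reporting a problem here.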
The following features are available for external access through a UAG reverse proxy:
- Enabling external users to download meeting content for your meetings.
- Enabling external users to expand distribution groups.
- Enabling remote users to download files from the Address Book service.
- Accessing the Microsoft Lync Web App client.
- Accessing the Dial-in Conferencing Settings webpage.
- Accessing the Location Information service.
- Enabling external devices to connect to Device Update web service and obtain updates.
- Enabling mobile applications to automatically discover mobility URLs from the Internet.
- Lync Frontend, Lync Director and Lync Edge are configured and optional for internal users
- Lync External Access Topology is published using Topology Builder
- Lync Server is configured for External user Access
- UAG server installed and initial configuration is completed
- All service packs and hotfixes are installed on UAG and Lync Server.
Forefront UAG and Lync Edge must each be assigned two NICs: an external network adapter and an internal network adapter.
The reverse proxy must be able to resolve the internal Director and next hop pool FQDNs used in the web publishing rules to IP addresses. As with the Edge Servers, for security reasons, we recommend that you do not have Edge Servers access a DNS server located in the internal network. This means you either need DNS servers in the perimeter, or you need HOSTS file entries on the reverse proxy that resolve each of these FQDNs to the internal IP address of the servers.
| DNS Name | Record Type | IP address | Purpose |
|---|---|---|---|
| sip.xman.com.au | HOST (A) | Internal IP | SIP domain |
| _sip._tls.xman.com.au | SRV record, port 5061 | Internal IP | Used for Edge deployment separate to UAG |
| meet.xman.com.au | HOST (A) | Internal IP | Meeting |
| dialin.xman.com.au | HOST (A) | Internal IP | Dial-in |
| discover.xman.com.au | HOST (A) | Internal IP | Discover |
| webext.xman.com.au | HOST (A) | Internal IP | Common external Lync access |
| UAGSRV.xman.com.au | HOST (A) | Internal IP | UAG server internal DNS |
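To check the resolution requirement above on the UAG server itself, here is an added PowerShell example (not from the original post) that resolves each FQDN from the table the way the operating system does (HOSTS file first, then DNS), reports whether the answer came from the HOSTS file, and flags names that resolve to a public address, which would send the proxy out to its own external name. The internal IP addresses in the table are constructed sample values.

```powershell
# Added example: verify that the reverse proxy resolves the Lync names internally.
$ExpectedInternal = @{                       # constructed sample internal addresses
    'sip.xman.com.au'      = '10.10.1.20'
    'meet.xman.com.au'     = '10.10.1.20'
    'dialin.xman.com.au'   = '10.10.1.20'
    'discover.xman.com.au' = '10.10.1.20'
    'webext.xman.com.au'   = '10.10.1.20'
    'UAGSRV.xman.com.au'   = '10.10.1.5'
}

function Get-HostsFileEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $entries = @{}
    foreach ($raw in Get-Content -Path $Path -ErrorAction Stop) {
        $line = ($raw -split '#')[0].Trim()          # drop comments and blank lines
        if (-not $line) { continue }
        $parts = $line -split '\s+'                  # "<ip> <name> [<alias> ...]"
        foreach ($name in ($parts | Select-Object -Skip 1)) { $entries[$name.ToLower()] = $parts[0] }
    }
    return $entries
}

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges only; anything else is a public address
    return ($Address -match '^10\.') -or ($Address -match '^192\.168\.') -or
           ($Address -match '^172\.(1[6-9]|2\d|3[01])\.')
}

function Test-LyncProxyResolution {
    param([hashtable]$Expected, [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")
    $hosts = Get-HostsFileEntries -Path $HostsPath
    foreach ($fqdn in ($Expected.Keys | Sort-Object)) {
        try {
            # GetHostAddresses honours the HOSTS file before querying DNS, like the proxy itself
            $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                Select-Object -First 1 -ExpandProperty IPAddressToString
        } catch { $resolved = $null }
        $status = if (-not $resolved)                      { 'NOT RESOLVED' }
                  elseif (-not (Test-PrivateIPv4 $resolved)) { 'PUBLIC IP (would loop back out)' }
                  elseif ($resolved -ne $Expected[$fqdn])  { 'UNEXPECTED IP' }
                  else                                     { 'OK' }
        [pscustomobject]@{
            FQDN       = $fqdn
            Expected   = $Expected[$fqdn]
            ResolvedTo = $resolved
            FromHosts  = $hosts.ContainsKey($fqdn.ToLower())
            Status     = $status
        }
    }
}

Test-LyncProxyResolution -Expected $ExpectedInternal | Format-Table -AutoSize
```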
To create the public DNS records, ask your ISP to route these public FQDNs to your premises, i.e. to the external NIC of the UAG server if there is no front-end firewall, or to your external router if UAG is behind a front-end router and placed in the perimeter.
| DNS Name | Record Type | IP address | Purpose |
|---|---|---|---|
| webext.xman.com.au | HOST (A) | Publicly routable UAG external NIC IP (should resolve to the Front End/Edge or Director) | Lync external access |
| LyncUAG.xman.com.au | HOST (A) | Publicly routable UAG external IP address | UAG external FQDN |
| sip.xman.com.au | HOST (A) | Publicly routable Lync Edge external NIC IP, separate to UAG | Lync external SIP domain |
| | CNAME | Used for Lync Edge deployment separate to UAG | CNAME of external SIP domain |
| Common Name | Subject alternative name | Purpose | Issuer |
|---|---|---|---|
| webext.xman.com.au | webext.xman.com.au | Pool FQDN | Public CA |
| | meet.xman.com.au | Meeting simple URL | |
| | dialin.xman.com.au | Dial-in simple URL | |
| | discover.xman.com.au | External Autodiscover Service URL | |
This topic describes the required NAT behaviour of a UAG deployment if the UAG server is placed behind a front-end firewall.
| NAT Rule | Source IP | Public IP | NATed Destination | Port |
|---|---|---|---|---|
| 1 | Any | Public IP of Lync web | UAG External NIC IP | 4443, 3478 |
| 2 | Edge External NIC | - | Internet/Extranet | 3478 |
| 3 | Internal Network | - | UAG Internal NIC IP | 4443, 3478 |
Create a Lync Trunk
1. Start ForeFront UAG.
2. Right-Click HTTPS Connection and select New Trunk
3. Name the Trunk and enter the public hostname and IP address (this should match the DNS record created, i.e. LyncUAG.xman.com.au; this name should be different to the external name of the Lync Front End Pool). Click Next.
4. Select the Authentication Server for your domain by clicking Add. Click Next.
5. Select the Public Certificate you have obtained. Click Next.
6. Select the default option of Use Forefront UAG access policies. Click Next.
7. Select the Default Endpoint Policies. Click Next.
8. Click Finish.
1. Select the trunk created above.
2. Click Add under Applications.
3. Click Next
4. Select Microsoft Lync Web App 2010 under Web. Click Next.
5. Enter a name for the application (i.e. LyncWeb). Click Next.
6. Leave the Endpoint Policies as default. Click Next.
7. Click Next.
8. Enter webext.xman.com.au under Addresses. This should resolve to the Front Edge (or Director) Server from the UAG server. This should also match the name that External Access URL is set in the Lync Topology. Enter the same public host name. Click Next.
9. Uncheck Use SSO. Click Next.
10. Remove “dialin” from Application URL. Click Next.
11. Click Finish.
1. In the same Trunk click Add under Applications.
2. Select Microsoft Lync Web App 2010. Click Next.
3. Enter a name for the application (i.e. LyncDiscovery). Click Next.
4. Click Next.
5. Enter webext.xman.com.au as the IP/Host and Discover as the public hostname. Click Next.
6. Uncheck Use SSO. Click Next.
7. Remove “dialin” from the application URL and click Next.
8. Click Next
9. Click Finish.
The wizard will create two additional entries for meet and dialin for the LyncDiscover application. Remove them by selecting each one and click Remove.
1. Click Configure under Trunk Configure.
2. Select the Authentication tab. Uncheck Require users to authenticate at session logon.
3. Select the Session tab and check Disable component installation and activation and Disable scripting for portal applications.
4. Click OK.
Important! Modify the registry at your own risk.
1. Open Registry Editor
2. Navigate to HKLM\Software\WhaleCom\e-Gap\von\UrlFilter
3. Right-click and add two DWORD (32-bit) values, KeepClientAuthHeader and FullAuthPassthru, and set each value to 1.
4. Close the registry editor.
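The same change applied from PowerShell, as an added example (not from the original post) that is safe to re-run: it records the state of each value before and after, creates it only when it is missing or different, and fails clearly if the UAG key is not there. The key path and value names are the ones given in the steps above; as their names indicate, setting them makes UAG keep the client's authentication header and pass authentication through to the published Lync web services instead of authenticating at session logon.

```powershell
# Added example: set the UrlFilter pass-through values idempotently and report before/after.
$UrlFilterKey = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter'
$ValueNames   = 'KeepClientAuthHeader', 'FullAuthPassthru'

function Set-UagAuthPassthrough {
    param(
        [string]$KeyPath = $UrlFilterKey,
        [int]$Value = 1                     # 1 = enabled (the page's setting); 0 reverts it
    )
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key $KeyPath not found; is Forefront UAG installed on this server?"
    }
    foreach ($name in $ValueNames) {
        # Missing values read back as $null rather than throwing
        $before = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        if ($before -ne $Value) {
            # -Force overwrites an existing value; DWord matches the "DWORD 32-bit" in the steps
            New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
        }
        $after = (Get-ItemProperty -Path $KeyPath -Name $name).$name
        [pscustomobject]@{
            Name   = $name
            Before = if ($null -eq $before) { '<absent>' } else { $before }
            After  = $after
        }
    }
}

Set-UagAuthPassthrough | Format-Table -AutoSize
```

The values take effect only after the configuration is activated and IIS is reset, which are the next steps on the page.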
1. Click the Save button in the UAG console.
2. Click Activate
3. Once the configuration has completed, click Finish
4. Start a Command Prompt (cmd) as an Administrator.
5. Perform an IISRESET.
Verify Website Access through the Internet
Open a web browser, type the URLs in the Address bar that clients use to access the Address Book files and the website for conferencing as follows:
- For Address Book Server, type a URL similar to the following: https://webext.xman.com.au/abs
- For conferencing, type a URL similar to the following: https://webext.xman.com.au/meet
- For distribution group expansion, type a URL similar to the following:
- For dial-in, type the simple URL for dial-in conferencing. The user should be directed to the dial-in page. https://webext.xman.com.au/dialin
Step1: Configure the SharePoint server
1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.
2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.
3. On the Alternate Access Mappings page, in the Alternate Access Mapping Collection list, click Change Alternate Access Mapping Collection, and then on the Select an Alternate Access Mapping Collection dialog box, select the application that you want to publish.
4. On the Alternate Access Mappings page, click Edit Public URLs.
5. On the Edit Public Zone URLs page, in a zone box that is not yet defined, such as the Internet zone, enter the URL of the same public host name that you entered in the Public host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). Make sure that the URL includes the protocol, according to the trunk type.
6. For example, if you are publishing an application via an HTTPS trunk that resides in the domain xman.com, and the application’s public host name that you entered in Forefront UAG is Portal, enter the following URL: https://Portal.xman.com.
7. When you have finished, click Save.
8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:
9. In the URL protocol, host and port box, enter the URL that you assigned in the Farm host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). For example: http://PortalExternal.xman.com.
10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.
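The same alternate access mappings as steps 1 to 10 above, created from the SharePoint Management Shell as an added example (not from the original post). The public URL https://Portal.xman.com and the internal URL http://PortalExternal.xman.com are the page's own examples; the web application address http://sharepoint, the Internet zone and the UrlZone property name are assumptions.

```powershell
# Added example: configure and verify the AAM pair that a UAG-published SharePoint web application needs.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-UagAlternateAccessMapping {
    param(
        [Parameter(Mandatory)][string]$WebApplication,   # existing web app, e.g. http://sharepoint (assumed)
        [Parameter(Mandatory)][string]$PublicUrl,        # public host name entered in the UAG trunk (steps 5-6)
        [Parameter(Mandatory)][string]$InternalUrl,      # farm host name entered in the UAG trunk (step 9)
        [string]$Zone = 'Internet'                       # a zone not yet defined, as in step 5
    )
    $webApp = Get-SPWebApplication -Identity $WebApplication

    # A zone has exactly one public URL: replace it if the zone is already defined, else create it
    $existingPublic = Get-SPAlternateURL -WebApplication $webApp |
        Where-Object { $_.UrlZone -eq $Zone -and $_.IncomingUrl -eq $_.PublicUrl }
    if ($existingPublic) {
        Set-SPAlternateURL -Identity $existingPublic -Url $PublicUrl | Out-Null
    } else {
        New-SPAlternateURL -Url $PublicUrl -WebApplication $webApp -Zone $Zone | Out-Null
    }

    # Internal URL: the replaced host header UAG sends, mapped onto the same zone (steps 8 to 10)
    $existingInternal = Get-SPAlternateURL -WebApplication $webApp |
        Where-Object { $_.IncomingUrl -eq $InternalUrl }
    if (-not $existingInternal) {
        New-SPAlternateURL -Url $InternalUrl -WebApplication $webApp -Zone $Zone -Internal | Out-Null
    }

    # Return the zone's mappings so the result can be inspected
    Get-SPAlternateURL -WebApplication $webApp | Where-Object { $_.UrlZone -eq $Zone }
}

# True only when a request arriving on the internal URL is mapped back to the public URL;
# otherwise SharePoint rewrites links to a host name external users cannot reach.
function Test-UagAlternateAccessMapping {
    param([string]$WebApplication, [string]$PublicUrl, [string]$InternalUrl, [string]$Zone = 'Internet')
    $internal = Get-SPAlternateURL -WebApplication (Get-SPWebApplication -Identity $WebApplication) |
        Where-Object { $_.UrlZone -eq $Zone -and $_.IncomingUrl -eq $InternalUrl }
    return [bool]($internal -and $internal.PublicUrl -eq $PublicUrl)
}

Set-UagAlternateAccessMapping -WebApplication 'http://sharepoint' `
    -PublicUrl 'https://Portal.xman.com' -InternalUrl 'http://PortalExternal.xman.com' | Format-Table -AutoSize
Test-UagAlternateAccessMapping -WebApplication 'http://sharepoint' `
    -PublicUrl 'https://Portal.xman.com' -InternalUrl 'http://PortalExternal.xman.com'
```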
Step2: Create a New trunk
Right Click on HTTPS Application, Click New Trunk, Select Portal Trunk, Click Next
Type SharePoint 2010 on the Trunk Name, Type FQDN of SharePoint, Type IP address of external NIC, Click Next
On the Authentication Page, Click Add, Select DC, Click Next
Select the SharePoint.xman.com.au certificate from the drop-down, Click Next. Don't worry about the certificate screenshot; this is a test environment.
Select Use Forefront UAG Access Policies, Click Next
Select Default and Click Next
Step3: Add SharePoint web applications to the trunk
In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.
In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Microsoft Office SharePoint Server 2013, Microsoft SharePoint Server 2010, or Microsoft Office SharePoint Server 2007.
On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.
On the Web Servers page, do the following:
In the Addresses box, enter the internal host name of the server running SharePoint Products and Technologies. If your SharePoint server is load balanced, use the load-balanced URL instead of a server name. Make sure that you enter a fully qualified domain name.
In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.
In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.
In the Public host name box, enter a public host name of your choice for the SharePoint web application.
Select the Replace host header with the following check box, and in the Farm host name box, enter a URL of your choice that will be used to differentiate the internal host name of the application from its public host name. Make sure that the URL includes the domain in which the trunk resides (the domain of the trunk appears on the Web Servers tab, to the right of the Public host name box). For example, if the public host name of the application is HRPortal and the trunk resides in the domain xman.com, enter the following replacement host header: HRPortalExternal.xman.com.
On the Authentication page, do the following:
To allow rich client applications, such as Microsoft Word or Microsoft Excel, to authenticate directly to the SharePoint application without authenticating to the portal, select the Allow rich clients to bypass trunk authentication check box.
To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.
On the Portal Link page of the wizard, if required, configure the portal link for the application.
If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.
When you have completed the wizard, click Finish.
The Add Application Wizard closes, and the application that you defined appears in the Applications list.
On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.
After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.
Step4: Configure Mobile devices Access for SharePoint
When end users access a SharePoint 2010 site from a mobile device using the Office Mobile client, to allow the device to download documents from a SharePoint site, you must make the following URL set changes:
1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.
2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.
3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.
4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.
5. When end users open an Excel file on a SharePoint site from their mobile device, the file opens correctly. If they then go to a different SharePoint site, the first time they try to open an Excel file it may not open as expected; end users must click the file again to open it.