Preface

In the world of enterprise-class software products, development companies often struggle merely to finish the product and get it to market before their competitors beat them to the punch. In that situation, more often than not, the developers are happy if the customer can simply deploy the product successfully. UAG, like its predecessors IAG and e-Gap, has always been somewhat unusual in this respect: it offers extensive customization options, many of which are not merely possible but fully supported. Even among Microsoft's impressive range of software products, very few offer customizability as extensive as UAG's, and this has made UAG a tremendous success in the remote-access space.

In this book, which is the follow-up to the successful Microsoft Forefront UAG 2010 Administrator's Handbook, we will delve deep into the wonderful things you can achieve with UAG customizations. Our journey will explore the many aspects of the product that are customizable, suggest ideas for customizations that could benefit your organization, and offer detailed explanations, as well as code samples for implementing these ideas. Ready?

Why customize?

UAG was designed to provide multiple mechanisms for remote access. It was intended to let organizations expose any corporate resource, whether a simple HTML website or a complex, multiplatform dynamic application. As a result it has an elaborate user interface and a large selection of application publishing templates. However, despite the many years of development that went into it, no fixed set of templates can cover every conceivable application and scenario, and that is why major parts of the server were designed to be openly customizable.

In fact, the customization mechanisms are flexible enough to let us publish technologies that were created many years after the framework itself was designed. The objective of this book is to show you how to take advantage of this and use the product to its full potential.

What can you customize?

Virtually every aspect of UAG's operation can be customized to some degree, but generally speaking, the customizable framework is spread across the following core categories:

  • Look and feel

  • Clients, endpoint detection, and policies

  • Application templates

  • Authentication to UAG

  • Authentication to backend applications

  • Application and data flow

Look and feel

Customizing the look and feel refers to anything that has to do with what the user and/or administrator sees. This includes altering the text and graphics displayed by the portal, customizing application icons, changing the layout, setting the server to display additional data to the administrator or the user, and so on.

For example, some companies are perfectly happy with a simple change from the default blue UAG color scheme, perhaps with a few subtle text changes and a company logo, while others go for nothing short of a complete rework, with the frontend and portal pages entirely redesigned.

Other look and feel customizations aim to improve the user experience itself, for example by adding basic help or a portal quick-FAQ page, service messages or disclaimers, and, of course, by extending UAG's language support beyond the predefined language set.

The result is a completely tailored experience, limited only by your imagination.

Clients, endpoint detection, and policies

The default endpoint policies included in UAG can be tailored to the organization's needs using either a GUI-based editor or a script-based editor. These are often misunderstood, and we will take the opportunity to explain them properly. UAG also ships with an elaborate detection script that collects over 300 parameters from endpoints, and this too can be extended to collect additional information, letting the organization enforce its own requirements and tighten endpoint filtering and access control. Bear in mind that detection runs on the client, so a policy should treat the collected values as reported by the endpoint rather than independently verified: it is a filter on the client's stated posture, not a substitute for server-side authentication and authorization.

Additionally, UAG lets you customize and control which endpoint components are installed on clients. This makes for a better user experience, as it can reduce the number of browser restarts and client reboots that result from installing components one at a time.

Application templates

While UAG comes with over 30 individual application templates, many organizations find that their specific application needs certain tweaks to a template to work perfectly. You can also create custom templates that perform particular automations or tasks, such as manipulating registry settings on the client. This section of the book details the process of creating custom applications, along with useful changes you can make to the templates.

Authentication to UAG

Authentication is one of UAG's strengths, and this alone makes it one of the most versatile products available today. Out of the box it can front thousands of applications and integrate with dozens of directory and authentication types, from simple LDAP implementations and RADIUS backends to service-oriented, claims-based architectures. Enforcing security across a large heterogeneous environment is easier said than done, however. Many organizations run multiple systems or custom authentication schemes (elaborate smartcard or certificate-based authentication, for example) to control access to the many systems and applications spread across their estates, and these often require a bespoke implementation built around the organization's own needs and practices. See the challenge? Now consider how you provide remote access to those resources. This is where UAG really comes into its own: because its authentication code is written almost entirely in ASP, it offers unparalleled flexibility when faced with such challenges. This section of the book will guide you through some of what you can accomplish through code customization.

Authentication to backend applications

Most organizations that use UAG publish many applications through it, sometimes as many as a few dozen. UAG's ability to perform single sign-on (SSO) to these applications is a key factor in choosing UAG over other solutions. UAG's SSO mechanism is exceptionally capable: it handles standard HTTP 401 challenge-based authentication, Kerberos Constrained Delegation (KCD), Active Directory Federation Services (AD FS), and more. This section of the book discusses how to adapt UAG to perform custom SSO to applications it was not designed to handle, as well as how to customize the authentication flow itself.

Application and data flow

As a reverse proxy, it is UAG's primary job to fetch data from backend servers and present it to clients, as well as receive information from clients and send it back to the backend. Two major components of this engine are the Application Wrapper (also known as AppWrap) and SRA, which have the capacity to alter content on the fly. These components are a critical part of the application publishing process, and can also be used to enhance applications' functionality, while also optimizing the user experience by altering content in real time. By customizing these components, one can achieve better application compatibility, as well as enhanced performance, functionality, and security that go beyond what UAG provides out of the box. This section of the book will guide you in customizing the AppWrap and SRA, and suggests how you can use them to solve problems, boost productivity, and achieve incredible results.

Why is UAG so unique in this realm?

Two things make UAG an exceptional product from a customization point of view. First, it includes a mechanism that makes it easy to add, change, or remove custom code with a reduced risk of harming the default core code. This mechanism, commonly known as CustomUpdate, lets the customizer populate specially designated folders with custom files; UAG's engine automatically detects these files and incorporates them into its code. For example, if you want the portal to display your own icon for Citrix applications, all you have to do is create the graphic file, name it appropriately, and place it in the correct folder. UAG recognizes it right away, without you needing to change any settings or edit any complicated configuration files. Don't like the change? Remove the file, or overwrite it with another, and the change is applied right away. The flip side of this convenience is that whatever lands in those folders becomes part of the running product, so write access to them deserves the same care as access to the core code.
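As an added example (not code from this book or from UAG itself), the following PowerShell script inventories every folder named CustomUpdate under the UAG install tree, hashes its contents, and compares the result with a saved baseline, so that a file nobody intended to deploy shows up. The install root, the baseline file location, and the list of extensions treated as server code are this script's own assumptions, not details taken from this page.

```powershell
# Added example: audit UAG CustomUpdate folders against a saved baseline.
# Not code from the book or from UAG. Anything placed in a CustomUpdate folder
# is picked up by UAG automatically, and .asp/.inc files there run as server
# code, so unexpected additions or changes are worth noticing quickly.
# ASSUMPTIONS: $UagRoot is the default install path (not taken from the page);
# the baseline location and the extension list are this script's own choices.
param(
    [string]$UagRoot      = "C:\Program Files\Microsoft Forefront Unified Access Gateway\von",
    [string]$BaselinePath = (Join-Path $env:ProgramData "UagCustomUpdateBaseline.csv"),
    [switch]$UpdateBaseline
)

# Extensions UAG executes or reads as configuration; changes here are high impact.
$SensitiveExtensions = @('.asp', '.inc', '.vbs', '.js', '.dll', '.xml')

function Get-Sha256Hex {
    # Hash via .NET directly so the script also runs on PowerShell 2.0
    # (Windows Server 2008 R2, the UAG 2010 platform), which lacks Get-FileHash.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close(); $sha.Clear() }
}

function Get-CustomUpdateInventory {
    # One record per file found under any folder named CustomUpdate below $Root.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -eq 'CustomUpdate' } |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -Recurse -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Path      = $_.FullName
                        Sha256    = Get-Sha256Hex -Path $_.FullName
                        LastWrite = $_.LastWriteTimeUtc.ToString('o')
                        Sensitive = ($SensitiveExtensions -contains $_.Extension.ToLower())
                    }
                }
        }
}

function Compare-CustomUpdateBaseline {
    # Emits one line per added, modified, or removed file; no output means no drift.
    param($Current, $Baseline)
    $before = @{}
    foreach ($b in $Baseline) { $before[$b.Path] = $b.Sha256 }
    $seen = @{}
    foreach ($c in $Current) {
        $seen[$c.Path] = $true
        $tag = if ($c.Sensitive) { 'SERVER-CODE' } else { 'content    ' }
        if (-not $before.ContainsKey($c.Path)) {
            "ADDED    [$tag] $($c.Path)"
        } elseif ($before[$c.Path] -ne $c.Sha256) {
            "MODIFIED [$tag] $($c.Path)"
        }
    }
    foreach ($path in $before.Keys) {
        if (-not $seen.ContainsKey($path)) { "REMOVED  [           ] $path" }
    }
}

$current = @(Get-CustomUpdateInventory -Root $UagRoot)
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | Select-Object Path, Sha256, LastWrite, Sensitive |
        Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline written: $($current.Count) file(s) recorded in $BaselinePath"
} else {
    $baseline = @(Import-Csv -Path $BaselinePath)
    $drift = @(Compare-CustomUpdateBaseline -Current $current -Baseline $baseline)
    if ($drift.Count -eq 0) { "CustomUpdate folders match the baseline." } else { $drift }
}
```

Run it once straight after a reviewed deployment to record the baseline, then on a schedule or before and after every change; rerun with -UpdateBaseline only once a reported difference has been reviewed and accepted. Lines tagged SERVER-CODE are the ones to look at first, since those files execute or configure the server rather than merely changing what the portal looks like.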

Secondly, a significant portion of UAG's code is written in Active Server Pages (ASP), Microsoft's classic web application framework. This means you can open and read much of UAG's code directly off your server, without ploughing through mountains of API documentation. That doesn't make it a piece of cake: following the hundreds of code files and the links between them can be quite challenging. Still, almost all of the code is available to anyone, and you don't even have to install an expensive development suite.

On the other hand, customizing the code is not going to be a walk in the park; we can promise you that. Besides the tons of ASP code to melt your brain, you will find that the code flow is mostly undocumented, and unless you are a veteran developer you may find it hard to understand exactly what does what, and where you can add things without risking stability. Large parts of UAG's code also date back to the first generation of the product; some of it may be completely irrelevant to the product's current operation but was kept for backwards compatibility, which can cause some confusion until you get the hang of things. Finally, the code, as far as ASP is concerned, mixes COM objects, ActiveX, Java, HTML, CSS, and JavaScript, and for some customizations you will need to know many or all of these to follow it through. Are you up to the challenge?

What this book covers

Chapter 1, Customization Building Blocks, discusses some of the operations of UAG in depth, and introduces the various technologies used as part of the customization process. It explains some key concepts that are required and lists other topics that will be required to perform such customizations properly. It also includes references to additional recommended reading.

Chapter 2, Customizing UAG's Look and Feel, will teach you how to perform various look and feel customizations, including text, languages, themes, images, JavaScript, and icons.

Chapter 3, Customizing Endpoint Detection and Policies, will guide you through the process of creating custom endpoint detection using VBScript and the UAG COM object model, as well as integrating the detection script with endpoint policies.

Chapter 4, The Application Wrapper and SRA, will explore how to take advantage of the Application Wrapper and SRA, which enable UAG to alter content on-the-fly. The chapter will also suggest how to use this mechanism to improve application compatibility and fix various content-parsing related issues.

Chapter 5, Creating Custom Application Templates, will discuss creating, editing, and customizing the default SSL-VPN templates, as well as creating new ones which can be used to let UAG run special scripts and commands on clients, and applications with special properties.

Chapter 6, Custom Certificate Authentication, will teach you how to create a custom authentication repository that can authenticate a user via a Smartcard or certificate.

Chapter 7, Custom Authentication Repositories, will go through creating custom authentication repositories that can interact with various types of authentication mechanisms that are not available with the built-in repositories.

Chapter 8, Extending the Login Process with Customization, will discuss the process of customizing the login and validation process, including extracting user and session information and manipulating it.

Chapter 9, Customizing Endpoint Components, will teach you how to configure the endpoint client components for customized distribution, making deployment easier.

Chapter 10, Additional Customizations, will discuss various other customizations that do not belong to the other classifications.

What you need for this book

First, you will require a thorough understanding of UAG and its out-of-the-box configuration. You will need to have a good understanding of key concepts in the UAG world, such as the following:

  • Trunks

  • Applications

  • Endpoint detection

  • RuleSet

  • Public URLs

  • The UAG Portal

  • SSL-VPN

  • Tunneled Applications

  • Tracing

All of the preceding concepts can be learned from UAG's online documentation (http://technet.microsoft.com/en-us/library/ff358694.aspx), as well as from the book to which this is a follow-up: Microsoft Forefront UAG 2010 Administrator's Handbook (http://www.packtpub.com/microsoft-forefront-uag-2010-administrators-handbook/book).

In addition, you will require some level of understanding of the following underlying technologies:

  • Windows Server

  • Windows clients

  • Networking (TCP/IP, Windows Networking, WAN)

  • Active Directory

  • The HTTP and HTTPS protocols

  • Public Key Infrastructure

  • The Kerberos authentication protocol

  • Claims-based access control authorization model

  • AD FS

  • ASP

  • COM programming

  • ActiveX

  • Java

  • HTML

  • CSS

  • JavaScript

  • WMI

  • VBScript

  • Windows Shell scripting (Batch files)

  • XML

The preceding list is in no particular order, and being an expert in all of these is not essential. It is an advantage, however, because customizations vary: some require only simple HTML and CSS knowledge, while others focus on ASP, XML, and VBScript. Equally, a good grasp of networking, Windows Server, and Windows clients matters, and all three are areas in which you need a solid foundation.

This is particularly true when working with protocols such as HTTP and HTTPS. Most of the other items require only a basic understanding. The first chapter describes these technologies in more detail.

Who this book is for

Since its release, UAG has evolved to be one of the most popular remote access solutions in the market. When compared to its predecessors, it has also become more of a mainstream product which is now widely used across all industries. The appeal to most is, without a doubt, its reputation for doing exactly as it says on the box, but then also having this almost boundless ability to satisfy almost every possible requirement.

In a sense, you could even class UAG as a platform for bringing remote users and their applications together in a single place. However, it goes without saying that how you deliver, secure, and then present your solution is only as good as the person who implements it.

For this reason, most companies choose either to engage a security practice that offers UAG skills or, in quite a lot of cases, to put their own consultant through training, along with a purchase of our own Microsoft Forefront UAG 2010 Administrator's Handbook, as a means of getting up to speed.

Having the right skills is important as many of UAG's advanced features require careful planning and experience with UAG itself. It can also require experience with the underlying technologies and products, such as Windows Server, Active Directory, the HTTP and HTTPS Protocols, Public Key Infrastructure, the Kerberos authentication protocol, the claims-based access control authorization model (used in AD FS), and many others. For these reasons, this book will be most useful to such consultants who are interested in advancing their deployment skills to include custom UAG scenarios. This book can also be very useful for network and security engineers who deploy and use the product, and are interested in deploying advanced scenarios without help from a consultant, or who need to expand on the work of a consultant, or to support it following the deployment handover. Another target group are prospective developers who are interested in developing custom solutions or add-ons to UAG, to be used within their organizations, or to be offered to the public.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "First, we execute the function GetAuthenticatedUserDetails, which would return empty if the user has already authenticated."

A block of code is set as follows:

<Policies>
  <Policy>
    <Name>Screen Saver Active</Name>
    <ID>Screen_Saver_Running</ID>
    <Type>0</Type>
    <Value>false</Value>
    <Description></Description>
    <Section>Variables\System</Section>
  </Policy>
</Policies>

Any command-line input or output is written as follows:

@echo If WScript.Arguments.length =0 Then >%temp%\SetDns.vbs


New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "This option can be changed in the Web Settings tab."

Warnings or important notes appear in a box like this.


Tips and tricks appear like this.


Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book: what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to feedback@packtpub.com, and mention the book title via the subject of your message.

If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail suggest@packtpub.com.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, whether in the text or the code, we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at copyright@packtpub.com with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at questions@packtpub.com if you are having a problem with any aspect of the book, and we will do our best to address it.