Trunk properties help

Updated: July 31, 2012

Applies To: Unified Access Gateway

After using the Forefront Unified Access Gateway (UAG) Add Trunk Wizard to create a portal trunk, you can modify and configure portal settings on the portal property pages. This topic provides a summary of the portal properties and settings.

  • Main portal page

  • General tab

  • Authentication tab

  • Session tab

  • Endpoint Access Settings tab

  • Application Customization tab

  • Portal tab

  • URL Inspection tab

  • Global URL Settings tab

  • URL Set tab

Main portal page

Configure portal settings on the main page of each portal.

  • Public host name
    Specify the external portal address that is used by remote clients to reach the portal site. The host name must contain at least two periods.
  • Port
    If client endpoints making portal requests access a computer other than the Forefront UAG server (such as a load-balancer), specify the port number of that computer.
  • IP address
    Specify the external address of the portal. If the server is part of a Forefront UAG array, in the drop-down list select the external IP address of this array member.
  • HTTP port; HTTPS port
    Configure the port on which the portal listens for client requests. Only the default ports of 80 (HTTP) and 443 (HTTPS) are supported.
  • Initial application
    Select an application to be the home page of the portal. By default, the standard portal home page is used. If you want to use a customized home page, you can use any of the applications with predefined support, or you can use a generic application or an HTML page. A sample portal page is provided in this location: \Microsoft Forefront Unified Access Gateway\von\PortalHomePage\.
  • Use portal frame
  • Applications
    In the Applications area set the following:

    • Click Add to add a new application to the portal using the Add Application Wizard.

    • Click Edit to edit the published application properties. In the Application Properties dialog box, you can configure prerequisite requirements for client/server and legacy applications. In the Prerequisite applications list, enable the required applications. Prerequisite applications are automatically launched before starting a dependent application.

    • Click Remove to specify that an application should no longer be published in the portal.

    • Click Sort Alphabetically to sort the published applications list.

    • Click Add in the Limit Applications to the following subnets area to specify that an application should be restricted to the defined subnet.

General tab

In the General tab, configure connection settings, external Web site properties, and the server certificate.

  • Maximum
    Specify the maximum number of concurrent connections to the Forefront UAG portal. The default setting is 500.
  • External Web site

    • IP address─Specifies the external IP address of the portal. This setting is read-only. You can modify the address on the main property page of the portal.

    • HTTP port─HTTP port on which the portal listens for client requests. If the portal is an HTTP portal, you can modify the HTTP port setting on the main property page of the portal.

    • HTTPS port─HTTPS port on which the portal listens for client requests. If the portal is an HTTPS portal, you can modify the HTTPS port setting on the main property page of the portal. Both HTTP and HTTPS ports are displayed because you can use the same IP address for two trunks that share the same site name, one for HTTP sessions, and the other for HTTPS sessions.

    • Site name─Specifies the trunk name you defined when creating the trunk using the Create New Trunk Wizard. Sites with the same IP address must have matching site names; sites with different IP addresses must have unique site names.

  • Server certificate
    On HTTPS trunks, specifies the server certificate used to authenticate the Forefront UAG server to client endpoints over an HTTPS connection.
  • Enable Web server logging
    Select this check box to enable IIS Web server logging to record transactions through the trunk, including the source IP addresses. The log is created in the location defined in the ISAPI Filters tab, under Web Site properties in the IIS Microsoft Management Console (MMC).
  • Include user name in log
    If you select Enable Web Server logging, you can enable this option to specify that the user name entered during logon is recorded in the IIS log.
  • Disable all security features for the trunk
    Select this check box to disable all security features configured for a trunk. This mode should only be used when instructed by technical support. If you select this option, ensure you disable the setting after completing troubleshooting.

Authentication tab

On the Authentication tab, specify how clients authenticate when establishing a portal session.

  • Require users to authenticate at session logon
    Enable to specify that only authenticated users can access the portal.

    Note

    When SSTP is configured, Require users to authenticate at session logon must be selected.

  • Select authentication servers

    • Add─Click to select the authentication server against which clients should authenticate to establish a portal session. In the Authentication and Authorization Servers dialog box, select a server, and then click Select. To add a new server to the list, click Add.

    • Remove─Select an authentication server from the list, and then click Remove to specify that the server should no longer be used to authenticate clients requesting access to a portal session.

  • Enable users to specify an authentication server
    Select to specify that users connecting to the portal will be prompted to select the server against which they will authenticate. If only one server appears in the authentication servers list, no prompt is displayed.
  • Provide a server list at user logon
    Select to allow users to select a server from a drop-down list instead of requiring them to specify the server name.
  • Require users to authenticate to each server
    Select to specify that users are prompted at logon to authenticate against all servers specified in the authentication servers list. The first server on the list is defined as the lead server. After a scheduled logoff, users are requested to authenticate against this lead server only.
  • Authenticate to each server with the same user name
    Select to specify that users will be prompted to enter one user name that is used for authentication against all selected servers. If this option is not enabled, users will be prompted to enter a user name for each server.
  • Enable users to add credentials on-the-fly
    Select to specify that users can add credentials when access to a published application with a user's current credentials is denied. When this check box is selected, applications with "Allow" or "View" authorization are displayed, and users attempting to access "View" applications will have the option of entering credentials to gain access. If this check box is cleared, only applications for which the user has "Allow" access are displayed in the portal.
  • Enable users to change passwords
    Select to specify that users can change their password on demand or on expiry. This enables users who cannot log on because of an expired password to renew their password and log on successfully. Users can initiate a password change using the credentials management option in the portal. Note that this option is available only when authenticating using Active Directory Domain Services.

    Note the following:

    • It is recommended that you only enable this option when the Forefront UAG server and endpoint users are domain members, and the Forefront UAG domain trusts the user domain.

    • Credentials specified for access to authentication servers should allow passwords to be changed. In addition, the authentication server itself should allow password changes.

  • Notify user <number_of_days> Days Prior to Expiration
    Specify when users should be notified that their password is due to expire. This option is available only if the Enable users to change passwords check box is selected.
  • Enable users to manage their credentials
    Select to add an option to the portal homepage that allows users to add authentication credentials or to change a password. To allow users to change a password using the credentials management option in the portal page, you must also select the Enable users to change passwords check box.
  • Enable users to select a language
    Select to define language options for end-user Web pages, including text that appears in pop-ups and messages. When you select this setting, a drop-down list is displayed on the logon page to allow users to select a language. The selected language is used for all client endpoint sessions with the Forefront UAG server, until the user changes the language settings again. If you clear this setting, the client endpoint browser language is used if available; otherwise, English is used.
  • User logon page
    Type the URL of the logon page with which Forefront UAG replies to client endpoints that request access. Forefront UAG provides a default logon page.
  • On-the-fly logon page
    Specify the URL of the logon page that is presented to users when they are required to log on for additional access following the initial logon. By default, this page is the same as the default logon page.
  • Maximum logon attempts
    Enter the maximum number of consecutive times that a user can attempt to log on for access to any application before failing. This setting also applies to the number of times that users can attempt to change a password if the Enable users to change passwords check box is selected. This does not include attempts that fail because a proposed password does not comply with corporate policy.
  • Block period after failed
    Specify the period in minutes during which users are blocked from accessing the site because they failed to log on or change a password.
  • Apply an Outlook Web Access look and feel
    If you are publishing Exchange Outlook Web Access, select the option to apply an Outlook Web Access look and feel to the portal logon and logoff pages. This is useful when end users are already familiar with the Outlook Web Access interface.
  • Logoff scheme
    Select to specify that a logoff scheme should be used.
  • Logoff URL
    Specify the URL of the logoff page that serves as a trigger for the termination of the session. You can define the logoff URL on any internal application with a logoff mechanism. Forefront UAG provides a default logoff URL page at the following location: \Microsoft Forefront Unified Access Gateway\von\InternalSite\LogoffMsg.asp.

    You can specify only URLs of applications that use host address translation (HAT) for this field.

  • Logoff message
    Specify the URL containing the message that will be sent to the browser when the logoff scheme is activated.
  • Wait <number_of_seconds> seconds and then terminate the session
    Specify how long Forefront UAG should wait before closing the session after a logoff is initiated.
  • Send the logoff request to the application server
    If you have a custom page specified in Logoff URL, select this setting to indicate that the logoff request should be forwarded to the specified application server. When this setting is enabled, the application will also be closed. If this check box is not selected, once logoff is initiated and until the Forefront UAG session is closed, requests will not be forwarded to the application server.
  • Send the application server response to the browser
    Select to indicate that the application server response to the logoff request should be sent to the browser instead of the message defined in Logoff message. This option is only applied if the Send the logoff request to the application server check box is selected.

Session tab

On the Session tab, configure settings that are applied to endpoint sessions with the portal site.

  • Maximum concurrent sessions
    Defines the maximum number of sessions that can be open simultaneously through the portal. The default limit is 10,000. In order to modify this value, you must manually restart IIS after activating the setting in Forefront UAG.
  • Session threshold before issuing event
    Specify the concurrent session threshold limit. When the number of sessions reaches this limit, Forefront UAG sends a message alert to the Web Monitor when a new session is opened. The message is also sent to the Built-In reporter log file, if this type of logging is enabled. The default limit is 0, which indicates that no threshold is set and no alert is sent.
  • Maximum unauthenticated concurrent sessions
    Specify the maximum number of anonymous (unauthenticated) sessions that can be open simultaneously through the portal.
  • Unauthenticated session threshold before issuing event
    Specify the concurrent session threshold limit for unauthenticated sessions. When the number of unauthenticated sessions reaches this limit, Forefront UAG sends a message alert to the Web Monitor when a new unauthenticated session is opened.
  • Session timeout notifications (seconds)
    Specify the number of seconds before a session timeout occurs that client endpoints should be notified. For example, if you set the timeout to 60 seconds, clients will be notified 60 seconds before a scheduled session logoff that the logoff is about to occur. Note that to receive session notifications, client endpoint browsers must allow pop-ups from the portal site.
  • Error message URL
    Specify the URL containing the error messages that are displayed when client endpoints do not access the portal successfully.
  • Disable component installation and activation
    Select this option to disable the installation of Forefront UAG endpoint components on client endpoints, including the installation of the SSL Wrapper component. Note that disabling the installation of components will affect Forefront UAG functionality on all endpoints, including endpoints that currently have the components installed. In addition, when you select this option, endpoint access policies cannot be applied because client endpoint compliance cannot be verified. Ensure that you are familiar with client endpoint components before selecting this check box.
  • Disable scripting for portal applications
    Select this option to disable scripting options defined when a portal application is accessed. These scripting options are defined in the folder: \Microsoft Forefront Unified Access Gateway\von\InternalSite\StartApp.asp. Options defined in this file include the activation of an application's prerequisite applications, if any are defined, and an application's startup page, if defined. Note that selecting this setting disables all client/server and legacy portal applications. You should select this check box for troubleshooting purposes only.
  • Use certified endpoints
    Select to specify whether certified endpoints are evaluated for the portal session.
  • Verify user name with endpoint certificate
    If Use certified endpoints is enabled, select this setting to compare the user login name with the user name for which the client certificate was issued. When this check box is selected, the certified endpoint is evaluated per user and not per endpoint. Note that this option is relevant only for HTTPS connections to the portal.
  • Delete application-specific files with Endpoint Session Cleanup
    Select this option to enable the Endpoint Session Cleanup component to clean specific application files on the client endpoint when the endpoint session is completed.
  • Use DNS suffix
    Select this option to specify that when you define the application server in the Server Settings tab of the application properties, Forefront UAG automatically completes the entry. This setting is applicable for client/server and legacy applications published via a portal trunk, and for a directly published Domino iNotes application. Two entries are defined for each server:

    • NetBIOS hostname. For example: appserver.

    • Fully Qualified Domain Name (FQDN). For example: appserver.contoso.com.

    The value you enter in Use DNS Suffix determines the extension that the system adds to NetBIOS host names in order to complete the server's FQDN. If this field is left empty, the system adds the suffix of the local Forefront UAG server. If you enter a suffix, it is added to the server name. If you add an FQDN server name, the system derives the NetBIOS host name from this name.

  • Default Session Settings

    • Inactive session timeout (seconds)─Enter the maximum time a session can be inactive before it times out. By default, the client endpoint is prompted to renew the session 30 seconds before session timeout. If it is not renewed, the session is closed, and when the browser next sends a request, a new session is opened. If authentication is required, credentials are requested. Configure the same settings for privileged sessions in the Privileged Session Settings area.

    • Trigger logoff scheme after <minutes> minutes─Specify how many minutes should elapse before the configured logoff scheme is triggered. This setting applies only if the Logoff scheme check box is selected on the Authentication tab. Configure the same setting for privileged sessions in the Privileged Session Settings area.

    • Delete cookies at logoff─Specify whether session cookies should be set to "Expired" when the session is terminated, and deleted from the client endpoint. Configure the same setting for privileged sessions, in the Privileged Session Settings area.

    • Request no browser caching─Select to prevent the client endpoint browser from keeping pages in the browser cache during a portal session. This behavior is obtained by adding the header "vary:*" to the response. Note that you can add a different header to the response by adding an <ADD_HEADER> element to the application customization file. Configure the same setting for privileged sessions in the Privileged Session Settings area.

    • Activate Endpoint Session Cleanup component─Select to activate the Endpoint Session Cleanup for the portal session. Configure the same setting for privileged sessions in the Privileged Session Settings area.

    • Prompt user to disconnect if the portal closes without logging off─Select to specify that client endpoints should be prompted to disconnect the session when the portal Web site closes without a logoff. If this check box is selected, select the Reopen the portal if the user does not disconnect check box to ensure that when the portal window closes without logoff, and a user selects not to close the open SSL wrapper channel, the portal window is reopened. This prevents SSL wrapper applications from running outside the browser environment. A portal may close without the user logging off when a browser crashes or when a user accesses a non-portal page from within the portal, but the portal remains open to enable connections to applications. Note that this option is applicable for portals publishing SSL wrapper applications (client/server applications, legacy applications, and browser-embedded applications). Configure the same setting for privileged sessions in the Privileged Session Settings area.

Endpoint Access Settings tab

On the Endpoint Access Settings tab, specify the access policies with which clients must comply to gain access to a portal session.

Note

If the controls on this tab are unavailable, on the Session tab, clear the Disable component installation and activation check box, if required.

  • Use Network Access Protection (NAP) policies
    Select this setting to specify that endpoint health should be verified using NAP policies downloaded from Network Policy Server (NPS) servers.
  • Deny access to logon page from endpoints that do not have NAP installed and running
    Select this option to verify endpoint health using NAP policies only.
  • Use Forefront UAG policies when endpoints do not have NAP installed and running
    Select this option to verify endpoint health using Forefront UAG policies if NAP is not available.
  • Select NPS servers

    • Click Add to add an NPS server on which NAP policies are defined.

    • Click Remove to remove an NPS server.

  • Session Access Policy

    • Access method─Specifies whether client health for the session is assessed using NAP or Forefront UAG policies.

    • Endpoint policy─Specifies the endpoint policy that is applied for the session.

    Configure the same settings for the Privileged Endpoint Policy.

  • Socket forwarding component installation policy
    Configure these settings to define the access policies with which an endpoint must comply in order for the Socket Forwarding component to be installed on the endpoint. The Socket Forwarding component is used for SSL Wrapper applications. Select Uninstall the Socket Forwarding component to specify that the Socket Forwarding component should be uninstalled on any endpoints running it, the next time that the endpoint accesses the portal. With this option enabled, the component will be uninstalled regardless of whether the endpoint conforms to the access policies set for Socket Forwarding component installation.
  • Do not block this site in the Internet Explorer pop-up blocker
    Specify this setting to add the site to the list of allowed sites in the Internet Explorer pop-up blocker. This ensures that pop-ups from the site are not blocked, and that users can continue to receive messages and notifications. The site is removed from the list when Forefront UAG client endpoint components are uninstalled. When the user connects and the site is added, a pop-up message notifies the user of the proposed addition.
  • Prompt user before retrieving information from endpoint
    Enable this setting to specify that client endpoints should be informed when Forefront UAG is collecting information. Selecting this check box allows client endpoints to select Enable and continue with full functionality to specify that they give their consent for the collection of information. Alternatively, clients can select Continue with limited functionality to specify that the Endpoint Detection component should not be activated, and that information should not be collected. This may result in limited functionality for client endpoints.

Application Customization tab

Configure settings in the Application Customization tab to select whether to use the default application customization template supplied by Forefront UAG, and configure global content-type and URL extension lists.

  • Enable application customization
    Select this option to allow application customization, and to apply the setting configured in the application customization templates, according to the option selected in Select Customized Template.
  • Select Customized Template
    Select Automatic to use the default template. Select Other (manual configuration) to modify the default template.
  • Search and Replace Using Content-Type
    Defines a global list of content-types on which the filter searches and replaces data.

    • Click Add to add a content type.

    • Click Edit to edit an existing content type.

    • Click Remove to delete a content type.

  • Compression Handling in Responses
    Defines a default list of URL extensions for which compression handling in responses is applied.

    • Click Add to open the Add URL Extension dialog box. In the Extension box, enter the URL extension you want to add to the list.

    • Click Remove to remove a URL extension from the list.

  • Support GZip compression of listed URL extensions
    Enable to specify that when the filter receives a request for content that is listed here and it passes the request to the application server, the filter does one of the following:

    • If the requesting browser supports GZip encoding, the filter informs the application server that the browser supports this type of encoding. The server can then send the content GZip-encoded; in which case, the filter decompresses it, manipulates the links as required, compresses it again, and sends it to the requesting browser. Note that even if the browser supports additional encoding forms, the filter informs the application server that the browser supports only GZip encoding.

    • If the requesting browser does not support GZip encoding, the filter informs the application server that the browser does not support encoding, even if the browser supports other types of encoding. In this case, the server sends unencoded content to the filter. The filter then manipulates the links as required, and sends the content to the requesting browser, in an unencoded form.

    If you clear the Support GZip compression of listed URL extensions check box, when the filter receives a request for content that is listed in the URL Extension list and it passes the request to the application server, the filter informs the server that the browser does not support encoding. The server then sends unencoded content to the filter. The filter manipulates the links as required and sends the content to the requesting browser, in an unencoded form.
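As an added illustration (not Forefront UAG code), the following Python models the Accept-Encoding negotiation and the response handling described above; the extension list, the link-rewriting stand-in, and the pass-through of unlisted extensions are assumptions made for the example.

```python
import gzip
from typing import Optional, Tuple

# Constructed sample of the Compression Handling extension list (not UAG's shipped list).
COMPRESSION_EXTENSIONS = {".htm", ".html", ".js", ".css", ".aspx"}


def is_listed_extension(path: str, extensions=COMPRESSION_EXTENSIONS) -> bool:
    """True when the request path ends with an extension on the Compression Handling list."""
    path = path.split("?", 1)[0].lower()
    return any(path.endswith(ext) for ext in extensions)


def accept_encoding_for_server(path: str, browser_accept_encoding: Optional[str],
                               gzip_support_enabled: bool) -> Optional[str]:
    """Accept-Encoding value the filter forwards to the application server.

    None means the browser is reported as supporting no encoding, so the server
    must answer with plain content. Requests for unlisted extensions are passed
    through unchanged (an assumption; the page describes listed content only).
    """
    if not is_listed_extension(path):
        return browser_accept_encoding
    if not gzip_support_enabled or not browser_accept_encoding:
        return None
    tokens = {t.split(";", 1)[0].strip().lower() for t in browser_accept_encoding.split(",")}
    # Even if the browser also offers deflate or br, only gzip is advertised upstream.
    return "gzip" if "gzip" in tokens else None


def rewrite_links(body: bytes, internal_host: bytes, external_host: bytes) -> bytes:
    """Stand-in for the filter's link manipulation: rewrite absolute internal URLs."""
    return body.replace(b"http://" + internal_host, b"https://" + external_host)


def filter_response(content_encoding: Optional[str], body: bytes, internal_host: bytes,
                    external_host: bytes) -> Tuple[Optional[str], bytes]:
    """Process an application server response body; return (encoding, body) for the browser.

    gzip responses are decompressed, rewritten and recompressed; plain responses are
    rewritten as-is. Any other encoding was never advertised to the server, so the
    body cannot be parsed and is rejected rather than forwarded with links unrewritten.
    """
    encoding = (content_encoding or "").strip().lower()
    if encoding == "gzip":
        plain = gzip.decompress(body)
        return "gzip", gzip.compress(rewrite_links(plain, internal_host, external_host))
    if encoding in ("", "identity"):
        return None, rewrite_links(body, internal_host, external_host)
    raise ValueError(f"unexpected Content-Encoding {content_encoding!r}: not advertised by the filter")


def demo_gzip_roundtrip(internal_host: bytes = b"appserver.contoso.com",
                        external_host: bytes = b"portal.contoso.com") -> bytes:
    """Constructed sample: a gzip-encoded server page run through the filter, decompressed for inspection."""
    page = b'<a href="http://appserver.contoso.com/owa/">Mail</a>'
    encoding, out = filter_response("gzip", gzip.compress(page), internal_host, external_host)
    assert encoding == "gzip"
    return gzip.decompress(out)
```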

Portal tab

Configure settings in the Portal tab to do the following:

  • Define a list of URLs on which you do not want to run the content-type parser in either the body of the request, the response, or both (for example, on pages that contain no links or pages where all the links are relative path URLs where there is no need for link replacement because the server name does not appear in the URL). You can configure this per application server or per application type.

  • Define a list of URLs on which you want to run a search and replace parser on the body of the response. The search and replace engine manipulates absolute URLs in order to hide link names in body data that is not otherwise handled by the content-specific parser (for example, Java comments or URLs that appear within HTML text tags). The search and replace engine runs on the entire HTTP data in the application or in the trunk, including all tags. It is applicable for responses only. You can configure this per application server or per application type.

  • Define a manual list of URLs that, when requested, will be redirected or rerouted to the specified location.

  • Skip body parsing
    Configure body parsing as follows:

    • Do not parse the bodies of these requests─Click Edit to specify that if a requested URL matches any URL on this list, the body will not be accumulated for parsing. On the URLs without body parsing dialog box, in Servers, click Add. On the Add Server dialog box, enter the name of the site on which the page or pages reside using a regular expression. In URLs, click Add. In the Add URL dialog box, enter URLs using regular expressions. For each site you configure you must configure at least one URL. To display the URLs that are configured for a site, select the site in the Server list.

    • Do not parse the bodies of the response to these requests─Click Edit to specify that if a requested URL matches any URL on this list, the response body will not be accumulated for parsing. On the URLs without body parsing in response dialog box, in Servers, click Add. On the Add Server dialog box, enter the name of the site on which the page or pages reside using a regular expression. In URLs, click Add. In the Add URL dialog box, enter URLs using regular expressions. For each site you configure you must configure at least one URL. To display the URLs that are configured for a site, select the site in the Server list. Repeat the process for all sites and URLs for which you want to skip body parsing. After activating the trunk, the body of the requests you configured here will not be parsed.

  • Search and Replace Response Content
    Defines a global list of content-types on which the filter searches and replaces data. If the requested URL does not match the parameters configured in Skip Body Parsing, and the content type matches any content type on this list, the response body will be accumulated for parsing. Click Edit to add a content type.
  • Manual URL Replacement
    Use this list to manually replace unrecognized URLs in requests with a valid path. Ensure that URLs to which you redirect a request are sites that appear on the portal application list. Configure rules as follows:

    • Click Add to add a URL redirection entry. In the URL Change dialog box, in the URL box, enter the URL from which you want to redirect the request. In To URL, specify the replacement URL. In Type, select Redirect to return the HTTP 302 status and redirect the browser to the URL path defined in To URL. This option is selected by default and is recommended for use with most applications, because all relative links within the HTML page are also directed to their true location when requested. Select Rerouting to replace the original URL with the URL defined in To URL. Select this option only if your application uses a protocol that does not support the HTTP 302 status, such as WebDAV. In this case, you have to configure each of the relative path links that appear within the HTML page to be rerouted to their true location. In Server name, specify the IP address or domain name of the server to which the URL defined in URL will be redirected. In Port, specify the port number of the server. Enable Use SSL if the server is listening for requests on an HTTPS port. Select Dynamic if the rule should automatically reroute or redirect requests to the appropriate application server for the current session. The dynamic forwarding rule must include a dynamic parameter that is used to determine the destination server to which the request is forwarded. You define the dynamic parameter in an authentication hook and refer to it from the URL replacement rule. It must also include a fallback server, to which requests are forwarded in case the dynamic parameter cannot be resolved. The fallback server must be a server that is defined in the Web Servers tab of the application properties for one of the defined applications.

    • Click Edit to edit a URL replacement entry.

    • Click Remove to remove a URL replacement entry.
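The Redirect, Rerouting and Dynamic options above can be modeled as a small rule engine. The following Python is an added example, not Forefront UAG code; exact-match rule URLs, the session parameter name, the host names, and the extra check that a dynamically resolved server must be a defined web server are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class UrlReplacementRule:
    """One entry in the Manual URL Replacement list; field names follow the URL Change dialog."""
    url: str                      # URL: the request URL the rule applies to (exact match assumed)
    to_url: str                   # To URL: the replacement URL
    rule_type: str                # Type: "Redirect" (HTTP 302) or "Rerouting" (for example, WebDAV)
    server_name: str = ""         # Server name: IP address or domain name of the target server
    port: int = 80                # Port
    use_ssl: bool = False         # Use SSL: the server listens on an HTTPS port
    dynamic: bool = False         # Dynamic: pick the server per session
    dynamic_param: Optional[str] = None    # session parameter set by an authentication hook (assumed name)
    fallback_server: Optional[str] = None  # used when the dynamic parameter cannot be resolved


def resolve_server(rule: UrlReplacementRule, session_params: Dict[str, str],
                   defined_web_servers: Set[str]) -> str:
    """Pick the application server for a Rerouting rule."""
    if not rule.dynamic:
        return rule.server_name
    # The fallback must be a server defined in some application's Web Servers tab.
    if rule.fallback_server not in defined_web_servers:
        raise ValueError(f"fallback server {rule.fallback_server!r} is not a defined web server")
    target = session_params.get(rule.dynamic_param or "")
    # Assumed hardening: a resolved value that is not a defined web server counts as
    # unresolved, so a hook-supplied parameter can never reroute traffic to an arbitrary host.
    if target in defined_web_servers:
        return target
    return rule.fallback_server


def apply_url_replacement(request_path: str, rules: List[UrlReplacementRule],
                          session_params: Dict[str, str],
                          defined_web_servers: Set[str]) -> Optional[dict]:
    """Return the action the filter takes for request_path, or None if no rule matches."""
    for rule in rules:
        if request_path != rule.url:
            continue
        if rule.rule_type == "Redirect":
            # HTTP 302: the browser requests To URL itself, so relative links resolve correctly.
            return {"action": "redirect", "status": 302, "location": rule.to_url}
        if rule.rule_type == "Rerouting":
            # The request is forwarded transparently; relative links need their own rules.
            server = resolve_server(rule, session_params, defined_web_servers)
            scheme = "https" if rule.use_ssl else "http"
            return {"action": "reroute", "target": f"{scheme}://{server}:{rule.port}{rule.to_url}"}
        raise ValueError(f"unknown rule type {rule.rule_type!r}")
    return None


# Constructed sample configuration (host names are placeholders, not taken from the page).
DEFINED_WEB_SERVERS = {"fileserver.contoso.com", "mail1.contoso.com", "mail2.contoso.com"}
SAMPLE_RULES = [
    UrlReplacementRule("/exchange", "/owa/", "Redirect"),
    UrlReplacementRule("/dav", "/webdav/", "Rerouting", server_name="fileserver.contoso.com", port=80),
    UrlReplacementRule("/mail", "/owa/", "Rerouting", port=443, use_ssl=True, dynamic=True,
                       dynamic_param="mailbox_server", fallback_server="mail1.contoso.com"),
]
```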

URL Inspection tab

On the URL Inspection tab, you can specify valid methods for URL access, define a default set of valid methods, set an enforcement level for application types, configure general URL inspection settings, and configure settings for global URL character rules.

  • Valid URL Access Methods area

    • To add a new method to the list of default methods that are valid when you create a URL inspection rule, type the method in the Predefined and custom methods list, and then click Add.

    • To remove a method, select the method in the Predefined and custom methods list, and then click Remove. To delete added methods, click Remove All. Default methods cannot be modified.

  • Default group methods

    • To add a new method to the list of grouped methods that can be used as default groups when creating URL inspection rules, select the method in the Predefined and custom methods list, and then click Add>>.

    • To remove a method, select the method in the Predefined and custom methods list, and then click Remove. To delete added methods, click Remove All. Default methods cannot be modified.

  • Rule Enforcement Level – Type
    In the Type drop-down list, select the application type to which the enforcement level applies. The enforcement level is applied individually for each of the Web and browser-embedded applications enabled via the trunk.
  • Rule Enforcement Level – slider levels

    • Extra fine─Select to specify high granularity with strict enforcement of specific URLs, parameters and methods. This may cause errors requiring manual changes to the rule set in some environments.

    • Fine─Select to specify strong enforcement of URLs, parameters and methods.

    • Medium─Select to specify flexible enforcement that is not bound to highly specific parameters.

    • Rough─Select to specify very basic rule enforcement with minimal risk of rule-set violations.

  • Data and Headers – Maximum POST/PUT size
    Set the maximum size of pages that can be sent using the POST or PUT methods (in bytes). The default setting is -1, indicating that the size of data is unlimited and not checked. If you enter a positive value and the size of a page exceeds this value, the request is denied, and an error message URL is sent.
  • Block Negotiate authorization headers
    Select the Block Negotiate authorization headers check box to specify that Forefront UAG should block all headers beginning with authorization:negotiate. Note that a negotiate authorization header sent by clients may contain malformed code, which can cause denial of service and browser crashes.
  • Global URL Character Rules
    Use global URL character rules to define which ASCII characters may appear in URLs and in what form. Settings can be applied individually for a portal, internal site, and for Web and browser-embedded applications, or they can be applied globally. To create a rule, select the application type, and then click Edit.

    • Legal Characters─ Specify the characters that are allowed in the URL as is. If you want the filter to inspect encoded characters, do not include the character "%" in the list. This character is used as a prefix for encoded characters.

    • Forbid Encoding Of─ Specify characters that are not allowed in the URL in an encoded form.

    • Include NULL─Select the Include NULL check box to specify that NULL characters cannot appear in an encoded form.

    • Enable %u encoding─Select to enable the use of %u encoding in URLs and parameters. This specifies that the filter decodes and inspects characters that are encoded by using the %u encoding method in requests, URLs, and parameters. Note that in order to support encoding, the character "%" must not appear in the Legal characters list. Note also that escaped encoding ("%" hex hex) is enabled by default.

  • Apply global URL character rules for all trunk applications
    Enable this option to enforce all rules that appear in the Global URL Character Rules list on all the relevant applications in the trunk. For example: If encoding of the character "?" is forbidden for the Forefront UAG internal site, it will be automatically forbidden for all the other relevant applications, regardless of the individual configuration of the option Illegal characters (encoded) for those applications.
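The following is an added example, not part of the original topic or of Forefront UAG itself: a small Python model of the Global URL Character Rules described above (Legal Characters, Forbid Encoding Of, Include NULL, Enable %u encoding), showing how a URL is accepted or rejected under a given rule set. The rule-set defaults and the handling of malformed escapes are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# "%" hex hex escaped encoding is enabled by default; "%u" hex hex hex hex only when enabled.
PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
U_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})")


@dataclass
class UrlCharRules:
    legal: str                      # Legal Characters: allowed in the URL as-is
    forbid_encoding_of: str = ""    # Forbid Encoding Of: not allowed in encoded form
    include_null: bool = True       # Include NULL: encoded NULL is rejected (default assumed)
    enable_u_encoding: bool = False # Enable %u encoding


def inspect_url(url: str, rules: UrlCharRules):
    """Return (accepted, reason). Illustrative only; not UAG's real filter code."""
    legal = set(rules.legal)
    forbidden = set(rules.forbid_encoding_of)
    # Per the rules: encoded characters are only inspected when "%" is NOT a legal character.
    inspect_encoded = "%" not in legal
    i = 0
    while i < len(url):
        ch = url[i]
        if ch == "%" and inspect_encoded:
            m = U_ESCAPE.match(url, i) if rules.enable_u_encoding else None
            if m is None:
                m = PCT_ESCAPE.match(url, i)
            if m is None:
                # Assumption: an escape that cannot be decoded is treated as a violation.
                return False, f"malformed escape at offset {i}"
            decoded = chr(int(m.group(1), 16))
            if decoded == "\x00" and rules.include_null:
                return False, "encoded NULL not allowed"
            if decoded in forbidden:
                return False, f"encoding of {decoded!r} is forbidden"
            i = m.end()
            continue
        if ch not in legal:
            return False, f"illegal character {ch!r} at offset {i}"
        i += 1
    return True, "ok"
```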

Global URL Settings tab

Configure settings on the Global URL Settings tab to define global parameter rules that are automatically added to each of the parameter rules you defined in the URL Set tab. Global rules are automatically added to each of the URL inspection rules, and to the individual parameter rules. When the request is checked against the rule, the individual parameter rules are applied first. Then the global parameter rules are applied. In addition, on the Global URL Settings tab, configure a global list of rejected parameter values, global URL settings, and a download file size limit.

  • Global Parameters List

    • Click Add to create a new parameter rule. Parameter rules are rules that Forefront UAG applies to a URL when its relevant URL inspection rule is set to handle parameters. Rules on the Global Parameters List are added to each of the URL inspection rules defined on the URL Set tab.

      • Name─Type the parameter name. The name must match the name sent by the browser. Note that names are not case sensitive.

      • Name type─ Click the drop-down button and select the type for the parameter: possible values are String and Regular expression.

      • Value─ Type the parameter value. This is dependent upon the value defined in Value Type. For strings, enter a regular expression that defines the acceptable values. For integer and real parameters, a comma divides values, and a colon represents a range of values. Parameter values must be listed according to their length, in descending order from the longest to the shortest.

      • Value Type─Click the drop-down button and select the type for the parameter value: possible values are Integer, Real, or String.

      • Length─Type the length of the value.

      • Existence─Click the drop-down button and select how the parameter is evaluated. Select Mandatory to specify that the URL is only considered valid if the parameter is present. Select Optional to specify that the parameter is optional. Select Reject to specify that the request should be considered not valid if the parameter appears in the request.

      • Occurrences─ Click the drop-down button to select whether the parameter can appear in the URL once or multiple times.

      • Maximum Total Length─Type the total length of parameter values of all occurrences of this parameter.

    • To delete a rule, select it in the list and then click Remove.

  • Rejected Values
    Click the drop-down button to select whether to check the parameter against the Rejected Values list. Select On to check against the list. Select Off to specify that the parameter should not be checked.
  • URL Settings – Download URLs
    Download rules are used when an application's download policy is configured to identify downloads by using the Identify by URLs option. Click Configure to create a download URL rule.

    • Download URLs Settings -Add

      • Type ─Select the application type from the application list.

      • URL─Enter the URL by using regular expressions.

      • Method─Optionally, enter the HTTP method used to access the URL. Separate multiple methods with commas.

    • Download URLs Settings - Edit─To edit an existing rule, select the rule, and then click Edit.

    • Download URLs Settings - Remove─ To delete an existing rule, select the rule, and then click Remove.

  • URL Settings – Upload URLs
    Upload rules are used when an application's upload policy is configured to identify uploads by using the Identify by URLs option. Click Configure to create an upload URL rule.

    • Upload URLs Settings - Add

      • Type ─Select the application type from the application list.

      • URL─Enter the URL by using regular expressions.

      • Method─Optionally, enter the HTTP method used to access the URL. Separate multiple methods with commas.

      • Check content for attachments─ Select to specify that the contents of the URL should be checked for attachments. When this check box is selected, only the URLs that contain attachments are considered uploads.

      • Do not check POST data parameters─Select to specify that POST data parameters should not be checked.

      • Check using AND─Select to specify that parameters should be checked, and that the data must contain all of the rule parameters as defined in the parameter list.

      • Check using OR─Select to specify that parameters should be checked, and that the data must contain one or more of the defined parameters. Note that if you configure the rule to check POST data parameters, ensure that you define the parameters in the parameter list.

    • Upload URLs Settings - Edit─To edit an existing rule, select the rule, and then click Edit.

    • Upload URLs Settings - Remove─ To delete an existing rule, select the rule, and then click Remove.

  • URL Settings – Restricted Zone URLs
    Restricted Zone URL rules are used when the Restricted Zone option is enabled for an application. Click Configure to create a Restricted Zone URL rule.

    • Restricted Zone URLs Settings - Add

      • Type ─Select the application type from the application list.

      • URL─Enter the URL by using regular expressions.

      • Method─Optionally, enter the HTTP method used to access the URL. Separate multiple methods with commas.

      • Check content for attachments─ Select to specify that the contents of the URL should be checked for attachments.

      • Do not check POST data parameters─Select to specify that POST data parameters should not be checked.

      • Check using AND─Select to specify that parameters should be checked, and that the data must contain all of the rule parameters as defined in the parameter list.

      • Check using OR─Select to specify that parameters should be checked, and that the data must contain one or more of the defined parameters. Note that if you configure the rule to check POST data parameters, ensure that you define the parameters in the parameter list.

    • Restricted Zone URLs Settings - Edit─To edit an existing rule, select the rule, and then click Edit.

    • Restricted Zone Settings - Remove─ To delete an existing rule, select the rule, and then click Remove.

  • Ignore requests in timeout calculations
    Enable this option to configure a list of URLs that are ignored in the calculation of the Inactive Session Timeout settings, configured on the Sessions tab. To manage the list, click Configure.

    • Ignore requests in timeout calculations - Add

      • URL─Enter the URL by using regular expressions.

      • Method─Optionally, enter the HTTP method used to access the URL. Separate multiple methods with commas.

    • Ignore requests in timeout calculations - Edit─To edit an existing URL, select the URL, and then click Edit.

    • Ignore requests in timeout calculations - Remove─ To delete an existing URL, select the URL, and then click Remove.
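The following is an added example, not part of the original topic or of Forefront UAG's own code: a Python model of the Global Parameters List rules described above (Name and Name type, Value and Value Type, Length, Existence, Occurrences, Maximum Total Length), applied to a query string. Treating 0 as "not checked" for Length and Maximum Total Length is an assumption made for this illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl


@dataclass
class ParamRule:
    name: str
    name_type: str = "String"       # "String" or "Regular expression"; names are not case sensitive
    value_type: str = "String"      # "Integer", "Real" or "String"
    value: str = ".*"               # String: regex; Integer/Real: "1,5,10:20" (comma = list, colon = range)
    length: int = 0                 # max length of one value (0 = not checked, assumed)
    existence: str = "Optional"     # "Mandatory", "Optional" or "Reject"
    occurrences: str = "Once"       # "Once" or "Multiple"
    max_total_length: int = 0       # total length over all occurrences (0 = not checked, assumed)

    def matches_name(self, name: str) -> bool:
        if self.name_type == "Regular expression":
            return re.fullmatch(self.name, name, re.IGNORECASE) is not None
        return name.lower() == self.name.lower()

    def value_ok(self, v: str) -> bool:
        if self.length and len(v) > self.length:
            return False
        if self.value_type == "String":
            return re.fullmatch(self.value, v) is not None
        conv = int if self.value_type == "Integer" else float
        try:
            num = conv(v)
        except ValueError:
            return False
        for part in self.value.split(","):        # e.g. "1:1000" is a range, "9999" a single value
            lo, _, hi = part.partition(":")
            if (hi and conv(lo) <= num <= conv(hi)) or (not hi and num == conv(lo)):
                return True
        return False


def check_query(query: str, rules) -> list:
    """Apply parameter rules to a query string; an empty list means the request is valid."""
    pairs = parse_qsl(query, keep_blank_values=True)
    problems = []
    for rule in rules:
        vals = [v for n, v in pairs if rule.matches_name(n)]
        if rule.existence == "Reject" and vals:
            problems.append(f"{rule.name}: rejected parameter present")
            continue
        if rule.existence == "Mandatory" and not vals:
            problems.append(f"{rule.name}: mandatory parameter missing")
            continue
        if rule.occurrences == "Once" and len(vals) > 1:
            problems.append(f"{rule.name}: appears {len(vals)} times")
        if rule.max_total_length and sum(map(len, vals)) > rule.max_total_length:
            problems.append(f"{rule.name}: total length exceeds {rule.max_total_length}")
        problems += [f"{rule.name}: value {v!r} not allowed" for v in vals if not rule.value_ok(v)]
    return problems
```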

URL Set tab

On the URL Set tab, define URL inspection rules. URLs that are not listed are denied access. Rules are configured and applied per application type. For each primary rule in the URL list, you can define exclusionary rules that define exceptions to the primary rule. Note that when you disable a primary rule, its exclusionary rules are also disabled. After you re-enable the primary rule, the associated exclusionary rules are not automatically enabled; you must manually re-enable each exclusionary rule.