Skip to main content

UAG endpoint detection and access policies

Endpoint detection and access policies are among the most important security features of the Unified Access Gateway (UAG). Naturally, the ability to evaluate the health of endpoint devices and to enforce certain requirements goes a long way towards enhancing overall security profile of any remote access solution and can play an essential role in implementing organization’s security in-depth strategy. UAG endpoint detection and access policies allow for an extremely detailed level of control. The policies can be applied at three different levels:

  • Trunk – policies applied at this level will be enforced before a user logs on, and if the computer does not meet them, the user will not even reach the log-on page.
  • Portal – policies applied at this level may prevent a user from accessing the portal application after the log-on.
  • Application – policies applied at this level may block access to some or all published applications.

When the user tries to access the UAG portal client components are initialized and perform a system scan. Data collected (about 300 parameters) is sent back to the UAG server, which evaluates it against endpoint policies set for the trunk, portal, and applications, to determine the appropriate level of access.
It is important to note that client components are required for the endpoint detection to work. Also, for security purposes the client detection components will not trust just any website that tries to launch them – unless user has selected to trust the site, the components will not run.
Enforcing 'Any Antivirus' and 'Any Personal Firewall' settings:
The following seem to be a popular initial configuration - to create a custom policy that will enforce the requirements for anti-virus and personal firewall software on the endpoint devices and to apply it at the trunk level. So, I will use it as to showcase the creation of a custom policy:
  • Select the trunk you will be applying custom policy to, navigate to “Endpoint  Access Settings” tab, and click on “Edit Endpoint Policies”:

  • Click on “Add Policy”:

  • Create new policy that defines “Any Antivirus” and “Any Personal Firewall” requirements:
 
  • Apply newly created policy instead of “Default Session Access” one to the trunk:
 
  • Make sure to click on “Activate configuration” for changes to take effect: 
 
  • Test new configuration – first, by trying to connect to the trunk from the device running anti-virus and personal firewall software (upon endpoint detection and evaluation you should get a standard log-on screen); then, by turning your personal firewall off and trying again (you should get a message notifying you that your device does not meet security policy requirements).

Comments

Popular posts from this blog

Mail-enabled security groups in Office 365

Another update (11/19/2013):  further evolution of Office 365 services makes creation of distribution and security groups even easier, plus there's now an option of creating a dynamic distribution group (click here for more information):    Update (08/06/2012): a clear sign of Office 365 evolving along the same lines as other agile cloud services - small incremental features and minor new functionality are being delivered almost continuously and, unlike important major service updates,  without much fanfare. For example, there's no need to resort to using PowerShell to setup mail-enabled security groups anymore, it can now be done at creation using management portal:       Those managing Office 365 ( O365 ) tenant via the Microsoft Online Services Portal  ( MOS Portal ) interface would notice that there are two distinct group entities: Security Groups: can be created via MOS Portal (main portal page>Management>Security Groups) and used for assigning

Skype for Business and VTC Interoperability

Skype for Business (SfB) has a very, very strong potential, I have written about it in my previous post . I can't think of any other platform that shows as much promise in terms of bridging personal and business communications as well as unifying different modes and mediums. And all of this may have started with a strategic acquisition of Skype by Microsoft in 2011. That said, the road ahead is not without challenges. For example, interoperability with other platforms. Making SfB work with existing Video TeleConferencing (VTC) systems, many of which represent significant capital investments in organizations' infrastructure, could be of a particular importance. After reading statements like Skype for Business is based on Session Initiation Protocol (SIP) standards and supports H.264 (MPEG-4 video coding standard) one can come to a quick conclusion that integration and/or interoperability with other VTC solutions is easy or nearly automatic. Unfortunately, the industry is not

Drumbeat - Sales and Technical Resources for Office 365

​ Drumbeat - provides information as well as technical and sales resources for Office 365. From partnering with Microsoft, to building up your sales and technical readiness, to adopting proven methodologies for successful deployment - you will find lots of good information and many helpful links there. Here's a quick sample of topics covered: The Customer Decision Framework is Microsoft's selling methodology designed to help partners sell Office 365 to their customers. Office 365 FastTrack is Microsoft's new, 3-step pilot and deployment methodology designed so customers experience service value early in the sales cycle with a smooth path to advance from a pilot to deployment.