Your network contains an internal network and a perimeter network. The internal network contains an Active Directory forest named contoso.com. The forest
contains a Microsoft Exchange Server 2010 organization. All of the domain controllers in contoso.com run Windows Server 2012.
The perimeter network contains an Active Directory forest named litware.com.
You deploy Microsoft Forefront Unified Access Gateway (UAG) to litware.com. All of the domain controllers in litware.com run Windows Server 2012.
Some users connect from outside the network to use Outlook Web App.
You need to ensure that external users can authenticate by using client certificates.
What should you do?
More than one answer choice may achieve the goal. Select the BEST answer.
A.
To the perimeter network, add an Exchange server that has the Client Access server role installed.
B.
Deploy UAG to contoso.com.
C.
Enable Kerberos delegation in litware.com.
D.
Enable Kerberos constrained delegation in litware.com.
Explanation:
Forefront TMG provides support for Kerberos constrained delegation (often abbreviated as KCD) to enable published Web servers to authenticate users by
Kerberos afterForefront TMG verifies their identity by using a non-Kerberos authentication method. When used in this way, Kerberos constrained delegation
eliminates the need for requiring users to provide credentials twice.
About Kerberos constrained delegation
I think the answer should be “B” . UAG can use certificate to provide authentication.
https://technet.microsoft.com/en-us/library/ee690443.aspx
https://blogs.technet.microsoft.com/edgeaccessblog/2013/04/25/how-to-configure-client-certificate-authentication-in-uag-2010/