Forefront Unified Access Gateway 2010, what’s that then?

I keep hearing a lot of confusion as to what UAG is, where it fits, and what it does, so here is a brief introduction to what it does, and what it’s capabilities are.
Forefront Unified Access Gateway 2010 is designed as a gateway into your organization, and utilizes a number of other Microsoft components to enable a seamless and integrated experience for both corporate users, and 3rd parties

  • UAG is NOT the same as TMG, nor are the two interchangeable
  • UAG is geared toward securely allowing inbound access
  • TMG is geared toward protecting internal users from external threats

A lot of confusion arises because UAG installs some TMG components and utilizes them, mainly for array management and firewalling, it cannot however operate as a forward or reverse proxy, nor can it do web filtering or use the active protection components that TMG does

The TMG components built into UAG are there to protect the TMG server, as it is generally afforded a global external address and does not sit behind its own firewall due to the NAT restrictions if you wish to utilize DirectAccess

Direct Access

Microsoft DirectAccess technology allows you to bridge the connections of enterprise endpoints to the corporate network whenever they are online, this is accomplished seamlessly and securely with a combination of IPv6, PKI and IPSEC technologies.  This allows users to access resources on the corporate infrastructure safely from anywhere they can get online, as well as providing internal support staff access to roaming systems without requiring them to join special support sessions, install special software, or have the user bring the system into an office

DirectAccess is a technology built into Windows 2008 R2, and can operate without UAG, however there are significant benefits to deploying direct access through a UAG system, including DNS64 and NAT64, both of which are required to allow seamless network access to IPv4 only corporate resources (not just IPv6 ready apps)

Remote Access

UAG provides a user web portal to access applications, services and network resources, as well as integrating with an RDS gateway component if you chose to install that, this portal provides access to numerous devices and can detect the type of device, and the type of experience to deliver.  These portals can be customized to fit the clients needs, to display client assets and specifics on a case by case basis

UAG is also capable of VPN termination, this can be via integration with RRAS for PPTN and SSTP tunnels, or via native UAG SSL VPN capabilities

While TMG can also do VPNs, it is not afforded the same SSL VPN capabilities that UAG has, this is another UAG plus point

Server Publishing

UAG is the Microsoft recommendation for publishing Microsoft server resources, this is a shift from IAG2007 when MS still pushed ISA2006 as it’s best practice method for securing Exchange and SharePoint web interfaces.  If you wish to make services such as outlook web access, outlook anywhere, active sync and SharePoint sites available to your users over the internet, this is the technology to deploy to secure and manage access to those resources.

TMG can still handle this, but many of the upgrades and features that have been added to UAG2010 have not been included in TMGs publishing capabilities, so when publishing SharePoint, Exchange, or even RDS Web Access, UAG is the way to go (reverse proxy requirements are still handled by TMG 2010, this includes OCS and Lync requirements)


UAG has client and server CAL requirements, unlike TMG which is licensed as a server (unless you want all the filtering and protection suites), however ECALS have UAG CALs included, this is good to know for ECAL customers as the majority of the cost is already paid for and you can start benefiting from the technology straight away through a pilot, or implementation engagement

Light Peak is dead.. Long live Thunderbolt

Intel has finally realized a commercial package for it’s light peak initiative, in the form of Thunderbolt.  Apple were the first to bring this to bear in the new MacBook Pro lineup announced last week, however Intel have been quick to claim that this will not be an Apple exclusive technology and will be available to other partners and OEMS.

Despite the name, and initial plans, Thunderbolt is currently based on an electrical medium, not an optical one, which shuns away from the initial concept of an optical interconnect for high demand peripherals and buses, but Intel have committed to continuing work on an optical option in the future, stating that results from testing on the electrical side were far better than expected, and keep both costs and complexity down for this initial offering.

Change of plans?
Light Peak was destined to be a transport medium, not a protocol itself, it wasn’t set to replace USB or FireWire, but the physical mediums used to connect these devices.  The consensus initially was that USB may well be the protocol of choice, but Intel have opted for a combination of Display port and PCI Express thus far.

This diagram from Intel shows a simplified version of how the technology works


As you can see, the Thunderbolt controllers at both ends (say, a monitor and a MacBook Pro) combine the signals from the two sources to cross a single cable, this allows the single mini display port on a MacBook Pro to provide the video signal to the monitor, as well as other peripheral connectivity.  Like USB, the ability to daisy chain these connections is built in, for example, allowing a monitor to have Thunderbolt ports for other connections back to the MacBook Pro

Utilizing PCIe in this manner provides some interesting possibilities, by extending the bus to remote devices there is potential to connect numerous other controllers directly to the PCIe bus on the remote device, and connect seamlessly to the host system via the single Thunderbolt cable.  For instance, rather than just finding USB ports on a monitor, a manufacturer could build an entire controller into the monitor for USB, FireWire, eSATA and have those controllers connect to the PCIe bus of the host system via Thunderbolt.  This opens up some interesting possibilities in deployment options for vendors, as well as streamlining the way we connect peripherals to the host system (I for one have very few spare ports on the back of my systems at present, a way to streamline more effectively than multiple USB hubs is always appreciated!

The downside to this is obviously the extension of the PCIe bus outside of the host system, which has already caused some parties to claim security concerns, although this is no different than with existing bus extension technologies that operate at such low hardware layers, such as Express Card and FireWire.

Lots of bits, not a lot of cable
The most staggering achievement of the new technology is the bandwidth it brings to consumer devices, each Thunderbolt port provides two full duplex, bi-directional 10Gbps channels totaling 40Gbps, although only adds display port 1.1a support on top of this, rather than the newer 1.2 standard, even so, this amounts to a combined total of almost 60Gbps of bandwidth, from that single port!

The potential for this technology is quite astounding, and with bandwidth like that there are a myriad of new ways of approaching connectivity that could be imagined, however the standard at present is an Intel only offering, requiring the purchase of controllers from Intel, this itself could hinder the protocols adoption by third parties, especially ones loyal to competitors such as AMD, which would ultimately undermine the growth of the standard.

Look out for compatible devices from Promise and Lacie already announced, as well as other vendors in the near future