UAG in a Multi-Platform world

I have had queries from a couple of clients of mine regarding the deployment of UAG in a multi-platform environment, not only Windows, but Mac OS X, Linux, mobile devices etc. The demand seems to be for a secure connectivity solution that can handle this sort of bi-modal environment with minimum aggravation to users.

One particular client emphasized a client-less solution to meet their needs, as they are considered early adopters on the OS front and, as we all know, that usually breaks software clients!

UAG seems to have become synonymous with Microsoft DirectAccess. Since UAG is the advanced platform for deploying DirectAccess, that is an understandable misinterpretation, but UAG is much more than a heavy-duty DirectAccess implementation platform.

The Trust Pyramid

As a new generation of users and devices enters the workplace, IT is presented with a set of new challenges: deliver content wherever it is needed to facilitate business, but keep it secure and manageable, also for business reasons. How do we accomplish that when so many of the devices are not managed: personal cell phones, iPads, home computers? Do we simply block access from these devices? That is fast becoming an unavailable option, especially as board-level staff bring their shiny new iPads to the table.

The trust pyramid fits nicely with UAG's remote access technologies, as each of them provides a different level of access and control, while all of them are deployed and managed from a common platform from an IT perspective. The less IT knows about and controls a device, the lower in the pyramid it sits and the narrower the access it is granted:

  • DirectAccess – Domain-joined Windows 7 Enterprise or Ultimate only. Full, always-on network access for the most trusted and managed systems
  • SSL VPN – Multi-platform/browser. Configurable access to applications and services for less managed devices, such as non-domain OS X systems and Linux boxes
  • Web portals – Multi-platform/browser. Restricted, application-specific access for personal devices unknown to the IT department

As part of the pyramid we also take into account what we present, not just how we present it. For instance, a user accessing the network via DirectAccess may have full access to LOB and CRM systems, whereas a user coming in on a personal tablet may be limited to non-restricted file data and email. By providing separate connectivity mechanisms in this manner, UAG helps us meet the IT governance needs of the organization while still letting users work in whatever way is convenient for them.


Aside from DirectAccess, which I'm sure will have numerous posts of its own, SSL VPN connectivity through UAG provides systems other than Windows 7 with seamless access to the services configured to use it, delivered either via an ActiveX control for IE sessions or a Java applet for non-IE sessions. This extends remote access to non-Microsoft devices and to third-party browsers such as Mozilla Firefox and Opera. The SSL VPN gives access to network services that would otherwise require a traditional full VPN configuration (and, usually, the client that goes with it). It operates by creating a secure tunnel between the device and the UAG server and then funnelling any traffic appropriate to the connection over that tunnel. Because the tunnel rides over SSL/HTTPS on port 443, it passes through most firewalls and proxies, so there are very few circumstances where it does not work; the main practical caveat is that the browser must be able to run the ActiveX control or Java applet.

Web Portals

Web portals are the most restricted of the access methods, providing an interface to web applications that are fronted by UAG itself: users actually talk to UAG, and in most cases UAG talks to the back-end servers on their behalf, so no device ever has a network-level path to those servers.

Because the access is so limited, this allows IT to be a little more liberal about which devices may reach the portals, while still giving users the access they want: email, SharePoint, or whatever the corporation deems available.

Portals can be configured and customized to a high degree, even presenting different portals to different sets of users to fine-grain access to the system.

Forefront Unified Access Gateway 2010, what’s that then?

I keep hearing a lot of confusion as to what UAG is, where it fits, and what it does, so here is a brief introduction to what it does and what its capabilities are.
Forefront Unified Access Gateway 2010 is designed as a gateway into your organization, and utilizes a number of other Microsoft components to enable a seamless and integrated experience for both corporate users and third parties.

  • UAG is NOT the same as TMG, nor are the two interchangeable
  • UAG is geared toward securely allowing inbound access from remote users to internal applications
  • TMG is geared toward protecting internal users from external threats

A lot of the confusion arises because UAG installs and uses some TMG components, mainly for array management and firewalling. UAG does not, however, operate as a general-purpose forward or reverse web proxy the way TMG does, nor can it do web filtering or use the active protection components that TMG offers.

The TMG components built into UAG are there to protect the UAG server itself, because it is generally given public IP addresses rather than sitting behind its own firewall: DirectAccess through UAG requires two consecutive public IPv4 addresses on the external interface and does not work behind NAT.

Direct Access

Microsoft DirectAccess bridges enterprise endpoints to the corporate network whenever they are online. This is accomplished seamlessly and securely with a combination of IPv6, PKI and IPsec. Users can reach resources on the corporate infrastructure safely from anywhere they can get online, and internal support staff can reach roaming systems without requiring special support sessions, special software, or having the user bring the system into an office.

DirectAccess is a technology built into Windows Server 2008 R2 and can operate without UAG. There are, however, significant benefits to deploying DirectAccess through UAG, including DNS64 and NAT64, both of which are required for seamless access to IPv4-only corporate resources (not just IPv6-ready applications): DNS64 hands the IPv6-only client a synthesized AAAA answer for a name that only has an A record, and NAT64 translates the client's IPv6 traffic to that synthesized address into IPv4 traffic to the real server.
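To make the DNS64/NAT64 cooperation concrete, here is an added worked example (my own illustration, not UAG's code) of the address synthesis the two components rely on. It uses the RFC 6052 embedding with the well-known 64:ff9b::/96 prefix; a real UAG deployment uses the NAT64 prefix assigned in its DirectAccess wizard instead, and the hostnames and addresses in the constructed zone are placeholders.

```python
"""DNS64/NAT64 address synthesis for an IPv6-only DirectAccess client.

Added example, not UAG's implementation. Follows RFC 6052 (IPv4 embedded
in the low 32 bits of a /96 prefix) and the RFC 6147 DNS64 rule: real
AAAA records win, synthesis only happens for names that have A but no AAAA.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumption: the well-known NAT64 prefix. UAG uses the prefix chosen in
# its DirectAccess wizard; only the value changes, the embedding does not.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """Reverse mapping done by NAT64: recover the IPv4 destination, or None
    if the address is native IPv6 and needs no translation."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


# Constructed stand-in for the corporate DNS zone: name -> (A records, AAAA records).
# An empty AAAA list marks an IPv4-only server, the case UAG's DNS64 exists for.
CORP_DNS: Dict[str, Tuple[List[str], List[str]]] = {
    "crm.corp.example": (["10.20.30.40"], []),                   # IPv4-only LOB server
    "mail.corp.example": (["10.20.30.50"], ["fd00:20:30::50"]),  # dual-stack server
}


def dns64_resolve(name: str,
                  zone: Dict[str, Tuple[List[str], List[str]]] = CORP_DNS,
                  prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> List[str]:
    """Answer a DirectAccess client's AAAA query the way a DNS64 resolver does."""
    a_records, aaaa_records = zone.get(name, ([], []))
    if aaaa_records:
        return list(aaaa_records)          # genuine IPv6 reachability: no synthesis
    return [synthesize_aaaa(a, prefix) for a in a_records]


def route_to_backend(dst_ipv6: str,
                     prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Tuple[str, str]:
    """What the NAT64 component does with a client packet for dst_ipv6."""
    v4 = extract_ipv4(dst_ipv6, prefix)
    if v4 is None:
        return ("ipv6-direct", dst_ipv6)   # native IPv6 target, forwarded untouched
    return ("nat64-translate", v4)         # rewritten into an IPv4 session to v4


if __name__ == "__main__":
    for host in CORP_DNS:
        for answer in dns64_resolve(host):
            print(host, "->", answer, route_to_backend(answer))
```

The point the example makes is that nothing on the IPv4-only server changes: the client believes it is talking IPv6 to a synthesized address inside the NAT64 prefix, and UAG undoes the embedding and opens the IPv4 connection. Dual-stack hosts are never rewritten, which is why a stray AAAA record on an internal server can silently bypass the translation path.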

Remote Access

UAG provides a user web portal to access applications, services and network resources, and it integrates with an RDS Gateway component if you choose to install one. The portal serves numerous device types and can detect the type of device and the type of experience to deliver. Portals can be customized to fit the client's needs, displaying client assets and specifics on a case-by-case basis.

UAG is also capable of VPN termination, either via integration with RRAS for PPTP and SSTP tunnels, or via its native SSL VPN capabilities.

While TMG can also terminate VPNs, it does not have the SSL VPN capabilities that UAG has; this is another plus point for UAG.

Server Publishing

UAG is Microsoft's recommendation for publishing Microsoft server resources. This is a shift from the IAG 2007 days, when Microsoft still pushed ISA Server 2006 as its best-practice method for securing the Exchange and SharePoint web interfaces. If you wish to make services such as Outlook Web Access, Outlook Anywhere, ActiveSync and SharePoint sites available to your users over the internet, UAG is the technology to deploy to secure and manage access to those resources.

TMG can still handle this, but many of the upgrades and features added to UAG 2010 have not been included in TMG's publishing capabilities, so when publishing SharePoint, Exchange, or even RDS Web Access, UAG is the way to go. General reverse-proxy requirements are still handled by TMG 2010, and that includes OCS and Lync.


UAG has both server and client CAL requirements, unlike TMG, which is licensed per server (unless you want the filtering and protection suites). However, the Enterprise CAL suite (ECAL) includes the UAG CAL. This is good to know for ECAL customers: the majority of the cost is already paid for, so you can start benefiting from the technology straight away through a pilot or an implementation engagement.