
Forefront Unified Access Gateway 2010 review


Forefront UAG, formerly known as Intelligent Application Gateway (IAG), is part of Microsoft's Forefront line of security tools. Forefront UAG distinguishes itself from most other SSL VPN products in three ways. First, it is a software only solution licensed on a per-user basis. Although the underlying Windows and UAG server licences aren't inexpensive and UAG won't share a server with other applications, being software-only makes it an affordable solution when licensing 250 or more simultaneous users, especially in organisations that have volume licence agreements for Windows server.

Second, UAG provides some application layer firewalling capability. Most other SSL VPNs provide only minimal application-layer inspection of content, focusing on correctly rewriting URLs rather than blocking potentially hazardous URLs. UAG goes beyond this by providing some URL syntax checking, which can protect against some types of attacks, such as SQL injection.

Third, UAG includes Microsoft's new DirectAccess technology, an IPv6-based feature that can simplify end-to-end VPNs by reducing the need for VPN gateways and easing the deployment of remote access VPNs across a Windows domain.

Included in Forefront UAG are large chunks of Forefront Threat Management Gateway (TMG), the recently renamed Microsoft ISA firewall product. However, TMG's main purpose in UAG is protection of the UAG server, and Microsoft places strict limits on what is and is not permitted with TMG.

In other words, if you were hoping for a full pure Microsoft firewall and SSL VPN solution in a single system, this isn't it. Forefront UAG also requires Windows 2008 Server R2 (a 64-bit only version of Windows).

Authorisation angst

SSL VPNs start by authenticating the user, so we tested that first. Most deployments will probably use the built-in Active Directory links, which is a good thing, because we had a difficult time making any of the alternative authentication options work.

Officially, UAG offers a wide variety of other authentication sources, including RADIUS, several LDAP directories and more obscure methods. We tested the ones we thought would be most useful, including Active Directory, LDAP, RADIUS and SecurID.

The good news is that we were able to make authentication work with all sources, with only minor restrictions. LDAP authentication, always one of the biggest bugaboos, is helped in UAG by the creation of templates for some common LDAP servers. However, if you have chosen to make any adjustments to the schema of those servers, you won't be able to use them with UAG. Since our server looked mostly like a standard Netscape LDAP server (one of the choices), we were able to authenticate successfully.

Where we ran into problems was in the authorisation side of the house. In SSL VPNs, authorisation is a critical feature that lets you build security policy differently for different groups of users. Most SSL VPNs, UAG included, use the concept of "groups" to provide access control.

We wanted to see how well we could get group information out of our authentication servers to the UAG. We found that UAG wouldn't work properly with any of the servers we tried, for different reasons each time.

With LDAP, since our server didn't match exactly the schema that UAG had built-in, our group hierarchy wasn't available, and UAG couldn't see it. With RADIUS, UAG's option to customise the extraction of group information was grayed out and, more importantly, we couldn't add these groups to our access control lists. With SecurID, we wanted to get group information out of Active Directory — a common approach for most enterprises using SecurID — but couldn't make that work either, even with a Microsoft guru on site to help.

If your plans for UAG are exclusively built around a fairly standard Active Directory, and if you don't plan on using external sources for authorisation (for example, if all authenticated users get the same services), then UAG's authentication features will be quick and easy to use. However, if you want to integrate your SSL VPN across other directory services besides Active Directory, UAG may not work well for you.
