Forefront Unified Access Gateway 2010 review
By Joel Snyder | Network World US | Published: 12:10, 08 March 2010
Portal customisation conundrums
A few customisations are easy to do. For example, having inaccessible applications (for example, because you're not allowed to run them) not show up on the portal is an important security consideration. UAG also has the concept of multiple types of devices: personal computers, handheld devices and mobile devices. You can block some applications from showing up on devices that can't support them.
On the other hand, some customisations that every other SSL VPN makes trivial are painfully difficult. Let's say you want to put your logo on the home page, and change the copyright notice. You can do it, but you have to navigate a 17MB website with 325 files and 35 directories to find the files that you need to update. UAG also does not support any user customisation of their own portal, such as maintaining a set of personal bookmarks.
Another piece of portal functionality we tested was the single sign-on capability. UAG makes it easy to provide single sign-on for applications that link to your Active Directory, simplifying the process for end users and probably increasing security along the way.
Other parts of single sign-on, though, such as saving website specific credentials or using a static password for a website are not supported well, if at all. This type of authentication simplification is important when UAG is used as a portal to internal websites that aren't connected to Active Directory, or when you're using UAG as a reverse proxy portal to gain access to external websites. It's not a hard feature to implement — most other SSL VPNs do it just fine — but UAG doesn't have it.
In our testing, links to websites — especially Microsoft web applications such as SharePoint and Exchange — that used cached credentials in Active Directory authenticated fine without requiring the user to re-login. We had varying success with non-Active Directory websites, depending on how the website requested login credentials.