Forefront Unified Access Gateway 2010 review

Portal customisation conundrums

One of the main functions of an SSL VPN is to export web-based applications, so the inevitable itch to tinker and fiddle with how the web page looks strikes frequently. UAG doesn't make it particularly easy to customize the look-and-feel of the web pages. Full control is there — as long as you feel comfortable diving into the middle of XML files, ASP.NET pages, and writing your own Javascript and Visual Basic.

A few customisations are easy to do. For example, having inaccessible applications (for example, because you're not allowed to run them) not show up on the portal is an important security consideration. UAG also has the concept of multiple types of devices: personal computers, handheld devices and mobile devices. You can block some applications from showing up on devices that can't support them.

On the other hand, some customisations that every other SSL VPN makes trivial are painfully difficult. Let's say you want to put your logo on the home page, and change the copyright notice. You can do it, but you have to navigate a 17MB website with 325 files and 35 directories to find the files that you need to update. UAG also does not support any user customisation of their own portal, such as maintaining a set of personal bookmarks.

Another piece of portal functionality we tested was the single sign-on capability. UAG makes it easy to provide single sign-on for applications that link to your Active Directory, simplifying the process for end users and probably increasing security along the way.

Other parts of single sign-on, though, such as saving website specific credentials or using a static password for a website are not supported well, if at all. This type of authentication simplification is important when UAG is used as a portal to internal websites that aren't connected to Active Directory, or when you're using UAG as a reverse proxy portal to gain access to external websites. It's not a hard feature to implement — most other SSL VPNs do it just fine — but UAG doesn't have it.

In our testing, links to websites — especially Microsoft web applications such as SharePoint and Exchange — that used cached credentials in Active Directory authenticated fine without requiring the user to re-login. We had varying success with non-Active Directory websites, depending on how the website requested login credentials.