Product Review - Portsys Unified Access Gateway
Product: Portsys Unified Access Gateway
Network security has always been important, but today it has been increasingly more important and more difficult to prevent unauthorized network access. The proliferation of mobile devices and the consumerization of IT has led to users expecting to be able to access network resources from virtually any device from anywhere in the world. Needless to say, maintaining security while providing such an unprecedented level of access is a tall order for any IT professional.
Portsys has sought to address this issue through their Unified Access Gateway appliance (http://www.portsys.com/index.php/products/uag/technical-specs). This appliance is essentially an HP server with Microsoft’s Forefront Unified Access Gateway, Forefront Threat Management Gateway, and some proprietary Portsys software preinstalled.
In case you are not familiar with these products, Forefront Threat Management Gateway (often referred to as Forefront TMG) is a security application that is designed to protect users from online threats such as malware or malicious Web pages.
Forefront Unified Access Gateway (or Forefront UAG) is designed to provide remote access to resources on the corporate network. Forefront UAG allows administrators to create policies that limit access to resources based on things like the user’s identity, device type, and device health. For example, some organizations will allow users to access sensitive resources from a company provided laptop that has proven itself to be healthy, but not from a user’s own personal computer.
Unlike most of the products that I review for Windows Networking, the Portsys Unified Access Gateway is built into a physical hardware appliance. For the purpose of this review, I was provided with the HS-UAG7000 appliance, which supports up to 7,000 concurrent users.
The appliance consists of an HP ProLiant 1U rack mount server with 12 GB of RAM (Portsys is a global OEM for HP). This server features an Intel Xeon quad core CPU running at 2.26 GHz and four gigabit Ethernet ports.
The server runs a hardened instance of Windows Server 2008 R2 and comes with the following software preinstalled:
- Microsoft Forefront UAG
- Microsoft Forefront TMG Server 2010
- Paragon Drive Backup 10 Server Edition
The Deployment Process
Setting up the appliance proved to be an easy process. I was provided with a 20-page Quick Deployment Guide that walked me through the initial deployment process. I found this setup guide to be very well written; it provided screen captures for each step that I had to perform.
Performing the initial setup consisted of plugging in the appliance, connecting the network ports, and working through a setup wizard.
Providing the appliance with network connectivity is a breeze. The appliance has four gigabit Ethernet ports, and at a minimum you must connect one port to an internal network segment and another port to an external segment. Conveniently, I didn’t have to worry about which adapter I connected to which network segment. When I ran the setup wizard, it automatically detected which network adapters were connected, and I was able to specify which port should be treated as the external connection and which as the internal connection. I was also able to assign IP addresses directly through the setup wizard.
All in all, the initial configuration proved to be simple and intuitive. It took me about half an hour to unbox, connect, and configure the appliance. To say that the process was painless would be an understatement.
Making a Case for the Appliance
As I stated earlier in this review, the Portsys Unified Access Gateway appliance is an HP ProLiant server with Microsoft’s Forefront Unified Access Gateway and Forefront Threat Management Gateway preloaded. That being the case, it is reasonable to ask whether there are benefits to purchasing the Portsys appliance rather than purchasing a server and manually installing Forefront Threat Management Gateway and Forefront Unified Access Gateway.
In my opinion, there are two main factors that would justify the purchase of this appliance. The most important of these factors is the proprietary software that Portsys has installed. I will discuss that software a little bit later on.
The other big justification for the purchase of the Portsys appliance (as opposed to buying a server and setting it up yourself) is security. An Internet gateway such as the Portsys appliance resides in the network’s DMZ. Although most organizations place a firewall in front of the DMZ, the Internet gateway can still be considered to reside in the most hostile environment imaginable. Because the Unified Access Gateway sits at the network perimeter, it becomes the first line of defense against Internet-based attacks. Fortunately, Portsys has hardened the appliance to make it resistant to attack.
One of the things that Portsys has done to help make the appliance secure is to place the Best Practices Analyzer for both Forefront Threat Management Gateway and Forefront Unified Access Gateway directly on the Start menu so that they are easily accessible.
Out of curiosity I ran some best practices scans against the system. Obviously both Forefront products have to be configured in a way that meets your organization’s needs. However, the scans confirmed that Portsys had done some preliminary configuration work to secure the appliance. For example, a best practices scan of Forefront TMG revealed policy rules blocking TCP uploads and rules that enforce strict RPC compliance, among other things.
One aspect of the appliance’s configuration that surprised me was that the appliance was not set up to receive automatic updates. This was true both for the Windows operating system and for the Forefront products. While I would have liked to have seen automatic updates enabled by default, I can’t fault Portsys for not enabling automatic updates because there are some perfectly valid reasons why organizations might sometimes be better off updating the appliance manually.
I also took the time to check out the appliance’s local security policy. Many of the policy settings were pre-configured. However, I was surprised that Portsys did not enable any audit policy settings or account lockout policy settings.
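To reproduce the checks described above (whether automatic updates are enabled, and whether the local security policy carries any audit or account lockout settings) on the appliance’s Windows Server 2008 R2 host, the following PowerShell script is an added example; it is not part of the review and not Portsys tooling. It assumes an elevated PowerShell prompt on the appliance and relies only on components that ship with Windows Server 2008 R2: the Windows Update Agent COM object, auditpol.exe, and net.exe.

```powershell
# Added example: baseline check for the three configuration gaps noted in the review.
# Assumes an elevated prompt on the Windows Server 2008 R2 host (PowerShell 2.0 compatible).

function Get-AutoUpdateStatus {
    # Microsoft.Update.AutoUpdate is the Windows Update Agent COM object.
    # NotificationLevel: 1 = disabled, 2 = notify, 3 = download only, 4 = scheduled install.
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $level = $au.Settings.NotificationLevel
    $label = switch ($level) {
        1       { 'Disabled' }
        2       { 'Notify before download' }
        3       { 'Download, notify before install' }
        4       { 'Scheduled automatic install' }
        default { 'Not configured' }
    }
    New-Object PSObject -Property @{ Check = 'Automatic updates'; Value = $label; Pass = ($level -eq 4) }
}

function Get-AccountLockoutStatus {
    # 'net accounts' prints the effective local policy; the threshold reads 'Never' when unset.
    $threshold = 'unknown'
    foreach ($line in (net accounts)) {
        if ($line -match '^Lockout threshold:\s+(.+)$') { $threshold = $Matches[1].Trim() }
    }
    New-Object PSObject -Property @{
        Check = 'Account lockout threshold'
        Value = $threshold
        Pass  = ($threshold -ne 'Never' -and $threshold -ne 'unknown')
    }
}

function Get-AuditPolicyStatus {
    # auditpol /r emits CSV; 'Inclusion Setting' is 'No Auditing' for every subcategory that is off.
    $rows    = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
    $enabled = @($rows | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' })
    New-Object PSObject -Property @{
        Check = 'Audit subcategories enabled'
        Value = "$($enabled.Count) of $(@($rows).Count)"
        Pass  = ($enabled.Count -gt 0)
    }
}

function Invoke-ApplianceBaselineCheck {
    Get-AutoUpdateStatus
    Get-AccountLockoutStatus
    Get-AuditPolicyStatus
}

Invoke-ApplianceBaselineCheck | Format-Table Check, Value, Pass -AutoSize
```

The Pass column only flags deviation from the defaults the review expected; as the review notes, an organization that deliberately updates the appliance manually can treat a failing automatic-updates row as accepted.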
Another thing that Portsys has done is to include Paragon Drive Backup 10 Server Edition directly on the appliance. The reason why this is so beneficial is simple. If the appliance were to be compromised as the result of an attack then repairing the damage manually isn’t an option because you can never be 100% sure that you have fixed everything. However, if you make a backup of the appliance’s configuration before an attack happens then the backup gives you an easy way of reverting the appliance to a pristine state should the need arise.
I realize that it’s a small thing, but another thing that made me very happy was that Portsys included a folder on the desktop called Appliance Documents. This folder contained 23 different PDF files, documenting various appliance features. The icing on the cake was the fact that Portsys had pre-installed Adobe Acrobat Reader so that it was actually possible to open and read the documentation.
Probably the best justification for purchasing the Portsys Unified Access Gateway is that Portsys has created a number of different built-in applications that are designed to augment Microsoft UAG. These applications are all exposed through a utility called Field Commander, which also manages the licensing for the various Portsys applications. Incidentally, the Portsys appliance itself is not a requirement for these applications: they can be purchased separately and run on any UAG server.
One Portsys application that organizations are sure to find helpful is the Application Connector. The Application Connector is designed to make it easy for organizations to publish applications through the UAG. Normally publishing an application is no small feat. At the very least, the organization typically needs a skilled developer with a commanding knowledge of XML. The Application Connector takes most of the work out of publishing applications. It allows administrators to enter a few key pieces of information (such as the application’s name, an IP address, and an authentication server) and then click a button to publish the application. Application Connector does all the heavy lifting behind the scenes so that the administrator doesn’t have to.
The Portsys appliance also includes an application accelerator called Ballista. Ballista works by sitting between the UAG and the client. It compresses the traffic flowing between the client and the gateway, but it also caches application content. This caching helps to minimize the number of requests that clients have to make of Web applications such as SharePoint. This improves the overall end user experience, but it also allows the application server to handle a greater number of clients than it would otherwise be able to.
Portal Branding is a feature that lets organizations customize the appearance of the UAG portal. For example, organizations can add a corporate logo, a custom color set, etc. Portsys has taken special care to design the Portal Branding feature in a way that won’t cause things to break if you later have to apply a service pack to UAG. Furthermore, it is possible to apply your branding to all of your UAG portals at once, which helps to provide a consistent end user experience.
The Safe Room feature can be thought of as a sterile environment in which a user session can be quarantined. The safe room is a virtualized environment with its own registry. The user’s session can be forced into this sterile environment until the user’s device has proven itself to be healthy. If the user tries to leave the safe room environment their session is terminated and they are returned to their local desktop.
Within the sterile environment, Internet Explorer is locked down to the point that add-ins, tracking cookies, and ActiveX controls (except those needed by UAG) are disabled. The user can’t even use drag and drop or print from Internet Explorer.
One of the big challenges in any organization is password management. Long, complex passwords can be difficult for users to remember, especially when passwords are frequently changed. On the flip side however, passwords are a relatively easy security mechanism to beat since doing so merely requires stealing a block of text.
SafeLogin attempts to address these issues by using picture passwords. Unlike the picture passwords in Windows 8, which require a user to make gestures on a touch screen, SafeLogin displays a series of picture tiles which must be clicked in the correct order.
SafeLogin seems to work really well. It eliminates the need to remember complex passwords, and the interface is completely intuitive.
Cloud Control and Connect
Another major challenge that administrators are facing today is that an increasing number of applications are running in the cloud. The problem with this is that each cloud application has a separate set of security credentials, thus requiring users to remember a mind boggling number of frequently changing passwords.
Cloud Control and Connect seeks to resolve this problem by providing single sign-on capabilities for cloud applications. More importantly, Cloud Control and Connect can be combined with the TAC gateway to provide multi-factor authentication, which is something that is usually missing from cloud applications.
Secure Mobile Enterprise
Perhaps the most beneficial of the Portsys applications is Secure Mobile Enterprise. Secure Mobile Enterprise is designed to make BYOD more practical. It works by using a special app to provide the device with access to the portal. The app is currently available for iOS and Android, but will soon be available for Windows Phone 8 as well.
The app works by discovering the device’s hardware, operating system, etc. Once the device connects to the portal, the app provides the portal with information about the device’s hardware and software configuration. This information is compared against administrative policies that determine whether or not the device should be given access. For example, some organizations use this mechanism to prevent jailbroken iPhones from connecting to the portal.
It has become customary when I write a review for this site to rate the product on a scale from one to five, with five being the highest possible rating. In the case of Portsys Unified Access Gateway there were a lot of things to consider. The first consideration was the hardware. Portsys used an HP server rather than going with a generic open source appliance as so many vendors do, so I give them full marks for hardware quality.
I tend to review a lot of software products, and it is usually easy to come up with a score based on how good a particular product is. In the case of the Portsys Unified Access Gateway however, there are a lot of different software products to consider. The appliance runs a Windows Server operating system, Microsoft’s Forefront Unified Access Gateway and Forefront Threat Management Gateway, HP Insight management software, Adobe Acrobat Reader, a whole slew of proprietary Portsys software, and even a backup application. Needless to say, it is difficult to come up with a score for all of the hardware and software as a whole.
All things considered, I give the Portsys Unified Access Gateway a score of 4.6 out of 5 possible points, which earns the appliance an ISAserver.org Gold Award.
ISAserver.org Rating: 4.6/5