Last month I wrote an article outlining some of the important considerations for migrating from Microsoft ISA server to Forefront Threat Management Gateway (TMG) 2010. As a follow up, this month I’d like to share with you some compelling reasons to upgrade from the Microsoft Intelligent Application Gateway (IAG) 2007 to the Unified Access Gateway (UAG) 2010. In early 2006, Microsoft acquired Whale Communications, a leader in the SSL VPN space and in February of 2007 released IAG. As with ISA server, IAG is fast approaching the end of mainstream support and organizations who have deployed it are now considering an upgrade to UAG. Many organizations who have deployed ISA server as a reverse proxy to provide secure remote access to Intranet applications are now considering a migration to UAG to take advantage of the advanced capabilities and granular access control provided by UAG.
UAG is Native 64-Bit
Like its cousin, TMG, UAG is now a native 64-bit application that runs on the latest 64-bit operating system from Microsoft – Windows Server 2008 R2. However, unlike TMG, UAG does not run on any earlier versions of Windows. With 64-bit support, UAG can now address much more memory than IAG was capable of. Removing the 4GB memory limit imposed by 32-bit operating systems means that UAG can be scaled up more effectively, and can handle much more traffic than its predecessors.
Now included in UAG is the ability to create high availability clusters. This is a substantial improvement over IAG, which had no native high availability or centralized management support. With IAG, providing redundancy required the implementation of an external load balancer, which added complexity and expense to the solution. With UAG the administrator can configure a clustered array of UAG servers and manage them as a single logical device. A virtual IP address can be assigned to the cluster to provide load balancing and the cluster can be managed from a single management console. External load balancers can certainly be used, but they are no longer a requirement.
Improved Application Support
With the latest updates installed, UAG now provides full support for publishing Exchange 2010 and SharePoint 2010. Built-in deployment wizards now walk you through gathering all of the necessary information required to successfully make your on-premises Exchange and SharePoint farms available securely to remote users. In addition, UAG now provides full support for Lync web services publishing, Dynamics CRM 2011 publishing, and full support for SharePoint 2010 with Office Web Apps.
Web Farm Load Balancing
UAG now supports Web Farm Load Balancing for published web applications. When publishing an Exchange CAS farm, a farm of SharePoint front end servers or any web application that leverages stateless web front ends, UAG can now provide load balancing for these resources natively. UAG performs health checks on published servers and if a resource is unavailable for any reason, UAG will no longer forward requests to that node until it is online and healthy again. Enabling NLB or implementing an external load balancer to provide high availability is no longer required.
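To make the health-check behaviour described above concrete, here is an added example (not code from the article or from UAG itself) of the selection logic a web farm load balancer applies: requests rotate across farm members, a member that fails its probe a configurable number of times in a row is taken out of rotation, and it returns to rotation as soon as a probe succeeds again. The farm member names, the probe callback and the failure threshold of 2 are constructed for the example; UAG's own probe interval and thresholds are not stated in the article.

```python
import itertools
from dataclasses import dataclass


@dataclass
class FarmMember:
    """One published web front end (e.g. one Exchange CAS or SharePoint WFE)."""
    name: str
    healthy: bool = True
    consecutive_failures: int = 0


class WebFarm:
    """Round-robin distribution over a farm, skipping members whose health probe failed.

    `probe` is a callable(name) -> bool standing in for an HTTP health check
    against the member; `failure_threshold` consecutive failures mark a member
    down so that a single dropped probe does not cause flapping (assumed value).
    """

    def __init__(self, members, probe, failure_threshold=2):
        self.members = [FarmMember(m) for m in members]
        self.probe = probe
        self.failure_threshold = failure_threshold
        self._rotation = itertools.cycle(range(len(self.members)))

    def run_health_checks(self):
        """Probe every member once and update its health state."""
        for m in self.members:
            if self.probe(m.name):
                # One good probe is enough to bring a member back into rotation.
                m.consecutive_failures = 0
                m.healthy = True
            else:
                m.consecutive_failures += 1
                if m.consecutive_failures >= self.failure_threshold:
                    m.healthy = False

    def healthy_members(self):
        return [m.name for m in self.members if m.healthy]

    def pick(self):
        """Return the next healthy member in rotation, or None if the whole farm is down."""
        for _ in range(len(self.members)):
            m = self.members[next(self._rotation)]
            if m.healthy:
                return m.name
        return None


if __name__ == "__main__":
    # Constructed scenario: three CAS servers, the second one goes down and comes back.
    down = set()
    farm = WebFarm(["cas1", "cas2", "cas3"], probe=lambda n: n not in down)
    print("all healthy:", [farm.pick() for _ in range(4)])
    down.add("cas2")
    farm.run_health_checks()
    farm.run_health_checks()  # second failure reaches the threshold
    print("cas2 down:", farm.healthy_members(), [farm.pick() for _ in range(4)])
    down.discard("cas2")
    farm.run_health_checks()
    print("cas2 recovered:", farm.healthy_members())
```

The point to notice is the asymmetry: a member must fail several probes before it is removed, but recovers on the first successful one, which is the usual way to avoid bouncing a node in and out of the farm on a single lost probe.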
Remote Desktop Gateway
Providing support for Remote Desktop (RD) users is greatly improved in UAG. When UAG is installed, the server is automatically configured as a Remote Desktop Gateway, which allows UAG to easily publish full remote desktop sessions to individual servers, groups of servers, or servers defined by the user. In addition, UAG includes support for publishing RemoteApps, which is a function provided by the RD Gateway. This feature allows individual applications (as opposed to the full desktop) to be made available to remote users over SSL.
One of the strong points of the IAG remote access solution is the granular access control that can be enforced by using the native endpoint configuration detection. This is improved in UAG, and UAG now also includes the option to leverage an existing NAP deployment to enforce endpoint policy configuration. This is especially helpful in DirectAccess deployments where native UAG endpoint policy detection is unavailable.
Client-Based VPN Support
SSL VPN is wonderful, but there are scenarios that require extending network-layer access to the Intranet. In support of this, IAG included the Network Connector, now called SSL Network Tunneling. However, SSL Network Tunneling only works for Windows Vista and earlier clients. To support Windows 7 and later clients, UAG now provides support for Secure Sockets Tunneling Protocol (SSTP) clients. SSTP uses SSL to encrypt network-layer communication, and is fully supported in the Windows 7 client operating system.
In my opinion, one of the most compelling deployment scenarios for UAG is that of DirectAccess gateway. If you’re not familiar with DirectAccess, it is an always-on remote access solution that leverages components of the Windows Server 2008 R2 operating system, including Active Directory Group Policy, PKI, IPsec, and much more. DirectAccess relies heavily on IPv6, and all intranet resources must be running IPv6. For many organizations interested in taking advantage of this new feature this is a show stopper because IPv6 is not widely implemented yet. When configured as a DirectAccess gateway, UAG provides important transition technologies like DNS64 and NAT64 which function as protocol translators, allowing native IPv6 DirectAccess clients to connect to IPv4-only network resources. This significantly reduces infrastructure requirements and eliminates the need to have IPv6 deployed on your Intranet to support DirectAccess. Scalability and high availability are enhanced with UAG’s native network load balancing (NLB) active-active clustered arrays. One-time passwords (OTP) are also supported for DirectAccess clients with the latest update for UAG.
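The DNS64/NAT64 translation mentioned above works by embedding the IPv4 address of an intranet resource inside an IPv6 prefix so that an IPv6-only DirectAccess client gets an AAAA answer it can use, and the NAT64 translator later recovers the IPv4 destination from that address. The following is an added example of that address synthesis (not code from the article or from UAG) using the /96 embedding from RFC 6052 and the resolver rule from RFC 6147; it assumes the well-known prefix 64:ff9b::/96 and a constructed sample zone, and the prefix UAG actually assigns to its NAT64 is not stated in the article.

```python
import ipaddress

# Constructed sample zone: one IPv4-only intranet host and one dual-stack host.
SAMPLE_ZONE = {
    "intranet.example.com": {"A": ["192.0.2.10"]},
    "v6app.example.com": {"A": ["192.0.2.20"], "AAAA": ["2001:db8::10"]},
}

WELL_KNOWN_PREFIX = "64:ff9b::/96"  # RFC 6052 default; a deployment may use its own


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """DNS64 synthesis: place the 32-bit IPv4 address in the low bits of a /96 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example only implements the /96 embedding")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """NAT64 side: recover the IPv4 destination, or None if the address is native IPv6."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def resolve_for_v6_client(name, zone, prefix=WELL_KNOWN_PREFIX):
    """DNS64 resolver rule: hand back real AAAA records when they exist,
    otherwise synthesize AAAA records from the A records."""
    records = zone.get(name, {})
    if records.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in records["AAAA"]]
    return [synthesize_aaaa(a, prefix) for a in records.get("A", [])]


if __name__ == "__main__":
    for host in SAMPLE_ZONE:
        answers = resolve_for_v6_client(host, SAMPLE_ZONE)
        for a in answers:
            print(f"{host}: AAAA {a} -> NAT64 target {extract_ipv4(a)}")
```

Because only the IPv4-only host receives a synthesized address, traffic to it is the only traffic that the translator rewrites; the dual-stack host is reached natively, which is why the client side needs no change and the intranet needs no IPv6 rollout.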
As is typical with most major product upgrades, there are myriad new features in UAG that aren’t by themselves earth shattering, but collectively make for a much more functional remote access solution. Among them are:
- New look and feel – The look and feel of the application and network access portal is much improved over IAG. The user interface has the modern SharePoint look and feel, and Exchange web application publishing now features the Exchange 2010 scheme.
- 64-bit client endpoint components – UAG now provides full support for 64-bit Windows clients.
- Federation – UAG now supports AD FS 2.0 for federated access to published applications.
- AD RMS – SharePoint libraries that are protected by Active Directory Rights Management Services (AD RMS) can now be accessed through UAG.
- SCOM integration – UAG includes support for integration with System Center Operations Manager (SCOM) 2007 and later.
- Improved browser support – Web browser support is much improved in UAG.
As you can see, UAG has many significant improvements over IAG. If you have a requirement to support modern browsers for your current published applications, or are making plans to migrate to the latest versions of Exchange or SharePoint on-premises, you’ll definitely need to consider migrating from IAG to UAG before those projects are completed. From a performance and availability perspective, UAG, with its native clustering and web farm load balancing capabilities, can significantly improve your uptime for published applications. If you are considering a DirectAccess deployment in the near future, UAG will allow you to take advantage of this great new remote access method by simplifying the deployment and reducing infrastructure requirements with its integrated IPv6 transition technologies. On top of all that, UAG is now Common Criteria certified to level EAL 2+, so you can deploy the solution with the confidence that it is a secure and stable solution.