The Changing of the Guard for Microsoft Remote Access - UAG
Meir Mendelovich a Senior Program Manager in the Microsoft UAG product group, posted an important blog post last week regarding the future of Microsoft remote access. You can check out Meir’s blog post over at:
From that post, it’s become clear to me that Microsoft intends the next version of IAG to be the one-stop shop for all remote access to network resources, especially remote access to Microsoft networks. The next version of IAG isn’t coincidently named “Unified Access Gateway” – it was named that because of its intended purpose: to provide a single remote access gateway that consolidates almost all of Microsoft’s remote access technologies.
This creates an interesting conundrum for the current ISA or TMG firewall administrator. For the last decade, we considered the best way to enable remote access to internal resources to be through Web Publishing, Server Publishing or network level VPN using PPTP, L2TP/IPsec or SSTP (SSTP if you’re using a TMG firewall). All of these methods enabled both stateful packet and application layer inspection, with Web Publishing and VPN access allowing you to enforce strong user/group granular access controls.
WHAT HAPPENED TO IAG?
Of course, IAG has been out there for the last couple of years. The problem IAG had was that while it should have been a major player in the Microsoft remote remote access community and supplant the ISA or TMG firewall’s remote access schemes, it failed to meet its potential, at least among the ISA or TMG firewall crowed because there was no software only version available.
Sure, there was a trial .vhd you could download and test, but the only way you could purchase IAG, at least until SP2, was to buy an hardware appliance. While this approach works for other vendors very well, Microsoft admins like to install things themselves, kick the tires, customize the configuration and give things a good strong workout before committing themselves to a new technology purchase. Microsoft admins aren’t so trusting of the “black box” approach used by hardware appliance vendors. Unfortunately for IAG, the .vhd trial download and purchase option came too late.
In contrast, UAG will soon be available for beta testing in a number of formats, including software installation, trial .vhd and hardware appliance. This gives UAG a significant advantage over IAG right from the start. In addition, UAG will have profound usability improvements that address some of the more problematic issues exposed during an IAG deployment.
CHANGING OF THE GUARD FOR MICROSOFT REMOTE ACCESS
But the key issue here for ISA and TMG firewall administrators is the entire issue of remote access. With the introduction of UAG as a unified remote access gateway that consolidates almost all of Microsoft remote access technologies, the playing field will change.
For remote access scenarios the decision making process regarding what to use for inbound access will change and shift toward a UAG solution. Some of the reason for this include:
- UAG will be a more secure reverse proxy solution than TMG
- UAG will make configuring secure remote access to both Microsoft and non-Microsoft resources easier than TMG, and provide a much larger collection of authentication options
- UAG will be a complete DirectAccess solution. TMG might be able to support DirectAccess to a certain extent, but it will be far from a complete solution. If you haven’t seen the infinite number of moving parts in a DirectAccess infrastructure, you might not appreciate this yet. If you have, then you already know. The fact is that UAG will enable you to get DirectAccess working in a fraction of the time it would take to get a fully working solution without it.
- UAG will enable high availability scenarios for DirectAccess that aren’t really possible without it. I can’t share with you the details of how this is implemented at this time, but when you find out, you’ll realize that DirectAccess without UAG is like peanut butter without chocolate.
- UAG will provide network layer SSL VPN connectivity to all Windows clients – not just Vista SP1 and above (which are the only ones that support SSTP)
- UAG provides sophisticated endpoint detection right out of the box for all SSL VPN reverse proxy scenarios. TMG does not do this for reverse proxy. UAG can use either its build-in endpoint detection or leverage an existing NAP infrastructure. In contrast, TMG supports NAP or remote access VPN quarantine only for network level VPN connections over PPTP, L2TP/IPsec or SSTP.
TMG INVESTMENTS ARE IN THE UTM SPACE
If you look closely at TMG beta 3, you’ll notice that no major investments were made in the reverse Web proxy component, and the only two major investments in inbound access (and ones we highly appreciate!) are in TMG VPN networking is SSTP support and enhanced NAT to support SMTP server publishing.
Why? Most likely the reason for this is that UAG is the target of Microsoft efforts at providing fast, stable, secure and reliable anytime, anywhere access to Web resources over the Internet.
None of this is meant to denigrate TMG. In fact, I think the TMG firewall is one of the most impressive efforts I’ve ever seen come out of Microsoft. The issue here is remote access. TMG has made major investments in IPS/IDS, outbound SSL inspection, Web protection with integrated anti-malware, advancements in ease of setup and maintenance, improved troubleshooting tools, new reports, and enhancements to the firewall engine and services that comprise the firewall’s firewall core to improve performance and security. What’s clear is that TMG is moving forward as a Unified Threat Management (UTM) solution whose purpose is to secure your network in outbound access scenarios.
For inbound access, you need to start looking at the UAG.
That’s not to say that you can’t use Web Publishing, Server Publishing and network layer VPNs with TMG. However, TMG is not going to be the best option – it won’t be the easiest to use solution for remote access scenarios, it won’t be the most secure solution for remote access scenarios, and it won’t provide the single point of visibility and control for all of your remote access connections, which include going forward, DirectAccess.
UAG AND TMG AT ISASERVER.ORG
That’s why you’ll see some changes at ISAserver.org in the coming months. We’ll be doing a good number of articles on UAG, starting soon after UAG’s beta release. When the focus is on remote access, we’ll focus the content on UAG. When the focus is on outbound access, we’ll focus on the TMG. Our goal, as always, is to promote security best practices and this UAG/TMG division of labor helps us continue in that direction.
So, look forward to lots of new material this year in both the UAG and TMG spaces. One thing’s for certain, things are getting better and better for the Microsoft edge network admin!
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer