Microsoft Forefront Unified Access Gateway
Microsoft Forefront Unified Access Gateway (UAG) is a reverse proxy and VPN solution that provides secure remote access to corporate networks for remote employees and business partners. It is part of the Microsoft Forefront offering. It incorporates various remote access technologies such as reverse proxy, VPN (especially SSL VPN), DirectAccess and Remote Desktop Services. UAG was released in 2010 and is the successor to Microsoft Intelligent Application Gateway (IAG), which was released in 2007. UAG also integrates DirectAccess, a VPN-like technology that provides seamless remote access to an organizational network via IPv6 and IPsec.
History
Unified Access Gateway was originally developed by a startup company named Whale Communications in Rosh HaAyin, Israel. One of the challenges it tried to solve in the nineties was to develop a remote access solution based on a VPN mechanism but without direct network access from the remote client to the corporate network. This type of solution was specifically required by the Israeli military and government to meet national information security standards.

The technology developed was called the Air Gap, and the communication between the external network and the internal network was managed by two separate 1U rack-mount servers linked together by a memory bank accessed through a SCSI interface.

On 18 May 2006, Microsoft announced that it would be acquiring Whale Communications. Microsoft completed the acquisition on 26 July 2006. Following this acquisition, the product was renamed Microsoft Intelligent Application Gateway Server 2007. With this version, the SCSI-based Air Gap was dropped, and the product was unified as a single-server appliance. Instead of using the Air Gap as the security barrier, IAG used Microsoft's ISA Server firewall product. IAG was offered to the public as a pre-installed appliance by Celestix Networks, IVO Networks, Portcullis Systems and nAppliance. In 2009, with the release of Service Pack 2 for IAG, the product was also offered directly to the public from Microsoft in the form of a virtual appliance: a pre-installed VHD which could be run on Hyper-V or VMware.

In April 2008, Microsoft announced that the next generation of IAG would be named Forefront Unified Access Gateway. The product was released on 24 December 2009. Service Pack 1 for this product was released on 3 December 2010.
Technical overview
Microsoft UAG provides a Secure Sockets Layer (SSL) virtual private network (VPN), a web application firewall, and endpoint security management (for compliance and security) that enable access control, authorization, and content inspection for a wide variety of line-of-business applications. Included are customized granular access policy and security capabilities for Microsoft Exchange Server (2003, 2007 and 2010), Microsoft SharePoint Portal Server (2003, 2007 and 2010), Microsoft Terminal Services and Citrix Presentation Server. The product is highly customizable, and almost any application can be published with UAG.
Out of the box, UAG Server is able to work with many authentication vendors such as RSA Security, Vasco, GrIDsure, Swivel, ActivCard and Aladdin. It also works with numerous authentication systems and protocols such as Active Directory, RADIUS, LDAP, NTLM, Lotus Domino, PKI and TACACS+. Possible customizations include single sign-on (SSO), as well as dynamic look-and-feel customization. With the current release of UAG with Update 2, the product also offers support for many third-party systems such as Linux, Macintosh and iPhone. The product also supports Mozilla Firefox.
UAG performs particularly well in providing a portal for web applications, such as web-based email and intranets, but it also provides full SSL VPN network access using either ActiveX components (when using Internet Explorer) or Java components (when using Firefox, Opera, or non-Windows clients such as Red Hat or Mac OS). These components can also perform endpoint compliance checks before allowing access, testing for attributes on the PC such as domain name, antivirus definitions date or running processes.
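The endpoint compliance check described above, as an added example that is not UAG's own policy engine or code from this article: a small evaluator takes the attributes a client component reports (domain membership, antivirus definition date, running processes), compares them with a policy, and maps the result to an access decision. The policy values, the domain name corp.example, the process names and the dates are all constructed for the example, and the three-tier decision (full network access, portal only, deny) is an assumption about how a gateway might use the result.

```python
from dataclasses import dataclass
from datetime import date

# Added example: an endpoint compliance evaluator of the kind a remote access
# gateway runs before granting access. Not UAG's own implementation; every
# value below (domain, process names, dates, limits) is constructed.


@dataclass(frozen=True)
class EndpointReport:
    """Attributes the client-side component reports about the PC."""
    domain: str                 # domain the machine is joined to
    av_definitions_date: date   # date of the installed antivirus signatures
    processes: frozenset        # names of running processes


@dataclass(frozen=True)
class CompliancePolicy:
    required_domain: str            # assumed corporate domain
    max_definition_age_days: int    # assumed maximum signature age
    required_processes: frozenset   # e.g. the antivirus engine must be running
    forbidden_processes: frozenset  # processes that must not be running


def evaluate(report, policy, today):
    """Return the list of failed checks; an empty list means the endpoint is compliant."""
    failures = []
    if report.domain.lower() != policy.required_domain.lower():
        failures.append(f"domain: machine is joined to {report.domain}, not {policy.required_domain}")
    age_days = (today - report.av_definitions_date).days
    if age_days > policy.max_definition_age_days:
        failures.append(f"antivirus: definitions are {age_days} days old (limit {policy.max_definition_age_days})")
    running = {p.lower() for p in report.processes}
    for name in sorted(policy.required_processes):
        if name.lower() not in running:
            failures.append(f"process: required {name} is not running")
    for name in sorted(policy.forbidden_processes):
        if name.lower() in running:
            failures.append(f"process: forbidden {name} is running")
    return failures


def access_level(report, policy, today):
    """Map the check results to an access decision (the tiering is an assumption):
    'network' for a compliant endpoint (full SSL VPN access), 'portal' when the
    only problem is stale antivirus definitions (web portal only), else 'deny'."""
    failures = evaluate(report, policy, today)
    if not failures:
        return "network"
    if all(f.startswith("antivirus:") for f in failures):
        return "portal"
    return "deny"


# Constructed sample policy and endpoint reports.
POLICY = CompliancePolicy(
    required_domain="corp.example",
    max_definition_age_days=7,
    required_processes=frozenset({"MsMpEng.exe"}),
    forbidden_processes=frozenset({"p2pshare.exe"}),
)
TODAY = date(2011, 3, 1)
SAMPLE_REPORTS = {
    "managed": EndpointReport("CORP.EXAMPLE", date(2011, 2, 27), frozenset({"explorer.exe", "MsMpEng.exe"})),
    "stale_av": EndpointReport("corp.example", date(2011, 1, 1), frozenset({"explorer.exe", "MsMpEng.exe"})),
    "home_pc": EndpointReport("home.local", date(2011, 3, 1), frozenset({"explorer.exe", "p2pshare.exe"})),
}

if __name__ == "__main__":
    for label, report in SAMPLE_REPORTS.items():
        print(label, access_level(report, POLICY, TODAY), evaluate(report, POLICY, TODAY))
```

The decision is taken on the gateway from data the client sends, so a real deployment treats the report as untrusted input and pairs the check with server-side controls (authentication, per-application authorization); the evaluator above only shows how the reported attributes translate into a policy outcome.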
The inclusion of DirectAccess with UAG has been a big influence on its success, as DirectAccess provides very seamless VPN-like integration and is in high demand by many organizations. DirectAccess is part of Windows, but UAG provides a very user-friendly configuration interface for it, making it easier for administrators to configure. UAG also adds two additional components, DNS64 and NAT64, which make deploying DirectAccess in an existing network easier, without the need to deploy IPv6.
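How DNS64 and NAT64 let IPv6-only DirectAccess clients reach IPv4-only internal servers, as an added example that is not UAG's own code: DNS64 answers a name lookup with a real AAAA record when one exists and otherwise synthesizes one by embedding the server's IPv4 address in a /96 NAT64 prefix; NAT64 later recovers the IPv4 destination from that synthesized address. The prefix used here is the RFC 6052 well-known prefix 64:ff9b::/96 (a deployment such as UAG uses its own prefix), and the zone data and addresses are constructed.

```python
import ipaddress

# Added example of DNS64 synthesis and NAT64 address translation.
# Assumption: the /96 NAT64 prefix is the RFC 6052 well-known prefix; a real
# deployment configures its own. The zone below is constructed sample data.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

ZONE = {
    "legacy.corp.example": {"A": ["10.0.0.25"]},                        # IPv4-only server
    "dual.corp.example": {"A": ["10.0.0.30"], "AAAA": ["2001:db8::30"]},  # dual-stack server
}


def synthesize_aaaa(ipv4):
    """Embed an IPv4 address in the /96 prefix: with a /96 the IPv4 bits occupy the low 32 bits."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4))


def dns64_resolve(name, zone=ZONE):
    """DNS64 behaviour: return real AAAA records if present, else synthesize from A records."""
    records = zone.get(name)
    if records is None:
        return []
    if records.get("AAAA"):
        return list(records["AAAA"])
    return [str(synthesize_aaaa(a)) for a in records.get("A", [])]


def nat64_extract_ipv4(ipv6):
    """NAT64 side: recover the IPv4 destination from a synthesized address, or None
    when the address is outside the prefix (a native IPv6 destination)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in NAT64_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


if __name__ == "__main__":
    for name in ZONE:
        for answer in dns64_resolve(name):
            print(name, "->", answer, "(NAT64 target:", nat64_extract_ipv4(answer), ")")
```

The prefix check in nat64_extract_ipv4 is what keeps the translator from rewriting traffic for native IPv6 destinations, and the AAAA-first rule in dns64_resolve is why dual-stack servers are reached directly instead of through the translator.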
The product is sold in appliance form, from vendors such as IVO Networks, Portcullis Systems, Celestix Networks, and nAppliance. It is also offered as an installable DVD. The product can be installed on Windows Server 2008 R2.