Microsoft delivers feature-rich SSL-VPN

Forefront Unified Access Gateway is enterprise-grade, software-based remote access tool

By , Network World
March 08, 2010 12:07 AM ET

Network World - We tested Whale Communications' SSL VPN in 2003 and the product didn't fare very well. Microsoft bought Whale in 2006, jettisoned some of the strange idiosyncrasies of the product, dramatically simplified management, and subsequently integrated several Vista and Windows 7 technologies.

The latest version of the product, now called Forefront Unified Access Gateway 2010, offers a great SSL VPN feature set, especially when integrated into an existing Microsoft Windows network and when used to provide staff access to enterprise applications.

There are some weaknesses, such as limited support for non-Windows platforms and for extranet use. But the product's strengths, including configuration, ease of use and single-application publishing, bring it to the forefront of the SSL VPN marketplace.

Forefront UAG, formerly known as Intelligent Application Gateway (IAG), is part of Microsoft's Forefront line of security tools. Forefront UAG distinguishes itself from most other SSL VPN products in three ways. First, it is a software-only solution licensed on a per-user basis. Although the underlying Windows and UAG server licenses aren't inexpensive and UAG won't share a server with other applications, being software-only makes it an affordable solution when licensing 250 or more simultaneous users, especially in organizations that have volume license agreements for Windows server.

Second, UAG provides some application layer firewalling capability. Most other SSL VPNs provide only minimal application-layer inspection of content, focusing on correctly rewriting URLs rather than blocking potentially hazardous URLs. UAG goes beyond this by providing some URL syntax checking, which can protect against some types of attacks, such as SQL injection.
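To make the "URL syntax checking" point concrete, here is an added illustration of how a positive-logic rule set at an application-layer gateway can reject requests that do not fit the published application's expected shape. This is example code written for this page, not UAG's rule engine or its configuration format; the published paths, parameter names, value patterns and sample request URLs are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical rule set for one published application (constructed for this
# example). Only listed paths and parameters are allowed; everything else is
# rejected, so an unexpected character in "id" never reaches the backend.
ALLOWED_PATHS = re.compile(r"^/app/(?:login|orders|report)\.aspx$")
ALLOWED_PARAMS = {
    "id": re.compile(r"^[0-9]{1,9}$"),
    "user": re.compile(r"^[A-Za-z0-9._-]{1,32}$"),
    "page": re.compile(r"^[0-9]{1,3}$"),
}
MAX_URL_LEN = 2048


def check_url(url: str):
    """Return (allowed, reason) for a request URL against the rule set."""
    if len(url) > MAX_URL_LEN:
        return False, "url too long"
    parts = urlsplit(url)
    # Decode the path once so percent-encoded variants are judged by their
    # decoded form; a path that still does not match is rejected.
    path = unquote(parts.path)
    if not ALLOWED_PATHS.match(path):
        return False, f"path not published: {path}"
    # parse_qsl percent-decodes values, so %27 is checked as a quote character.
    # Double-encoded input (%2527) decodes to "%27", which also fails the
    # digit-only pattern. keep_blank_values makes empty values get checked too.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = ALLOWED_PARAMS.get(name)
        if pattern is None:
            return False, f"unknown parameter: {name}"
        if not pattern.match(value):
            return False, f"parameter {name} fails syntax check"
    return True, "ok"


# Constructed sample requests: one well-formed, one with a quote and semicolon
# in a numeric field, one with an unpublished parameter, one unpublished path.
SAMPLE_REQUESTS = [
    "https://portal.example.test/app/orders.aspx?id=1042&page=2",
    "https://portal.example.test/app/orders.aspx?id=1042%27%3B",
    "https://portal.example.test/app/orders.aspx?id=1042&debug=true",
    "https://portal.example.test/admin/console.aspx",
]


def run_samples():
    """Evaluate every sample request and return the (allowed, reason) list."""
    return [check_url(u) for u in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for url, (allowed, reason) in zip(SAMPLE_REQUESTS, run_samples()):
        print("ALLOW" if allowed else "BLOCK", url, "-", reason)
```

The design choice worth noting is that the checker is an allowlist: it does not try to recognise attack strings, it only admits the exact paths and parameter syntax the published application is known to use, which is why a stray quote in a numeric field is blocked without any signature for it.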

Third, UAG includes Microsoft's new DirectAccess technology, an IPv6-based feature that can simplify end-to-end VPNs by reducing the need for VPN gateways and easing the deployment of remote access VPNs across a Windows domain.

Included in Forefront UAG are large chunks of Forefront Threat Management Gateway (TMG), the recently re-named Microsoft ISA firewall product. However, TMG's main purpose in UAG is protection of the UAG server, and Microsoft places strict limits on what is and is not permitted with TMG.

In other words, if you were hoping for a complete, all-Microsoft firewall and SSL VPN solution in a single system, this isn't it. Forefront UAG also requires Windows Server 2008 R2 (a 64-bit-only version of Windows).

Authorization angst

SSL VPNs start by authenticating the user, so we tested that first. Most deployments will probably use the built-in Active Directory links, which is a good thing, because we had a difficult time making any of the alternative authentication options work.

Officially, UAG offers a wide variety of other authentication sources, including RADIUS, several LDAP directories, as well as more obscure methods. We tested the ones we thought would be most useful, including Active Directory, LDAP, RADIUS and SecurID.
