Forefront UAG, formerly known as Intelligent Application Gateway (IAG), is part of Microsoft's Forefront line of security tools. Forefront UAG distinguishes itself from most other SSL VPN products in three ways. First, it is a software only solution licensed on a per-user basis. Although the underlying Windows and UAG server licences aren't inexpensive and UAG won't share a server with other applications, being software-only makes it an affordable solution when licensing 250 or more simultaneous users, especially in organisations that have volume licence agreements for Windows server.

Second, UAG provides some application layer firewalling capability. Most other SSL VPNs provide only minimal application-layer inspection of content, focusing on correctly rewriting URLs rather than blocking potentially hazardous URLs. UAG goes beyond this by providing some URL syntax checking, which can protect against some types of attacks, such as SQL injection.

Third, UAG includes Microsoft's new DirectAccess technology, an IPv6-based feature that can simplify end-to-end VPNs by reducing the need for VPN gateways and easing the deployment of remote access VPNs across a Windows domain.

Included in Forefront UAG are large chunks of Forefront Threat Management Gateway (TMG), the recently renamed Microsoft ISA firewall product. However, TMG's main purpose in UAG is protection of the UAG server, and Microsoft places strict limits on what is and is not permitted with TMG.

In other words, if you were hoping for a full pure Microsoft firewall and SSL VPN solution in a single system, this isn't it. Forefront UAG also requires Windows 2008 Server R2 (a 64-bit only version of Windows).

Authorisation angst

SSL VPNs start by authenticating the user, so we tested that first. Most deployments will probably use the built-in Active Directory links, which is a good thing, because we had a difficult time making any of the alternative authentication options work.

Officially, UAG offers a wide variety of other authentication sources, including RADIUS, several LDAP directories, as well as more obscure methods. We tested the ones we thought would be most useful, including Active Directory, LDAP, RADIUS and SecurID.

The good news is that we were able to make authentication work with all sources, with only minor restrictions. LDAP authentication, always one of the biggest bugaboos, is helped in UAG by the creation of templates for some common LDAP servers. However, if you have chosen to make any adjustments to the schema of those servers, you won't be able to use them with UAG. Since our server looked mostly like a standard Netscape LDAP server (one of the choices), we were able to authenticate successfully.

Where we ran into problems was in the authorisation side of the house. In SSL VPNs, authorisation is a critical feature that lets you build security policy differently for different groups of users. Most SSL VPNs, UAG included, use the concept of "groups" to provide access control.

We wanted to see how well we could get group information out of our authentication servers to the UAG. We found that UAG wouldn't work properly with any of the servers we tried, for different reasons each time.

With LDAP, since our server didn't match exactly the schema that UAG had built-in, our group hierarchy wasn't available, and UAG couldn't see it. With RADIUS, UAG's option to customise the extraction of group information was grayed out and, more importantly, we couldn't add these groups to our access control lists. With SecurID, we wanted to get group information out of Active Directory — a common approach for most enterprises using SecurID — but couldn't make that work either, even with a Microsoft guru on site to help.

If your plans for UAG are exclusively built around a fairly standard Active Directory, and if you don't plan on using external sources for authorisation (for example, if all authenticated users get the same services), then UAG's authentication features will be quick and easy to use. However, if you want to integrate your SSL VPN across other directory services besides Active Directory, UAG may not work well for you.