- The capability for employees to work from anywhere in the world on the corporate network
- Only a laptop with an internet connection and the correct username/password are needed to connect
| Author info | Rating | Review Summary |
|---|---|---|
| Senior Consultant at Unify Square | 4.0 | No summary available |
| Senior System Engineer with 1,001-5,000 employees | 3.5 | We found UAG slow and unscalable, but RAS greatly improved remote access performance and stability. Setup requires network expertise, but it's a valuable upgrade for enabling global employee connectivity. |
| Engineer with 1,001-5,000 employees | 4.0 | No summary available |
| Senior Manager of Engineering with 1,001-5,000 employees | 5.0 | We chose UAG for its strong security, including 2FA, enabling secure remote access for email and applications. Its administration console simplified deployment and management, despite minor difficulties with trunk configuration and network card requirements. |
| Manager of Operations at a tech company with 51-200 employees | 3.0 | Overall, I believe UAG provides robust SSL VPN security, including an app-layer firewall and SQL injection prevention. My concerns are its authentication issues, non-standard server communication, and strict x64 platform requirement. It's best for standard Windows/AD setups. |
| Director of IT at a tech company with 51-200 employees | 4.0 | I observe UAG delivers secure, policy-driven remote access, improving productivity and consolidating infrastructure. I noted issues with cross-site SSO and Network Connector. It simplifies deployment, reduces costs, and ensures granular control. |
| Manager of Data Center at an insurance company with 51-200 employees | 5.0 | We found UAG offers secure, seamless remote access for diverse clients, addressing our VPN challenges. Though it requires configuration expertise and multiple servers, it proved a valuable, cost-effective solution for us. |
*Review updated on April 17, 2014
As you can read on the Microsoft TechNet blog (bit.ly/J2Jcni), UAG has entered the final part of its lifecycle.
"Mainstream support will continue through April 14, 2015, and extended support will continue through April 14, 2020."
The features you used in UAG are now available in Windows 2012 R2 using the operating system's DirectAccess and Web Application Proxy functionalities.
"Customers will be granted a Windows Server 2012 Standard server license for each UAG server license with active Software Assurance to allow them to make the transition."
Pros:
Consolidate remote access from different networks, users and devices into a single product.
UAG is able to work with all the most used browsers and operating systems (including Android and iOS with Service Pack 2)
Powerful policies and tools to manage and monitor connections and activities.
Rules are not too difficult to create and manage
A lot of possibilities to customize the product and the appearance of UAG to be compliant with your company's guidelines
Cons:
DirectAccess is something that is now available also in Windows 2012
At the moment (01/05/2013) we are waiting for Service Pack 3 of UAG to interact in the right manner with Exchange 2013, Lync 2013 and so on.
The Forefront TMG installation made by UAG is something you must not modify or use, and that is a pity (it is there only to protect the server where UAG is installed).
UAG is a really good product and it is not difficult to use if you compare it with other software/hardware products that deliver similar features.
Given the fact that other products of the Forefront family are going out of support, if you want a Microsoft product for publishing and remote access, UAG is the only choice you will have in the next year (years?)
Employees can work from home, branch offices or anywhere in the world together with employees in the firm.
We still use RSA with SSL VPN as the backup solution for non-windows and laptops that don't belong to the company.
In-house by ourselves.
It is included in our Microsoft premier contract, at no extra cost.
Go through the documentation carefully and involve your network team.
We recently started a trial of Microsoft's UAG (Universal Access Gateway) product. It's a cool 'always on' VPN solution that detects when your laptop is off the corporate network and connects you via some fancy VPN technology without you even knowing it. One interesting aspect is that it runs on IPv6.

For most companies (ours included) IPv6 is not something we have embraced. It's hard to have a network team who have spent decades becoming experts in TCP/IP and have them relearn a whole new technology and implement it. It's just not high on our list (I digress) so...

Perfect Storm Component (1): We don't even route IPv6 on our network

Our Windows 2008 servers all have IPv6 installed and bound to the NICs (the default configuration). Microsoft say this is best practice since they have declined to retro-test any of the current or future technologies against a platform that has IPv4 enabled and IPv6 disabled.

Perfect Storm Component (2): We have IPv6 enabled on all our servers.

When an IPv6 stack comes online it will perform a solicitation broadcast (IPv6 broadcast) and typically in our environment that falls on deaf ears, thus the only IPv6 interface that is online is a loopback interface. Enter UAG. Since the UAG product uses IPv6 it needs a way of allowing the IPv6 clients on the Internet to talk to IPv4 servers; it does this by installing an ISATAP server, which effectively allows IPv6 and IPv4 systems to talk to each other by gluing IPv4 headers onto IPv6 packets. The moment that comes online the IPv6 solicitation broadcasts are received by ISATAP and it starts handing out addresses (only analogous to DHCP). Two things then start to occur: (a) all our servers begin registering AAAA records in DNS and (b) the nodes of our production clusters start to perform their health checks over IPv6.

Perfect Storm Component (3): Servers, including clusters, start using IPv6 for DNS and cluster health checks.

At this point I am pissed off, or at least I would have been if I had known what was going on. The introduction of the UAG product and consequently ISATAP had made a change to our entire enterprise at a profound level, and all without our knowledge.

And then it happens...

Perfect Storm Component (4): The UAG product breaks.

Now the time bomb has started to tick. With UAG down, servers can no longer communicate via IPv6, so they are unable to renew their IP addresses in DNS. The countdown to their DNS scavenge time has begun and 7 days later their IPv6 AAAA records get deleted from DNS. That's OK for most servers, but for the clusters, they try to perform their regular health check and 0-1.2 seconds after their AAAA records are deleted the cluster health check fails and the cluster falls over.
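The chain of events the post describes (ISATAP router appears, servers register ISATAP-derived AAAA records, records stop being refreshed when the router dies, scavenging deletes them, cluster heartbeats that moved to IPv6 fail) can be checked for before it bites. The PowerShell below is an added example, not code from the post or from Microsoft: it lists AAAA records in an AD zone whose address carries the ISATAP interface identifier (`...:5efe:w.x.y.z`, or `...:200:5efe:w.x.y.z` for a globally unique embedded IPv4 address), reports the zone's aging window so you know how long after an ISATAP outage those records become eligible for scavenging, and, when run on a cluster node, shows which cluster networks carry IPv6. The zone name, DNS server name and the presence of the RSAT DnsServer module are assumptions; replace them with your own.

```powershell
#Requires -Modules DnsServer
# Added example (not from the original post). Assumptions: zone
# 'corp.example.com' and DNS server 'dc1.corp.example.com' are placeholders;
# the FailoverClusters section only does anything on a cluster node.
param(
    [string]$ZoneName  = 'corp.example.com',     # assumed AD-integrated zone
    [string]$DnsServer = 'dc1.corp.example.com'  # assumed DNS server / DC
)

# True when an IPv6 address was built by ISATAP: interface-ID bytes 8-11 are
# 00 00 5e fe (private embedded IPv4) or 02 00 5e fe (global embedded IPv4).
# Checking bytes avoids depending on how the address happens to be printed.
function Test-IsatapAddress {
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[10] -eq 0x5e -and $b[11] -eq 0xfe -and $b[9] -eq 0x00 -and
            ($b[8] -eq 0x00 -or $b[8] -eq 0x02))
}

# The IPv4 address embedded in the low 32 bits of an ISATAP address.
function Get-IsatapEmbeddedIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    (New-Object -TypeName System.Net.IPAddress -ArgumentList (,[byte[]]$b[12..15])).IPAddressToString
}

# Every AAAA record in the zone that only exists because an ISATAP router is
# (or was) advertising a prefix. Timestamp is empty for static records, which
# scavenging never removes; dynamic ones age from that timestamp.
function Get-IsatapDependentRecords {
    param([string]$ZoneName, [string]$DnsServer)
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType AAAA |
        Where-Object { Test-IsatapAddress $_.RecordData.IPv6Address.IPAddressToString } |
        ForEach-Object {
            $v6 = $_.RecordData.IPv6Address.IPAddressToString
            [pscustomobject]@{
                HostName     = $_.HostName
                IPv6         = $v6
                EmbeddedIPv4 = Get-IsatapEmbeddedIPv4 $v6
                Timestamp    = $_.Timestamp
            }
        }
}

# How long a dynamic record survives once nothing refreshes it: it becomes
# eligible for deletion after NoRefresh + Refresh, and the server's scavenging
# period then decides when the next sweep actually removes it.
function Get-ScavengeWindow {
    param([string]$ZoneName, [string]$DnsServer)
    $aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
    [pscustomobject]@{
        ZoneName          = $aging.ZoneName
        AgingEnabled      = $aging.AgingEnabled
        NoRefreshInterval = $aging.NoRefreshInterval
        RefreshInterval   = $aging.RefreshInterval
        EligibleAfter     = $aging.NoRefreshInterval + $aging.RefreshInterval
    }
}

# Cluster networks that have IPv6 addresses and are enabled for cluster use
# (Role 0 = not used by the cluster). Returns nothing off a cluster node.
function Get-IPv6ClusterNetworks {
    if (-not (Get-Module -ListAvailable -Name FailoverClusters)) { return @() }
    Import-Module FailoverClusters
    Get-ClusterNetwork |
        Where-Object { $_.Ipv6Addresses.Count -gt 0 -and [int]$_.Role -ne 0 } |
        Select-Object Name, Role, Ipv6Addresses
}

Get-IsatapDependentRecords -ZoneName $ZoneName -DnsServer $DnsServer | Format-Table -AutoSize
Get-ScavengeWindow -ZoneName $ZoneName -DnsServer $DnsServer | Format-List
Get-IPv6ClusterNetworks | Format-Table -AutoSize
```

Run it from a box with the DNS Server RSAT tools against a DC; any host that shows up in the first table with a Timestamp is a host whose IPv6 name resolution will silently expire after the reported EligibleAfter window if the ISATAP router stops answering. To see which router the local stack is actually using, `netsh interface isatap show router` on a member server shows the configured ISATAP router name, which is the quickest way to confirm that a UAG box has become one.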
Very safe and secure. The ability to use two-factor authentication by integrating it with PINsafe was the main reason why we chose UAG. All configuration is done through the UAG console, allowing easy administration.
Trunks are slightly difficult to configure.
Two network cards have to be configured to use UAG on different subnets (can be tweaked to use one subnet, but that is not supported by Microsoft).
We needed a solution to enable email and application access from remote networks. Microsoft's UAG was exactly what we were looking for. We wanted to minimize the number of ports open to the internet, with all our data encrypted. We were able to set up an SSTP VPN, an application access portal and desktop access from one gateway. Deploying multiple UAG servers was very easy once we had one working properly, as the configuration can be imported/exported. Truly a great product from Microsoft!
To meet the need for absolute security in SSL VPN, Microsoft has introduced UAG. Forefront Unified Access Gateway is a software solution which provides better security in SSL VPN. Though UAG is a bit different from other SSL VPN software, it has some features which resemble SSL VPN. One of the important features of the software is a firewall facility provided at the application layer. There is also better prevention of SQL injection for URL-based applications. The URL syntax checking facility provided with the software is quite impressive. IPv6-based access technology has reduced the requirement for additional gateway setup in the case of remote access VPN.
Though UAG is a breakthrough in SSL VPN, it still lags on some fronts, like the authentication control process in VPN. In some cases where the standard schema is not followed for a server, UAG seems not to communicate well. UAG also requires the Microsoft Windows Server 2008 R2 x64 platform. This is a setback for users of x86 platforms. UAG also faces some difficulties with communication through the 802.1x authentication protocol in RADIUS mode. Other than standard Active Directory groups, UAG doesn't communicate with external groups in the case of a remote VPN.
If you are trying to work out a solution for your SSL VPN with the same standard of platforms and Active Directory, then setting up UAG will be easier and it will perform as expected. UAG is an affordable software solution available in the market. It is useful for users of the Windows Server platform with a volume licensing copy and 250 or more users.
- UAG makes it easier for organizations to deliver secure remote access to their applications and resources, and improve employee and partner productivity.
- Protect IT assets through fine-grained and built-in access policies that provide access to sensitive data, based on identity and endpoint health.
- Consolidate remote access infrastructure and management.
- Simplify deployment and ongoing tasks through wizards and built-in policies.
- Reduce support costs by delivering a simplified connectivity experience for users.
- Cross-site single sign-on does not work between two UAG servers.
- It is not possible to use the Network Connector application (a form of VPN) when Forefront UAG is configured as a DirectAccess server.
Forefront UAG is used to extend and enhance the basic publishing features of Forefront UAG. It comes with extended features like portals, SSL VPN, DirectAccess, and powerful Endpoint Access Policies to control the client devices when they access the Forefront UAG server. During a Forefront UAG installation, Forefront TMG will also be installed, but only to protect the Forefront UAG server. In fact, Forefront UAG acts as an application layer gateway and is the solution for incoming access to internal resources from the internet. Based on the state of health of the devices being used to gain access and the user's identity, UAG enforces granular access controls and policies to deliver comprehensive remote access, ensure security, and reduce management costs and complexity.
1. Seamless connectivity
2. It supports SharePoint publishing
3. It is relatively cheap when licensing 250 or more simultaneous users
4. UAG incorporates DirectAccess facilities.
5. It is secure and safe.
1. You cannot implement UAG on a single server, which makes it less than ideal for small businesses
2. UAG needs expertise to configure.
3. You can’t share the UAG server with any other applications.
When Microsoft announced DirectAccess, we were very happy to see a solution that would overcome VPN dial-in/dial-out lapses. However, we were discouraged when we discovered that DirectAccess requires all the client computers to be running Windows 7 Ultimate or Enterprise edition, and our company doesn't have the resources to upgrade all our systems. This became an issue as our VPN solution is not living up to our expectations. Our research showed that Forefront Unified Access Gateway (UAG) could be a remedy.
We implemented UAG and it paid off for us. Our remote users can securely log on to our corporate network (Copnet) from any part of the world without compromising the integrity of the corporate resources. UAG provides seamless connectivity for remote users. Windows XP, Vista, Windows 7, Windows 8, Mac OS, Linux and mobile phone clients can seamlessly connect remotely as if they were in the internal network. We are not only benefiting from UAG's ability to support diverse devices, but also from its ability to accommodate both IPv4 and IPv6 clients. IT administrators can control how the UAG clients behave. For example, authenticated users can be prevented from uploading a video file, but allowed to download the same file type.