Even though installing a UAG server is quite straightforward, it is very important to plan your deployment ahead of time and prepare your hardware, software, and network correctly. Failing to do so might end in an installation failure, or even worse—a situation requiring a lengthy re-planning of the integration, not to mention explaining all of this to "the guys upstairs".
When planning the installation, one must keep in mind that a UAG server is fundamentally a router. It has an external side that would be the access point for connecting clients from the internet, and an internal side through which the server can fetch data from internal corporate servers. While it is theoretically possible to use the server with a single network card, this option is not supported, and will not work for most of UAG's functionality. UAG includes Forefront TMG (Threat Management Gateway) 2010, Microsoft's well known enterprise-class firewall; therefore it is possible to have the external interface connected directly to the internet. Nonetheless, many organizations choose to play it extra-safe and place the server behind an additional firewall, which can also improve UAG's performance by eliminating junk traffic that might otherwise burden it. This, of course, requires careful planning of the routing, as well as opening the proper ports on the firewall to allow traffic to take its course.
UAG is designed to enable remote access in two primary roles: application publishing and VPN. A regular proxy is a server that resides at the edge of an organization's network, like a guard at the building's reception. The regular proxy fetches data from the outside world for the company's employees, much like a guard would escort a guest to an employee's office. A reverse proxy does the exact opposite—it fetches data from within the internal network, and delivers it to people on the outside. A regular proxy is usually about speeding things up, but also about protecting the network from uncontrolled access, while a reverse proxy is mostly about security. This is especially so for UAG, which might slow things down a bit, but provides a high level of security.
The benefit to an organization is that, using reverse proxy publishing, employees working from home or on-the-go can access the organization's internal applications from wherever they are, while still maintaining the organizational network safely and securely. Those of you who know their firewalls must be thinking "But...any firewall can do this!" That is correct – almost all modern firewalls allow various forms of server publishing, but UAG adds additional levels of security. Firewall server publishing is usually quite simplistic – an administrator specifies the internal IP and port, and the firewall listens and forwards the requests and responses to and from the internal servers. From a security standpoint, this is almost equivalent to allowing the users to interact directly with the internal server, as the firewall inspection usually takes place at the TCP packet level only. Sure, it can recognize and stop some common Denial of Service (DoS) and other attacks like Port scan and half scan, but hardly any application-level attacks. UAG, on the other hand, is much cleverer:
Firstly, UAG includes TMG—a firewall, so it does exactly what was described above.
UAG also impersonates the internal server, so the end-user is actually interacting only with UAG. If the user is able to mount a successful attack and crash the server, UAG may go down (this has never happened, by the way), but the sensitive internal server will march on, undisturbed.
Another security layer on top of that is endpoint detection, which boosts security even further. Clients connecting to UAG must undergo a configurable security policy check that can eliminate many threats. For example, it can reject connections from computers that have not gone through a specific "preparation" by the organization, so that potential attackers are turned away even before they try to log in. It can reject connections from computers which are not well protected by an Anti-Virus or a personal firewall, to reduce the risk of a worm infecting the internal network. If this is not enough, the UAG logon process can be customized extensively, to boost security even further. We will not discuss this sort of customization in this book, but just to give you an idea, one example is the ability to include a CAPTCHA mechanism, so automated brute-force attacks cannot be executed to try to obtain a login to the server.
The second major functionality of UAG is VPN, which allows remote users to connect to the organization's network in a way that emulates them being connected directly to the network while at the office. This sort of connection can allow them to do anything they could do in the office, and provide the most advanced work environment (pyjamas notwithstanding). This functionality was included with previous versions of UAG under the name Network Connector. Network connector, or NC for short, was a VPN ability that was based on encrypting the connection with SSL, and was a proprietary technology developed by Whale Communications. At the time, Windows Servers also had built-in VPN abilities, but only based on the PPTP protocol, which is considered to be not very secure, and L2TP, which is quite secure, but difficult to deploy because of its complexity.
Today, with UAG, multiple VPN technologies are included. NC is still there, though it has been renamed to SSL Network Tunneling. SSL Network Tunneling is also limited to classic client operating systems like Windows XP and Windows Vista. A new addition is SSTP, which is a more modern incarnation of SSL-VPN for Windows 7 users The most important remote-access technology included with UAG is DirectAccess ( DA for short), which offers a new and unique seamless VPN-like integration. With DA, users are virtually connected to the corporate network as soon as they connect to the internet, with no interaction or any need to configure components and launch diallers. All these will be covered in detail later in the book.