
Microsoft Forefront UAG 2010 Administrator's Handbook

Overview of this book

Microsoft Forefront Unified Access Gateway (UAG) is the latest in a line of Application Publishing (Reverse Proxy) and Remote Access (VPN) Server products. The broad set of features and technologies integrated into UAG makes for a steep learning curve. Understanding all the features and abilities of UAG is a complex task that can be daunting even to experienced networking and security engineers. This book is the first to be dedicated solely to Microsoft Forefront UAG. It guides you step-by-step through all the stages of deployment, from design to troubleshooting. Written by experts who have taken part in the product's development, official training and support, this book covers all the primary features of UAG in a friendly style and a manner that is easy to follow. It takes you from the initial planning and design stage, through deployment and configuration, up to maintenance and troubleshooting. The book starts by introducing UAG's features and abilities, and how your organization can benefit from them. It then goes on to guide you through planning and designing the integration of the product into your own unique environment. Further, the book guides you through the process of publishing the various applications, servers and resources - from simple web applications to complex client/server based applications. It also details the various VPN technologies that UAG provides and how to take full advantage of them. The later chapters of the book cover common routine "upkeep" tasks like monitoring, backup and troubleshooting of common issues. Finally, the book includes an introduction to ASP, which some of the product's features are based on, and which can help the advanced administrator with enhancing and customizing the product.

Choosing clients

When considering the implementation of UAG, one must take into account which clients are usable with UAG. Various operating systems have different capabilities and limitations, and not all are supported. At the time of writing, UAG supports the following operating systems as clients:

  • Windows XP 32-bit

  • Windows XP 64-bit

  • Windows Vista 32-bit

  • Windows Vista 64-bit

  • Windows 7 32-bit

  • Windows 7 64-bit

  • Windows Server 2003 32-bit

  • Windows Server 2003 64-bit

  • Windows Server 2008 32-bit

  • Windows Server 2008 64-bit

  • Mac OS X 10.3+ (PowerPC and Intel) 32-bit only

  • Linux (RPM-based distributions: Red Hat Enterprise 4 and 5, Fedora Core 5 and up; Debian-based distributions: Debian 4 and up, Ubuntu 6.10 and up) 32-bit only

  • Windows Mobile 2003

  • Windows Mobile 2005

  • Windows Mobile 7

  • Windows Mobile 6.x

  • iPhone version 3.0.x

  • Nokia S60 3rd edition, Feature Pack 1—validated on E71, N95

  • Nokia S60 3rd edition, Feature Pack 2—validated on E72, E52

  • Nokia S60 5th edition—validated on N97

Note

The above list may change as service packs and updates are introduced for UAG or for various operating systems. For a full list of supported operating systems and browsers, see http://technet.microsoft.com/en-us/library/dd920232.aspx.

As stated, not all systems support all functions. For example, Network Connector (NC) cannot be used with Windows 7. If your users are running both Windows 7 and Windows XP, the only way to allow all of them to VPN into the corporate network is to implement both SSTP and NC; UAG then selects the appropriate one automatically, depending on which OS the client is running.

When clients connect to various UAG services, they might need more than just a browser. For example, Endpoint Detection, Socket Forwarding and Endpoint Session Cleanup are special components that are installed on the client when they are required. Whether these components are needed depends on which UAG features you are deploying. With most deployments, however, they are necessary, so it's important to keep in mind that they can only be used with certain browsers and operating systems. With Windows and Internet Explorer, everything works nice and dandy. With Linux and Mac, a Java-based version of the client components does a similar job, and almost everything works (see the link in the note above). For mobile browsers, including Windows Mobile up to version 7 and Apple iPhone, the "Premium" portal is supported, but the phone cannot perform SSL tunneling, session cleanup or endpoint detection. Nokia phones only support the "Limited" portal. The "Premium" portal is specially designed for the mobile phone view on a small screen. It has fewer graphics, but still looks pretty darn good. The "Limited" portal is a text-only version that is usable even on phones with limited web capabilities.

When planning a UAG deployment, it's important to understand the limitations of client support and prepare for them, to make sure the organization's primary target audience will have the right level of access. Discovering in mid-deployment that your number-one app is unusable for most of your users can be embarrassing. This is especially so if the target application or client is not explicitly on the list. Sometimes, even a minor version change can wreak havoc, as in the case of a certain well-known server application that introduced a major change to the way it handles cookies, so that version 9.5.2 of the application worked perfectly through UAG, but version 9.5.3 failed miserably.

As mentioned before, when a user connects to the UAG portal for the first time, the UAG client components are installed on their computer. It's important to keep in mind that the client components' installation process registers some ActiveX components, and that is considered a risky operation. Don't worry, your users' computers aren't going to explode, but if the user is logged on as a non-administrative user, the ActiveX registration will be denied and the client components installation will fail. In other words, make sure that when your users log on to the UAG portal for the first time, they do so while logged on as local administrators, or at least run the browser with elevated privileges. Later, when simply launching the portal again, the user no longer needs to be an administrator. If your organization or the user has customized the browser's security settings in some way, it's important to properly test the client component installation, to make sure the security configuration will not leave the computer with a corrupt client installation. Another option available to the administrator is to install the client components manually using a stand-alone installer. The UAG server has on its hard drive a set of Windows Installer files (with the extension MSI) that can be used to install the client components fully or partially. In fact, if the organization's users bring their computers to work regularly, one can even use Active Directory application deployment or a logon script to perform this installation automatically and quietly. You can read more about this in Chapter 7.
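The quiet, scripted installation just described, as an added example that is not from the book or the product: a PowerShell script that checks the elevation the ActiveX registration needs, skips hosts where the components are already registered, verifies the package signature, and runs msiexec silently with a log. The MSI path and the product display name are placeholders, since the book does not give the file names.

```powershell
# Added example (not from the book): scripted install of the UAG client components
# from the MSI files the book describes. The share path and display name are
# assumptions; replace them with the MSI copied from your UAG server.
$MsiPath     = '\\fileserver\software\UAG\<client-components>.msi'   # placeholder path
$ProductName = 'Forefront UAG Client Components'                     # placeholder name
$LogPath     = Join-Path $env:TEMP 'uag-client-install.log'

# 1. The MSI registers ActiveX components, so the install must run elevated;
#    a non-administrative context fails exactly as the book warns.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not running elevated; ActiveX registration would be denied. Exiting.'
    exit 1
}

# 2. Make the script idempotent: skip hosts where the product is already registered.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like "$ProductName*" }
if ($installed) {
    Write-Output "Already installed: $($installed.DisplayName) $($installed.DisplayVersion)"
    exit 0
}

# 3. Only push a package whose Authenticode signature is valid, so a tampered or
#    swapped MSI on the share is not deployed to every workstation.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Refusing to install: signature status is '$($sig.Status)'."
    exit 1
}

# 4. Quiet install with verbose logging; /norestart leaves any reboot to policy.
$msiArgs = "/i `"$MsiPath`" /qn /norestart /l*v `"$LogPath`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer exit codes: 0 = success, 3010 = success, reboot required.
switch ($proc.ExitCode) {
    0       { Write-Output 'UAG client components installed.' }
    3010    { Write-Output 'Installed; a reboot is required before first use.' }
    default { Write-Warning "Install failed with exit code $($proc.ExitCode); see $LogPath."
              exit $proc.ExitCode }
}
```

Run it as a computer startup script or through a deployment tool that executes with local administrator rights; a plain user logon script would fail the elevation check by design.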