Instant Microsoft Forefront UAG Mobile Configuration Starter

By: Fabrizio Volpe

Overview of this book

UAG provides your employees, clients, or partners secure remote access to your vital corporate resources, while delivering a seamless integration with your existing network environment. UAG is able to optimize content for different mobile devices, and is also able to publish complex applications in a simple manner. You are also able to integrate UAG with multiple domains and federated authentications, to give the highest quality service in a mobility scenario. "Instant Microsoft Forefront UAG Mobile Configuration Starter" is a concise and informative book that allows you to set up and start using UAG without any existing knowledge of the area. This book will start by expertly guiding you through the installation and setup of UAG, and then show you how to publish a simple application for mobile devices, in order to familiarize you with concepts and operations that you will use throughout your work with UAG. The main body of the book focuses on a series of essential, and incredibly practical, recipes and examples designed to help you in utilizing UAG features for their maximum effect. By the end of "Instant Microsoft Forefront UAG Mobile Configuration Starter", you will know all the vital information you need to deploy UAG in a successful and efficient manner, in order to tailor the configuration to your company’s specific requirements.
Table of Contents (8 chapters)

So, what is Microsoft Forefront UAG Mobile?


Unified Access Gateway (UAG) is a product focused on granting access anywhere and keeping centralized entry points and management methods.

The two main features of UAG are DirectAccess and Publishing.

  • DirectAccess: This feature is used to extend our network to external users, connecting to clients outside our network even before the user is logged on, and without using VPN or other traditional solutions

  • UAG Publishing: This feature is what we want to look into, because publishing gives us the capability to grant access to our applications and resources to people coming from different locations, and from different devices, using a single web application or a Forefront UAG portal (that consolidates multiple resources in a single gateway)

While opening our resources to a wide variety of end points, we need strong access control, and UAG includes mechanisms to check clients, users, and groups for authorization and to apply mandatory policies. With the release of Service Pack 2 (August 2012), UAG is now able to interact with the most recent devices from all the biggest players in the mobile market (Windows Phone 7.5, iOS 5.x on iPad and iPhone, and Android 4.x on tablets and phones). As soon as an end point tries to connect to a UAG site, there are different publishing scenarios based on the characteristics of the device in use.

The client device discovery mechanisms of UAG give us what we need to identify and provide the best results to different clients and mobile devices. We have two kinds of portals, the Premium portal (the suggested solution for devices with good graphic capabilities) and the Limited portal (mainly text-based and a viable solution for older products).

A third kind of portal, that is, the Regular portal, is the standard for desktop and laptop computers. As we can see in the following screenshot taken from the gateway management screen, the publishing functions rely on two different kinds of connections from UAG to the servers where the applications really are:

The connections are called trunks, and they are available over HTTP or over the more secure, encrypted HTTPS. The HTTPS publishing used by UAG is an efficient solution for mobile users, both from the point of view of bandwidth consumption and of compatibility (the latter because the protocol is widely supported on mobile networks, while other solutions are prone to various technical issues). The list of what we are able to publish with UAG is rather impressive, including various versions of Exchange, Dynamics CRM, SharePoint, Remote Desktop, and Terminal Services, applications based on IIS and on other web servers, and client/server applications from different vendors.

There is often confusion because another product also gives us the capability to publish resources: the Threat Management Gateway (TMG). To make matters more confusing, TMG is (also) a part of the UAG setup, with a limited function: securing the UAG server from external networks. TMG is an Enterprise Edge Firewall that offers functionalities (from the publishing point of view) that are similar to but less powerful than the ones we have with UAG, with limits on what we can publish and on the controls we're able to perform on the connecting clients.