UAG vs TMG

I typically dedicate my posts here to more technical and in-depth stuff, but I figure it’s time I address this issue as well, as I’ve seen in come up in many discussions. With all the acronyms in the security world, it may be hard to know which product you actually need, and what it can and cannot do. Here’s a little about UAG, what it can do for you, and which product you should chose for your company.

UAG, short for “Unified Access Gateway” is the successor to IAG (Intelligent Application Gateway), which is the successor to eGap. EGap and IAG were originally developed by a company called Whale, located in Israel, and in 2006, Microsoft purchased the company and its technology. Under Microsoft, UAG was released in early 2010, and is designed to be a successor to IAG and eGap.

Concurrently to all this, Microsoft has developed ISA Server. This began many years ago, with a product called “Microsoft Proxy”, which was a relatively simple internal proxy server. Later on, the product was added various security features, making it a fully fledged, enterprise-class firewall. Its current version is called TMG – Threat Management Gateway, and it was released back in 2009 as a successor to ISA 2006. My own personal angle on this, if anyone cares, is that for most of my career at Microsoft, I was working at the development center where ISA was developed, and was deeply involved with the product.

IAG and UAG are products that were developed separately from ISA and TMG, but these two families are strongly related. They do not share the same code, but are closely linked. While ISA and TMG are stand-alone products, and are marketed separately, UAG and IAG have TMG and ISA built-into them. From a technical perspective, it’s still separate – these are two separate software products installed on a single computer. IAG shipped as an appliance as a virtual server image, so the user wouldn’t need to install it, but whoever it was that created the image had to manually install ISA server before installing IAG itself. With UAG, the installation binaries that the administrator needs to run include the full TMG installation package inside them, and it is installed automatically as part of the installation process. For the rest of this, I’m going to ignore IAG, as it’s no longer being sold, and focus on UAG. UAG uses TMG as a protection mechanism – like a pub uses a bouncer to keep out bad people. That also means that UAG is the boss – it tells TMG what to do, which means you, the administrator, are not the one in that position. This is a classic misunderstanding affecting many new UAG users. TMG is there, glaringly, but except for a small number of situations, Microsoft instructs the administrator not to configure TMG in any way. This warning should not be taken lightly. It’s not just a vague and meaningless warning. Because of the strict relationship between the products, ignoring it can cause a complete collapse of the server. You can read more about this, and about some exceptions to it here.

If you are facing the decision of purchasing a security product, and needing to decide which is the most suitable, you need to keep in mind that ISA’s successor is TMG. TMG is, of course, more advanced than ISA, but it does not compete with UAG on for the same spot. TMG is a firewall and proxy server (both forward-proxy and reverse-proxy) . It’s suitable for acceleration of internet access, as well as securing your network from attack. It’s also suitable for publishing internal resources to the outside, as well as VPN connections. Generally speaking, TMG can do everything that ISA was able to do, or better. UAG, on the other hand, is a reverse-proxy and VPN server. It cannot be used as a forward-proxy, and some of its features make it better for publishing internal applications. Even as a reverse proxy, UAG has some limitations, making TMG a better solution for some scenarios.

One thing which makes UAG better for publishing is the fact that it is designed to publish multiple applications on a single public IP. IP addresses are a hard thing to come-by these days, and with UAG, you can publish dozens of applications using only one IP, with the UAG PORTAL helping to make this magic possible. This is also nice because your users don’t need to remember various URLs by heart – one URL (the portals) leads them to all the applications. In addition to this, UAG contains an advanced endpoint-detection mechanism, which can collect information about a client’s computer, as it attempts to connect to UAG. This information can be used by the administrator to control access. For example, if your organization has determined that only clients running Windows 7, with Windows Defender installed are “safe”, you can block access to all other computers. Another feature is the session cleanup component, which cleans up files that were downloaded by the user during the session. For example, if the user opens email attachments during an OWA session, these files might otherwise remain in the computer’s temp folder afterwards. With UAG, a special component on the client cleans those up at the session end. One additional useful feature is the URL SET mechanism, which defines a URL pattern that is allowed for certain types of applications, and can be customized by a user. For example, when UAG is used to publish SharePoint, it automatically creates a set of 59 rules that define the various URLs SharePoint may generate. If the client tries to feed-in any illegal variation, the request will be blocked. This is a good defense against many types of malformed-URL attacks, and the administrator can also define or refine the rules if newer attacks are identified.

In addition to all the above, UAG also enables easy deployment of DirectAccess, which is a new, VPN-like connectivity for clients that is gaining huge momentum out there. UAG makes configuring DirectAccess easier and our customers are loving it.

These advantages, however, don’t mean that UAG is “better”. It’s more suitable to some things. On the other hand, for some others, TMG may be more suitable. For example, TMG supports PPTP and L2TP VPN, which UAG cannot do. TMG is also better at transparent publishing. This is the kind of situation where you need to configure an application to connect to the internal network via the firewall. UAG is designed to interact with browsers, so for applications like TFS or OCS*, TMG may provide an easier solution.

* This doesn’t mean TFS and OCS cannot be used with UAG – it’s possible with the right Config, but this is not the place to get technical about this.

So, the next question that may come to mind is how to know which one you need? Well, if you are currently using ISA, then it’s likely that upgrading to TMG is going to be the smoothest path. If you find ISA to be lacking a specific feature, I recommend contacting a consultant* who can analyze your requirements and suggest the best solution. Even if the above info suggests UAG is right for you, it would probably still be a good idea to talk with an experienced consultant. Sure, they are not cheap, but even at a few hundred dollars per hour; it would still be cheaper than finding out 3 months into the project that you chose the wrong product. Also, they might point out other requirements that need to be addressed, like Certificates, IP address allocation, routing and networking etc.

* There are many resources for this. Microsoft offers MCS as a good option, and our OEM partners, who sell UAG appliances can also help. In addition, there are a few dozen consultants all over the world with the right experience to help!

Naturally, if you want to go at it yourself, this is always an option, and there’s also my book. In that case, do keep in mind that UAG is a complicated product, and a typical deployment takes anywhere from a few weeks to a few months. Assuming you can just install it over a weekend and be done by Monday morning may lead to disappointment.

Have fun with whatever sibling you select!

Comments

  • Anonymous
    June 25, 2012
    good reading sir.. you helped me with one install two year ago :-) looking good

  • Anonymous
    July 09, 2012
    Are you still working for Microsoft?

  • Anonymous
    July 09, 2012
    Alen, you can contact me directly via the "Email blog author" link on the top-right. However, the answer is that I still do work for Microsoft, with no plans of leaving. A few months ago marked the start of my 12th year with the company.

  • Anonymous
    August 08, 2012
    Any news on ipv6 support? Meaning not only for the direct access feature. The roadmap for UAG and TMG is very unclear.