
Microsoft Suite Security Solutions

Microsoft Forefront Unified Access Gateway (UAG)


Microsoft Forefront Unified Access Gateway 2010 (UAG) delivers comprehensive, secure remote access to corporate resources for employees, partners, and vendors on both managed and unmanaged PCs and mobile devices. Utilising a combination of connectivity options, ranging from SSL VPN to DirectAccess, together with built-in configurations and policies, Forefront UAG provides centralised and easy management of an organisation's complete anywhere-access offering. By integrating a deep understanding of the applications published, the health state of the devices being used to gain access, and the user's identity, Forefront UAG enforces granular access controls and policies to deliver comprehensive remote access, ensure security, and reduce management costs and complexity.

Iconic specialise in Microsoft Forefront UAG and have worked on some of the world's largest deployments. We have worked closely with Microsoft to develop this cutting-edge technology.

Key Benefits

Anywhere Access

Forefront Unified Access Gateway makes it easier for organisations to deliver secure remote access to their applications and resources, and to improve employee and partner productivity, by combining an intelligent access policy engine with a consolidated range of connectivity options, including SSL VPN and DirectAccess.

  • Empower employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
  • Deliver simple and secure access optimised for applications such as SharePoint, Lync, Exchange and Dynamics CRM.
  • Extend network connectivity with Windows DirectAccess to existing infrastructure and legacy applications.

Integrated Security

Forefront Unified Access Gateway improves security in remote access scenarios by enforcing granular access controls and policies that are tailored to the applications being published, the identity of the user, and the health status of the device being used. UAG further improves security by enabling strong authentication to applications and by mitigating the risk of data being downloaded to unmanaged devices.

  • Protect IT assets through fine-grained and built-in access policies that provide access to sensitive data based on identity and endpoint health.
  • Easily integrate with Active Directory and enable a variety of strong authentication methods.
  • Limit exposure and prevent data leakage to unmanaged endpoints.

Simplified Management

With Forefront Unified Access Gateway, administrators have a single platform through which to deliver and manage remote access. With built-in policies and configurations for common applications and devices, administrators gain more control, more efficient management, greater visibility, and lower total cost of ownership.

  • Consolidate remote access infrastructure and management.
  • Simplify deployment and ongoing tasks through wizards and built-in policies.
  • Reduce support costs by delivering a simplified connectivity experience for users.

Application Publishing

The diagram below highlights some of the extensive offerings and secure access methods of Forefront UAG using web publishing and portal access rules.

[Diagram: Forefront Unified Access Gateway]

Publish Web and non-Web applications using Forefront UAG trunks. You can create a portal trunk to provide a one-to-many connection with a single IP address, allowing users to access multiple applications from a consolidated portal gateway. You can also create a single-application trunk to provide a one-to-one connection; one IP address routes to a single published Web server, enabling access to any generic Web application.

Web Application Publishing

Forefront UAG provides an application-layer inspection reverse proxy for publishing Web applications and Web farms. Application inspection uses positive-logic inspection to ensure that only legitimate application connections are allowed. Forefront UAG application optimisers include out-of-the-box inspection settings for many key Microsoft and third-party applications.

Remote Application Publishing

Forefront UAG allows you to leverage Remote Desktop Services (formerly Terminal Services) through an integrated Remote Desktop Services Gateway to publish remote applications via a Forefront UAG portal. It also supports publishing Citrix Web Interface via a portal trunk.

Client/Server Application Publishing

Forefront UAG allows you to publish non-Web applications over a secure connection using socket or port forwarding. You can require users to authenticate to Forefront UAG before accessing non-Web applications.

VPN Client Access

You can publish a VPN connection in a portal, allowing remote endpoints to connect to the internal network and access all network resources. For VPN client access, you can use the proprietary Forefront UAG Network Connector, or allow clients with SSTP support to connect using SSTP.

File Access

You can publish internal file structures in a portal, thus allowing remote clients to access internal file servers and shares.

Direct Access

Forefront UAG integrates Windows Server 2008 R2 DirectAccess to allow seamless connectivity to corporate networks regardless of location. DirectAccess can be configured directly in the Forefront UAG Management console.

The illustration below shows the key usage and features of Forefront UAG and DirectAccess.

[Illustration: DirectAccess]

  • Extend access to line-of-business servers with IPv4 support, such as Windows Server 2003 and non-Windows servers.
  • Provide SSL VPN access for down-level (Vista/XP) and non-Windows clients as well as PDAs.
  • Enhance scale and management through array management capabilities and integrated load balancing.
  • Simplify deployments and ongoing administration using wizards and automated tools.
  • Deliver a hardened, edge-ready solution that can be deployed swiftly.

Endpoint access controls

Forefront UAG provides a variety of mechanisms to control endpoint access to published applications, including:

Client Authentication

You can require remote clients to authenticate before establishing sessions to Forefront UAG sites, or allow anonymous access with pass-through authentication to backend servers. You can also configure single sign-on, so that the credentials users supply during session logon are passed to published servers that require authentication.

Endpoint Access Policies

You can set up endpoint policies with which endpoints (client devices) must comply in order to gain access to Forefront UAG sessions and applications. Endpoint policies specify the prerequisites that endpoint clients must meet for session access. Endpoint health can be inspected using built-in UAG policies or through integration with Network Access Protection (NAP).

Portal Application Authorisation

When publishing applications and resources in a portal, you can enable application authorisation to ensure that only specific users and groups can access each application.

High Availability and Array Management

Forefront UAG allows you to group multiple Forefront UAG servers into an array. All array members share the same configuration and can be managed as a single entity. One of the array members acts as the array manager, storing the configuration settings for the entire array. You can configure array members to use network load balancing (NLB) for high availability and failover; integrated Forefront UAG NLB lets you configure the NLB features of Windows Server 2008 R2 directly in the Forefront UAG Management console. Extended Forefront UAG arrays can be created using F5 hardware load balancers.

Enhanced Monitoring and Logging

You can log Forefront UAG events and errors to a variety of destinations, including the built-in reporter, a RADIUS server, and a local or remote SQL Server. Forefront UAG provides the Web Monitor console as a Web application for viewing events and managing Forefront UAG sessions.

Microsoft Forefront Threat Management Gateway (TMG)


Microsoft Forefront Threat Management Gateway 2010 (TMG) is a secure web gateway that provides comprehensive protection against web-based threats by integrating multiple layers of protection into a unified, easy-to-use solution. Forefront TMG allows your employees to use the Internet safely and productively for business without worrying about malware and other threats.

Iconic have extensive experience with Forefront TMG and its predecessor, ISA Server.

Forefront Threat Management Gateway 2010 (TMG) protects your employees from Web-based threats by integrating multiple layers of security into an easy-to-manage solution. Deployed on your corporate network as a unified gateway, Forefront TMG 2010 inspects web traffic at the network, application and content layers to help ensure comprehensive protection. It also improves your organisation's firewall performance by offloading processor-intensive functions such as malware inspection.

The secure web gateway solution includes:

  • The Forefront TMG 2010 server, which provides multiple inspection technologies, including an application- and network-layer firewall, intrusion prevention, and malware filtering, to keep your users safe from web-based attacks. It connects to the Forefront TMG Web Protection Service for URL filtering and anti-malware updates.
  • Forefront TMG Web Protection Service (included in Forefront Protection Suite or available as a stand-alone purchase), which delivers anti-malware updates and provides a real-time connection to cloud-based URL filtering technologies that can be used to monitor or block employee web usage.
  • A management console, which offers both local and remote policy management for servers.
  • A management server (included with Forefront TMG Enterprise Edition), which enables the creation of enterprise-wide policies that can be assigned to an array of servers.

Forefront TMG 2010 can scale performance when administrators cluster multiple gateways or deploy Forefront TMG 2010 at individual sites. It can be deployed in two modes: as a standalone server to deliver maximum performance, or as a virtual machine that can be combined with other applications to reduce hardware costs.

Reduce Costs and Simplify Web Security

Forefront Threat Management Gateway (TMG 2010) delivers comprehensive protection against Web-based threats, integrated into a unified gateway that reduces the cost and complexity of Web security. Building on the core features and functionality you have come to expect from Internet Security and Acceleration (ISA) Server, Forefront TMG 2010 provides new Web security features that help your users stay safe online. Benefits of these new features include:

Comprehensive Protection

  • Multiple URL filtering data sources for improved blocking of malicious Web sites
  • Highly accurate antimalware engine
  • Intrusion prevention against exploitation of vulnerabilities
  • Built-in, proven network protection technologies of ISA 2006

Integrated Security

  • Multiple Web security technologies integrated into a single solution
  • Reuse of existing authentication, update, policy distribution and reporting infrastructure investments

Simplified Management

  • Single interface for managing Web security policy
  • Comprehensive logging and reporting



If you would like to find out more about how Iconic IT can help your business with our consultancy services then please contact us today on 0330 088 3338.