This topic summarizes the main features of Forefront Unified Access Gateway (UAG). For a comparison of IAG 2007 and Forefront UAG, see Comparing IAG 2007 and Forefront UAG RTM.

Deployment Feature Details

Installation and deployment

Software installation

Forefront UAG can be installed on Windows Server 2008 R2 64-bit computers. For more information, see System requirements for Forefront UAG servers. The software version is available from the Volume Licensing Service Center.

Hardware appliance

Forefront UAG is available as a hardware appliance.

Inbuilt firewall

Forefront UAG installs Forefront TMG for firewall protection of the local Forefront UAG server. For more information about running Forefront TMG on Forefront UAG, see Support boundaries.

Getting Started Wizard

Forefront UAG provides a Getting Started Wizard, which runs automatically after installation, to help you set up network adapters and configure Microsoft Update settings. You can also use the wizard to gather multiple Forefront UAG servers into an array.

High availability and scalability

Multiple server array deployment

Multiple Forefront UAG servers can be deployed in an array, in which all array members share the same configuration. For more information, see the Array planning guide.

Load balancing

You can load balance traffic to array members, using integrated Network Load Balancing (NLB) or a hardware load balancer. For more information, see Load balancing design, in the Array planning guide.

Forefront UAG as a DirectAccess server

Forefront UAG DirectAccess deployment

Forefront UAG servers can be configured as DirectAccess servers. You can deploy a single server or an array of Forefront UAG DirectAccess servers. For more information, see the Forefront UAG DirectAccess planning guide.

Forefront UAG as a publishing server

Application publishing

Using Forefront UAG as a publishing server, you can publish internal resources for remote access, including Web and non-Web applications, full VPN access to internal networks, and access to internal file shares and structures. In addition, Forefront UAG provides out-of-the-box support for a number of applications, including predefined settings and values that provide optimum settings for accessing a specific application via a Forefront UAG trunk. For information, see the Publishing planning guide.

Publishing Exchange services

Forefront UAG provides a dedicated wizard for publishing Exchange services. Using the wizard, you can publish Microsoft Office Outlook® Web Access, Exchange ActiveSync®, and Outlook Anywhere (RPC over HTTP) in a single portal, providing secure access to Exchange services on a single IP address. For more information, see the Exchange services publishing solution guide.

Publishing SharePoint

You can publish SharePoint via Forefront UAG, allowing users to securely access SharePoint sites and manage documents from a range of virtual locations. In addition to publishing SharePoint 2003 and SharePoint 2007, using Forefront UAG you can publish SharePoint 2010. For more information, see the SharePoint publishing solution guide.

Publishing Remote Desktop Services (RDS)

Forefront UAG includes support for publishing RDS, including remote desktops and RemoteApps. For more information, see the Remote Desktop Services publishing solution guide.

Publishing a Web farm

You can publish a farm of Web servers or application servers that perform the same role or host the same content. You can load balance requests to farm members to distribute requests evenly among available nodes, detect offline servers and implement failover, and maintain farm servers without disrupting current endpoint connections.

Forefront UAG remote network access

Remote network access with SSTP

Forefront UAG provides support for remote client endpoints connecting to the internal network with SSTP. For more information, see Planning for internal network access in the Publishing planning guide. SSTP is also supported when Forefront UAG is configured as a DirectAccess server. For more information, see Choosing a Forefront UAG DirectAccess and VPN coexistence design.

Remote network access with Network Connector

In addition to SSTP, Forefront UAG adds 64-bit client support for the legacy Network Connector application. For more information, see Planning for internal network access in the Publishing planning guide. Note that using Network Connector is not supported if the Forefront UAG server is configured as a DirectAccess server.

Client endpoint access

Client endpoint components

Forefront UAG supports a range of client endpoints. For information about the Forefront UAG support matrix, see System requirements for Forefront UAG client devices.

Web access

Endpoints access applications published in a Forefront UAG trunk via a Forefront UAG Web site or portal. To provide direct access to a specific application, you publish it in a trunk using an application-specific host name. Endpoints can then connect directly to the application by typing the host name in a browser. Alternatively, you can publish applications in a Forefront UAG Web portal, which acts as a consolidated gateway for access to one or more internal resources. For more information, see Introduction to publishing design. Forefront UAG provides a number of customization options for a portal. For more information, see Customizing Forefront UAG.

Portal with Outlook Web Access look and feel

Forefront UAG provides a streamlined logon experience for Outlook Web Access users. You can apply an Outlook Web Access theme to a portal; authentication logon and logoff pages have been redesigned with an Outlook Web Access look and feel.

Client authentication

Forefront UAG allows you to perform client authentication on the Forefront UAG servers, ensuring that only authenticated requests reach published backend servers. You can verify client credentials using a number of authentication mechanisms, including LDAP, LDAP client certificates, RADIUS, and RSA SecurID.

Authentication single sign-on

Forefront UAG allows you to delegate credentials, so that when a client authenticates during logon to a Forefront UAG session, the credentials can be sent to backend servers that require authentication. This allows users to log on with a single set of credentials, which can then be used to authenticate and gain access to any application for which the credentials are valid. You can implement single sign-on using a 401 request, HTTP forms-based authentication, Kerberos constrained delegation, and Active Directory Federation Services (AD FS). For more information, see Planning for client authentication in the Access control for publishing planning guide.
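The Kerberos constrained delegation option above depends on the Forefront UAG computer account being allowed, in Active Directory, to request service tickets on behalf of users for the published backend services only. The following PowerShell is an added example, not code from the Forefront UAG documentation or product: it performs the Active Directory side of that setup and then checks that the gateway is not trusted for unconstrained delegation, which would let a compromised gateway impersonate users to any Kerberos service. The computer name UAG01, the backend SPNs for EXCH01 in contoso.com, and the presence of the ActiveDirectory module (RSAT) are assumptions; the matching per-application setting in the Forefront UAG console is configured separately.

```powershell
# Added example (not from the Forefront UAG documentation). Assumptions:
# the UAG computer account is UAG01, the backend is EXCH01 in contoso.com,
# and the ActiveDirectory PowerShell module is installed on this host.
Import-Module ActiveDirectory

$uagComputer = 'UAG01'
$backendSpns = @('http/exch01.contoso.com', 'http/exch01')   # assumed backend SPNs

# 1. Constrain delegation: UAG may obtain tickets only for these SPNs.
Set-ADComputer -Identity $uagComputer -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpns }

# 2. Enable protocol transition ("Use any authentication protocol"). UAG needs
#    this because the user authenticated to UAG with forms, RADIUS or a
#    certificate rather than with Kerberos, so UAG has no forwardable ticket.
Set-ADAccountControl -Identity "$uagComputer$" -TrustedToAuthForDelegation $true

# 3. Verify the resulting delegation settings. Unconstrained delegation
#    (TrustedForDelegation) must stay off, and the allowed-to list must contain
#    only the SPNs we intended; anything else widens the blast radius of a
#    gateway compromise.
function Test-UagDelegation {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $ExpectedSpns
    )
    $acct = Get-ADComputer -Identity $ComputerName `
        -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation

    if ($acct.TrustedForDelegation) {
        Write-Warning "$ComputerName is trusted for UNCONSTRAINED delegation."
    }
    $allowed = @($acct.'msDS-AllowedToDelegateTo')
    $extra   = $allowed | Where-Object { $ExpectedSpns -notcontains $_ }
    if ($extra) {
        Write-Warning "Unexpected delegation targets on ${ComputerName}: $($extra -join ', ')"
    }

    [pscustomobject]@{
        Computer           = $ComputerName
        Unconstrained      = [bool]$acct.TrustedForDelegation
        ProtocolTransition = [bool]$acct.TrustedToAuthForDelegation
        AllowedTo          = $allowed
        Compliant          = (-not $acct.TrustedForDelegation) -and (-not $extra)
    }
}

Test-UagDelegation -ComputerName $uagComputer -ExpectedSpns $backendSpns
```

Run the verification function periodically, not only at setup time: a later administrator who ticks "Trust this computer for delegation to any service" in the account properties silently turns the constrained setup into an unconstrained one, and the check above is what surfaces that.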

Access policies

In addition to verifying endpoint settings against inbuilt Forefront UAG endpoint policies, Forefront UAG integrates Windows Server 2008 NAP technology, allowing you to verify client endpoint compliance against NAP policies defined on a Network Policy Server (NPS). For more information, see Planning for endpoint health checking in the Access control for publishing planning guide.

Monitoring and logging

SQL logging

In addition to the legacy logging destinations, which include an inbuilt reporter, a RADIUS accounting server, a remote Syslog server, and an SMTP mail server, Forefront UAG allows you to log to a local or remote SQL Server. For more information, see Configuring event logging, and Logging to a SQL Server.

Activation Monitor

Forefront UAG provides an Activation Monitor that shows configuration activation activity. This is useful for monitoring the status of array members when activation occurs on the array manager. Activation Monitor is available from the Forefront UAG option in the Start menu. For more information, see About the Activation Monitor console.