
Forefront UAG Provides a Seamless Remote Experience

Many businesses build secure remote access solutions for employees and partners using products from several vendors, creating a potential headache for IT managers. Microsoft has a solution that can help. 


The global nature of business means an increasing number of workers aren’t tied to desks, offices, and regular business hours. It also means that information that resides on the corporate network needs to be available to customers, partners, and vendors.

For customers and partners, secure access to the corporate network means the potential for seamless communication and collaboration. For employees, the ability to access the corporate network from home or the road can lead to increased productivity and a better work-life balance. An Ipsos-Reid poll found that 42 percent of Canadians said they could be retained at one job or lured to another by the ability to work from home at least one day a week.

There are a number of technologies that IT managers can deploy to connect remote workers to data on the corporate network, such as virtual private networks (VPNs), Remote Desktop Protocol, Terminal Services, and remote proxy, to name just a few. Remote access solutions are often built on products from numerous vendors, creating a headache for IT managers trying to support secure network access for employees and partners.

Microsoft’s goal for secure remote access is to give remote workers seamless access to the corporate network without having to run client software to initiate a connection and without a lag in system or application response times. As the world continues to shrink and organizations increasingly need to share access with partners, branch offices, and vendors, this level of remote access will become a necessity.

Microsoft’s DirectAccess technology in Windows 7 and Windows Server 2008 R2 is designed to make it easy for Windows network administrators to provide secure access to remote workers. DirectAccess uses IPv6 to provide an always-on, secure connection for on-premises and remote users, and IPSec policies for authentication and encryption. IPSec allows administrators to control which remote users can access specific network resources; it also supports peer-to-peer applications such as instant messaging.

DirectAccess gives IT administrators a solid solution for clients that reside on the same domain and run the Windows 7 operating system. The problem for IT administrators is that many of the worldwide organizations that could benefit most from secure remote connections don’t have infrastructures that are quite so neat. It’s the rule, rather than the exception, to have multiple versions of Windows and Windows Server, plus non-Windows servers and clients, throughout the organization.

Forefront Unified Access Gateway (UAG) is one of the Protection and Access products in Microsoft’s Forefront security portfolio. Like DirectAccess, Forefront UAG provides secure access to resources inside the corporate network for employees, partners, and clients. Forefront UAG works with a combination of access technologies, including SSL VPN. But when IT administrators combine Forefront UAG with DirectAccess, they create a powerful, secure, and seamless remote access capability for end users that’s easy to manage.

Forefront UAG supports multiple connectivity options, which allows it to solve the problems associated with enabling secure remote access to legacy applications and existing infrastructure. It can also enable secure remote access for older versions of Windows and non-Windows systems.

Forefront UAG also adds powerful management capabilities, including granular access policies that can limit the resources being accessed remotely according to user, application, and the health of the device trying to access the network.

Let’s examine how the combination of Forefront Unified Access Gateway and DirectAccess works to provide a secure remote access solution for a business with remote workers and branch offices throughout the world.

The business in question wants employees to access applications and information on the corporate network from any device or any location. This includes workers at home offices, salespeople who need to access the network using mobile devices, IT administrators using non-Windows operating systems, branch offices using Windows XP, and a headquarters using Windows 7.

Employees at the corporate headquarters using domain-joined Windows 7 PCs will automatically connect to the corporate network and access applications and servers through DirectAccess (using IPSec and IPv6). The company’s remote or branch office employees using Windows XP or mobile devices will initiate a connection via SSL VPN. When access is initiated, the client sends a request to the DirectAccess + UAG server along with its health statement. The server redirects this request to the Network Protection Server to determine whether the client PC or device trying to access the network is healthy. If the client is healthy, the user’s credentials are authenticated using Active Directory Domain Services. Once authenticated, the client establishes the secure tunnel session with the DirectAccess + UAG server and the protected internal servers.
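The access decision just described (health check first, then credentials, then a per-resource policy such as the granular user/application/health policies mentioned earlier), modelled as an added Python example. This is not Forefront UAG or DirectAccess code; the directory, the health statement fields, the policy table and the transport selection rule are constructed stand-ins for AD DS, the client health statement and the gateway's policy engine.

```python
import hmac
from dataclasses import dataclass

@dataclass
class HealthStatement:
    firewall_on: bool
    antivirus_current: bool
    patches_current: bool

@dataclass
class AccessRequest:
    user: str
    password: str
    client_os: str          # e.g. "Windows 7", "Windows XP", "iOS" (constructed values)
    domain_joined: bool
    health: HealthStatement
    resource: str           # internal application the client asked for

# Constructed stand-ins for AD DS accounts and for the gateway's per-resource policy.
DIRECTORY = {
    "alice": {"password": "s3cret", "groups": {"sales"}},
    "bob": {"password": "hunter2", "groups": {"it-admins"}},
}
POLICY = {  # resource -> groups that may reach it through the gateway
    "crm-portal": {"groups": {"sales", "it-admins"}},
    "file-server": {"groups": {"it-admins"}},
}

def transport_for(req):
    """Domain-joined Windows 7 clients connect via DirectAccess; all others via SSL VPN."""
    return "DirectAccess" if req.domain_joined and req.client_os == "Windows 7" else "SSL VPN"

def health_failures(h):
    """Return the names of the health checks the client's statement fails."""
    checks = (("firewall", h.firewall_on), ("antivirus", h.antivirus_current),
              ("patches", h.patches_current))
    return [name for name, ok in checks if not ok]

def decide(req):
    """Evaluate in the order the article describes: health, then credentials, then policy."""
    failures = health_failures(req.health)
    if failures:  # unhealthy devices never reach authentication
        return {"allow": False, "reason": "unhealthy: " + ", ".join(failures)}
    account = DIRECTORY.get(req.user)
    if account is None or not hmac.compare_digest(account["password"], req.password):
        return {"allow": False, "reason": "authentication failed"}
    policy = POLICY.get(req.resource)
    if policy is None or not account["groups"] & policy["groups"]:
        return {"allow": False, "reason": "not authorized for resource"}
    return {"allow": True, "transport": transport_for(req), "reason": "tunnel established"}
```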

Combining Forefront UAG and DirectAccess can also help organizations with customer-facing portals to handle customer service, for example. It offers a seamless experience for users via a centrally managed gateway. Regardless of where and how they access the portal, customers see a single point of entry.

Businesses that require an even higher level of security can use a combined DirectAccess and Forefront UAG solution to support two-factor authentication technologies like smart cards and tokens. A client-side Attachment Wiper deletes application-specific temporary files from a client’s cache so sensitive information can’t be passed around outside of the organization.

Simplifying remote access increases productivity for end users by delivering the information they need when they need it. The benefits for IT professionals come in the way of a single solution from one vendor to manage and support, and easy, wizard-based administration — all of which adds up to a lower total cost of ownership.