
Forefront UAG Creates a Seamless, Secure Remote Experience

Remote access solutions are often built on products from numerous vendors, creating a headache for IT managers trying to support secure network access for employees and partners. Microsoft has a solution that can help. 


The global nature of business means an increasing number of workers aren’t tied to desks, offices, and regular business hours. It also means that information that resides on the corporate network needs to be available to customers, partners, and vendors.

In the United Kingdom in 2005, 3.1 million people were regular home-based workers. Of these, 2.4 million were teleworkers: people who use computers and telecommunications to work at or from home, according to Flexibility, a website that covers smarter working habits in Europe.

IT administrators can turn to a number of technologies that connect remote workers to data on the corporate network, such as virtual private networks (VPNs), Remote Desktop Protocol, Terminal Services, and remote proxies. At many businesses, remote access is built on products from numerous vendors, creating a headache for IT managers trying to support secure network access for employees and partners.

Microsoft believes the future lies in a world where remote workers have seamless access to the corporate network, without using client software to initiate a connection or experiencing a lag in system response times. As the world continues to shrink and organisations increasingly find the need to share access with partners, branch offices, and vendors, this level of remote access will become a necessity.

Windows 7 and Windows Server 2008 R2 include Microsoft's DirectAccess technology, which is designed to make it easy for Windows network administrators to provide secure access to remote workers. It uses IPv6 (with transition technologies such as Teredo and IP-HTTPS to cross IPv4 networks) to give remote clients an always-on connection to the corporate network, and IPsec policies for authentication and encryption. The IPsec policies let administrators control which remote computers and users can reach specific internal resources; because the remote client is reachable from the intranet over the same tunnel, DirectAccess also supports peer-to-peer applications such as instant messaging and lets administrators manage remote machines.

If all of your clients run Windows 7 (Enterprise or Ultimate editions, which DirectAccess requires) and are joined to the domain, then DirectAccess alone will handle your remote access needs. The problem for IT administrators is that many of the worldwide organisations that could benefit the most from secure remote connections don't have infrastructures that are quite so tidy. It is the rule, rather than the exception, to have multiple versions of Windows and Windows Server alongside non-Windows servers and clients throughout the organisation.

Microsoft Forefront Unified Access Gateway (UAG) is one of the Protection and Access products in Microsoft’s Forefront security portfolio. Forefront UAG, much like DirectAccess, provides secure access to resources inside the corporate network for employees, partners, and clients. Forefront UAG works with a combination of access technologies, including SSL VPN. But when you combine Forefront UAG with DirectAccess, you create powerful, secure, and seamless remote access capability for end users that is also easy to manage for IT administrators.

Because it supports multiple connectivity options, Forefront UAG solves the problems associated with enabling secure remote access to legacy applications and existing infrastructure. It can also enable secure remote access for older versions of Windows and non-Windows systems.

Forefront UAG also adds powerful management capabilities, including granular access policies that can limit the resources being accessed remotely according to user, application, and the health of the device trying to access the network.

Let's examine how the combination of DirectAccess and Forefront Unified Access Gateway works to provide a secure remote access solution for a business with remote workers and branch offices throughout the world.

The business in question wants employees to access applications and information on the corporate network from any device or any location. This includes workers at home offices, salespeople who need to access the network using mobile devices, IT administrators using non-Windows operating systems, branch offices using Windows XP, and a headquarters using Windows 7.

Employees carrying domain-joined Windows 7 PCs issued by headquarters connect to the corporate network automatically, whenever they are away from it, and reach applications and servers through DirectAccess (IPsec over IPv6). Remote or branch office employees using Windows XP or mobile devices initiate a connection through the SSL VPN instead. In either case the client sends its request to the DirectAccess + UAG server together with a statement of health. The server passes the statement to a Network Policy Server (NPS), the Network Access Protection (NAP) component that decides whether the PC or device asking for access is healthy (for example, that its firewall is on and its anti-malware signatures are current). If the client is healthy, the user's credentials are authenticated against Active Directory Domain Services. Once authenticated, the client establishes its secure tunnel session with the DirectAccess + UAG server and, through it, with the protected internal servers.
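As an added example (not code from the original article or from Microsoft), the following PowerShell function collects, on a Windows 7 client that should be using the DirectAccess path described above, the state a practitioner checks first when a user reports no access: whether the client detects itself as outside the corporate network, whether the DirectAccess name resolution policy arrived through Group Policy, which IPv6 transition technology is carrying the traffic, the NAP client state, and the IPsec connection security rules and live security associations. The function and property names are this example's own; the netsh commands are built into Windows 7, and the two string matches assume the English-language output of netsh dnsclient show state. Run it from an elevated prompt.

```powershell
# Added example, not from the original article. Diagnostics for a Windows 7
# domain-joined DirectAccess client, run from an elevated PowerShell prompt
# while the machine is away from the corporate network. Uses only built-in
# netsh commands; the function and property names are this example's own.

function Get-DirectAccessClientState {
    [CmdletBinding()]
    param()

    # Where the client thinks it is. DirectAccess engages only when the probe
    # to the Network Location Server fails and the machine concludes it is
    # "Outside corporate network". (String matches assume English netsh output.)
    $dnsState = netsh dnsclient show state
    $location = ($dnsState | Select-String 'Machine Location') | ForEach-Object { $_.Line.Trim() }
    $daConfig = ($dnsState | Select-String 'Direct Access')     | ForEach-Object { $_.Line.Trim() }

    # Name Resolution Policy Table: the corporate DNS suffixes that must be
    # resolved over the tunnel. Empty output means the DirectAccess Group Policy
    # has not been applied, or the client believes it is on-premises.
    $nrpt = netsh namespace show effectivepolicy

    # IPv6 transition technologies that carry the IPsec traffic across the
    # IPv4 Internet: Teredo (client behind a NAT, UDP 3544) and IP-HTTPS
    # (fallback over TCP 443 when UDP is blocked, e.g. in hotels).
    $teredo  = netsh interface teredo show state
    $iphttps = netsh interface httpstunnel show interfaces

    # NAP client state. With DirectAccess + NAP the health statement is
    # evaluated by NPS and the client receives a health certificate that the
    # IPsec tunnel authentication then requires; the IPsec enforcement client
    # must therefore show as enabled here.
    $nap = netsh nap client show state

    # Connection security rules pushed by Group Policy define the two tunnels:
    # the infrastructure tunnel (computer credentials, available before user
    # logon, used for DNS and domain controllers) and the intranet tunnel
    # (adds the user's credentials after logon, used for everything else).
    $rules = netsh advfirewall consec show rule name=all

    # Live IPsec security associations. With both tunnels up you should see
    # main-mode SAs to the DirectAccess server's public IPv6 addresses and
    # quick-mode SAs for the protected traffic. No SAs at all usually means
    # the transition technology above never came up.
    $mmsa = netsh advfirewall monitor show mmsa
    $qmsa = netsh advfirewall monitor show qmsa

    # New-Object rather than [pscustomobject] so this runs on Windows 7's
    # PowerShell 2.0.
    New-Object PSObject -Property @{
        MachineLocation     = $location
        DirectAccessConfig  = $daConfig
        NrptPolicy          = $nrpt
        Teredo              = $teredo
        IpHttps             = $iphttps
        NapClient           = $nap
        ConnSecRules        = $rules
        MainModeSAs         = $mmsa
        QuickModeSAs        = $qmsa
    }
}

# Usage: print the one-line verdicts first, then the raw sections for the
# help desk ticket.
$state = Get-DirectAccessClientState
$state.MachineLocation
$state.DirectAccessConfig
foreach ($section in 'NrptPolicy', 'Teredo', 'IpHttps', 'NapClient', 'ConnSecRules', 'MainModeSAs', 'QuickModeSAs') {
    Write-Host ""
    Write-Host "===== $section ====="
    $state.$section
}
```

Read the sections in the order they are printed: if the machine still reports itself inside the corporate network, nothing further will be attempted; if the NRPT is empty, Group Policy has not reached the client; if Teredo and IP-HTTPS both show no usable interface, the IPsec SAs will be absent regardless of how the server side is configured.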

Combining DirectAccess with Forefront UAG can also help organisations with customer-facing portals to handle, for example, customer service. It offers a seamless experience for users via a centrally managed gateway. Regardless of where and how they access the portal, customers see a single point of entry.

Businesses that require an even higher level of security can use a combined DirectAccess and Forefront UAG solution to support two-factor authentication technologies such as smart cards and tokens. For SSL VPN sessions, a client-side Attachment Wiper deletes application-specific temporary files from the client's cache when the session ends, so sensitive information is not left behind on machines outside the organisation.

Simplifying remote access makes end users more productive by delivering the information they need when they need it. For IT professionals, the benefits are a single solution from one vendor to manage and support, plus easy, wizard-based administration, all of which adds up to a lower total cost of ownership.