Microsoft delivers feature-rich SSL-VPN

Page 2 of 2

With our own Web applications, we had only one problem, with a Shockwave Flash site, which did not work properly when sent through the SSL VPN. However, JavaScript, and both well- and poorly-constructed HTML, all worked fine.

UAG's protocol translation facility only supports one application, CIFS file servers. Because all CIFS files are seen as a single "file sharing" link in the Web portal, you don't have much granularity of control at the SSL VPN layer. Instead, Active Directory credentials are passed down from the UAG system directly to the file servers and the end file server access controls define what files you can see and which you cannot.

In other words, UAG doesn't restrict access any more than the file servers already do based on group information. What UAG does do is provide access controls based on endpoint security status. For example, the test system we used blocked uploads if your antivirus was not up to spec, but downloads were fine.

We ran into a couple of bugs in the UAG file sharing. When used with a pure Active Directory authentication, everything worked smoothly. However, if we tried to log in to the UAG portal with one set of credentials and use a different set for file sharing, that wouldn't work. We also uncovered a bug when uploading larger files to the UAG file sharing server, with end users getting the dreaded "404 – File or directory not found" error rather than a more informative error message.

Network extension also worked well, with some limitations. UAG supports two different types of network extension. One is based on the original Whale protocol, and the other is based on Microsoft's SSTP protocol. Unfortunately, Whale supports XP and Vista, while SSTP is supported on Vista and Windows 7. This means that any company which has both XP and Vista needs to configure both methods, and have two different access points open.

That's not hard, and we had no problem setting that up. The bigger issue is user training, where Windows 7 users must use a different client and a different procedure than Windows XP users. Also, because SSTP runs over port 443 and the Whale protocol doesn't, help desks may run into issues where one works but the other doesn't because of some intervening firewall.

The final area we tested was port forwarding, a technique for exporting single client-server applications. In Windows clients, this was easy to configure and worked well. We used the most common example, Microsoft's own terminal services, which is elegantly supported by UAG. We also tested VNC, a terminal server used in other operating system environments, and one of our own SQL client-server applications, without problems on Windows platforms.

One of the coolest features of UAG was single application forwarding. Using this feature, we could advertise a single application running on a server through the SSL VPN and keep the end user from getting all the way to the desktop. On our test Windows client system, this worked great. Application forwarding, which is based on an ActiveX control provided by Microsoft, isn't supported except in Internet Explorer browsers. Port forwarding also worked on both of our test Macintosh client systems.

In general, we found that UAG was very interoperable with most Web applications (Flash being the exception), application port forwarding, network extension and application forwarding when used in a Windows environment. We had less success and more frustration in the Mac world. Network managers will be able to use UAG and its associated tools to make their internal networks accessible in a safe and controlled way to staff outside the network boundary.

Portal customization conundrums

One of the main functions of an SSL VPN is to export Web-based applications, so the inevitable itch to tinker and fiddle with how the Web page looks strikes frequently. UAG doesn't make it particularly easy to customize the look-and-feel of the Web pages. Full control is there — as long as you feel comfortable diving into the middle of XML files, ASP.NET pages, and writing your own Javascript and Visual Basic.

A few customizations are easy to do. For example, hiding applications a user cannot access (because, say, they are not allowed to run them) from the portal is an important security consideration. UAG also has the concept of multiple types of devices: personal computers, handheld devices and mobile devices; you can block some applications from showing up on devices that can't support them.
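As an added illustration (not UAG's own code, and not from the review), the following Python sketch shows the two gateway-level controls described above working together: a portal listing filtered by group membership and device class, and an upload/download decision for the file-sharing link gated on endpoint antivirus status, as the tested system did. Group names, application names, device classes and the signature-age threshold are all constructed assumptions.

```python
"""Added illustration, not UAG code: a small portal policy evaluator.

It models two controls the review describes: hiding applications the
user may not run (or the device class cannot support) from the portal
listing, and gating file-sharing actions on endpoint security status
(uploads blocked when antivirus is out of date, downloads still allowed).
All groups, application names, device classes and the signature-age
threshold below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    device_type: str                     # "pc", "handheld" or "mobile"
    av_installed: bool
    av_signature_date: Optional[date]    # None when no AV is reporting


@dataclass(frozen=True)
class Application:
    name: str
    allowed_groups: FrozenSet[str]       # directory groups permitted to use it
    supported_devices: FrozenSet[str]    # device classes that can run it


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]


# Constructed threshold: signatures older than this fail the posture check.
MAX_SIGNATURE_AGE = timedelta(days=7)


def av_up_to_spec(endpoint: Endpoint, today: date) -> bool:
    """Endpoint posture check: AV present and signatures recent enough."""
    if not endpoint.av_installed or endpoint.av_signature_date is None:
        return False
    return today - endpoint.av_signature_date <= MAX_SIGNATURE_AGE


def visible_applications(user: User, endpoint: Endpoint,
                         catalogue: List[Application]) -> List[str]:
    """Portal listing: show only what the user may run on this device class.

    Hiding the rest keeps users from even seeing links they cannot use.
    """
    return [app.name for app in catalogue
            if user.groups & app.allowed_groups
            and endpoint.device_type in app.supported_devices]


def file_share_decision(action: str, endpoint: Endpoint,
                        today: date) -> Tuple[str, str]:
    """Gateway-level decision for the file-sharing link.

    Downloads are passed through; the file server's own ACLs still decide
    what the user can read. Uploads additionally require healthy AV, so an
    out-of-date endpoint cannot push files into the internal share.
    Returns (decision, reason) so the reason can be logged for the help desk.
    """
    if action == "download":
        return "allow", "download permitted; file server ACLs apply"
    if action == "upload":
        if av_up_to_spec(endpoint, today):
            return "allow", "upload permitted; endpoint AV up to spec"
        return "deny", "upload blocked; antivirus missing or signatures stale"
    return "deny", "unknown action %r" % action


# Constructed sample data for a stand-alone run.
TODAY = date(2010, 6, 1)
CATALOGUE = [
    Application("File sharing", frozenset({"staff"}), frozenset({"pc", "handheld"})),
    Application("Terminal services", frozenset({"it-admins"}), frozenset({"pc"})),
    Application("SharePoint", frozenset({"staff"}), frozenset({"pc", "handheld", "mobile"})),
]
ALICE = User("alice", frozenset({"staff"}))
STALE_PC = Endpoint("pc", True, date(2010, 5, 1))      # signatures a month old
FRESH_PC = Endpoint("pc", True, date(2010, 5, 30))     # signatures two days old
MOBILE = Endpoint("mobile", False, None)               # no AV reporting at all

if __name__ == "__main__":
    print(visible_applications(ALICE, STALE_PC, CATALOGUE))   # ['File sharing', 'SharePoint']
    print(visible_applications(ALICE, MOBILE, CATALOGUE))     # ['SharePoint']
    print(file_share_decision("upload", STALE_PC, TODAY))     # ('deny', ...)
    print(file_share_decision("download", STALE_PC, TODAY))   # ('allow', ...)
    print(file_share_decision("upload", FRESH_PC, TODAY))     # ('allow', ...)
```

The point of returning a reason string alongside the decision is the help-desk problem the review raises elsewhere: a user who sees a bare error cannot tell a posture block from a server fault, whereas a logged reason lets the desk distinguish "your antivirus is stale" from "the share is down".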

On the other hand, some customizations that every other SSL VPN makes trivial are painfully difficult. Let's say you want to put your logo on the home page, and change the copyright notice. You can do it, but you have to navigate a 17MB Web site with 325 files and 35 directories to find the files that you need to update. UAG also does not support any user customization of their own portal, such as maintaining a set of personal bookmarks.

Another piece of portal functionality we tested was the single-sign-on capability. UAG makes it easy to provide single sign-on for applications that link to your Active Directory, simplifying the process for end users and probably increasing security along the way.

Other parts of single sign-on, though, such as saving Web-site specific credentials or using a static password for a Web site are not supported well, if at all. This type of authentication simplification is important when UAG is used as a portal to internal Web sites that aren't connected to Active Directory, or when you're using UAG as a reverse proxy portal to gain access to external Web sites. It's not a hard feature to implement — most other SSL VPNs do it just fine — but UAG doesn't have it.

In our testing, links to Web sites — especially Microsoft Web applications such as SharePoint and Exchange — that used cached credentials in Active Directory authenticated fine without requiring the user to re-login. We had varying success with non-Active Directory Web sites, depending on how the Web site requested login credentials.

Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to


This story, "Microsoft delivers feature-rich SSL-VPN" was originally published by Network World.

Copyright © 2010 IDG Communications, Inc.
