Alternatives to Microsoft Forefront Unified Access Gateway

The Internet was hardly stunned by Microsoft’s announcement on December 17, 2013, that it was killing off one of the last remnants of its Forefront product line: Forefront Unified Access Gateway (UAG).

UAG’s sister product, Forefront Threat Management Gateway (or as many know it, ISA Server), was already put out to pasture in 2012, but the silence around the future roadmap for UAG made many uneasy, particularly as UAG used a base install of Threat Management Gateway to secure itself.

Forefront Unified Access Gateway (UAG): What Happened?

In a way, UAG was always a time-bound product. It came to Microsoft as the result of the acquisition of Whale Communications in 2006, serving a purpose that was appropriate at the time: to provide fat clients access to internal services from remote locations. Throughout, Microsoft had been billing UAG as a great product to use as a reverse proxy, publishing internal services out to beyond the edge of the network in a secure, inspected way. With a huge service pack after its release, UAG also served to provide a much-needed shortcut in the Windows Server 2008 R2 era to get the DirectAccess remote access and management solution working without tying yourself in knots. For those companies not interested in deploying DirectAccess, it also made a capable SSL VPN solution for secure work on the go.

Nowadays, however, people need more than fat client solutions. Tablets are everywhere. Devices are personally owned. And most organizations are interested in exposing and publishing services as opposed to working on virtual desktops and VPNs (and there are still great solutions available for both of those latter scenarios). Microsoft didn’t see much use for a standalone UAG product going into the future, so it was canned among its transition to a devices and services company.

4 Forefront UAG Alternatives

That is not much solace to UAG’s installed base. If you are one of those folks, it falls to you to find a replacement solution. Here are four options that may work for your organization.

1. The in-the-box solution: This one just might give you one more excuse to get some Windows Server 2012 R2 licenses. In Microsoft’s newest operating system, the Remote Access role includes a feature called Web Application Proxy that replicates about 65 percent of the technology that Forefront UAG put into place. The reverse proxy feature built into the OS securely publishes internal resources out to the Internet and most deployments of, say, Work Folders or workplace join—key work anywhere features Microsoft put into Windows Server 2012 R2—demand a reverse proxy of some sort. If your publishing needs are fairly simple, then UAG might have been overkill and the Web Application Proxy feature may fill that role just fine. Luckily, it is easy to stand this up in a lab and experiment with it, as all you need on the software front is your OS disc.
2. The existing free solution: In many cases a module for IIS called Application Request Routing, or ARR, can perform reverse proxy services. ARR is a fast, well-written module that can act as a reverse proxy for a variety of situations. In fact it is the recommended solution for publishing internal services, such as an on premises Exchange Server or a Lync Server deployment, in a Windows Server 2012 Essentials or Windows Server 2012 R2 Essentials network. This lets the Outlook Autodiscover and RPC over HTTP features (sometimes known as Outlook Anywhere) work over a box with a single public IP address. ARR plugs right into IIS and goes right back to Windows Server 2008, so if you are not ready to deploy the latest and greatest OS, ARR may well provide a simple reverse proxy function that meets your needs.

1. Third-party reverse proxy solutions:Many popular third-party solutions exist to fill the roles reverse proxies execute for networks—to screen inbound user requests for sensitive services, protect weak internal resources while still allowing them to service users beyond the network boundary, and apply validation and policy while an inbound session is active. Some popular alternatives include the following software:
   • Blue Coat ProxySG Web Application Reverse Proxy
   • F5 Networks BIG-IP Reverse Proxy

   You might, however, be spending big bucks for these solutions.

2. Cobble together an open-source solution: Apache, the open source HTTP web server software, has long support reverse proxies through the mod_proxy module and this has traditionally been used for load balancing purposes and to publish content using an intelligent content delivery network, or CDN. You could potentially use Apache and mod_proxy to cobble something together, but I would recommend ARR or the Web Application Proxy as first resorts for best compatibility and results.

The good news for UAG users in all of this? You will be supported through April 14, 2015, with standard patches and telephone support, and the product enters extended support after that until April 14, 2020 – more than six years from the time of this writing. So the barn is not burning down immediately, but a replacement for UAG should be on your medium term search list.