Forefront UAG is no more

Back in September 2012 I wrote a blog entry explaining what had happened to the Forefront product line.  Except on days when I publish something new it is always the most popular post I’ve done, and over time it is the second most read overall!  In that post I talked about Microsoft’s view on the network edge and the demise of the Forefront Threat Management Gateway (TMG), but didn’t talk at all about the Forefront Unified Access Gateway (UAG).  Today Microsoft announced the End of Life of UAG as well.

For those who know nothing about UAG, it is another network edge product offering.  It originated as a product and company called Whale, and when first brought into Microsoft it was called the Intelligent Application Gateway (IAG).  IAG offered two capabilities.  First, it was an SSL VPN.  Second, it allowed individual applications on an Intranet to be securely published onto the Internet.  With the introduction of UAG in 2009 it also provided some missing pieces of the puzzle for supporting DirectAccess as Microsoft’s alternative to VPNs.

When Windows 7/Windows Server 2008 R2 were under development it was assumed that third-party networking gear would provide the NAT64 and DNS64 support that was needed for most DirectAccess installations, so Windows Server deferred this support to a future release.  However the networking community was slow to provide this support.  The UAG team jumped in with a NAT64/DNS64 solution inside UAG 2010.  Meanwhile it was quickly recognized that the barriers to adoption of DirectAccess were much greater than had been previously assumed and I was asked to drive an effort to figure out how to accelerate adoption.

A team identified the barriers to adoption of DirectAccess, and plans to address them in both the short term and the long term were put in place.  The short-term plan consisted primarily of a massive Service Pack (which really could have been a .1 release) to UAG that added functionality that made it much easier to set up and manage a DirectAccess installation.  The Windows networking team also committed to performance improvements in their service pack and shipping a small management client.  The long-term plan consisted of addressing many of these problems, plus some we couldn’t get to in UAG 2010 SP1, directly in Windows Server.  With the release of Windows Server 2012 UAG went from being almost necessary for deployment of DirectAccess to almost superfluous.

Windows Server 2012 R2 contains its own application publishing capabilities which, I am sure, don’t have the flexibility of UAG’s but do meet the basic need.  So just as UAG replaced TMG in its application publishing role, Windows Server 2012 R2 now replaces UAG’s application publishing role. That would leave UAG as an SSL VPN offering, something that Microsoft never really emphasized and is counter-strategic.

UAG served Microsoft well as a gap-filler product.   But Microsoft’s pull-back from being a full-range security software vendor left UAG nowhere to go in terms of having a mission of its own.  Personally I thought that UAG should become a Windows Server Role and, had I stayed at Microsoft (where I was managing UAG amongst other products at the time I left) I would have pursued that direction.  Apparently that’s approximately what Microsoft did.

I think all the strategically weaker parts of the old Forefront family have now been purged.  What remains has strategic significance within the businesses where they now reside.  So I guess I can say that I don’t expect any more falling footwear.  At least not related to Microsoft’s pullback from becoming a security products vendor.



1 Response to Forefront UAG is no more

  1. Bob - Former DECie says:

    I’m using an UAG SSL VPN on my current project to access a remote TFS Server. Hopefully the client will not mess up the DA configuration like they have the UAG. I can understand an inactivity timeout, but a short hard timeout is just silly. I just love it when I’m in the middle of doing a TFS check-in from VS and the UAG timer goes to zero and I get forcibly logged off the VPN, causing my check-in to fail.
    My employer uses DA and has just about completely eliminated the need for any VPN use. In that sense, I can’t say that the loss of Forefront UAG is a big deal, but Hal, thanks for doing such a good job with the product when it was your baby.
