I have been steadily progressing through my copy of the UAG RAW write book and finally managed to finish chapter 5.
If you are wondering why it took me so long to read the chapter: as always, the never-ending story of being too busy pops up, but hey, that’s not an excuse; time is a matter of making time!
The main reason, apart from time constraints, is that this is currently the longest chapter in the book (36 pages ;-)) and, more to the point, the chapter so far in which I found it hardest to keep my focus.
This chapter is all about SSL tunneling and all the different application templates available to publish non-web content (covered in chapter 4). For people new to SSL tunneling and this concept, you really need to keep your concentration when reading this section. In my opinion it has been the most important part of the book for me so far because, as a long-time ISA/TMG veteran, this is the first chapter that really illustrates the great power of UAG and where it differentiates greatly from ISA/TMG. Let’s face it, UAG is the real edge publishing device and can get just about any of your high-tech or legacy corporate apps out on the public internet in a secure and controllable way, and SSL tunneling is the magic behind it all.
- What I loved:
- Maybe the first thing to mention is that this chapter really illustrates the power of UAG and SSL tunneling, and how this product really differentiates itself from TMG as an edge product for publishing.
- Secondly, you really see the power of UAG: while I was reading and testing all these templates it put a smile on my face, with a “yeehaa, we can use this down at the office” ;-)
- In the second paragraph they really take the time to illustrate that not everything can be done over SSL, and that UAG offers three technologies, NC, SSTP and DA, as workarounds for these types of situations. Throughout the chapter you clearly get the rundown on all of these technologies (except DA, which will be covered in a separate chapter).
- My favorite sentence was on page 114, halfway down the page: “Direct Access is the latest VPN technology from Microsoft…” We have been reading and hearing so much about DirectAccess, and time and time again I have heard the statement that DA is not a VPN technology… Well crap, as great as DA is, and whatever the marketing guys want you to think, DA is all VPN technology, with the big difference that it’s transparent to the end user, and that’s what really makes it great. Under the hood, though, it’s all IPsec and IPsec over HTTPS, plus authentication, validation and encryption. From me to Ben-Ari and Ran, a great thank you for putting this paragraph in the book; you just can’t imagine how many times I have had to argue that DA is just the latest and greatest in VPN technology.
- The information given on client/server applications is just great: you get a rundown of each template, the what, the how, the why and the when. If you read this with care you will know what to use and when.
- I enjoyed the well-illustrated paragraphs on file access publishing, got this feature running in minutes in the lab and have been using it a lot, as it’s just so damned easy. Just a shame you can’t open and directly save documents like you do in SharePoint (it might be worth mentioning in the paragraph that you need to open, save locally and then upload back to the portal).
- What I missed:
- On page 112, in the last paragraph, you will read: “The tunneling component is a part of the UAG client components and is called SSL application tunneling”. It’s very clear that the component you download when you access UAG for the first time is very important, and I’m guessing this is what is meant by UAG client components. My guess at this time is that you download one client component once and that this contains the health checking logic, the SSL tunnel logic and any other logic required by UAG in one neat package. It would be great to get a schematic overview of this component, to know exactly what is in the download package and what each component is responsible for, as this could be a real eye opener.
- Configuring browser embedded applications was for me the most difficult one to understand. When I started reading this I thought: why is this here and not in chapter 4? The screenshot on page 115 was unreadable in my print copy, so I could not really look at it for clues; I read on and then started to get a grasp of it through the fictional example. To be honest, I don’t have an app like this in any environment I work with at this time. I would have loved a reference to a well-known app that uses this template for publishing, if there are any out there. In any case, by the end of that paragraph I knew why it was in here and not in chapter 4, but I don’t think I’ll ever need this template.
- One thing that has become very clear to me while reading this chapter is that UAG has a lot of features in there to make things possible on legacy clients and software that we now take for granted, like VPN tunnels over HTTPS (SSTP) and RPC over HTTPS for Outlook; this only emphasizes how far this product was ahead of its time. On the other hand, this chapter also references a number of features that no longer function correctly with Windows 7, like local drive mapping and NC. For both of these there are solutions in the form of SSTP and the File Access application. And yes, both will do the trick, but still it’s not the same, and it does illustrate a great concern I have had since the release of Windows 7 and IE8. MS is building their software to be top secure, and they should, as this is very important. However, you can see that security is now so tight that apps like UAG can’t cope with it anymore and need workarounds and alternatives to keep functionality running. We could discuss this topic for many hours, but my major concern is that security is so tight now that developers might start to move away from MS as they just can’t get their software to work anymore. In the company where I do most of my work now I have seen this trend over the last 12 months: we used to be standardized on IE, but the software of two of our major cloud service providers has now been specifically built for and supported on Firefox, with NO support for IE anymore, forcing us to deploy Firefox throughout the company to keep the business running. Advocating with the vendor has brought us nowhere. This just illustrates a worry I have had for some time now, both about the security now being offered by MS and about how cloud services are great but you lose when they decide to shift strategy.
- On page 135 you get a nice screenshot of the access control settings for NC. The paragraph clearly illustrated to me what the difference is between split tunneling and non-split tunneling; however, I still don’t get what the difference is between Non-Split tunneling and No Internet access, as both seem to do the same thing to me.
- My problem:
- After configuring SSTP, NC and some other non-web applications I started receiving the below message when activating my configs. It seems the configs still come online, as everything seems to be working, but I don’t have a clue why this popped up, apart from the fact that I might need to add some resources to my test lab?