posted on Wednesday, December 23, 2009 6:09 AM
Microsoft Forefront Unified Access Gateway (UAG) is the evolution of Microsoft’s Intelligent Application Gateway (IAG 2007). Forefront UAG is a secure remote access solution focusing on applying application intelligence and granular access control across applications to enable easy management of access to enterprise applications by mobile and remote employees and partners. Forefront UAG provides centralized management and policy control across all users, devices, and network resources.
Scaling solutions such as Forefront UAG is often challenging because of the unique requirements raised by such solutions, such as routing server-generated connections in situations where the client has a pre-established tunnel to the correct server. This type of connection persistence requires that the infrastructure solutions used to scale and provide high availability for Forefront UAG be application-aware and capable of inspecting messages exchanged between the client and Forefront UAG to ensure existing connections are directed to the appropriate server. Without this ability, the connections could be directed to the wrong server, i.e. a server without knowledge of the existing connection, and the connection would be dropped.
F5's BIG-IP Local Traffic Manager (LTM) can be used to provide scalability and high availability for Microsoft's Unified Access Gateway. When deployed on either side of the UAG servers, BIG-IP's load balancing capabilities can be leveraged to route both incoming and outgoing traffic through the most appropriate UAG server. BIG-IP LTM uses its intelligent traffic engine, iRules, to track client-to-UAG server tunnels and match server-generated connections to the right UAG server.
It requires more than simple load balancing to properly scale and provide the high availability necessary for Forefront UAG, including configurations to load balance both inbound and outbound connections. Such configurations can be complex, depending on the environment, and require both network and application network layer skills. The need for persistence of server-generated connections requires a specific network-side scripting implementation, potentially extending the time to deployment.
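The persistence requirement described above can be modeled in a few lines of Python. This is an added illustration, not F5's iRule or code from the deployment guide; the server names, the idle timeout, and the `2001:db8::` client addresses are assumptions constructed for the example.

```python
import itertools


class TunnelPersistence:
    """Model of the tunnel record shared by the inbound and outbound sides."""

    def __init__(self, servers, idle_timeout=300):  # timeout value is an assumption
        self.servers = list(servers)
        self.idle_timeout = idle_timeout
        self._rr = itertools.cycle(self.servers)
        self._table = {}  # client address -> (server, last_seen)

    def inbound(self, client, now):
        """Client traffic: reuse the live tunnel's server, else pick a new one."""
        entry = self._table.get(client)
        if entry and now - entry[1] <= self.idle_timeout:
            server = entry[0]
        else:
            server = next(self._rr)
        self._table[client] = (server, now)
        return server

    def outbound(self, client, now):
        """Server-generated connection toward a client: follow its tunnel."""
        entry = self._table.get(client)
        if entry is None or now - entry[1] > self.idle_timeout:
            self._table.pop(client, None)  # drop stale state
            return None  # no live tunnel known: refuse rather than guess
        return entry[0]


def simulate(persistent):
    """Count server-generated connections that reach the tunnel's own server."""
    lb = TunnelPersistence(["uag1", "uag2", "uag3"])  # hypothetical pool
    clients = ["2001:db8::%x" % i for i in range(1, 7)]  # constructed sample
    owner = {c: lb.inbound(c, now=0) for c in clients}
    naive = itertools.cycle(reversed(lb.servers))  # ignores tunnel state
    delivered = 0
    for c in clients:
        chosen = lb.outbound(c, now=60) if persistent else next(naive)
        delivered += chosen == owner[c]
    return delivered


if __name__ == "__main__":
    print("persistent:", simulate(True), "of 6 delivered")
    print("stateless :", simulate(False), "of 6 delivered")
```

Expiring idle entries and returning no server for an unknown client keeps a stale record from steering traffic to a UAG server that no longer holds the tunnel.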
To make the configuration of BIG-IP LTM simpler and easy to reproduce, F5 has documented the process in a step-by-step deployment guide specifically for Forefront UAG. The deployment guide provides a complete methodology for configuring and deploying UAG in a highly available, scalable environment, including leveraging IP-HTTPS for additional security.
The deployment guide is available now and can be downloaded here, through F5’s application-specific solution center.