Many of our customers wonder whether it is better to use TMG or UAG for SharePoint publishing, or whether either should be used at all. The answer, while not complex, involves some consideration of the relative capabilities and benefits of both products. This post gives a high-level overview of the key differences between the two, which should answer these questions.
Technically, you can use either TMG or UAG to publish SharePoint to the outside world. The difference lies in how the application is presented to end users. TMG is a web proxy, firewall, and VPN solution, whereas UAG is primarily a remote access solution for users. When publishing SharePoint through TMG, you let users connect to a specific URL for the SharePoint site and present them with an authentication form asking for their credentials. When using UAG, on the other hand, users log in to a portal and then directly access the set of applications they are authorized to use.
Thus, publishing SharePoint through UAG uses a single URL for access to a portal that holds all the published applications. This is unlike TMG, which uses a separate URL for each published application.
Another big difference is the level of customization available in TMG vs. UAG. UAG is far more customizable than TMG: businesses that want to brand their external-facing web pages and login forms with their own color scheme and logo can do so. UAG uses ASP pages and JavaScript to build its portal pages, so a developer with a little knowledge of these languages can easily customize the look and feel of the pages.
Ultimately, the biggest difference is that UAG uses endpoint policies to allow or deny access for uploading or downloading documents from the SharePoint sites. The screenshot below gives a better picture of the endpoint policies available in UAG when publishing SharePoint. Using the “Access Policy,” UAG can determine who should have access to the SharePoint site. Let’s suppose you want only domain-joined machines to access the SharePoint site. To do this, you would need a VBScript that identifies whether a machine is in a workgroup or joined to the domain. There are plenty of scripts available on the internet which you may use for reference. Then, follow the steps listed at http://technet.microsoft.com/en-us/library/ff607423.aspx. Once the script is created and working as expected, the access policy can be created following the steps at http://technet.microsoft.com/en-us/library/dd857309.aspx. Finally, use the created access policy when publishing the SharePoint site under “Endpoint policy settings.”
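As an added example (not code from the original post or from the UAG product), here is a standalone VBScript that classifies the local machine as domain joined, joined to a different domain, or in a workgroup, using the WMI class Win32_ComputerSystem. The expected domain name “CORP.EXAMPLE.COM” is a placeholder, and the echo at the bottom is only a test harness; the exact way a result is handed back to UAG follows the TechNet article linked above and is not reproduced here.

```vbscript
' Added example: detect domain membership for use as a UAG endpoint check.
' Assumption: "CORP.EXAMPLE.COM" stands in for the real corporate domain.
Option Explicit

Function GetDomainJoinStatus(expectedDomain)
    ' Returns "joined" when the machine is a member of expectedDomain,
    ' "foreign-domain" when it is joined to some other domain,
    ' "workgroup" when it is not domain joined, and "unknown" if WMI fails.
    Dim objWMI, colItems, objItem
    GetDomainJoinStatus = "unknown"

    On Error Resume Next
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    If Err.Number <> 0 Then Exit Function
    Set colItems = objWMI.ExecQuery( _
        "SELECT PartOfDomain, Domain FROM Win32_ComputerSystem")
    If Err.Number <> 0 Then Exit Function
    On Error GoTo 0

    ' Win32_ComputerSystem has exactly one instance on a normal machine.
    For Each objItem In colItems
        If objItem.PartOfDomain Then
            ' Compare case-insensitively: corp.example.com and CORP.EXAMPLE.COM match.
            If StrComp(objItem.Domain, expectedDomain, vbTextCompare) = 0 Then
                GetDomainJoinStatus = "joined"
            Else
                ' Domain joined, but not to the corporate domain (e.g. a lab or partner domain).
                GetDomainJoinStatus = "foreign-domain"
            End If
        Else
            GetDomainJoinStatus = "workgroup"
        End If
    Next
End Function

' Test harness for running under cscript before wiring the function into UAG.
' Inside the UAG detection component the WScript object is not assumed to exist,
' so replace this echo with the result assignment described in the TechNet article.
Dim status
status = GetDomainJoinStatus("CORP.EXAMPLE.COM")
WScript.Echo "Domain join status: " & status
```

Because the check runs on the client endpoint, treat its result as a compliance signal that complements UAG authentication rather than as proof of the machine’s identity; checking the domain name, not just PartOfDomain, avoids admitting machines joined to an unrelated domain.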
Another point is that most companies would prefer that their users access corporate resources like SharePoint or OWA from company-owned devices. But that is not always what happens. Users may access corporate resources from kiosks installed at airports, hotspots in coffee shops, or their home machines. Deleting the session history from machines that aren’t fully managed by corporate IT becomes a constant challenge. UAG helps enforce your compliance policies by making sure that only compliant machines connect to corporate resources through the UAG portal. Furthermore, the attachment wiper in UAG deletes the session history when the portal is closed, even when it is closed accidentally.
UAG clearly has an edge over TMG in publishing SharePoint and other resources, but TMG has its own strengths in the areas where it is best used: the web proxy and URL filtering components. TMG is exceptionally strong in that space and stands out from the rest of the proxy server solutions on the market.