With the release of UAG, our customers are finally able to install the product on any computer, as opposed to the previous releases that were available as an appliance or a pre-configured Virtual Machine. This is good news, but also carries a risk. A lot of customers think that if this is just some piece of software that you can install, then why not use the same server to do some other stuff, and conserve some resources.

Indeed, this is tempting, but from a supportability perspective, this is a big problem. A unique trait of UAG is that it doesn’t work on its own. UAG integrates tightly with several other components, and that makes the whole thing much more sensitive. When you configure a UAG server, it automatically configures other components, like the TMG firewall server that comes along with it, as well as IIS. TMG itself may need to configure the RRAS service, and so on. Because of this “chain of command” within the server, even a minor change to one of the components could cause a lot of damage to the system. For example, if the user is tempted to add some policy rule to TMG, it may conflict with a UAG-created rule, leading to some feature or application being unusable. An even worse case could be that the configuration becomes less secure and exposes the server to attack.

Microsoft’s support policy dictates very clearly that the administrator should never attempt to configure any component on the server except the UAG management console, unless directly instructed to do so by a Microsoft support engineer or official documentation. This also means that installing additional software on the server is not supported, so if you planned on hosting a TeamSpeak server on it, better think again. This is somewhat similar to the old “warranty sticker” on appliances – if you decide to open up a TV and stick an espresso machine in it, it might invalidate the warranty. Again, this is not because we want you to have a hard time or spend more money – it’s because the introduction of additional software into the picture could make it hard or even impossible for support engineers to figure out what’s wrong with the server if it blows up. For example – installing certain applications can replace some of the system’s networking components, which are a critical part of UAG. A different component might process data differently, and cause communication problems that make no sense. If this happens, Microsoft Technical Support may not be able to tell exactly which files have been replaced, and so may be unable to help.

Despite all this, sometimes it is necessary to install some things on servers, and we recognize that. For example, installing an antivirus product is definitely a good idea. To that end, Microsoft does approve of installing antivirus and anti-malware tools. These applications may require that certain folders and files be excluded from the scan, and the list is covered (and updated) here: http://technet.microsoft.com/en-us/library/cc707727.aspx

A more problematic question surrounds the installation of other management software. For example, what about system or driver support software, like Virtual Machine extensions, hardware drivers that come as an installable package, or system management utilities? Unfortunately, this, although sometimes necessary, still falls under the same category as any other software, and is not supported. Microsoft is certainly not in a position to forbid you from doing anything, but if you do choose to install additional software on a UAG server, you might end up with an unsupported or unsupportable system. In such a case, Microsoft support may have to ask you to uninstall these additions before you can receive support for your server.