UAG NLB Array for DirectAccess Edge Firewall Configuration


  • Tuesday, 15 May 2012 08:50

    Hi

    We've set up a 2-server UAG NLB array for use with DirectAccess, sat behind an edge firewall.

    We have two VIPs with public internet addresses, e.g. 1.2.3.4 and 1.2.3.5.

    Each UAG server also has a DIP with a public internet address, so UAG1 is 1.2.3.6 and UAG2 is 1.2.3.7.

    Presently we only have the following ports open (inbound and outbound) on the VIPs (1.2.3.4 and 1.2.3.5):

    - Protocol 41

    - UDP 3544

    - TCP 443

    Do we need to open any ports on the DIPs (1.2.3.6 and 1.2.3.7)? And do the DIPs and VIPs need to be able to pass traffic to and from each other within that subnet?

    Any help greatly appreciated.

    Cheers

    Chris


    • Edited by cdglloyd Tuesday, 15 May 2012 08:53

All replies

  • Tuesday, 15 May 2012 09:40
     Answered

    Hi,

    Only the 3 ports you have opened for the VIPs are correct and needed for inbound and outbound comms.

    If you are "Windows Updating" directly to MS then you would need 80 and 443 from the DIPs outbound.

    Is there a firewall between the two UAG nodes? I have never blocked any traffic within the public subnet.


    Regards, Rmknight

    • Marked as answer by cdglloyd Wednesday, 16 May 2012 15:43
  • Tuesday, 15 May 2012 12:29

    Do you have a firewall on the "inside" part of your connection as well? Make sure you do not block traffic between the two nodes; otherwise you will get errors when trying to activate and establish the NLB.

  • Tuesday, 15 May 2012 13:05

    Hi

    Thanks for the replies.

    There's no firewall on the internal side. I'm confirming with our firewall guys that all traffic is free to communicate between all the external DIPs and VIPs. However, the NLB claims to have been created correctly.

    Currently the Connectivity Assistant on the client just states "Cannot Contact the DirectAccess Server", and the logs simply state Teredo is "Offline" and IPHTTPS "Failed to Connect to the IPHTTPS Server. Waiting to Reconnect".

    I'm beginning to suspect the firewall config for the external VIPs has not been set up right.

    Is there any way that I can check the ports are opened correctly, e.g. if I go to https://da.domain.com/IPHTTPS or https://1.2.3.4/IPHTTPS (the first VIP) in IE, should that produce anything?

    At present I don't get anything (Page cannot be displayed), and I don't even get a certificate warning when going to https://1.2.3.4/IPHTTPS, which I would expect if there was anything presenting a certificate there marked as da.domain.com.

    Thanks

    Chris

  • Tuesday, 15 May 2012 13:24
     Answered

    Sounds like you are on the right track. That is exactly how I usually test: I enter the IP-HTTPS URL into an IE browser from a DA client computer out on the internet and see what happens. You want to enter that URL exactly as specified in the DCA log file (https://gateway.company.com:443/IPHTTPS) - make sure to include the ":443" even though IE removes it; I have seen random results if you do not include it.

    What you should see when browsing that site is a 403 page with no certificate warnings. Anything else and there's your problem. Make sure your DNS name is pointed at the primary VIP, but assuming that is correct, this is almost certainly a firewall problem.

    • Marked as answer by cdglloyd Wednesday, 16 May 2012 15:43
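An added example, not code from the thread: a Python probe that automates the browser check described in the answer above (DNS pointing at the primary VIP, TCP 443 reachable through the edge firewall, a certificate the client trusts, HTTP 403 from /IPHTTPS) and separates the failure stages so a "Page cannot be displayed" can be attributed to firewall/routing, certificate, or listener. The hostname da.domain.com and VIP 1.2.3.4 are the thread's own placeholders; the function names are assumptions of this example.

```python
import socket
import ssl

# Constructed placeholders taken from the thread; substitute your DA name and primary VIP.
DA_HOSTNAME = "da.domain.com"
PRIMARY_VIP = "1.2.3.4"


def probe_iphttps(hostname, timeout=5.0):
    """Collect what the browser test exercises: DNS, TCP 443 through the edge
    firewall, a verified TLS handshake (failure = certificate warning), and
    the HTTP status the listener returns for /IPHTTPS."""
    obs = {"resolved_ip": None, "tcp_443": False, "tls_ok": False,
           "status": None, "error": None}
    try:
        obs["resolved_ip"] = socket.gethostbyname(hostname)
        with socket.create_connection((hostname, 443), timeout=timeout) as raw:
            obs["tcp_443"] = True
            ctx = ssl.create_default_context()  # trust store plus hostname check
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                obs["tls_ok"] = True
                # Request the URL form from the DCA log, with the explicit :443.
                req = (f"GET /IPHTTPS HTTP/1.1\r\nHost: {hostname}:443\r\n"
                       "Connection: close\r\n\r\n")
                tls.sendall(req.encode("ascii"))
                parts = tls.makefile("rb").readline().decode("latin-1").split()
                if len(parts) >= 2 and parts[1].isdigit():
                    obs["status"] = int(parts[1])
    except OSError as exc:  # covers DNS, socket timeout and ssl.SSLError failures
        obs["error"] = f"{type(exc).__name__}: {exc}"
    return obs


def evaluate_iphttps(obs, expected_vip):
    """Map observations to the thread's expected result (DNS at the primary VIP,
    TCP 443 open, clean TLS, HTTP 403). An empty list means healthy."""
    findings = []
    if obs["resolved_ip"] != expected_vip:
        findings.append(f"DNS resolves to {obs['resolved_ip']}, expected primary VIP {expected_vip}")
    if not obs["tcp_443"]:
        findings.append("TCP 443 unreachable: edge firewall or routing to the VIP")
    elif not obs["tls_ok"]:
        findings.append("TLS handshake failed (browser would show a certificate warning)")
    elif obs["status"] != 403:
        findings.append(f"Expected HTTP 403 from /IPHTTPS, got {obs['status']}")
    return findings


if __name__ == "__main__":
    result = probe_iphttps(DA_HOSTNAME)
    print(result, evaluate_iphttps(result, PRIMARY_VIP) or ["OK"])
```

This only exercises the IP-HTTPS path; Teredo (UDP 3544) and 6to4 (protocol 41) on the VIPs need separate checks.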
  • Wednesday, 16 May 2012 15:47

    Thanks for the help

    Turned out it was to do with the way that VMware was connecting to the DMZ and the routing between the two. In short, neither of the UAG boxes was passing traffic correctly to the internet. So whilst the firewall settings were correct, the traffic never made it to the UAG devices.

    Cheers

    Chris