UAG DirectAccess and External Load Balance - Doubts
-
Tuesday, September 04, 2012 6:32 AM
Hi Guys
I'm setting up a UAG with External Load Balance and got some doubts, below my setting:
UAG1 Array Manager:
External NIC:
164.85.y.10
164.85.y.11
Gateway: Load Balancer IP (164.85.y.150)
Internal NIC: 10.30.162.198
Gateway: NONE
UAG2 Array Member:
External NIC:
164.85.y.13
164.85.y.14
Gateway: Load Balancer IP (164.85.y.150)
Internal NIC: 10.30.162.199
Gateway: NONE
External VIP Load Balance
Illustrative
190.0.0.1 and 190.0.0.2
I read in the links below that it is necessary to manually set IPv6 on the internal interface of the servers UAG1 and UAG2
http://blog.msedge.org.uk/2010/05/path-to-directaccess-part-2-thinking.html
http://blogs.technet.com/b/edgeaccessblog/archive/2010/05/17/configuring-an-external-load-balanced-uag-directaccess-array-for-an-ipv4-only-network.aspx
Internal Interface UAG1 Array Manager:
IPv6 2002:be00:1:8000::a1e:a2c6
Prefix 49
gateway 2002:be00:1:8000::1
and
Internal Interface UAG2 Array Member
IPv6 2002:be00:1:8000::a1e:a2c7
Prefix 49
gateway 2002:be00:1:8000::2
Prefix UAG DirectAccess Wizard: Is this setting right? Is something missing?
My biggest doubt about this issue is whether putting ISATAP on another server affects users. Is it mandatory?
I don't understand this part:
"If the Forefront UAG DirectAccess server is currently configured as an ISATAP router and you want to continue using ISATAP, move the ISATAP router function to a separate computer."
http://technet.microsoft.com/en-us/library/ee690463.aspx
Can someone tell me if it is mandatory?
Robson Hasselhoff - Follow me @Robk9e
- Edited by Robson de Carvalho Tuesday, September 04, 2012 6:35 AM
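The addresses in the question follow a fixed pattern: the 6to4 /48 is derived from the external VIP, the internal /49 is the upper half of that /48, and each server's internal IPv6 address embeds its internal IPv4 address in the low 32 bits. The following PowerShell is an added example (not code from the thread, from UAG, or from the linked articles) that recomputes those values from the illustrative VIP 190.0.0.1 and the internal IPv4 addresses, and checks that each address actually falls inside the prefix it is assigned to. The function names are assumptions; it only needs PowerShell 2.0 and .NET, so it runs on a 2008 R2 box.

```powershell
# Added example: derive the 6to4-based prefixes used in the question and check
# that the internal IPv6 addresses and gateways sit inside the /49.
# Function names and sample values are assumptions for illustration.

function ConvertTo-HexGroups([string]$IPv4) {
    # An IPv4 address becomes two 16-bit hex groups (e.g. 10.30.162.198 -> a1e, a2c6)
    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    @(('{0:x}' -f ($b[0] * 256 + $b[1])), ('{0:x}' -f ($b[2] * 256 + $b[3])))
}

function Get-6to4Prefix([string]$PublicIPv4) {
    # 6to4: 2002:WWXX:YYZZ::/48 where WWXX:YYZZ is the public IPv4 address in hex
    $g = ConvertTo-HexGroups $PublicIPv4
    "2002:$($g[0]):$($g[1])::/48"
}

function Get-InternalIPv6([string]$SubnetPrefix, [string]$InternalIPv4) {
    # Embed the internal IPv4 address in the low 32 bits of the given subnet,
    # e.g. '2002:be00:1:8000::/49' + 10.30.162.198 -> 2002:be00:1:8000::a1e:a2c6
    $g = ConvertTo-HexGroups $InternalIPv4
    $base = $SubnetPrefix.Split('/')[0].TrimEnd(':')
    "${base}::$($g[0]):$($g[1])"
}

function Test-IPv6InPrefix([string]$Address, [string]$Prefix) {
    # Bitwise prefix match: compare only the first $len bits of both addresses
    $parts = $Prefix.Split('/')
    $len = [int]$parts[1]
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $p = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    for ($i = 0; $i -lt 16; $i++) {
        $bits = [Math]::Max(0, [Math]::Min(8, $len - 8 * $i))
        if ($bits -eq 0) { return $true }          # all significant bits compared
        $mask = 256 - [int][Math]::Pow(2, 8 - $bits)  # top $bits bits of the byte
        if (($a[$i] -band $mask) -ne ($p[$i] -band $mask)) { return $false }
    }
    return $true
}

# --- Values from the question (VIP is illustrative, as in the post) ---
$vip      = '190.0.0.1'
$org48    = Get-6to4Prefix $vip                      # 2002:be00:1::/48
$lan49    = '2002:be00:1:8000::/49'                  # upper half of the /48, used on the LAN
$servers  = @{ 'UAG1 (array manager)' = '10.30.162.198'
               'UAG2 (array member)'  = '10.30.162.199' }
$gateways = @('2002:be00:1:8000::1', '2002:be00:1:8000::2')

Write-Host "6to4 prefix from VIP $vip : $org48"
Write-Host "LAN /49 inside the /48  : $(Test-IPv6InPrefix $lan49.Split('/')[0] $org48)"

foreach ($name in $servers.Keys) {
    $v6 = Get-InternalIPv6 $lan49 $servers[$name]
    $ok = Test-IPv6InPrefix $v6 $lan49
    Write-Host ("{0,-22} {1,-15} -> {2,-30} in {3}: {4}" -f $name, $servers[$name], $v6, $lan49, $ok)
}
foreach ($gw in $gateways) {
    Write-Host ("gateway {0,-22} in {1}: {2}" -f $gw, $lan49, (Test-IPv6InPrefix $gw $lan49))
}
```

Running it on the values above reproduces 2002:be00:1:8000::a1e:a2c6 and 2002:be00:1:8000::a1e:a2c7 and reports every address as inside 2002:be00:1:8000::/49. The same helper can be pointed at any other prefix you plan to use on the LAN (for example an ISATAP /64 on a separate router) to confirm it does not overlap the /49.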
All Replies
-
Tuesday, September 04, 2012 11:32 AM
Hi
Your IPv6 prefix configuration seems to be right. The warning is not a problem. Because you configured an IPv6 address on your internal interface, UAG considers that there is no need to enable an ISATAP router. For your end users, this would not be a problem because they will access internal resources using NAT64/DNS64. But you will have a problem with remote management (remote desktop to a DirectAccess client connected on the Internet). In this situation, you no longer have IPv6 connectivity on the LAN (previously provided by the ISATAP router configured on your UAG box). To restore the manage-out scenario, you must deploy your internal ISATAP router. It can be a simple Windows 2008 R2 box with one or two network cards.
Have a look at this: http://www.windowsnetworking.com/articles_tutorials/configuring-isatap-router-windows-server-2008-r2-part1.html. Once your ISATAP router is configured, just enable IPv6 routing on the UAG box with the configurelocalhosttoIPv6Policy.VBS script and enable forwarding on the LAN interface of your UAG box, and it will work like a charm.
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
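To make the "separate ISATAP router" concrete, here is an added PowerShell example of the netsh configuration such a box needs, plus the matching route on the UAG side. It is not code from the thread, from UAG, from the configurelocalhosttoIPv6Policy.VBS script, or from the linked article. Everything below is an assumption chosen to fit the addressing in the question: the ISATAP router is a dedicated Windows Server 2008 R2 host with one LAN NIC at 10.30.162.10, the ISATAP client subnet is 2002:be00:1:1::/64 (inside the organisation's 2002:be00:1::/48 but outside the 2002:be00:1:8000::/49 used on the UAG internal interfaces), the LAN interface is called "Local Area Connection", and the default route points at UAG1's internal IPv6 address from the question. Run it as Administrator.

```powershell
# Added example: configure a stand-alone ISATAP router on Windows Server 2008 R2
# and the matching route on the UAG box. All addresses and names are assumptions.
param(
    [string]$RouterIPv4    = '10.30.162.10',                # ISATAP router LAN address (assumed)
    [string]$RouterIPv6    = '2002:be00:1:8000::a1e:a20a',  # same host, embedded in the LAN /49 (assumed)
    [string]$IsatapPrefix  = '2002:be00:1:1::/64',          # prefix handed to ISATAP clients (assumed)
    [string]$LanIfName     = 'Local Area Connection',       # LAN NIC name (assumed)
    [string]$UagInternalV6 = '2002:be00:1:8000::a1e:a2c6'   # UAG1 internal IPv6, from the question
)

function Invoke-Netsh([string[]]$NetshArgs) {
    # Run netsh with an argument array so interface names with spaces survive
    Write-Host "netsh $($NetshArgs -join ' ')"
    $out = & netsh.exe @NetshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $($NetshArgs -join ' ')`n$out" }
    $out
}

function Get-IfIndex([string]$NamePattern) {
    # Parse 'netsh interface ipv6 show interfaces' (Idx Met MTU State Name)
    foreach ($line in (& netsh.exe interface ipv6 show interfaces)) {
        if ($line -match "^\s*(\d+)\s+\d+\s+\d+\s+\S+\s+($NamePattern)\s*$") { return [int]$Matches[1] }
    }
    throw "No interface matching '$NamePattern' found"
}

function Set-IsatapRouter {
    # 1. Turn ISATAP on and point this host at its own LAN address so the
    #    isatap.* tunnel interface comes up.
    Invoke-Netsh @('interface', 'isatap', 'set', 'state', 'enabled') | Out-Null
    Invoke-Netsh @('interface', 'isatap', 'set', 'router', $RouterIPv4) | Out-Null
    Start-Sleep -Seconds 3

    $isatapIdx = Get-IfIndex 'isatap\..*'
    $lanIdx    = Get-IfIndex ([regex]::Escape($LanIfName))

    # 2. Give the LAN NIC a native IPv6 address inside the same /49 the UAG servers use,
    #    so the UAG box can route to this router natively.
    Invoke-Netsh @('interface', 'ipv6', 'add', 'address', "interface=$lanIdx", "address=$RouterIPv6/49") | Out-Null

    # 3. Forward between the ISATAP tunnel and the LAN, and advertise on the tunnel.
    Invoke-Netsh @('interface', 'ipv6', 'set', 'interface', "$isatapIdx", 'forwarding=enabled', 'advertise=enabled') | Out-Null
    Invoke-Netsh @('interface', 'ipv6', 'set', 'interface', "$lanIdx", 'forwarding=enabled') | Out-Null

    # 4. Publish the ISATAP prefix on the tunnel (published routes are what the
    #    router advertises to ISATAP clients) and a published default route
    #    towards the UAG box, so DirectAccess client prefixes are reachable.
    Invoke-Netsh @('interface', 'ipv6', 'add', 'route', "prefix=$IsatapPrefix", "interface=$isatapIdx", 'publish=yes') | Out-Null
    Invoke-Netsh @('interface', 'ipv6', 'add', 'route', 'prefix=::/0', "interface=$lanIdx", "nexthop=$UagInternalV6", 'publish=yes') | Out-Null

    Write-Host "ISATAP router ready: tunnel ifIndex $isatapIdx, LAN ifIndex $lanIdx"
}

function Set-UagSideRoute([string]$UagLanIfName = 'Internal') {
    # Run on each UAG array member: forward on the LAN NIC and route the ISATAP
    # client prefix to the separate router. (The thread uses
    # configurelocalhosttoIPv6Policy.VBS for the UAG side; this is a plain netsh stand-in.)
    Invoke-Netsh @('interface', 'ipv6', 'set', 'interface', $UagLanIfName, 'forwarding=enabled') | Out-Null
    Invoke-Netsh @('interface', 'ipv6', 'add', 'route', "prefix=$IsatapPrefix", "interface=$UagLanIfName", "nexthop=$RouterIPv6") | Out-Null
}

# DNS prerequisites (assumed Windows DNS, zone name is a placeholder): ISATAP clients
# look up the name 'isatap', which Windows DNS blocks by default via the global
# query block list, so remove it and add the A record on the DNS server:
#   dnscmd <dnsserver> /config /globalqueryblocklist wpad
#   dnscmd <dnsserver> /recordadd <zone> isatap A 10.30.162.10

Set-IsatapRouter
# On each UAG server instead:  Set-UagSideRoute -UagLanIfName 'Internal'
```

Two caveats that follow from the rest of the thread: the default route above can only point at one UAG server, which is exactly the single-server limitation described later for arrays behind an external load balancer without internal load balancing, and the ISATAP router must not also be the NLS under the same name (the reply below notes separate names are needed if one box hosts both roles).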
-
Tuesday, September 04, 2012 11:49 PM
Do you actually need/want the Manage Out scenario?
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Wednesday, September 05, 2012 7:35 AM
That's a good question.
With NAT64/DNS64 most manage-out capabilities are available. The only exception is when your management solution needs to contact your DirectAccess client without client solicitation. If you only need remote assistance, you can perform it from a DirectAccess client. It has an IPv6 connection. The only thing to know is that by design communication between DirectAccess clients is not secured. An additional connection security rule will solve this problem.
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
-
Wednesday, September 05, 2012 2:25 PM
Thanks all for replies ;)
I need to use Bongar for support, but the Bongar consultant says that the Bongar appliance does not initiate the connection to the client, so the solution will not work. Does anyone know how the Bongar solution works together with UAG DirectAccess?
One more doubt: can I use the NLS server to function as the ISATAP router?
Thanks BenoitS and Jason .. =D
Robson Hasselhoff - Follow me @Robk9e
-
Wednesday, September 05, 2012 3:08 PM
For NLS on ISATAP, it is technically possible as long as you use separate names for the NLS and the ISATAP router name.
Concerning your Bongar appliance, if it does not initiate connections to clients, this means that clients initiate communication with the appliance. In this case, this should work with NAT64/DNS64 unless your appliance does not like NAT64/DNS64.
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
-
Friday, September 14, 2012 7:41 PM
We're using KEMP LM2600 load balancers, and there doesn't appear to be a way to go from ISATAP router --> KEMP HLB --> correct UAG server containing the DA client session --> DA client. I've read articles that state you don't need an internal load balancer on an IPv4-only internal network. However, with an array you can only route ISATAP to one UAG server or the other (if not load balancing internally). The IPHTTPS prefix on the UAG array servers is identical (unlike with Windows NLB), so you can't set up multiple IPHTTPS routes on the ISATAP router. However, the F5 load balancer has technology that can handle this scenario by storing the DA client / server session information, and allowing it to be referenced when attempting to manage out. I was trying to determine how to manually change the IPHTTPS prefix on one of the UAG servers, but haven't found a way. I just thought I'd mention this as my configuration is similar to Robson's, and I appear to be stuck using one UAG array server for DA, as a result of this ISATAP routing issue.