UAG Direct Access multiple sites

    Question

  • Hi,

    Has anybody thought about a situation where you would have two UAG DirectAccess access points, one for example in Finland and another one in the US? So that all US users would be directed to the US site and European users to the Finnish site.

    If I understand correctly, currently you cannot have two separate UAG DirectAccess servers. You could have an array of UAG servers, one located in Helsinki and another in the US.

    Windows NLB could not handle this of course, but maybe some hardware load balancer could direct traffic to the appropriate UAG server according to source IP or something?

    Here is something: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/644ffe63-ca16-4f63-819c-25fcf8c3b7f5

    but fault tolerance is not my main purpose. Thomas says there will be some official statements about this issue...

    Is there ?

    Would really appreciate any ideas !

    Thanks !

    Tuesday, December 28, 2010 5:53 PM

Answers

  • In your diagram you have all of the IPv6 addresses and the Intranet Prefix based on the External IP of the UAG boxes, and you have External IPs for each location that are in the same IP address range. What do you do if your External IP for, say, Asia is completely different from the External IP in the other site that the Intranet Prefix was calculated from? How do you calculate the Intranet Global Prefix if the External IPs are not in the same IP range on the UAG boxes? I apologize for my IPv6 ignorance, but I'm trying to set this up with a location in NA and a location in Asia and I can't find any good documentation on exactly how to do it with the External ISATAP routers.

    Thanks,


    allen

    Wednesday, August 24, 2011 8:24 PM

All replies

  • Currently, as I understand it, the only way to have multiple entry points to your domain using DirectAccess is to have different sub-domains at those locations.

    http://technet.microsoft.com/en-us/library/ff625682(WS.10).aspx

    There haven't been any "official statements" on changes to this topology yet, but keep an eye on Tom's blog as I would expect it to show up there first.


    MrShannon | TechNuggets Blog | Concurrency Blogs
    Monday, January 03, 2011 5:20 PM
  • Hi,

    With UAG SP1 you can use DirectAccess in multiple sites or domains:
    http://technet.microsoft.com/en-us/library/gg295322.aspx


    Kind regards, Carsten
    Monday, January 03, 2011 8:40 PM
  • Hi guys,

    I think this is what you might be looking for:

    http://blogs.technet.com/b/edgeaccessblog/archive/2010/12/01/supporting-business-continuity-disaster-recovery-and-multi-site-scenarios-with-uag-2010-rtm-and-uag-2010-service-pack-1.aspx

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Tuesday, January 04, 2011 2:20 PM
    Moderator
  • Hi,

    We have an IPv4-only intranet and UAG is our ISATAP router.

    "You would install multiple UAG DirectAccess servers or arrays and apply the DirectAccess client and server settings by using different GPOs (which are specific to the particular UAG DirectAccess server or array) and assigning those GPOs to different OUs or security groups."

    Seems like "the not so hard at all situation" (famous words...), at least with SP1. :)

    Can we create an array _after_ DirectAccess is configured on UAG?

    A two-node array for UAG in Finland and the same for the US site?

    Thanks !

    Tuesday, January 04, 2011 2:48 PM
  • Hi Oraat,

    Well, you know by now that nothing is really *easy* :)

    However, in the IPv4 only scenario, you create different arrays - one for each location.

    So you would configure an array in Finland and create Finland DA GPOs and another separate array in the USA and create USA GPOs.

    Then you assign the DA clients to security groups or OUs, and apply the GPOs to the appropriate security group or GPO.

    Make sense?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, January 05, 2011 4:40 PM
    Moderator
  • Tom, considering that ISATAP essentially brings up a pseudo-IPv6 environment on the intranet, doesn't that also mean he would have to eliminate ISATAP from his deployment and rely exclusively on the NAT64/DNS64 features of UAG to be a true "IPv4 only" network?

    See below (Oraat, not Tom, obviously :) ) for the side effects of not implementing ISATAP:

    http://blogs.technet.com/b/tomshinder/archive/2010/10/01/is-isatap-required-for-uag-directaccess.aspx


    MrShannon | TechNuggets Blog | Concurrency Blogs
    Thursday, January 06, 2011 1:24 AM
  • Could each UAG server not be the ISATAP router for that location? As it would probably have a different public IPv4 address, this should create a unique IPv6 address space for ISATAP for each location...not something I have tried/tested...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, January 06, 2011 9:06 AM
    Moderator
  • If all OSs and services are IPv4 only, there is no reason to even consider ISATAP at this time. But you can still deploy ISATAP and take advantage of NAT64. For the resources that are IPv4 only, NAT64 will be used. For resources that are ISATAP enabled, the DirectAccess clients can connect to those resources using the ISATAP IPv6 address. However, as you pointed out, if you go completely with IPv4-only and no ISATAP or native IPv6, there is limited manage-out capability.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, January 06, 2011 1:20 PM
    Moderator
  • Hi Jason,

    Ben and I have worked out the Test Lab Guide network diagram for this - I'll publish it today on my blog for everyone's review. One of the things you need to do if you want to deploy ISATAP in a multi-site configuration is to have dedicated ISATAP routers for each of the UAG DirectAccess servers or arrays, and then set up the on-link connection and prefix for each site's UAG DirectAccess server/array and ISATAP router. It'll be clearer when you see the network diagram later today (or tonight for you).

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, January 06, 2011 1:23 PM
    Moderator
  • Cool, sounds good...so you need an external ISATAP router as opposed to using UAG?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, January 06, 2011 1:39 PM
    Moderator
  • Yep.

    Check out the network diagram at:

    http://blogs.technet.com/b/tomshinder/archive/2011/01/07/hey-edge-man-how-is-that-multi-site-test-lab-guide-and-document-coming-along.aspx

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Saturday, January 08, 2011 12:11 AM
    Moderator
  • Just been reading that ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Saturday, January 08, 2011 12:59 AM
    Moderator
  • Let me know if you find any "holes" in the design.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, January 10, 2011 3:51 PM
    Moderator
  • Hi, so how does the client know which one to connect to? If I understand, it's done via group policy so that US clients go to the US UAG and EU clients to the EU UAG. However, what happens when I travel from the EU to the US? Even though I'm in the US, do I still go to the EU UAG? Is there no way for the client to determine the closest entry point?
    Wednesday, January 12, 2011 7:47 AM
  • I don't believe it can. The current solutions rely upon you "homing" DA clients to a particular DA array in one location.

    I imagine if you invest in something like a global site load balancer, you could use a virtual public IP address across geo-data centers and then just configure clients with a single global DA policy that uses virtualised IP addresses...this is probably not a cheap solution though :(



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, January 12, 2011 9:39 AM
    Moderator
  • That's correct. Our current supported solution is to home DA clients to specific sites.

    I'm almost done - but am having a heck of a time getting the ISATAP router configuration working - I think we need some serious work on improving our ISATAP router documentation :)

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, January 13, 2011 5:45 PM
    Moderator
  • Hi Allen,

    I have just completed this exercise and agree the diagram is a bit confusing in the beginning. It looks like the external IP ranges are in the same range, but they are not. It's just that for documentation purposes the basic range is always used. The second site has a slightly different external range.

    What I did is simply make my own diagram, and for the external IP we calculated the IPv6 address from that.

    Then it will begin to make sense and you will see what the overall solution will look like.

    Note we used external ISATAP routers, not a Windows box; we have Cisco routers in place.

    Drop me a line if you want more info.

    Regards,

    Arjan

    Thursday, October 27, 2011 6:37 AM
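The arithmetic Allen asks about and Arjan describes, as an added example that is not from this thread or from any Microsoft documentation: each site's organization prefix is the 6to4 /48 (2002:WWXX:YYZZ::/48, RFC 3056) built from that site's own external IPv4 address, and intranet ISATAP hosts (RFC 5214) sit in a /64 below it. Two sites with unrelated external ranges therefore get two unrelated /48s. The function names, the site names, the sample addresses and the subnet ID 1 used for the ISATAP /64 are assumptions for illustration.

```python
import ipaddress


def sixto4_prefix(external_ipv4: str) -> ipaddress.IPv6Network:
    """Return the 6to4 /48 (RFC 3056) derived from a site's external IPv4 address:
    2002:WWXX:YYZZ::/48, where WWXX:YYZZ is that address written in hex."""
    v4 = ipaddress.IPv4Address(external_ipv4)
    if v4.is_private or v4.is_loopback or v4.is_multicast:
        # A prefix derived from an internal/NAT address is not unique across sites.
        raise ValueError(f"{v4} is not a public address; use the site's external IP")
    w, x, y, z = v4.packed
    return ipaddress.IPv6Network(f"2002:{w:02x}{x:02x}:{y:02x}{z:02x}::/48")


def isatap_address(site_prefix: ipaddress.IPv6Network, subnet_id: int,
                   host_ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP address (RFC 5214) of an intranet host in one /64 below the site prefix.
    Interface ID is ::0:5efe:a.b.c.d for a private IPv4, ::200:5efe:a.b.c.d for a public one."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in the 16 bits between the /48 and the /64")
    v4 = ipaddress.IPv4Address(host_ipv4)
    u_bit = 0 if v4.is_private else 0x0200            # "u" bit set only for a global IPv4
    iid = (u_bit << 48) | (0x5EFE << 32) | int(v4)    # 64-bit interface identifier
    subnet = int(site_prefix.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Address(subnet | iid)


def site_plan(sites: dict, isatap_subnet_id: int = 1) -> dict:
    """Derive one /48 per site from that site's own external IP and the ISATAP /64
    inside it (subnet ID is an assumption). Raises if two sites collide."""
    plan = {}
    for name, external_ip in sites.items():
        prefix = sixto4_prefix(external_ip)
        isatap_net = ipaddress.IPv6Network(
            (int(prefix.network_address) | (isatap_subnet_id << 64), 64))
        plan[name] = {"prefix": str(prefix), "isatap_subnet": str(isatap_net)}
    prefixes = [entry["prefix"] for entry in plan.values()]
    if len(set(prefixes)) != len(prefixes):
        raise ValueError("two sites share an external IP and therefore a prefix")
    return plan


# Constructed sample: two sites whose external addresses are in unrelated ranges.
SITES = {"helsinki": "131.107.0.2", "us": "65.52.200.9"}

if __name__ == "__main__":
    for name, entry in site_plan(SITES).items():
        print(f"{name:9} org prefix {entry['prefix']:22} ISATAP {entry['isatap_subnet']}")
    print("host 10.0.0.2 in helsinki:", isatap_address(sixto4_prefix(SITES["helsinki"]), 1, "10.0.0.2"))
```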
  • It appears that http://blogs.technet.com/b/tomshinder/archive/2011/01/07/hey-edge-man-how-is-that-multi-site-test-lab-guide-and-document-coming-along.aspx has been pulled.  Is that a good sign that maybe we will see a finished version soon?

    Don Adams
    Portcullis Systems


    Advanced Technology Consultant
    Monday, November 21, 2011 8:07 PM
  • Hi Tom,

    I have been looking for the diagram for a long time, and now I can't find it at the above link. It says "not found".

    If I could get it, it would be great to study the diagram. Can I see it somewhere else in the cloud? :)

    Thank you

    Vafran

    Wednesday, February 22, 2012 11:12 AM