Forefront TMG and UAG Side by Side (TMG Outbound, UAG Inbound) - Possible?

  • Question

  • I recently started a thread about the possibility of setting up Forefront UAG 2010 at home, though everyone pointed me to Forefront TMG. My main reason for deploying one of these products is purely remote access. I am not worried about Outbound traffic, only inbound traffic.

    As I described in my earlier post I was proposing to have my network like this: http://img193.imageshack.us/i/networkdiagram.jpg/


    After a bit more reading I have now considered Forefront TMG, as this seems to be the only viable option for me to use at home. After reading through the TMG documentation I have come up with a new way to deploy UAG with the use of TMG (I know TMG comes with UAG as a watered-down version).

    I am considering deploying both Forefront TMG and Forefront UAG side by side in an external network. What I need to know from the experts is whether this scenario is even possible.

    I have constructed a simple Visio drawing to demonstrate what I mean. You can view this here: http://img52.imageshack.us/i/tmguagdeployment.jpg/

    Basically TMG would be the default gateway for internal clients. Then the second NIC on the server would be the external NIC and create the external network.

    Basically the clients would be directed through the TMG server for all outbound traffic, and then when I wish to remote access my network while on the road, UAG would handle all inbound traffic from remote clients.

    So basically, is this possible? Or should I just stick with TMG? UAG is what I am after, with the RemoteApp possibility etc.


    Thanks for your help. I look forward to the responses.

    Friday, January 14, 2011 12:34 AM

All replies

  • Hiya,

    I've used the TMG+UAG "side by side" topology with several smaller customers who have had limited budgets or restricted public IP address ranges.

    With this topology you really do get the best of both worlds and the key compromise is that you only have a single-tier firewall between the external and internal networks. However, as both solutions ultimately run TMG, they are both equally "edge ready" and should be trusted as such...

    Consequently, TMG becomes your IPv4 default gateway and UAG becomes your IPv6 and DirectAccess default gateway.

    Cheers

    JJ 


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, January 14, 2011 1:24 AM
  • Hi Jason,

    Thanks for the quick reply. Just so I understand I currently only have 1 external Public IP Address given to me by my ISP.

    If I can avoid it I do not want to use IPv6 on my network.

    With Forefront UAG having a version of TMG embedded into it, I am sure deploying the full TMG product next to it will not cause any issues?

    I must point out that my reason behind deploying TMG with UAG is that UAG does not pass internal client traffic to the outside world from what I have read. So I cannot just assign my external NIC to the ADSL Modem and then have them on a different network to the Internal NIC on the server.

    So my conclusion was that if I use TMG I am able to create this "external" network and "internal" network as TMG can pass the traffic from the internal clients (who will have the TMG as their Default Gateway) to the internet through the Modem Router.

    Please correct me if I am wrong though.

    Thanks.

    Friday, January 14, 2011 2:38 AM
  • Hi,

    A single IP address will not be sufficient for the side by side topology using TMG+UAG and you will need at least two public IP addresses; one for the TMG external interface and one for the UAG external interface. If you plan to run UAG DirectAccess, you will need at least three IP addresses; one for the TMG external interface and two for the UAG external interface.

    With a single public IP address, you will have no option but to drop UAG and simply deploy TMG. TMG will then do "pretty much everything" that you need, but you will face some compromises by losing UAG. UAG alone cannot meet your basic firewall and secure web proxy needs as although it runs TMG, it is not supported as either a network firewall or an outbound proxy server.

    Cheers

    JJ



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, January 14, 2011 9:53 AM
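The public IP arithmetic in the reply above (one address for the TMG external interface, one for UAG, or two for UAG when it runs DirectAccess, and UAG never acting as the outbound firewall or proxy) is easy to get wrong on paper, so here is an added planning check, written for this thread and not code from any of the participants or from the Forefront products. It assumes a small `EdgeBox` description per server and a list of the addresses the ISP actually assigned; the sample addresses are constructed from the 203.0.113.0/24 documentation range. The consecutive-address rule for the two DirectAccess addresses is the documented UAG DirectAccess (Teredo) requirement and is not stated in the thread itself.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class EdgeBox:
    """One edge server and the public IPv4 addresses planned for its external NIC.
    (Hypothetical helper type for this example.)"""
    name: str
    role: str                        # "tmg" (outbound firewall/proxy) or "uag" (inbound publishing)
    public_ips: List[str] = field(default_factory=list)
    directaccess: bool = False       # only meaningful when role == "uag"


def required_public_ips(box: EdgeBox) -> int:
    """Public IPv4 addresses the external interface needs, per Jason's reply."""
    if box.role == "tmg":
        return 1
    if box.role == "uag":
        return 2 if box.directaccess else 1
    raise ValueError(f"unknown role {box.role!r}")


def check_topology(boxes: List[EdgeBox], isp_pool: List[str]) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems: List[str] = []
    pool = {ipaddress.IPv4Address(ip) for ip in isp_pool}

    # 1. Enough addresses overall?
    need = sum(required_public_ips(b) for b in boxes)
    if need > len(pool):
        problems.append(f"need {need} public IPs but the ISP provides {len(pool)}")

    # 2. Per-box assignment: right count, drawn from the pool, not shared with another box.
    seen = {}
    for box in boxes:
        addrs = [ipaddress.IPv4Address(ip) for ip in box.public_ips]
        want = required_public_ips(box)
        if len(addrs) != want:
            problems.append(f"{box.name}: assigned {len(addrs)} public IP(s), needs {want}")
        for a in addrs:
            if a not in pool:
                problems.append(f"{box.name}: {a} is not in the ISP-assigned pool")
            if a in seen:
                problems.append(f"{box.name}: {a} is already used by {seen[a]}")
            seen[a] = box.name
        # 3. UAG DirectAccess wants its two addresses to be consecutive (documented Teredo requirement).
        if box.role == "uag" and box.directaccess and len(addrs) == 2:
            lo, hi = sorted(addrs)
            if int(hi) - int(lo) != 1:
                problems.append(f"{box.name}: DirectAccess addresses {lo} and {hi} are not consecutive")

    # 4. Somebody has to be the supported outbound firewall/proxy, and that is TMG, not UAG.
    if not any(b.role == "tmg" for b in boxes):
        problems.append("no TMG box: UAG is not supported as a network firewall or outbound proxy")
    return problems


# Constructed sample plans (documentation addresses, not real ones).
SINGLE_IP_PLAN = (
    [EdgeBox("tmg01", "tmg", ["203.0.113.10"]),
     EdgeBox("uag01", "uag", ["203.0.113.10"])],        # OP's situation: one public IP for both
    ["203.0.113.10"],
)
THREE_IP_PLAN = (
    [EdgeBox("tmg01", "tmg", ["203.0.113.10"]),
     EdgeBox("uag01", "uag", ["203.0.113.11", "203.0.113.12"], directaccess=True)],
    ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
)

if __name__ == "__main__":
    for label, (boxes, pool) in (("single IP", SINGLE_IP_PLAN), ("three IPs", THREE_IP_PLAN)):
        issues = check_topology(boxes, pool)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Running it reports two problems for the single-address plan (not enough addresses, and the same address claimed by both external interfaces) and a clean result for the three-address plan with UAG DirectAccess, which matches the conclusion in the reply.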
  • Unless you want to do DirectAccess, TMG is the way to go.

    In fact, for a home deployment of DirectAccess, the Windows DirectAccess is probably good enough. UAG DirectAccess provides features required for enterprise reliability.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Friday, January 14, 2011 1:39 PM
    However, you will need to implement IPv6 on your intranet and you still need two public IP addresses I believe...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, January 14, 2011 1:58 PM
  • Jason,

    Good points!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, January 17, 2011 3:20 PM
  • TMG and/or UAG seems like an overkill solution for remote connectivity to the home. Are you doing this just as a way of getting familiar with the products?

    Why not just configure your router/firewall to port forward Remote Desktop to your workstation? Or use something like Live Mesh. If you really want to get fancy, what about using Remote Desktop Services' RDWeb and Gateway? Any of those solutions will give you connectivity to your home network and would not require you to create an external network or create a new gateway on your LAN.

    If you're just not happy with the features of your home router you could get something that supports DD-WRT and you can get a really nice feature set for free including built-in DynDNS support, VLANs, VPN, etc.


    MrShannon | TechNuggets Blog | Concurrency Blogs
    Wednesday, January 19, 2011 2:06 PM
  • I assumed he was trying to learn the technology too ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, January 19, 2011 2:57 PM
  • Me too :)

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Friday, January 21, 2011 11:22 AM
  • You already got most of the answers. To pick your answer, it really depends on what kind of Remote Access functionality you want to use, and whether you have a Domain Controller running 24x7, how many public IP addresses you have, and such.

    I can really recommend UAG DirectAccess to you (in a test environment, of course), although you need to have a Domain Controller up and running and, as mentioned, two public IP addresses. On the other hand, UAG can also host a trunk for you with VPN functionality, a RDG (Remote Desktop Gateway) and many more. If you just want VPN support out of the box, go for TMG.

    But... you can also wait for Windows Server 2012 to be released. It offers DirectAccess which does support NAT and requires only one public IP address.

    About your network: if you only have a flat network (single subnet), you will always have a problem testing UAG and TMG. It may be off-topic, but what I can really recommend to you is segmenting your network with a L3 switch. I have a test environment running with TMG/UAG, each of them having two network interfaces and such. You don't need an expensive Cisco Catalyst 3750 or something like that. Just have a look at a Cisco Small Medium Business SG300 series L3 switch for only $100-250. They offer ALL the features you need to design the network as you need. Very suitable for our test environments.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Monday, August 6, 2012 8:37 AM