forefront unified application gateway config

  • Question

  • Since I already have a firewall and I only want to use the SSL VPN application of Forefront Unified Application Gateway, can I set the server up using only one netcard, and have the card NATed to the outside world on my 3rd party firewall? Or must I have 2 NICs and have the server in parallel with my firewall?

    I'm just looking at using the SSL VPN and not the DirectAccess solution since I have non-Microsoft and Windows XP remote clients.

    thanks,

     

    Tuesday, March 30, 2010 2:21 PM

Answers

  • Hi Mike,

    You can put the UAG server behind your existing firewall if you like, or you can put it in parallel. While our documentation doesn't describe an edge deployment for the UAG, the only reason for this is that we've made the assumption that all enterprises already have a firewall deployment and would prefer to put the UAG behind that front-end firewall. However, this is not a recommended or preferred deployment, just a recognition of what's being done out in the field right now.

    Not sure what you mean by disabling routing. How are you thinking of deploying the UAG? There may be certain circumstances where routing might be an issue (such as if you deploy UAG as an SSTP remote access VPN server), but when acting in its reverse proxy role, the source IP address is going to be the internal IP address on the UAG server, so you don't need to configure it as the default outbound route.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Erez Benari Wednesday, March 31, 2010 7:11 PM
    Wednesday, March 31, 2010 12:34 PM

All replies

  • Forefront UAG must be installed on a computer with two network adapters. See http://technet.microsoft.com/en-us/library/dd903051.aspx for full details.

    James.

    • Proposed as answer by James Kilner Wednesday, March 31, 2010 9:02 AM
    Wednesday, March 31, 2010 9:02 AM
  • Can you hook it in parallel with an existing firewall and disable routing on the Forefront server so there are no routing loops? Or must you use a Microsoft product as your firewall if you are going to use UAG?

     

    thanks

    Wednesday, March 31, 2010 12:20 PM