UAG & Exchange

  • Question

  • Hi,

    In my environment, I am planning to deploy UAG in the below manner -

    Internet-->External firewall-->UAG-->Internal Firewall->Exchange 2010 Environment

    Planning to deploy UAG in an array and will install an isolated domain controller in the DMZ dedicated for UAG.

    Can I use a single UAG to talk to multiple Exchange environments (in isolation) and publish multiple Exchange OWA/ActiveSync portals? I believe we need to add Authentication servers during configuration. Are these the AD servers on the Exchange environment?

    So then can I add AD servers (in groups) from multiple Exchange environments and then use them in the publishing scenarios?

    Thanks,

    Ravi


    Friday, September 9, 2011 4:04 PM

Answers

  • If you are using discrete AD repositories and not relying on Windows trusts, you simply need LDAP/LDAPS between UAG and the internal domain controllers...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Saturday, September 10, 2011 11:55 PM
  • Hi Ravi,

    As Jason said, it's plain LDAP/LDAP(S), so the protocols needed are TCP 389/636.

    BTW: If you or some of your customers do have security concerns regarding LDAP access, then you could also use WinHTTP validated portal pre-authentication. WinHTTP is a very simple and secure (in terms of low footprint) authentication type, which makes use of authenticated HTTPS requests to your backend application to validate the user-provided credentials. If the backend application accepts the provided credentials, then UAG would know they are correct and therefore grants portal access...

    -Kai


    Sunday, September 11, 2011 11:44 AM
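    A check for the firewall requirement Jason and Kai describe, added here as an example and not code from this thread or from the UAG product: for each LDAP repository's primary/backup DC it confirms TCP 389 is reachable through the internal firewall and that TCP 636 completes a TLS handshake with a certificate the UAG host trusts (UAG will not bind over LDAPS to an untrusted certificate). The repository names and DC hostnames are placeholders to be replaced with your own.

    ```powershell
    # Added example: verify UAG -> DC connectivity for each LDAP repository.
    # Repository names and hostnames below are placeholders (assumptions).
    $Repositories = @{
        'ExchangeEnvA' = @('dc1.enva.example.local', 'dc2.enva.example.local')
        'ExchangeEnvB' = @('dc1.envb.example.local', 'dc2.envb.example.local')
    }

    # Open a TCP connection with a timeout; returns the TcpClient or $null.
    function Test-LdapPort {
        param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Server, $Port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { $client.Close(); return $null }
            $client.EndConnect($async)
            return $client
        } catch { $client.Close(); return $null }
    }

    # Complete a TLS handshake on 636 using default validation (trusted chain,
    # hostname match) and report the DC certificate's subject and expiry.
    function Test-LdapsCertificate {
        param([string]$Server, [int]$TimeoutMs = 3000)
        $client = Test-LdapPort -Server $Server -Port 636 -TimeoutMs $TimeoutMs
        if (-not $client) { return [pscustomobject]@{ Ok = $false; Detail = 'TCP 636 unreachable' } }
        try {
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($Server)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $detail = 'subject={0} expires={1:yyyy-MM-dd}' -f $cert.Subject, $cert.NotAfter
            return [pscustomobject]@{ Ok = $true; Detail = $detail }
        } catch {
            return [pscustomobject]@{ Ok = $false; Detail = $_.Exception.Message }
        } finally { $client.Close() }
    }

    $results = foreach ($repo in $Repositories.Keys) {
        foreach ($dc in $Repositories[$repo]) {
            $ldap = Test-LdapPort -Server $dc -Port 389
            $ldapOk = [bool]$ldap
            if ($ldap) { $ldap.Close() }
            $ldaps = Test-LdapsCertificate -Server $dc
            [pscustomobject]@{
                Repository = $repo; DC = $dc
                LDAP_389 = $ldapOk; LDAPS_636 = $ldaps.Ok; Detail = $ldaps.Detail
            }
        }
    }
    $results | Format-Table -AutoSize
    ```

    Run it from the UAG node itself so that the TLS trust check reflects the certificate store UAG will actually use.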

All replies

  • Hi Ravi,

    a single "Yes" does answer all the questions you've asked.

    In UAG you can add as many LDAP repositories (e.g. Active Directory DC) as you like. Those repositories will be used to pre-authenticate the user on the UAG portal and they will be also used to define which repository users should have access to which internal application (with SSO).

    Each of the LDAP repositories can contain two domain controllers (primary/backup). Those DCs can be distributed in your hosting environment, and you don't need additional trusts to the DMZ environment.

    -Kai

    Friday, September 9, 2011 6:05 PM
  • Hi Kai,


    Thanks for this. So based on this, I will have to open AD authentication ports on my internal firewall. Are these standard AD/DNS communication ports, or is there a standard list available from a UAG perspective?


    Cheers,

    Ravi

    Saturday, September 10, 2011 8:49 PM
  • Thanks a lot for this.

    Cheers,


    Ravi

    Monday, September 12, 2011 10:30 AM