UAG Forefront 2010, Direct Access and Remote Desktop publishing on one machine

  • Question

  • Hello,

    We have an issue with this configuration.

    Direct Access (UAG) is working well: Teredo, 6to4, IP-HTTPS.

    We want to publish Remote Desktop via UAG (RD Publishing) over a new trunk, but without success... The Remote Desktop Gateway service integrated in UAG works with the Default Web Site, where we already have the IPHTTPS configs.

    The question is: can this configuration work together (UAG, Direct Access and RD publishing (predefined))?

    Thanks in advance.

    P.S. I'm really tired of this :)

    Monday, October 25, 2010 10:56 AM

Answers

  • The UAG wizard will wipe your IIS site settings, so AFAIK you cannot use IIS on the UAG server for anything other than IPHTTPS.

    The only work-around would be to configure the "other" IIS site after you have activated your UAG configuration, but know that the next time you activate a config the "other" IIS site(s) will get blown away again.

    I'd recommend you stand up another server for the other role.  Virtual machines would serve you well here.


    MrShannon | TechNuggets Blog | Concurrency Blogs
    • Proposed as answer by MrShannon Thursday, October 28, 2010 12:27 PM
    • Marked as answer by Erez Benari Wednesday, November 24, 2010 6:07 PM
    Thursday, October 28, 2010 12:26 PM
  • Hey guys,

    It looks like we need a TLG that shows you have to configure the entire deal - SSTP, RDG, DA, Portal on the same machine, does that sound right?

    It might take a while, since there isn't any guidance that I'm aware of that shows you how to do that. But, I should be able to find the people who will know how to do this :)

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    • Marked as answer by Erez Benari Wednesday, November 24, 2010 6:06 PM
    Thursday, October 28, 2010 2:24 PM

All replies

  • Do you mean via the UAG portal?

    If so, then yes as discussed here: http://technet.microsoft.com/en-us/library/ee522953.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Monday, October 25, 2010 12:21 PM
  • Thanks for the quick feedback.

    There is no information about the RD Gateway service in this article :( This service is used when we publish RD Services via the UAG Portal. After that, IIS on the UAG server doesn't understand where the right cert is placed.

    Monday, October 25, 2010 12:54 PM
  • Port 443 on the Default Web Site is responsible for Direct Access and uses the DA cert. If I create a new trunk on UAG for RD publishing, a new web site is created, BUT! After activation, the Default Web Site changes the DA cert for the RD cert. It's a problem.
    Monday, October 25, 2010 1:25 PM
  • Your portal trunk is using a dedicated IP address - yes?


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, October 25, 2010 1:41 PM
  • Yes,

    2 external IPs for the DA solution, and 1 external IP for the trunk.

    Monday, October 25, 2010 1:46 PM
  • Have you tried looking in the RD Gateway Manager node of the RDS MMC and managing the certificate mapping directly?

    In my DA lab, the cert assigned to DA and the cert used for the RD gateway are different, but both are on the same server...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, October 25, 2010 2:04 PM
  • The RDG MMC console is not a real one, because UAG has its own RDG service (you can try to change the CAP settings in the MMC).

    In the UAG portal, try to create a new trunk, add the application RD Services (predefined) and after that, press Activate configuration.

    In my situation, after this step the DA cert is replaced with the RDG cert. Mystification :)

    And one more thing: if I look at the IIS bindings on the Default Web Site, I have 2 ports, 80 and 443; after configuration activation via UAG, I have one more additional 443 binding...

    Monday, October 25, 2010 2:15 PM
  • Default situation: DA working, IPHTTPS working (because only this method uses the DA cert).

    IIS Default Web Site: bindings - 443 - DA cert

    Go to the RDG MMC console, RD Gateway not configured: cert needed: change to the RD cert. Back to IIS and... we see the RD cert instead of the DA cert in the Default Web Site bindings :(

    Monday, October 25, 2010 2:24 PM
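
An added example, not part of the original thread and not UAG's own tooling: a PowerShell check to run after each Activate that compares the certificate bound to each HTTPS endpoint with the one you expect, which catches the DA cert on the 443 binding being swapped for the RD cert. The IP addresses, thumbprints and the `Get-SslBinding`/`Test-SslBinding` function names are constructed for illustration, and the parser assumes the English field labels of `netsh http show sslcert`.

```powershell
# Constructed sample of `netsh http show sslcert` output; IPs and hashes are made up.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                 : 192.0.2.10:443
    Certificate Hash        : bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    Application ID          : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name  : MY

    IP:port                 : 192.0.2.12:443
    Certificate Hash        : bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    Application ID          : {00000000-0000-0000-0000-000000000002}
    Certificate Store Name  : MY
'@ -split "`r?`n"

# Hypothetical expected state: endpoint -> thumbprint of the cert that should be bound.
$expected = @{
    '192.0.2.10:443' = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'  # DA / IP-HTTPS cert
    '192.0.2.12:443' = 'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'  # RD trunk cert
}

function Get-SslBinding {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)\s*$') {
            if ($current) { $current }          # emit the previous binding
            $current = New-Object PSObject -Property @{ Endpoint = $Matches[1]; Thumbprint = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)\s*$') {
            $current.Thumbprint = $Matches[1].ToUpper()
        }
    }
    if ($current) { $current }                  # emit the last binding
}

function Test-SslBinding {
    param([string[]]$Lines, [hashtable]$Expected)
    $seen = @{}
    Get-SslBinding -Lines $Lines | ForEach-Object { $seen[$_.Endpoint] = $_.Thumbprint }
    foreach ($ep in $Expected.Keys) {
        $want = $Expected[$ep].ToUpper()
        $status = if (-not $seen.ContainsKey($ep)) { 'MISSING' } elseif ($seen[$ep] -eq $want) { 'OK' } else { 'CHANGED' }
        New-Object PSObject -Property @{ Endpoint = $ep; Status = $status; Actual = $seen[$ep] }
    }
}

# On the server, pass (netsh http show sslcert) instead of $sample.
Test-SslBinding -Lines $sample -Expected $expected | Format-Table Endpoint, Status, Actual -AutoSize
```

With the constructed sample, the DA endpoint is reported as CHANGED because it carries the RD cert's thumbprint, and the trunk endpoint as OK.
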
  • And is your DA configured via UAG?
    Monday, October 25, 2010 2:47 PM
  • Yes.

    The lab is mainly for UAG DA, so let me check if I get the same results as you described above...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, October 25, 2010 3:15 PM
    • Marked as answer by Erez Benari Monday, October 25, 2010 10:25 PM
    • Unmarked as answer by Sergej Irchin Tuesday, October 26, 2010 9:40 AM
    Monday, October 25, 2010 3:52 PM
  • No result :(

    RDG is using the Default Web Site... how can I change this?

    Tuesday, October 26, 2010 9:24 AM
  • The UAG wizard will wipe your IIS site settings, so AFAIK you cannot use IIS on the UAG server for anything other than IPHTTPS.

    The only work-around would be to configure the "other" IIS site after you have activated your UAG configuration, but know that the next time you activate a config the "other" IIS site(s) will get blown away again.

    I'd recommend you stand up another server for the other role.  Virtual machines would serve you well here.


    MrShannon | TechNuggets Blog | Concurrency Blogs

    Interesting that is not covered in the support boundaries document...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, October 28, 2010 12:47 PM
  • Please find these people :) We need this documentation.
    Friday, October 29, 2010 9:39 AM
  • Hi,

    Did anyone find a solution? I guess I still have exactly the same problem.

    Was this fixed with SP1? I installed SP1 but still have the same problem.

    Also, I got an "RD Gateway not available" error message.

    Thanks.

    Regards,

    ckuever

    Tuesday, March 1, 2011 8:15 PM